Cloud storage services such as Dropbox and Microsoft’s OneDrive are becoming more and more popular among small businesses for storage of company data.  They add conveniences such as file versioning, file retention, and easy access from any device connected to the internet.

Unfortunately there is often a misconception that these cloud services will protect your data in the event of an incident such as a ransomware infection.  In this blog we will explain why this is untrue, and offer tips on how to avoid data loss or downtime in such an event.


Backup versus Sync

Cloud storage services such as Dropbox, OneDrive, Box, etc., work in a manner that allows you to edit your data from anywhere, and those edits will automatically be updated on any other device connected to that account. This results in your data being copied to several locations, one of which is on the cloud storage provider’s servers.

As we’ve discussed in previous blogs, backup best practices tell us that we should have 3 copies of our data – two of which are onsite, and at least one of which is offsite.  At first glance, it would appear that using a cloud storage service covers these requirements.  But the key difference here is that these services are data sync services, and not backup services.

Say your small business has two office locations and some remote workers, all of whom use shared Dropbox folders. One of your remote workers clicks on a malicious link in an email, and his machine is infected with ransomware. Since this worker has a synced copy of the shared Dropbox folders on his local machine, those now-encrypted files are synced out to all other employees, in all other locations. Those shared folders are now unusable, and the business cannot operate.


But My Cloud Storage Provider Has File Versioning?

Cloud storage providers generally provide file versioning, which allows you to restore previous versions of files going back a certain amount of time. While this is great for the occasional one-off file restore, the big issue is that you’re putting the recovery responsibility in the hands of a third party.

Say there is a massive worldwide ransomware outbreak (remember WannaCry?) that has encrypted your cloud storage. For large restores, cloud providers often require that the restore be initiated by the provider. Dropbox, for example, requires that you contact them to restore large amounts of files.

In the event of a widespread outbreak, there is no guarantee of how quickly your storage provider will recover your data, or that they will recover your data at all. It could be days, or even weeks, leaving your business sitting on its hands.


So What Should I Do?

To reiterate, having a cloud storage provider does not mean you shouldn’t back up the data. The cloud data should be backed up just as if it were sitting on a server in your office. How and where that data should be backed up depends on the individual use case of each business, so talk to your IT provider to come up with a plan that works best for your business.