Email Continuity Service - Microsoft 365

Microsoft 365 Email Continuity Service – Is it Needed?

An email continuity service, whilst not strictly required for Microsoft 365, can be highly beneficial for ensuring business continuity. When considering MX (Mail Exchange) backup services for M365, several regulations and best practices need to be taken into account to ensure compliance and the security of email communications. These considerations often fall under broader data protection, privacy, and cybersecurity regulations, depending on the jurisdiction and industry.

Microsoft 365 has experienced several notable outages recently. In January 2023, a major outage lasted over five hours, affecting various services, including Exchange Online. This incident was attributed to a network configuration issue during a planned update (Practical 365). Another significant outage occurred in June 2023, impacting services like Outlook, Teams, and OneDrive for several hours due to a network issue (WinBuzzer).

These outages highlight the importance of having contingency plans, such as email continuity services, to minimize the impact on business operations during service disruptions. While Microsoft strives to ensure reliability, occasional downtime is inevitable in any cloud service.

Here’s a detailed overview of why you might consider using such a service with Microsoft 365:

Benefits of Email Continuity Services

  • Uninterrupted Email Access:

    • Downtime Protection: Even though Microsoft 365 has a strong uptime record, no service is immune to outages. An email continuity service ensures users can send and receive emails during such disruptions.
    • Scheduled Maintenance: During Microsoft 365 maintenance periods, a continuity service can keep email communication flowing.
  • Data Protection and Compliance:

    • Archiving and Retention: Email continuity services often come with archiving features that ensure all emails are stored securely and can be retrieved as needed, which is crucial for compliance with regulatory requirements.
    • E-discovery: Simplifies the process of locating and retrieving emails for legal or compliance purposes.
  • Disaster Recovery:

    • Backup Capabilities: Provides an additional layer of backup for email data, ensuring that emails can be restored in case of data loss.
    • Business Continuity Planning: Assists in maintaining communication during significant disruptions, such as natural disasters or cyberattacks.
  • Security Enhancements:

    • Spam and Malware Filtering: Many email continuity services include advanced security features that can complement Microsoft 365’s built-in protections.
    • Phishing Protection: Additional layers of defense against sophisticated phishing attacks.
  • User Experience:

    • Web Access: Users can access their email through a web portal provided by the continuity service if the primary service is down.
    • Mobile Access: Ensures continuous email access on mobile devices, which is critical for remote or traveling employees.

Implementing an email continuity service entails additional costs. Organizations must weigh these costs against the potential risks and impacts of email downtime. Managing another service can add complexity to IT operations, so it is important to choose a solution that integrates seamlessly with Microsoft 365 and does not add time-intensive administration. The chosen email continuity service provider should have a strong track record and robust infrastructure so that it can meet any business continuity requirements you have in scope.

Here are some key regulatory and compliance considerations:

General Data Protection Regulations

  1. GDPR (General Data Protection Regulation):

    • Data Protection: If your organization handles the personal data of individuals in the European Union, GDPR requires that you ensure the security and privacy of this data, which includes email communications.
    • Data Processing Agreements: You must have agreements in place with your MX backup service providers that outline how they handle and protect personal data.
  2. CCPA (California Consumer Privacy Act):

    • Consumer Rights: Similar to GDPR, CCPA provides rights to consumers regarding their personal data. Businesses must ensure that email data, when backed up, is handled in compliance with these rights.
  3. HIPAA (Health Insurance Portability and Accountability Act):

    • PHI (Protected Health Information): For organizations in the healthcare sector, email communications containing PHI must be protected according to HIPAA standards. This means ensuring that MX backup services are HIPAA-compliant.
  4. FINRA (Financial Industry Regulatory Authority):

    • Record Keeping: Financial institutions are required to retain electronic communications, including emails, for specified periods. MX backup services should comply with these retention policies.

Industry-Specific Regulations

  1. SOX (Sarbanes-Oxley Act):

    • Record Retention: Public companies in the U.S. must keep business records, including emails, for a minimum period. An MX backup service should facilitate compliance with these requirements.
  2. FISMA (Federal Information Security Management Act):

    • Security Standards: For U.S. federal agencies, email backup services must comply with FISMA security standards to ensure the confidentiality, integrity, and availability of email data.

Best Practices for MX Backup Services

  1. Encryption:

    • Ensure that the backup service encrypts emails both in transit and at rest to protect sensitive information from unauthorized access.
  2. Data Sovereignty:

    • Be aware of where the backup data is stored. Some regulations require that data remains within certain geographical boundaries.
  3. Access Controls:

    • Implement strict access controls to ensure that only authorized personnel can access the backed-up emails.
  4. Audit and Monitoring:

    • Regularly audit and monitor the backup service to ensure compliance with applicable regulations and internal policies.
  5. Disaster Recovery:

    • Ensure the service provides robust disaster recovery options to quickly restore email functionality in the event of a disruption.
  6. Service Level Agreements (SLAs):

    • Establish clear SLAs with the backup service provider to define uptime guarantees, support response times, and data recovery timeframes.

While Microsoft 365 is a robust and reliable platform with built-in features for continuity and security, an additional email continuity service will provide an extra layer of protection and peace of mind, especially when relying solely on a single gateway for email deliverability. This can be particularly valuable for businesses that rely heavily on email communication and cannot afford any downtime. Using an email continuity service will help ensure compliance with a variety of data protection, privacy, and industry-specific regulations. It is crucial to select an M365 email backup service that aligns with your regulatory requirements and incorporates robust security measures to protect email data.
