What are the greatest security concerns with Microsoft 365?
With many employees working remotely, businesses everywhere have turned to cloud-based suites such as Microsoft 365 to keep the wheels turning.
The good news is that, according to our recent report – Empowering The People: Critical Security Challenges 2020 – only 10% of security professionals now believe the cloud has made security worse.
But, despite the benefits that suites offer, some concerns around security still remain.
The email attack, amplified
With lockdown measures resulting in a huge proportion of the workforce becoming remote workers practically overnight, Microsoft 365 (M365) has swiftly become the de facto solution for an increasing number of organisations.
It’s no surprise, though, that the criminals have capitalised on this move. This year has seen a 50% rise in social engineering and sophisticated malware attacks! Unfortunately, with email still the lifeblood of many organisations, it remains the primary starting point for the majority of these attacks.
We can see this with phishing attacks, CEO fraud and Business Email Compromise (BEC) growing quarter on quarter, while the average cost of a BEC attack involving a wire transfer has been trending upwards, from $54,000 in Q1 2020 up to $80,183 in Q2 2020, as criminals continue to leverage fear and uncertainty associated with the pandemic.
86% of professionals in our own survey agree that email security threats have become more sophisticated.
Any opportunity cyber criminals have to create new social engineering campaigns, they’ll take, and this pandemic has opened the door to a seemingly endless world of unlawful possibility.
Even though Microsoft does offer two levels of M365 email security to customers – Exchange Online Protection (EOP) and Advanced Threat Protection (ATP) – neither offers true enterprise-level security.
Microsoft 365 does not include ultra-modern, multi-layered security that specialist third-party email security solutions can provide.
To help stay ahead of the criminals, organisations cannot rely on the in-built M365 security alone. Even Osterman Research and Gartner advocate for organisations to choose third-party security solutions that are complementary and can enhance the security of the Microsoft platform.
Easy account access for employees, and criminals
37% of professionals cite unauthorised account access as one of their top concerns.
With employees working from home and relying on M365 now more than ever, huge volumes of critical information and vital business processes are now only a simple username and password away from being unlawfully accessed.
Privileged accounts, such as those of administrators, finance teams and executives, are the most attractive to cyber criminals, as they offer the quickest route to the most sensitive information and to other cloud applications, from which secondary attacks can be launched on colleagues, customers and suppliers.
With multiple apps tied to a single Microsoft 365 login, the risks associated with an account breach are numerous – the inbox and cloud storage are fully exposed. Given the severity of an account breach, those in the industry would hope employees would treat their login details with due sensitivity.
Unfortunately, that does not seem to be the case. According to our research, 34% of cyber security professionals have found employees reusing work credentials for personal accounts. While 87% of security professionals said that most threats could be prevented if employees followed best practice, only around three quarters (73%) said they trusted employees to do so.
Holding regular workshops on security best practices, on who to report to and on the procedure to follow when an incident does occur can help keep employees informed.
Employees are also likely to be receptive to ‘contextual security education’ and user awareness training, which will help them spot scams and the new, innovative phishing techniques designed to trick them.
Assurance that staff are secure by default
While employee education can go so far, technology can provide assurance that protection is in place by default.
M365 might be convenient for employees, with email, chat, video conferencing and cloud storage all in one offering, but it can cause headaches for security teams. Layering on third-party security solutions, such as Censornet’s advanced Email Security, Multi-factor Authentication and Cloud Access Security Broker solutions, can help tackle the growing complexity of increasingly sophisticated targeted attacks.
According to Osterman Research, “In security and compliance areas, more focused third-party providers are likely to offer better capabilities than relying solely on what Microsoft has to offer.”
Many organisations using Microsoft 365 that lack modern, layered email protection have found advanced phishing emails still reaching the inboxes of high-value senior targets and of HR and finance teams.
With the right email security in place, it is possible to significantly reduce, or even completely stop, these malicious emails reaching the inbox, so that staff can be assured that the emails they receive are legitimate.
When it comes to protecting user accounts from unauthorised access, Multi-Factor Authentication (MFA) can add an extra layer over and above the venerable password, intelligently challenging users when risk is high.
File sharing is essential for today’s distributed workforce. Once suitable protection is in place for accounts, the next step is to apply controls to actions in applications to prevent accidental sharing or intentional unauthorised exfiltration of data with a Cloud Access Security Broker (CASB).
Even better, manage all these security tools in one integrated cloud security platform.
For more information on how to protect yourself from Microsoft 365 security weaknesses, visit our How to Secure Microsoft 365 hub.