How Microsoft 365 Affects Digital Workplace Security
Securing data has long been a concern for companies, but as cyber incidents continue to multiply, new tools and functionalities emerge. And as remote work becomes more commonplace, the risks are increasing.
Millions of companies worldwide currently use the Microsoft 365 suite, with over 879,851 of them in the US alone, according to Statista. The software suite now dominates the enterprise productivity space along with Google Workspace (formerly G-Suite), but keeping these apps and tools safe from attack or misuse is becoming increasingly difficult.
When Microsoft first announced the newly minted product in July 2017, it heralded it as a "fundamental shift" in how it addressed customer needs. Microsoft 365 bundled together the Office 365 and Windows 10 functionality with Enterprise Mobility and Security. In the years since, new functionality has been added to address customer needs, but that growing sprawl has made it potentially more unwieldy to manage.
A False Sense of Security?
The main challenge with Microsoft 365 is that it is composed of a bundle of services that include Office 365, Windows 10 Enterprise and Teams — all widely used tools. Of course, Microsoft environments are not the only ones under pressure, but recent Hornetsecurity research shows the sheer scope of users on this platform is amplifying the risk.
For instance, nearly half of workers report sending sensitive information to their colleagues or co-workers through Teams, and 51% say they share business-critical information. Over two-thirds (70%) of users send direct messages rather than communicating in group channel conversations, and 48% have accidentally sent messages containing sensitive information in the wrong channel.
But these aren't so much tool issues as they are user challenges. Hornetsecurity CEO Daniel Hofmann said Microsoft 365 has engendered a certain laxity among security professionals.
“If anything, IT pros have a false sense of security,” he said. “A quarter [of the 2,000 IT pros surveyed] either don’t know or don’t think Microsoft 365 data can be affected by ransomware.”
Meanwhile, attacks on businesses are increasing, and there is a significant lack of awareness and preparation by IT pros. According to the research, 40% of IT professionals that use Microsoft 365 in their organization admitted they do not have a recovery plan in case their Microsoft 365 data is compromised by a ransomware attack.
The Full Enterprise Impact
Doug Saylors, partner and lead of the cybersecurity practice at ISG, said Microsoft 365 has changed the way cybersecurity is done in many organizations. He argues that the adoption of core Microsoft 365 components — e.g., email, SharePoint and Teams — has allowed organizations to streamline security controls by using a common platform for these applications.
These aspects were previously dispersed across multiple support teams (e.g., end user, knowledge management and network), and each had individual processes and tool biases. But advancements in the Microsoft security stack available through an E5 subscription and bolt-ons have provided tremendous gains for organizations that invest the time and resources to fully utilize the technology, Saylors said.
An example is Microsoft Defender Portal, which provides advanced capabilities, including threat hunting across Office 365, endpoints and cloud platforms while adding insider threat protection and identification of compromised identities within Azure AD.
“While enterprises are slow to adopt some of these capabilities due to investments in other technologies and the need to scale for multi-cloud estates, the gains for SMBs are substantial, resulting in increased adoption with quick expansion of security capabilities,” Saylors said.
Microsoft 365 Requires Rethinking the Tech Stack
While Microsoft 365 is marketed as a cloud-based office suite, Will Heineman, director at Philadelphia-based Security Risk Advisors, said it is much more than that. In his view, it represents an entirely new way of thinking about enterprise technology solutions.
The many levels provided by Microsoft 365 each come with a variety of IT and security features, and some of those may overlap with existing solutions. For example, organizations that purchase an E5 license gain access to Defender for Endpoint, which can replace existing EDR (Endpoint Detection and Response), anti-virus and anti-malware solutions.
Heineman offers three security considerations for companies that use or plan to use Microsoft 365:
- Configuration: Perform a Microsoft 365 Security Hardening assessment using CIS (Center for Internet Security) or similar frameworks to validate the environment is properly configured.
- MFA: Enable multi-factor authentication on all accounts to decrease the likelihood of unauthorized access.
- Azure: Set up Azure Sentinel to manage and respond to Security Events in your environment.
Shared Responsibility
According to Skyhigh Security’s chief technologist Vishwas Manral, because Microsoft 365 is among the most widely used and successful enterprise SaaS applications, many enterprises forget that securing it is part of a shared responsibility model — between them and Microsoft.
While Microsoft takes care of the infrastructure and the security of Microsoft 365 (which before adoption is the enterprise’s responsibility), the enterprise must make sure to take care of security in Microsoft 365. Enterprises, Manral said, are not off the hook for security.
“It is the enterprise’s responsibility to capture audit-trails of all users, correctly configure Office 365, continuously check security posture, ensure that sensitive data is not lost, detect any insider threat activity and enforce data sharing policies,” he said.
About the Author
David is a full-time journalist based in Ireland. A partisan of ‘green’ living and conservation, he is particularly interested in information management and how enterprise content management, analytics, big data and cloud computing impact on it.