Padlock on a rusty chain between two poles

How Microsoft 365 Affects Digital Workplace Security

October 26, 2022 Information Management
David Barry
By David Barry

Securing data has long been a concern for companies, but as cyber incidents continue to multiply, new tools and functionalities emerge. And as remote work becomes more commonplace, the risks are increasing.  

Millions of companies worldwide currently use the Microsoft 365 suite, with over 879,851 of them in the US alone, according to Statista. The software suite now dominates the enterprise productivity space along with Google Workspace (formerly G-Suite), but keeping these apps and tools safe from attack or misuse is becoming increasingly difficult.

When Microsoft first announced the newly minted product in July 2017, it heralded it as "fundamental shift" in how it addressed customer needs. Microsoft 365 bundled together the Office 365 and Windows 10 functionality with Enterprise Mobility and Security. In the years since, new functionality has been added to address customer needs, but that growing sprawl has made it potentially more unwieldy to manage.

A False Sense of Security?

The main challenge with Microsoft 365 is that it is composed of a bundle of services that include Office 365, Windows 10 Enterprise and Teams — all widely used tools. Of course, Microsoft environments are not the only ones under pressure, but recent Hornetsecurity research shows the sheer scope of users on this platform is amplifying the risk.

For instance, nearly half of workers report sending sensitive information to their colleagues or co-workers through Teams, and 51% say they share business critical information. Over two-thirds (70%) of users send direct messages rather than communicating in-group channel conversations, and 48% have accidentally sent messages containing sensitive information in the wrong channel.

But these aren't so much tool issues as they are user challenges. Hornetsecurity CEO Daniel Hofmann said Microsoft 365 has engendered a certain laxity among security professionals.

“If anything, IT pros have a false sense of security," he said. "A quarter [of the 2,000 IT pros surveyed] either don’t know or don’t think Microsoft 365 data can be affected by ransomware."

Meanwhile, attacks on businesses are increasing, and there is a significant lack of awareness and preparation by IT pros. According to the research, 40% of IT professionals that use Microsoft 365 in their organization admitted they do not have a recovery plan in case their Microsoft 365 data is compromised by a ransomware attack.

Related Article: How Security Technology Enables the Digital Workplace

The Full Enterprise Impact

Doug Saylors, partner and lead of the cybersecurity practice at ISG, said Microsoft 365 has changed the way cybersecurity is done in many organizations. He argues that the adoption of core Microsoft 365 components — e.g., email, SharePoint and Teams — has allowed organizations to streamline security controls by using a common platform for these applications.

These aspects were previously dispersed across multiple support teams (e.g., end user, knowledge management and network), and each had individual processes and tool biases. But advancements in the Microsoft security stack available through an E5 subscription and bolt-ons have provided tremendous gains for organizations that invest the time and resources to fully utilize the technology, Saylors said.

An example is Microsoft Defender Portal, which provides advanced capabilities, including threat hunting across Office 365, endpoints and cloud platforms while adding insider threat protection and identification of compromised identities within Azure AD.

“While enterprises are slow to adopt some of these capabilities due to investments in other technologies and the need to scale for multi-cloud estates, the gains for SMBs are substantial, resulting in increased adoption with quick expansion of security capabilities,” Saylors said.

Related Article: Cybersecurity Isn't an IT Risk, It's a Business Risk

Microsoft 365 Requires Rethinking the Tech Stack

While Microsoft 365 is marketed as a cloud-based office suite, Will Heineman, director at Philadelphia-based Security Risk Advisors, said it is much more than that. In his view, it represents an entire new way of thinking about enterprise technology solutions.

The many levels provided by Microsoft 365 each come with a variety of IT and security features, and some of those may overlap with existing solutions. For example, organizations that purchase an E5 license gain access to Defender for Endpoint, which can replace existing EDR (Endpoint Detection and Response), anti-virus and anti-malware solutions.

Heineman offers three security considerations for companies that use or plan to use Microsoft 365:

  1. Configuration: Perform a Microsoft 365 Security Hardening assessment using CIS (Center for Internet Security) or similar frameworks to validate the environment is properly configured.
  2. MFA: Enable multi-factor authentication on all accounts to decrease the likelihood of unauthorized access.
  3. Azure: Set up Azure Sentinel to manage and respond to Security Events in your environment.

Related Article: Are Your Risk Assessments Reliable?

Shared Responsibility

According to Skyhigh Security’s chief technologist Vishwas Manral, because Microsoft 365 is among the most widely used and successful enterprise SaaS applications, many enterprises forget that securing it is part of a shared responsibility model — between them and Microsoft.

While Microsoft takes care of the infrastructure and the security of Microsoft 365 (which before adoption is the enterprise’s responsibility), the enterprise must make sure to take care of security in Microsoft 365. Enterprises, Manral said, are not off the hook for security. 

“It is the enterprise’s responsibility to capture audit-trails of all users, correctly configure Office 365, continuously check security posture, ensure that sensitive data is not lost, detect any insider threat activity and enforce data sharing policies,” he said.


Featured Research

Related Stories

bird feeding out of a person's hand, suggesting trust and care

Information Management

Why Responsible AI Should Be on the Agenda of Every Enterprise

Two dogs in robber masks

Information Management

Insider Risk: What Hybrid Companies Need to Know — and Do

tandem skydiving with what looks like a very tiny parachute

Information Management

Can You Trust Zero Trust Networks in the Remote Workplace?

Join Top Industry Leaders at the Most Impactful Employee Experience and Digital Workplace Conference of 2023

Reworked Connect