Close Security Gaps by Taking Full Advantage of M365 Features

Is your organization taking full advantage of Microsoft 365’s security features?

A recent benchmark study of more than 1.6 million M365 users found shocking security gaps. Even fundamental security measures are not fully implemented in many organizations.

Only 17 percent of organizations required all employees to use strong passwords. Many also had multifactor authentication disabled. One-fourth of the organizations studied had allowed at least one malware-infected email to reach users within a one-week timeframe. On average, organizations had more than 140,000 failed login attempts each week, indicating that they were being targeted with brute-force attacks.

M365’s advanced security features often remain unused due to a lack of awareness, perceived complexity or a false sense of security. Many organizations face limitations in time, budget and skilled staff required for comprehensive security management. All in all, the researchers estimate that 90 percent of organizations are failing to utilize the M365 security capabilities they’re paying for.

Common Mistakes Can Create Big Problems

Misconfigurations are another common problem with M365 security features. In fact, Gartner found that 99 percent of M365 security breaches come down to excess permissions, disabled policies and other common mistakes.

Poor identity and access management practices play a role in 82 percent of security breaches. Within M365, overly permissive external sharing settings in SharePoint or insecure Teams guest access policies could expose an organization’s entire M365 environment. Organizations also struggle with a lack of visibility into user activity and don’t retain audit logs long enough to perform thorough forensic analysis after a breach is detected.

Even some IT pros mistakenly believe that Microsoft provides all necessary security by default. Default M365 settings are often configured for maximum collaboration and productivity, requiring organizations to manually adjust controls to meet their specific risk profile and regulatory requirements.

M365 Identities Need Strong Protection

Securing M365 starts with identity and access management. Because it is widely adopted and globally accessible, M365 is a frequent target of cybercriminals. Compromising one identity can provide access to privileged accounts and a wealth of sensitive information. Organizations should enable MFA across the M365 tenant and require the use of Microsoft Authenticator or another phishing-resistant authentication method. User training and monitoring of overall adoption help ensure the success of MFA rollouts.

Requiring strong passwords is also essential. Organizations can use the Microsoft Entra admin center to manage user passwords and enforce password policies. Windows Hello for Business is an enterprise-class passwordless authentication mechanism that can reduce friction among users.

Overly broad permissions can give attackers virtually unfettered access to M365 if they successfully hijack an account. Access should be strictly limited based on the individual user’s role. Organizations should also consider using risk-based conditional access to grant or deny access to certain resources based on user behavior and context. (Such policies should be implemented in report-only mode first to determine their impact.)
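
As an added example (not from the original article or from Microsoft), the script below audits an export of conditional access policies for the two points above: whether MFA is actually enforced tenant-wide, and which policies are still sitting in report-only mode. The sample data is constructed in the shape Microsoft Graph returns, the function names are hypothetical, and the check deliberately ignores exclusions and other narrowing conditions.

```python
import json

REPORT_ONLY = "enabledForReportingButNotEnforced"  # Graph state value for report-only mode

# Added example: constructed sample shaped like the "value" array from Microsoft Graph
# GET /identity/conditionalAccess/policies. Names and IDs are made up.
SAMPLE_EXPORT = json.loads("""[
 {"displayName": "MFA for admin roles", "state": "enabled",
  "conditions": {"users": {"includeUsers": [], "includeRoles": ["constructed-role-id"]},
                 "applications": {"includeApplications": ["All"]}},
  "grantControls": {"operator": "OR", "builtInControls": ["mfa"]}},
 {"displayName": "MFA for all users", "state": "enabledForReportingButNotEnforced",
  "conditions": {"users": {"includeUsers": ["All"]},
                 "applications": {"includeApplications": ["All"]}},
  "grantControls": {"operator": "OR", "builtInControls": ["mfa"]}},
 {"displayName": "MFA on risky sign-in", "state": "enabledForReportingButNotEnforced",
  "conditions": {"users": {"includeUsers": ["All"]},
                 "applications": {"includeApplications": ["All"]},
                 "signInRiskLevels": ["high", "medium"]},
  "grantControls": {"operator": "OR", "builtInControls": ["mfa"]}},
 {"displayName": "Block legacy clients", "state": "disabled",
  "conditions": {"users": {"includeUsers": ["All"]},
                 "applications": {"includeApplications": ["All"]}},
  "grantControls": {"operator": "OR", "builtInControls": ["block"]}}
]""")

def requires_mfa(policy):
    grant = policy.get("grantControls") or {}
    return "mfa" in (grant.get("builtInControls") or []) or bool(grant.get("authenticationStrength"))

def is_tenant_wide(policy):
    cond = policy.get("conditions") or {}
    users = (cond.get("users") or {}).get("includeUsers") or []
    apps = (cond.get("applications") or {}).get("includeApplications") or []
    # A risk condition narrows the policy to risky sign-ins, so it is not a baseline.
    risk = cond.get("signInRiskLevels") or cond.get("userRiskLevels")
    return "All" in users and "All" in apps and not risk

def audit(policies):
    findings = []
    enforced = [p for p in policies if p.get("state") == "enabled"]
    if not any(requires_mfa(p) and is_tenant_wide(p) for p in enforced):
        findings.append("no enforced policy requires MFA for all users and all apps")
    for p in policies:
        if p.get("state") == REPORT_ONLY:
            findings.append(f"report-only, logs but does not enforce: {p['displayName']}")
        elif p.get("state") == "disabled":
            findings.append(f"disabled: {p['displayName']}")
    return findings
```

Running `audit(SAMPLE_EXPORT)` shows the gap a stalled rollout leaves: the tenant has an all-users MFA policy on paper, but because it is still in report-only mode, only the admin-role policy is actually enforced.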

Protect Data, Defend Against Attacks

Data is a valuable asset, but organizations often lack clear policies governing data access. In one survey, 42 percent of data leaders said they did not have effective data management processes. Because M365 often holds an organization’s most business-critical information, it’s essential to use M365’s built-in tools to classify data and enforce data protection policies.

Of course, organizations should use all the tools at their disposal to protect against sophisticated attacks. When fully deployed and properly configured, Microsoft Defender provides layered protection against malicious content and advanced persistent threats.

M365 offers a robust, integrated security toolkit, but organizations are not leveraging its full potential. These gaps leave them vulnerable to a variety of cyber threats. The Verteks team is well-versed in all the features and capabilities of the M365 security suite and can help you implement and configure the tools your organization needs. Contact us to schedule a confidential consultation and assessment.

