Microsoft 365 (M365)—originally introduced as Office in 1990, rebranded as Office 365 in 2011 when the bundle moved to a cloud subscription model, and given its current name in 2020—is the leading productivity suite in the world today. It accounts for 48% of the global market, with 70% of Fortune 500 firms having licenses for M365. Companies worldwide have long relied on the traditional Office apps (Word, Excel, Outlook, and PowerPoint), but in recent years, they’ve come to also embrace the new collaboration tools of SharePoint, Teams, Exchange Online, and OneDrive to share documents, calendars, and ideas, and to work together in real time via chat, team workspaces, or audio/video conferencing. The pandemic led to an exponential expansion of these collaborative tools. From March to June 2020, Teams usage increased by 894%, and it more than doubled again, from 115 million active daily users in 2020 to 250 million in 2022.
Unfortunately, given the ubiquity of M365 within enterprises, it’s not surprising that it has become a prime target for attackers. Here are a few mind-boggling statistics about M365-related data breaches over the last couple of years:
- Eighty-five percent of organizations using Microsoft 365 have suffered email data breaches, and 6 in 10 ransomware attacks come via email.
- Organizations using Microsoft 365 are more likely to experience accidental email data leakage, with 26% reporting incidents caused by an employee sharing data in error via email, compared to just 14% of organizations without Microsoft 365.
- Forty-seven organizations exposed 38 million personal records due to a Power Apps misconfiguration.
Beyond the numbers, hackers are getting increasingly sophisticated. Recently, attackers targeting M365 users were able to craft specialized links that took users to their organization’s own email login page. After a user logged in, the link prompted them to install an innocuously named app that gave the attacker persistent, unfettered access to all of the user’s emails and files. That data was then interrogated to launch malware and phishing attacks against others. “Of those who got attacked, about 22% were successfully compromised,” said Ryan Kalember of Proofpoint. Considering all this distressing data on successful hacks and breaches, it is imperative to make this essential business suite as secure as it possibly can be.
To address these potentially devastating vulnerabilities, it is important to get recommendations and advice from trusted sources. Synopsys, one of the world’s leading application security testing providers with a highly regarded security consultancy, notes that although M365 is a business-critical application platform and a repository of confidential company data, it is often not given the level of security it should have. Synopsys therefore developed a service offering based on a proprietary framework that assesses risks, identifies deficiencies, recommends remediations, and develops metrics to track improvements, and then provides a roadmap for customers to follow to achieve a desired level of protection. There are several crucial elements in the Synopsys Microsoft 365 Security Assessment that should be considered by every organization serious about making M365 as secure as possible. The list of resources utilized and recommended to all organizations trying to secure M365 includes:
- The Center for Internet Security Microsoft 365 Foundations benchmark
- The Cybersecurity and Infrastructure Security Agency Secure Cloud Business Applications recommendations
- Microsoft’s own M365 security tools and other best practices