
What’s the experts’ take on email risk in Microsoft 365?

by Marcus White
Published on 20th Jun 2022

Microsoft has successfully disrupted the traditional email security market and its native security capabilities are enough to match the features and functionality of many secure email gateways on the market. But where do its weaknesses lie? And how can organizations augment Microsoft 365 against more advanced threats?

This is what three cybersecurity experts have set out to answer in our latest report: “Cybersecurity experts’ views on email within Microsoft 365”. We’ve picked out some quotes here from Lisa Forte (Co-founder, Red Goat Cyber Security LLP), Robin Bell (CISO, Egress Software Technologies), and Jack Chapman (VP of Threat Intelligence, Egress Software Technologies).

For the full range of insight and opinion, download your full report to keep.

A platform with strengths and weaknesses

Over one million companies across the world are using Microsoft 365, meaning it controls nearly half of the office productivity software market. Robin Bell explains what this means for email security: “Microsoft 365 has been widely adopted by many organizations globally, from sole-trader businesses up to multi-national conglomerates. It therefore has to cater to the needs of all these organizations with advanced features in an easy-to-use package.

“A key strength of it being so widely used is that the Microsoft engineering teams have visibility of a high volume of attack strategies and have the resources to invest at an enormous scale. If there are potential security incidents, then Microsoft 365 administrators are notified and can investigate.

“However, there are some weaknesses. Microsoft 365 does provide some user notifications but they are not very rich in information when it comes to things like phishing emails. Reporting is also somewhat limited to understand the level of risk to a business from phishing emails.”

Sophisticated phishing threats

According to Microsoft’s New Future of Work report, 80% of security professionals have experienced an increase in security threats since shifting to remote work. Of this 80%, 62% say phishing campaigns have increased more than any other type of threat. This was backed up by Lisa Forte’s personal experience: “I’ve seen a huge increase in phishing emails and SMS messages over the past year.

“Covid played a major role in this, firstly because of the uncertainty it created and secondly because of the amount of e-commerce it drove. The latter means we constantly had deliveries, online vaccine bookings, and notifications about social distancing all sent to us with links.

“We became desensitized to seeing Zoom links and SharePoint links to things we needed for work as we’d moved to the cloud. All these things present huge opportunities for attackers. Covid was probably the best thing that could have happened to organized crime groups.”

Outbound risk – not to be underestimated

Data from our 2021 report Preventing outbound data loss in Microsoft 365 showed that 85% of organizations using Microsoft 365 had suffered outbound email data breaches. We asked the experts whether organizations are neglecting outbound risk. For Jack Chapman, the answer was clear: “It’s part of the challenge that organizations segment inbound and outbound email risks from each other, rather than looking holistically at ‘email risk’.

“With outbound risks in particular, people often underestimate the damage that can occur from a mistake, rather than something malicious. This has a greater impact on the evaluation of outbound risks versus inbound risks.”

Augmenting Microsoft 365

So what can businesses do to augment their Microsoft 365 defenses? Lisa Forte offered one solution: “Focus on the ‘human activated risks’. We want to see layers of security starting with training our employees in a more engaging way than we currently are.

“We need to reinforce this training and back it up with more intelligent email security tools to catch the moments when someone makes a mistake. The key to success is that, ultimately, any tool or service you deploy has to be user friendly and frictionless. Otherwise, corners get cut and you are back to the start!” 

This was just a snippet of the insight offered by the experts – get your own copy for the full interviews.
