LONDON, UK – 21st June 2022 – Egress, the leading provider of intelligent email security, has today issued a report identifying a number of security risks facing users of Microsoft 365, which, along with its suite of tools, is expected to be relied upon by more than one million companies and over 250 million users.
The threat analysis has been compiled by leading experts in cyber security: Lisa Forte, co-founder of Red Goat Cyber Security LLP; Robin Bell, Chief Information Security Officer (CISO) at Egress; and Jack Chapman, VP of Threat Intelligence at Egress. Their collective insights provide context for the perceived risks as well as recommendations for CISOs to reduce both inbound and outbound risk, protecting their people, organization and customers.
Overall, the expert panel felt that Microsoft 365's native security capabilities offer good basic email protection against phishing, and data loss prevention (DLP) tools for dealing with outbound data loss. However, the group also believes that enhanced protection is still required against highly advanced inbound phishing threats, and against outbound data loss and exfiltration events that cannot be reduced by static DLP.
“Microsoft’s protection now rivals Secure Email Gateways (SEGs), but there remain substantial gaps in its email security. Both Microsoft and SEGs struggle to detect the most sophisticated social engineering attacks,” said Jack Chapman, Egress VP of Threat Intelligence. “Topping the list are threats that target and exploit individuals such as phishing attacks, and outbound risks such as data loss caused by human error or intentional exfiltration. CISOs must evaluate their level of protection and augment their existing email security with additional layers of technology where required, to protect their employees and their data.”
Snapshot of Email Risks in Microsoft 365
- Phishing: credential theft, leakage of sensitive/regulated data, navigating users to malicious URLs, requesting multi-factor authentication (MFA) codes, and ransomware.
- Human error: autocomplete of the incorrect email recipient, and complex, manual management of customizations and settings.
- Data exfiltration: deliberate acts of exfiltration for as yet unknown use cases that are not covered by policies.
- Reporting: limited visibility when seeking to understand the level of risk from phishing emails.
Microsoft 365 - CISO Security Recommendations
To CISOs responsible for the safe deployment and use of Microsoft 365, the Egress report offers a number of key recommendations, beginning with a question: how much do I understand? Framing this guidance is the observation that any tool or service is more easily deployed when it is user-friendly and frictionless.
Understanding begins with CISOs, who must analyze the risks their organization faces in order to prioritize the right layers of security across people, technology, and processes. Further, they must understand the limits of Microsoft 365 and avoid a cookie-cutter approach to cyber security. A comprehensive, holistic view of the risk is invaluable for identifying the products that will complement and seamlessly integrate into the business environment to manage and reduce risk.
This approach must also extend to employees. To reduce human-activated risk, businesses need to reinforce widespread staff training and back it up with intelligent email security tools that catch the moments when employees are prone to making mistakes.
According to the 2022 Egress report, Fighting Phishing: The IT Leader's View, over the past 12 months 85% of organizations were victims of phishing, 60% were hit by ransomware, and 40% had credentials stolen.