A panel of cyber security experts has voiced concerns about several threats related to the use of Microsoft 365.
While the experts have not issued dire warnings, they have expressed reservations. The threat analysis has been compiled by leading experts in cyber security.
Lisa Forte is the co-founder of Red Goat Cyber Security LLP, Robin Bell is the Chief Information Security Officer (CISO) at Egress, and Jack Chapman is the VP of Threat Intelligence at Egress. Their collective insights provide both the context behind the perceived risks and recommendations for CISOs to reduce inbound and outbound risk, protecting their people, organisation and customers.
Alongside their analysis, Egress, a provider of intelligent email security, has issued a report identifying a number of security risks facing users of Microsoft 365, which, along with its suite of tools, is expected to be relied upon by more than one million companies and over 250 million users.
Vulnerable to advanced threats
Overall, the expert panel felt that Microsoft 365’s native security capabilities offer good basic email protection against phishing, plus data loss prevention (DLP) tools for handling outbound data loss. However, the group also believes that gaps remain which require enhanced protection against highly advanced inbound phishing threats, and against outbound data loss and exfiltration events that cannot be reduced by static DLP.
“Microsoft’s protection now rivals Secure Email Gateways (SEGs), but there remain substantial gaps in its email security. Both Microsoft and SEGs struggle to detect the most sophisticated social engineering attacks,” said Jack Chapman, Egress VP of Threat Intelligence. “Topping the list are threats that target and exploit individuals such as phishing attacks, and outbound risks such as data loss caused by human error or intentional exfiltration. CISOs must evaluate their level of protection and augment their existing email security with additional layers of technology where required, to protect their employees and their data.”
According to the 2022 Egress report, over the past 12 months, 85% of organisations were victims of phishing, 60% of organisations were hit by ransomware and 40% of organisations had credentials stolen.
Snapshot of Email Risks in Microsoft 365
Phishing: credential theft, leakage of sensitive or regulated data, directing users to malicious URLs, requesting multi-factor authentication (MFA) codes, and ransomware.
Human error: autocomplete selecting the wrong email recipient; complex, manual management of customizations and settings.
Data exfiltration: deliberate acts for as-yet-unknown use cases that are not covered by policies.
Reporting: limited visibility when seeking to understand the level of risk from phishing emails.
CISO Recommendations
The Egress report offers a number of key recommendations, beginning with a question – how much do I understand? The guidance is framed by the observation that any tool or service is more easily deployed when it is user-friendly and frictionless.
Understanding begins with CISOs, who must analyze the risks their organisation faces in order to prioritize the right layers of security across people, technology, and processes. Further, they must understand the limits of Microsoft 365 and avoid a cookie-cutter cyber approach.
A comprehensive, holistic view of the risk is invaluable to identify the products that will complement and seamlessly integrate into the business environment to manage and reduce risks, the report said. This approach must also extend to employees. To reduce human-activated risk, businesses need to reinforce widespread staff training and back it up with intelligent email security tools to catch moments when employees are prone to making mistakes.