Skip to Content
Cybersecurity professional talking to colleagues about Microsoft 365.

Microsoft 365 & cybersecurity: Is your environment as secure as you think?

May 23, 2023 / 5 min read

Many companies use one or more cloud-based business and productivity apps, but most organizations haven’t properly secured them. Don’t put cybersecurity at risk by using out-of-the-box default settings. A Microsoft 365 assessment can help.

If your business uses Microsoft 365 apps, including Outlook, OneDrive, Teams, SharePoint, or Azure, you’re in good company. Microsoft’s suite of business tools is used by over 1 million organizations worldwide. And although so many companies rely on one or more of the platform’s apps, you might be surprised to learn that most organizations haven’t properly secured them.

As with any IT tool, there’s an inherent tradeoff when it comes to Microsoft 365 cybersecurity, and organizations must balance functionality and access so your staff can efficiently carry out their work without increasing cybersecurity risks. Consider Outlook for a moment, essentially the front door to your organization — a mega-highway in and out that’s used hundreds of times each day across most if not all functions companywide. Like many MS 365 apps, Outlook email has become a critical part of everyday business, in part because it’s easy to get up and running; staff can have access on day one.

But optimizing each app, securing it, and systematically enabling heightened controls takes longer. Measures like setting limits on the number of log-in attempts, attachment and file-share size limits, and alerts on suspicious messages? We see far too many well-intended IT departments overlook these additional options, sticking with out-of-the-box default settings.

Cyberattacks exploit gaps in MS 365 deployments

Cyberattacks continue to trend upward, with hackers growing ever more organized and sophisticated in their approaches. Any cloud-based email solution and other business and productivity apps create risk. Since Office 365 is so widely used, it’s no surprise cybercriminals have become good at seeking out organizations’ gaps and vulnerabilities.

Cyberattacks aren’t always against targeted, well-researched organizations; hackers regularly use brute force attacks and social engineering tactics to gain access to vulnerable systems. Hackers with readily accessible technology can try billions of keystroke combinations — in seconds — to crack a password. By default, MS 365 doesn’t limit login attempts, so if you haven’t set up your system properly, you won’t know it’s happening. That said, many companies don’t want to limit login attempts because it can add help-desk time when employees have trouble logging in, but consider the tradeoff of a successful cyberattack.

Phishing and ransomware are among the greatest threats, and they primarily come through email. Once an attacker gains access to your organization’s email system, they have a much easier time getting into your VPN (virtual private network) or your primary network. Then they can make changes, run malicious scripts, modify your employees’ inboxes, and a host of other things you don't want anyone to do.

But it’s not only email that can make your business vulnerable. With SharePoint or Azure, if a user account with administrative credentials is compromised, a bad actor can get in and modify infrastructure; in the case of Azure, publicly accessible storage accounts and other applications can be compromised.

You may think your organization is completely protected by multifactor authentication (MFA). MFA used to be an effective solution — even if an employee were phished, MFA would prevent an unauthorized login. Today, depending on how you set up MS 365, cybercriminals could employ several techniques to hijack or circumvent MFA.

Social flares and social engineering are another common springboard to an attack on your organization — in fact, 98% of successful cyberattacks start this way. Again, once hackers gain a foothold inside your system, they can launch additional attacks — deploy ransomware, spoof, or crack key employees’ passwords to gain access to sensitive information.

Since so many attacks begin on the social side, user awareness is critical, but so too is locking down your system, closing the gaps to bar virtual entrances from unwanted visitors. A stronger Office 365 environment and limiting what your users can do on the front end will strengthen your organization’s overall cyber defenses against the biggest threats.

A stronger Office 365 environment and limiting what your users can do on the front end will strengthen your organization’s overall cyber defenses against the biggest threats.

All organizations need to consider MS 365 cybersecurity

Over one million organizations — around 46% of the global market — and 95% of the Fortune 500, use MS 365.

We’ve received many panicked phone calls. We’ve seen companies in which a spoofed email convinced an employee to change vendor payment data, diverting more than $1 million to the thief’s account — all from a single email sent from a compromised account. Another company lost $3 million — and a church, $1 million — funds they likely won’t recover.

Our words of warning are this: Set up more controls and strengthen your MS 365 environment to make it much harder for bad actors.

Don’t be lulled into a false sense of security with your MS 365 settings

Your environment isn’t as secure as you think. It’s easy to overlook many simple steps and features to make your system safer. Additionally, business leaders too often trust without verifying the degree of security their IT team believes it has established.

Don’t be lulled into a false sense of security with your MS 365 settings. Your environment isn’t as secure as you think.

An MS 365 assessment is a key step in your organization’s IT and cybersecurity. Assessments are essential to identify gaps and vulnerabilities in your Office 365 environment. An MS 365 assessment also provides you with documentation you can show to auditors and that can potentially lower cyber insurance premiums.

Critical areas of an MS 365 assessment

Our assessment covers seven crucial areas, using a combination of evaluation tools, testing, and a physical audit of the environment to assess your MS 365 deployment. Our assessment also includes related business processes and user awareness, because you can’t look at a platform like MS 365 in isolation; it requires holistically addressing people, process, and technology.

You can’t look at a platform like MS 365 in isolation; it requires holistically addressing people, process, and technology.

As part of our assessment, you receive a technical report that identifies weaknesses, threats, and misconfigurations created by using MS 365 default settings as well as other settings that can tip the risk-value balance, based on your industry and organization type, to enhance the security posture of your Office 365 environment. The report assesses the maturity of your platform deployment and level of risk, with an overview and detailed analysis.

We review our findings with you and provide recommendations and next steps that align with your business priorities and your organization’s risk tolerance.

Doing business involves risk, and business leaders can’t leverage opportunity without it. But leaving MS 365 and other cloud-based app settings and controls in default mode is usually not a calculated risk organizations will want to take. Don’t wait to close the gaps, secure your environment, and optimize the MS 365 platform for your organization.

How strong is your MS365 cybersecurity protection? Answer these questions to receive a custom, complimentary benchmarking report.  

Related Thinking

Business professionals meeting around a table discussing risk, opportunity, and growth.
March 15, 2023

Lean into risk: Break barriers to opportunity and growth

Article 6 min read
Image of a digital LED wall
November 17, 2022

Seven-point cybersecurity assessment: Identify your organization’s digital risks

Article 3 min read
Hands typing on laptop computer.
September 29, 2023

Think cybersecurity is just an IT responsibility? Think again

Article 5 min read