When Office 365 Security Just Isn’t Enough
Every piece of software has a quirk here and there. I haven’t found ours yet. Office 365, due to its large install base, is no different. Office 365 incurs 10 million login attempts every day. But that’s just attempts. The behemoth does place a high priority on security and, of course, if Microsoft is taking care of maintaining and updating servers and applications for us, we can assume the servers are in a safe place from attack – we hope.
A report by Skyhigh Networks, analyzing usage of over 20,000 cloud services, found that 58.4 percent of sensitive data in the cloud is stored in Office documents. OneDrive for Business has the highest penetration rate, with 79.1 percent of organizations possessing at least 100 users. OneDrive for Business also has the highest usage rate, with 18.6 percent of all enterprise employees actively using it. Exchange Online has the second highest penetration rate – 66.9 percent of enterprises have at least 100 users. However, while Skype for Business is used by fewer enterprises, more users are using cloud-based Skype for Business than Exchange. Take a step back, we have now identified three critical areas that may have vulnerabilities waiting to be exposed. Where are you going to focus your efforts?
What are the stats?
To start, the average organization experiences 2.7 actual threats every month. Does yours? Do you know about them? Skyhigh Networks was kind enough to break down the categories of breaches.
- 1.3 compromised accounts each month – such as an unauthorized third party logging in to a corporate Office 365 account using stolen credentials
- 0.8 insider threats each month – such as a user downloading sensitive data from SharePoint Online and taking it with them when they join a competitor
- 0.6 privileged user threats each month – such as an administrator provisioning excessive permissions to a user relative to their role
The average organization generates 5.4 million user events each month within Office 365. IT staff must employ intelligence and sometimes even gut feeling to attempt to address a miniscule number of the vulnerabilities – in other words, they are constantly bombarded. Sadly, the average enterprise has 204 files that contain password in the file name stored in OneDrive for Business – an increase from the 143 files in Q3 2015. Do you use tools to assist in the identification and remediation of threats? Are your end users trained on how to spot confidential information and protect it?
What is the mix of events every month?
- 9.4 percent of data is confidential – financial records, business plans, source code, trading algorithms
- 4.1 percent of data contains personally identifiable information – social security numbers, taxpayer identification numbers, phone numbers, date of birth details
- 1.9 percent of data contains protected health information – patient diagnoses, medical treatments, medical record identification numbers
- 1.7 percent of data contains payment information – credit card numbers, debit card numbers, bank account numbers
Based on this information then, we can find several areas to improve organizations’ security posture, and perhaps whittle down the number of events they experience. We now know Exchange, OneDrive for Business, and to a lesser extent Skype for Business seem to be easily accessible and somewhat defenseless in warding off data breaches. We also know what types of confidential information that internal and external actors are seeking. Finally, we can strongly infer that perhaps end users may need some policies, procedures, and training to help reduce, if not eliminate, exposure of data to unauthorized staff or third parties.
Even if you try to address these areas, you still face an uphill battle. One shared attribute of all the different security scenarios is getting down to the nitty-gritty – what is in the content that must be protected. We call this content in context. Rather than create expressions until you start dreaming about them, you can use a tool, such as ours, that will proactively find, secure, remediate, and notify – all in real time, mind you – any combination of words, phrases, concepts, subjects, or topics in a simple rule-building tool, designed for business professionals.