
Microsoft Office 365 IT Security Policies Need Work, Research Finds


Microsoft Office documents hold 58.4% of enterprises’ critical data. The problem too few talk about is that this data is too rarely fully protected, and the O365 environment itself is commonly left at risk.

Much of this is because O365 doesn’t come with a full complement of built-in protections or security policies. Just as scary, IT organizations don’t always do all they can to safeguard the tenant from their end.

CoreView wanted to know more, and researched more than five million workers from enterprises running on M365 that either actively use CoreView’s SMP, have received a complimentary CoreView Office 365 Health Check analysis, or use our free version, CoreDiscovery.

The report, “Global Microsoft 365 Report: Application Security, Data Governance and Shadow IT”, finds shortcomings in data governance, which tends to be reactive rather than proactive, and too little attention paid to application security strategies. Read the full report here.

Here is what they should be doing instead. “Organizations today need to provide workers with technology and tools for the digital workplace while ensuring their enterprise data is protected. CoreView’s research indicates that enterprises are failing at M365 governance and security,” said Michael A. Morrison, chief executive officer at CoreView. “Enterprises must ensure they have the processes and tools, including CoreView, in place to help securely migrate and operate within the world’s leading SaaS productivity platform, M365.”

Pay Attention to O365 Security Best Practices

Taking proper steps vastly boosts O365 security. Unfortunately, many enterprises don’t implement basic security practices. For instance, 78% of O365 administrators do not have multi-factor authentication (MFA) activated. That’s a huge problem. According to the SANS Software Security Institute, 99% of data breaches can be prevented using MFA. If a hacker cracks an admin account, they have the keys to your entire O365 kingdom.

At the same time, O365 administrators are given excessive control and rights. In fact, 57% of global organizations have M365 administrators with excess permissions to access, modify, or share critical data. Moreover, 36% of O365 administrators are Global Admins, giving them full access to the tenant. Finally, 17% of O365 admins are Exchange admins, meaning they can see and do whatever they want on any employee’s inbox, including the CEO’s.

Microsoft and CIS advise having only 2-4 Global Admins per tenant.

The Problem with O365 Guest Users

External users, those non-employees invited into the Office 365 tenant, may not have as many rights as full-time employees, but the malicious or negligent ones can quickly become a dangerous internal security threat.

CoreView research finds that 1 in 5 users in enterprise O365 environments is a guest user. Meanwhile, 70% of guest users are inactive; they create unnecessary risk and cost for the organization and should be removed.

The actions that external users can perform are what make them so dangerous. “An external user is authenticated when they have an identity account that can be Microsoft 365, or a different provider like Gmail. These people can work on your documents as well as be part of your M365/O365 groups. An anonymous user can access a folder or document through a shareable link, and view these documents without logging in with a user name and password,” explained David Mascarella, CoreView Chief Global Strategist. “That makes this kind of collaboration very dangerous. External user accounts, for instance, cannot match your password security policy. And those credentials can be used to log in to multiple end user cloud services that are easier to hack.”

How CoreView Secures External Users

CoreView addresses all these problems through a workflow that can be used to require detailed information when an external user is invited, such as department, company, manager, country and a validity period. CoreView then takes care of removing the invited user or renewing the account based on a customizable approval process. CoreView automation can also be used to identify external users who have been inactive for the last 60 days and automatically start an approval-based cleanup process.

Any external user is an additional endpoint to your tenant – keeping them active indefinitely is a common bad practice that can be easily addressed with CoreView.
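Added example, not CoreView’s code or part of the report: a Microsoft Graph PowerShell audit that checks the three findings discussed above on your own tenant, the Global Administrator headcount against the 2-4 guidance, admins without a registered MFA method, and guest accounts with no sign-in in the last 60 days. It assumes the Microsoft Graph PowerShell SDK is installed, the account running it holds read-only directory and audit-log permissions, and the tenant is licensed for sign-in activity reporting (Microsoft Entra ID P1/P2); the thresholds are parameters so you can match your own policy.

```powershell
# Audit script (added example, not CoreView's or Microsoft's code).
# Assumes: Microsoft.Graph.Identity.DirectoryManagement, Microsoft.Graph.Users and
# Microsoft.Graph.Reports modules; read-only Graph scopes; Entra ID P1/P2 licence
# (needed for signInActivity). Thresholds below are the ones quoted in the article.
param([int]$InactiveDays = 60, [int]$MinGlobalAdmins = 2, [int]$MaxGlobalAdmins = 4)

Connect-MgGraph -Scopes "Directory.Read.All","User.Read.All","AuditLog.Read.All","UserAuthenticationMethod.Read.All"

# 1. Global Administrator headcount: too few is a lockout risk, too many widens the blast radius.
$role      = Get-MgDirectoryRole -Filter "displayName eq 'Global Administrator'"
$gaMembers = @(Get-MgDirectoryRoleMember -DirectoryRoleId $role.Id -All)
$gaStatus  = if ($gaMembers.Count -lt $MinGlobalAdmins -or $gaMembers.Count -gt $MaxGlobalAdmins) { "REVIEW" } else { "OK" }
Write-Output ("Global Admins: {0} ({1})" -f $gaMembers.Count, $gaStatus)

# 2. Admin accounts with no MFA method registered (the 78% finding).
$admins = @(Get-MgReportAuthenticationMethodUserRegistrationDetail -Filter "isAdmin eq true" -All)
$noMfa  = @($admins | Where-Object { -not $_.IsMfaRegistered })
Write-Output ("Admins without MFA registered: {0} of {1}" -f $noMfa.Count, $admins.Count)
$noMfa | ForEach-Object { Write-Output "  $($_.UserPrincipalName)" }

# 3. Guest accounts that have not signed in for $InactiveDays days. A guest that has
#    never signed in counts as inactive once the invitation itself is older than the cutoff.
$cutoff = (Get-Date).AddDays(-$InactiveDays)
$guests = @(Get-MgUser -Filter "userType eq 'Guest'" -All `
            -Property Id,UserPrincipalName,CreatedDateTime,SignInActivity)
$stale = @(foreach ($g in $guests) {
    $last = $g.SignInActivity.LastSignInDateTime
    if (($null -eq $last -and $g.CreatedDateTime -lt $cutoff) -or
        ($null -ne $last -and $last -lt $cutoff)) { $g }
})
Write-Output ("Inactive guests (> $InactiveDays days): {0} of {1}" -f $stale.Count, $guests.Count)

# Export the stale list for an approval-based cleanup rather than deleting automatically.
$stale |
    Select-Object UserPrincipalName, CreatedDateTime,
        @{ Name = 'LastSignIn'; Expression = { $_.SignInActivity.LastSignInDateTime } } |
    Export-Csv -Path ".\inactive-guests.csv" -NoTypeInformation
```

The script only reads; removal of the exported guests should go through the same approval step the article describes, since a guest with no sign-in may still be a valid partner contact.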


Get your O365 security profile free with our new CoreDiscovery solution. You can get the free software now at the CoreDiscovery sign-up page.

Or sign up for a personalized CoreView demo.
