In CoreView’s recent survey Security Benchmark Report on Microsoft 365, researchers studied the Microsoft 365 usage of over 1.6 million users. The results are shocking.
There were significant security issues with every single organization in the study. Of the organizations studied, 90 percent struggled with password policies, multi-factor authentication, email security, and failed logins. Even in the remaining 10 percent, all organizations struggled with at least two of those issues.
Disuse of Microsoft 365 was also strangely common among the study’s sample. Thirty-five percent of users did not access Teams, 53 percent did not access OneDrive, and 15 percent did not access Exchange. These data vary greatly across companies, industries, and job roles.
Common security mistakes
Researchers found the most common password policy mistakes: weak passwords and no password expiration date. These issues were usually not company-wide, with most users setting strong passwords even if it wasn’t required. That said, 83 percent of the organizations surveyed did not require strong passwords for all employees, so some weak passwords were sure to slip through in all of them.
Multi-factor authentication (MFA) was also disabled for many users. At least one admin had MFA disabled in 87 percent of organizations in the study.
Possibly as a result of weak password security, emailed malware was relatively common. Twenty-five percent of companies surveyed had an email with detectable malware sent within a week of the survey, and ten percent had 25 or more detectable malware events. According to the researchers, there was also an average of 140,433 failed logins per company per week, which is about 14 times the amount expected from legitimate mistakes. The rest, according to the researchers, come from purposeful attacks.
The news that every company studied was both deficient in security and constantly under attack may be alarming. It should be, but the good news is that the solution is somewhat simple.
The first two common mistakes (weak passwords and single-factor authentication) are the simplest to fix. Simply requiring strong passwords and multi-factor authentication (at least of admins) will completely close these security loopholes.
Malware is a more complicated issue to solve. Because most of it appeared over email in the study, simply limiting the amount that employees contact out-of-company emails with their work email addresses can limit exposure to malware. However, some job roles cannot avoid large amounts of outside contact and may inevitably run into malware. For these employees, training on how to avoid accessing malware may be a better method of preventing security breaches than simply trying to keep them away from it.
The last major issue the study noted was that the surveyed companies were constantly under attack. While it is almost impossible to prevent cyberattacks, it is possible to prevent their success. Requiring password expiration policies, strong passwords, and multi-factor authentication can provide greater protection against security breaches than an organization would otherwise have. This combined solution may be inconvenient but less inconvenient than a security breach.