The expert view: Defending the cloud – bridging the Office 365 security gap

Often the driver behind a move to Office 365 is a desire to put the company’s email in the hands of the ‘experts’. After all, Microsoft are email experts, right? However, the criminals know that too, Adenike Cosgrove of Proofpoint told attendees during a recent Business Reporter briefing at London’s Savoy Hotel.

Criminals will craft phishing emails which exploit the fact that the target is on Office 365 – and that’s just one weakness. How do we benefit from moving office productivity software to Microsoft’s cloud without falling into the security gap?

Aiming for the clouds

Attendees were most likely to give cost as their reason for moving to Office 365. Office productivity is now a commodity, said an attendee from the insurance industry, so it is best to outsource it to someone who can provide it cheaply.

Another benefit is that it removes the need to upgrade. A cloud solution such as Office 365 keeps you up-to-date without requiring you to do anything. It is, as one attendee put it, “an evergreen path”.

In the public sector, one attendee said, a significant driver to Office 365 is that the existing infrastructure is simply broken. Updating it would either be too time-consuming or just not possible.

Considering the risks

A lot of businesses do not take even the basic security measures with Office 365, said a delegate from a university. He said his main problem is phishing attacks, adding that “there is a huge gap between people’s understanding of cybersecurity and the criminals’ ability to exploit it”.

All present saw phishing attacks as the key concern, certainly more than an attack on Microsoft itself, which is a target too big and secure for most criminals to bother with. Instead, they target the weakest point in the chain, which is likely to be a company whose employees can be tricked by a rogue email.

One attendee argued that information loss was a greater risk than phishing. The risk that somebody will put something in an email that should be kept secure means multiple security layers need to be in place, depending on the sensitivity of the data.

Adding third-party security measures is not always as easy as it might be, said some. Some vendors can be reluctant to provide the information needed to set up additional security layers, leaving companies exposed or insufficiently secure.

Do we take email for granted? It is not on our list of critical systems, said an attendee from a major bank. But, she added, it is a vital tool that ensures many of our other systems and processes work as they should. Perhaps we do need to rethink our view of email.

Bridging the security gap

Handing office productivity over to Microsoft does not absolve us of responsibility for security, said Ms. Cosgrove. She pointed to straightforward measures that could cut down the number of attacks a company receives. Email authentication, for example, can block more than 50 per cent of phishing attacks by removing the ability for attackers to send an email which appears to come from within the business.
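The email authentication Ms. Cosgrove refers to is, in practice, SPF, DKIM and DMARC: a DMARC policy published in DNS tells receiving mail servers what to do with a message whose visible From domain is not backed by an SPF or DKIM result for an aligned domain. The Python script below is an added example, not code from the briefing or from Proofpoint; it evaluates DMARC alignment for constructed message metadata (the example.com domains, authentication results and policy records are all made up for illustration) and simplifies the organisational-domain rule to the last two DNS labels instead of consulting the Public Suffix List.

```python
"""DMARC alignment and policy evaluation over constructed message metadata.

Added example. The domains, results and records below are constructed;
real DMARC also honours the pct= and sp= tags and uses the Public Suffix
List for organisational domains, both simplified away here.
"""
from dataclasses import dataclass


def parse_dmarc_record(txt: str) -> dict:
    """Parse a DMARC TXT record such as 'v=DMARC1; p=reject; adkim=s; aspf=r'."""
    tags = {}
    for part in txt.split(";"):
        part = part.strip()
        if not part or "=" not in part:
            continue
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1":
        raise ValueError("not a DMARC record")
    tags.setdefault("p", "none")      # policy: none / quarantine / reject
    tags.setdefault("adkim", "r")     # DKIM alignment: r(elaxed) or s(trict)
    tags.setdefault("aspf", "r")      # SPF alignment: r(elaxed) or s(trict)
    return tags


def organizational_domain(domain: str) -> str:
    """Simplified organisational domain: the last two labels of the name."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def aligned(auth_domain: str, from_domain: str, mode: str) -> bool:
    """Is the authenticated domain aligned with the visible From domain?"""
    if not auth_domain:
        return False
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return organizational_domain(auth_domain) == organizational_domain(from_domain)


@dataclass
class AuthResult:
    from_domain: str    # RFC5322.From domain, the one the user sees
    spf_result: str     # "pass", "fail" or "none"
    spf_domain: str     # RFC5321.MailFrom domain that SPF was evaluated for
    dkim_result: str    # "pass", "fail" or "none"
    dkim_domain: str    # d= tag of the verified DKIM signature


def evaluate_dmarc(msg: AuthResult, record: str) -> str:
    """Return 'pass' if an aligned identifier authenticated, else the policy."""
    tags = parse_dmarc_record(record)
    spf_ok = msg.spf_result == "pass" and aligned(
        msg.spf_domain, msg.from_domain, tags["aspf"])
    dkim_ok = msg.dkim_result == "pass" and aligned(
        msg.dkim_domain, msg.from_domain, tags["adkim"])
    return "pass" if (spf_ok or dkim_ok) else tags["p"]


# Constructed sample data for a business whose mail domain is example.com.
POLICY_REJECT = "v=DMARC1; p=reject; rua=mailto:dmarc-reports@example.com"

# Legitimate mail: envelope sender is a subdomain, DKIM signed by example.com.
LEGIT = AuthResult("example.com", "pass", "mail.example.com", "pass", "example.com")

# Spoofed mail: From shows example.com, but SPF only passed for the sender's
# own envelope domain and there is no DKIM signature for example.com.
SPOOF = AuthResult("example.com", "pass", "bulk.example.net", "none", "")


if __name__ == "__main__":
    for name, msg in (("legitimate", LEGIT), ("spoofed", SPOOF)):
        print(f"{name}: {evaluate_dmarc(msg, POLICY_REJECT)}")
```

The detail worth noting is that the spoofed message passes SPF: the sender controls its own envelope domain, so SPF on its own does not stop a forged From header. DMARC's requirement that the passing identifier be aligned with the visible From domain is what removes the ability to send mail that appears to come from within the business, and publishing p=reject is what makes receivers act on it.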

Attendees also agreed that multi-factor authentication is a must-have tool in the fight against email attacks. Some users will always be tricked into giving away their credentials. Multi-factor authentication will at least ensure those credentials are less useful to an attacker.

All of those at the briefing said their companies run training and awareness campaigns to improve user knowledge of phishing attacks, and all then run tests to measure the effectiveness of the training. At some companies, failing the test meant employees having to undergo remedial training. Others felt it was counterproductive to make employees feel like ‘failures’ because they could become too worried about making a mistake to do their job effectively.

There was wide agreement that companies need to assess their exposure and determine their risk tolerance before deciding on the security measures to apply to Office 365. The ‘crown jewels’ of your organisation – its most sensitive data – need to be protected, perhaps with extra controls. However, one attendee warned against putting too many controls into the system because employees are likely to get frustrated and devise their own workarounds, making the security measures redundant.

Summing up the discussion, Ian Emery of Proofpoint noted that 10 years ago most of the large banks were saying that they would never move to the cloud. Nobody would say that today. But he said that those who do make the move must understand their risk profile and take advantage of wraparound security options.