Up to 78% of Microsoft 365 administrators do not have multi-factor authentication (MFA) security measures enabled.
Also, researchers say that 97% of all Microsoft 365 users do not use multi-factor authentication.
A recent report by CoreView Research also found that 97% of all Microsoft 365 users do not use MFA, shining a light on the security issues inherent in the implementation of Microsoft’s subscription service. Launched in 2017, this service provides users with basic productivity applications, including Office 365, Windows 10 & Enterprise Mobility.
“This is a huge security risk – particularly during a time where the majority of employees are remote – that IT departments must acknowledge & address in order to effectively deter cyberattacks and strengthen their organisation’s security posture,” according to the report, released last week.
Microsoft 365 accounts are a good source for cyber-criminals looking for sensitive organisation data. Attackers typically target Microsoft 365 accounts with email-based phishing or spear phishing attacks, automated credential stuffing, or guessing attacks.
MFA is one of the best ways to prevent this type of unauthorised access to Microsoft 365, researchers said, with research from SANS Software Security Institute indicating that 99% of data breaches can be prevented using MFA.
However, the research shows that Microsoft 365 users, & even admin accounts with the highest level of permissions & oversight of data, are not doing their part to implement MFA for their accounts.
Overall, researchers found overlapping issues with how Microsoft 365 is being implemented in companies. Beyond failing to implement basic security practices, researchers warned that organisations are giving administrators ‘excessive controls’ (which results in increased access to sensitive information).
For example, researchers ascertained that 57% of global organisations have Microsoft 365 administrators with excess permissions to access, modify, or share critical data, thus potentially giving them unnecessary access to private data & opening up risks for insider threats.
A further problem is that companies are investing in various productivity applications without considering their security implications. While these apps help fuel productivity, unsanctioned “shadow IT” apps have varying levels of security and represent a significant security risk. Shadow IT apps are SaaS applications that employees use, typically without IT’s permission or even knowledge.
“In today’s modern work environment, where supporting remote work is a must, CoreView’s data indicates that the missing ingredient in deploying & using M365 (Microsoft 365) effectively is often data governance, application security & Shadow IT oversight,” they observed.
“Enterprises must ensure they have the processes and tools, including CoreView, to help securely migrate & operate the world’s leading SaaS productivity platform.”
Security issues & attacks using Microsoft 365 are common. In Sept., researchers said that bugs in the multi-factor authentication system used by Microsoft’s cloud-based office productivity platform, Microsoft 365, opened the door for hackers to access cloud applications via a bypass of the security system.
Also in Sept., Microsoft 365 faced another phishing attack – this one using a new technique to make use of authentication APIs to validate victims’ Office 365 credentials, in real time, as they enter them into the landing page.