Is Microsoft 365 Secure? Data Protection at a Glance
The productivity tools offered in the Microsoft 365 package are well known and widely used by companies around the world. Its popularity can be attributed to how simple it makes sharing and collaborating on projects from anywhere. It is also compatible with many kinds of devices and operating systems, and, as a cloud-based service, it reduces infrastructure and maintenance costs. It is not hard to see why Microsoft's suite is the preferred choice for almost 100 million online users, who regularly store sensitive data in OneDrive, Microsoft's cloud storage platform. But is data stored in Microsoft 365 entirely secure?
What is Microsoft 365?
Microsoft 365 (formerly known as Office 365) is a universe of subscription services offered by Microsoft which allows users to create, manage and share data online using cloud-based applications. The most popular office tools are:
- Microsoft Teams
The advantages of using Microsoft 365 are clear: relatively low maintenance costs and permanent availability. However, it is important to consider the vulnerabilities tied to using the suite, and to know what you can do to get the most out of it while complying with security standards and handling company data safely.
Is Your Data at Risk?
The Covid-19 pandemic has brought to light an issue that was already in progress: switching from office-based working to digital, mobile workplaces. Suddenly, companies were scrambling to accommodate this "new" form of working and in doing so, needed to start relying on software allowing their employees to collaborate remotely. This raised the question in the minds of the decision makers: Is it safe to entrust all company data in the hands of Microsoft? Considering the dangers of unauthorized third-party access and data leaks, this question is quite justified.
Potential Exposure to Third Parties
Companies and organizations are becoming increasingly sceptical about entrusting data, for which they are liable, to third parties. And with good reason. In 2020, Microsoft was accused of sharing its Office 365 customers' business data with Facebook and other third parties without consent. The court filing claimed Microsoft used customer emails, calendars, and location data to inform the development of future products – a violation of the US Wiretap Act, the Stored Communications Act and consumer protection laws.
Yet there are also other US laws that have the opposite effect: jeopardising the confidentiality of your corporate data. One such law is the CLOUD Act – it requires all US-based companies, including Microsoft, to hand over data at the request of the US authorities, regardless of whether their servers are located on American or foreign soil.
In these times of digital transformation, data is one of the most important assets a company has, and there is only one way to remain compliant with this legislation without compromising confidentiality. How? By making it invisible to the eyes of third parties, or in other words, by encrypting it. Especially if the data is stored in the cloud.
Cloud storage is certainly a useful tool for modern businesses. When selecting a provider, customers should not only ensure they are choosing a safe and reliable service; it is also essential to consider the setup: for truly secure cloud storage, the servers that store the data must be separate from the systems that perform its encryption. In other words, make sure that the key for encrypting and decrypting your data lies in your hands alone. This keeps the content of your data out of reach of your cloud provider – Microsoft may claim to maintain high levels of security, but that certainly doesn’t stop them from having some control over your data. Due to their data administration structure and existing US legislation such as the CLOUD Act, they are able (and obligated) to provide access to the contents of your data if required.
The Growing Threat of a Data Breach
According to a study at the University of Maryland, there is a hacker attack every 39 seconds. Remote working has increased the risk arising from dangerous behaviour patterns such as:
- clicking malicious links in emails
- sharing sensitive data in Microsoft Teams from different locations or devices
- using weak passwords
A single compromised employee account can give cybercriminals broad access to company databases, customer information and internal networks.
Every 39 seconds on average, there is a hacker attack on a computer with Internet access, and the insecure usernames and passwords we use give attackers a greater chance of success.
Most cyber-attacks take only a brief time to carry out, but the impact is dire:
- Data loss and consequently, the disruption of business operations
- Brand identity damage
- Financial impact due to the cost of dealing with the breach and recovering systems
- Loss of intellectual property and legal consequences
The looming danger is not only the damage caused by the hackers, but also the punishment imposed by the authorities – e.g. a hefty fine that the company would be obliged to pay for violating data protection legislation.
Legal Compliance – GDPR
Legal compliance requires taking the necessary measures to protect corporate information as well as respecting regulatory rules around data, such as the General Data Protection Regulation (GDPR) within the European Union. The GDPR threatens to levy harsh fines against those who violate its privacy and security standards, with penalties reaching into the tens of millions of euros.
Microsoft provides resources and assessment systems for compliance, which are regularly updated. It offers practical tools to improve security and makes the Microsoft 365 Compliance Centre available to users.
However, it should not be overlooked that Microsoft explicitly emphasized the importance of shared responsibility in this area in their Plan for security & compliance:
Managing security and compliance is a partnership. You are responsible for protecting your data, identities, and devices, while Microsoft vigorously protects Microsoft 365 services.
Considering Microsoft's past data protection slip-ups, users are justifiably questioning if Microsoft is in fact keeping their side of the bargain in this partnership. While resources like the Compliance Centre are helpful, companies need to implement their own strategy to keep their data protected. In this guide, you can learn more about the specific requirements of the GDPR.
Best Practices for Keeping your Data Secure in Microsoft 365
Following these steps will help you make Microsoft 365 more secure and lets you benefit from its advantages with minimum risk:
- Training your users: Educating employees about the importance of cybersecurity is vital. Here are some examples of essential actions:
  - Using strong passwords
  - Keeping business information off employees’ personal devices
  - Enabling security features on corporate devices
  - Blocking attachments with certain file types
- Enabling two-factor authentication (2FA): This measure significantly mitigates the risk of security incidents and cyberattacks. Even if personal credentials were exposed to hackers, perpetrators would be unable to break through the additional authentication control. 2FA can be applied to different services, such as social networks or email, among others.
- Using all available tools to enhance security: Controlling network access as well as encrypting data can be a powerful way of keeping corporate information secure and protected. Boxcryptor adds end-to-end encryption to your cloud, ensuring that nobody but you can access your data.
Boxcryptor and Microsoft 365
Using Boxcryptor, companies retain control over their corporate data even when using Microsoft’s third-party solutions OneDrive, SharePoint, or Microsoft Teams. All sensitive data is encrypted before leaving the company devices and is then safely stored in the cloud. This helps keep business documents secure through end-to-end encryption and prevents data from being visible to the cloud provider or from being misused by external unauthorized parties. This way, your team can use the cloud to collaborate securely on your company data while being compliant with internal and external regulations.
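As an added illustration of the key-custody argument made here and in the cloud storage section above (this is example code written for this page, not Boxcryptor's code or file format), the Go sketch below models a provider's store holding two copies of the same document: one encrypted at rest with a key the provider controls, one sealed on the client with a key the provider never receives. The in-memory store, the object names and the sample document are constructed for the demo, and AES-256-GCM stands in for whatever scheme a real product uses.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
)

// cloudStore models the provider: every uploaded blob plus the key it uses for encryption at rest.
type cloudStore struct {
	objects     map[string][]byte
	providerKey []byte
}

// mustRandom returns n cryptographically random bytes (used for keys and nonces).
func mustRandom(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return b
}
// gcmFor builds AES-256-GCM; this demo only ever passes 32-byte keys from mustRandom(32).
func gcmFor(key []byte) cipher.AEAD {
	block, _ := aes.NewCipher(key)
	gcm, _ := cipher.NewGCM(block)
	return gcm
}
// seal returns nonce || ciphertext || tag for one document.
func seal(key, plaintext []byte) []byte {
	gcm := gcmFor(key)
	nonce := mustRandom(gcm.NonceSize())
	return gcm.Seal(nonce, nonce, plaintext, nil)
}
// unseal fails with an authentication error under any key but the sealing key.
func unseal(key, blob []byte) ([]byte, error) {
	gcm := gcmFor(key)
	return gcm.Open(nil, blob[:gcm.NonceSize()], blob[gcm.NonceSize():], nil)
}

// Provider-managed design: the document reaches the provider in clear and is encrypted
// at rest with a key the provider controls, so the provider can decrypt it on request.
func uploadProviderEncrypted(s *cloudStore, name string, doc []byte) {
	s.objects[name] = seal(s.providerKey, doc)
}
// Client-side design: sealed on the device with a key the provider never receives.
func uploadClientEncrypted(s *cloudStore, clientKey []byte, name string, doc []byte) {
	s.objects[name] = seal(clientKey, doc)
}
// providerDisclose models a compelled disclosure: the provider decrypts with the only key it holds.
func providerDisclose(s *cloudStore, name string) ([]byte, error) {
	return unseal(s.providerKey, s.objects[name])
}
```

Calling providerDisclose on both objects shows the difference the article argues for: the provider-managed copy decrypts, the client-sealed copy fails authentication, while the customer's own key still opens it.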
Despite the false belief that storing data in the cloud makes it more exposed to attacks, working with cloud services is in fact the most reliable model. Microsoft 365 has substantially improved accessibility and security in recent years. It is continually updated to provide better security patches and additional features supporting remote work and collaboration, including data encryption. In this sense, Microsoft provides a safety net, but ultimately, companies are the ones responsible for maintaining security and compliance. Left to their own devices, very few companies are able to put up effective defences against hacking and cyberattacks. The fact that Microsoft or other authorised third parties could theoretically access all stored corporate data if they wanted to adds even more fuel to the fire. Therefore, an additional layer of encryption is the only way to ensure that your data is completely under your control, only yours and no one else's.