90% of Organizations have Microsoft 365 Security Gaps

If this statistic doesn’t scare the <bleep> out of you, it should.

A study of 1.6 million Microsoft 365 users across three continents found that NINETY PERCENT of the organizations had gaps in essential security protections.

Managing the Microsoft cloud environment is hard, no question about it.

But getting your organization compromised, well, that can be an existential threat to the business.

Research from the study revealed that many common security procedures are not being followed 100% of the time.

90 percent of companies had gaps in all four key areas studied, including multi-factor authentication, email security, password policies and failed logins.

Remember, these four areas are just the tip of the iceberg. There are dozens of areas and hundreds of controls to consider.

87 percent of companies have MFA disabled for some or all of their admins.

Only 17 percent of companies had strong password requirements that were being consistently followed.

What is interesting is that Microsoft offers a number of free tools to manage these security gaps. Some of the tools even tell you, specifically, how to fix them. But most companies are either not aware of them or do not use them.

Microsoft offers a security score tool as well. If you are not using these free tools, then you are adding risk to your business.

Some organizations want to learn how to use these tools themselves.

Other organizations want a service provider, called a Managed Security Service Provider (MSSP), to do this for them.

Managed Service Providers (MSPs) are different from MSSPs. MSPs run your help desk, fix broken computers, manage the software on your employees’ laptops and the like.

Some MSPs say they are MSSPs also. Our experience is that this is mostly not exactly true.

Whether you do it yourself or you outsource it, you don’t want to be in the 90 percent. You have to manage it. Ignoring it is not an option. Many companies have been “owned” for years without even knowing it. If you are hit by a ransomware attack, you will know it. If an intelligent adversary invades your IT environment, you won’t even know they are there. Ransomware is a one-and-done crime. Other attacks can net revenue (by selling access, selling your data or using your systems to launch other attacks) for years.

If you need assistance with this, please contact us.

Credit: Helpnet Security