There are many misconceptions about Microsoft 365, Office 365, and Azure Active Directory. As healthcare organizations experience record-high insider threats, business email compromises, and system intrusions, misconfigurations in these oft-overlooked platforms are frequently to blame.
However, several common myths prevent companies from devoting energy to the much-needed task of tightening down security in this area.
Below, we unpack these myths and make a case as to why a Microsoft 365 Assessment should be a high-priority item in your organization’s cybersecurity roadmap.
Myth: “I have antivirus, a firewall, and other purchased security tools. My organization seems well-protected.”
State-of-the-art endpoint platforms, firewalls, and other security measures are all very important components of every organization’s cybersecurity program.
However, these represent only a few layers of a good defense-in-depth posture. Like an onion, security is built up in multiple layers, and correct configuration of cloud applications, especially those holding critical data, is one of the layers that matters most.
Furthermore, because applications like Office 365 are directly exposed to the Internet, the best firewalls and endpoint protection packages - while vitally important - are insufficient for protecting these critical platforms.
Simply put, firewalls and other purchased technologies are unable to defend against Internet-borne attacks to cloud infrastructure like
Myth: “Microsoft is one of the world’s largest organizations. They properly secure Office 365 for my organization.”
Microsoft ships a few good security defaults that help organizations get started on Office 365; for example, "security defaults", which require every user to register for and use multi-factor authentication, are enabled on all new tenants. But, according to Verizon’s widely publicized Data Breach Investigations Report, “Despite the efforts of the major cloud providers to make the default configurations more secure (which we applaud), [misconfiguration] errors persist.”
Why is this the case?
While Microsoft’s defaults are a good start for Office 365 security, they are not the end-all. An in-depth assessment covers items like protections on sharing data outside of the organization, proper email controls, alerting of appropriate personnel in the event of an incident, and so on.
Because Microsoft generalizes the individual requirements for each organization’s security posture, there are numerous default settings that are likely to be considered unsafe by regulated industries, such as healthcare.
For example, by default, any user can consent to a third-party application being granted access to their data in the company’s Office 365 tenant, so an unsanctioned app can gain a foothold without an administrator ever reviewing it. Defaults also allow any user to create Microsoft 365 groups that are visible across the entire tenant. And alarmingly, users can share potentially sensitive files in SharePoint and OneDrive with external recipients without approval. These are only a few of the default settings that many organizations deem inappropriate; there are many others.
Finally, these security defaults, while basic, are a recent addition: Microsoft introduced them in late 2019 and enables them automatically only on tenants created since then. If your organization has used Office 365 for more than a few years, it is entirely possible that these baseline settings were never applied to your tenant.
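As an added worked example (not code from the original article), the PowerShell below audits the defaults just described: user consent to third-party apps, unrestricted group creation, external sharing in SharePoint and OneDrive, and whether security defaults are enforced. Evaluation is separated from collection so the checks can be exercised offline against a constructed sample tenant; the SharePoint admin URL and the sample values are assumptions, and live collection needs the Microsoft.Graph and Microsoft.Online.SharePoint.PowerShell modules.

```powershell
# Added example, not part of the original article.
# Live collection requires the Microsoft.Graph and
# Microsoft.Online.SharePoint.PowerShell modules; the evaluation itself
# runs offline against the constructed $sample object at the bottom.

function Test-TenantDefaults {
    param(
        # Object with AuthorizationPolicy, GroupUnifiedSetting, SpoTenant, SecurityDefaults
        [Parameter(Mandatory)] $Snapshot
    )
    $findings = New-Object System.Collections.Generic.List[string]

    # 1. User consent to third-party apps (Entra ID authorization policy).
    #    Legacy policy  = any user may consent to any app and any permission.
    #    Other policies = users may still consent without admin review.
    #    Empty list     = user consent disabled; admin consent workflow required.
    $grant = @($Snapshot.AuthorizationPolicy.DefaultUserRolePermissions.PermissionGrantPoliciesAssigned)
    if ($grant -contains 'ManagePermissionGrantsForSelf.microsoft-user-default-legacy') {
        $findings.Add('Users can consent to any third-party application (legacy user consent)')
    } elseif ($grant.Count -gt 0) {
        $findings.Add("Users can consent to applications without admin review: $($grant -join ', ')")
    }

    # 2. Microsoft 365 group creation. If no Group.Unified setting object exists,
    #    or EnableGroupCreation is true, every user may create tenant-wide groups.
    $enableCreation = 'true'   # Microsoft's default when the setting object is absent
    if ($Snapshot.GroupUnifiedSetting) {
        $v = $Snapshot.GroupUnifiedSetting.Values | Where-Object { $_.Name -eq 'EnableGroupCreation' }
        if ($v) { $enableCreation = [string]$v.Value }
    }
    if ($enableCreation -eq 'true') {
        $findings.Add('Any user can create Microsoft 365 groups (EnableGroupCreation is not false)')
    }

    # 3. External sharing for SharePoint Online and OneDrive.
    #    ExternalUserAndGuestSharing permits anonymous "Anyone" links; the other
    #    non-Disabled values still permit sharing with external guests.
    foreach ($prop in 'SharingCapability', 'OneDriveSharingCapability') {
        $level = [string]$Snapshot.SpoTenant.$prop
        if ($level -eq 'ExternalUserAndGuestSharing') {
            $findings.Add("$prop = $level (anonymous Anyone links allowed)")
        } elseif ($level -ne 'Disabled') {
            $findings.Add("$prop = $level (sharing with external guests allowed)")
        }
    }

    # 4. Security defaults (baseline MFA). Older tenants often have this off; when it
    #    is off, confirm Conditional Access enforces MFA before treating it as a gap.
    if (-not $Snapshot.SecurityDefaults.IsEnabled) {
        $findings.Add('Security defaults are disabled; verify MFA is enforced by Conditional Access instead')
    }

    return $findings
}

function Get-TenantDefaultsSnapshot {
    # Live collection. $SpoAdminUrl is an assumption, e.g. https://contoso-admin.sharepoint.com
    param([Parameter(Mandatory)][string]$SpoAdminUrl)
    Connect-MgGraph -Scopes 'Policy.Read.All', 'Directory.Read.All' | Out-Null
    Connect-SPOService -Url $SpoAdminUrl
    [pscustomobject]@{
        AuthorizationPolicy = Get-MgPolicyAuthorizationPolicy
        GroupUnifiedSetting = Get-MgGroupSetting | Where-Object { $_.DisplayName -eq 'Group.Unified' }
        SpoTenant           = Get-SPOTenant
        SecurityDefaults    = Get-MgPolicyIdentitySecurityDefaultEnforcementPolicy
    }
}

# Constructed sample (not real tenant data) representing a tenant left on the
# defaults described in the text. Swap in Get-TenantDefaultsSnapshot for a live audit.
$sample = [pscustomobject]@{
    AuthorizationPolicy = [pscustomobject]@{
        DefaultUserRolePermissions = [pscustomobject]@{
            PermissionGrantPoliciesAssigned = @('ManagePermissionGrantsForSelf.microsoft-user-default-legacy')
        }
    }
    GroupUnifiedSetting = $null          # no Group.Unified object: default applies
    SpoTenant = [pscustomobject]@{
        SharingCapability         = 'ExternalUserAndGuestSharing'
        OneDriveSharingCapability = 'ExternalUserAndGuestSharing'
    }
    SecurityDefaults = [pscustomobject]@{ IsEnabled = $false }
}

Test-TenantDefaults -Snapshot $sample | ForEach-Object { Write-Output "FINDING: $_" }
```

Against the constructed sample the script reports all four conditions. On a live tenant, a finding for check 4 is only a gap if no Conditional Access policy requires MFA, which is why the message asks for that confirmation rather than declaring the tenant unprotected.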
Myth: “I’ve purchased an email filter that sits in front of Office 365, which makes up for security shortcomings in our tenant.”
There are several reputable organizations that offer third-party email filters and secure mail gateways. While Microsoft has over the years augmented the email security of its own Office 365 platform with subscriptions such as Microsoft Defender for Office 365 (formerly Office 365 ATP, Advanced Threat Protection), some companies choose to partner with third parties to address these needs.
Generally speaking, these third-party services will address a narrow set of needs. In the case of email filters, these services typically address incoming and outgoing mail, sandboxing of links and attachments, and searching of mail items for sensitive content.
However, these features do not address larger potential configuration shortcomings of Office 365 and Exchange Online. Therefore, even if organizations make use of a third-party platform to help secure a portion of Office 365, configuration shortcomings can still leave major holes in their tenant.
Myth: “Office 365 is ‘HIPAA certified’ – so my healthcare organization should be secure.”
First, the United States Department of Health & Human Services (HHS) does not recognize any type of HIPAA certification for products or services. While vendors regularly use the label “HIPAA certified,” such certificates are issued by private organizations running unofficial training courses for healthcare practices and carry no regulatory weight.
Office 365 is built with the HIPAA (1996) and HITECH Act (2009) regulations in mind. As such, Microsoft is willing to enter into Business Associate Agreements (BAAs) with both covered entities and other healthcare business associates for the exchange of protected health information (PHI) over in-scope services. This includes the ability to restrict the geographic locations in which sensitive data is stored.
However, Microsoft leaves the process of building internal processes for compliance, including configuring the Office 365 environment, up to its customers: “By offering a Business Associate Agreement, Microsoft helps support your HIPAA compliance. However, using Microsoft services does not on its own achieve HIPAA compliance. Your organization is responsible for ensuring that you have an adequate compliance program and internal processes in place, and that your particular use of Microsoft services aligns with your obligations under HIPAA and the HITECH Act.”
An assessment of the configuration of Office 365 will ensure that guardrails are in place to support organizations’ HIPAA compliance through the use of these Microsoft platforms.
The Bottom Line
Remember, business email compromises and misconfigured cloud applications represent a large percentage of breaches in the healthcare
An assessment of your organization’s Microsoft 365 environment verifies that the proper settings are in place and dramatically reduces the chances of a breach.