The rush to enable distributed work, paired with the explosion of Microsoft Teams, has created new challenges for securing Microsoft 365 collaboration. Understand the impact on IT with these key security trends from our benchmark report.
Following the widespread shift to distributed work in 2020, companies are still grappling with how best to maintain security through governance. As explored in our benchmark cloud productivity report, many companies fast-tracked security to facilitate the transition to distributed work in the wake of COVID-19.
With users looking for ways to collaborate virtually, Microsoft Teams and other tools are being deployed at a record pace. For IT professionals, this unfettered growth translates into greater potential for security failures, such as accidental sharing and data leakage. IT teams need to implement security strategies that give users the freedom to collaborate while keeping sensitive information secure.
Microsoft 365 and Microsoft Teams security key takeaways:
- Companies fast-tracking security to facilitate distributed work
In the wake of COVID-19, companies fast-tracked security to facilitate the transition to distributed work.
- New challenges of securing Microsoft 365 collaboration
IT teams need to balance security concerns with collaboration needs.
- The need to find a scalable middle ground for security
Companies must find a scalable middle ground on the security spectrum.
- Security is a team effort in the distributed workplace
Security is everybody’s responsibility in a distributed workplace.
Companies fast-tracking security to facilitate distributed work
Like many other topics covered in this report, when it comes to security, the COVID-19 pandemic accelerated existing trends. According to an August 2020 report by Microsoft, “54% of security leaders reported an increase in phishing attacks since the beginning of the outbreak.”
Of course, security encompasses not only external threats, but also internal risks related to how untrained users handle and share sensitive data. If distributed work continues as expected,* companies will continue to face threats related to deploying Teams with untrained users who are working outside the company’s network. (*Gartner )
Given the rush to enable remote work in 2020, there is tension between what companies knew they should do and what they actually did regarding security. A Netwrix survey of more than 900 IT professionals found that “85% of CISOs admit they sacrificed cybersecurity to quickly enable employees to work remotely.”
After establishing essential security policies to get remote teams up and running, companies then needed to turn their attention to the other threats inherent to a remote workforce. We interviewed Microsoft MVP Joanne Klein, who said: “the pandemic accelerated or fast-tracked a lot of security teams to get up to speed with everything that they need to do to protect their organization.”
In terms of data security, “they were then thinking, ‘we need to step up the game right now and get in front of this problem because it’s not getting any easier and our workforce is now out there in the wild. How are we going to manage this?’”
In March 2021, we surveyed IT professionals about a variety of security-related issues. Not surprisingly, more than half of respondents (67.2%) said they allow employees to use personal devices for work. All respondents had some amount of confidential data stored within their Microsoft 365 environment—data which users are potentially accessing with unsecured personal devices.
“The challenge here,” said ShareGate Head of Product and Microsoft Regional Director Benjamin Niaulin, “is that because…the company doesn’t manage those personal devices, there’s a higher risk of the data being stolen off those devices.”
“It’s not a bad thing that employees are using personal devices,” he added. “It’s common and it’s necessary, especially with distributed work. I would imagine that for a lot of companies, [allowing personal devices] was what they had to do to enable remote work. The question now becomes how are they controlling the data?”
Zero Trust is now a business priority
With rising concerns about data protection, many companies have implemented or accelerated Zero Trust projects* during the pandemic. (*Security Magazine)
A Zero Trust security framework, according to Forrester, is “a security framework built around the concept of ‘never trust, always verify’ and ‘assuming breach.’” Zero Trust stands in contrast to traditional security models, which are based on the concept that anything inside a corporate network can be trusted.
Based on the principle “never trust, always verify,” the Zero Trust strategy protects organizations by maintaining security through the continuous authentication of identities, devices, and services.
Zero Trust gained traction in the early days of the pandemic when IT teams struggled to keep up with the surge of new, potentially unsecured devices as employees logged into corporate networks from home.
Said Andrew Conway, Microsoft’s General Manager, Security Marketing, in Microsoft’s August 2020 report, “Zero Trust shifted from an option to a business priority.” As a result, “51% of business leaders are speeding up the deployment of Zero Trust capabilities. The Zero Trust architecture will eventually become the industry standard, which means everyone is on a Zero Trust journey.”
In our interview with Klein, she underscored the importance of Zero Trust, which leverages technologies such as multi-factor authentication (MFA) to manage user access based on continual verification.
“The Zero Trust principle is what most organizations are going to,” she said. “It’s just a sound practice, and it’s particularly important when organizations are distributed and not contained within a confined network anymore.”
In our March 2021 survey, most respondents (86.2%) said they had enabled MFA in their organization. Niaulin hopes to see that number become a hundred percent in the near future, as multi-factor authentication “doesn’t cost any money, and there’s no extra work to put it in place. It’s a box you check. As soon as you go to Microsoft 365, you should be turning this on.”
In a distributed workplace, business continuity depends on balancing security with the end-user experience. Zero Trust is an example of a user-friendly solution that minimizes employee disruption without compromising security.
New challenges of securing Microsoft 365 collaboration
The rush to enable full-time work from home, paired with the explosion of Microsoft Teams, has increased external sharing, unique permissions, and the number of files shared. In the hands of untrained users, these are all security risks. Teams usage went from 20 million active users in late 2019 to over 115 million by the end of 2020.*(*Microsoft)
This means that some 95 million new users are being managed by IT teams who were not necessarily prepared to tackle all the related issues surrounding Microsoft 365 security.
External sharing is growing exponentially
As the pandemic limited in-person meetings and people were forced to collaborate virtually, we saw a corresponding rise in external sharing. In our March 2021 survey, 67.2% of respondents said they have external sharing enabled in their Microsoft 365 environment.
As for which SharePoint external sharing settings they’ve set, the results were as follows:
What these numbers indicate, said Niaulin, is that “around 64% have a controlled way of working with people outside the company. But the 25% that have no rules in place for verifying users…that’s a high number.”
Microsoft 365 Groups is a cross-application membership service in Microsoft 365. Each Microsoft 365 group lives in Azure Active Directory, has a list of members, and is attached to that group’s related Microsoft 365 workloads, including a SharePoint team site, Exchange mailbox, Planner, Power BI, OneNote—and, optionally, a team in Microsoft Teams.
For this report, we also looked at six months of from ShareGate Apricot. From September 2020 to February 2021, the average number of Microsoft 365 groups in each tenant grew by 21.5%.
Along with the growth in group creation, ShareGate Apricot data also showed a significant increase in external sharing. The number of groups with active external sharing links grew by 52.62%. And within those groups, the number of external sharing links grew by 73.74% at the same time.
The rise in external sharing shows that users still need ways to collaborate inside and outside their core environment. Despite this increase, many companies have yet to implement a system for controlling what is shared. In the March 2021 survey, 41% of respondents said they have a process in place to review/audit externally shared links, while 59% do not.
“Access review” is the process of periodically auditing shared links, which entails identifying and breaking invalid links. Access review is necessary, said Niaulin, because when employees start sharing anonymous external sharing links, “there’s a risk involved in letting anyone from the outside come in.”
Anonymous external sharing links can be forwarded on anonymously, and they don’t require any authentication to access. Continued Niaulin: “As soon as you open a door, users can use that door to potentially go through another door you don’t know about. And this cleanup process ensures that you reduce that risk.”
Clearly, IT teams must understand where and why things are being shared, as these are potential points of security failure. However, this shouldn’t be seen as a reason to shut down sharing. Rather, it’s an indication that groups need to have permissions that reflect their confidentiality/business importance.
Klein concurred with this sentiment, saying: “The odds are, external sharing is happening whether you allow it, or you want to allow it, or not. My approach is to allow it, but put in the appropriate controls. Because if you can see it and you’re aware it exists, at least you have an opportunity to manage it.”
When IT blocks external sharing and other collaboration tools, users will often turn to unapproved apps and devices—in other words, shadow IT. “If you’re trying to prevent an end-user from doing something completely,” said Klein, “that end-user will find a way, almost guaranteed, and that’s a worse position to be in. I think the pragmatic approach is to allow it, and then try to manage it through controls in the back end.”
Orphaned groups are also increasing
In Microsoft 365, an “orphaned group” is a Microsoft 365 group that has no valid, active/licensed owner. Orphaned groups present a risk because there is nobody accountable for that group’s security, including externally shared files and guest members.
From September 2020 to February 2021, our data showed that the number of orphaned groups per tenant grew by 24.8%, roughly the same amount as overall growth. Per tenant, orphaned groups currently account for 8-9% of all groups. When it comes to lack of oversight, eight to nine percent isn’t a trivial number of orphaned groups per tenant.
The need to find a scalable middle ground for security
As with most decisions in Microsoft 365 administration, security and governance decisions lie on a spectrum. In the case of distributed work, they range from “locked down” to “wide open.” At ShareGate, we see a middle ground where users can access the tools they need, in the ways they want, with some guidance and solid governance.
Self-service features are an integral part of this model because they improve efficiency, reduce costs, and create an environment of user empowerment.
The security spectrum
In comparing a “wide open” versus “locked down” security model, both have their drawbacks for IT teams and companies.
A fully locked down system wherein IT administrators must research, approve, and take responsibility for all decisions, has a major cost in terms of IT scalability. You need people to read tickets, implement changes, etc., and the bigger your organization is, the more bodies are required.
However, when things are wide open, IT needs to constantly manage the cleanup—not to mention the risks—of uncontrolled creation and sharing.
In our February 2021 survey, one question asked IT professionals about the level of self-service functionality that they currently have enabled in Microsoft 365. The results showed that most incorporate some form of self-service, rather than implementing a fully locked down system:
“There’s no right or wrong answer when it comes to self-service,” said Niaulin. “What we believe in [at ShareGate] is to try and find the middle ground where it makes sense.” Large banks, for example, which have thousands of employees and must follow strict regulatory and compliance rules, “aren’t going to enable self-service.”
Usually, Niaulin sees “a little bit of both, depending on the company culture and needs.” You don’t want the needle pointed too far in either direction. “The more you go toward ultra-control, the more your users will turn to unapproved apps. And if your system is too loose and free, there’s more risk of a security breach.” The challenge for organizations “is to place the needle somewhere in the middle.”
When companies first put Microsoft 365 in place, Niaulin said, they typically start “at the edges” of the security spectrum, “then slowly go towards the middle because the edges don’t work.”
If they go to one extreme, “people complain that there are too many processes.” However, “if it’s too much self-service, people can’t find anything and don’t know how to use the software.” The solution, he noted, “is really about figuring out where the friction is and then studying that, seeing what’s not working and trying to bring your processes in balance.”
Finding the right balance
Our findings show IT professionals recognize the benefits of enabling self-service. In our February 2021 survey, 84.1% of respondents said that enabling self-service functionality in Microsoft 365 has saved their IT teams time and money.
The term “self-service,” however, may require a more nuanced definition. In fact, Niaulin thinks “self-service” is often misunderstood. He prefers the term “frictionless guidance.” The goal of IT, he said, should be “about guiding people to use Microsoft 365 without you being a blocker.”
Here at ShareGate, we believe in the benefits of self-serve IT and collaborative governance. By entrusting group and team owners with the power to label their group’s purpose, data criticality, and level of confidentiality, IT can implement policies that keep things running smoothly, without friction, and without locking down the entire system.
Like Niaulin, Microsoft MVP Joanne Klein believes it’s about striking the right balance. “I’m still in support of self-serve. I never want to go back to the world where we were putting up our hands, saying ‘No, you can’t do that,’ and every little thing has to go through a bigger approval process first. That said, we still need to implement some controls so it’s not the Wild West.”
She added: “I think you can allow self-serve, but you need to have some guardrails around that. And that means, for example, you can still have an approval process, but make sure it’s automated, smooth, and quick, and implement a lot of the technical controls in the back end in an automated way.”
The trifecta of security for distributed work
To protect a company’s Teams work across Microsoft 365, IT needs a strategy to keep content secure across platforms and devices.
In our interview, Klein discussed the steps IT professionals should take to protect sensitive data wherever it lives. She shared a recommended “trifecta of security” in the era of distributed work: identity, data, and devices.
- Identity: Use Microsoft tools to identify who is accessing what in your environment.
- Data: Classify data in order to know the nature of the data that is being accessed
- Devices: Identify what company (or personal) devices are being used.
With this approach, said Klein, “security teams can lean into this new modern workplace and better understand how they can govern and control it.”
When it comes to data classification, configuring a team’s security settings in Microsoft 365 according to its level of sensitivity is not an easy feat. In our March 2021 survey, only 24.6% of IT admins said they have a clearly defined data classification scheme/policy in place. That leaves 75.4% who do not currently have a system for classifying sensitive data and making sure only the right people have access to it.
Not all data is created equal, of course, and applying unnecessary blanket restrictions can end up hindering end user productivity. A better solution, we believe, is a tool like ShareGate Apricot, which has a “Group sensitivity” feature that enables you to automatically apply custom security settings to your teams and Microsoft 365 groups depending on each one’s level of sensitivity.
Security is a team effort in the distributed workplace
Because IT can’t possibly manage each individual set-up for a remote worker, organizations have shifted from a model of controlling all tasks and security issues “in-house” to decentralization and more empowerment for end-users. If IT teams give more power to end-users, however, they also need to give them more responsibility to keep content secure across platforms and devices.
A 2020 study by the Harvard Business Review and Microsoft examined the impact of digital transformation on data governance. After surveying some 500 global business leaders across industries, the report concluded that “everyone within the organization must understand how to capitalize on the tools and stay up to date on the latest security vulnerabilities and compliance trends.”* (*A Blueprint for Data Governance in the Age of Business Transformation, Harvard Business Review and Microsoft).
Not only is collaborative governance best practice, the report concluded, but it is also good for business, as “leaders are outspending peers in training to heighten awareness of both business managers and employees about the importance of security and compliance.”* (*A Blueprint for Data Governance in the Age of Business Transformation, Harvard Business Review and Microsoft).
ShareGate has long promoted the idea of collaborative governance. As stated in our ShareGate Apricot product announcement: “Group owners should be held accountable for the resources they create—and the people they share them with—throughout the entire lifecycle.”
Klein believes this principle is more salient than ever in a distributed workplace. “Security should be more than just a team on your org chart, it’s everybody’s responsibility,” she said. “It doesn’t matter what your role is in the organization. You have a role to play and you need to be aware of the threats that are out there, and then act securely and safely in your environment.”
She added: “Security teams realize this is much more than a technology problem. It’s a people problem, and you need to inform and educate your users so you can protect against this at scale across your environment. Because you aren’t going to be able to solve it with technology alone.”
Although training and education of end-users are critical, it’s not automatic for companies—and when it occurs, it’s not always in-depth. In a survey of the Microsoft 365 professional community, we asked how much Teams training was offered to end-users during rollout. Only 19% said that they provided users (i.e. employees) with official training that included extensive training material and activities.
With an estimated 43 percent of data breaches coming from internal “accidental” leakage,* end user education is critical. (*Intel) In the past, we’ve outlined practical steps IT professionals can take to implement healthy data habits among employees. It starts with understanding which employee habits are putting sensitive data at risk, then educating and empowering users to do the right thing.
Looking to the future
According to the experts we interviewed for this report, one of the top governance challenges for IT teams in the next year will be around compliance. Oosterveld explained that this involves “making sure sensitive data has been classified and that people who should not have access to it don’t. And that’ll definitely become more relevant due to the collaboration with people outside the company.”
As the new world of distributed work continues impacting the security landscape, companies must find ways to stay productive and connected while minimizing risk. We believe that in a virtual infrastructure of virtual employees—whether hybrid or full-time remote—security issues can no longer be the sole responsibility of IT. It’s time to get everyone on board.
Read the full report on the State of Microsoft 365
Seventy percent of the IT professionals we surveyed for our cloud computing report expect the majority of their workforce to continue working remotely through 2021. In this new world of work, leveraging Microsoft 365 to support your remote employees—and your business—is more important than ever.
Learn about more Microsoft cloud productivity trends in our full report, State of Microsoft 365: Migration, Modernization, and Security in 2021. Get data-backed insights and expert recommendations to better leverage Microsoft for your business. The report also outlines what makes for a successful, scalable, and secure distributed workplace—now and in the future.