
How safe is Office 365 security?

Aug 10, 2020 · 5 min read


The future is in the cloud, and for corporations that increasingly rely on remote working practices, that future is now. Cloud storage systems are well-established, but with software like Microsoft Office 365 gaining prominence, our once-physical offices are going digital. But new allegations about Microsoft's mishandling of customer data have raised security concerns. How safe is Office 365?

What is Office 365?

Microsoft’s Office 365 offers classic productivity tools like word processing and PowerPoint presentations, along with extensive OneDrive space. The complete software suite contains communication tools, scheduling aids, and encrypted cloud-based storage.

However, the system’s security remains an open question. Anyone even remotely acquainted with the world of cybercrime and online security will understand that a system like this could be a tempting target. Furthermore, recent allegations against Microsoft have raised new concerns about their own ability to keep user data safe.

Does Microsoft mishandle customer data?

For enterprise customers relying on Microsoft, the news of a recent lawsuit against the company may be troubling.

A legal complaint in the US has alleged that the creators of Office 365 may have been profiting from paid user data through undisclosed back-channels. The lawsuit makes a number of claims:

  • Microsoft previously stated that user data would be available to third-parties on a strictly need-to-know basis. However, allegations suggest that the company may have shared customer information with hundreds of contractors and developers whose requirements failed to meet the need-to-know standards.
  • Information about Office 365 users’ business contacts was apparently shared directly with Facebook, regardless of whether or not those contacts even had Facebook accounts.
  • Microsoft may have utilised customer information for their own monetary gain. This may have included the development of new products, despite previous reassurances that user data would only affect the purchased services.

With Microsoft themselves regularly highlighting the importance of security and regulatory compliance, these allegations would represent a severe breach of trust if proven.

The risks of corporate data breaches

It can be easy to dismiss the seriousness of these allegations; after all, Microsoft is accused of sharing data with other companies and developers, not with criminals. However, it’s worth noting the immeasurable damage that a corporate data breach can cause, and examining the reasons for such an event.

Just one compromised employee account can give criminals wide-ranging access to company databases, customer information, and internal networks. For a business of any size, that could mean massive financial losses and a damaged reputation among consumers and clients.

Breaches of this kind often occur when private information is shared too widely and given to third-parties that may not uphold standards of best practice. Just because Microsoft maintains high levels of security doesn’t mean the hundreds of third-party companies they share data with will do the same.

Office 365 users need to know that they can trust Microsoft to do everything they can to maintain security and compliance.

Security and compliance in Office 365

With Microsoft marketing Office 365 towards corporate users, security and compliance play a big role in the viability of the product for many potential customers. The developer has been keen to support users with both of these elements, but what does that really entail?

Firstly, what is the difference between security and compliance?

  • Security involves the practical preventative measures that keep a company’s data safe. Antivirus software, controls on network access, VPN encryption: these tools can all contribute to maintaining corporate security.
  • Compliance means upholding the rules and regulatory standards surrounding data, maintaining best practices, and ensuring that companies take the necessary steps to protect their information.

Microsoft offers a range of practical tools to enhance security, but they also provide users with the Microsoft 365 Compliance Centre. This hub makes resources and compliance scoring systems available, and is regularly updated.

It’s worth noting, however, that Microsoft stresses the importance of shared responsibility in this area, saying, “Managing security and compliance is a partnership. You are responsible for protecting your data, identities, and devices, while Microsoft vigorously protects Microsoft 365 services.”

Considering the allegations now raised against Microsoft, users may be concerned about the other half of their partnership. While resources like the Compliance Centre are useful, the developers need to maintain compliance with their own stated standards.

Two-Factor Authentication

A key step towards enhanced security in Office 365 is the enabling of its two-factor authentication (2FA) features. This can add a robust layer of protection to the system’s perimeter and lower the risks of password cracking.

2FA is similar to two-step verification (2SV), but differs in that it demands more definitive proof of each login’s authenticity. With 2FA, users who want to access their Office 365 account will first have to input their password, and then prove that they have access to a separate verified device, like their phone.

After the password has been submitted, users are prompted to confirm their identity via their smartphone. This can even be done using a fingerprint if the device carries a biometric scanner. 2FA lowers the likelihood of a criminal cracking an employee’s password and gaining access to the network as a whole.

Is OneDrive secure?

At the heart of Office 365 is OneDrive, Microsoft's cloud storage platform. The security of the entire Office 365 system largely depends on OneDrive’s defenses against hacking and cyberattacks.

OneDrive comes with inbuilt security features, including data encryption both in the cloud and on any connected devices. While users are still the ones responsible for maintaining security and compliance, Microsoft provides a safety net. But is OneDrive really as safe as Microsoft makes out?

Although OneDrive hasn’t suffered any headline-grabbing breaches yet, the allegations against Microsoft should encourage users to be sceptical of the company’s security standards. Cloud storage is clearly a useful tool for modern businesses, but customers should make sure they’re choosing the right service for their needs.

Make Microsoft Office 365 more secure in 4 steps

Businesses cannot afford to view a software suite like Office 365 as a one-size-fits-all solution. Security measures work best when layered with other complementary systems, buttressed by human-assured best practices.

Take these four steps to make Office 365 more secure, so you can enjoy maximum benefits with minimum risk.

    1. Enable two-factor authentication. With 2FA enabled, a hacker would need both your login credentials and access to your designated mobile device to break into your account. This can dramatically reduce the likelihood of an attack successfully penetrating a network’s outer perimeter and lowers the risks of Office 365 being compromised through brute force attacks.
    2. Encrypt and back up essential data. Protecting your data is vital for two reasons. Firstly, data loss can occur through a variety of channels and cause enormous financial losses. Furthermore, ransomware attacks are on the rise. If you encrypt and back up your data, it can’t be sold online or held for ransom. So try using a cloud storage service that also offers encryption – like NordLocker.
    3. Use all available tools to enhance email security. To ensure that your emails don’t become an access point for cybercriminals, take advantage of Microsoft’s Advanced Threat Protection system and adjust all in-email filtering systems to limit exposure to risk. Use 2FA to limit the dangers of spear-phishing attacks. Finally, ensure that employees are regularly updated on best practices and threat developments, so they can be empowered to spot and prevent attacks wherever possible.
    4. Ensure that employees use a VPN. No matter how many advanced threat prevention systems you buy, an employee’s compromised device can still give hackers access to Office 365 and the data stored on your OneDrive cloud. To combat the dangers of unsecured endpoints, ensure that employees use a VPN to encrypt their data.
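
To check that step 1 has actually been carried out, the example below (added here, not part of the original article or of Microsoft's tooling) audits an exported 2FA registration report and lists the accounts that still lack a usable second factor, admin accounts first. The field and method names follow Microsoft Graph's userRegistrationDetails report and are an assumption here; the sample rows and the contoso.example accounts are constructed.

```python
import json

# Constructed sample rows; field names assumed to match an exported
# Microsoft Graph userRegistrationDetails report.
SAMPLE_REPORT = json.loads("""[
 {"userPrincipalName": "admin@contoso.example", "isAdmin": true,
  "isMfaRegistered": false, "methodsRegistered": []},
 {"userPrincipalName": "alice@contoso.example", "isAdmin": false,
  "isMfaRegistered": true, "methodsRegistered": ["microsoftAuthenticatorPush"]},
 {"userPrincipalName": "bob@contoso.example", "isAdmin": false,
  "isMfaRegistered": true, "methodsRegistered": ["mobilePhone"]},
 {"userPrincipalName": "carol@contoso.example", "isAdmin": false,
  "isMfaRegistered": false, "methodsRegistered": ["email"]},
 {"userPrincipalName": "dave@contoso.example", "isAdmin": true,
  "isMfaRegistered": true,
  "methodsRegistered": ["mobilePhone", "softwareOneTimePasscode"]}
]""")

# Phone-number methods (SMS or voice call) are the weakest second factor,
# so accounts relying only on them are flagged for follow-up.
PHONE_ONLY_METHODS = {"mobilePhone"}
# Registered methods that do not act as a second factor at sign-in.
NOT_A_SECOND_FACTOR = {"email"}

def classify(row):
    """Return (severity, reason) for one account; severity 0 means no finding."""
    methods = set(row.get("methodsRegistered", [])) - NOT_A_SECOND_FACTOR
    if not row.get("isMfaRegistered") or not methods:
        base, reason = 2, "no second factor registered"
    elif methods <= PHONE_ONLY_METHODS:
        base, reason = 1, "second factor is phone number only"
    else:
        return 0, "ok"
    # Admin accounts reach the whole tenant, so raise their findings one level.
    return base + (1 if row.get("isAdmin") else 0), reason

def audit(report):
    """List (severity, account, reason) findings, most severe first."""
    findings = []
    for row in report:
        severity, reason = classify(row)
        if severity:
            findings.append((severity, row["userPrincipalName"], reason))
    return sorted(findings, key=lambda f: (-f[0], f[1]))

if __name__ == "__main__":
    for severity, upn, reason in audit(SAMPLE_REPORT):
        print(f"severity {severity}: {upn}: {reason}")
```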

With NordVPN, you can ensure that all browsing traffic, including passwords and other sensitive information, is wrapped in layers of next-generation encryption. For corporate clients, the NordVPN Teams service offers a bespoke enterprise solution that can work in tandem with software like Office 365. Securing your data is a process; start with NordVPN.



Malcolm Higgins

Malcolm is a content writer specializing in cybersecurity and tech news. With a background in journalism and a passion for digital privacy, he hopes his work will empower people to control their own data.

