Pinja Blog

User is the weakest link in Microsoft 365 data security

Written by Tuomas Lassila | Dec 3, 2020 9:49:46 AM

Over the past year, many of us have shifted towards more time- and place-independent work. In many organizations, daily work leans more and more on cloud-based information work tools, such as Microsoft 365 services. With mobile remote work, more attention should be paid to data security than before, and employees should be carefully trained in the use of remote work tools from the point of view of data security as well. It is indeed the users that are the greatest data security risk in Microsoft 365 services.

User identification is the anchor of data security in a cloud service


Previously, data and systems have typically been located in a private network or a private cloud where access can be controlled with firewalls between the networks. User identification has been much less significant for data security than it is today. For example, sufficient attention may not have been paid to the password strength of intranet systems.

With the increasing popularity of public cloud services, such as M365, the effect of firewall protection on data security has notably weakened. User identification has become the most important access control tool in remote work – a data security anchor, a so-called new firewall. In fact, authentication methods should be promptly updated if strong identification is not yet used. 

The challenge with M365 is that most users do not consider it a “self-service” tool, which it basically is. Many people assume that Microsoft is responsible for data security and the use of the tools is completely safe. However, Microsoft only takes care of the platform maintenance – therefore, it is primarily a platform service. It is under Microsoft’s responsibility to examine data security on a general level and develop platform features based on this, whereas it is almost always the users’ duty to take into use new features that improve data security.

Maintaining a sufficient data security level requires continuous learning 

Do you know whom to contact first in your organization in a problem related to M365? What is the response timeline for addressing disturbances? These questions should be answered in every organization now – it is too late when problems actually occur. If your own resources are not sufficient for system management, it is worth assigning the maintenance task to an external partner.

Microsoft develops M365 services and their data security features on a continuous basis. Therefore, continuous learning and follow-up are necessary to keep up to date. By assigning the administration and maintenance of a M365 tenant to a competent partner, you can be sure of the sufficiency of your data security. In practice, the partner monitors your M365 environment constantly and, if needed, suggests adoption of efficient operating models or better data security procedures, and responds quickly in case of disturbances. The partner can either act as a contact point for the entire personnel or provide expert support to the IT team.

Assess the data security level of your organization

Do you know if you use DMARC, Audit Log or MFA for Administrators? Do you know what your company’s security score is? It is important to be aware of the data security level of your company. However, if you think that there are gaps in your data security strategy, it’s about time to make a course correction. New data security threats emerge continuously, so beware of being locked in the past.

Read more

3+1 tips to successfully migrate to Microsoft 365
Remote working has accelerated the deployment of Microsoft 365 – this is foremost a cultural change
Microsoft 365 services
IT services