50% of Microsoft 365 Users are Not Managed by Default Security Policies, CoreView Research Finds

New Report From CoreView Indicates the Missing Ingredient in Deploying and Using Microsoft 365 (M365) Effectively Is Often Proactive Data Governance and Application Security Strategies

Alpharetta, GA — October 22, 2020 — Today CoreView, the only intelligent SaaS Management Platform (SMP), published new research that reveals, on average, half (50%) of users at enterprises running Microsoft 365 (M365) are not managed by default security policies within the platform. The in-depth research report, “Global Microsoft 365 Report: Application Security, Data Governance and Shadow IT,” examines the state of application governance and security among M365 enterprise users.

The research is based on more than five million workers from enterprises running on M365 and either actively use CoreView’s SMP, have received a complimentary CoreView Office 365 Health Check analysis.

“Organizations today need to provide workers with technology and tools for the digital workplace while ensuring their enterprise data is protected. CoreView’s research indicates that enterprises are failing at M365 governance and security,” said Michael A. Morrison, chief executive officer at CoreView. “Enterprises must ensure they have the processes and tools, including CoreView, in place to help securely migrate and operate within the world’s leading SaaS productivity platform, M365.”

Key themes and results from the research include:

• Enterprises are failing to implement basic security practices – The survey research shows that approximately 78% of M365 administrators do not have multi-factor authentication (MFA) activated. According to the SANS Software Security Institute, 99% of data breaches can be prevented using MFA. This is a huge security risk, particularly during a time when so many employees are working remotely.
• M365 administrators are given excessive control, leading to increased access to sensitive information – 57% of global organizations have M635 administrators with excess permissions to access, modify, or share critical data. In addition, 36% of M365 administrators are Global Admins, meaning these administrators can essentially do whatever they want in M365. CIS O365 security guidelines suggests limiting the number of Global Admins to two-four operators maximum per business.
• Investing in productivity and operation applications without considering security implications – The data shows that US enterprises, on average, utilize more than 1,100 different productivity and operations applications, which indicates a strong dedication to the growing needs of business across departments, locations, and time zones. While increased access to productivity and operations apps helps fuel productivity, unsanctioned Shadow IT apps have varying levels of security, while unsanctioned apps represent a significant security risk. Shadow IT is ripe for attack and according to a Gartner prediction, this year, one-third of all successful attacks on enterprises will be against Shadow IT resources.

Many businesses underestimate the security and governance responsibilities they take on when migrating to Microsoft 365 (M365). IT leaders often assume that M365 has built-in, fool-proof frameworks for critical IT-related decisions, such as data governance, securing business applications, and prioritizing IT investments and principles. CoreView research disprove this by revealing that many organizations struggle with fundamental governance and security tasks for their M365 environment. Today’s remote and hybrid working environment requires IT leaders to be proactive in prioritizing security and data governance in M365.

Additional Resources:

• To download the full “Global Microsoft 365 Report: Application Security, Data Governance and Shadow IT,” visit: https://www.coreview.com/resources/whitepaper/microsoft-365-app-security-governance-shadow-it-report
• For more information on Microsoft 365 security, click here: https://www.coreview.com/security-and-compliance/