Cloud

10/12/2017
02:10 PM
Connect Directly
Twitter
LinkedIn
Google+
RSS
E-Mail
50%
50%

Security No. 1 Inhibitor to Microsoft Office 365 Adoption

More businesses are switching to Office 365 despite fear of social engineering and ransomware attacks, but some remain wary.

Security is the primary reason businesses are hesitant to switch to the cloud-based Microsoft Office 365, but adoption continues to grow despite fears of spearphishing and ransomware attacks.

In April 2017, data protection firm Barracuda Networks polled 1,100+ organizations to learn about the trends around Office 365 adoption and usage, including the factors and concerns customers face when deciding whether to migrate or stick with their existing business software platform.

Results say adoption is increasing overall. Researchers found 63% of respondents currently use Office 365 and among the remaining respondents, some 49% plan to migrate to it. This marks a 20% jump from a similar study in 2016, when 42% of businesses surveyed were using Office 365.

"The cost and complexity of running on-premise datacenters is at a point where the cloud offers some very compelling benefits," says Sanjay Ramnath, vice president of security products and business strategy at Barracuda. "There's a combination of things that is in some cases enticing, in some cases forcing, users to move to the cloud."

Security concerns are the top inhibitor for 44% of businesses deciding against Office 365, primarily because of email-based threats like phishing, spearphishing, and ransomware. Exchange Online is the most commonly used tool in Office 365, with 87.3% usage, followed by OneDrive for Business (70.9%), and SharePoint Online (56.8%).

Other reasons for not adopting Office 365 include having a "no cloud" policy (32%), lack of budget (38.4%), and hassle of migration (30.4%). While the transition from traditional Microsoft Office to Office 365 is "nearly transparent," researchers say, it takes a lot of time and effort to shift resources, processes, and workloads, which affects security, compliance, and backups.

The fear of advanced threats extends to current Office 365 users as well, says Ramnath. More than three-quarters of those planning to migrate were concerned about advanced threats, but so were 70% of people currently on the platform. An overwhelming majority (89%) of those surveyed are worried about phishing, spearphishing, and social engineering attacks.

Ransomware came up in almost every conversation with respondents, he reports. Overall, more than 92% are worried about ransomware, and more than 47% report they have been victim of a ransomware attack. Of those victims, 76% report email was the threat vector.

"Adoption is growing but there are barriers to Office 365," Ramnath explains. "The biggest were around the need for the right level of security and right level of control."

Despite their concern, only 15.6% of respondents use Office 365 Advanced Threat Protection (ATP), reporting doubts about the effectiveness of native security and other features in Office 365. Most don't believe these features will protect them from advanced threats.

However, this doesn't mean they seek alternative tools to protect themselves. Less than 36% of respondents report using a third-party tool to lessen the threats of phishing, spearphishing, and social engineering, researchers found.

Only 8.5% of respondents have set up Domain-based Message Authentication, Reporting & Conformance (DMARC), standards-based protocols that can cut the risk of phishing and social engineering threats. Nearly 40% have set up DomainKeys Identified Mail/Sender Policy Framework (DKIM/SPF), but more than half (52.5%) have done neither.

Most (70%) train employees on how to recognize and avoid these threats but only about 19% use a third party to conduct this training. "Training can only get you so far," says Ramnath. "You need a combination of training, and technology to protect yourself."

Related Content:

Join Dark Reading LIVE for two days of practical cyber defense discussions. Learn from the industry’s most knowledgeable IT security experts. Check out the INsecurity agenda here.

Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Microsoft, Mastercard Aim to Change Identity Management
Kelly Sheridan, Staff Editor, Dark Reading,  12/3/2018
Windows 10 Security Questions Prove Easy for Attackers to Exploit
Kelly Sheridan, Staff Editor, Dark Reading,  12/5/2018
Starwood Breach Reaction Focuses on 4-Year Dwell
Curtis Franklin Jr., Senior Editor at Dark Reading,  12/5/2018
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: I guess this answers the question: who's watching the watchers?
Current Issue
10 Best Practices That Could Reshape Your IT Security Department
This Dark Reading Tech Digest, explores ten best practices that could reshape IT security departments.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2018-20000
PUBLISHED: 2018-12-10
Apereo Bedework bw-webdav before 4.0.3 allows XXE attacks, as demonstrated by an invite-reply document that reads a local file, related to webdav/servlet/common/MethodBase.java and webdav/servlet/common/PostRequestPars.java.
CVE-2018-20001
PUBLISHED: 2018-12-10
In Libav 12.3, there is a floating point exception in the range_decode_culshift function (called from range_decode_bits) in libavcodec/apedec.c that will lead to remote denial of service via crafted input.
CVE-2018-20002
PUBLISHED: 2018-12-10
The _bfd_generic_read_minisymbols function in syms.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.31, has a memory leak via a crafted ELF file, leading to a denial of service (memory consumption), as demonstrated by nm.
CVE-2018-19991
PUBLISHED: 2018-12-10
VeryNginx 0.3.3 allows remote attackers to bypass the Web Application Firewall feature because there is no error handler (for get_uri_args or get_post_args) to block the API misuse described in CVE-2018-9230.
CVE-2018-19653
PUBLISHED: 2018-12-09
HashiCorp Consul 0.5.1 through 1.4.0 can use cleartext agent-to-agent RPC communication because the verify_outgoing setting is improperly documented. NOTE: the vendor has provided reconfiguration steps that do not require a software upgrade.