Security No. 1 Inhibitor to Microsoft Office 365 AdoptionMore businesses are switching to Office 365 despite fear of social engineering and ransomware attacks, but some remain wary.
Security is the primary reason businesses are hesitant to switch to the cloud-based Microsoft Office 365, but adoption continues to grow despite fears of spearphishing and ransomware attacks.
In April 2017, data protection firm Barracuda Networks polled 1,100+ organizations to learn about the trends around Office 365 adoption and usage, including the factors and concerns customers face when deciding whether to migrate or stick with their existing business software platform.
Results say adoption is increasing overall. Researchers found 63% of respondents currently use Office 365 and among the remaining respondents, some 49% plan to migrate to it. This marks a 20% jump from a similar study in 2016, when 42% of businesses surveyed were using Office 365.
"The cost and complexity of running on-premise datacenters is at a point where the cloud offers some very compelling benefits," says Sanjay Ramnath, vice president of security products and business strategy at Barracuda. "There's a combination of things that is in some cases enticing, in some cases forcing, users to move to the cloud."
Security concerns are the top inhibitor for 44% of businesses deciding against Office 365, primarily because of email-based threats like phishing, spearphishing, and ransomware. Exchange Online is the most commonly used tool in Office 365, with 87.3% usage, followed by OneDrive for Business (70.9%), and SharePoint Online (56.8%).
Other reasons for not adopting Office 365 include having a "no cloud" policy (32%), lack of budget (38.4%), and hassle of migration (30.4%). While the transition from traditional Microsoft Office to Office 365 is "nearly transparent," researchers say, it takes a lot of time and effort to shift resources, processes, and workloads, which affects security, compliance, and backups.
The fear of advanced threats extends to current Office 365 users as well, says Ramnath. More than three-quarters of those planning to migrate were concerned about advanced threats, but so were 70% of people currently on the platform. An overwhelming majority (89%) of those surveyed are worried about phishing, spearphishing, and social engineering attacks.
Ransomware came up in almost every conversation with respondents, he reports. Overall, more than 92% are worried about ransomware, and more than 47% report they have been victim of a ransomware attack. Of those victims, 76% report email was the threat vector.
"Adoption is growing but there are barriers to Office 365," Ramnath explains. "The biggest were around the need for the right level of security and right level of control."
Despite their concern, only 15.6% of respondents use Office 365 Advanced Threat Protection (ATP), reporting doubts about the effectiveness of native security and other features in Office 365. Most don't believe these features will protect them from advanced threats.
However, this doesn't mean they seek alternative tools to protect themselves. Less than 36% of respondents report using a third-party tool to lessen the threats of phishing, spearphishing, and social engineering, researchers found.
Only 8.5% of respondents have set up Domain-based Message Authentication, Reporting & Conformance (DMARC), standards-based protocols that can cut the risk of phishing and social engineering threats. Nearly 40% have set up DomainKeys Identified Mail/Sender Policy Framework (DKIM/SPF), but more than half (52.5%) have done neither.
Most (70%) train employees on how to recognize and avoid these threats but only about 19% use a third party to conduct this training. "Training can only get you so far," says Ramnath. "You need a combination of training, and technology to protect yourself."
Join Dark Reading LIVE for two days of practical cyber defense discussions. Learn from the industry’s most knowledgeable IT security experts. Check out the INsecurity agenda here.
Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial ... View Full Bio