Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Cloud

10/12/2017
02:10 PM
Connect Directly
Twitter
LinkedIn
RSS
E-Mail
50%
50%

Security No. 1 Inhibitor to Microsoft Office 365 Adoption

More businesses are switching to Office 365 despite fear of social engineering and ransomware attacks, but some remain wary.

Security is the primary reason businesses are hesitant to switch to the cloud-based Microsoft Office 365, but adoption continues to grow despite fears of spearphishing and ransomware attacks.

In April 2017, data protection firm Barracuda Networks polled 1,100+ organizations to learn about the trends around Office 365 adoption and usage, including the factors and concerns customers face when deciding whether to migrate or stick with their existing business software platform.

Results say adoption is increasing overall. Researchers found 63% of respondents currently use Office 365 and among the remaining respondents, some 49% plan to migrate to it. This marks a 20% jump from a similar study in 2016, when 42% of businesses surveyed were using Office 365.

"The cost and complexity of running on-premise datacenters is at a point where the cloud offers some very compelling benefits," says Sanjay Ramnath, vice president of security products and business strategy at Barracuda. "There's a combination of things that is in some cases enticing, in some cases forcing, users to move to the cloud."

Security concerns are the top inhibitor for 44% of businesses deciding against Office 365, primarily because of email-based threats like phishing, spearphishing, and ransomware. Exchange Online is the most commonly used tool in Office 365, with 87.3% usage, followed by OneDrive for Business (70.9%), and SharePoint Online (56.8%).

Other reasons for not adopting Office 365 include having a "no cloud" policy (32%), lack of budget (38.4%), and hassle of migration (30.4%). While the transition from traditional Microsoft Office to Office 365 is "nearly transparent," researchers say, it takes a lot of time and effort to shift resources, processes, and workloads, which affects security, compliance, and backups.

The fear of advanced threats extends to current Office 365 users as well, says Ramnath. More than three-quarters of those planning to migrate were concerned about advanced threats, but so were 70% of people currently on the platform. An overwhelming majority (89%) of those surveyed are worried about phishing, spearphishing, and social engineering attacks.

Ransomware came up in almost every conversation with respondents, he reports. Overall, more than 92% are worried about ransomware, and more than 47% report they have been victim of a ransomware attack. Of those victims, 76% report email was the threat vector.

"Adoption is growing but there are barriers to Office 365," Ramnath explains. "The biggest were around the need for the right level of security and right level of control."

Despite their concern, only 15.6% of respondents use Office 365 Advanced Threat Protection (ATP), reporting doubts about the effectiveness of native security and other features in Office 365. Most don't believe these features will protect them from advanced threats.

However, this doesn't mean they seek alternative tools to protect themselves. Less than 36% of respondents report using a third-party tool to lessen the threats of phishing, spearphishing, and social engineering, researchers found.

Only 8.5% of respondents have set up Domain-based Message Authentication, Reporting & Conformance (DMARC), standards-based protocols that can cut the risk of phishing and social engineering threats. Nearly 40% have set up DomainKeys Identified Mail/Sender Policy Framework (DKIM/SPF), but more than half (52.5%) have done neither.

Most (70%) train employees on how to recognize and avoid these threats but only about 19% use a third party to conduct this training. "Training can only get you so far," says Ramnath. "You need a combination of training, and technology to protect yourself."

Related Content:

Join Dark Reading LIVE for two days of practical cyber defense discussions. Learn from the industry’s most knowledgeable IT security experts. Check out the INsecurity agenda here.

Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
COVID-19: Latest Security News & Commentary
Dark Reading Staff 10/23/2020
7 Tips for Choosing Security Metrics That Matter
Ericka Chickowski, Contributing Writer,  10/19/2020
Russian Military Officers Unmasked, Indicted for High-Profile Cyberattack Campaigns
Kelly Jackson Higgins, Executive Editor at Dark Reading,  10/19/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Special Report: Computing's New Normal
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
How IT Security Organizations are Attacking the Cybersecurity Problem
How IT Security Organizations are Attacking the Cybersecurity Problem
The COVID-19 pandemic turned the world -- and enterprise computing -- on end. Here's a look at how cybersecurity teams are retrenching their defense strategies, rebuilding their teams, and selecting new technologies to stop the oncoming rise of online attacks.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-24847
PUBLISHED: 2020-10-23
A Cross-Site Request Forgery (CSRF) vulnerability is identified in FruityWifi through 2.4. Due to a lack of CSRF protection in page_config_adv.php, an unauthenticated attacker can lure the victim to visit his website by social engineering or another attack vector. Due to this issue, an unauthenticat...
CVE-2020-24848
PUBLISHED: 2020-10-23
FruityWifi through 2.4 has an unsafe Sudo configuration [(ALL : ALL) NOPASSWD: ALL]. This allows an attacker to perform a system-level (root) local privilege escalation, allowing an attacker to gain complete persistent access to the local system.
CVE-2020-5990
PUBLISHED: 2020-10-23
NVIDIA GeForce Experience, all versions prior to 3.20.5.70, contains a vulnerability in the ShadowPlay component which may lead to local privilege escalation, code execution, denial of service or information disclosure.
CVE-2020-25483
PUBLISHED: 2020-10-23
An arbitrary command execution vulnerability exists in the fopen() function of file writes of UCMS v1.4.8, where an attacker can gain access to the server.
CVE-2020-5977
PUBLISHED: 2020-10-23
NVIDIA GeForce Experience, all versions prior to 3.20.5.70, contains a vulnerability in NVIDIA Web Helper NodeJS Web Server in which an uncontrolled search path is used to load a node module, which may lead to code execution, denial of service, escalation of privileges, and information disclosure.