Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Cloud

10/12/2017
02:10 PM
Connect Directly
Twitter
LinkedIn
Google+
RSS
E-Mail
50%
50%

Security No. 1 Inhibitor to Microsoft Office 365 Adoption

More businesses are switching to Office 365 despite fear of social engineering and ransomware attacks, but some remain wary.

Security is the primary reason businesses are hesitant to switch to the cloud-based Microsoft Office 365, but adoption continues to grow despite fears of spearphishing and ransomware attacks.

In April 2017, data protection firm Barracuda Networks polled 1,100+ organizations to learn about the trends around Office 365 adoption and usage, including the factors and concerns customers face when deciding whether to migrate or stick with their existing business software platform.

Results say adoption is increasing overall. Researchers found 63% of respondents currently use Office 365 and among the remaining respondents, some 49% plan to migrate to it. This marks a 20% jump from a similar study in 2016, when 42% of businesses surveyed were using Office 365.

"The cost and complexity of running on-premise datacenters is at a point where the cloud offers some very compelling benefits," says Sanjay Ramnath, vice president of security products and business strategy at Barracuda. "There's a combination of things that is in some cases enticing, in some cases forcing, users to move to the cloud."

Security concerns are the top inhibitor for 44% of businesses deciding against Office 365, primarily because of email-based threats like phishing, spearphishing, and ransomware. Exchange Online is the most commonly used tool in Office 365, with 87.3% usage, followed by OneDrive for Business (70.9%), and SharePoint Online (56.8%).

Other reasons for not adopting Office 365 include having a "no cloud" policy (32%), lack of budget (38.4%), and hassle of migration (30.4%). While the transition from traditional Microsoft Office to Office 365 is "nearly transparent," researchers say, it takes a lot of time and effort to shift resources, processes, and workloads, which affects security, compliance, and backups.

The fear of advanced threats extends to current Office 365 users as well, says Ramnath. More than three-quarters of those planning to migrate were concerned about advanced threats, but so were 70% of people currently on the platform. An overwhelming majority (89%) of those surveyed are worried about phishing, spearphishing, and social engineering attacks.

Ransomware came up in almost every conversation with respondents, he reports. Overall, more than 92% are worried about ransomware, and more than 47% report they have been victim of a ransomware attack. Of those victims, 76% report email was the threat vector.

"Adoption is growing but there are barriers to Office 365," Ramnath explains. "The biggest were around the need for the right level of security and right level of control."

Despite their concern, only 15.6% of respondents use Office 365 Advanced Threat Protection (ATP), reporting doubts about the effectiveness of native security and other features in Office 365. Most don't believe these features will protect them from advanced threats.

However, this doesn't mean they seek alternative tools to protect themselves. Less than 36% of respondents report using a third-party tool to lessen the threats of phishing, spearphishing, and social engineering, researchers found.

Only 8.5% of respondents have set up Domain-based Message Authentication, Reporting & Conformance (DMARC), standards-based protocols that can cut the risk of phishing and social engineering threats. Nearly 40% have set up DomainKeys Identified Mail/Sender Policy Framework (DKIM/SPF), but more than half (52.5%) have done neither.

Most (70%) train employees on how to recognize and avoid these threats but only about 19% use a third party to conduct this training. "Training can only get you so far," says Ramnath. "You need a combination of training, and technology to protect yourself."

Related Content:

Join Dark Reading LIVE for two days of practical cyber defense discussions. Learn from the industry’s most knowledgeable IT security experts. Check out the INsecurity agenda here.

Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
7 Truths About BEC Scams
Ericka Chickowski, Contributing Writer,  6/13/2019
DNS Firewalls Could Prevent Billions in Losses to Cybercrime
Curtis Franklin Jr., Senior Editor at Dark Reading,  6/13/2019
Cognitive Bias Can Hamper Security Decisions
Kelly Sheridan, Staff Editor, Dark Reading,  6/10/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Building and Managing an IT Security Operations Program
As cyber threats grow, many organizations are building security operations centers (SOCs) to improve their defenses. In this Tech Digest you will learn tips on how to get the most out of a SOC in your organization - and what to do if you can't afford to build one.
Flash Poll
The State of IT Operations and Cybersecurity Operations
The State of IT Operations and Cybersecurity Operations
Your enterprise's cyber risk may depend upon the relationship between the IT team and the security team. Heres some insight on what's working and what isn't in the data center.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-12855
PUBLISHED: 2019-06-16
In words.protocols.jabber.xmlstream in Twisted through 19.2.1, XMPP support did not verify certificates when used with TLS, allowing an attacker to MITM connections.
CVE-2013-7472
PUBLISHED: 2019-06-15
The "Count per Day" plugin before 3.2.6 for WordPress allows XSS via the wp-admin/?page=cpd_metaboxes daytoshow parameter.
CVE-2019-12839
PUBLISHED: 2019-06-15
In OrangeHRM 4.3.1 and before, there is an input validation error within admin/listMailConfiguration (txtSendmailPath parameter) that allows authenticated attackers to achieve arbitrary command execution.
CVE-2019-12840
PUBLISHED: 2019-06-15
In Webmin through 1.910, any user authorized to the "Package Updates" module can execute arbitrary commands with root privileges via the data parameter to update.cgi.
CVE-2019-12835
PUBLISHED: 2019-06-15
formats/xml.cpp in Leanify 0.4.3 allows for a controlled out-of-bounds write in xml_memory_writer::write via characters that require escaping.