A global IT security and compliance survey of over 800 IT professionals found that the number of IT security incidents increases as more Microsoft 365 security features are used.
Organizations using Microsoft 365 with 1 or 2 of the default security features reported attacks 24.4% and 28.2% of the time, respectively, while those using 6 or 7 features reported attacks 55.6% and 40.8% of the time, respectively. Overall, 3 in 10 organizations (29.2%) using Microsoft 365 reported a known security incident in the past 12 months.
Hornetsecurity experts, who conducted the study, say these findings could be due to several factors.
They point to the likelihood that organizations with a large number of security features implemented them in response to persistent cyberattacks over some time, in order to mitigate security risks.
They also suggest that the more security features IT teams try to implement, the more complex the security system becomes. Features may be misconfigured, causing vulnerabilities.
This is confirmed by the fact that 62.6% of respondents indicated that insufficient time or resources is the main barrier to implementing security functions within their organization.
Another theory is that using more features can contribute to a false sense of security within an organization. This can cause the organization to stop paying attention to potential security threats, assuming that all these features will keep it safe without any extra effort.
The results of our research made it clear that relying on inventory security features for digital safety is insufficient. Hornetsecurity CEO Daniel Hofmann says: “It’s a cat-and-mouse game. As you grow, you add security features but become more susceptible to attack because you’re a more lucrative target. Still, you must keep trying the criminals before harming your organization.”
“Organizations need to proactively find ways to identify unseen vulnerabilities and take a careful, holistic approach to cybersecurity, rather than relying on what’s available out-of-the-box and reacting when it’s too late.”
On the obstacles faced by IT professionals, the survey found that a quarter of respondents (25.7%) whose organizations employ more than 50 people and have compliance requirements do not have a dedicated compliance officer or IT security officer on staff.
Several factors contribute to a lack of focus on IT security and compliance in medium to large organizations. Nearly 2 in 3 IT professionals surveyed (62.6%) say insufficient time or resources is the number one barrier to implementing security features within their organization.
After this, respondents cite a lack of budget (44.6%), skills problems and a lack of knowledge (36.2%), and a lack of interest from management (23.1%).
The researchers say all of the above results point to a general lack of urgency around security within organizations. Only 2% of respondents said they have no barriers related to security, and more than half of respondents (55.5%) said their organization lacks a change tracking and review process – an essential tool for identifying security risks.
Taking a closer look at the commonly used security features within organizations, spam filtering was the most popular of the 11 security features mentioned: 84.4% of respondents reported using it within their organization. Multi-factor authentication (82.7% of respondents) follows closely.
Web traffic filtering, permission management, and IT security awareness training for users are used by 68.8%, 66.4%, and 61.2%, respectively. The least common security measure was a SIEM solution, with only 14.1% of respondents implementing one.
However, the researchers say SIEM solutions matched the highest incident rate at 42.1%, confirming that more sophisticated security is needed as organizations become more targeted.