
The security gaps in Microsoft 365 and how to manage them

Posted by Rick Goud on 5th April 2022


According to Statista, over one million companies worldwide use Microsoft 365 (M365). However, when it comes to sharing sensitive information, the popular productivity suite leaves businesses open to some serious security risks.

The fact is, while a traditional M365 license can protect against some security hazards, on its own it does very little to prevent the leading causes of data incidents as reported by the ICO: sensitive data sent to the wrong person, misuse of Bcc, failure to adequately encrypt data, unauthorized access due to missing authentication, failure to recall emails - the list goes on.

In addition, M365 does not provide a solution to the increasing need for zero-trust security strategies. This is because zero trust models require a zero keys, zero access architecture, meaning vendors must not have access to a client’s data; unfortunately, the majority of suppliers, M365 included, do have such access.

Simply put, M365 alone leaves your sensitive communications open to risk. Only 3rd Generation smart communication solutions can help tackle these data protection challenges effectively - here’s how.

Frictionless workflows to secure sensitive information before, during, and after sending

3rd Generation communication solutions are designed to integrate seamlessly with leading collaboration tools, including M365. 

For employees, this is good news - they don’t need to adopt new processes or switch between platforms to manage their sensitive digital communications. 

Instead, they are empowered to do their job more effectively within the familiar environment of their existing email client. Employees no longer need to rely on fax, traditional paper and print, or third party file sharing platforms to go about their busy days and meet compliance.

By helping employees to prevent errors, the majority of data leaks can be avoided. Smart solutions combine traditional text and pattern matching with contextual machine-learning powered business rules to empower users to take action in the moment, based on company policy. 

For example, people are notified of the presence of sensitive data or an unknown recipient in the ‘to’ field and can apply the appropriate level of encryption with one (or no, depending on your preference) click.

Rightsized encryption and authentication while sending

Enforced Transport Layer Security secures the connection between sender and receiver, ensuring messages cannot be intercepted during transit. If this isn’t possible, 3rd Generation solutions don’t automatically resort to unsecure sending (which is standard practice for most providers). Instead, they utilize alternative solutions with similar security levels to protect emails, such as rerouting to message portals or other apps.
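The difference between opportunistic and enforced TLS described above can be sketched as a delivery decision over the receiving server's EHLO reply. This is an added example, not Zivver's or Microsoft's code; the function names, the `portal` route label, the `cert_valid` parameter and the sample replies are assumptions made for illustration.

```python
import re

# Constructed EHLO replies in RFC 5321 multi-line format; hostnames are placeholders.
EHLO_WITH_TLS = "250-mx.example.org Hello\r\n250-SIZE 35882577\r\n250-STARTTLS\r\n250 8BITMIME\r\n"
EHLO_NO_TLS = "250-mx.example.net Hello\r\n250-SIZE 10240000\r\n250 8BITMIME\r\n"

_LINE = re.compile(r"^(\d{3})([ -])(.*)$")


def parse_ehlo(reply):
    """Return the upper-cased extension keywords advertised in an EHLO reply."""
    lines = [line for line in reply.split("\r\n") if line]
    extensions = set()
    for index, line in enumerate(lines):
        match = _LINE.match(line)
        if not match or match.group(1) != "250":
            raise ValueError(f"unexpected EHLO reply line: {line!r}")
        separator, text = match.group(2), match.group(3)
        # Only the final line of a multi-line reply uses a space after the code.
        if (separator == " ") != (index == len(lines) - 1):
            raise ValueError("malformed multi-line reply")
        if index > 0 and text.strip():  # line 0 is the greeting, not an extension
            extensions.add(text.split()[0].upper())
    return extensions


def plan_delivery(reply, enforce_tls, cert_valid=True):
    """Pick a route for one message (hypothetical policy function).

    cert_valid stands in for the result of certificate validation, an
    assumption added here; the page itself only speaks of enforced TLS.
    """
    has_starttls = "STARTTLS" in parse_ehlo(reply)
    if has_starttls and (cert_valid or not enforce_tls):
        return "smtp+starttls"
    if enforce_tls:
        return "portal"          # never downgrade: reroute to a secure portal
    return "smtp-plaintext"      # opportunistic TLS silently falls back


if __name__ == "__main__":
    for name, reply in (("with TLS", EHLO_WITH_TLS), ("no TLS", EHLO_NO_TLS)):
        print(name, "| enforced:", plan_delivery(reply, True),
              "| opportunistic:", plan_delivery(reply, False))
```

A missing STARTTLS keyword is treated the same whether the server never supported it or the advertisement was stripped in transit, which is why the enforced policy reroutes instead of sending in the clear.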

In addition, once a message containing sensitive data has reached the recipient’s inbox, the recipient's identity is verified with multi-factor authentication (MFA). MFA is key to adequately protecting data and is functionality we see in most apps today - except when it comes to secure emailing.

Most email providers also retain access to client encryption keys, making them a target for malicious threats. However, with the application of 3rd Generation security, only the client holds encryption keys. This architecture also helps to avoid sensitive information being accessible by foreign state actors.

Access control and insights after sending 

If an error still occurs (we’re only human, after all), users can recall emails without limits. Unlike M365’s revoke function, employees can recall emails regardless of the recipient’s email client.

In addition, senders can see who has or has not accessed the message and/or files, allowing the sender and organization to understand the potential impact of a mistake and act appropriately as required by the GDPR.

Plus, registered, verified proof of delivery functionality, as well as activity logs on communications sent and received, supports compliance with data protection regulations and provides legal proof on the details of communication when needed.

Zero keys, zero access

Unlike Office 365, 3rd Generation security operates a strict zero-knowledge policy. This means that, when we say secure, we mean secure; messages are asymmetrically encrypted, and we don’t store decryption keys or any derivatives to be able to access your data. Only the sender, recipient and the organizations they work for hold the keys.

Super simple user experience for all

3rd Generation solutions don’t require users to jump through hoops to send and receive secure communications. Single sign-on functionality means employees can seamlessly email stakeholders with full authentication and audit trails as part of every message, as soon as they log into their workstation. 

3rd Generation solutions are designed to remove communication barriers, not build them. Therefore, recipients are not required to create accounts or download applications to open a secure email.

Don’t spend more than you have to

By combining Zivver with any M365 license, whether E5, E3 or E1, you’ll have the added benefits of enhanced security and data protection, and, when using E3 or lower, at a much lower cost compared to upgrading to E5.

Ready to secure your Office 365 environment? Learn more about our integrations. 


Rick Goud

CIO & Founder
