Enhancing email security in Office 365

The need for corporate security has never been greater. Identity theft remains a lucrative crime, and we read about a major hack nearly every day. Companies moving to Office 365 are sometimes unaware that simply moving their employees to an online email system will increase their exposure to threats.

Because Office 365 includes a baseline measure of security – called Exchange Online Protection – some companies are tempted to rely on that for email security, believing that because email is happening in Microsoft’s cloud, their environments are not impacted.

The reality is quite different. First of all, Office Online Protection is limited because most of its features are designed to detect spam. Spam remains a large problem for email, but phishing has become a more dangerous threat. Phishing, spear-phishing, and whaling are all variations of the same theme designed to lure readers into a false confidence that what they are reading is genuine in order to convince them to make that all-important click to the included link.

According to Verizon’s latest security report, a staggering 25 percent of phishing attempts are successful. That doesn’t mean 25 percent of the recipients will fall prey, but rather that 25 percent of the attacks will snag at least one victim.

In the current release of Office 365, phishing attacks aren’t caught by Exchange Online Protection. For true content inspection (which is how spurious links are detected), companies need to license an additional product called Advanced Threat Protection. This add-on is expensive, and while very extensive, might be overkill for some companies.

Microsoft’s email security strategy essentially treats anything they don’t recognize as suspect, which is a good strategy but one that comes at a price. Until Microsoft builds a large database of known “good” senders, links, etc. – a large amount of mail is likely to get tagged.

Third parties who have a longer history in the security business have more robust databases where essentially, it is easier for them to separate valid mail from potential threats, versus tagging more valid emails. These are known as false positives – emails that should have been delivered, but were instead tagged as potentially malicious.

Managing false positives has always required work on IT’s part; hence the value of “allow” lists that are built-up over time. Once again, switching over to Office 365’s Online Protection requires companies to start again – there is no easy way to migrate existing lists into Microsoft solution, at least not yet.

Companies need to carefully evaluate security when moving to Office 365. First of all, they will need more security than the basic solution provides. Second, third party providers may offer solutions that are more robust and easier to manage than Microsoft’s. Finally, most security experts agree that a multi-layered approach, i.e. putting a different vendor in front of a SaaS application, provides a stronger security alternative than relying just on native security. For Office 365, this is definitely the case.