US Department of Homeland Security Warns of Office 365 Security Risks

We have been discussing the abrupt roll-out of remote workforce capabilities both in this space (here and here) and in our recent webinar. As companies raced to get employees up and running remotely, business continuity was the primary focus, while privacy and cybersecurity issues likely took a backseat. The Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) has issued an alert providing security advice for companies that may have rushed out Microsoft Office 365 (O365) deployments to support these remote work environments.

CISA warns in this latest alert that it continues to see companies that have failed to implement the necessary security for their Office 365 implementations, and expresses concern that the hurried nature of the deployments may have led to important security configuration oversights that could be (and have been in the past) exploited by bad actors.

CISA says “In recent weeks, organizations have been forced to change their collaboration methods to support a full ‘work from home’ workforce… While the abrupt shift to work-from-home may necessitate rapid deployment of cloud collaboration services, such as O365, hasty deployment can lead to oversights in security configurations and undermine a sound O365-specific security strategy.  CISA continues to see instances where entities are not implementing best security practices in regard to their O365 implementation, resulting in increased vulnerability to adversary attacks.”

CISA encourages organizations to implement an organizational cloud strategy to protect their infrastructure assets by defending against attacks related to their O365 transition and better securing O365 services. Specifically, CISA recommends that administrators implement the following mitigations and best practices:

  • Use multi-factor authentication. This is the best mitigation technique to protect against credential theft for O365 administrators and users.
  • Protect Global Admins from compromise and use the principle of “Least Privilege.”
  • Enable unified audit logging in the Security and Compliance Center.
  • Enable Alerting capabilities.
  • Integrate with organizational security incident event management solutions.
  • Disable legacy email protocols, if not required, or limit their use to specific users.

Attacks on O365 environments that stem from oversights in cyber-hygiene can result in unauthorized access to company confidential information, trade secrets, and personal information, triggering notification obligations under state data breach notification laws. Keep your employees and your corporate information safe by securing your remote work environments. And wash your hands.


Cynthia J. Larose

Member / Co-Chair, Privacy & Cybersecurity Practice

Cynthia J. Larose is Chair of the firm's Privacy & Cybersecurity Practice, a Certified Information Privacy Professional-US (CIPP-US), and a Certified Information Privacy Professional-Europe (CIPP-E). She works with clients in various industries to develop comprehensive information security programs on the front end, and provides timely counsel when it becomes necessary to respond to a data breach.