ShareGate’s first annual State of Microsoft 365: Migration, Modernization and Security report recommends a new approach to security in this time of remote work. Instead of trying to control all activity, security leaders should give users more freedom to manage Microsoft 365 features combined with clear data governance guidance. The report authors say that this is the right balance that will allow people to get work done without compromising security.

The report includes sections on migration, security and modernization and is based on industry surveys and interviews with Microsoft MVPs. In the security section, the researchers found that IT teams need to make security a team effort in the distributed workplace.

The report authors wrote that, “By entrusting users to make decisions about things like group creation, external sharing and archival/deletion, you share the responsibility.”

According to the report, end users can decide how best to collaborate and communicate while keeping sensitive information secure, as long as they have guidance and advice from IT. With IT acting as a coach, not a guard, this approach to security is good for both employees and IT professionals.

The report also states that 84% of IT admins think that turning on self-service functionality in Microsoft 365 will save time and money, as long as users have the right guidance from IT.

Joanne Klein, founder of NexNovus and a four-time Microsoft MVP in Office Apps and Services, said in the report that she believes this principle is more salient than ever in a distributed workplace.

“It doesn’t matter what your role is in the organization,” she said. “You have a role to play and you need to be aware of the threats that are out there, and then act securely and safely in your environment.”

Klein shared a recommended “trifecta of security” in the era of distributed work: identity, data and devices.

  1. Identity: Use Microsoft tools to identify who is accessing what
  2. Data: Classify data in order to know the nature of the data that is being accessed
  3. Devices: Identify what company (or personal) devices are being used

One of the first challenges in this new approach is defining a data classification policy. The research found that only 25% of IT admins have a system like this in place. The next challenge will be enforcing those rules, according to the report.

The survey found that this governance is crucial because external sharing is growing exponentially:

  • 67% of organizations have external sharing enabled in their Microsoft 365 environment
  • 64% use a SharePoint external sharing setting to verify users
  • 26% do not require any user verification or sign-in to access shared files
  • 41% of IT teams have a process in place to review/audit externally shared links, but 59% do not
  • 86% of organizations have enabled multi-factor authentication, which is key to a zero trust approach

A 2020 study by the Harvard Business Review and Microsoft examined the impact of digital transformation on data governance. After surveying some 500 global business leaders across industries, the analysis recommends these five pillars of effective data governance:

  1. Data policies: Address internal, industry and governmental requirements for security and privacy
  2. Corporate cultures: Programs for developing an organization-wide awareness about the proper use and protection of information
  3. Organizational structures: Clearly defined roles and responsibilities related to security, risk and compliance
  4. Technology infrastructure: Applications and services for cybersecurity, data monitoring and other compliance areas
  5. Workforce development: Company-wide training and skill development related to security and privacy

ShareGate conducted four online surveys in Q1 2021 to produce this report. A total of 801 IT professionals participated in these surveys across government and public administration, finance and insurance, healthcare, manufacturing, and information services. Their companies range from smaller startups to medium-sized businesses and established enterprise companies.