Regardless of your Office 365 tier, layered security is the best way to protect your business email

Office 365 is popular, but experts agree that even the top tier should be bolstered by third party systems

Microsoft Office 365 is now generally accepted as ‘the way of all things' for the enterprise: 72 per cent of UK businesses are using it, according to the latest Computing research. However, mass adoption seems to come with a curious omission: as well-reported email-based cyber attacks like WannaCry and NotPetya demonstrate, Office 365 is not necessarily the last word in security.

As our research, presented in a recent web seminar (now available on-demand), shows, UK businesses lack confidence that Office 365 can protect them from current threats. We found that, while around 90 per cent of threats are now entering via email, email security takes up just 10 per cent of the average security budget.

Panellist Adenike Cosgrove, from cyber security firm Proofpoint, said that people mistakenly believe that it becomes Microsoft's responsibility to protect their data when they move to Office 365. Fellow guest Nick Ioannou, head of IT at Ratcliffe Groves Partnership, added, "You have to treat [the cloud] like it's your on-prem server. Whatever you had in place before, you have to make sure that it's in place on Office 365."

Microsoft's filters are adequate, but they won't keep a determined attacker out; for this, businesses should invest in third-party systems. A poll conducted during the websem showed that more than two-thirds of viewers' organisations supplement their Office subscriptions with third-party security software.

However, even advanced blocking won't stop every malicious email; social engineering is one of the most significant threats to company security, and filters can do little to block a well-targeted attack.

Cosgrove said, "Criminals aren't looking at the network any more, they're looking at the people: those with access to critical data in the organisation."

She added, "Some email security solutions can't detect these attacks because there's no malicious code, it's just text [(like an email ‘from the CEO' asking for the employee database)]. That is why layered security is so important…

"We can't just rely on technology; we also need education. It really is that layered approach of people, process and technology."

Watch the websem on-demand now.