Cryptzone Survey Reveals High Adoption of Office 365 and SharePoint Online, Highlights Ongoing Security Concerns

Cryptzone has revealed the results of a Microsoft® Office 365 and SharePoint survey conducted with TechValidate. The survey addressed how organizations are utilizing Office 365 and SharePoint, what applications they are using from the platform, where they have limitations, and how organizations perceive the security of Office 365 for controlling sensitive data.

Key findings show that a majority of respondents are utilizing Office 365 for its ability to universally connect employees, but that there are still lingering concerns about the solution’s security, especially when it comes to highly sensitive information. Half of the respondents affirmed that the only types of information currently stored in Office 365 are public/non-sensitive documentation or project documents.

Office 365 Holds Sway 

48% of organizations surveyed currently use Office 365, and an additional 15% plan to use it within the next year, 6% in the next two years and 10% in the next 5 years; 21% noted they had no plans to use it.

When looking at SharePoint usage, 39% are using SharePoint 2013 and 29% are still using SharePoint 2010; SharePoint Online adoption is growing at 16%.

Of the capabilities within Office 365, the most commonly used are Exchange and Office (44% each), followed by SharePoint Online (40%), OneDrive (39%), and Lync (36%).

More than half cite universal access for employees (44%) and third parties (11%) as the principal driver for Office 365 use.

The second most common reason for using Office 365 was functionality (29%), followed by economics (26%).

The survey revealed that the cloud environment is here to stay, as 70% of respondents reported that up to 50% of document collaboration is already done in the cloud, with 100% saying they plan to go to the cloud within the next 5 years.

For those companies who have a hybrid approach, meaning they have both Office 365 and on-premises farms, 59% of respondents were not sure how long they would maintain an on-premises farm and 17% plan to maintain one permanently.

Organizations Actively Addressing Security, But Concerns Remain

A majority of organizations (54%) believe there is enough built-in security to store confidential documents in Office 365.

Of those planning on maintaining an on-premises installation permanently, integrations with other on-premises data (61%) and third-party security concerns (45%) ranked as primary drivers.

That said, 34% said they are not planning to store confidential information in Office 365.

The top three most common document types companies currently store include public/non-sensitive documentation (59%), project documents (51%) and corporate projects (39%).

Respondents felt uncomfortable or extremely uncomfortable storing the following sensitive data: financial documents (48%), HR documents (41%), Intellectual Property/IP (46%), military or intelligence data (61%), regulated data such as PCI, PII, and PHI (40%). 

When asked how companies that store or plan to store sensitive data in Office 365 plan to secure it, the top four solutions cited were permissions (79%), access control (74%), Active Directory (71%), encryption (51%), and classification (27%).

“Office 365 is here to stay,” said Chris McNulty, CTO and Microsoft SharePoint MVP for Cryptzone. “As companies migrate to the cloud, the focus needs to be on uniformly securing all environments, on-premises or cloud. Then organizations can truly take advantage of the advanced capabilities, features and sharing components of Office 365 and SharePoint Online. While Office 365 provides unmatched productivity and cost-effectiveness, many are still concerned about its security. Organizations should consider taking a layered approach to security, to help them increase their comfort level and confidence in working in the cloud.”



Cutting Through the RSA Conference Jargon: Cybersecurity Lessons for the C-Suite

By Mike Potts, CEO, Lancope

Another RSA conference is behind us, and as always, we overheard security professionals speaking their own language using terms like “APTs” and “zero-day threats.” While these words and numerous other terms sound like jargon, they represent important cybersecurity concepts that have typically flown over the collective head of C-Suite executives and board members — until today. At this year’s RSA conference, I noticed that cybersecurity is finally being recognised as a business discipline that directly impacts an organisation’s business goals, which is causing the C-Suite to sit up and listen.

The string of damaging data breaches suffered by high-profile companies like Target, Sony Pictures, Home Depot and JP Morgan Chase has helped to elevate the issue of cybersecurity to the C-Suite and board levels. While the mechanics of identifying and remediating attacks may reside with the IT team, cybersecurity has become a company-wide effort that the leadership team must oversee.

With cybersecurity cast in this new light, CEOs need to consider three crucial questions: what must be done to provide security administrators with network visibility to manage both the internal and external security threat, what is the company’s incident response plan, and what will be done to minimise the damage done by the inevitable attack? And, in fact, many Fortune 500 enterprises are forming board cybersecurity subcommittees to answer these questions, translating the cybersecurity discussion into business terms that directors and the C-Suite can digest and act upon.

Another observation I had at RSA is that the cybersecurity discussion is changing. No longer are we talking about if we’ll be attacked or even when we will be attacked. Today, we know that it is very likely that the bad guys are already inside the network.

To complicate matters, we’re on the leading edge of the Internet of Things trend. An increasing number of machines, encompassing everything from printers to refrigerators to heart monitors in hospitals, have their own unique IP address and can communicate with one another. This creates a new set of cybersecurity vulnerabilities that will affect virtually every industry.

Welcome to Security 2.0.

In the world of Security 2.0, attackers have become increasingly sophisticated and are capable of bypassing traditional network perimeter security defences; in fact, the threat of an insider attack is actually a bit higher — about 51 percent — than that from an outsider. That is why having a real-time view inside the network is so critical. I’m not suggesting that organisations abandon perimeter defences altogether.  But, at the same time, companies and government entities alike cannot rely on perimeter defence tools alone and expect to adequately secure their networks. Outside attackers can too easily break through, and of course, it’s just as easy for the inside threat actor to open the door and walk out.

Insider threats, network visibility, device classification, Internet of Things…I realise that for a CEO this post may start to fall under the heading of “cybersecurity jargon I don’t need to understand.” So let me revisit the three questions I mentioned earlier and provide some context.  These are questions that you, and hopefully the new director of your board’s cybersecurity subcommittee, should be asking your security administrator:

1. Do you have visibility into activity going on across our entire network?
This is a necessity in a Security 2.0 world, and your budget should focus on implementing technologies that provide this internal visibility as well as hardening the security perimeter around the network.

2. What is our incident response plan?
This is the company’s response plan, not just an IT plan. How are employees trained to recognise suspicious external and internal activities and report those activities? How will you work with your marketing and legal teams to communicate the incident to employees and to the public? These are just a few of the questions that must be addressed in a comprehensive incident response plan.

3. What is our remediation process?
It is naive to expect an attacker will not penetrate the defences on your network. If the attacker tries 100 times and only succeeds once, he wins. With this in mind, cybersecurity best practices must also include how to quickly remediate an attack to minimise the damage, both in terms of compromised assets and damage to your company’s reputation.

Many companies that suffer a data breach don’t realise the damage has been done until a third party such as the Department of Justice or a bank alerts them. This is a clear signal that the era of Security 1.0, which had companies devoting their budgets to blocking outside threats from getting in, is over. We’re now in the era of Security 2.0 where the attacks are more sophisticated, the insider threat is very real, and the term “connected devices” applies to an ever-growing variety of machines that are connected to our networks. It is also an era when the C-Suite and the board of directors are finally giving information security the attention it requires in order to maintain the company’s security posture while also recognizing its importance as part of the overall business plan.



Applying Technology to Defeat Child Abuse

Nuix, a technology company that enables people to make fact-based decisions from unstructured data, and NetClean, a provider of intelligence solutions that detect, block, and analyse digital media to create a safer society, today announced a technology partnership to integrate their investigative tools and allow users to analyse multiple digital media formats in a timely manner.

The NetClean Analyze platform improves efficiency and adds intelligence to digital media investigations through in-depth analysis of images and video files, media management, cross-case traceability, and reporting. Nuix Investigator is known for quickly processing large volumes of data from thousands of file formats and storage technologies. The partnership gives customers a seamless workflow that bridges the gap between text and image analytics.

“With Analyze DI, we envision a world where investigators in every industry have the capability to fully examine the abundance of data they have collected in order to help them achieve their investigative goals,” said Johann Hofmann, product manager, Analyze. “Together with Nuix, we’re able to offer a solution that can analyse any type of digital material an investigator may come across, ultimately increasing their efficiency and effectiveness so they can get the job done.”

“As part of our mission to create an ecosystem of data sharing among agencies working on child exploitation investigations, we’ve developed a highly anticipated standards-based protocol based on OData,” said Richard Brown, technology advancement officer, International Centre for Missing and Exploited Children. “The protocol allows different applications to connect and law enforcement to mix and match the tools that work best for each authority. We’re pleased that NetClean and Nuix, two best-in-breed companies, have acted as leaders by integrating with our protocol, ultimately helping our community protect more children.”

The integration of Analyze DI and Nuix Investigator avoids the multiple workflows and additional processing time that result from tools that do not communicate or collaborate. The two products share information using the OData-based VICS protocol, an emerging standard that allows digital forensic tools to share data with each other and with law enforcement initiatives such as the US-based Project Vic and UK-based CAID databases of known child abuse images.

Benefits of the integration for customers include a seamless and customisable workflow with the ability to share files, tags and other metadata between tools, eliminating the need to reprocess data. It will ultimately allow the joint solution to be integrated with other tools that use the same protocol.

“At Nuix, we focus on streamlining workflows, enabling collaboration, and extracting and sharing intelligence for investigation and analysis—and we recognise that NetClean as a brand shares the same vision,” said Dr. Jim Kent, CEO of Nuix North America. “The Analyze platform is an industry leader, and we are excited to integrate and bring additional features to Analyze DI. Our partnership is a strong, positive collaboration that should help improve the workflow of investigators worldwide.”
