IT leaders gathered at a Computing Dining Club event at Claridge’s discussed their experiences with Microsoft’s Office 365 email tool, focusing on its need for additional plug-in security measures.
One CIO gave an example of an attack his organisation became exposed to once it switched from an on-premises email tool to Office 365.
“A user inadvertently gave their credentials away and a hacker got in. That couldn’t happen with our previous on-premises solution, but it happened once we moved to O365.
“Once someone’s in, they’re in, so you need to spend more on security once you’ve got O365. The benefit of O365 is you can access it from anywhere, and the risk is that anyone can get in from anywhere.”
Another CIO discussed the results of some penetration testing he’d recently organised.
“These friendly hackers made up their own pass cards – they’d seen our employees’ cards at the local coffee shop, and made their own. They didn’t work on the doors, but they look legitimate, so they just tailgated people into the building.
“They wore headphones so people didn’t want to disturb them, and they were able to get everywhere.
“They also attacked our O365 users. We allowed them ten attacks on every account, and we have 20,000 O365 users, so that’s a lot of attacks. They just tried the most obvious passwords like ‘welcom123’, and that got them in.”
Another CIO from the banking sector said his organisation uses two-factor authentication, and is looking to move to three-factor.
“With us you need a smart card to enter the building, and then it’s two-factor to even use your PC, and we’re looking at using QR codes to move that to three-factor.”