Microsoft 365 is a powerful suite of tools that millions rely on for productivity and collaboration. In fact, it’s one of the top software products we recommend to our clients, across industries and business types.
The dangers come when users overlook the fact that certain default security settings in the platform can leave your organization vulnerable to cyber threats. These defaults are often designed for convenience, not security, and can create significant risks if not properly adjusted. It’s not uncommon for us to start working with a client that already uses 365 but has absolutely no idea of the potentially disastrous security defaults they’re operating under.
We’ll highlight three key security defaults in Microsoft 365 that your CPA firm needs to address immediately to better protect your data and users from potential breaches, and as a bonus, check out our PDF if you’re looking for actionable solutions to these common 365 problems.
We get it – convenience can often trump most things. But when it comes to Microsoft 365, we urge you not to fall into this trap. By identifying these risky default settings and taking proactive steps to adjust them, you can significantly reduce the chances of a security breach. Here are the settings that need immediate attention.
Have you ever invited a vendor or a client to a Teams channel or a SharePoint folder? Maybe your answer is yes, and maybe it’s no. Regardless, did you know that anyone in your firm can do this by default without restriction?
As a default setting, Microsoft allows external users to be invited into your sensitive Microsoft 365 environment and to access far more information than is reasonable. Imagine your client having all your staff's cell phone numbers and knowing when they are at their desks just because you wanted to collaborate with them in a channel.
In addition, your groups and their members are freely accessible to external users by default. For example, if you use informal (or even slightly unprofessional) group names internally, on the assumption that they are internal and “private,” these can be seen by outside users. In our humble opinion, this is not the best look for your clients.
Microsoft claims that allowing all staff to invite any third party into your environment is "more collaborative." However, the reality of how this plays out in organizations is more complicated.
In keeping with Microsoft's policy of allowing the most insecure and collaborative functionality by default, your staff can share sensitive data in OneDrive and SharePoint with any third party without your knowledge. Yes, you read that right.
What does this mean in practice? Basically, the default setting allows anyone to share any file or folder they have access to in OneDrive and SharePoint with anyone, including anonymous users who do not even need to sign in. This is a risky and cavalier default setting if you deal with any sensitive information storage.
Taking this a step further: By default, Microsoft allows invited third parties to reshare shared files and folders in OneDrive and SharePoint with anyone they want. What could go wrong?
Have you ever seen the "Login with Microsoft" prompt on your third-party cloud applications (e.g., Adobe, Salesforce, LinkedIn)? If you haven't, your staff has, and they have probably clicked on it. Microsoft allows any of your staff members to authorize these third parties to integrate with your Microsoft 365 environment with just a few clicks, without notifying anyone.
Why is this a problem?
Basically, you’re allowing any staff member to connect your entire Microsoft 365 tenant directly to a third party with specific permissions, including sharing the profile information of every user.
Have you ever wondered why spammers know your title, phone number, and email address so quickly? This is one of the biggest open secrets in the industry. Your staff authorizes a free third-party app into Microsoft 365 and mindlessly clicks through consent popups. Now, your entire directory is synced, and they sell your data. You see the problem here.
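The three defaults above can all be checked and tightened from PowerShell. The following audit-and-fix script is an added example, not part of the article, and assumes the Microsoft.Online.SharePoint.PowerShell and Microsoft.Graph modules are installed and that you replace the `<tenant>` placeholder with your own tenant name; the guest role GUID is Microsoft's documented "restricted access" role.

```powershell
# Added example (not from the article): report the three risky defaults and
# apply the tighter setting where the current value is still the default.
# Replace <tenant> with your tenant name before running.
Connect-SPOService -Url "https://<tenant>-admin.sharepoint.com"
Connect-MgGraph -Scopes "Policy.ReadWrite.Authorization"

# --- 1. External sharing and resharing in OneDrive/SharePoint ---
$spo = Get-SPOTenant
Write-Host "SharingCapability:                 $($spo.SharingCapability)"
Write-Host "PreventExternalUsersFromResharing: $($spo.PreventExternalUsersFromResharing)"
Write-Host "DefaultSharingLinkType:            $($spo.DefaultSharingLinkType)"
# Risky combination: anonymous "Anyone" links allowed, and guests may reshare.
if ($spo.SharingCapability -eq "ExternalUserAndGuestSharing" -or
    -not $spo.PreventExternalUsersFromResharing) {
    # Outsiders must sign in (no anonymous links), may not reshare, and new
    # links default to "people with existing access" rather than a broad link.
    Set-SPOTenant -SharingCapability ExternalUserSharingOnly `
                  -PreventExternalUsersFromResharing $true `
                  -DefaultSharingLinkType Direct
}

# --- 2. Who may invite guests, and what guests can see in the directory ---
$authz = Get-MgPolicyAuthorizationPolicy
Write-Host "AllowInvitesFrom: $($authz.AllowInvitesFrom)"
Write-Host "GuestUserRoleId:  $($authz.GuestUserRoleId)"
# Documented "restricted access" guest role: guests see only their own
# directory objects, not your groups, their members or staff contact details.
$restrictedGuestRole = "2af84b1e-32c8-42b7-82bc-daa82404023b"
if ($authz.AllowInvitesFrom -eq "everyone" -or
    $authz.GuestUserRoleId -ne $restrictedGuestRole) {
    Update-MgPolicyAuthorizationPolicy -AuthorizationPolicyId "authorizationPolicy" `
        -AllowInvitesFrom "adminsAndGuestInviters" `
        -GuestUserRoleId $restrictedGuestRole
}

# --- 3. User consent to third-party apps ("Login with Microsoft") ---
$grantPolicies = $authz.DefaultUserRolePermissions.PermissionGrantPoliciesAssigned
Write-Host "User consent policies: $($grantPolicies -join ', ')"
# Any assigned grant policy lets staff consent on their own. An empty list
# means every new app request goes to an admin for review instead.
if ($grantPolicies.Count -gt 0) {
    Update-MgPolicyAuthorizationPolicy -AuthorizationPolicyId "authorizationPolicy" `
        -DefaultUserRolePermissions @{ PermissionGrantPoliciesAssigned = @() }
}
```

Run it once read-only (comment out the three `Set-`/`Update-` calls) to see where your tenant stands before applying the changes.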
While Microsoft 365 provides powerful productivity tools for CPAs, its default security settings can leave your firm exposed to significant risks. Relying on these universal and potentially disastrous defaults without understanding the potential vulnerabilities can make it easier for cybercriminals to exploit weaknesses and gain unauthorized access to sensitive data. And when you're in the business of dealing almost exclusively with people's personally identifiable data, that's a huge problem.
By taking the time to review and adjust these settings, you can enhance your firm's security posture and better protect against data breaches and other cyber threats. Don’t wait for a breach to force you into action: make securing your Microsoft 365 environment a priority today.
With 15 years in business, we’ve been at the top of our class for over a decade, and we’re only getting better. Since Microsoft 365 is one of our top recommended software products, we consider ourselves experts in it, and rightfully so. Does your CPA firm need help securing your use of 365? If you’re looking for simple and actionable solutions to these common default setting issues, check out our exclusive PDF.