How secure is Microsoft?

How secure is Microsoft?

The majority of people have heard of Microsoft 365 and have used it either personally or for work. This is unlikely to change as it’s what most schools use to teach their students. Did you know that it is used by more than one million companies around the world and there are nearly 250 million monthly active users? That is a lot of people.

It’s so popular because it has many different features and benefits that businesses and individual users can use – email, cloud storage, a way to collate data and write up documents etc.

There is a question that we are often asked, that not many people think about – How secure is Microsoft?

Given the rise in cyber-crimes over the years, security should be a high concern for your business, and therefore you should be doing all you can to keep your business safe.

It is often assumed that because Microsoft is a huge organisation, they can be trusted with your business data and will keep it safe. Don’t worry, the answer is yes, but to what extent? Let’s take a look at these features…

Microsoft Cyber security features

There are lots of different Microsoft 365 licences. One of the most common licences is Microsoft 365 standard, which comes with some core security features, including Security Defaults, however (as Microsoft have stated here) most advanced security capabilities are not included. These features are either available as a separate add-on license or bundled into the Enterprise Mobility licence.

You can read about the five most common security features and controls here.

If you don’t have time to read the added link, there aren’t a lot of features and if you try to do your research about security features within Microsoft 365, you’ll find it incredibly difficult to find an answer.

The truth is Microsoft have a limited level of protection against cyber security. They state here “there is not a perfect configuration of security controls or features that can meet every organisational need. There is not a single product that can achieve this, either. Best practice has mandated a mix of controls, features, services, and products to gain a better security posture for a long time.” Therefore, it is strongly advised that your business should have extra security measures in place, in addition to the Microsoft standard.

Microsoft cyber attacks

There have been a large number of detrimental cyber-attacks on Microsoft users over the past few years. Below are a few well known Microsoft cyber attacks, however there have been a lot more incidents, especially since COVID because Microsoft is so popular among businesses it is a key target for attackers.

Solar Winds 2021

Businesses installed updates onto their devices that left them vulnerable to hackers. This effected 18,000 organisations, including Microsoft and government agencies. You can read more about this attack here.


Microsoft was hacked by Chinese cyber criminals which effected 60,000 organisations around the world. There were four undiscovered weaknesses in Microsoft’s Exchange software – this is known as “zero days” – which means the hacker was the first to discover the flaw within a system, and the developers have “zero days” to fix it – learn more about zero-day in a previous blog we wrote here. This attack was so serious that the FBI made a decision to hack into, and remove the malware from hundreds of servers – read about the HAFIUM attack here.

Russian cyber attack on Ukraine 2022

Back in April, Microsoft noticed Russia attacking their users within Ukraine and other parts of the world. The hackers penetrated 29% of defences, which resulted in businesses data stolen from networks. Read more about this attack here.

These businesses wouldn’t have had enough protection in place to prevent the attack from happening. It would’ve caused them a lot of disruption and potentially the end of their business.

What caused these attacks?

It is noticeable that attackers’ tactics over the years have remained consistent, here are some statistics:


91% of attacks start with a phishing email, these are emails pretending to be someone else and usually contain a malicious link and/or attachment – once clicked, a virus spreads to the users device and then the whole business network. These can be incredibly difficult to detect without the right protection in place.

66% of malware (malicious software) unleashed onto a businesses network comes from these infected attachments in phishing emails.

Targeted end-users

90% of reported breaches were caused by employee negligence and external threats. This is due to a lack of cyber security awareness – do your employees know how to spot a cyber attack?

Training your staff about cyber security is one way to improve the cyber security within your business, have a look at our blog to find out why this is so important – why should my business provide cyber security training?

What else can you do?

How to prevent a cyber attack

Diving into which security products will keep your business safe can be confusing, especially without expert advice. As an IT support company who are very passionate about cyber security and keeping businesses safe, we are always here to help – take a look at this blog how much cyber security does my business need? Here’s our easy explanation

Alternatively, you can get in touch with our cyber security experts who would be happy to advise you on what cyber security products your business needs to keep it secure. Contact us on 01273 806211 pr email [email protected]