Press release

50% of Microsoft 365 Users are Not Managed by Default Security Policies, CoreView Research Finds

Sponsored by Businesswire

Today CoreView, the only intelligent SaaS Management Platform (SMP), published new research that reveals, on average, half (50%) of users at enterprises running Microsoft 365 (M365) are not managed by default security policies within the platform. The in-depth research report, “Global Microsoft 365 Report: Application Security, Data Governance and Shadow IT,” examines the state of application governance and security among M365 enterprise users.

The research is based on insights from more than five million workers from enterprises running on M365 and either actively use CoreView’s SMP, have received a complimentary CoreView Office 365 Health Check analysis, or use CoreDiscovery. The complimentary CoreDiscovery solution discovers opportunities to drive adoption, license optimization and savings opportunities, finds vulnerabilities, and lets IT understand what operators and end users are doing with Microsoft 365.

“Organizations today need to provide workers with technology and tools for the digital workplace while ensuring their enterprise data is protected. CoreView’s research indicates that enterprises are failing at basic M365 governance and security best practices,” said Doug Hazelman, VP at CoreView. “Enterprises must ensure they have the processes and tools, including CoreView, in place to help securely migrate and operate within the world’s leading SaaS productivity platform: M365.”

Key themes and results from the research include:

  • Enterprises are failing to implement basic security practices – CoreView’s research shows that approximately 78% of M365 administrators do not have multi-factor authentication (MFA) activated. According to the SANS Software Security Institute, 99% of data breaches can be prevented using MFA. CoreView’s research indicates a huge security risk, particularly during a time when so many employees are working remotely.
  • M365 administrators are given excessive control, leading to increased access to sensitive information – 57% of global organizations have M635 administrators with excess permissions to access, modify, or share critical data. In addition, 36% of M365 administrators are Global Admins, meaning these administrators can essentially do whatever they want in M365. To ensure security compliance, CIS (Center for Internet Security) M365 security guidelines suggest limiting the number of Global Admins to two-four operators maximum per business.
  • Investing in productivity and operation applications without considering security implications – The data shows that US enterprises (on average, not collectively) utilize more than 1,100 different productivity and operations applications, which indicates a strong dedication to the growing needs of businesses across departments, locations, and time zones. While increased access to productivity and operations apps helps fuel productivity, unsanctioned Shadow IT apps have varying levels of security, representing a significant security risk. Shadow IT is ripe for attack and according to a Gartner prediction, this year, one-third of all successful attacks on enterprises will be against Shadow IT resources.

Many businesses underestimate the security and governance responsibilities they take on when migrating to Microsoft 365 (M365). IT leaders often assume that M365 has built-in, fool-proof frameworks for critical IT-related decisions, such as data governance, securing business applications, and prioritizing IT investments and principles. CoreView research disproves this by revealing that many organizations struggle with fundamental governance and security tasks for their M365 environment. Today’s remote and hybrid working environment requires IT leaders to be proactive in prioritizing security and data governance in M365.

Additional Resources:

About CoreView

CoreView provides the most powerful SaaS management platform (SMP) to help organizations protect, manage, and optimize Microsoft 365 and other SaaS applications. CoreView’s solution prevents data breaches, identifies excess costs, and promotes employee productivity through actionable visibility with granular management capabilities in a single-pane interface. For more information on CoreView, visit: and follow us on Twitter (@CoreView_Inc) and LinkedIn.