The simplification of anything is always sensational. This was true when noted British philosopher Gilbert Chesterton wrote it in 1903 and a little over a century later, it still rings true today. Now, it’s cloud technologies that offer a way to sensationally simplify the administration and operation of key business technologies. From the office applications we all use on a daily basis, it is now a viable option for administrators to move keystone technologies such as their Identity and Access (Active Directory and LDAP) or their Email server (Exchange) to the cloud.

This allows your administrators to leverage the scale, resilience, and upgradability inherent in cloud architectures to simplify their operational practices and maximize their use of expensive skills and resources on higher-value activities. After all, it’s far more effective for your email administrator to focus on the email policies that are unique to your business instead of worrying about the availability and scale of your Exchange server — never mind the nightmare of applying the latest and greatest security patches!

However sensational this is, simply moving your Exchange server to Office 365 (O365) does not mean that all the concerns of the past are gone. Email continues to hold its title as the number one threat vector. The Federal Bureau of Investigation (FBI) Internet Crime Complaint Center (IC3) recently announced that between January 2014 and October 2019, they had received complaints totaling over $2.1 billion in actual losses from Business Email Compromise (BEC) scams targeting Microsoft Office 365 and Google G Suite. BEC, also known as Email Account Compromise (EAC), is a form of fraud in which criminals use social engineering, deception, or other intrusion techniques to conduct unauthorized transfers of funds from a business to a fictitious supplier. The cybercriminals behind this invest in developing and designing phishing kits that target these cloud platforms, and in the words of the FBI “particularly Office 365 given its dominant market share.”

So, what can be done?

Put simply, the base security in Office 365 needs some augmentation. Microsoft offers several options to enhance the base security of the product via additional Advanced Threat Protection (ATP) 1 or 2 plans, or the Enterprise E5 offer. These add additional security around areas such as Safe Attachments, Safe Links/URLs, Phishing Protection as well as reporting and visibility options. The very existence of these products from Microsoft points to the need for customers to consider their security and how best to adjust that security to fit their specific needs. Naturally, there are options available from other vendors, to help address this need!

In this era of APIs, Microsoft has built Office 365 from the ground up with cloud capabilities like the Graph API that allow for the enrichment of native functionality. In fact, Gartner recently created a market category to track these solutions, which they’ve dubbed the Cloud Email Security Supplements (CESS) market segment. Moreover, Gartner also recommends a CESS to address gaps in the advanced threat capabilities of existing solutions.