Security Navigator for Business Leaders
Auditing the security of Microsoft 365 instances for Swiss companies
A key security challenge
In today’s digital environment, safeguarding your organization’s data has become more important than ever. As companies increasingly depend on cloud solutions, Microsoft 365 has emerged as the preferred collaboration platform for many organizations. However, our findings from the Microsoft 365 security assessment service—primarily carried out for Swiss-based organizations—highlight a worrying pattern: Microsoft 365 instances are rarely "secure by default," and the majority of our clients operate on instances that are not adequately fortified.
The essentials of security assessments
A statistical analysis of four year of security assessments of Microsoft 365 instances for Swiss companies, conducted by Orange Cyberdefense Switzerland. The goal is to:
- identify Trends & common vulnerabilities.
- provide recommendations to strengthen security.
Trends & results
Client assessments show Microsoft 365 instances are rarely secure by default, with an average compliance score of 52% since 2021. We recommend aiming for 65%, focusing on cost-effective "Level 1" controls. Currently, 69% of clients fall below this target.
13 scenarios typically resulting from Microsoft 365 threats and risks
- Account takeover attacks
- Abuse of access rights
- Business identity spoofing
- Failure to investigate or detect an incident
- External infrastructure failure
- Administration failures
- Unapproved sharing of confidential data
- Internal infrastructure failure or breakdown
- Internal compartmentalisation failure
- Compromised administrator account
- Access to confidential resources from unapproved Apps
- Access to confidential resources from unapproved devices
- Malware propagation
Plan your security strategy
Security Navigator 2025
Security Navigator 2025 Research-driven insights to build a safer digital society, Adopt a proactive security posture based on cyber threat intelligence.
The role of the C-Suite in the event of a cyber-attack
Before anyone can know what to do, everyone needs to understand their responsibility in the event of a cyber-crisis.
Regulation Compliance