Microsoft Teams Threats and Security

In my previous posts, I wrote a lot about all kinds of things you can do to improve your personal information security and cybersecurity. I gave you everyday use tips to improve your security and offered easy-to-follow guides for securing your home and work office. In this article about Microsoft Teams security, I want to focus on this software, that, over the last 2 to 3 years, became the de-facto standard of unified communications.

With 270 million monthly active users, Microsoft Teams has become essential to how hundreds of millions of people meet, call, chat, collaborate, and do business. And as we emerge from the pandemic, we see increased usage and engagement in Teams—users interact with Teams 1,500 times per month on average and spend more time in Teams chat than they do in email.

A recent post by Gartner® has recognized Microsoft as a Leader in the 2022 Gartner® Magic Quadrant™ for Unified Communications as a Service (UCaaS), Worldwide – this is the fourth consecutive year Microsoft received this recognition.

Let´s take a closer look at Microsoft Teams.

From a historic perspective, there has been a great deal of confusion over exactly what MS Teams is and how it can be used. Some belief it to be just a chat tool, others just a more advanced version of Skype for Business. But Microsoft Teams is far more powerful than this.

Teams combines persistent workplace chat, video meetings, file storage and collaboration, and application integration. It has a whole host of features and integrations to enable remote teams (or even on-premise teams) to work closely together and collaborate more easily. And it is available for most licenses of Office 365, which makes it widely used in both business and corporate settings.

Yes.

Microsoft states, that Teams is “Trustworthy by design” and “Trustworthy by default“. Teams is designed and developed in compliance with the Microsoft Trustworthy Computing Security Development Lifecycle (SDL), which is described in Microsoft Security Development Lifecycle (SDL). Network communications in Teams are encrypted by default. By requiring all servers to use certificates and by using OAUTH, Transport Layer Security (TLS), and Secure Real-Time Transport Protocol (SRTP), all Teams data is protected on the network.

Teams is a Tier D service, meaning that it is compliant with the EU Model Clauses (EUMC), HIPAA, ISO 27001, ISO 27018, and SSAE 16 SOC 1 and SOC 2 standards.

Yes.

All you have to do is enable end-to-end encryption within your Teams client on your device. You only have to do this once, Teams synchronizes this setting across supported endpoints for each user. Microsoft offers instructions on how to set up end-to-end encryption here: Use end-to-end encryption for Teams calls. End-to-end encryption secures audio, video, and screen-sharing content. Be aware, that some features aren´t available during End-to-end encrypted calls. If you don’t enable end-to-end encryption, Teams still secures a call or meeting using encryption based on industry standards. Data exchanged during calls is always secure while in transit and at rest.

As an Administrator, you can enable organization-wide end-to-end encryption by creating one or more policies within Teams admin center.

Yes.

As an Administrator, you can design Microsoft Teams chat monitoring policies to fit your business and security needs. You can choose to use a Microsoft-provided template, such as one designed for monitoring communications for sensitive information or create a monitoring policy from scratch. You will need to decide which users and channels will be monitored, what data to collect, and who can check the monitored channels. The policy determines the level of Teams chat privacy for the organization.

Monitoring work chats is valuable for several reasons. In particular, it allows you to:

Microsoft Teams is a powerful tool for supporting cross-functional and even cross-organizational collaboration, but its openness introduces some concerns about unfettered files and data sharing between an unlimited number of users.

This feature enables team owners to invite parties from outside your organization to participate in team activities. These guests will have full access to team channels, chats, shared files, and meetings. The only requirement for guest access is a valid business or consumer email account. This raises obvious concerns about how easily sensitive or proprietary data can be exposed to entities outside your organization.

As an Administrator, you can use the Guest access settings in the Teams admin center to configure the level of access granted to guest users. For maximum security, you can leave guest access disabled by default. Or you can turn on guest access but disable certain privileges like screen sharing or peer-to-peer calls.

Teams is intentionally designed with an open permission model to promote agile, self-organizing collaboration between individuals from different functional groups. This means any user can become a team owner by creating a team and inviting other users. Every team member has full access to all the data on the team´s public channels. This includes chat messages, meeting content, and shared files. Every team member can share files and create new channels. This also applies to any guest user from outside your organization.

As an Administrator, you can limit the number of users with the privilege to create teams and become team owners. You should consider creating an Office 365 group. If this group, define users who have exclusive permissions to create new groups and, by extension, new teams. You can also set organization-wide preferences such as:

Use the capability to create private channels. Private channels are restricted to a selected subset of team members, instead of standard channels.

You can extend the capabilities of Teams channels by adding apps. Apps can be custom tabs, bots, or connectors to 3rd party services. However, these apps often request, or even require, users, to allow them to access their data. This opens the door to improper transfer of company information.

As an Administrator, you can control which apps to block or make available to your organization by using the settings on the Manage apps page in the Teams admin center. You can also use app permission policies to block or make certain apps available to specific sets of users.

The Teams ethos of open communications and file sharing runs counter to the practices of secure data governance, which has strict protocols for the collection, usage, retention, and removal of sensitive information. In addition, security and compliance standards like ISO 27001, HIPAA, and PCI DSS mandate data governance measures such as enterprise-wide labeling, oversight, and tracking of content, as well as appropriate handling of data that has expired or changed classification.

You can apply sensitivity labels to protect and regulate access to sensitive organizational content created during collaboration within teams.  For example, apply labels that configure the privacy (public or private) of teams, control guest access and external sharing, and manage access from unmanaged devices.

In general, Microsoft Teams is a secure and reliable collaboration tool. In the years since its debut in 2017, Teams steadily improved in all areas. But with rapid growth, performance issues beyond Microsoft Teams security might arise. Employees working from home, or on the go face issues, which can be incredibly frustrating and may have a serious impact on productivity. To improve the digital experience with Teams while working from anywhere, and ensure their cyber security, panagenda offers a solution: OfficeExpert. Designed to provide IT operations groups with access to a complete view of user experience, it shines a light on all aspects of employees’ end-to-end digital experience. No matter where they are working.

The information is gathered from each device endpoint, and the telemetry data provides the insights needed to pinpoint issues, identify the area of responsibility, and make informed decisions to optimize the user experience.

Sounds like something to you? Well, don’t be a stranger: have a look at the overview page, or sign-up for a trial.

And stay tuned on our channels: more security expert insights are coming!