There is one key question: should organizations worry so much about the security of their SharePoint solutions, or are the media and SharePoint haters stirring up panic for no reason?
In short, as a web application by nature, SharePoint is prone to all types of web-specific cyberattacks. Because the platform usually hosts large volumes of corporate content and sensitive information, it attracts cybercriminals. Throughout the years when SharePoint On-Premises dominated the market, companies reported the full range of web attacks, including brute force, SQL injection, cross-site scripting, clickjacking, etc.
Going back to 2017, Ponemon Institute reported that nearly half of the surveyed organizations using SharePoint deployments had experienced at least one breach within the previous two years.
Today, with the global adoption of Office 365, cybercriminals have started to use more sophisticated techniques to penetrate the suite and access SharePoint. Thus, companies register an increasing number of malware and phishing attacks that often target Exchange Online users and use email as the entry point to the Office 365 environment. There is also a visible proliferation of account takeover (ATO) attacks, which were reported by almost 30% of Office 365 owners in March 2019. In these attacks, hackers used compromised accounts to further spread over 1.5 million malicious and spam emails.
At this point, we could expect a jeer from SharePoint Server adepts. However, SharePoint On-Premises isn’t safe from hackers’ attention either.
The exploitation of the CVE-2019-0604 vulnerability in May 2019 made headlines. The flaw in SharePoint Server enabled hackers to run arbitrary code on the applications and get access to servers to further penetrate corporate networks through admin-level commands. The exploit was mitigated through a range of security updates and server hardening.
That’s where we come to an interesting point.
First of all, there’s the prejudice that SharePoint is one of the most unprotected solutions. Yes, attacks do occur in SharePoint environments. However, there are no fewer attacks against other popular enterprise systems. For example, one of the recent SAP vulnerabilities put over 50,000 organizations at risk worldwide, with misconfigurations registered across over a million systems using SAP NetWeaver and S/4HANA.
On the other hand, there is a certain bias against the security of Office 365 and SharePoint Online. Regardless of the measures that Microsoft takes to improve the protection of its collaboration suites, organizations still blame the corporation and its software for cyberattacks of all types. In reality, organizations themselves are often badly prepared to face those attacks and aren’t familiar with the Microsoft security and compliance features.