Posey's Tips & Tricks
Microsoft is Rolling Out New Security Messaging for Teams
Microsoft is adding security warning messages in Teams for organizations using default configurations, a move the company says is part of its Secure By Default initiative and aimed at increasing user awareness of potentially risky files and links without changing existing enforcement policies.
As a part of its Secure By Default initiative, Microsoft has announced that it is going to be adding some new messaging to Teams. This new messaging is only going to appear in organizations that are operating Teams with a default security configuration. Organizations that have customized their Teams security reportedly won't notice any changes.
The fact that Microsoft has invested resources into adding messaging to Teams and has also taken the time to announce the new messaging tells me that security breaches are most likely happening within Teams and that Microsoft is trying to do something about it.
The announcement also points to the idea that the problems are widespread. Although Microsoft has often focused on enterprise-class customers who have their own elite security teams, there are way more organizations that don't. There are surely countless SMBs or even midmarket players whose IT teams are stretched way too thin to worry about advanced Teams security settings. Microsoft's announcement makes it clear that many such organizations are operating with default, baseline protection.
One more thing that I find interesting about this announcement is that in some ways, it reflects a different approach for Microsoft. Microsoft has a long history of ping-ponging back and forth between two extremes with regard to security. In some cases, the company seems to want security to be completely transparent, automated, and unintrusive. In other cases, security is far more overt than it needs to be, almost as if Microsoft is trying to prove that it takes security seriously. The messaging that is being added to Teams falls somewhere between these two extremes.
Perhaps more importantly, Microsoft may be subtly acknowledging the idea that no amount of policies or AI-driven detection mechanisms can ever completely eliminate all security risks. Try as they might, it is unrealistic to expect that Microsoft is going to be able to stop every malicious file or URL. Instead, Microsoft seems to finally be accepting the idea that end users will always play a role in security. After all, it is the end user who ultimately makes the decision on whether or not to click on a link or open a file.
Conversely, this new security messaging could conceivably be designed as a tool for keeping auditors happy. On the surface, this idea probably seems ludicrous. After all, the only thing that has changed is that Teams will begin displaying messages pertaining to file types that may include malicious content and potentially malicious URLs. Teams isn't doing anything new with regard to enforcing policies pertaining to such content. Even so, I can't help but think that there may be a compliance angle here.
The reason why this may be the case stems from the fact that when a breach occurs, those performing the post-breach analysis often ask questions about any protections that might have been in place that could have potentially prevented the breach. These same investigators also sometimes ask questions about whether or not users were warned about the risk that allowed the breach to happen. That being the case, having security messaging in place might provide a degree of legal cover for Microsoft and/or the organization that was breached. I'm not a lawyer, but I can just imagine an organization telling an investigator, “the system flagged the risk, but the user chose to ignore it.”
One of the security messages that I haven't talked about yet is a new message that will give users the opportunity to flag false positives that occur when legitimate content is incorrectly identified as potentially malicious. Having the ability to flag false positives will probably lead to a better experience for the users later on, because it may assist admins with fine-tuning security policies to reduce false positives. It's also possible that when a user reports a false positive, that action might be used to train AI to do a better job.
Whatever Microsoft's reasons for enabling security messaging, I tend to think that displaying a warning message is far better than mandating heavy-handed policies. After all, newly implemented security mandates tend to break things. For organizations, this is disruptive and annoying. For Microsoft, it could mean an increased number of support calls, which increases costs. Personally, I am glad to see Microsoft making customers aware of potential security risks, but leaving it up to the organization to configure policies as they see fit rather than forcing them to adopt certain policies.
About the Author
Brien Posey is a 22-time Microsoft MVP with decades of IT experience. As a freelance writer, Posey has written thousands of articles and contributed to several dozen books on a wide variety of IT topics. Prior to going freelance, Posey was a CIO for a national chain of hospitals and health care facilities. He has also served as a network administrator for some of the country's largest insurance companies and for the Department of Defense at Fort Knox. In addition to his continued work in IT, Posey has spent the last several years actively training as a commercial scientist-astronaut candidate in preparation to fly on a mission to study polar mesospheric clouds from space. You can follow his spaceflight training on his Web site.