Security Concerns of Hidden Permissions in SharePoint


SharePoint is a stalwart of collaboration and file sharing in Microsoft 365 which started its life as SharePoint Server back in 2001. Most organizations use SharePoint Online as hosted by Microsoft and it’s become a “plumbing” technology – something that’s fundamental, sits in the background and most people don’t take any notice of it, until it stops working properly.

This is even more evident in how SharePoint is used in Microsoft 365. You probably have SharePoint sites for various teams, departments, or countries, but SharePoint sites are also used as the backend file storage for everyone’s OneDrive for Business. And when you share files and folders in Teams – guess what, that storage is also backed by SharePoint. So, not only do you need to govern the data stored in SharePoint sites, but also in these other locations, and as we’ll show you – governing data access in SharePoint is hard to do.

The heritage has a downside: starting life as an on-premises piece of software and now running as a hosted service brings with it some serious security baggage. In this article we’ll show you the lack of permission visibility that can lead to security risks, and how hidden groups and hidden users make this situation even worse. Furthermore, custom permission levels can have disastrous consequences when it comes to assigning rights, and the manual management of user access is a recipe for security mistakes. Finally – custom document libraries can be an attacker’s hidden haven.

In other words – your SharePoint environment might already be infiltrated by an attacker, and you wouldn’t know it. At the very least, your permissions are likely not aligned with “least privilege”, one of the tenets of Zero Trust.

Most CISOs and security professionals are focused on the “loud” threats such as ransomware, but it’s important to be aware that there are many other avenues attackers take, and an attacker who’s been able to compromise a single user account might quietly watch the vendor invoice document folder in SharePoint for example. Gathering these documents, they may be able to change payment details in a classic Business Email Compromise attack (in this case without the email vector).

The Visibility Gap

We’ll focus most of this article on the Documents folder in your SharePoint sites – this is what most sites are used for – file sharing.

A fundamental difference, compared to traditional file shares, is that there’s no folder tree hierarchy that you can see. You can create subfolders in subfolders and so forth, and put files into any of the folders, but there’s no easy way to visualize the hierarchy, and you must click into each folder to see what’s stored in there.

To actually see which user accounts, groups or external guest users have been granted permissions to each folder (and each file, as they can have different permissions) means you must click on the object – then go to Manage Access to see who has access.

Manage Access Permissions for each individual folder and file


The second challenge is that while you can see the names of the groups that have been granted permissions on a particular folder, you can’t see the user accounts that are members of those groups in the Manage Access dialog. Clicking on a group name doesn’t bring up the members, in fact it does nothing.

List of groups that have been granted permissions


To determine the user accounts in a group, you need to visit either the Microsoft 365 admin center or the Entra ID portal. Administrators will have access to these portals, but if you’re a department manager who owns a SharePoint team site and you’re trying to ascertain who has access to which document folders in that site, you can’t complete the task without contacting the IT department.

Even more troubling (thanks to the SharePoint server heritage mentioned above) is that there is a group type in SharePoint itself, that is not visible in the Microsoft 365 admin center or the Entra ID portal, only in the SharePoint admin center (again, which ordinary users don’t have access to). If there are nested groups inside one of these groups you might have to track down those groups in one of the three mentioned admin centers. Finally, if you grant permissions to a group which has one user and one group inside of it, it’ll tell you that you’re granting permissions to two people, when in fact there could be hundreds of user accounts inside the nested group.

Hornetsecurity’s 365 Permission Manager thoroughly fixes these visibility problems, showing you all the users that have permissions to a site, folder, or file, as well as if those permissions are inherited from the site, or are unique to that object. It also surfaces external sharing, either where it has been shared with specific people outside your organization, or where an anonymous link has been created.

Another innovative feature is the ability to see SharePoint / OneDrive for Business sites “through the eyes” of a selected user – exactly which sites / folders / documents does this user account have access to? This is useful during a forensic investigation (what data did the attacker who compromised this account have access to?), insider risk cases (what’s the blast radius of this malicious employee?), and data governance (do our permissions match our data access policies?).

Permission Levels

SharePoint Online provides four levels of access permissions to folders and files: Owner, Can edit, Can View and Can’t Download (=view but not save files locally). However, SharePoint Server had and still has a more comprehensive model – with multiple built-in permissions levels, as well as the ability to create custom permission levels.

The first issue that this leads to is that when you check permissions granted on an object, the UI will “round off” to the closest permission level granted. Design, for example, is a legacy level that grants more permissions than Edit, but this is shown as Edit in the UI.

Much scarier, however, is the ability to create custom permission levels with the same name as a built in one – such as “read”. This level could be granted every available permission (definitely not just read). Not only does that lead to the situation where a casual check of permissions granted would lead you to assume that a group or user only has read access but if you do decide to investigate why there are two permission levels called read / Read, it turns out that the UI will show you the built-in permission level, not your custom one. If a custom permissions level has the same name as a built in one, the URL in SharePoint isn’t case sensitive, and thus will show you the built in one.
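The name collision described above can be checked directly from an export of a site's permission levels. The following is an added example, not code from Hornetsecurity or 365 Permission Manager: it assumes records shaped like the output of the SharePoint REST endpoint `/_api/web/roledefinitions`, and the sample records (including the custom level's Id) are constructed.

```python
# Added example: flag custom permission levels that reuse a built-in name.
# Field names follow SharePoint REST /_api/web/roledefinitions; the sample
# records at the bottom are constructed for illustration.

FULL_MASK = 0x7FFFFFFFFFFFFFFF  # SPBasePermissions.FullMask

# Subset of SPBasePermissions bits worth naming in a finding.
RIGHTS = {
    "ViewListItems": 0x1,
    "AddListItems": 0x2,
    "EditListItems": 0x4,
    "DeleteListItems": 0x8,
    "ManageLists": 0x800,
    "ManagePermissions": 0x2000000,
    "ManageWeb": 0x40000000,
}

CUSTOM = 0  # RoleTypeKind "None": the level was created by someone, not built in


def mask(role):
    """Join the High/Low 32-bit halves (REST may return them as strings)."""
    bp = role["BasePermissions"]
    return (int(bp["High"]) << 32) | int(bp["Low"])


def named_rights(bits):
    """Names of the tracked rights present in a permission mask."""
    return sorted(name for name, bit in RIGHTS.items() if bits & bit)


def shadowing_levels(roles):
    """Return custom levels whose name matches a built-in one ignoring case."""
    builtin = {r["Name"].casefold(): r for r in roles if r["RoleTypeKind"] != CUSTOM}
    findings = []
    for role in roles:
        if role["RoleTypeKind"] != CUSTOM:
            continue
        twin = builtin.get(role["Name"].casefold())
        if twin is None:
            continue  # custom, but the name does not imitate a built-in level
        extra = mask(role) & ~mask(twin)
        findings.append({
            "id": role["Id"],
            "name": role["Name"],
            "shadows": twin["Name"],
            "extra_rights": named_rights(extra),  # rights the built-in lacks
            "full_control": mask(role) == FULL_MASK,
        })
    return findings


# Constructed sample: built-in "Read", built-in "Full Control", a custom
# "read" carrying every permission, and a harmless custom level.
SAMPLE_ROLES = [
    {"Id": 1073741826, "Name": "Read", "RoleTypeKind": 2,
     "BasePermissions": {"High": "176", "Low": "138612833"}},
    {"Id": 1073741829, "Name": "Full Control", "RoleTypeKind": 5,
     "BasePermissions": {"High": "2147483647", "Low": "4294967295"}},
    {"Id": 1073741930, "Name": "read", "RoleTypeKind": 0,
     "BasePermissions": {"High": "2147483647", "Low": "4294967295"}},
    {"Id": 1073741931, "Name": "Project Viewer", "RoleTypeKind": 0,
     "BasePermissions": {"High": "176", "Low": "138612833"}},
]

if __name__ == "__main__":
    for finding in shadowing_levels(SAMPLE_ROLES):
        print(finding)
```

Comparing by Id and mask rather than by display name sidesteps the case-insensitive lookup that makes the UI show the built-in level instead of the custom one.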

365 Permission Manager will surface these custom permission levels, bringing visibility and governance to your entire SharePoint Online estate, it also allows you to use built-in or create customized policies that you can apply across different types of sites. This then shows you where sites are deviating from your policy intent and allows you to remediate permissions with a single click.

Site vs Document Library Permissions

Another risk is that you can set custom permissions on the Document library, that are different to the overall Site permissions.

Once granted, when an audit is done, these permissions are visible, but can’t be changed in the UI.

Example user whose permissions can't be changed


Again, 365 Permission Manager will find these discrepancies, surface them as deviations from your policies, and prioritize their remediation in the handy To Do list.

Hidden Document Libraries

Normally a SharePoint site has a single Documents folder, but you can create other ones. Furthermore, you can hide it from the site’s navigation (so no one else knows it is there), and you can remove everyone else’s permissions from it, only granting yourself access. This will in effect create an exfiltration channel, where the attacker can copy sensitive documents from the site into their custom Document library, perhaps even returning on a regular basis to capture the latest versions of files, and then downloading them to their machine.

Hidden Document library - only visible to the attacker


This is a huge risk in a compromised SharePoint site and of course 365 Permission Manager will surface custom, hidden, Document libraries, and their permissions for you to remediate.
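The signals this section describes (a document library that is off the site navigation, has its own permissions instead of the site's, and is reachable by a single account) can be checked against a list inventory. The sketch below is an added example, not Hornetsecurity's code or part of 365 Permission Manager. `Title`, `BaseTemplate`, `Hidden`, `OnQuickLaunch` and `HasUniqueRoleAssignments` are SharePoint list properties; `Members` is a hypothetical field holding the principals already resolved from the list's role assignments, and all sample records are constructed.

```python
# Added example: review a site's lists for document libraries that are hidden
# from navigation and have been cut off from the site's permissions.
# "Members" is a hypothetical, pre-flattened view of the role assignments.

DOCUMENT_LIBRARY = 101  # BaseTemplate value for a document library


def review_libraries(lists, max_principals=1):
    """Return findings for off-navigation libraries with unique permissions.

    severity "high":   off navigation, unique permissions, and at most
                       max_principals accounts or groups can reach it.
    severity "review": off navigation and unique permissions, wider audience.
    """
    findings = []
    for lst in lists:
        if lst["BaseTemplate"] != DOCUMENT_LIBRARY:
            continue
        reasons = []
        if lst["Hidden"]:
            reasons.append("Hidden flag set")
        if not lst["OnQuickLaunch"]:
            reasons.append("not shown in site navigation")
        if not reasons:
            continue  # visible library, nothing to hide behind
        if not lst["HasUniqueRoleAssignments"]:
            continue  # inherits site permissions, so site owners can still open it
        reasons.append("permission inheritance broken")
        members = lst["Members"]
        narrow = len(members) <= max_principals
        if narrow:
            reasons.append("%d principal(s) with access" % len(members))
        findings.append({
            "title": lst["Title"],
            "severity": "high" if narrow else "review",
            "reasons": reasons,
            "members": list(members),
        })
    # High-severity findings first, then alphabetical for stable output.
    findings.sort(key=lambda f: (f["severity"] != "high", f["title"]))
    return findings


# Constructed inventory for one site.
SAMPLE_LISTS = [
    {"Title": "Documents", "BaseTemplate": 101, "Hidden": False,
     "OnQuickLaunch": True, "HasUniqueRoleAssignments": False, "Members": []},
    {"Title": "Style Library", "BaseTemplate": 101, "Hidden": False,
     "OnQuickLaunch": False, "HasUniqueRoleAssignments": False, "Members": []},
    {"Title": "Finance Drafts", "BaseTemplate": 101, "Hidden": False,
     "OnQuickLaunch": False, "HasUniqueRoleAssignments": True,
     "Members": ["Finance Owners", "Finance Members", "Finance Visitors"]},
    {"Title": "Archive-2", "BaseTemplate": 101, "Hidden": False,
     "OnQuickLaunch": False, "HasUniqueRoleAssignments": True,
     "Members": ["i:0#.f|membership|j.doe@contoso.example"]},
    {"Title": "Team Tasks", "BaseTemplate": 100, "Hidden": False,
     "OnQuickLaunch": False, "HasUniqueRoleAssignments": True,
     "Members": ["i:0#.f|membership|j.doe@contoso.example"]},
]

if __name__ == "__main__":
    for finding in review_libraries(SAMPLE_LISTS):
        print(finding["severity"], finding["title"], finding["reasons"])
```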

There’s another very useful feature – the ability to revoke all access to SharePoint / OneDrive for Business data for an account. If you know that an account is compromised, manually revoking access across every location is extremely time consuming – 365 Permission Manager gives you a single button to do it.

To effortlessly manage Microsoft 365 permissions, enforce compliance policies, and monitor violations with ease, utilize Hornetsecurity’s 365 Permission Manager. Protect your Microsoft 365 environment and make admin tasks a breeze.


As with many Microsoft technologies, the focus on backwards compatibility has proven to be a strength when it comes to enterprises for decades. Imagine an organization with a large investment in SharePoint Server on-premises, with thousands of busy sites and Terabytes of data, migrating this to SharePoint online – this compatibility is a requirement.

However, it also has scary security implications – the reality today is that many businesses might be compromised, with bad actors exfiltrating data at will from your most precious intellectual property, with very little chance of discovery.

This is why any CISO who wants to apply comprehensive data governance to their SharePoint estate needs 365 Permission Manager.


I’ve been hacked! WHAT SHOULD I DO?

With Hornetsecurity’s 365 Permission Manager you can regain control of your SharePoint environment and protect your business immediately.


  • Remove User Access Feature: With a single click, the Offboarding feature in 365 Permission Manager allows you to revoke access and stop a hacker immediately. This immediate action can prevent further unauthorized access and potential data breaches.
  • The View as feature: Gain insight into what files a compromised user could access with the View as feature in 365 Permission Manager. This feature allows you to see SharePoint through a user’s eyes, helping you identify potential areas of unauthorized access and take corrective action.
  • Generate Reports for Forensics: Understanding the extent of a security breach is crucial for effective remediation and compliance. With 365 Permission Manager, you can generate detailed reports for forensics, showing exactly what files a user had access to and the full permissions inside all SharePoint sites and OneDrive for Business locations. This information is invaluable for identifying the scope of the breach, assessing the damage, and implementing necessary security measures to prevent future incidents.


What are the primary security concerns associated with hidden permissions in SharePoint?

Hidden permissions in SharePoint pose significant security risks because they can allow unauthorized access without the knowledge of administrators or users. Key issues include:

  • Lack of Visibility: SharePoint’s permission settings can be complex and opaque, making it difficult to see who has access to what. This includes hidden groups and users whose permissions are not easily visible.
  • Custom Permission Levels: Custom permissions can be misleading. For example, a permission level named “read” might actually have full access rights, leading to potential security breaches if not properly managed.
  • Hidden Document Libraries: Attackers can create hidden document libraries with exclusive access, enabling them to exfiltrate data without detection. These hidden libraries are not easily visible in the SharePoint navigation, making them a significant risk.

How can 365 Permission Manager help mitigate the security risks in SharePoint?

365 Permission Manager provides several features to enhance security and governance in SharePoint:

  • Visibility Enhancement: It displays all users, groups, and permissions for sites, folders, and files, including inherited and unique permissions. This comprehensive visibility helps in identifying and addressing hidden access issues.
  • Permission Management: It surfaces custom permission levels and discrepancies, allowing administrators to standardize permissions according to policy. This reduces the risk of misconfigured access rights.
  • Access Control: The tool offers the ability to revoke all access for a compromised account with a single click, ensuring quick response to security incidents and preventing further unauthorized access.

How can Hornetsecurity help secure my SharePoint environment?

Hornetsecurity’s 365 Permission Manager enhances security by providing comprehensive visibility into all user permissions, managing and standardizing custom permission levels, and allowing for immediate revocation of access for compromised accounts. This ensures robust data governance and quick response to security incidents.

Cyber Kill Chain vs. MITRE ATT&CK: An Insightful Comparison

There are two challenges we in cybersecurity face when it comes to communicating what we do to the rest of the business (and the rest of the world). For many people, computers, networks, and Information Technology in general are opaque, and most businesspeople know how to use tech to get their job done, but not how it works “under the hood”. Hacking that technology to subvert it for malicious purposes is another level of mystery.

Hollywood doesn’t help much either, with most on-screen depiction of hacking in movies and TV shows being radically different from reality (with the exception perhaps of Mr Robot).

The first challenge is communicating the technology and basic understanding of how it works to then show how it can be misused. But the second challenge is then imparting how the criminals carry out their attacks. Most people think a hack is just a single “thing” that happened – “we got hacked” and then all the bad stuff happened, when it’s actually a set of steps.

In this article we’ll look at two different frameworks that are used to communicate hacking processes, both to the wider business and within the cyber security community – the Cyber Kill Chain, and the MITRE ATT&CK framework. We’ll look at the advantages and challenges of each of them, how they compare and how you can use them to fortify your organization’s cyber defenses.

Meet the Cyber Kill Chain

This is the older of the two approaches, having its roots in military kill chains such as the Four F’s from the US military during World War II: Find the Enemy, Fix the enemy, Fight the enemy and Finish the enemy. A more modern version is F2T2EA: Find, Fix, Track, Target, Engage and Assess; it’s called a chain because an interruption at any step can stop the whole process.

Kill Chain Attack

Cyber Kill Chain

Not surprisingly, it was Lockheed Martin, a large military manufacturer in the US that took this chain approach and transformed it into the Cyber Kill Chain, with seven steps (and a very different result at the end compared to the literal kill chains mentioned above).

  1. Reconnaissance
  2. Weaponization
  3. Delivery
  4. Exploitation
  5. Installation
  6. Command and Control (often shortened to C2)
  7. Actions on objectives

As a communication tool for showing business leaders that there are steps in an attack, and that you want budget to interrupt or make each layer more difficult for the criminals, this is a good approach.

Cyber security, after all, always comes down to business risk. When you put it in those terms, the CEO, CFO, and the board are more likely to pay attention. If you start talking about technical details, you’ll soon lose them, but business risk is something they’re used to dealing with, and cyber-attacks are just one of the many risks businesses face.

Be aware that attackers may not perform every step, depending on their goals, their target, and any changes along the way, and that “attackers” might refer to different sets of people, where the early steps might be performed by an Initial Access Broker (IAB), who then sells the access to another group to actually run the ransomware and negotiate the payment.

In step one the attackers will gather information about your company and any employees of interest. This could be cursory, if they’re simply after a company with enough turnover to pay the ransom they might look at your financials, and who to target with their spear phishing emails.

It could also be more in-depth. When the Scattered Spider group went after the helpdesk at the MGM casino, they knew a great deal about the staff they were impersonating to ensure that the helpdesk would help them reset their credentials.

Phase two is taking advantage of the reconnaissance, to start exploiting a found weakness or packaging a payload, whereas step three is delivering the malicious bundle to the victims, via email, web etc.

Once the initial foothold has been established (someone clicked the link in a malicious email for example), step four starts the exploit to run code on the victim’s system, which may then continue with step five, further installations on other systems. This is often called lateral movement, as the attackers continue exploiting systems in your networks, to gain full Domain access.

They’ll also establish persistence (so they can come back in if you’re trying to expel them from your environment) and Command and Control (C2) in step six for covert communication with their external control systems. The final step, seven, involves the attackers springing their trap and encrypting all your files, after having corrupted your backup systems or perhaps exfiltrating all your sensitive data (or both).

The “other side” of the cyber kill chain are the defensive actions your organization should take to deal with each phase:

  1. Detect – having sensors throughout your environment that trip when an attacker is present.
  2. Deny – control access and prevent information leakage.
  3. Disrupt – malicious processes and outgoing traffic to the attacker’s infrastructure.
  4. Degrade – means counter attacking the attacker’s C2 systems.
  5. Deceive – is about interfering with the C2 infrastructure.
  6. Contain – using network segmentation so that a single breached system or identity doesn’t have full access to every other system on the network.

This approach does have its detractors, but as a conversation starter for looking at the different phases of an attack, and whether your organization has security controls in place to detect it, disrupt it and contain it, it’s a good start. It also leads neatly into the modern approach of Zero Trust:

  1. Assume breach – work on the assumption that attackers will gain access and work on detecting it, containing it, and disrupting it.
  2. Verify explicitly – authenticate and authorize both human and workload identities at each access point in the infrastructure.
  3. Use least-privilege access – only grant identities access to the systems, data, and applications they need to do their job.

The challenges with the cyber kill chain are that it doesn’t work well for insider risks, that the first couple of steps happen outside of the defender’s control (unless you stop all staff from having LinkedIn profiles and posting anything, anywhere online), and that it’s quite focused on malware. Some attackers now use Living Off the Land methods, only using built-in administrative utilities in the systems, thereby often avoiding detection.

The MITRE ATT&CK Framework

MITRE is a not-for-profit company that works for the common good in the areas of security writ large, but for this conversation we’ll focus on their enterprise matrix (there’s also one for Mobile and one for Industrial Control Systems, ICS). The weird acronym comes from Adversarial Tactics, Techniques and Common Knowledge and it was initially released in 2013.

ATT&CK framework matrix


There are 14 tactics (the “why” of the attack):

  1. Reconnaissance
  2. Resource Development
  3. Initial Access
  4. Execution
  5. Persistence
  6. Privilege Escalation
  7. Defense Evasion
  8. Credential Access
  9. Discovery
  10. Lateral Movement
  11. Collection
  12. Command and Control
  13. Exfiltration
  14. Impact

And each of them has Techniques (and sub-techniques), the “how” of an adversary, so while you can see some overlap with the simpler cyber kill chain in the list above, this is much more comprehensive. I like to think of it as a common language we in the cyber security industry can use to communicate about different attack techniques. There’s also tracking of 143 threat groups and which Tactics, Techniques and Procedures (TTPs) they use.

As you can appreciate the matrix encapsulates all the different techniques, making this a tool to ensure that you’ve got coverage “across the board” in your cyber security strategy. Here’s an example from one client, using the Microsoft Sentinel SIEM, and the analytics rule detection coverage across the techniques.

MITRE ATT&CK Technique Detection Coverage in a SIEM

Each Technique is described in detail. As an example, here’s T1563, Remote Service Session Hijacking, in the Lateral Movement Tactic, which has two sub-techniques (SSH Hijacking and RDP Hijacking). It has four mitigations that you can implement, and four detections that you can use to alert you if this is happening on your network. Most techniques also list Procedures, which are the actual technical tasks applying that technique to a specific application or operating system.

Technique T1563 Remote Service Session Hijacking


While the matrix is very useful, it can be overwhelming with so many techniques and procedures. It’s also important to avoid thinking of the matrix as a long list of mitigations / detections – even if you have a “tick in every box”, for every technique you can still be compromised. Remember – “Attackers think in graphs, defenders think in lists” (John Lambert), so just implementing long lists of security controls isn’t the right approach, instead use MITRE ATT&CK with the context of your business priorities and unique network environment to build cyber resilience.

Comparing the Cyber Kill Chain and MITRE ATT&CK

The two are related in that they describe the steps in different cyber-attacks, but they have different aims. The cyber kill chain is more generic and is an excellent introduction to the idea of hacking occurring in stages, and it’s a chain that you can interrupt with security controls. I find it very useful when communicating with non-IT and non-security people in business to get that basic understanding of the phases and how it works.

The ATT&CK matrix on the other hand is overwhelming for a non-technical audience (there are over 200 techniques) but is an excellent tool for understanding the technical steps attackers can take during a breach. And it can be used as a tool for evaluating coverage across the entire spectrum – “do we have detections for every technique in every tactic”, whilst not losing sight of the fact that even if you do, you may still be compromised.

It’s also interesting to see how these two fit into the larger landscape of regulatory frameworks that mandate certain cyber security controls, and other approaches such as the Center for Internet Security (CIS) benchmarks. CIS offers benchmarks for different operating systems, SaaS cloud services (including Microsoft 365) and IaaS / PaaS cloud platforms, and much more, for free.

These cover all the controls that you should implement as a baseline for security controls for that particular technology. Microsoft offers CIS benchmarks for both Azure and Microsoft 365 in their Compliance Manager app. And the upside is that if you implement all these controls you’ll have covered most, if not all, of the MITRE ATT&CK techniques.

Enhance employee awareness and safeguard critical data by leveraging Hornetsecurity’s Security Awareness Service for comprehensive cyber threat education and protection.

To keep up to date with the latest articles and practices, pay a visit to our Hornetsecurity blog now.


For beginners in cyber security, I recommend studying the MITRE ATT&CK framework, it’s like a common language for talking about different types of attacks.

I warmly recommend the free courses offered by AttackIQ, they’ve got one on Threat-Informed Defense which goes in detail on the MITRE ATT&CK framework. And use the Cyber Kill Chain phases when talking to the rest of the business.

Both have their place and are useful in their own right in helping you build a more cyber-resilient business.


What is the main difference between MITRE ATT&CK and Cyber Kill Chain?

The Cyber Kill Chain is a useful communications tool when conveying cyber security concepts to non-technical people, and a basis for an overall IT security strategy for a business. MITRE ATT&CK on the other hand exhaustively lists every attack technique, grouped by tactics, and mapped to different threat actors, allowing an organization to identify detection gaps.

What are the types of a cyber kill chain?

There are a few different versions of the Cyber Kill Chain, FireEye (now part of Mandiant, which is now part of Google) proposed their variant which also has seven steps but which focuses more on the persistence of threats, whereas the Unified Kill Chain has 18 unique phases and attempts to marry the best of the original Cyber Kill Chain and MITRE ATT&CK.

What are the types of MITRE frameworks?

Generally, when people mention MITRE ATT&CK they’re referring to the enterprise matrix, but there’s also one for Mobile and one for ICS. Furthermore, there’s the D3FEND matrix of cybersecurity countermeasures which is sort of the other side of the attack techniques, all the different controls that an organization can implement to mitigate the attacks outlined in ATT&CK.

Microsoft 365 Permissions and Copilot Security – a ticking time bomb for Security and Compliance


File sharing in business is one of those technologies that mostly happens “under the radar”. New SharePoint sites are spun up for projects or groups, or new Teams are created with lots of files shared.

This sharing can be both with internal users and external users. And mostly, no one thinks twice about it, until sensitive documents and data end up in the wrong hands.

In this article, we’ll look at the challenge of data governance, document sharing in Microsoft 365 and how it applies to compliance regulations and getting your business ready for Copilot for Microsoft 365 – all with the help of Hornetsecurity’s 365 Permission Manager.

The Dangers of Unmanaged File Permissions

As CISOs and IT admins know – file sharing, both with internal groups and external collaborators is designed to be as easy and frictionless as possible to cater for the reality of the modern, mobile, collaborative digital workplace.

From a compliance point of view however, this approach can be a ticking time bomb, plus there’s a new player on the scene that might accelerate the timer on that bomb – Copilot. Microsoft is keen to push the value of Copilot security for Microsoft 365 (at $360 USD per user, per year, you can’t pay per month) and here’s the rub – Copilot has access to the same documents as the user has.

Remember Delve? That was Microsoft’s earlier tech for suggesting documents to you, created by people you collaborated with, that you might find valuable. Except sometimes businesses got a shock when they realized which documents were shared with different groups of people.

The Copilot situation is worse, because you won’t necessarily know which documents it has accessed to answer your prompt or create a new draft of a document for you.

Easy Sharing

Teams file sharing is possibly one of the most easily misunderstood avenues – when you share a file in a Teams channel, it’s actually stored in the team’s site in SharePoint. Whereas if you upload a file to a one-on-one or group chat, it’s stored in the Microsoft Teams Chat Files folder in your OneDrive for Business (which is actually a SharePoint site underneath the hood).

If you have a private channel, it gets its own, separate SharePoint site with a document library that only the members of the private channel have access to. So, the documents are all stored in various SharePoint sites, rather than in Teams itself.

And if you share a file with an external collaborator, depending on the settings your IT department has set in SharePoint online, this might send them an email with an invitation to create a guest account in your tenant.



If you’re a CISO, you’re probably concerned at this point. Business data is easily shared internally, possibly with staff that shouldn’t have access to it, and you have limited control over this sharing.

It’s also (likely) shared with external collaborators, and you don’t have a lot of insight into this sharing either. But you must tread carefully: a knee-jerk reaction of locking down file sharing completely, with no external sharing and default tight permissions for internal sharing, will just lead to users looking for an alternative way to get their job done.

Sensitive documents might then be shared via third party cloud storage, where you have even less visibility into the risks.

On the other hand, if you’re an IT admin, tasked with managing file sharing (on top of all your other duties) this can seem like an overwhelming challenge.

Where do you even begin? Even if you can produce reports on permissions granted, and files shared externally, you don’t know what’s oversharing and what’s legitimate business. You’ll have to work with various business departments to identify this, on a site-by-site basis.

Finally, if you’re an end user, understanding what control you have over sharing documents internally and externally (which will depend on the tenant’s configuration), and how you can inventory your own role in oversharing, is near impossible to do with the built-in tools.

Data Governance

Getting a handle on your current file sharing situation (in most businesses this is something that’s been part of the landscape for so long, that no one has the full overview to see just how bad it is), using the built in tools is challenging.

Auditing hundreds of sites manually is impossible, and even scripting PowerShell reports to gather the data is difficult.

Certainly, take a look at your current settings and the options you have in the SharePoint admin center which we covered in this article. But even if you tighten those settings today (they’re tenant wide), they only apply to new sharing, not existing shared sites, and files.

Remember that one of the tenets of Zero Trust (and it has been around long before that) is least privilege access. In other words, only give users access to the data they need to do their job, no more. And keep this up to date as they change roles in the organization or are promoted.

This rarely happens, instead people keep existing access and just accumulate more permissions. And inventorying exactly who’s got access to what documents is hard to do with the built-in tools.

Different regulations that you might have to comply with have varying approaches to controls around file sharing, in ISO 27001:2022, “Information security, cybersecurity and privacy protection” there’s A.8.12 Prevent the sharing of sensitive information within business communication platforms and under A.8.3 there’s Block access to files for specific users and Create and manage access reviews.

In HIPAA, the Health Insurance Portability and Accountability Act in the US, under § 164.308(a)(4), “Standard: Access control”, you have “Review user groups and applications with access to ePHI”, for example.

In the US, organizations doing business with the Department of Defense need to comply with CMMC, the Cybersecurity Maturity Model Certification, with a new version, v2.0, in the works. Here, for example, SC.L2-3.13.16 has controls for Data at rest, and AU.L2-3.3.1 has System auditing.

As a last example, the CCPA, California Consumer Privacy Act, control 1798.150(a)(1) Data Security Breaches involves audit logging and Data Loss Prevention policies.

These are just a few examples. Depending on where your business is located, what vertical you’re in and the type of data you store and process, different regulations will apply.

What’s common across many of them is that you not only must control access to data with least privilege access, and audit access, often with regular access reviews – you must also be able to demonstrate to an auditor that you’re doing so. It’s not enough to say you are, you must collect and present evidence for how you’re doing it.

365 Permission Manager

What’s needed is a scalable tool that can span large tenants with thousands of SharePoint sites, is easy to use, and gives you a centralized management interface to apply policies, find deviations from them and remediate over-permissioned access in bulk.

We looked at the basics of how 365 Permission Manager works here and this great video animation shows it visually. Instead of having to visit several different portals in Microsoft’s native tools, an IT administrator has a single console, and a single most important page – the To Do list.

This lists all the violations of the policies applied to every SharePoint Online site and lets you remediate in bulk, as well as provide exceptions when there’s a business justification.


To do list – the IT administrator’s best friend

There are a number of built-in compliance policies that you can apply to SharePoint sites, and you can also create your own customized ones.

This is a fundamental difference between the native approach and 365 Permission Manager. Instead of having a single tenant-wide default for all sites that you must then further customize for each site, you apply a policy to each site from a library that you have adapted to your business.

The concerned CISO we mentioned above is going to love the three reports that show Full Site Permissions, User & Group Access and External Access.

And end users are also involved, receiving regular emails if their sites are violating policy, with links to 365 Permission Manager to remedy issues.


End user email notification

365 Permission Manager was initially built at Hornetsecurity to manage our own SharePoint file sharing challenges, and our CISO, Olaf Petry, loves having such a powerful tool, saying:

It is critical for a CISO to effectively oversee the company’s strategy and programs to ensure adequate protection of information assets and technologies, and yet this process can be very complicated. My peers often discuss what a great pain point it is for them. Hornetsecurity’s new 365 Permission Manager will set CISOs’ minds at rest by enabling security and compliance managers and administrators to efficiently and easily control Microsoft 365 permissions, and help prevent critical data from getting into the wrong hands.

The ability to enter a username and see exactly what sites and documents a user has access to also really helps with preparing for an audit.



To effortlessly manage Microsoft 365 permissions, enforce compliance policies, and monitor violations with ease, utilize Hornetsecurity’s 365 Permission Manager. Protect your Microsoft 365 environment and make admin tasks a breeze.


Whether you’re working towards compliance with a regulation, preparing your business for users with Copilot for Microsoft 365 or just want to make sure sensitive data isn’t shared too widely, the answer is simple – 365 Permission Manager.


What are the risks associated with unmanaged file permissions in Microsoft 365?

Unmanaged file permissions pose a significant risk to data security and compliance. While file sharing is designed to facilitate collaboration, it can lead to sensitive documents ending up in the wrong hands. With the introduction of Copilot for Microsoft 365, the risks are further exacerbated, as it has access to the same documents as users, potentially compromising data privacy.

How does Teams file sharing contribute to data governance challenges?

Teams file sharing, although convenient, adds complexity to data governance efforts. Files shared in Teams channels are stored in SharePoint sites, while those uploaded to chats are stored in OneDrive for Business. Managing permissions for these shared files, especially when collaborating with external users, can be daunting for IT administrators, leading to oversight and potential data breaches.

How can businesses address data governance and compliance issues related to file sharing?

To address data governance and compliance challenges, businesses need effective tools like Hornetsecurity’s 365 Permission Manager. This tool offers centralized management of SharePoint permissions, allowing administrators to apply policies, identify violations, and remediate over-permissioned access. It provides customizable compliance policies, comprehensive reports, and end-user notifications to ensure data security and regulatory compliance.
Cyber Insurance: A Shield for Your Business in the Digital Age


In an increasingly interconnected world, where businesses rely heavily on technology, the risk of cyberattacks is ever-present.

As cybercriminals continue to evolve and become more sophisticated, the need for robust cybersecurity measures is greater than ever. Cyber insurance has emerged as a vital tool to protect your company from the financial and reputational fallout of a cyber incident.

In this article, we’ll explore why companies should consider taking out cyber insurance and how 365 Total Protection can make this process even more advantageous.

The Evolving Cyber Threat Landscape

The digital age has brought about a myriad of opportunities for businesses, but it has also given rise to new and constantly evolving risks. Cyberattacks, including data breaches, ransomware attacks, and phishing scams, are becoming more prevalent, targeting organizations of all sizes.

As a result, companies face the risk of financial loss, legal liability, and damage to their reputation.

The Case for Cyber Insurance

Here are compelling reasons why your company should strongly consider cyber insurance as part of its risk management strategy:

  1. Financial Protection: Cyber insurance covers the financial costs associated with a cyber incident, including expenses for investigating and mitigating the breach, notifying affected parties, and recovering lost data.
  2. Legal Liability: In the event of a data breach, your business may be liable to customers, suppliers, and partners due to data protection law violations. Cyber insurance can help cover legal expenses and compensation.
  3. Business Continuity: A cyber incident can disrupt your business operations, resulting in revenue loss. Cyber insurance can provide financial compensation to help your company maintain its stability during and after an attack.
  4. Assistance Services: Many cyber insurance policies offer assistance services, such as access to IT security experts, crisis PR specialists, and data protection lawyers. These professionals act as an extension of your team in navigating the complex aftermath of an attack.
  5. Data Protection: Cyber insurance can also cover the costs associated with the loss, misuse, or compromise of physical and electronic data, ensuring that your valuable information is safeguarded.

The Challenges of Cyber Insurance

While the benefits of cyber insurance are evident, it’s essential to acknowledge the challenges that come with it. To give some perspective: The global cyber insurance market reached $7.8 billion in 2020 and is expected to grow to $20 billion by 2025.

In recent years, the cyber insurance landscape has seen premiums rise globally by an average of 20% per year, driven by the increasing frequency and severity of cyberattacks. Insurers are also imposing higher minimum IT security requirements on policyholders. These changes can be particularly burdensome for small and medium-sized businesses.

The 365 Total Protection Advantage

To help our customers overcome these challenges and secure comprehensive cyber insurance on favorable terms, we’ve partnered with Hiscox, a leading cyber insurance company in Germany. This partnership offers special conditions exclusively for Hornetsecurity customers using 365 Total Protection or any of its components. The special conditions include:

  • Discount on Premiums: Enjoy a discounted insurance premium, ensuring cost-effective coverage for your business.
  • Reduced Deductible: Benefit from a lower deductible, making it more manageable in the event of a claim.
  • Higher Indemnity Limit: Receive a higher indemnity limit to cover potential losses during a business interruption.
  • Simplified Application Process: We’ve streamlined the application process for our customers. All you need is proof that you are using 365 Total Protection or just one of its included services, making the process hassle-free.


As the digital landscape continues to evolve, the importance of protecting your business from cyber threats cannot be overstated.

Cyber insurance is a critical tool that provides financial protection, legal assistance, and peace of mind in the face of cyber incidents.

With our partnership with Hiscox, 365 Total Protection customers can enjoy special conditions, making the process of obtaining cyber insurance more advantageous than ever before.

Don’t wait until a cyber incident threatens your business – take proactive steps to safeguard your digital assets and secure comprehensive cyber insurance.

Reach out to us today to learn more about the exclusive benefits of our cooperative agreement with Hiscox and how 365 Total Protection can help you protect your company in the digital age.



What is cyber insurance, and why do businesses need it?

Cyber insurance is a type of insurance that helps protect businesses from financial losses resulting from cyberattacks and data breaches. It can cover costs associated with data recovery, legal fees, and reputation management. As cyber threats continue to evolve, businesses need this insurance to mitigate the financial impact of potential cyber incidents.

What types of cyber threats does cyber insurance typically cover?

Cyber insurance policies can vary, but they often cover a wide range of cyber threats, including data breaches, ransomware attacks, DDoS attacks, social engineering, and insider threats. Some policies, like Hiscox’s, may also cover third-party liability, such as claims from affected customers or partners.

What factors influence the cost of cyber insurance?

The cost of cyber insurance can vary based on several factors, including the size and industry of the business, its cybersecurity practices, the amount of coverage needed, and the location of the company. Companies with strong cybersecurity measures in place may pay lower premiums than those with weaker protections.

Does cyber insurance cover the full cost of a cyberattack?

Cyber insurance policies typically do not cover the full cost of a cyberattack. They provide coverage up to the policy limit, and there may be deductibles or waiting periods before coverage kicks in. It’s essential for businesses to carefully review their policy terms and limits to ensure they have adequate coverage.

Can small businesses benefit from cyber insurance?

Yes, cyber insurance is not limited to large corporations. Small businesses are often more vulnerable to cyber threats due to limited resources for cybersecurity. Cyber insurance can help them recover from the financial impact of an attack and provide peace of mind. Many insurance providers offer policies tailored to the specific needs of small businesses.

Protecting Your Business: The Importance of Cyber Insurance


In today’s digital age, the threat of cyberattacks looms larger than ever, and businesses are increasingly becoming targets of sophisticated cybercriminals. In this landscape, safeguarding your company against potential risks is paramount.

One crucial aspect of this protection strategy is investing in comprehensive cyber insurance. But simply having cyber insurance isn’t enough; it’s equally essential to ensure that you meet the stringent requirements set by insurers to secure favorable terms.

One way to achieve this is by employing an all-encompassing IT security solution like 365 Total Protection. In this article, we’ll explore the reasons why your company should consider cyber insurance and how 365 Total Protection can help you obtain favorable terms on your policy.

The Rising Cyber Threat Landscape

Cyberattacks have surged in frequency and sophistication over recent years. Hackers are targeting businesses of all sizes, seeking to exploit vulnerabilities in digital infrastructure, steal sensitive data, disrupt operations, and cause financial and reputational damage.

As a result, companies are exposed to a growing array of risks, including data breaches, financial loss, legal liability, and reputational damage.

According to the Hiscox Cyber Readiness Report 2023, the median cost of a cyber-attack in Germany has reached 16,000 euros, down 32.4% from 2021. Although this is a welcome development for Germany, the average cost of a cyber-attack to a company is still considerable. And who can guarantee that it will be just one attack?

For other countries in the Western Hemisphere, things don’t look quite so favorable. In the UK, the average cost of a cyberattack was 24,200 euros in 2023, and 20,000 euros in the US.

The Importance of Cyber Insurance

To mitigate these risks effectively, businesses should consider investing in cyber insurance. A robust cyber insurance policy can offer comprehensive protection against the financial and legal ramifications of a cyberattack. Here’s why purchasing cyber insurance is a wise decision:

  1. Coverage for Incurred Damages: Cyber insurance typically covers the costs associated with defending against a cyberattack, restoring data and systems, and mitigating the impact of the attack on your business.
  2. Liability Protection: In the event of a data breach or cyber incident, your company may be liable to customers, suppliers, and partners due to data protection law violations. Cyber insurance can help cover the costs associated with legal liability and compensation.
  3. Business Interruption Support: Cyber insurance may provide financial compensation in case of a business interruption resulting from a cyberattack, helping your business maintain stability during challenging times.
  4. Assistance Services: A good cyber insurance policy includes assistance services such as IT security experts, crisis PR specialists, and data protection lawyers. These professionals act as an outsourced cyber crisis department to help you navigate the aftermath of an attack effectively.
  5. Data Protection: Cyber insurance can also offer protection for both physical and electronic data, including laptops, smartphones, and paper files. If data is lost, compromised, or misused, your policy can provide coverage.

The Challenges of Cyber Insurance

However, there’s a catch. As the frequency and severity of cyberattacks continue to rise, insurers are adapting to the changing landscape. They are striving to make their cyber insurance products profitable again. This translates to increasing deductibles, higher premiums, and more stringent minimum IT security requirements for policyholders.

According to the World Economic Forum, cyber insurance premiums have increased globally by an average of 20% per year over the past five years. For small and medium-sized businesses, these rising premiums and stricter security requirements can become a substantial financial burden.

How 365 Total Protection Can Help

This is where 365 Total Protection comes into play. 365 Total Protection is a comprehensive IT security solution that offers a multitude of benefits, including:

Email Security: Protect your business from email-based cyber threats, including phishing, malware, and spam. 365 Total Protection ensures that your communication remains secure, and a self-learning AI-based service validates email recipients so that even outgoing emails don’t fall into the wrong hands.

Backup & Recovery: In the unfortunate event of a cyberattack, 365 Total Protection provides a robust backup and recovery system, ensuring that your data is safe and can be quickly restored.

Compliance for Permission Management: 365 Total Protection helps your organization comply with data protection laws, ensures that you effectively protect sensitive data in Microsoft 365 thanks to clear permissions management, and reduces the risk of data loss and legal liability.

Security Awareness Training & Phishing Attack Simulation: Educate your employees about the importance of cybersecurity. Well-informed staff can be your first line of defense against cyber threats.

With the Security Awareness Service included in 365 Total Protection, you can train your employees at the touch of a button to recognize and report even advanced spear phishing attacks and learn safe behaviors to build a sustainable security culture. The Security Awareness Service runs continuously and fully automatically.

It includes advanced spear phishing simulation to continuously measure the security behavior of all employees, and then automatically manages the right level of training for each employee.

By implementing 365 Total Protection, your company can substantially enhance its cybersecurity posture, which, in turn, can lead to more favorable terms when purchasing cyber insurance. When insurers see that your organization has taken significant proactive measures to protect against cyber threats, they may be more inclined to offer competitive rates.

In Conclusion

In an era when cyberattacks are becoming increasingly prevalent and severe, cyber insurance is an essential component of your business risk and continuity management strategy. To secure favorable terms on your cyber insurance policy, invest in an all-encompassing IT security solution like 365 Total Protection.

By taking proactive steps to protect your digital infrastructure and educate your employees, you can demonstrate to insurers that your company is a responsible and secure entity, potentially leading to more cost-effective coverage.

Don’t wait until it’s too late – protect your business today with a combination of robust cyber insurance and 365 Total Protection’s comprehensive IT security offerings.



What are the benefits of having cyber insurance?

Cyber insurance can help businesses to:

  • Recover from a cyberattack more quickly and efficiently
  • Protect their reputation
  • Avoid financial losses
  • Comply with regulatory requirements

How much does cyber insurance cost?

The cost of cyber insurance varies depending on the size of the business, the industry it is in, and the level of coverage it needs. Other factors that affect the insurance premium include:

  • Risk assessment and deductibles
  • Type of information and data a company stores and processes
  • The type and quality of security measures implemented, such as security awareness training for employees
  • The company’s cyber history
  • Any global presence the company may have. Companies with a global presence typically pay higher premiums for cyber insurance because they are exposed to a broader range of risks.

What can businesses do to lower their cyber insurance costs?

Businesses can lower their cyber insurance costs by:

  • Implementing strong cybersecurity controls
  • Conducting regular risk assessments
  • Training employees on cybersecurity best practices
  • Having a comprehensive incident response plan in place