April 22, 2026

CISA’s Microsoft 365 alert is a wake-up call: Are cloud misconfigurations exposing your organization to risk?

Danyel Marrs

In 2025, nearly one quarter of cybersecurity incidents were caused by misconfigured IT or cloud security settings, a risk that continues to grow as organizations rely more heavily on SaaS platforms like Microsoft 365.

As cloud adoption accelerates, the attack surface expands, often outpacing the ability of security teams to keep configurations aligned with best practices. The result is a growing gap between how cloud environments change and how often their security settings are formally reviewed.

That reality sits at the center of a recent alert from the Cybersecurity and Infrastructure Security Agency (CISA), which warned that improper Microsoft 365 configurations have already led to real-world compromises, including a cyberattack against a healthcare organization triggered by cloud misconfiguration. Healthcare organizations, in particular, remain prime targets for cybercrime.

Why Cloud Misconfigurations Are One of the Most Overlooked Cyber Risks

Cloud platforms change faster than most organizations’ governance, audit, and risk management cycles. New features, default settings, and security controls are released continuously, often without leadership awareness or formal review.

Industry research shows that more than half of cloud breaches are linked to configuration drift over time. These issues don’t arise because cloud providers are insecure. They arise because configuration decisions are often:

  • Made at a point in time and never revisited
  • Adjusted tactically without holistic review
  • Influenced by default settings that may not align with organizational risk tolerance

Over time, small gaps compound into meaningful exposure.

Why Microsoft 365 Represents a Particularly Large Risk Surface

Microsoft 365 is embedded in daily operations for most organizations. Email, file sharing, collaboration, identity management, and data storage all live within a single ecosystem, making it both powerful and vulnerable.

CISA has emphasized that improper configuration of cloud security controls has already resulted in actual compromises, prompting federal mandates to harden Microsoft 365 environments using secure configuration baselines.

Key risk factors include:

  • A broad user base with varying security awareness
  • Complex permissions across Teams, SharePoint, and OneDrive
  • Advanced security features that exist but are not always activated or tuned

For many organizations, Microsoft 365 contains their most sensitive data, yet its security posture has never been independently evaluated.

What Is a Cloud Security Evaluation and Why Is It Different from a Traditional IT Audit?

A cloud security evaluation focuses specifically on how cloud services are configured today, not how policies are written or whether controls exist on paper.

An independent third-party team performs cloud security evaluations by comparing the configuration of an organization’s Microsoft 365 environment (and of other cloud platforms such as Azure, AWS, and Google Cloud) against Center for Internet Security (CIS) Benchmarks, which reflect consensus-driven best practices developed by the global cybersecurity community.

CIS Benchmarks are publicly available, regularly updated, and widely regarded as the industry standard for secure configuration across major technologies.

How a Cloud Security Evaluation Works

A typical cloud security evaluation includes:

  • Independent review of cloud configurations against the latest CIS Benchmarks
  • Read-only access to the cloud environment to identify gaps and deviations
  • Manual analysis of security settings across identity, data protection, and access controls
  • A clear report outlining configuration recommendations tied directly to CIS control IDs

Engagements are efficient, often requiring only one to two days of technical review, and culminate in a leadership-ready report.

Common Misconfigurations That Create Hidden Risk

Evaluations frequently uncover settings that were never intentionally chosen by leadership, including:

  • Data loss prevention (DLP) rules that are disabled or overly permissive
  • Email or file sharing configurations that allow sensitive data to be sent externally
  • Identity settings that increase risk when administrators leave the organization
  • Inadequate controls over regulated data such as healthcare, financial, or HR information

For organizations operating under privacy regulations, such as healthcare entities or businesses subject to California privacy laws, these gaps can create compliance exposure alongside cyber risk.

How Often Should Organizations Re-Evaluate Cloud Security Settings?

As cloud platforms introduce new capabilities and settings on a regular basis, security configurations should be revisited with similar discipline. We recommend:

  • An independent cloud security evaluation every three years
  • Additional reviews following major system changes, migrations, or new cloud deployments

While internal IT teams should regularly reassess configurations, periodic external evaluations provide leadership with an objective view of current exposure and help determine which issues deserve immediate attention. Without these reviews, unexamined cloud configurations can increase security risk.

We Can Help

Elliott Davis helps organizations take a more disciplined approach to cybersecurity by providing independent, practical assessments of cloud and technology risk. Our services include:

  • Cloud security evaluations
  • Penetration testing
  • Vulnerability scanning
  • IT audit services
  • Cyber risk assessments
  • Cybersecurity consulting

Together, these services help organizations move beyond point-in-time visibility to a more consistent approach to identifying, prioritizing, and addressing risk. Our cloud security evaluations give leadership an objective view of current configurations, highlight gaps against recognized best practices, and outline clear, actionable steps to reduce exposure before issues become incidents.

Contact us today to get started.

The information provided in this communication is of a general nature and should not be considered professional advice. You should not act upon the information provided without obtaining specific professional advice. The information above is subject to change.
