Is Microsoft 365 more secure than Google Workspace?

Is Microsoft 365 more secure than Google Workspace? We put the two big titans to the test, and review their security model plus look at published data breaches.
Last updated: June 15, 2022

Is Microsoft 365 more secure than Google Workspace?

When comparing collaboration tools, the clinchers are often a proven cutback in work hours and increased efficiency. Yet, arguably all collaboration software offers similar benefits, exploring other areas of difference is a must.

The two largest powerhouses competing for the productivity of your business are Microsoft 365 and Google Workspace. Feature-wise, both offer:

  • Shared calendars
  • Online documents
  • Meeting spaces
  • Spreadsheets
  • Online forms
  • Slide presentations

Besides, the difference in pricing is minimal: Google Workspace’s business standard pricing is $12/month, while Microsoft 365 price for the same plan is $12,50/month. Tough call.

For the two big guys above, the decider is security. It’s far easier to use tools when you trust that your data will be safe with them — or at least safer than if you were using a less reputable option.

When analysing the safety of any collaboration software, look for the following features:

  • 2-step verifications (or multi-factor authentication)
  • Endpoint management
  • A centralised security management centre

The trouble is, both Google Workspace and Microsoft 365 include all of the above and more.

Still, both have their pros and cons, which could assist your choice. In order to help you reach a decision faster, we’ll list each product’s separate advantages and disadvantages, security-wise.

Google Workspace (Formerly G Suite)

More and more businesses are migrating to the cloud as a way to seek better remote teamwork and flexibility. To Google, keeping teams connected also means allowing them to have full control of their business data added across Google Docs, Google Sheets, Google Forms, and other apps. Customers may automatically sync their downloads to Google Drive, their cloud storage solution.

Google Workspace’s shielded architecture offers the utmost security and privacy to its customers. After all, Google Workspace was specifically designed after resilient security standards, all of which are described on their Security & Trust Centre. Here’s an excerpt referring to data access:

“The customer – not Google – owns their data. Google does not sell your data to third parties, there is no advertising in Google Workspace, and we never collect or use data from Google Workspace services for any advertising purposes.” 

So far, so good.

As for the drawbacks, Google Workspace’s security could fall short with something as small as a click on a suspicious link in an email, for instance. Accidentally opening a phishing link could result in encryption of all involved emails, and hackers could use the collected data for malicious purposes. This is not, however exclusive to Google as emails are ubiquitous on any platform.

Microsoft 365 (Formerly Office 365)

Microsoft 365 is the cloud-based version of Windows, which combines the fundamental apps you already know: Word, PowerPoint, Excel, and more. Its enterprise-level security features keep all of the customers’ data safely stored in OneDrive cloud storage.

As far as security goes, it doesn’t disappoint. Customers can enable Microsoft 365 Security Centre, which is a dynamic centralised dashboard built to help teams manage security across identities, data, devices, and apps.

Their rigid threat protection system includes Microsoft 365 Defender, where users are able to identify suspicious activities across their cloud-stored information and keep the entire company away from any type of malware.

What’s more, all of your business data is, and always will be, yours.

“No more than 180 days after expiration or termination of a subscription to Microsoft 365, Microsoft disables the account and deletes all customer data from the account. Once the maximum retention period for any data has elapsed, the data is rendered commercially unrecoverable.”

However, Microsoft has a number of well-publicised data breaches as you will see below, and it’s worth noting these happen far more often (anecdotally) than Google.

So, where are the slips in security?

Even with rigorous security systems in place, both app suites are still susceptible to cyber-attacks and data leaks. But Google and Microsoft aren’t the only ones to blame.

When it comes to overall security, the responsibility should be shared between the user (by deploying 2-factor authentication), the administrative policies (with user levels & rights, as well as reinforcing password strength), and the tool in question (with data protection policy, hardware, and software security).

Even though this responsibility is shared, human error remains one of the biggest sources of data breaches. Human error can refer to weak passwords, sharing sensitive information through emails and texts, and clicking malicious links known as Phishing Scams.

As for Microsoft 365 and Google Workspace, there have been a few misconfigurations and errors that led to such consequences on both software. Here are some of them:

Google: poor configuration led to data leaks.

Over 10,000 companies (all users of former G Suite) have had their confidential data leaked. The leak has flamed discussions about the problem being a user misconduct issue versus a user interface problem.

According to investigative journalist Brian Krebs, Google Groups users could have potentially leaked sensitive information in their messages, such as financial data and passwords. Although Google has refuted the possibility of a bug, it still has sent out messages to affected users with instructions on how to detect and fix the misconfiguration issue.

Microsoft: 250 million customer records leaked.

Over 200 million customer records, including support logs and customer service details, were released with unprotected passwords. Not only recent customer data but data going back 14 years containing interactions from employees and customers around the globe.

Privacy advocate Paul Bischoff told Forbes that “if a misconfiguration is detected (in a security system), security staff should be notified immediately so it can be remedied”. This was aimed at any organization that wants to steer clear of security hazards.

Both Google and Microsoft: developer and user error.

In 2020, one error resulted in over 150,000 health records being leaked. All of the records in question were kept in both Microsoft and Google documenting apps, and nine health organisations were affected.

At the beginning of this article, two-factor authentication was mentioned as a fundamental step in keeping company data safe — which is exactly what these organisations failed at. This leak could easily have been prevented.

Google: bug in old G Suite tool

Back in 2005, Google account administrators could use a tool to manually set user passwords.  Yet, this tool didn’t contain Google’s password-hashing algorithm, meaning the passwords were stored without being converted to indecipherable symbols or asterisks (****). That exposed every single user’s passwords, which made companies extremely vulnerable to cyber-attacks.

Thankfully, the problem was solved: In 2019, former G Suite admins were notified about the issue and asked to reset their passwords.

Microsoft: Email data breach affects 85% of organisations.

For several Microsoft 365 users, working from home meant falling prey to data breaches. The migration to collaboration tools surely facilitated remote connection, but a report from Egress also brought to light the potential dangers of data loss.

Apparently, data leaks are common for Microsoft users who break yet another rule of thumb: avoid sharing confidential data via an email’s body text. If you have to share confidential data, make sure to send it as an attachment, and that the attachment is encrypted.

Microsoft: Russian hacking group targets Microsoft users

The Russian hacking group Nobelium came to Microsoft users through brute force attacks. According to Microsoft’s official statement about the activity, Nobelium’s main targets were “primarily IT companies (57%), followed by government (20%), and smaller percentages for non-governmental organizations and think tanks, as well as financial services.”

Although most of the attacks were in vain and the activity wasn’t unprecedented, Microsoft still guarded their system against the malware through safety measures such as — you guessed it — multi-factor authentication.

Whichever option you choose, you’re not 100% safe

While both Microsoft 365 and Google Workspaces provide robust, cutting-edge protection against breaches and cyberattacks, there will never be a bulletproof solution against them. As you can see from the above examples, even massive tech companies are prone to data leaks.

Among the steps you should take to protect your company is going for the most secure option. Due to the predominance of Microsoft leaks over the past years, the winner is Google Workspace.

By that, we don’t mean Microsoft 365 is unsafe. Its security system remains one of the most reliable in the industry but it can require more technical knowledge and manpower to manage.

Now that you know all this, which option would you choose?

Duncan Isaksen-Loxton

Educated as a web developer, with over 20 years of internet based work and experience, Duncan is a Google Workspace Certified Collaboration Engineer and a WordPress expert.
Login
Log in below to access your courses.
Log In With Google
Forgot Password
Enter your email address or username and we’ll send you instructions to reset your password.