Why Microsoft Is Becoming a Security Liability

Something has shifted with Microsoft, and not in a good way. What was once a straightforward productivity suite that you bought, installed, and owned has quietly transformed into something far more concerning. If you have not noticed the changes yet, you will soon, and they have real implications for your business.

From Office to confusion

Microsoft has rebranded its familiar Office apps into something called Microsoft 365 Copilot. If that name sounds confusing, you are not alone. There are now two apps on the app stores with almost identical names, and when you visit office.com you are greeted by a completely different interface to what you are used to. For anyone who just wants to open their laptop and get on with their work, this has caused genuine frustration.

But the real problem goes much deeper than a clumsy rebrand.

Your documents are no longer just yours

Here is what is actually happening. When you open a Word document on your phone or tablet, you would reasonably expect it to open in Word. Instead, Microsoft now forces it through the Microsoft 365 Copilot app, which immediately offers you things like document summaries and other AI-powered tools.

That might sound helpful on the surface. But think about what is really going on. Your document, which might contain confidential business information, privileged communications, or sensitive customer data, is being sent to Microsoft’s servers so their AI can process it. You did not ask for this. You did not consent to it. It just happens.

And before anyone says Microsoft would never use that data for training their AI models, let me be clear: both Microsoft and Google have been caught doing exactly that. A major law firm has spent two years investigating this and is now preparing to sue both companies for using customer data to train AI without proper consent. This is not speculation. It is a pattern.

The compliance nightmare

For businesses operating in the UK or Europe, this creates a serious compliance headache. The moment your data is processed on a US company’s servers, you are exposed to American laws and regulations that may directly conflict with GDPR and UK data protection requirements. The servers themselves might be located in Europe, but the companies that control them are not, and some data may still be sent to US-based infrastructure for processing.

And the situation is getting worse. US agencies like ICE have dramatically expanded their surveillance capabilities, spending more on surveillance technology in recent months than in the previous thirteen years combined. Reports have emerged of government departments issuing subpoenas to tech companies to access user data, sometimes targeting people simply for what they have posted online.

This is not fearmongering. This is documented fact. And if you are a business that handles client data, employee records, or anything remotely sensitive, you need to ask yourself: can I honestly tell my compliance officer that our data is safe with a US provider?

What you absolutely do not want is one of your employees or clients being detained at a border because of something that originated in a private email or a Teams chat. It sounds extreme, but the evidence shows this kind of overreach is already happening.

What can you do about it?

The good news is that you do not have to stay locked into Microsoft or Google. There are mature, well-supported alternatives that keep your data under your control and within your jurisdiction.

Infomaniak’s kSuite, built in Switzerland, offers email, cloud storage, video conferencing, and collaboration tools with some of the strongest privacy protections in the world. Nextcloud is a fully open source platform that you can host yourself or through a trusted provider. It is already used by several European governments, including German federal agencies and the French Ministry of the Interior. If it is good enough for national security, it is good enough for your business.

The demand for these alternatives is growing rapidly across Europe, and interestingly, even American organisations are now looking to European providers because they no longer trust their own government to leave their data alone.

For a practical overview of what is available, the European Alternatives directory is an excellent starting point.

Regain your sovereignty

I have written before about why data minimisation is your best defence and how compartmentalisation can protect your business. Moving away from Microsoft fits squarely into that strategy. The less data you hand to companies you cannot control, the smaller your attack surface and the stronger your compliance position.

I am not saying you need to rip everything out overnight. I still work with Microsoft products, particularly SharePoint, because sometimes the business reality demands it. But if you are at a decision point, if you are considering a new solution or your renewal is coming up, please consider the alternatives. Your data, your customers, and your compliance officers will thank you.

This is about building practical resilience for your business. It is about being able to look your regulators in the eye and say with confidence that you are in full control of your data and compliant with local legislation.

Regain your data sovereignty. Become more resilient. Because the world we are operating in demands nothing less.

What are your thoughts? Have you already started moving away from Microsoft, or are you stuck in a contract you cannot get out of? I would love to hear your experiences. Drop a comment below or find me on Mastodon or LinkedIn and let us talk about it.

Photo by Rubaitul Azad and Manuel Bonadeo on Unsplash