If you're using Microsoft 365, that means a huge percentage of your company data, from emails to spreadsheets, are hosted in the Microsoft cloud. The Microsoft cloud platform is incredibly secure on it's own, but it's up to YOU to manage your own environment in that cloud!
Here's the good news - the Microsoft 365 platform has tons of built-in security features that, when configured and maintained properly, can protect your business from cyber thieves. Let's take a look at the controls you need to implement in your Microsoft 365 platform.
How Do I Secure Microsoft 365? Seven Key Features!
There are seven core security features inside Microsoft 365 that are an absolute must for any organization. These all come as part of your 365 licensing, but to be utilized properly, they have to be configured and maintained for your specific business needs.
1. Multi-Factor Authentication (MFA) – In today’s landscape, multi-factor authentication shouldn’t be optional. MFA protects your cloud identities when a password is inevitably leaked or stolen. It can also allow you to adopt a simpler password complexity policy and remove the need for password expiration thanks to the added authentication step.
With MFA, any leaked credential is useless to a cybercriminal, since they won’t be able to complete the authentication process. This extra layer of security only takes a few seconds out of your day and will ensure your accounts (and the data within) are safe. Be sure this feature is enabled in your Microsoft 365 platform!
2. Audit Log Search and Alert Policies – This feature has recently been updated to be automatically enabled, but still is worth checking, just to be sure. With audit logs, you can view history of activity within the 365 tenants.
Depending on which license you’re using, you can create additional customized alert policies to stay informed of any event you deem necessary in 365.
3. Email Authentication: SPF, DKIM & DMARC – These are simply different forms of authentication inside your emails. Notice the lock icon next to the website in the address bar of your browser? DKIM is basically a variation of that, digitally signing your email and marking it with the proper source. This all happens in the background, with no noticeable alteration to your emails or 365 experience.
The purpose of these email authentication pieces is to ensure that no one can impersonate your email address or domain both internally and externally. This is a crucial security combination; it just requires some precise configuration!
4. Exchange Online Protection Baseline – Out of the box, the “protection baseline” is installed and operational. The initial settings are generic and should be configured by your IT administrator for your specific needs.
The policy included in the baseline needs to be reviewed and aligned with your industry’s current best practices. A vCIO can be a great resource if you need a bit of assistance with this tedious process!
5. Disabling Client Auto-Forward – Often, malicious parties will use this feature to quietly forward sensitive emails out of an organization to a mailbox they control. End users typically aren’t aware this is happening.
Generally speaking, corporate email probably shouldn’t be forwarded to private addresses at all. For this reason, we recommend always disabling this feature across the board. From there, it can be re-enabled on a specific per-user basis when needed.
6. Administrative Consent Requests – This is another attack method that is often overlooked. By default, anyone can grant access to a third-party app to be used inside the Microsoft 365 cloud. An example would be Adobe’s document cloud.
To establish this connection, certain access is granted between the third-party and 365. Without administrative consent enabled, a spear phishing attempt with a link asking a user to reset their OneDrive password could actually allow cybercriminals inside the your organization’s 365 tenant.
Administrative Consent Requests take the cybersecurity risks out of the user’s hands!
7. OneDrive Backup for Known Folders – All 365 plans have 1 TB of OneDrive space per user. This space should be used to replace your organization’s old methods for redirecting folders onto your servers.
OneDrive provides automatic cloud backups; which users can restore on their own from anywhere in the world without needing assistance from system administrators!
Configuring Microsoft 365 Security - The Big Picture
There is no magic button or one-size-fits-all option to Microsoft 365 security. It requires serious thought and execution to ensure you’re really protected.
Above, we provided you with the most important security features that are built-in to the Microsoft 365 platform and why you should take advantage of them.
However, you need to start this journey by considering all of your security risks at every layer of Microsoft 365, including users, devices, applications, email, and documents.
Although 365 has many of the features you will most likely need, there are also situations where you may need additional security products to provide the most robust cyber security protection possible.
Let’s break each layer down and see where the vulnerabilities lie.
1. User Risks
- Compromised Login
- Weak Credentials
- Suspicious Locations
- Legacy Authentication Protocols
If you haven’t implemented strict policies, your employees could be using logins with weak passwords, or even credentials that have unknowingly been compromised. You need to ensure that MFA, conditional access policies, and easily accessible password reset tools are enabled.
2. Device Risks
- Unmanaged Devices
- Weak PIN/Login Credentials
With everyone working remotely these days, there’s an abundance of opportunity for cybercriminals to access your data through unsecured personal computers, which can act as propagators for any malware or ransomware attack.
3. Application Risks
- Ability to Copy/Paste/Save Corporate Data
- Potentially Weak Security in 3rd Party Apps
With a small amount of configuration, you can ensure that your sensitive company data stays internal on your secure software. Disabling the ability to locally save or copy/paste data is crucial to security. You also need to be sure that only approved cloud apps are being used to manage your data.
4. Email Risks
- Malware Vulnerabilities
- Ransomware Threats
- Potential for Sharing Sensitive Data
There are huge risks associated with unsecured or improperly configured corporate email, but at the very least, you need to enable Advanced Threat Protection (ATP) and Data Loss Prevention (DLP) to monitor sensitive data and prevent successful ransomware, malware, and other phishing attacks.
5. Document Risks
- Lack of Internal and External Protection
- Improper Folder Security Configuration
- Access Retention for Departed Employees
Maintaining document security may be the most tedious job of all we’ve listed. Most importantly, folder restrictions must be in place, ensuring only the necessary people have access to sensitive data, and these permissions need to be audited routinely, as changes always occur!
Why You Need a Microsoft 365 Audit
We know this is a lot to manage, but maintaining basic security protocols inside Microsoft 365 must be done to ensure your organization’s data and reputation are safe and secure.
When is the last time you did a deep dive into your Microsoft 365 account security?
An external audit is the only way to know for sure that your company email, information, and client data are all safe and secured with the most up-to-date features customized to meet the requirements of your exact industry.
Reach out to us if you’re interested, and our team will be happy to help!
If you’ve enjoyed this piece and would like to learn more, check out our recent webinar “Microsoft 365 Security – Mind the Gap!” at the link below. This recording will provide you with additional information on the built-in security features of your Microsoft 365 platform.