The importance of fully securing Microsoft Office 365 cannot be overstated. Government agencies and retail, technology and healthcare industries are among the most popular targets, but the truth is that cybercriminals are more than willing to hack into any vulnerable business to obtain valuable customer information and company data.
Thankfully, Microsoft offers an array of tips and tools to help businesses and individuals keep Microsoft Office 365 fully secure. There are also some practical steps a company can take to maintain a high level of security at all times. Following is a comprehensive overview of steps any business can take to fully secure Microsoft Office 365 in 2019.
Microsoft highly recommends setting up multi-factor authentication, and it's not hard to see why: it is perhaps one of the simplest yet most effective ways to protect a Microsoft Office 365 account from hacks. With multi-factor authentication in place, employees will be required to not only type in a password but also acknowledge a text message on their phone to access the company account. Using multi-factor authentication ensures that valuable company data is not compromised if an employee uses an easy-to-guess password and/or leaves the company password written in a visible location.
While it is crucial for employees to understand the importance of using strong passwords, a compromised password on its own would not enable a malicious third party to access your data as one would need an employee's phone as well to gain entrance into the Office account.
An administrative account provides managers and executives with additional options, privileges and security features to keep Microsoft Office 365 safe from unauthorized access. However, it is crucial for administrative accounts to be used with care or they can cause more harm than good. Following are some steps every business should take to protect admin accounts from breaches:
- Set up regular accounts for each admin user. Admin users should utilize their regular account for non-administrative tasks and reserve the admin account for functions that cannot be completed with a regular account.
- Have admin users close all unrelated browser sessions and apps before logging onto an admin account.
- Instruct admin users to log out of the admin account after each session.
- Provide clear guidelines regarding which data can be viewed and downloaded using an administrative account.
- Monitor admin user actions to detect high-risk activities involving sensitive data and identify unauthorised admin account access attempts.
- Immediately shut down admin accounts for administrative users who leave the company.
OneDrive has much to offer any business. It enables users to synchronize data across various devices as well as share files with other users. Unfortunately, OneDrive can also provide hackers with easy access to company files. It is not uncommon for employees to download files from a secure OneDrive account only to save the data on an unsecured cloud account or personal device. To prevent this scenario, companies should clearly mark files that should not be downloaded from the OneDrive account. It is also essential for the IT department to:
- Know what data is being uploaded to and downloaded from OneDrive.
- Be aware of which users have access to information.
- Know which files or folders have shared links.
- Be able to see which devices are being used to access the company's OneDrive account and pinpoint the geographical location of the devices in question.
Every company should use all the tools that Microsoft Office 365 provides to protect the company from email-based threats. The Office 365 Security & Compliance Center enables admin users to block certain types of file attachments that are commonly used for malware or ransomware. It also allows managers to enable Advanced Threat Protection to check email attachments for malware. This protection extends to files in OneDrive, SharePoint and Microsoft Teams, protecting employees who use cloud-based software from breaches.
Furthermore, Office 365 Security & Compliance Center can be used to create an Advanced Threat Protection plan that will stop email phishing attacks.
The Office 365 admin center enables IT professionals to set up pop-up warnings for employees who are about to download an email attachment. The warning, which clearly states that employees should not open certain types of files from users they do not know as the files may contain malware, can prevent devastating consequences should an employee click on an attachment without thinking. This handy tool also makes it possible for companies to choose which types of files activate a pop-up warning, thus creating an efficient work environment for employees who can freely access safe files without automatically opening ones that could potentially be harmful.
The Office 365 admin center also has tools that can enable companies to disable auto-forwarding for emails. Many hackers who gain access to one company account use this account to automatically forward emails in an attempt to gain access to other user accounts. The emails can be forwarded without the compromised account user being aware of what is going on, making it impossible for him or her to put a stop to the forwarded emails. By disabling auto-forwarding, companies can limit the damage caused should a malicious third party compromise an Office 365 account.
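Before disabling auto-forwarding, it helps to know which mailboxes already forward mail outside the organization. The following is an added example, not part of the original article or any Microsoft tool: it audits a constructed export for external forwarding targets. The field names mirror the Exchange Online properties `ForwardingSmtpAddress`, `ForwardTo`, `RedirectTo` and `ForwardAsAttachmentTo`; the export shape, domains and addresses are assumptions made for illustration.

```python
import re

# Constructed sample data (not from the article). Field names mirror Exchange
# Online mailbox and inbox-rule properties; the export shape is an assumption.
ACCEPTED_DOMAINS = {"contoso.example"}

MAILBOXES = [
    {"UserPrincipalName": "amy@contoso.example", "ForwardingSmtpAddress": None},
    {"UserPrincipalName": "raj@contoso.example",
     "ForwardingSmtpAddress": "smtp:raj.backup@mail.example.net"},
]
INBOX_RULES = [
    {"Mailbox": "amy@contoso.example", "Name": "Team copy", "Enabled": True,
     "ForwardTo": ['"Finance" [SMTP:finance@contoso.example]']},
    {"Mailbox": "amy@contoso.example", "Name": ".", "Enabled": True,
     "RedirectTo": ['"x" [SMTP:Collector@Inbox.Example.org]']},
    {"Mailbox": "raj@contoso.example", "Name": "old", "Enabled": False,
     "ForwardAsAttachmentTo": ['"y" [SMTP:y@other.example]']},
]

ADDRESS = re.compile(r"[\w.+-]+@([\w-]+(?:\.[\w-]+)+)")
RULE_ACTIONS = ("ForwardTo", "RedirectTo", "ForwardAsAttachmentTo")

def external_targets(values, accepted):
    """Return addresses in `values` whose domain is not an accepted domain."""
    found = []
    for value in values or []:
        for match in ADDRESS.finditer(value):
            if match.group(1).lower() not in accepted:
                found.append(match.group(0).lower())
    return found

def audit_forwarding(mailboxes, rules, accepted):
    """List (mailbox, source, address) for every external forwarding path."""
    findings = []
    for mbx in mailboxes:
        for addr in external_targets([mbx.get("ForwardingSmtpAddress") or ""], accepted):
            findings.append((mbx["UserPrincipalName"], "mailbox-forwarding", addr))
    for rule in rules:
        if not rule.get("Enabled"):
            continue  # disabled rules do not move mail; review them separately
        for action in RULE_ACTIONS:
            for addr in external_targets(rule.get(action), accepted):
                findings.append((rule["Mailbox"], f"inbox-rule:{rule['Name']}:{action}", addr))
    return findings

if __name__ == "__main__":
    for finding in audit_forwarding(MAILBOXES, INBOX_RULES, ACCEPTED_DOMAINS):
        print(*finding, sep="\t")
```

Domain matching is exact, so a subdomain of an accepted domain is reported as external unless it is added to `ACCEPTED_DOMAINS`.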
It's also wise to enable Office Message Encryption. The program is included with Microsoft Office 365 and can be enabled in Outlook for PC. The encrypted email message program allows users to send encrypted emails both inside and outside the organization and it works not only with Outlook but also common email platforms such as Gmail and Yahoo Mail.
An astonishing 95% of all breaches happen due to human error. Busy employees who are unfamiliar with IT guidelines can make deadly mistakes that will cost companies millions of dollars to rectify. Alternatively, many employees who are familiar with IT security procedures may disregard them because they are time-consuming to comply with or because they do not understand the importance of these guidelines in the first place. It is imperative for every single company to provide its workers with comprehensive, ongoing security training to keep systems secure at all times.
What type of training do employees need to fully secure Microsoft Office 365? Following are some important points that should be emphasised:
- Work devices should never be used for personal matters such as checking a personal email account or social media site. It is all too easy for employees to compromise a company's entire network by downloading a malicious attachment from a personal email account or social media site.
- Employees should be taught the right way to communicate with colleagues and superiors. Internal communications should be secure and follow proper protocol to prevent important data from falling into the wrong hands. Employees should also be taught how to spot fake communications ostensibly from management but actually sent by a hacker attempting to access company data.
- Knowing how to back up important data is yet another aspect of employee security training. Data should be backed up regularly yet in a secure manner so that unauthorized third parties cannot access files as they are being copied to or from a cloud server.
- Companies should also create a plan for handling a malware, ransomware, DDoS or any other type of cyberattack. Even the best Microsoft Office 365 security guidelines cannot guarantee that an attack will never occur. Employees should know how to recognize the signs of an attack and what to do to limit the damage.
- New employees will need industry-specific training on how to handle important data. Healthcare companies, for example, will need to ensure that all employees are aware of current HIPAA guidelines regarding patient data privacy. Government entities will need to train employees to handle sensitive or classified information in accordance with existing laws and regulations.
Cybercriminals are always on the job, looking for new ways to access company data from Microsoft Office 365 and then misuse this data by offering it for sale on the dark web or demanding a ransom in exchange for returning company files. Given this fact, it is important for businesses to have a plan in place to keep their Microsoft Office 365 accounts secure at all times. The tips mentioned above are an ideal starting point; at the same time, companies will need to customize their approach to Office security to ensure their files remain safe from unauthorized access. It's also wise to re-examine security guidelines from time to time to ensure that they are still as effective and efficient as they are meant to be.