Hi, Elias Atie from Cloud Context here. Today, I’m going to give you a few tips that are going to help you ensure that your Microsoft Office 365 subscription is secure. These tips are by no means are definitive list, but, whether you are a large organization or a one employee shop, they should get you on the right track.
As per any SaaS product, there’s always security settings and configuration that needs to be checked and monitored when an organisation is heavily utilising software such as Microsoft Office 365.
No matter what size, and what licensing tier a business has purchased, Microsoft gives administrators and sometimes users access to do certain things that not all organisations are okay with. For example, the ability to automatically forward emails or the ability to share data with external domains.
In this article, I’m going to give you four tips that you can do yourself to make sure the security standards of your Microsoft 365 tenant meet your organisation’s cybersecurity stance and frameworks.
1. Multi-factor authentication
As usual, this is my favourite.
According to Microsoft, enabling MFA can stop 99.9% of malicious attacks on user accounts. That’s a massive figure. If you are yet to turn on MFA and enforce the use of it on every single user account in your organisation, that knowledge alone should be enough to get you to turn it on right now. I’m not going to go on and on about it, just do it.
2. Data Sharing
The introduction of external data sharing in apps like Microsoft Word, Teams, Excel, OneDrive for Business, SharePoint Online, etc has been beneficial in allowing users and staff members share documents and data easily with each other and external parties.
Unfortunately, malicious actors have been quick to attempt to exploit this by gaining access to data via the means of sharing.
My suggestion is to prevent this by managing who users can share with outside of your own domain. For example, if you know your users are sharing data with an organisation named ACME, then put ACME.com on an allowed list. Do this with all your domains that you allow but make sure you keep it controlled, ie, don’t add domains like gmail.com or live.com which allows for a massive attack vector.
3. User Account Sharing
Many of my fellow IT admins and consultants will share this one pain point with me – user account sharing. Since the beginning of my career, I’ve seen time and time again, the user of generic accounts within organisations to either save money, save time or for some other excuse.
Regardless the reason, it needs to stop. If we want a safe, secure environment where people remain accountable and actions remain traceable, you CANNOT HAVE SHARED ACCOUNTS.
If you’re organisation or your client’s organisation is doing this, find other solutions. Understand why it is occurring and resolve the issue by other means.
4. Legacy Authentication
Are your users still using native mail clients on their mobile devices like the Apple Mail app or the Samsung Mail app? If so, chances are that legacy authentication is still enabled in your environment to allow this to happen.
Going back to number 1, enabling multifactor authentication on your user accounts can stop 99.9% of malicious attacks on user accounts. The use of Legacy Authentication bypasses MFA. In other words, if you have MFA enabled on an account, but that account signs in using an old mail client that uses Legacy Auth, THEY WILL NOT BE SUBJECT TO MFA.
Security is larger than a user who wants to use an old mobile phone for their mail client. Make the change and do it ASAP because evidence and experience shows that once an attacker learns someone’s password, Legacy Authentication is often the first attack vector that is exploited, giving them access to mail, calendar and organisational data.
Hope that helps! Don’t forget, if you’re in doubt, reach out to an IT professional!
Got questions, ideas, or just want to chat? We'd love to hear from you! Reach out to us anytime, and we'll get back to you with all the help and information you need.
