The 2019 Guide To Securing Microsoft Office 365
The importance of fully securing Microsoft Office 365 cannot be overstated. Recent statistics show that a hacker attack occurs every 39 seconds. Government agencies and retail, technology and healthcare industries are among the most popular targets, but the truth is that cybercriminals are more than willing to hack into any vulnerable business to obtain valuable customer information and company data.
Thankfully, Microsoft offers an array of tips and tools to help businesses and individuals keep Microsoft Office 365 fully secure. There are also some practical steps a company can take to maintain a high level of security at all times. Following is a comprehensive overview of steps any business can take to fully secure Microsoft Office 365 in 2019.
Use Multi-Factor Authentication
Microsoft highly recommends setting up multi-factor authentication, and it’s not hard to see why as it is perhaps one of the most natural yet most effective ways to protect a Microsoft Office 365 account from hacks. With multi-factor authentication in place, employees will be required to not only type in a password but also acknowledge a text message on their phone to access the company account. Using multi-factor authentication ensures that valuable company data is not compromised if an employee uses an easy-to-guess password and/or leaves the company password written in a visible location. While it is crucial for employees to understand the importance of using strong passwords, a compromised password on its own would not enable a malicious third party to access your data as one would need an employee’s phone as well to gain entrance into the Office account.
Use Administrative Accounts with Care
An administrative account provides managers and executives with additional options, privileges and security features to keep Microsoft Office 365 safe from unauthorized access. However, it is crucial for administrative accounts to be used with care or they can cause more harm than good. Following are some steps every business should take to protect admin accounts from breaches:
- Set up regular accounts for each admin user. Admin users should utilize their regular account for non-administrative tasks and reserve the admin account for functions that cannot be completed with a periodic report.
- Have admin users close all unrelated browser sessions and apps before logging onto an admin account
- Instruct admin users to record out of the admin account after each session.
- Provide clear guidelines regarding which data can be viewed and downloaded using an administrative account.
- Use a Cloud Access Security Broker (CASB) to monitor admin user actions. A CASB can detect high-risk activities involving sensitive data and identify unauthorized admin account access attempts.
- Immediately shut down admin accounts for administrative users who leave the company.
OneDrive has much to offer any business. It enables users to synchronize data across various devices as well as share files with other users. Unfortunately, OneDrive can also provide hackers with easy access to company files. It is not uncommon for employees to download files from a secure OneDrive account only to save the data on an unsecured cloud account or personal device. To prevent this scenario, companies should clearly mark files that should not be downloaded from the OneDrive account. It is also essential for the IT department to:
- Know what data is being uploaded to and downloaded from OneDrive
- Be aware of which users have access to information
- Know which files or folders have shared links
- Be able to see which devices are being used to access the company’s OneDrive account and pinpoint the geographical location of the devices in question
Protect Email Communications
Every company should use all the tools that Microsoft Office 365 provides to protect the company from email-based threats. The Office 365 Security & Compliance Center enables admin users to block certain types of file attachments that are commonly used for malware or ransomware. It also allows managers to enable Advanced Threat Protection to check email attachments for malware. This protection extends to files in OneDrive, SharePoint and Microsoft Teams, protecting employees who use cloud-based software from breaches.
Furthermore, Office 365 Security & Compliance Center can be used to create an Advanced Threat Protection plan that will stop email phishing attacks
The Office 365 admin center enables IT, professionals, to set up pop-up warnings for employees who are about to download an email attachment. The warning, which clearly states that employees should not open certain types of files from users they do not know as the files may contain malware, can prevent devastating consequences should an employee click on an attachment without thinking. This handy tool also makes it possible for companies to choose which types of files activate a pop-up warning, thus creating an efficient work environment for employees who can freely access safe files without automatically opening ones that could potentially be harmful.
The Office 365 admin center also has tools that can enable companies to disable auto-forwarding for emails. Many hackers who gain access to one company account use this account to automatically forward emails in an attempt to gain access to other user accounts. The emails can be forwarded without the compromised account user being aware of what is going on, making it impossible for him or her to put a stop to the forwarded emails. By disabling auto-forwarding, companies can limit the damage caused should a malicious third party compromise an Office 365 account.
It’s also wise to enable Office Message Encryption. The program is included with Microsoft Office 365 and can be enabled in Outlook for PC. The encrypted email message program allows users to send encrypted emails both inside and outside the organization and it works not only with Outlook but also common email platforms such as Gmail and Yahoo Mail.
Provide Employee Training
An astonishing 95% of all breaches happen due to human error. Busy employees who are unfamiliar with IT guidelines can make deadly mistakes that will cost companies millions of dollars to rectify. Alternatively, many employees who are familiar with IT security procedures may disregard them because they are time-consuming to comply with or because they do not understand the importance of these guidelines in the first place. It is imperative for every single company to provide its workers with comprehensive, ongoing security training to keep systems secure at all times.
What type of training do employees need to fully secure Microsoft Office 365? Following are some important points that should be emphasized:
- Never use personal devices for work-related tasks. It is all too easy for company employees to merge work-related and personal matters. Important company files may be downloaded onto an unsecured personal laptop, which is then unknowingly breached. A personal smartphone containing valuable business data may be stolen, compromising the company by exposing vital data. Additionally, employees should never email company files to their own personal email account. Many employees do this to work on holidays or on the weekends; however, this move exposes company data to hackers who may be able to access a personal Gmail or Yahoo email account with a weak or easy to guess password.
- Work devices should never be used for personal matters such as checking a personal email account or social media site. It is all too easy for employees to compromise a company’s entire network by downloading a malicious attachment from a personal email account or social media site.
- Employees should be taught the right way to communicate with colleagues and superiors. Internal communications should be secure and follow proper protocol to prevent important data from falling into the wrong hands. Employees should also be taught how to spot fake communications ostensibly from management but actually sent by a hacker attempting to access company data.
- Knowing how to back up important data is yet another aspect of employee security training. Data should be backed up regularly yet in a secure manner so that unauthorized third parties cannot access files as they are being copied to or from a cloud server.
- Companies should also create a plan for handling a malware, ransomware, DDoS or any other type of cyberattack. Even the best Microsoft Office 365 security guidelines cannot guarantee that an attack will never occur. Employees should know how to recognize the signs of an attack and what to do to limit the damage.
- New employees will need industry-specific training on how to handle important data. Healthcare companies, for example, will need to ensure that all employees are aware of current HIPAA guidelines regarding patient data privacy. Government entities will need to train employees to handle sensitive or classified information by existing laws and regulations.
Cybercriminals are always on the job, looking for new ways to access company data from Microsoft Office 365 and then misuse this data by offering it for sale on the dark web or demanding a ransom in exchange for returning company files. Given this fact, it is important for businesses to have a plan in place to keep their Microsoft Office 365 accounts secure at all times. The tips mentioned above are an ideal starting point; at the same time, companies will need to customize their approach to Office security to ensure their files remain safe from unauthorized access. It’s also wise to re-examine security guidelines from time to time to ensure that they are still are effective and efficient as they are meant to be.