The cloud is a safe place to work, and yes, we know you’ve heard otherwise. Cloud collaboration services like Office 365 invest millions of dollars in security upgrades, and their developers continually add enhanced protection in response to a constant stream of new threats.
However, to get the most out of Microsoft’s security capabilities, you must implement some Office 365 security best practices yourself. The range of threats is extensive: a million types of malware, data leaks, and losses take place every minute. So how do you secure Office 365?
As experts in the field of data protection solutions, we want to share the Office 365 security best practices that you should take into account in your work.
Let’s start with your main responsibilities as an administrator in the Office 365 organization. These are the pillars on which you can build security for your company data.
4 Pillars of Your Job as an Office 365 Admin
Cybersecurity is built on the three components of the CIA triad: confidentiality, integrity, and availability. To ensure that the organization protects those components properly, you need security management in place: the procedures, documents, and policies that define the controls you and other employees must implement and follow.
As an administrator, you may need to participate in drafting the security management strategy, put it into practice, and directly control its execution by all employees. Regular dashboard reviews and reports are also part of Office 365 advanced security management.
It is also your responsibility to defend company data against different kinds of malware, ransomware, and brute-force attacks, which always requires some software or management system.
Identity and access management
You must ensure that only authorized users can reach specific information. This requires setting up:
- A type of authentication for users: a password, a fingerprint, or a touchscreen pattern, for example.
- A type of authorization. You must manage what users can and cannot do within their accounts; they can be allowed to perform different kinds of tasks depending on their job responsibilities.
You also have to protect company information from loss and leaks and ensure that it won’t be modified, revealed, or deleted improperly. As an Office 365 admin, data security monitoring is your obligation.
12 must-dos for maximizing the security of your Office 365
This list is built on the four pillars mentioned above and on the best practices our clients use to protect their data. It will help you customize your Office 365 security & compliance settings and, therefore, boost them 10x!
Educate your employees
Human error is a more dangerous threat to your company than cyberattacks. However, in contrast with cyberattacks, human errors can be easily prevented. Therefore, mandatory security awareness training for employees is essential.
When a new employee joins your ranks, they must always undergo security training and pass the test. Only then can they start using company devices and interacting with sensitive data.
Training creates keen security awareness among users and prevents them from making silly mistakes with notorious consequences.
Set up a strong password policy
Brute-force attacks are no joke, especially for big companies, and especially against superior or privileged accounts with access to sensitive information.
The password is the first line of defense. The fewer characters user passwords contain, the easier they are to brute-force.
Your company must set up a password policy with clear rules:
- Passwords must contain at least 8 characters;
- They must mix uppercase letters, lowercase letters, and digits;
- Forbid obvious passwords, for example “asdqwe123”, “abcdefg”, “123456”, “password”, “1111111”, etc. Merely adding some digits or letters to these passwords is not enough either, since password-cracking tools still try those variations;
- Forbid using the same password for multiple accounts and services;
- Implement an expiration policy: passwords must have an expiration date and be changed every 6 months or less.
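As an added illustration (not code from the original post), the checks below encode the policy rules listed above: minimum length, character classes, the banned words named in the post (including variants that merely pad a banned word with extra characters), and the 6-month rotation window. The banned list and the 180-day limit are assumptions derived from the post’s examples.

```python
import re
from datetime import date, timedelta

# Constructed banned list: the obvious passwords named in the post. Any
# candidate that merely wraps one of them in extra letters/digits is also
# rejected, since padding a known weak password does not help.
BANNED_CORES = ("asdqwe123", "abcdefg", "123456", "password", "1111111")

MIN_LENGTH = 8
MAX_AGE_DAYS = 180  # assumption: "every 6 months or less" taken as 180 days


def check_password(candidate: str) -> list:
    """Return the policy rules the candidate violates (empty list = compliant)."""
    problems = []
    if len(candidate) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not re.search(r"[A-Z]", candidate):
        problems.append("no uppercase letter")
    if not re.search(r"[a-z]", candidate):
        problems.append("no lowercase letter")
    if not re.search(r"[0-9]", candidate):
        problems.append("no digit")
    lowered = candidate.lower()
    for core in BANNED_CORES:
        # Substring match catches "Password1" and "xxabcdefg99" as well as
        # the bare banned word.
        if core in lowered:
            problems.append(f"contains banned pattern '{core}'")
            break
    return problems


def password_expired(last_changed: date, today: date) -> bool:
    """True when the password is older than the rotation window."""
    return today - last_changed > timedelta(days=MAX_AGE_DAYS)
```

Reuse across accounts cannot be checked locally; it has to be enforced against the organization’s own history of previously used credentials.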
Use multi-factor authentication
No matter how good your password is, it is still not enough for proper protection. By enforcing multi-factor authentication, you configure the system to perform another check before logging a user in. You can authenticate users with a phone call that requires them to press a digit to confirm the login, or with a text message containing a one-time code the user must type into a field. This makes access almost 100% secure.
Encrypt Office Messages
If you are like everyone else, you probably use email to exchange sensitive information: a contract, payment details, marketing plans, confidential data about your product.
As a result, your mailbox eventually turns into a store of highly valuable data. This makes your mailboxes a desirable target for cybercriminals and creates a massive risk in the case of misdelivery.
Office 365 has many built-in security features, and encryption is one of them. You can easily configure the conditions for encryption. For example, you can encrypt all messages to a specific person, or all messages that contain certain words. You can also forbid copying or printing these messages.
To read such a message, the recipient must be signed in to Outlook. If they use another email platform such as Gmail, they receive a notification with a link in it. They need to click it and either sign in to their Office account or request a one-time passcode to read the email.
Configure Rights Management
To ensure that only intended users can open and modify certain documents, you need to configure document sharing settings. These settings encrypt documents and protect them from outside interference. It works the same way as with Google documents: you select a user or a group of users and allow them either to read only, or to read and change, specific files.
In this case, even if you accidentally misdeliver the document to the wrong users, they won’t be able to read or change it. You can also revoke access to files remotely, which gives you full control over the documents.
But note that shared documents can still be deleted or infected with malware. The user account with management rights can be brute-forced by cybercriminals, or a departing employee may have malicious intentions. So you must always have your company data backed up beforehand to avoid trouble!
Control your Security Score
Microsoft publishes its own security baseline for businesses. To measure whether your company meets those basic security requirements, you can use its built-in analytics tool, Microsoft Secure Score.
It analyzes the protection state of your data, apps, infrastructure, and devices, and suggests how you can improve security.
Enforce ransomware protection
Ransomware encrypts your files and demands money in exchange for access to them. You can ‘catch’ ransomware by clicking on the wrong link or opening an infected attachment in your email.
But you can reduce the chance of catching ransomware by setting up mail flow rules for the specific file types commonly used to hide it. You need to create three rules:
- Warning rule. The security system warns users when an email contains attachments with macros, which are often used to hide ransomware. Microsoft warns users not to open such attachments from unknown people, but they are still able to open those files from people they know.
- Blocking rule. If your organization doesn’t use certain file formats, you can block them altogether. Here is a list of the file formats that can potentially contain ransomware:
- Automated daily backup to trusted storage. Backing up your data will save you lots of time and money compared with buying your data back from cybercriminals.
Manage Data on Corporate devices
We all use our smartphones for work. Whether your employees need to check Outlook or edit an Excel spreadsheet, they may use their phones or tablets for the purpose.
To let your employees use their devices for work while keeping the process secure, you need to register all employees’ devices as ‘Corporate compliant’. You are then able to manage access, see changes, and remove access to corporate data if needed.
Detect Suspicious Activity and Risky Apps with Cloud App Security For Office 365
This tool helps you monitor data migration, detect abnormal behavior, catch sharing of sensitive data, and assess whether your cloud apps meet relevant compliance requirements. You can define a policy that alerts you to any suspicious user activity or cyber threat affecting your Office 365 cloud app security.
Set Up Active Directory
You can use Active Directory to detect and block any attempt to access data from an unusual place. Let’s say your assistant always works from the office in Chicago, but suddenly she is trying to reach corporate data from London. You can configure settings to notify you every time something similar happens, so that you can block the unusual access attempt.
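The Chicago/London scenario above, as an added example that is not part of the original post: a per-user baseline of sign-in locations is built from past sign-ins, and any new sign-in from a city outside that baseline is flagged for review. The sign-in records, user names and cities are constructed for the illustration; in Office 365 the equivalent signal comes from the service’s own sign-in logs.

```python
from collections import defaultdict

# Constructed history in the shape of a simplified sign-in export:
# (timestamp, user, city). Not real data.
HISTORY = [
    ("2021-03-01T08:02", "assistant@example.com", "Chicago"),
    ("2021-03-02T08:10", "assistant@example.com", "Chicago"),
    ("2021-03-03T07:58", "assistant@example.com", "Chicago"),
    ("2021-03-01T09:00", "sales@example.com", "Denver"),
    ("2021-03-02T09:05", "sales@example.com", "Denver"),
]

# Constructed batch of new sign-ins to evaluate against the baseline.
NEW_SIGN_INS = [
    ("2021-03-04T09:15", "assistant@example.com", "London"),
    ("2021-03-04T09:20", "sales@example.com", "Denver"),
]


def build_baseline(records, min_sightings=2):
    """Map each user to the set of cities seen at least min_sightings times.

    Requiring more than one sighting keeps a single odd sign-in from
    silently becoming part of the user's 'normal' locations.
    """
    counts = defaultdict(lambda: defaultdict(int))
    for _, user, city in records:
        counts[user][city] += 1
    return {
        user: {city for city, n in cities.items() if n >= min_sightings}
        for user, cities in counts.items()
    }


def flag_unusual_locations(records, baseline):
    """Return the (timestamp, user, city) sign-ins outside the user's baseline.

    Users with no established baseline yet are not flagged; a separate
    onboarding review should cover them.
    """
    alerts = []
    for ts, user, city in records:
        known = baseline.get(user, set())
        if known and city not in known:
            alerts.append((ts, user, city))
    return alerts
```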
Restrict OneDrive for Business Sync
Your employees may need to synchronize their OneDrive files with their computers. This enhances mobility and lets them work on their documents wherever it is convenient for them. To do so, they can use OneDrive for Business Sync. It is part of Office 365, but you can also install it as a stand-alone client.
As an administrator, you can determine on which devices this app is allowed to synchronize. Only authorized users must be able to synchronize their local computer with OneDrive for Business. To guarantee this, set up the restriction that allows synchronization only for users joined to your domain.
Save all data
As you can see from all of the above, there are tons of threats to your data. Even if you do everything right, something outside the intended scenario can always take place. So, last but not least: always be prepared, which means backing up all data beforehand.
Unfortunately, the ability to back up your data is included only in the Office 365 Enterprise E3 subscription, which costs $20 per user per month. This means there are no backup options for small and medium businesses.
This is why our clients opt to use third-party services like Spinbackup to save their data. These services protect them with:
- Automated daily backup to an unlimited secure cloud storage
- Accurate point-in-time restore of data using the same hierarchy of folders
- Centralized admin panel to monitor the status of all data
- Ability to migrate data from one O365 account to another
- Weekly reports and fast search for your backed-up items.