Microsoft 365 (formerly Office 365) is one of the most used software packages in the world. Now with the latest cloud technology integrated directly within users’ favorite Microsoft word processing and business apps, new features for online cloud storage—including automatic backups, easy collaboration between staff and added security—the Microsoft 365 productivity suite is more powerful than every before.
However, like all new technologies, Microsoft 365 is not without its new vulnerabilities. Cloud-based technologies have unique security concerns that need to be understood and taken into account by both IT providers and their customers, such as data being accessed from anywhere and, thanks to the cloud’s remote nature, susceptible to unauthorized access.
A recent study has shown that 71.4% of enterprise Microsoft 365 accounts have, at least, one compromised user each month. This includes accounts with unrevoked privileges (49.5%), ex-employees still having unauthorized access as well as malicious threats from outside the system. This therefore begs the question:
How secure is Microsoft 365?
Very secure. Microsoft has spent nearly a billion dollars on securing their flagship product in the last year. Additionally, now with integrated cloud technologies, Microsoft is also providing a fleet of new security solutions, such as email encryption and threat protection. Plus, the physical data centers which store the raw data are highly secure, with biometric scanners for entry, unknown locations (but still located in the client’s region) and the workers themselves unable to access the data (known as ‘Role Separation’).
As more companies take full advantage of Microsoft 365’s powerful offerings and are moving their data to the cloud, the role of an MSP (Managed Service Provider) is to stay constantly informed on the key best practices to manage the security of their 365 networks and ensure that client data remains secure.
Remove redundant account privileges
As mentioned previously, 49.5% of all unauthorized access is caused by a user having account privileges that are significantly higher than what is necessary. This might be an intern having admin access to delete folders or a graphic designer being able to access financial data in the cloud. A full audit of the Microsoft 365 user base should be necessary every six months, with the highest privilege only available to the MSP.
Revoke ex-employee access
When an employee has their contract suddenly terminated, there is a possibility they might (either consciously or unconsciously) sabotage files. An ex-employee might not be malicious at all, but in cleaning up their space accidentally decide to delete critical files that are shared through the cloud. They might also remove client emails, documents, calendars and more, which thanks to Microsoft 365, is synced throughout the network, to the cloud and might be critical for other departments. MSP’s and IT managers are advised to manage access for these scenarios and ensure any ‘no longer active’ accounts are archived when an employee leaves. A common mistake is that many firms may keep an old profile active ‘just in case’ they need to access the data when they should have proper processes to archive and restrict said data.
Additionally, this principle would also include having a unique login for each employee. Even large firms have been guilty of having one default password for their entire network, which an employee can easily remember before and after they leave the firm. This leads nicely to the next point about passwords…
Avoid having a password file
All the encryption in the world will not matter if a user has access to a password. There has been a recent increase in the number of people having all of their passwords, including their Microsoft 365 cloud passwords, in an unprotected text file on their server and computer. In some situations, the file is even called ‘passwords’. This is the first place that a hacker will look when gaining access to your system. The easy solution is to simply not have an unencrypted password file or any file at all.
Enable multi-factor authentication
A quick way to ensure better security is to enable the included multi-factor authentication that is provided by Microsoft 365. This service asks a user not just for a password, but to enter a special code that is sent to a mobile device (or another method nominated by the MSP). This is very popular for financial firms or when connecting to a sensitive system.
Backup sensitive data offline
To prevent data from being deleted accidentally or tampered with maliciously (such as with a Ransomware virus that encrypts your data and only gives you a key to retrieve it if you pay the hackers), it’s worthwhile to have an offline backup of your sensitive data. This is a failsafe measure just in case the cloud is compromised, or a user accidentally deletes a critical project and should be a cornerstone of a data recovery plan.
Use OneDrive for Business’s per-file encryption
Microsoft 365’s OneDrive for Business offers per-file encryption, not just encrypting all of the files on the server with one key. This means that all data can be separately encrypted and that if a malicious actor got hold of one of the system passwords, they would not be able to access all the files (apart from one).
How Office Protect can help
One of the best ways to protect your files, system, and access to Microsoft 365 is the use of a security platform, such as Sherweb’s in-house solution, Office Protect. Office Protect is a proactive Microsoft 365 solution that integrates into your Microsoft 365 network to prevent all the above threats and ensure simple security management for MSPs and IT managers.
Office Protect provides Microsoft 365 tenants with comprehensive, useful features such as:
- Alerts when a foreign or unknown IP access the Microsoft 365 network, so you are instantly alerted when someone unauthorized accesses the network. If the IP address is set to the office that the users work from, then any external access will be instantly noted, despite the fact that Microsoft 365 is operating from a cloud.
- Admin abuse detection. This is great for finding users with unnecessary admin privileges or when a user accidentally starts deleting files.
- Alerts for suspicious mailbox activities (Such as spam virus emailing the entire database).
- Proficient data logging on all accounts to monitor activity (But without compromising privacy).
- Tools to make it easy to set sweeping changes to user rights and access permissions throughout an MSPs whole Microsoft 365 network.
- A single pane dashboard to break down complex user data into simple security information, to inform and educate quickly.
- User access data can be exported easily to PDF or CSV for data analytics.
- Reports that can be automated into a daily or weekly format, especially useful for reporting to clients or senior management teams.
Thanks to Microsoft’s continued investment into data security and to solutions like Office Protect, Microsoft 365 continues to be a preferred and secure service to use across all industries.