With the increase in cyber-attacks in India specially targeting Small and Medium Businesses, it is important to protect your business technology systems, here are 10 ways to secure your Microsoft 365 account. You are reading this as you may have already invested into Microsoft 365 system and on its own the folks there guarantee enough measures to protect your data that lies with them. Having said that, Microsoft has repeatedly reminded its clients that security is an equal responsibility between them and the client.
Microsoft 365 is one of the secure platforms for Email, Communication, Collaboration, Data Protection, Monitoring and Control but It is effective only when you secure it as per best practices defined around your business requirement.
Here are 10 actionable, easy and important steps to improve the security of Microsoft 365 on your own.
This is one of the easiest and most effective method to protect your email and data and increase the security of your organization. Multifactor authentications add another layer of security to your account authentication, in addition to the password. This is like the OTP that you receive on your phone when you do a bank transaction.
Microsoft provides multiple ways for second authentication. You may choose OTP as SMS, or a call from Microsoft for verification of your account or you can use the Microsoft Authenticator App which provides you with a code, which you must enter for access to your account.
The feature is available with every Microsoft 365 subscription, but one must enable it for all the users.
Use dedicated admin accounts!
We have noticed that the Admin account has the highest level of privileges and is the easiest vulnerability to exploit because, either it has been shared with too many people including IT Vendors or used for day-to-day routine work by the IT team. It has become a practice to make the IT Head account as Global admin account. Any compromise with the personal account of this individual would lead to unauthorized access to the company’s critical assets. Make sure that the admin account has:
- Have a dedicated account for Global Admin.
- Enable Multi-factor authentication on Admin ID.
- Use admin ID only on secure system and never on a public system or shared computer.
- Make sure to close unwanted browser sessions and apps, including personal email accounts. Use it in “InPrivate” window to access this account.
- Once you are done with your task, make sure you LOG OUT before closing the browser window. Do not leave the admin login on the system.
Protect your password
Do not use same password on multiple accounts. Use unique password for your Microsoft 365 account. Using same password, even if its strong, keeps your Microsoft 365 ID at risks as any compromise of that password, on other platform, increases the risk on Microsoft 365 account compromise.
One of the key factors which plays very important role in maintaining the security of your organization is the user. That is why User Training is the key element to protect your organization from Cyber-attacks. The training is the key elements other than technology for protection of the organization and information.
- Users should be enrolled for using strong passwords, adapting to multifactor authentication.
- They need to be aware of the recent attacks and how they can identify and protect themselves from such attacks.
Protection against malware in mail
Microsoft 365 provides the default protection against malware for email. You should strengthen it by blocking the file types that are commonly used for malware. This will increase the protection.
This is the scourge that has made organizations lose data, time, and reputation. Once the hackers get access to your network, the trojan encrypts the data that may be impossible to decrypt. Even paying ransom to the hackers (I seriously do not recommend you ever do that), there is no guaranty that you could get your data back. Ransomware spread quickly over the network and attacks any device it can access.
- Here, you can use the power of mail flow rule and block the file extensions that are commonly used. Block the files that contain other malicious code.
- Ransomware can be hidden inside the file macros. So, warn the users on opening such attachments and inform IT department immediately if they have done so.
- Backup up your critical data assets and ensure that they are not in the same network as your primary data.
Use message encryption in Outlook
Office Message Encryption is the default feature that comes with Microsoft 365. It ensures that the emails sent within and outside the organization are encrypted. This allow the message content to be viewed by intended recipients only. This works with popular email platform like Outlook.com, Yahoo!, Gmail and other email services.
Office Message Encryption provides two protection options when sending mail:
- Do not forward
You may also configure additional features like marking the email as Confidential or other labels based on the organization need.
Protection against phishing attacks
Phishing is one of the common methods to target the victim for any attack. You will need to enable the settings that protect your users from targeted phishing. Microsoft Defender for Office 365 will help your organization to protect from malicious phishing attacks. This is primarily recommended if you have configured custom domain in your Microsoft 365 environment.
Another feature called “Safe Links” which is again part of Microsoft 365 Defender for Office 365, verifies the URL in an email to ensure that the URL does not have malicious code hidden inside.
Protect your apps
Ensure that only allowed and verified apps can be installed on the company device. Microsoft 365 provides “Microsoft apps” to access apps in more secure manner. One should also make sure that the all the apps including the operating system are up to date.
Monitoring your Microsoft 365 account
Monitoring…..and…..Monitoring Security is an ongoing process as new viruses and new way of cyber threats keep developing. One should not assume that after deploying a tool (software/hardware) you can protect your organization completely, it’s a myth. Ensure that security is part of your organization’s culture and you must keep evolving. This will only happen when you monitor your Microsoft 365 platform regularly.
- Keep monitoring your security score and keep improving it.
- Check are there any new threats which require protection, if yes then activate it.
- Check if Microsoft has released any new security patch of function or feature, if yes then immediately enable it.
Microsoft 365 provides various features to protect your organization. I have mentioned the 10, you can easily and urgently do. You should implement others too based on your business requirement and the history of your organization to threats. If you have already become victim of any such attacks, then you should follow the given steps immediately.
I can help you to improve the security portal of your Microsoft 365 platform and increase your Security Score. I can also advice on various Microsoft deployment as per the best practise and making it secure.
You can send me your feedback and questions on Nazmeen.firstname.lastname@example.org and follow me on Twitter – @nazmeenansari and LinkedIN – Nazmeen Ansari, CISA | LinkedIn to get my thoughts on Microsoft technologies, Security and other happenings in the Tech World.
You can read my earlier article on Microsoft Defender Advanced Threat Protection here – https://www.matrix3d.com/microsoft-defender-atp-antivirus-endpoint-protection/