Cloud Security – 8-Step Guide to Securing Microsoft 365

Cloud Security – 8-Step Guide to Securing Microsoft 365

With more businesses making the move to Software as a Service (SaaS) public cloud services, it’s important to understand security is not inherent with Microsoft 365. Like any aspect of IT, if these systems are setup or maintained with security best practices your data will be at risk. Therefore, we put together our 8-step guide to securing Microsoft 365. 

Completing the below steps will make your business data more secure:

1. Setup Multi-Factor Authentication

Enabling multi-factor authentication is one of the easiest and most effective ways to improve the security of your business. It is also included in the price of your Microsoft 365 licence so do not delay. Here is the Microsoft guide on how to configure MFA. 

Enabling MFA will add a second authentication step after entering the correct password, such as using your mobile phone. This means even if a malicious person was trying to gain access to your account with your password, they would not be able to get access.

2. Train Your Staff

According to the 2017 Data Breach Investigations Report, more than 90% of cyber-attacks were traced back to human error. Fostering a risk-aware culture in the workplace is a great way to combat cyber security incidents. Teaching staff about password best practices and how to spot phishing emails is a great start. 

Simulated Phishing Campaigns whereby a fake spam email is sent to everyone in the business and a report is generated, showing which staff require additional cyber awareness training. This will determine your organisation’s current susceptibility to this type of attack, identifying the groups of users most at risk. Allowing you to focus your Cyber Awareness Training on those who need it most.

3. Use dedicated admin accounts

By default when you create a new Microsoft Tenancy a Global Administrator account is made. It is not best practice for this account to be the account used day to day by any staff. Create a dedicated account with a long password with MFA enabled.

4. Enable email encryption for sensitive conversations

Using email encryption for Microsoft 365 means that only intended recipients can view the emails you send. It is recommended to turn this on and set all confidential emails to be encrypted. More information on using Office Message Encryption can be found here.

5. Add external recipient warning in email banners

Adding a warning to the top of emails that originated from outside of your organisation can protect your business from forged emails from malicious hackers attempting to gain access to your data or request that you complete malicious actions.

6. Backup your data

Microsoft 365 enables your business to work anywhere without the need to host your own email, files, and SharePoint infrastructure. 

Even though Microsoft hosts the infrastructure, this does not replace your responsibility to backup business-critical Microsoft 365 data. Having 3rd party backup solutions for your Microsoft 365 data can give you more peace of mind around the long-term security of your data.

7. Setup data loss prevention policies

DLP or Data Loss Prevention policies allow to you define what data should leave your Microsoft tenancy. These policies help administrators maintain and automate rules around how data can be accessed and distributed. Policies create alerts and actions that the system can take if a data loss prevention policy is triggered. For example, if an employee account is trying to share a spreadsheet containing credit card data with an external user, the policy can be set up to automatically warn the user and/or quarantine the file.

8. Run regular security audits on your cloud environment

Auditing your cloud infrastructure including your SaaS configuration on a periodic basis is important. Security threats are always evolving and you need to constantly keep your security ahead of these threats.  

Microsoft includes a tool in the 365 portal which is very helpful in providing on-going health checks and recommendation. It’s called Office 365 Secure Score and you can see more information here – https://docs.microsoft.com/en-us/microsoft-365/security/defender/microsoft-secure-score 

As always, you are not alone in your fight against cybercrime. Please do not hesitate to contact us as we can assist in all aspects of cloud security including completing the above checklist on behalf of your business.