Securing data is nothing new, but it has become more of a requirement in this digital age. You secure your on-premises Exchange Servers and environment, and the same applies to your Microsoft 365 tenant. While you might think, “It’s in the cloud, it is secure,” you are wrong. Yes, Microsoft has security enabled, but you need to ensure your Microsoft 365 tenant is secure. If you think about it, many phishing attempts happen to financial people, and you need to ensure that these emails are filtered. If a Microsoft 365 user opens an attachment, you have the same kind of security repercussions as you would if you hosted your own servers. Once that malware infects the machine on your network, it spreads like wildfire, and too often, you can find your business crippled by ransomware. Fortunately, with Microsoft 365, there are a few things you can do to bump up your security and ensure that your tenant stays safe. Remember, this is not bulletproof in the sense that nothing will ever happen. You still need to train your users on cybersecurity threats as they are real and happen daily.
Microsoft 365 security center policies
Microsoft 365 now has a security center where you can configure policies. These are:
- ATP safe attachments
- ATP safe links
- Mail filtering (anti-spam)
- Email authentication
Note that not all policies are enabled by default, so you will need to either enable them or customize them to your needs. You can also check your Secure Score as it analyzes your organization’s security. These are not the only things you need to look at. For secure mail, you should also do the following:
- Set up SPF
- Set up DMARC
- Set up DKIM
As far as DKIM setups are concerned, you may need a third party or a person familiar with it to help you with this if you are not sure how to set this up.
We know that mail can get through SPF, but if you have DMARC as the next layer and if it fails there, the mail will be quarantined. DKIM is used to validate outbound email sent from a domain — this would be your domain.
You have the ability to set up transport rules to block .exe files sent to users. Please note that you can use ATP or a third-party tool like FileWall that has its own set of policies to block malicious files. And you can run ATP and FileWall together for extra layers of protection and get even more Microsoft 365 security.
The next thing you can do is enable multifactor authentication (MFA). This is recommended for securing your cloud resources and email. If you enable MFA, you will notice that modern authentication is a prerequisite for this. Modern authentication is enabled by default in SharePoint Online, One Drive for Business, and Office 2016.
When it comes to ransomware and malware, Microsoft provides a layer of protection. Still, you need to note how to recover data from an attack, especially on SharePoint Online. As for documents, look at protecting those with rights management and also look at the data loss prevention feature where you can restrict content saved to SharePoint and OneDrive.
Another area you need to look at securing is Azure Active Directory. You can also use Microsoft 365 cloud app security, which can alert you of anything suspicious, and to give you peace of mind, it takes action on its own, which is great. Just take note you need an E5 license to use this.
We all know that users do not like complex passwords and prefer to use either their name or family name or defaults like Month.123 or Pass.123 or Password123 — you get what I mean. These accounts are the most vulnerable as hackers can launch an attack against it with known passwords, and if they get in, they have full control of the account. If this user account is a global admin, then you have trouble as they can do anything in the organization.
Strong passwords are needed, and normal user accounts and global admins should be split. You should also look at enabling MFA on your user accounts, as mentioned above. You can also protect Microsoft 365 user accounts by implementing an additional layer of security with mobile device management. And you can also teach your users to enhance their security by using message encryption in Microsoft 365.
The next thing you can look at is updates. Who loves doing updates? Nobody! But there are many security fixes and enhancements with each update rolled out.
While having all these security tweaks for Microsoft 365 put into place will make you safer, the biggest win will be the education of your users, directors, execs, and everyone else in your organization. Cyber awareness campaigns teach users what to look out for and show them how a simple mistake, like using a company account on a device, can be the downfall of a business. Everyone makes mistakes, but continuously teaching them will ensure the safety of your tenant and your company data.
Lastly, think about the mobile devices your users use for company mail or other company functions. They may have access to company data like SharePoint online. Users who root their device or jailbreak it are basically giving hackers easy access to absolutely everything. If they download apps from sketchy websites, they may also be getting malware along with the apps. This is when your nightmare as an IT pro starts.
Featured image: Shutterstock