5 Ways to Strengthen Microsoft 365 Security
The value of business data keeps on growing, so as the cost of a data breach and data loss. The amount of threats across the board is expectedly astonishing: malware, brute-force attacks, aka password spraying, insider threats, network vulnerabilities, etc. The number of ways your business-critical data can be compromised and the price you may need to pay for can be unbearable for most companies.
But Microsoft 365 (previously Office 365) is a secure data management suite, you would say? Well, yes and no. Microsoft does give you a ton of options in the form of customizable settings to enhance your data security. Using those adequately will, for sure, protect your data from many widespread threats.
At the same time, though, in their policies, Microsoft states clearly that they are not a backup service for your data, which means they can’t protect it from losses on the same level. If you don’t have a backup service yet, go ahead and learn how Spinbackup protects O365.
In this article, we will help you to foresee the potential risks for your data and the ways you can eliminate them in Microsoft. Most of them can be configured at Microsoft Office 365 Security and Compliance Center (SCC). Let’s dive in!
1. Set up roles and permissions
The central postulate of Microsoft Office 365 Security and Compliance Center is that admins or CISOs grant access to your business data to accredited users only. If the rule is not applied, it can lead to your important data being accessible by any random third-party. Someone can share data that is not encrypted by this rule or make it public, or view and even edit some important document like compliance documents.
By setting permissions, you take control over which data can be accessed by users and what they can and cannot do with it. For example, some important compliance documents can be vied and altered, or even shared, and can compromise your company.
There are three levels of access control:
Permission. It provides a user with the ability to access some specific data, and this access is usually restricted.
Role. The role is wider and includes several permissions. With the role, a user can perform an action or set of actions.
2. Control sensitive information sharing
The more people work in your company, the harder it gets to control user actions and data flow within this company. One of the problems of this lack of control is the possibility of sensitive information being shared within or, which is much worse, outside of the company.
What is sensitive information? Sensitive information is data that provides:
- Personally identifiable information about the person, such as birth date, medical records, and other health information, security number, etc.
- Financial information, like credit card numbers.
To safeguard this type of data from sharing, you can visit the Data Loss Prevention (DLP) section in the Microsoft Compliance Center and customize your DLP policies.
Most of such policies use keywords and checksums to identify such information. But you can define some specific parameters, and the system will use them to identify sensitive information and blocks it from being shared.
3. Backup all your Microsoft 365 data
We probably should have started from here. As we’ve said in the beginning, Microsoft doesn’t back up your data. What does it mean? It means that if someone from your organization has accidentally or intentionally deleted a relevant shared folder on OneDrive, and have done so permanently, you can say goodbye to this folder once and for all.
Of course, there are ways you can get your data back with the help of Microsoft. For example, if you have Enterprise 3 or Enterprise 5 subscriptions, you can reach this folder in the tool called eDiscovery. The thing is, eDiscovery is also not a backup – it is an electronic discovery that is used to obtain and exchange data that can be used as evidence in a legal case.
In terms of data backup and recovery, eDiscovery is not able to restore high volumes of data (which is the main purpose of backup services). If your system is hit by ransomware and, for example, all your Outlook emails are encrypted, eDiscovery won’t help you to restore them, or you will need ages for that.
If you don’t back up your Office 365 yet, read our Microsoft 365 backup guide.
4. Enable multi-factor authentication
Not so long ago, multi-factor authentication (MFA) could be taken into consideration as some extra security. Nowadays, it must be a norm for all companies with no exception. It is a proven fact that passwords are the least reliable protection that can be. Most of them are too short, too simple, or used multiple times for different sites and services.
This all makes it easy to brute-force them and sell them on the dark web or break into your Microsoft 365 environment and leak your business data. It is especially dangerous if we speak about the accounts with administrative rights.
You can turn on this MFA function from the Admin Center by choosing the particular groups, users, or everyone and pressing Set Up near the Multi-factor Authentication.
5. Use ransomware protection
Ransomware is a type of malware that encrypts your data and restricts you from accessing it. To regain access, cyber criminals force you to pay a ransom and promise you that after that, you’ll get the decryption key.
Of course, you are getting this decryption key after paying a ransom that can reach $40-50 000 is not always the case. This is why most cybersecurity experts advise you not to pay the ransom and invest in preventative security measures. Here are some of the main things you can do about it:
- Train your employees. They must know which file or email looks suspicious, so they don’t click on them or don’t provide them with any information or permissions.
- Create a list of executables that threat actors use to spread ransomware and block those file types.
- Update your software regularly. Ransomware can attack your company using unpatched vulnerabilities in your operating system; you may not know about it. To avoid that, companies roll out updates with security patches that cover these vulnerabilities.