10 Tips to Help Secure Your Microsoft 365 Environment
Not all plans are created equal, you get what you pay for, pick your adage. But don't underestimate the importance of maintaining a strong and robust cybersecurity posture for your digital environment by using every tool at your disposal. With so many organizations and businesses relying on Microsoft 365 Business (Standard or Premium) for their daily work, your team here at GDF wanted to share some tips on how best to secure your Microsoft 365 tenant against the constant onslaught of ever-evolving cyber threats that make up today's digital reality. Where a tip depends on the Premium plan (or on the Microsoft Defender for Office 365 Plan 1 and Microsoft Entra ID P1 licenses it includes), we say so.
1: Set up Two-Factor Authentication
As far as easy and effective goes, setting up Two-Factor Authentication (2FA, which Microsoft calls multi-factor authentication or MFA) should be priority number one. Once MFA is enabled, signing in requires a second proof in addition to the password: an approval in the Microsoft Authenticator app, a one-time code, or a hardware security key. An attacker may have obtained your username and password by stealing them or buying them from other criminals on the Dark Web, but ALSO having control of your phone or key at the moment of login is a much higher hurdle to clear right off the bat. Two caveats: prefer the Authenticator app (with number matching) or a FIDO2 security key over SMS codes, which can be intercepted through SIM swapping, and brief users on MFA-fatigue attacks, where an attacker who has the password spams approval prompts hoping someone taps Approve to make them stop. In Microsoft 365 Business Standard, the quickest route is turning on Security Defaults in Microsoft Entra ID, which requires every user to register for MFA and blocks legacy authentication protocols that cannot perform it. Business Premium includes Entra ID P1, so you can use Conditional Access policies instead for finer control over who must use MFA, from where, and for which apps. MFA is by no means exclusive to Microsoft 365, so use it wherever possible on your other accounts as well.
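The Conditional Access route described above, as an added example for this article (not Microsoft's or GDF's own script): it creates a tenant-wide "require MFA" policy in report-only mode and refuses to proceed if Security Defaults are still on. It assumes Microsoft 365 Business Premium (Entra ID P1), the Microsoft.Graph PowerShell SDK, a role that can edit Conditional Access policies, and a group named "BreakGlass-Exclude" containing your emergency-access accounts; that group name is an assumption.

```powershell
# Added example (not from the original article): a Conditional Access policy that requires
# MFA for every user and application, created in report-only mode first. Assumes Microsoft
# 365 Business Premium (Entra ID P1), the Microsoft.Graph PowerShell SDK, and a role able
# to edit Conditional Access policies. "BreakGlass-Exclude" is an assumed group name.
Connect-MgGraph -Scopes "Policy.Read.All","Policy.ReadWrite.ConditionalAccess","Application.Read.All","Group.Read.All"

# Conditional Access and Security Defaults are mutually exclusive. Business Standard
# tenants stop here and simply keep Security Defaults on.
$defaults = Get-MgPolicyIdentitySecurityDefaultEnforcementPolicy
if ($defaults.IsEnabled) {
    throw "Security Defaults are enabled; disable them in the Entra admin center before creating Conditional Access policies."
}

# Emergency-access accounts must never be caught by a policy that can lock you out.
$breakGlass = Get-MgGroup -Filter "displayName eq 'BreakGlass-Exclude'"
if (-not $breakGlass) { throw "Create the break-glass group before enforcing MFA tenant-wide." }

$policy = @{
    displayName   = "Require MFA for all users"
    # Report-only: the sign-in logs show what would have happened. Switch to "enabled"
    # once the logs show no legitimate user or service account would be blocked.
    state         = "enabledForReportingButNotEnforced"
    conditions    = @{
        users          = @{
            includeUsers  = @("All")
            excludeGroups = @($breakGlass.Id)
        }
        applications   = @{ includeApplications = @("All") }
        clientAppTypes = @("all")
    }
    grantControls = @{
        operator        = "OR"
        builtInControls = @("mfa")
    }
}
$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
"Created policy $($created.Id) in state $($created.State)"
```

Report-only mode is deliberate: a policy that fails closed on a service account or a conference-room device is a self-inflicted outage, and the sign-in logs will show you exactly which logins would have been challenged before you flip the state to "enabled".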
2: Train, Rinse, Repeat
Here at GDF, we've responded to a lot of cyber emergencies over the last two-plus decades. One frustrating constant over all that time is the events that could have been avoided entirely if a user had better awareness, especially of how to identify and respond to phishing and spear-phishing attacks, the initial entry point in the vast majority of the most costly and damaging cyber attacks. Training should also cover password practices, the security policies and features in use across the organization, mobile device security, and how to report something suspicious quickly, since a fast report is what turns a near miss into a contained incident. Meetings, posters, and other reminders are also greatly beneficial, because regularity and consistency help raise and maintain everyone's awareness, including at home (and yes, bad practices at home can bleed over to affect organizational security).
3: Dedicated Admin Accounts for Admins Only
One of the foundational tenets of cybersecurity is the Principle of Least Privilege (PoLP). Simply put, it means giving users only the minimum level of access (or permissions) needed to perform their job functions. Microsoft 365 is no different. Administrator (Admin) privileges are prime targets for hackers, coveted like a skeleton key that can unlock full control of the tenant. Admin accounts should be used only by administrators, and only when performing actual administrative duties; those administrators should have a separate, unprivileged account for email and day-to-day work. In practice that means the admin account has no mailbox (so it cannot be phished directly), is protected by MFA, holds the narrowest role that fits the task (Exchange Administrator rather than Global Administrator, for example), and the number of Global Administrators is kept small; Microsoft recommends fewer than five. Keep at least one dedicated emergency-access ("break glass") account, excluded from Conditional Access policies and stored securely, so a misconfigured policy or a lost MFA device cannot lock you out of your own tenant. It's easy to set up accounts and assign roles in the Microsoft 365 admin center.
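A quick audit of that rule, as an added example for this article (not GDF's or Microsoft's own tooling): it lists every Global Administrator and flags any that also carry a mailbox, the usual sign that an admin account doubles as someone's daily account. It assumes the Microsoft.Graph and ExchangeOnlineManagement modules and a role that can read directory roles and mailboxes.

```powershell
# Added example (not from the original article): audit who holds Global Administrator
# and flag admin accounts that also carry a mailbox (a sign they double as daily-use accounts).
# Assumes the Microsoft.Graph and ExchangeOnlineManagement modules and a read-capable admin role.
Connect-MgGraph -Scopes "RoleManagement.Read.Directory","User.Read.All"
Connect-ExchangeOnline -ShowBanner:$false

# Resolve the Global Administrator role by its well-known template ID rather than its
# display name, which can be localised.
$role    = Get-MgDirectoryRole -Filter "roleTemplateId eq '62e90394-69f5-4237-9190-012177145e10'"
$members = @(Get-MgDirectoryRoleMember -DirectoryRoleId $role.Id -All)

$report = foreach ($m in $members) {
    # Role members can also be groups or service principals; skip anything that is not a user.
    $user = Get-MgUser -UserId $m.Id -Property UserPrincipalName,AccountEnabled -ErrorAction SilentlyContinue
    if (-not $user) { continue }
    $mailbox = Get-Mailbox -Identity $user.UserPrincipalName -ErrorAction SilentlyContinue
    [pscustomobject]@{
        UserPrincipalName = $user.UserPrincipalName
        Enabled           = $user.AccountEnabled
        HasMailbox        = [bool]$mailbox
        Finding           = if ($mailbox) { "Admin account with mailbox: move daily work to a separate account" } else { "OK" }
    }
}

$report | Format-Table -AutoSize
if ($members.Count -ge 5) {
    Write-Warning "$($members.Count) Global Administrators; Microsoft recommends fewer than five."
}
```

Run this on a schedule and diff the output: a new name appearing in the Global Administrator list that nobody can account for is one of the highest-fidelity alerts you can get in a small tenant.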
4: Adjust Your Protection Level Against Malware in Email
Microsoft 365 also includes fundamental protection against malware in email (Exchange Online Protection), and its anti-malware policy is adjustable. You can increase protection by turning on the common attachments filter, which blocks attachments with file types commonly used to deliver malware, such as executables, scripts and installer packages, and by keeping zero-hour auto purge (ZAP) enabled so that a message later identified as malware is pulled back out of mailboxes even after it has been delivered. Here is a link to a short video by Microsoft to show you how.
5: Ransomware Protection
One of the greatest threats to organizations is ransomware, especially when coupled with the most reliable attack vector available to attackers: targeting the human element. It's the easiest way around even the most robust security measures. It's cheap and massively successful, making it an ROI winner for criminals all over the planet, and they thrive on the path of least resistance. But make no mistake about it: if a ransomware attack succeeds, you are left with one of two options. You either restore your systems from a clean backup (assuming you still have one the attackers could not reach, which is why backups should be kept offline or immutable and restore-tested), or you pay and pray the attacker holds up their end of the deal and hands over the decryption key. Trying to break the encryption is a fool's errand. Modern ransomware uses the same standard algorithms that protect online banking, and brute-forcing those keys is computationally infeasible with any foreseeable hardware; the rare free decryptors that exist work only because a particular gang botched its implementation.
With Microsoft 365, you can create mail flow rules that block attachments with file extensions commonly used to deliver ransomware and other malicious code. If outright blocking is too disruptive, you can at least set up a rule that prepends a warning telling the user to proceed with caution when a message carries a potentially dangerous attachment, such as a macro-enabled Office file (.docm, .xlsm and similar), since macros remain a common way to launch the first stage of an attack. Microsoft's threat intelligence feeds the malware filters behind these rules and is updated continuously, but the rules themselves only enforce what you configure.
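Tips 4 and 5 together, as an added example for this article (not GDF's or Microsoft's own script): the common attachments filter and ZAP on the default anti-malware policy, a mail flow rule that rejects anything Exchange identifies as executable content regardless of its extension, and a warning rule for macro-enabled Office files. It assumes the ExchangeOnlineManagement module and the Exchange Administrator role; the extension lists are a starting point, not Microsoft's defaults.

```powershell
# Added example (not from the original article) covering tips 4 and 5: tighten the
# default anti-malware policy and add two mail flow rules for risky attachments.
# Assumes the ExchangeOnlineManagement module and the Exchange Administrator role.
Connect-ExchangeOnline -ShowBanner:$false

# Tip 4: common attachments filter plus zero-hour auto purge. The extension list is a
# starting point; trim it to what your business genuinely needs to receive.
$blockedTypes = @("exe","scr","pif","com","bat","cmd","vbs","vbe","js","jse","wsf","wsh",
                  "ps1","msi","jar","hta","iso","img","lnk","cpl","reg")
Set-MalwareFilterPolicy -Identity Default -EnableFileFilter $true -FileTypes $blockedTypes -ZapEnabled $true

# Tip 5a: reject executables even when renamed. AttachmentHasExecutableContent inspects the
# file itself, so invoice.pdf that is really an .exe is caught; the extension filter above is not.
New-TransportRule -Name "Block executable attachment content" `
    -AttachmentHasExecutableContent $true `
    -RejectMessageReasonText "Executable attachments are not permitted by policy. Ask the sender for an alternative format." `
    -RejectMessageEnhancedStatusCode "5.7.1"

# Tip 5b: warn rather than block on macro-enabled Office documents from outside the organization.
$macroTypes = @("docm","dotm","xlsm","xltm","xlam","xla","xll","pptm","potm","ppam","ppsm","sldm")
New-TransportRule -Name "Warn on macro-enabled Office attachments" `
    -FromScope NotInOrganization `
    -AttachmentExtensionMatchesWords $macroTypes `
    -PrependSubject "[CAUTION: macros] " `
    -ApplyHtmlDisclaimerLocation Prepend `
    -ApplyHtmlDisclaimerFallbackAction Wrap `
    -ApplyHtmlDisclaimerText "<p style='color:red'>This message from outside the organization contains a macro-enabled Office file. Do not enable content unless you expected this file and have verified the sender by another channel.</p>"
```

The reject rule returns a 5.7.1 bounce so a legitimate sender learns immediately why the message failed; the warning rule uses Wrap as its fallback so the banner is still delivered when the original message cannot be modified in place.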
6: Stop Email Auto-Forwarding
A hacker with access to a user's mailbox is a dangerous beast. They can glean a lot of valuable information by monitoring mail: how the user communicates with clients, how funds are transferred and arranged, or even idiosyncrasies that help them pose convincingly as the user in a spear-phishing or invoice-fraud scam. The easiest way for a hacker to keep that feed flowing, even after the password is changed, is to configure the mailbox to forward mail to an external address, typically through an inbox rule that forwards or redirects messages and then deletes or hides the copies, so the user never becomes aware it's happening. Microsoft 365 gives you two controls here: the outbound spam policy's automatic forwarding setting (Off rejects all auto-forwarded mail to external domains and has been the effective default since 2020), and a mail flow rule that rejects auto-forwarded messages sent outside the organization. Pair either one with a periodic review of mailbox forwarding settings and inbox rules, because forwarding that is already in place is exactly what an incident responder looks for first.
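Both controls plus the review, as an added example for this article (not GDF's or Microsoft's own script). It assumes the ExchangeOnlineManagement module and the Exchange Administrator role.

```powershell
# Added example (not from the original article): block automatic forwarding to external
# domains and hunt for forwarding that is already configured. Assumes the
# ExchangeOnlineManagement module and the Exchange Administrator role.
Connect-ExchangeOnline -ShowBanner:$false

# Prevention 1: the outbound spam policy. "Off" rejects auto-forwarded mail to external
# recipients tenant-wide; "Automatic" (Microsoft's default) currently behaves like Off,
# but setting it explicitly removes the ambiguity.
Set-HostedOutboundSpamFilterPolicy -Identity Default -AutoForwardingMode Off

# Prevention 2: a mail flow rule, handy when you need exceptions for specific mailboxes.
New-TransportRule -Name "Reject external auto-forward" `
    -FromScope InOrganization -SentToScope NotInOrganization `
    -MessageTypeMatches AutoForward `
    -RejectMessageReasonText "Automatic forwarding to external addresses is not permitted." `
    -RejectMessageEnhancedStatusCode "5.7.1"

# Detection 1: mailbox-level forwarding set by an admin or through Outlook on the web settings.
Get-Mailbox -ResultSize Unlimited |
    Where-Object { $_.ForwardingSmtpAddress -or $_.ForwardingAddress } |
    Select-Object UserPrincipalName, ForwardingSmtpAddress, ForwardingAddress, DeliverToMailboxAndForward

# Detection 2: inbox rules that forward, redirect, delete or file mail away. Not every hit is
# malicious (people do file newsletters), but forward-and-delete to an outside address is the
# classic business email compromise pattern. -IncludeHidden surfaces rules created via MAPI
# that do not appear in Outlook's rule list.
foreach ($mbx in Get-Mailbox -ResultSize Unlimited) {
    Get-InboxRule -Mailbox $mbx.UserPrincipalName -IncludeHidden -ErrorAction SilentlyContinue |
        Where-Object { $_.ForwardTo -or $_.ForwardAsAttachmentTo -or $_.RedirectTo -or $_.DeleteMessage -or $_.MoveToFolder } |
        Select-Object @{n='Mailbox';e={$mbx.UserPrincipalName}}, Name, Enabled, ForwardTo, RedirectTo, DeleteMessage, MoveToFolder
}
```

Keep the detection output from the first run as a baseline; in an investigation, what matters is which rules are new, and who created them, which the unified audit log (MailboxLogin, New-InboxRule and Set-InboxRule events) can tell you.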
7: Use Office Message Encryption
To this point, every feature mentioned is available in Microsoft 365 Business Standard, but this is where Microsoft 365 Business Premium really starts to separate itself on the cybersecurity front. Office Message Encryption (now called Microsoft Purview Message Encryption) is included with Microsoft 365 Business Premium and is set up by default. It allows your organization to send and receive encrypted email messages between people inside and outside your organization. It works not only with Outlook but also with Gmail, Yahoo! and other email services; external recipients read the message in a web portal after signing in or entering a one-time passcode. An encrypted message means only the intended recipients can view its content, even if it is forwarded on or a copy is lifted from an intermediate mail server, and the Do Not Forward option additionally stops the recipient from forwarding, printing or copying it. Two caveats: it does nothing once the recipient's own account is compromised, and users will not click Encrypt reliably by hand, so the sensible approach is a mail flow rule that applies encryption automatically to outbound mail containing sensitive content.
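That automatic approach, as an added example for this article (not GDF's or Microsoft's own script): one rule encrypts outbound mail that a built-in sensitive information type flags, and a second lets users opt in with a subject keyword. It assumes Business Premium (Microsoft Purview Message Encryption) and the ExchangeOnlineManagement module; the U.S. Social Security Number classifier and the "[SECURE]" keyword are placeholders for whatever your business actually handles.

```powershell
# Added example (not from the original article): enforce message encryption with mail
# flow rules instead of relying on each sender to click Encrypt. Assumes Business Premium
# (Microsoft Purview Message Encryption) and the ExchangeOnlineManagement module.
Connect-ExchangeOnline -ShowBanner:$false

# Verify the feature is active before building rules on it.
$irm = Get-IRMConfiguration
if (-not $irm.AzureRMSLicensingEnabled) {
    throw "Azure Rights Management is not enabled for this tenant; enable it before using message encryption."
}

# Rule 1: outbound mail matching a sensitive information type (here the built-in U.S. SSN
# classifier, a placeholder for the types you handle) gets the "Encrypt" template, which
# external recipients open via the OME portal or a one-time passcode.
New-TransportRule -Name "Encrypt outbound mail containing SSNs" `
    -SentToScope NotInOrganization `
    -MessageContainsDataClassifications @{Name="U.S. Social Security Number (SSN)"; minCount="1"} `
    -ApplyRightsProtectionTemplate "Encrypt"

# Rule 2: user opt-in by subject keyword. "Do Not Forward" also blocks forwarding,
# printing and copying on the recipient's side.
New-TransportRule -Name "Do Not Forward on request" `
    -SentToScope NotInOrganization `
    -SubjectContainsWords "[SECURE]" `
    -ApplyRightsProtectionTemplate "Do Not Forward"
```

Test each rule with a message to an external consumer mailbox before announcing it: the first time a customer meets the passcode portal should not be when an invoice is due.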
8: Protect your email from phishing attacks
For those of you who've configured one or more custom domains in your Microsoft 365 environment, this one's for you. Basic anti-phishing protection (spoof intelligence) is part of Exchange Online Protection in every plan, but Microsoft 365 Business Premium adds Microsoft Defender for Office 365 Plan 1, and with it targeted anti-phishing protection: impersonation protection for named users and for your domains, mailbox intelligence that learns who each user normally corresponds with and flags senders pretending to be one of them, and safety tips that warn the reader on first contact or when a sender's name or domain is a look-alike.
We recommend getting started with this protection by creating a policy that covers your most important users (executives, finance staff, anyone who can approve a payment) and your custom domain, with the impersonation actions set to quarantine rather than merely tag, and scoping it to all recipients in that domain. Here is a link to another short video by Microsoft to show you how.
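That starting policy, as an added example for this article (not GDF's or Microsoft's own script). It assumes Defender for Office 365 Plan 1 (included in Business Premium) and the ExchangeOnlineManagement module; contoso.com, contoso-partner.example and the two named users are placeholders for your own domain, a trusted partner domain worth protecting, and your own staff.

```powershell
# Added example (not from the original article): a targeted anti-phishing policy for the
# people and domains most likely to be impersonated. Assumes Defender for Office 365
# Plan 1 (in Business Premium) and the ExchangeOnlineManagement module.
# contoso.com, contoso-partner.example and the named users are placeholders.
Connect-ExchangeOnline -ShowBanner:$false

New-AntiPhishPolicy -Name "Exec and domain impersonation" `
    -Enabled $true `
    -PhishThresholdLevel 2 `
    -EnableTargetedUserProtection $true `
    -TargetedUsersToProtect "Jane Doe;jane.doe@contoso.com","Raj Patel;raj.patel@contoso.com" `
    -TargetedUserProtectionAction Quarantine `
    -EnableOrganizationDomainsProtection $true `
    -EnableTargetedDomainsProtection $true `
    -TargetedDomainsToProtect "contoso-partner.example" `
    -TargetedDomainProtectionAction Quarantine `
    -EnableMailboxIntelligence $true `
    -EnableMailboxIntelligenceProtection $true `
    -MailboxIntelligenceProtectionAction MoveToJmf `
    -EnableSpoofIntelligence $true `
    -AuthenticationFailAction MoveToJmf `
    -EnableFirstContactSafetyTips $true `
    -EnableSimilarUsersSafetyTips $true `
    -EnableSimilarDomainsSafetyTips $true `
    -EnableUnusualCharactersSafetyTips $true

# A policy does nothing until a rule scopes it to recipients.
New-AntiPhishRule -Name "Exec and domain impersonation" `
    -AntiPhishPolicy "Exec and domain impersonation" `
    -RecipientDomainIs "contoso.com" `
    -Priority 0
```

Display-name impersonation (TargetedUsersToProtect takes "Display Name;address" pairs) is quarantined outright because there is almost never a legitimate external sender using your CEO's name, whereas mailbox-intelligence and authentication-failure hits go to Junk first because they produce more false positives while the model learns.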
9: Safe Attachments – Protect Against Malicious Attachments and Files
Email attachments can be as dangerous to an organization as they are vital to the functionality of daily operations. Documents, spreadsheets, presentations, they can all be essential, but it's not always easy to tell with the naked eye whether the attachment you just received is malicious. Fortunately, Microsoft 365 Business Premium offers a feature called Safe Attachments. Also part of Microsoft Defender for Office 365, Safe Attachments takes a much closer look under the hood: where the standard anti-malware filter matches known signatures, Safe Attachments opens the file in a sandbox and watches what it does, which is how it catches malware nobody has seen before. But, and it's a big but, in older tenants it is not turned on until you create a Safe Attachments policy (here is the Microsoft video to show you how). Newer tenants get a baseline from the Built-in protection preset policy, but a custom policy is still what lets you choose the action (Block, or Dynamic Delivery, which delivers the message body while the attachment is still being scanned) and where quarantined files go. Note that this email policy covers mail only; protection for files in Microsoft Teams, OneDrive and SharePoint is a separate, tenant-wide setting ("Safe Attachments for SharePoint, OneDrive, and Microsoft Teams") that also needs to be switched on. And once again, Microsoft's threat intelligence keeps the detonation environment current against the newest known threats as well as the old.
10: Safe Links - Protect Against Phishing Attacks
Hackers often hide malicious websites behind links in email or other files, and a link that was harmless when the message was delivered can be weaponized afterwards, once it has already passed the filters. Safe Links, part of Microsoft Defender for Office 365, can help protect your organization by providing time-of-click verification of web addresses (URLs) in email messages, Teams chats and Office documents, blocking or warning when the destination is known to be malicious. Protection is defined through Safe Links policies; the settings that matter most are real-time scanning of suspicious links and links that point to files, waiting for that scan to finish before delivering the message, not allowing users to click through a warning, and tracking clicks so you have a record for incident response. Here is one more video by Microsoft to show you how.
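Tips 9 and 10 together, as an added example for this article (not GDF's or Microsoft's own script): a Safe Attachments policy and a Safe Links policy scoped to the whole domain, plus the separate tenant-wide switch that extends Safe Attachments to SharePoint, OneDrive and Teams. It assumes Defender for Office 365 Plan 1 and the ExchangeOnlineManagement module; contoso.com and the secops@ redirect address are placeholders.

```powershell
# Added example (not from the original article) covering tips 9 and 10: Safe Attachments
# and Safe Links policies for all recipients, and the separate SharePoint/OneDrive/Teams
# switch. Assumes Defender for Office 365 Plan 1 and the ExchangeOnlineManagement module;
# contoso.com and secops@contoso.com are placeholders.
Connect-ExchangeOnline -ShowBanner:$false

# Safe Attachments: detonate attachments in a sandbox. Block holds the whole message;
# DynamicDelivery would deliver the body first and swap the attachment in after scanning.
# Blocked copies are redirected to a security mailbox for triage and quarantined so that
# only admins, not the recipient, can release them.
New-SafeAttachmentPolicy -Name "Safe Attachments - all users" `
    -Enable $true `
    -Action Block `
    -Redirect $true `
    -RedirectAddress "secops@contoso.com" `
    -QuarantineTag AdminOnlyAccessPolicy
New-SafeAttachmentRule -Name "Safe Attachments - all users" `
    -SafeAttachmentPolicy "Safe Attachments - all users" `
    -RecipientDomainIs "contoso.com"

# The email policy above does not touch files already sitting in SharePoint, OneDrive or
# Teams; that protection is a single tenant-wide setting.
Set-AtpPolicyForO365 -EnableATPForSPOTeamsODB $true

# Safe Links: time-of-click checks in mail, Teams and Office apps, with no user click-through.
New-SafeLinksPolicy -Name "Safe Links - all users" `
    -EnableSafeLinksForEmail $true `
    -EnableSafeLinksForTeams $true `
    -EnableSafeLinksForOffice $true `
    -EnableForInternalSenders $true `
    -ScanUrls $true `
    -DeliverMessageAfterScan $true `
    -AllowClickThrough $false `
    -TrackClicks $true `
    -DisableUrlRewrite $false
New-SafeLinksRule -Name "Safe Links - all users" `
    -SafeLinksPolicy "Safe Links - all users" `
    -RecipientDomainIs "contoso.com"
```

EnableForInternalSenders is easy to overlook and worth keeping on: once one mailbox in the tenant is compromised, the next phishing wave comes from a trusted internal address, and that is exactly the mail an internal-exempt policy would wave through.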
Where GDF Fits In
While Microsoft 365 can do a lot of the lifting for you on the cybersecurity front, it's not infallible or impregnable. Microsoft 365 is much more than email; it's a connected environment that gives users the expanded ability to store data in personal and company storage, share files, collaborate, and access or download data at home or from anywhere. While that helps productivity, it also opens up new ways for your data to be put at risk by internal and external actors, and every setting above is only as good as the evidence that it was actually applied and is still in force. By conducting a thorough assessment of the Microsoft 365 environment, GDF can help your organization lower risk and elevate its security posture. GDF's assessments look at the full picture of how your data is exposed and how users can interact with that data. GDF delivers a comprehensive plan to implement the proper settings to secure the environment, protect your data, prevent breaches, and ensure that logging and monitoring are in place to detect and analyze any breach or incident that may occur.
Cyber criminals and other malicious actors are actively looking for their next victim every day, all day. So don't wait to get some locks on the door, contact Global Digital Forensics today.