Many business are now using Office 365 as a subscription model for the desktop Office applications installed on computers and laptops.
Other businesses are using the Office 365 Business Premium or higher tiers like the newer Microsoft 365 to host their Exchange server and with that they get Onedrive, Sharepoint and other applications as standard such as Teams. The higher tier will give Windows 10 Business and even unlock features like native email encryption and Mobile Device Management.
The consultancy has been asked to audit Office365 for many clients. In these audits we see a common trait with the default settings that allow the external sharing of data at the most unrestricted level. This, amongst other important security tweaks should be checked.
Most companies just switch on the Office365 system for e-mail and desktop and don’t quite understand what other features exist. We use Office365 E3 and have 25 online apps at present in our toolbox. All of these have features that users can jump straight in and use.
By default you have no governance or secure controls enabled for the use of Exchange e-mail, Sharepoint, Onedrive or Teams and indeed the plethora of current and newer apps that Office365 provides.
Mailbox auditing is not enabled by default. Shared mailboxes are rarely properly understood or deployed with a view to data loss prevention.
Data can and will be leaking from improperly configured cloud services. Office365 is not alone in this. We see serious data leak concerns with Dropbox and even 3rd party based cloud backup solutions.
Is that a breach? Is it negligence? Why wait and find out as a result of someting bad. I hope this and other posts in our blog will help you to improve your IT security.
Office 365 Security Tools Built In
Microsoft offer some excellent controls to help you secure the platform. By using https://protection.office.com you can see a huge toolbox of settings.
There is an important feature on https://securescore.microsoft.com too. This is very helpful as it guides you through the options they recommend to switch on. It shows your company score against the global average, same industry average and size of company average.
It’s important to note how low the global average is; with 37 the average score as shown on the left. It proves the need for companies to use the services we offer so we can help bolster the security settings and improve upon the average score. ACITConsultancy’s score is 216 here, twice the industry average for IT.
Also this updates regularly as your application and tenant use grows. Since Office365 is an online service delivery new features and apps are released quicker than what we are traditionally used to with offline software.
Office 365 Security Tips:
- Think about the digital perimiter in which the business data needs to operate. Should anything be allowed to be shared publicly and exposed via Sharepoint or Onedrive? Should any sharing if allowed be offered to Anonymous recipients? Use the options for sharing in the Admin portals for Onedrive, Sharepoint and Public connectivity in Teams.
- Follow as much guidance through the Microsoft Secure Score as possible and work on the reports given to you in the Protection portal.
- Think about who has access to the Global Administrator role. Lock this down and seperate it from any daily accounts used for things like e-mail. The Secure Score pages will guide you towards adding Multi Factor Authentication on these accounts too.
- Regularly check the reports that are offered by Microsoft. You can even schedule these to be delivered to your inbox. Highlighting any users that are suddenly increasing their sharing or using an increased amount of storage in Onedrive that may indicate an employee leaking your data.
- Turn on MFA (Multifactor Authentication) for important accounts. This will be all your admin users and any important VIPs.
- Think about using Azure Active Directory P1 or P2 tier (this is also included in some of the higher tiers) and your business will get insight into employee usage and also what accounts are targetted or most at risk in your organisation.