Top tips to improve your Microsoft 365 security
Find out how you can further protect your data with a range of Microsoft 365 security measures.

Cybersecurity continues to pose a major challenge for businesses, and every business, regardless of size, needs to take it seriously. Recent statistics on the state of the cybersecurity landscape include:
- 66% of small businesses experienced a cyber attack in the last 12 months. Despite common misconceptions, smaller businesses are a prime target for cyber criminals.
- There were more than 500M ransomware attacks attempted globally in 2021.
- Phishing attacks account for over 90% of all data breaches.
More and more businesses have adopted Microsoft 365 for its productivity gains and flexibility; the ability to work anytime, anywhere, is now expected. A cyber-attack, however, can threaten that continuity by corrupting your systems or holding your data to ransom. Fortunately, there are steps you can take within Microsoft 365 to further protect your data. Our top tips to improve your Microsoft 365 security are below.
Microsoft 365 Security Checklist
1: Set up multi-factor authentication
Protect against lost or stolen passwords by using multi-factor authentication (MFA), also known as two-factor authentication. Once it is turned on, signing in to Microsoft 365 requires a second factor in addition to the password, most commonly an approval or one-time code from the Microsoft Authenticator app on the user's phone. If an attacker has phished, guessed or bought your password, this extra step stops them signing in with the password alone. MFA is included in your subscription, and the quickest way to turn it on is to enable security defaults in Microsoft Entra ID, which requires every user to register for MFA, always enforces it for administrators, and prompts other users for it when their sign-in looks risky. Security defaults cannot be combined with Conditional Access policies; tenants that already use Conditional Access should enforce MFA there instead.
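The following script is an added example and is not code from the original article. It turns on security defaults with the Microsoft Graph PowerShell SDK, checks first for Conditional Access policies (which would make the update fail), and then reports enabled users who still have nothing but a password registered, since security defaults only prompt for registration at the next interactive sign-in and dormant or shared accounts never get there. The Graph permission scopes and the strong-method list are assumptions made for this example.

```powershell
# Added example (not from the article): enable security defaults and report
# users with no strong authentication method registered.
# Assumes the Microsoft.Graph PowerShell SDK and a Global Administrator signing in.
Connect-MgGraph -Scopes "Policy.Read.All", "Policy.ReadWrite.SecurityDefaults",
                        "User.Read.All", "UserAuthenticationMethod.Read.All" -NoWelcome

# Security defaults cannot be enabled while Conditional Access policies exist,
# so check for them rather than letting the update fail with a generic error.
$caPolicies = @(Get-MgIdentityConditionalAccessPolicy -All)
if ($caPolicies.Count -gt 0) {
    Write-Warning "Tenant has $($caPolicies.Count) Conditional Access policies; enforce MFA there instead of via security defaults."
} else {
    Update-MgPolicyIdentitySecurityDefaultEnforcementPolicy -IsEnabled:$true
    $state = Get-MgPolicyIdentitySecurityDefaultEnforcementPolicy
    "Security defaults enabled: $($state.IsEnabled)"
}

# Method types treated as "strong" for this report (assumption for the example;
# password, email and temporary access pass are deliberately left out).
$strong = @(
    "#microsoft.graph.microsoftAuthenticatorAuthenticationMethod",
    "#microsoft.graph.fido2AuthenticationMethod",
    "#microsoft.graph.phoneAuthenticationMethod",
    "#microsoft.graph.softwareOathAuthenticationMethod",
    "#microsoft.graph.windowsHelloForBusinessAuthenticationMethod"
)

# Walk every enabled user and keep those whose registered methods contain
# nothing from the strong list.
$unprotected = foreach ($u in Get-MgUser -All -Filter "accountEnabled eq true" -Property Id,UserPrincipalName) {
    $types = Get-MgUserAuthenticationMethod -UserId $u.Id |
             ForEach-Object { $_.AdditionalProperties['@odata.type'] }
    if (-not ($types | Where-Object { $strong -contains $_ })) { $u.UserPrincipalName }
}

"Enabled users with no strong method registered: $(@($unprotected).Count)"
$unprotected
```

The second half of the report is the useful part once security defaults are on: any name it prints is an account an attacker can still take over with a password alone, and service or shared accounts that appear there should either be given a method or blocked from interactive sign-in.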
2: Train your users
As a business owner, you are responsible for reducing risk by training staff and leading by example. Establish a strong culture of security awareness and train staff to recognise phishing attacks. Human error is the number one cause of breaches, and phishing continues to be the leading method of attack. We recommend regular security skills assessments, refresher training and penetration testing.
3: Use dedicated admin accounts
Admin accounts have elevated privileges, which makes them valuable targets for attackers. Use admin accounts for administration only: each admin should have a separate, unprivileged account for day-to-day work such as email and browsing, and sign in with the administrative account only when a task needs it. Before using an admin account, close all unrelated browser sessions and apps, including personal email accounts, so a phished or malicious page cannot ride on the privileged session, and sign out as soon as the admin task is complete.
4: Remove former employees
This is a simple administration task but one that is often overlooked. Remove accounts when staff leave or, if a mailbox must be kept to receive messages, at the very least block sign-in for the account. Blocking sign-in on its own does not end sessions that are already open, so also revoke the user's existing sessions so that cached tokens on their devices stop working immediately rather than at expiry.
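The script below is an added example, not the article's own procedure. It offboards a leaver using the Microsoft Graph and Exchange Online PowerShell modules: it blocks sign-in, revokes issued tokens, strips any mail forwarding from the mailbox, and then either converts the mailbox to a shared mailbox (so it keeps receiving mail without a sign-in-capable account behind it) or deletes the account. The permission scopes, the `-KeepMailbox` switch and the placeholder address are assumptions for this example.

```powershell
# Added example (not from the article): offboard a departed user.
# Assumes the Microsoft.Graph and ExchangeOnlineManagement modules and an
# operator holding User Administrator and Exchange Administrator roles.
# Usage: .\Offboard-User.ps1 -UserPrincipalName jdoe@contoso.com -KeepMailbox
param(
    [Parameter(Mandatory)] [string] $UserPrincipalName,   # placeholder, e.g. jdoe@contoso.com
    [switch] $KeepMailbox                                  # retain the mailbox as shared
)

Connect-MgGraph -Scopes "User.ReadWrite.All", "User.EnableDisableAccount.All",
                        "User.RevokeSessions.All" -NoWelcome
Connect-ExchangeOnline -ShowBanner:$false

$user = Get-MgUser -UserId $UserPrincipalName -Property Id,UserPrincipalName,AccountEnabled

# 1. Block sign-in, then invalidate every refresh token so Outlook, Teams and
#    mobile sessions that are already open stop working now, not at expiry.
Update-MgUser -UserId $user.Id -AccountEnabled:$false
Revoke-MgUserSignInSession -UserId $user.Id | Out-Null

# 2. Clear mailbox-level forwarding and any inbox rules that forward or
#    redirect, so mail to a retained mailbox cannot leak outside the tenant.
Set-Mailbox -Identity $UserPrincipalName -ForwardingSmtpAddress $null `
            -ForwardingAddress $null -DeliverToMailboxAndForward $false
Get-InboxRule -Mailbox $UserPrincipalName |
    Where-Object { $_.ForwardTo -or $_.ForwardAsAttachmentTo -or $_.RedirectTo } |
    Remove-InboxRule -Confirm:$false

if ($KeepMailbox) {
    # 3a. A shared mailbox (up to 50 GB) needs no licence and cannot be signed
    #     into directly; delegate access to whoever services incoming messages.
    Set-Mailbox -Identity $UserPrincipalName -Type Shared
    "Sign-in blocked; mailbox kept as shared: $UserPrincipalName"
} else {
    # 3b. Otherwise delete the account. It can be restored from the recycle bin
    #     for 30 days, after which the mailbox is gone too.
    Remove-MgUser -UserId $user.Id
    "Account deleted: $UserPrincipalName"
}
```

Order matters here: disable and revoke before touching the mailbox, so that a leaver watching their account cannot re-add a forwarding rule between the steps. Reassign the leaver's licence only after the conversion to shared has completed.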
5: Protect against malware
Your Microsoft 365 environment includes protection against malware. You can increase your malware protection by:
- Blocking attachments with certain file types that are commonly used for malware
- Using antivirus/antimalware protection on your devices. Microsoft Defender Antivirus provides strong antivirus and antimalware protection and is built into the Windows operating system.
6: Ensure your software is up to date
It is also important to make sure you are only using supported versions of operating systems and Office software, and that they are fully patched. Windows 7 reached end of support in January 2020 and no longer receives security updates, so every vulnerability found since then remains open on machines still running it. For more practical suggestions, read our Top Tips to Secure your Endpoints.
7: Protect against ransomware
Ransomware restricts access to data by encrypting files or locking computer screens, then demands a ransom in exchange for restoring access. The good news is that you get ransomware protection for email hosted in Microsoft 365 and for files stored in OneDrive, and Microsoft 365 Business Premium adds protection for your organisation's devices. You can add a further layer by creating one or more mail flow rules that block file extensions commonly used to deliver ransomware, and by warning users before they open macro-enabled Office attachments (.docm, .xlsm, .pptm and similar) received by email. Ransomware is often hidden inside macros, so it is worth telling users not to enable content in files from people they do not know. For more information, read our top tips to protect against ransomware.
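The following Exchange Online PowerShell is an added example covering both tip 5 (blocking attachment types used for malware) and tip 7 (mail flow rules for ransomware carriers and macro warnings); it is not code from the article. It extends the common attachments filter in the default anti-malware policy, adds a rule that rejects executables by inspecting their content rather than their name, and adds a rule that tags macro-enabled Office files from outside the organisation. The extension lists and rule names are illustrative choices for this example and should be tuned to what your business actually receives.

```powershell
# Added example (not from the article): tighten attachment handling in Exchange Online.
# Assumes the ExchangeOnlineManagement module and an Exchange Administrator role.
Connect-ExchangeOnline -ShowBanner:$false

# --- Tip 5: common attachments filter in the default anti-malware policy ---
# -FileTypes replaces the whole list, so read the current list and append to it
# instead of silently dropping Microsoft's defaults. Extensions are illustrative.
$policy = Get-MalwareFilterPolicy -Identity Default
$extra  = @("exe","scr","js","jse","vbs","vbe","wsf","wsh","hta","cmd","bat",
            "ps1","iso","img","lnk","chm","cpl","msi","msp","reg","jar")
$types  = @($policy.FileTypes) + $extra | Sort-Object -Unique
Set-MalwareFilterPolicy -Identity Default -EnableFileFilter $true -FileTypes $types

# --- Tip 7, rule 1: extension matching looks at the file name only, so also
# reject attachments whose *content* is executable, which catches a renamed .exe.
New-TransportRule -Name "Reject executable attachment content" `
    -AttachmentHasExecutableContent $true `
    -RejectMessageReasonText "Executable attachments are not accepted. Ask the sender for a link instead."

# --- Tip 7, rule 2: warn, do not block, on macro-enabled Office files from outside.
# The prepended subject tag and banner survive into mobile clients, where users
# are least likely to notice the sender domain.
New-TransportRule -Name "Warn users about external macro-enabled Office attachments" `
    -FromScope NotInOrganization `
    -AttachmentExtensionMatchesWords @("docm","dotm","xlsm","xltm","xlam","pptm","potm","ppam","sldm") `
    -PrependSubject "[CAUTION: macro attachment] " `
    -ApplyHtmlDisclaimerLocation Prepend `
    -ApplyHtmlDisclaimerText "<p><b>Warning:</b> this message from outside the organisation contains an Office file that can run macros. Do not click Enable Content unless you know and trust the sender.</p>" `
    -ApplyHtmlDisclaimerFallbackAction Wrap

# Verify what is now in force. Rules are evaluated in priority order (0 first).
Get-TransportRule | Sort-Object Priority |
    Format-Table Priority, Name, State, Mode -AutoSize
```

Test a new rule in `-Mode Audit` or with a single pilot recipient before switching it to enforce, and watch the quarantine for a week: a blocked extension that a supplier legitimately sends will otherwise surface as a helpdesk ticket rather than a security win.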
8: Stop auto-forwarding for email
An attacker who gains access to a user's mailbox can quietly exfiltrate mail by configuring the mailbox, or an Inbox rule, to forward every message to an external address; the user often never notices. You can prevent this by setting the outbound spam policy to disallow automatic forwarding and by adding a mail flow rule that rejects auto-forwarded messages to external domains. The rejection notice goes back to the internal mailbox, which also tips off the legitimate owner that a forwarding rule exists.
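The following is an added example, not the article's code: it first audits the tenant for forwarding that is already configured (both mailbox-level forwarding and forwarding or redirecting Inbox rules, which is where attackers usually hide it) and then closes the three places external auto-forwarding can be permitted. It assumes the ExchangeOnlineManagement module and an Exchange Administrator role; the rule name is a choice made for this example.

```powershell
# Added example (not from the article): find and block external auto-forwarding.
# Assumes the ExchangeOnlineManagement module and an Exchange Administrator role.
Connect-ExchangeOnline -ShowBanner:$false

# 1. Audit mailbox-level forwarding (set by the user, an admin or an attacker).
Get-Mailbox -ResultSize Unlimited |
    Where-Object { $_.ForwardingSmtpAddress -or $_.ForwardingAddress } |
    Select-Object UserPrincipalName, ForwardingSmtpAddress, ForwardingAddress, DeliverToMailboxAndForward

# 2. Audit Inbox rules that forward or redirect. This loops over every mailbox,
#    so it is slow in a large tenant; run it once and then alert on new rules.
foreach ($mbx in Get-Mailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox) {
    Get-InboxRule -Mailbox $mbx.UserPrincipalName |
        Where-Object { $_.ForwardTo -or $_.ForwardAsAttachmentTo -or $_.RedirectTo } |
        Select-Object @{n='Mailbox'; e={ $mbx.UserPrincipalName }}, Name, Enabled, ForwardTo, RedirectTo
}

# 3. Block: the outbound spam policy decides whether automatic forwarding to
#    external recipients is delivered at all ("Off" rejects it).
Set-HostedOutboundSpamFilterPolicy -Identity Default -AutoForwardingMode Off

# 4. Block: the default remote domain and an explicit mail flow rule, so the
#    control still holds if someone later relaxes the spam policy. The NDR from
#    the rejection lands in the internal mailbox and alerts its owner.
Set-RemoteDomain -Identity Default -AutoForwardEnabled $false
New-TransportRule -Name "Block auto-forward to external domains" `
    -FromScope InOrganization -SentToScope NotInOrganization `
    -MessageTypeMatches AutoForward `
    -RejectMessageReasonText "Automatic forwarding to external addresses is not permitted by policy."
```

Anything found in steps 1 and 2 that nobody can account for should be treated as a possible compromised mailbox, not just tidied up: reset the password, revoke sessions and review the sign-in logs for that user before removing the rule.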
9: Use Microsoft Purview Message Encryption
Microsoft Purview Message Encryption (formerly Office 365 Message Encryption) is included with eligible Microsoft 365 subscriptions, such as Business Premium and E3/E5, and is enabled by default. With it you can send and receive encrypted email between people inside and outside your organisation, and it works with Outlook.com, Yahoo!, Gmail and other email services. Encryption ensures that only the intended recipients can view the message content: the body and attachments are encrypted, so an intercepted message cannot be read without the key. Note that the subject line is not encrypted, so keep sensitive detail out of it. Microsoft Purview Message Encryption provides two protection options when sending mail:
- Do not forward
- Encrypt
You can also configure other options that apply a label to an email, such as Confidential.
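The rules below are an added example, not part of the article. Rather than relying on each sender to pick the Encrypt or Do not forward option, they apply the two built-in protection templates automatically by mail flow rule: one encrypts any outbound message the sender marks in the subject, the other applies Do Not Forward to everything the HR team sends outside the tenant. The ExchangeOnlineManagement module, the keyword, the HR group address and the rule names are assumptions for this example.

```powershell
# Added example (not from the article): apply Purview Message Encryption by rule.
# Assumes the ExchangeOnlineManagement module and an Exchange Administrator role;
# hr@contoso.com is a placeholder distribution group.
Connect-ExchangeOnline -ShowBanner:$false

# The two built-in templates the article describes appear here as "Encrypt" and
# "Do Not Forward"; confirm they exist in the tenant before referencing them.
Get-RMSTemplate | Format-Table Name, Description -AutoSize

# Rule 1: senders opt in by putting the tag in the subject; the rule does the
# encryption so the outcome does not depend on the client they used.
New-TransportRule -Name "Encrypt messages tagged [ENCRYPT]" `
    -SentToScope NotInOrganization `
    -SubjectContainsWords "[ENCRYPT]" `
    -ApplyRightsProtectionTemplate "Encrypt"

# Rule 2: HR mail leaving the organisation can be read by the recipient but not
# forwarded, printed or copied, regardless of what the sender selected.
New-TransportRule -Name "Do Not Forward for external HR mail" `
    -FromMemberOf "hr@contoso.com" `
    -SentToScope NotInOrganization `
    -ApplyRightsProtectionTemplate "Do Not Forward"
```

Rule 2 is the stronger control, and also the more disruptive one: external recipients on non-Microsoft mail services read Do Not Forward mail through the encrypted-message portal, so pilot it with one team before applying it organisation-wide.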
10: Protect your email from phishing attacks
If you've configured one or more custom domains for your Microsoft 365 environment, you can set up targeted anti-phishing protection. Impersonation protection, part of Microsoft Defender for Office 365, helps protect your organisation from phishing that impersonates your executives or your domain, as well as other phishing attacks. If you haven't configured a custom domain, this step does not apply. Get started by creating an anti-phishing policy that protects your most important users and your own domains. We also recommend implementing DMARC as part of protecting against spoofing. DMARC (Domain-based Message Authentication, Reporting & Conformance) is an email authentication, policy and reporting protocol that stops attackers spoofing your organisation and domain by forging the From address of a message. DMARC only works if your mail passes SPF or DKIM with a domain that matches the From address, so publish a correct SPF record for every domain you send from and enable DKIM signing for those domains in Microsoft 365 before moving the DMARC policy from monitoring (p=none) to quarantine or reject.
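The script below is an added example and not code from the article. It creates the Defender for Office 365 anti-phishing policy the paragraph describes (named users plus the organisation's own domains, with spoofed and impersonated mail quarantined) and then checks the SPF, DKIM and DMARC state for the domain as the rest of the Internet sees it. The ExchangeOnlineManagement module, a Defender for Office 365 licence, the policy name and `contoso.com` with its two protected users are all assumptions for this example; `Resolve-DnsName` is a Windows cmdlet.

```powershell
# Added example (not from the article): impersonation protection and DNS checks.
# Assumes the ExchangeOnlineManagement module, an Exchange Administrator role and
# a Defender for Office 365 plan; contoso.com and the names are placeholders.
Connect-ExchangeOnline -ShowBanner:$false
$domain = "contoso.com"

# Policy: protect named people and every accepted domain from impersonation,
# and quarantine mail that fails composite authentication (spoofing).
New-AntiPhishPolicy -Name "Impersonation protection" `
    -EnableTargetedUserProtection $true `
    -TargetedUsersToProtect @("Jane Doe;jane.doe@$domain", "Finance Lead;finance@$domain") `
    -TargetedUserProtectionAction Quarantine `
    -EnableOrganizationDomainsProtection $true `
    -TargetedDomainProtectionAction Quarantine `
    -EnableMailboxIntelligence $true `
    -EnableMailboxIntelligenceProtection $true `
    -MailboxIntelligenceProtectionAction MoveToJmf `
    -EnableSpoofIntelligence $true `
    -AuthenticationFailAction Quarantine

# A policy does nothing until a rule scopes it to recipients.
New-AntiPhishRule -Name "Impersonation protection" `
    -AntiPhishPolicy "Impersonation protection" -RecipientDomainIs $domain

# DKIM: Microsoft 365 signs with your domain only once this is enabled for it
# (the two selector CNAME records must be published in DNS first).
Get-DkimSigningConfig -Identity $domain | Format-List Domain, Enabled, Status

# SPF and DMARC as published. Long TXT records arrive as several 255-byte
# strings, so join them per record before matching.
function Get-TxtRecord([string] $Name, [string] $Prefix) {
    Resolve-DnsName -Name $Name -Type TXT -ErrorAction SilentlyContinue |
        ForEach-Object { -join $_.Strings } |
        Where-Object { $_ -like "$Prefix*" } |
        Select-Object -First 1
}
$spf   = Get-TxtRecord -Name $domain          -Prefix "v=spf1"
$dmarc = Get-TxtRecord -Name "_dmarc.$domain" -Prefix "v=DMARC1"

if ($spf)   { "SPF:   $spf" }   else { "SPF:   MISSING (for Microsoft 365 expect e.g. 'v=spf1 include:spf.protection.outlook.com -all')" }
if ($dmarc) { "DMARC: $dmarc" } else { "DMARC: MISSING (start with e.g. 'v=DMARC1; p=none; rua=mailto:dmarc@$domain' and tighten to quarantine/reject later)" }
```

Start DMARC at `p=none` and read the aggregate reports for a few weeks: anything legitimate that sends as your domain (newsletter tools, scanners, a payroll provider) must be added to SPF or set up for DKIM before the policy is tightened, or it will be the first thing receivers start rejecting.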
Increase protection for your organization's devices
The Microsoft 365 security recommendations above should all be available within your subscription. As mentioned earlier, Microsoft Defender Antivirus is built into the Windows operating system and provides good protection against viruses and malware. You can increase protection for your organisation's devices by implementing Microsoft Defender for Business, a newer offering for small and medium-sized businesses that adds endpoint detection and response on top of antivirus, with further protection from ransomware, malware, phishing and other threats. It is also included within Microsoft 365 Business Premium. For more information or advice on the Microsoft 365 security measures listed above, please get in touch.