We’re hearing about local, national, and international cyber-attacks on what seems like a regular basis these days. It’s not just large corporations and governments that are vulnerable; we’ve seen many small businesses and educational institutions end up as targets as well.
If your business is running in the cloud or you’re considering a cloud migration, there’s little doubt that security is on your mind. Microsoft 365 has tons of features to help keep your data safe in the cloud. So many, in fact, it can be difficult to know where to start.
At Regroove, we have eight standard Microsoft 365 security recommendations that help our clients get started on the right foot in the cloud. These recommendations stem from a quarterly security assessment we offer our clients and they often form the foundation of our client’s security and compliance plan. We work to develop additional policies that supplement that plan depending on the client’s industry, type of data, and access requirements.
In this blog, we’ll outline out Microsoft 365 security recommendations to help you build your own security and compliance plan in the cloud!
1. Turn on Audit Logging
One of the first steps we take with clients who are new to the cloud is to turn on audit logging in the security centre. Not only does audit logging allow you to track and manage end user and administrator actions throughout Microsoft 365, but it can also help identify holes in your security by collecting and analysing events that occur in Microsoft 365.
To turn on audit logging in Microsoft 365:
- Log in to the Microsoft 365 Admin Portal, then click Security from the left-hand navigation.
- Click Search from the left-hand navigation, then Audit log search.
- Click Enable audit logging.
It can take up to 24 hours for information to begin appearing in your audit log. You can regularly check the log for unusual actions, refer to the collected information when issues arise, and use it as a baseline to determine your end user and administrative requirements.
2. Implement Multifactor Authentication
Implementing multifactor authentication can block up to 99.9% of all incoming attacks. With stats like that, it’s one of the most beneficial steps you can take to secure your data in the cloud.
Multifactor authentication requires the user to prove their identity through multiple means. With multifactor authentication, your user needs:
- Something they know, like a username and password
- Something they have, like a cell phone or USB
- Something they are, like a fingerprint or face scan
Typically, a user will download and set up the Microsoft Authenticator app on their cell phone. When they enter their username and password to log in to a company resource, a prompt is sent to the app on their phone. They open the app, approve the sign in, and confirm with a fingerprint or face scan. This process can be modified for those users who don’t have or don’t want to use their personal cell phone for logging in.
In our quarterly assessment, multifactor authentication is the first thing that we assess. We ensure the feature is set up correctly and applied to new users, and that it’s functioning as expected to help protect your data.
3. Configure Security Policies
Anti-malware, anti-spam, and Outlook message encryption policies help protect your users, your email, and your data from malicious attacks.
Anti-spam policies help prevent spam emails from reaching your user’s inbox. Anti-malware policies protect your devices from software designed to obtain or damage your company data. Outlook message encryption works to protect your users by enabling encrypted email messages both internally and externally so that only the message’s intended reader can view its contents.
Microsoft applies many of these policies automatically so that you’re protected when you start your journey in the cloud. However, you can edit these security policies at a more granular level based on your organization’s requirements and can even block specific senders that target your organization.
To access and modify these policies:
- Log in to the Microsoft 365 Admin Portal. Click Threat management from the left-hand navigation.
- Click Policies from the left-hand navigation.
There are many policies you can configure here. We recommend determining which policies you need based on the type of metadata you work with and how your users share it. Alternatively, we suggest working with a Microsoft 365 consultant to determine what policies are best for your organization’s needs. At a minimum, we recommend ensuring your anti-spam and anti-malware policies are configured. We’ll review your email security policies quarterly as part of our Microsoft 365 assessment.
4. Manage Your User Devices
Securing organization-owned and personal devices that access your data helps to stop attacks at the device level by ensuring only approved devices can have access. Devices are secured using Microsoft Intune which supports all mobile operating systems and a wide range of devices. Using Intune, you can ensure that devices which access your information meet security standards. You can also control how your data is shared between devices.
To set up managed devices:
- Log in to the Microsoft 365 portal, then click Azure Active Directory from the left-hand navigation.
- Once you’re in the Azure Admin Portal, click Azure Active Directory, then Devices.
- In this list, you’ll see all the current joined and registered devices and can enable or disable devices.
- When you click on a device, you can see information and actions available for that device.
- You can also manage devices in Microsoft Intune.
The benefits of ensuring devices are joined or registered to your organization in Azure are abundant. Azure and Intune help ensure that devices accessing your organization’s data are compliant with your security requirements and can help control how and where information is shared.
5. Use Principles of Least Privilege Access
The principle of least privilege access requires that every individual access only the information, resources, and powerful administrative tools necessary to accomplish their role. In Microsoft 365, least privilege access can be applied by implementing Azure Privileged Identity Management.
Privileged Identity Management (PIM) is a service in Azure that allows you to monitor and control access to resources and administrative functions in your organization. This is a great option for companies that want to minimize the number of people who have access to secure information. Privileged Identity Management provides time-based and approval-based access to mitigate the risk of unnecessary or malicious access to secure resources.
To set up Privileged Identity Management:
- Log into the Azure Admin Portal, then search PIM in the search bar at the top of the screen.
- Select Azure AD Privileged Identity Management.
- Select Quick Start to walk through the set-up process.
Privileged Identity Management requires users to have a Premium P2 Azure license, so we recommend that you only implement PIM for users that need access to complex administrative roles or highly secure data.
6. Get a Handle on Shadow IT
Shadow IT refers to the unofficial solutions employees use to fill gaps in their day-to-day process. It might be because they don’t know a tool is available to your company resources or they’re more comfortable with an application they used previously. It sounds harmless, but shadow IT can be a real threat to your company’s security. Data shows that up to one-third of successful attacks on a business are related to data located on shadow IT solutions that are not properly managed by an organization’s IT department.
One obvious way to limit shadow IT is to restrict everything down to a bare minimum. However, we recommend working with your employees to understand their basic needs and determine what tools work, what tools don’t, and what they might be lacking in accomplishing their day-to-day roles. It’s also important that your team understands the security risks behind things like shadow IT, which is where our next recommendation fits in!
7. Provide Coaching to Employees
It’s crucial to ensure your team understands data security, at least at a basic level. Providing examples of companies who have suffered malicious hacks, explaining what policies you have in place to prevent them, and helping your team understand why these steps are so important helps to supplement your Microsoft 365 security plan.
Keeping data security as part of your regular conversations with employees will help your team know the risks and understand your policies. Plus, it might prevent them from clicking on a link in a phishing email, entering their personal information where they shouldn’t, or downloading files from untrustworthy website. This alone goes a long way to keeping your data safe.
8. Review Your Microsoft Secure Score
The Microsoft Compliance Center provides a snapshot of your organization’s security and compliance, including how you compare to others in your industry, and steps you can take to improve your posture.
To access your security score:
- Log into the Microsoft 365 Admin Portal
- Click Security from the left-hand navigation.
- Click Secure score from the left-hand navigation.
Your secure score compares your security posture to other organizations of the same size in the same industry. Microsoft will provide a list of steps you can take to improve your secure score, as well as how much each recommendation will affect your score.
Some of the recommendations in this section rely on extra licensing and administrative set-up and may not provide a great cost-benefit for your organization. We recommend reviewing the improvement actions with a Microsoft consultant to determine case by case which actions will provide you with the greatest benefit.
Security in the cloud is a serious topic. There are dozens and dozens of security settings in Microsoft 365 that you can implement to ensure your users, your data, and your company are protected. The recommendations outlined in this blog represent a starting place for many organizations making their way into the cloud.
Feeling a bit queasy about your organization’s security posture? We can help! Our quarterly assessment will help ensure your company meets Microsoft best practices and industry standards for security and provide recommendations for implementing new features that protect your end users and your data. Complete the form below and one of our specialists will be in touch.