Office 365 (O365) ups the ante of productivity, giving users the power to work from anywhere. Whether with Word, Exchange, SharePoint, or Skype for Business, Microsoft’s O365 suite allows users to access sensitive data remotely without a VPN. In the era of Bring Your Own Device and vanishing perimeters, that flexibility and ease of use is a big boost to productivity.
But that “always on” mentality can be problematic for IT, as sensitive data can be exposed if IT or users don’t follow the right protocols. Convenience shouldn’t come at the cost of security for your organization.
Luckily, there are some easy steps IT can take to tighten up O365 security without limiting productivity. Here are five ways you can improve your organization’s security posture while giving users the O365 functionality they need.
1. Strong passwords, stronger authentication: O365 grants users access to data from any device with an internet connection, which is great for convenience, but needs protection. Besides strong passwords with a specified length and complexity, require multifactor authentication for administrators. O365 allows that second form of authentication to come through a phone call, text message, or app (all available as a free add-on), and these controls make it extremely difficult for outsiders to access user accounts via typical attacks, such as brute forcing.
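As an added example (not from the original article or from SHI), the following PowerShell reports every member of an O365 administrator role whose account has no MFA requirement set, and includes a helper to enable it. It assumes the MSOnline module (current when this advice was written; Microsoft has since deprecated it in favour of Microsoft Graph PowerShell) and a Global Administrator session; the function names are the example's own.

```powershell
# Added example: find admin-role members without MFA and optionally enforce it.
# Assumes the MSOnline module is installed and you can sign in as a Global Administrator.
Connect-MsolService

function Get-AdminsWithoutMfa {
    # Every built-in role whose name marks it as an administrator role
    $adminRoles = Get-MsolRole | Where-Object { $_.Name -like '*Administrator*' }
    foreach ($role in $adminRoles) {
        foreach ($member in Get-MsolRoleMember -RoleObjectId $role.ObjectId) {
            # Service principals and groups have no per-user MFA state; skip them
            if ($member.RoleMemberType -ne 'User') { continue }
            $user  = Get-MsolUser -ObjectId $member.ObjectId
            # Empty when neither "Enabled" nor "Enforced" has been set for the account
            $state = $user.StrongAuthenticationRequirements.State
            if (-not $state) {
                [pscustomobject]@{
                    Role              = $role.Name
                    UserPrincipalName = $user.UserPrincipalName
                    MfaState          = 'None'
                }
            }
        }
    }
}

function Set-MfaRequired {
    param([Parameter(Mandatory)][string]$UserPrincipalName)
    # A single requirement covering all relying parties ("*") enables per-user MFA
    $req = New-Object -TypeName Microsoft.Online.Administration.StrongAuthenticationRequirement
    $req.RelyingParty = '*'
    $req.State        = 'Enabled'
    Set-MsolUser -UserPrincipalName $UserPrincipalName -StrongAuthenticationRequirements @($req)
}

# Report first; an admin holding several roles is listed once
$missing = Get-AdminsWithoutMfa | Sort-Object UserPrincipalName -Unique
$missing | Format-Table -AutoSize

# Uncomment after reviewing the report to require MFA for every admin listed
# $missing | ForEach-Object { Set-MfaRequired -UserPrincipalName $_.UserPrincipalName }
```

Accounts switched to "Enabled" are prompted to register a second factor at next sign-in; the tenant can later move them to "Enforced" once registration is complete.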
2. Establish better privilege rights: Once IT has protected data by addressing the “how,” the next area of focus is “who.” O365 allows you to bucket users with access based on the Principle of Least Privilege, the concept of giving users access to the minimum level of data/rights necessary to perform their daily tasks.
For example, the marketing department doesn’t need unfettered access to human resources’ SharePoint site, which can include information like medical records and Social Security numbers. Establishing the Principle of Least Privilege allows you to limit data access based on need, and can prevent an attacker from pivoting to other machines/data if a system is compromised.
3. See where data is going: Now that access to sensitive data housed in the cloud has been properly safeguarded, it’s a good time to focus on what data needs the strongest protections. Organizations that need to meet compliance standards, such as HIPAA, PCI DSS, CIPA, or CJIS will need to adopt strong security controls to protect this sensitive data. The ramifications of a data breach — whether directly via compliance violation penalties or indirectly via reputation damage — can be significant.
Fortunately, O365 has built-in Data Loss Prevention (DLP), eDiscovery, and auditing and reporting functionality. These tools can identify, monitor, and protect sensitive data (such as credit card and Social Security numbers) sent via email or moving around the network. But the auditing data and reports these tools generate only help if administrators actually review them to determine what data company personnel are using and how.
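As an added example (not from the original article or from SHI), this PowerShell creates a DLP policy for the two data types named above, starting in test mode so the reports accumulate before anything is blocked, and then pulls a week of DLP matches from the unified audit log so the review step is not skipped. It assumes the ExchangeOnlineManagement module and a compliance administrator account; the policy and rule names are placeholders.

```powershell
# Added example: DLP policy for credit card numbers and U.S. SSNs in Exchange Online mail,
# plus a query that surfaces the resulting DLP events for review.
# Assumes the ExchangeOnlineManagement module and a compliance administrator account.
Connect-IPPSSession

$policyName = 'PII in email (added example)'   # placeholder name

# Start in test mode: matches are reported and users are notified, nothing is blocked yet.
# Change -Mode to Enable once the reports show the rule matches what you expect.
New-DlpCompliancePolicy -Name $policyName `
    -Comment 'Detect credit card numbers and U.S. SSNs sent by email' `
    -ExchangeLocation All `
    -Mode TestWithNotifications

# Built-in sensitive information types; one match of either is enough to trigger the rule.
# The rule only fires for mail leaving the organization, notifies the sender,
# and files a high-severity incident report for the admin to review.
New-DlpComplianceRule -Name "$policyName - external recipients" `
    -Policy $policyName `
    -ContentContainsSensitiveInformation @(
        @{ Name = 'Credit Card Number';                 minCount = '1' },
        @{ Name = 'U.S. Social Security Number (SSN)';  minCount = '1' }
    ) `
    -AccessScope NotInOrganization `
    -BlockAccess $true `
    -NotifyUser Owner `
    -GenerateIncidentReport SiteAdmin `
    -ReportSeverityLevel High

# The review step: list the last seven days of Exchange DLP events from the unified audit log
# (unified auditing must be enabled for the tenant for this to return anything).
Connect-ExchangeOnline
Search-UnifiedAuditLog -StartDate (Get-Date).AddDays(-7) -EndDate (Get-Date) `
    -RecordType ComplianceDLPExchange -ResultSize 500 |
    Select-Object CreationDate, UserIds, Operations |
    Format-Table -AutoSize
```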
4. Set up a perimeter: Phishing attacks remain one of the most prominent attack vectors today, so ensure your email gateway provides anti-spam and anti-phishing filtering. URL link protection and attachment sandboxing may be warranted as well.
A cloud-based email gateway makes economic sense and would protect against careless employees who might click links or open attachments from senders they don’t know. This tool provides all of the same features as an on-premises solution with the added benefit of archiving and continuity services functionality. The latter service is especially important as part of a Business Continuity Plan. Another benefit available in email gateways is encryption, which allows users to securely send emails, maintaining the confidentiality and integrity of the message.
5. Don’t skimp on education: Educating users on best practices for maintaining confidentiality, integrity, and availability is an invaluable exercise. There are only so many technical controls you can put in place, as users will find ways to circumvent them with enough motivation.
Providing your users with appropriate training on what phishing emails look like, the importance of using encryption, and proper web usage is a great way to turn uninformed users into “human firewalls.” Aside from internal training, third-party security assessments can also benefit your organization by providing phishing campaigns and social engineering exercises that evaluate and help you improve your security posture.
O365 is a powerful tool, so protect it
The freedoms O365 affords users are well worth the added security you should enable. Many of the necessary controls vital to an organization’s security posture are available within the Microsoft Suite, but need to be activated. Additional security solutions that complement what O365 offers are also easy to find.
These controls will help shore up O365 security and safeguard valuable and sensitive information, while still allowing employees to work from anywhere on their trusted devices.
Whatever your security need may be — whether you’re looking to purchase a specific solution or need implementation services, looking for recommendations based on your needs, or want assessment services to evaluate the solutions you do have — SHI’s Security Practice is here to assist you every step of the way. Contact your SHI Account Executive to learn more.