One of the many benefits of Microsoft 365 is its powerful security capability: not only an ever-increasing suite of security features, but the sheer scale of Microsoft’s cloud security operations. Microsoft has a vast number of security professionals, resources and capabilities, so it is reasonable to believe that once you’re in, you’re taken care of. That is true in some sense, but it is definitely not the whole story. Reading the fine print, it’s important to be aware that “You are responsible for protecting the security of your data and identities, on-premises resources, and the cloud components you control”.
A critical point with any cloud service is the shared responsibility model. In essence, Microsoft provides the functionality, but it is generally up to the customer to configure that functionality correctly, balancing your own needs and appetite for risk against security controls that can, in some cases, become overburdensome for users. On the sliding scale from zero security to maximum security, it can be difficult to know where to land the slider, and just as difficult to know where the settings are!
#1 Secure your identity
Multi-factor authentication, using your mobile phone as an additional factor alongside your password, is now the norm. In fact, multi-factor authentication is enforced by default in new Microsoft 365 tenants because, according to Microsoft, it stops 99.9 per cent of login-based attacks. But, as with most security solutions, attackers have learnt to adapt. SMS-based multi-factor authentication is now viewed as one of the least secure methods. You may be more familiar with the notification method, where you approve a prompt on your phone, but this too is now prone to attack. Users face multi-factor fatigue: according to Microsoft, 1% of Microsoft 365 users will accept a simple approval prompt on the first try when an attacker is attempting to sign in with their compromised username and password. Additional multi-factor authentication security features in Microsoft 365 that help to overcome these fatigue-based attacks have been available for some time but, as with multi-factor authentication itself some time ago, are not enabled by default and must be turned on. There is an obvious benefit in staying ahead of the game and always using the latest Microsoft 365 security configuration, but you must know where to go to turn those features on.
Take action: Firms should expect to move fast with changing Microsoft 365 security feature sets, in an attempt to outpace increasing and evolving security threats. This is far more change than would be the norm in a traditional on-premises environment.
#2 Maximise your controls
Typically, when migrating to Microsoft 365, you come from a traditional environment of file servers, business applications and VPNs. With Microsoft 365 your data is available from any web browser or device by default. The key to this data is no longer physical presence in the office or a company laptop connected over a VPN from home, but simply your username and password, usable from any location in the world. As per the previous point, multi-factor authentication is one of the best ways to start protecting your data in Microsoft 365; however, you cannot rely on a single security control. Historically, you would have had a firewall controlling what people can do inside your network and from the internet. The equivalent for Microsoft 365 is Conditional Access. This is a powerful tool that is highly configurable and, by default, fairly open. Conditional Access allows you to control exactly where people can log in from, what types of devices or applications they can use and much more, but it requires organisation-specific settings to define those controls. Often, Conditional Access is left at its defaults or configured with only basic settings. Some of these controls require additional Microsoft 365 technologies to be enabled, such as Intune, further raising the barrier to entry for more robust security settings.
Take action: Firms should spend time defining what normal looks like for their people accessing corporate data and applications and seek security advice for building the controls in Conditional Access to meet those requirements, whilst balancing risk with usability.
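As an added illustration (not from the original article), two Conditional Access policies created with the Microsoft Graph PowerShell SDK show the kind of organisation-specific controls described above: one requires MFA plus an Intune-compliant device for all users outside trusted locations, the other blocks legacy authentication clients that cannot perform MFA. The break-glass group id is a placeholder, and both policies are created in report-only mode so their effect can be reviewed in the sign-in logs before enforcement.

```powershell
# Added example (not from the article): Conditional Access policies via the Microsoft Graph PowerShell SDK.
# Requires: Install-Module Microsoft.Graph.Identity.SignIns
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All"

# Placeholder: object id of an emergency-access ("break-glass") group that is excluded
# from every policy so a misconfiguration cannot lock every administrator out.
$breakGlassGroupId = "<BREAK-GLASS-GROUP-OBJECT-ID>"

# Policy 1: outside trusted named locations, require MFA AND an Intune-compliant device
# for all users and all cloud apps. "AllTrusted" refers to Microsoft Entra ID named
# locations marked as trusted; operator "AND" means both controls must be satisfied.
$requireMfaAndCompliantDevice = @{
    displayName   = "CA01 - Require MFA and compliant device outside trusted locations"
    state         = "enabledForReportingButNotEnforced"   # report-only: evaluate first, enforce later
    conditions    = @{
        users          = @{ includeUsers = @("All"); excludeGroups = @($breakGlassGroupId) }
        applications   = @{ includeApplications = @("All") }
        locations      = @{ includeLocations = @("All"); excludeLocations = @("AllTrusted") }
        clientAppTypes = @("browser", "mobileAppsAndDesktopClients")
    }
    grantControls = @{
        operator        = "AND"
        builtInControls = @("mfa", "compliantDevice")
    }
}

# Policy 2: block legacy authentication protocols (Exchange ActiveSync and "other" clients
# such as IMAP/POP/SMTP AUTH), which cannot prompt for MFA and so would sidestep policy 1.
$blockLegacyAuth = @{
    displayName   = "CA02 - Block legacy authentication clients"
    state         = "enabledForReportingButNotEnforced"
    conditions    = @{
        users          = @{ includeUsers = @("All"); excludeGroups = @($breakGlassGroupId) }
        applications   = @{ includeApplications = @("All") }
        clientAppTypes = @("exchangeActiveSync", "other")
    }
    grantControls = @{
        operator        = "OR"
        builtInControls = @("block")
    }
}

foreach ($policy in @($requireMfaAndCompliantDevice, $blockLegacyAuth)) {
    $created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
    Write-Output ("Created '{0}' in state {1} (id {2})" -f $created.DisplayName, $created.State, $created.Id)
}
```

Switch `state` to `enabled` only after the report-only entries in the sign-in logs show the expected users, locations and devices being caught and nothing unexpected.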
#3 Train users to improve security
People in your organisation are often targeted as an entryway into your Microsoft 365 environment. A typical attacker sends a convincing email that appears to be from Microsoft and fools the recipient into logging in to a Microsoft 365-looking sign-in page, unwittingly revealing their credentials. A key to protecting people from attack is to train them on what to look out for and how to identify someone trying to compromise their credentials, providing a first line of defence outside of the technology. A place to start is phishing simulations, which test Microsoft 365 users and help you understand what training is required. They also provide a measure of your success as you adopt security training tools to educate people on Microsoft 365 security.
Take action: Firms should be mindful that the technology in Microsoft 365 won’t necessarily protect them from all eventualities and should educate users to improve overall security.
#4 Have an additional backup
In the unfortunate scenario that a hacker gets in and does something damaging to your Microsoft 365 environment, your last line of defence is backup. The backup of Microsoft 365 is quite often overlooked. It is a reasonable expectation that Microsoft backs up your data and takes care of this when your data is all stored on Microsoft servers. Whilst this is true, in some circumstances it is not in the way you’d expect. Intentionally or not, files, emails and conversations can be deleted. Microsoft does provide many guardrails, such as recycle bins, but everything in them can be permanently deleted. Microsoft also periodically backs up the overall environment, yet in the event of an attack it can be difficult to reliably restore your data to an acceptable point in time before the attack occurred. There are many third-party backup products for Microsoft 365 that store copies of your data outside of the environment for reliable restoration in a worst-case scenario.
Take action: Firms should seek additional backup capability outside of Microsoft 365 to reduce the effect of a compromised Microsoft 365 account or a compromise of the whole environment.
Whilst these are our top four considerations, there are naturally many more.
At Lanware, we have standardised our Microsoft 365 security configuration for financial services firms to help them quickly achieve a security good practice starting point when adopting Microsoft 365. This includes the use of credible third-party tools to plug the gap where Microsoft 365 is lacking.