
Office 365 Security Best Practices


Even though Microsoft’s Office 365 is an easy-to-use platform, securing your data in the cloud is not that simple. Implementing a few Office 365 security best practices can put your data in a safer place than it was yesterday.

Office 365 is constantly evolving with new features being added every month. Keeping on top of your security posture is critical. Out of the box, Office 365’s settings for data security are fairly weak. We’ve seen organisations that have been in a far worse position than they thought when it came to cloud security.

By modernising their security, many businesses are incorporating a zero trust methodology. This helps to secure sensitive data and improves their ability to defend against modern cyber threats. Office 365 can form part of that zero trust framework if security is planned right.

To help get your business in a better position, we’ve put together a list of our top Office 365 security best practices. We aim to configure these principles for all our clients. By implementing this list, we’re sure that your data will be safer and you’ll be back in control.

Office 365 Security Best Practices Start With Your Password Policy

Password policies and best practices have changed. The days of forcing staff to change their passwords regularly are gone, and so are the overly complex passwords that are difficult for people to use.

NIST (the US National Institute of Standards and Technology) is the body that was responsible for pushing complex passwords made up of letters, numbers and symbols back in the day. Recently they’ve changed their tune on password security.

Today, NIST recommends that password policies are changed so staff no longer have to change their password periodically. People should change their password only when they have to: when there has been a security incident, such as an account compromise, or when the password has been forgotten.

NIST’s other recommendations cover password length. More often than not, passwords used to be set to around 8 characters. Now, 8 characters is the minimum, and the more characters the better.

Instead of using complex passwords, like ‘:BF-!wVZRC!pEz’, the general recommendation is to use passphrases, like ‘4horse coffee-coin’. It’s much easier to remember a passphrase than a complex password. And it’s less likely to be written down.

You can read more about the NIST Guidelines on their website.

Embrace Multi-Factor Authentication

Multi-factor authentication (MFA) is, bar none, one of the easiest and most effective changes you can make to secure your Office 365 data.

With the rapid increase in data breaches and the continuous move to the cloud, multi-factor authentication brings a new approach to data security.

When you enable MFA your staff will be required to enter a one-time passcode (OTP) using an authentication application on their mobile device when accessing a corporate Office 365 application.

Multi-factor authentication has been proven to reduce the threat of account compromise by over 90%. Phishing emails are increasing in number and getting more and more advanced. The extra layer of authentication through MFA will go a long way to improving your security posture.

It doesn’t matter if you run a cloud-first strategy or operate a hybrid platform with on-premises applications and data. MFA can secure access to all your data.

MFA can help you secure access to your data through a range of sources:

  • Office 365 (Exchange Online, OneDrive, SharePoint, etc.)
  • VPNs
  • WiFi networks
  • Cloud applications
  • Application gateways (Netscaler, etc.)

When combined with single sign-on, enabling MFA for all staff improves security without the usual burden of giving them more hoops to jump through.

Go Further on Your Protection Against Malware and Ransomware

Scanning all emails in and out of your environment for malware and viruses is hardly worth raising an eyebrow over. If you’re in Office 365 already, Microsoft scans your mail out of the box with no configuration.

Best practice is not to rely on any one email scanning platform to block malware before it gets into your environment. After all, nothing is completely foolproof and guaranteed, even if it says so on the tin.

Our recommended approach is to build a list of file types that are commonly used to deliver malware and block the email before it gets into your mailboxes.

Files that you want to block as part of your filtering include the usual suspects – BAT, CHM, CMD, COM, CPL, EXE, JS, VB, VBS, etc. We maintain a comprehensive list of attachments that are simply blocked while others are quarantined, just in case.
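The two-tier approach described above (block the usual suspects outright, quarantine the rest) can be expressed as Exchange Online mail flow rules. This is an added example, not the article’s or Microsoft’s own configuration; the rule names and extension lists are constructed here and should be tuned to your tenant. It assumes the ExchangeOnlineManagement module and an account with the Organization Management role.

```powershell
# Added example: tiered attachment filtering with Exchange Online transport rules.
Connect-ExchangeOnline

# Tier 1: file types that are almost never legitimate as email attachments.
# The message is rejected and the sender receives an NDR explaining why.
$blockExtensions = @('bat','chm','cmd','com','cpl','exe','js','jse','msi','ps1','scr','vb','vbe','vbs','wsf')
New-TransportRule -Name 'Block executable attachments' `
    -AttachmentExtensionMatchesWords $blockExtensions `
    -RejectMessageReasonText 'Attachment type is not permitted by policy.' `
    -RejectMessageEnhancedStatusCode '5.7.1' `
    -Comments 'Tier 1: reject outright' `
    -Priority 0

# Tier 2: types with legitimate uses that are also common malware carriers.
# These are quarantined so an administrator can release false positives.
$quarantineExtensions = @('iso','img','lnk','reg','hta','docm','xlsm','pptm')
New-TransportRule -Name 'Quarantine risky attachments' `
    -AttachmentExtensionMatchesWords $quarantineExtensions `
    -Quarantine $true `
    -Comments 'Tier 2: hold for review' `
    -Priority 1

# An extension match is defeated by renaming a file, so also quarantine
# attachments whose content is detected as executable, and attachments
# the filter cannot open (encrypted or unsupported container formats).
New-TransportRule -Name 'Quarantine executable or unscannable attachments' `
    -AttachmentHasExecutableContent $true `
    -Quarantine $true `
    -Priority 2
New-TransportRule -Name 'Quarantine unsupported attachments' `
    -AttachmentIsUnsupported $true `
    -Quarantine $true `
    -Priority 3

# Verify the rules exist and are enabled, in priority order.
Get-TransportRule | Where-Object { $_.Name -like '*attachments' } |
    Sort-Object Priority | Format-Table Name, State, Priority
```

Rules are evaluated in priority order, so the reject rule sits first and the quarantine rules only see mail that survived it.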

Ransomware is Still A Threat to Data Security

We haven’t seen an outbreak of ransomware across our client-base for some time. With that being said, there’s plenty of it still out there.

One of the biggest hits was the global shipping company Maersk. More recently, a number of local government networks in the US have fallen victim to ransomware.

Ransomware restricts access to your data by encrypting files. The play for the cyber criminals is to extort money from you to decrypt the data.

Other than tightening up your malware filters, or implementing a 3rd party malware filter, there are a few settings we recommend you make to help keep your staff vigilant.

  • Ensure you have warnings configured to let staff know if they are opening Office documents that contain macros. Macro-enabled documents may look inconspicuous to a malware filter. The dangerous payload is downloaded when the macro is initiated.
  • Deploy next-generation endpoint protection that includes Endpoint Detection and Response (EDR) capabilities, such as Palo Alto’s Traps, SentinelOne or Trend Micro’s Apex One.
  • Make sure you understand the process to recover data to a point in time quickly if you suffer a ransomware outbreak. Remember, Office 365 doesn’t back up your data. You’ll need to develop a plan for recovery.
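The first bullet above, configuring macro warnings, maps to the registry values that Office Group Policy sets. The following is an added example, not from the original article; it writes the per-user (HKCU) values for Word, Excel and PowerPoint, and in a managed environment the same settings would be deployed through GPO or Intune rather than run by hand.

```powershell
# Added example: enforce Office macro warnings via the policy registry keys.
$apps = 'Word', 'Excel', 'PowerPoint'

foreach ($app in $apps) {
    $key = "HKCU:\Software\Policies\Microsoft\Office\16.0\$app\Security"
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }

    # VBAWarnings: 1 = enable all macros, 2 = disable with notification (the
    # warning bar the article recommends; the user must click to enable),
    # 3 = disable all except digitally signed, 4 = disable silently.
    # Use 3 if you can sign your own macros; it keeps the warning for the rest.
    Set-ItemProperty -Path $key -Name 'VBAWarnings' -Value 2 -Type DWord

    # Block macros outright in files carrying the Mark-of-the-Web, i.e. files
    # downloaded from the Internet or saved from an email attachment.
    Set-ItemProperty -Path $key -Name 'blockcontentexecutionfrominternet' -Value 1 -Type DWord
}

# Report the effective settings so the change can be verified or audited.
foreach ($app in $apps) {
    Get-ItemProperty -Path "HKCU:\Software\Policies\Microsoft\Office\16.0\$app\Security" |
        Select-Object @{ n = 'App'; e = { $app } }, VBAWarnings, blockcontentexecutionfrominternet
}
```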

Another technology that will help out with all forms of malware and ransomware is URL rewriting. We’ll cover this off a little later.

Prevent Auto-Forwarding of Email in Office 365

If any of your accounts are taken over by hackers, one of the methods they use to exfiltrate data out of your network is automatic email forwarding rules. These give the hackers a copy of every email sent to the victim’s mailbox.

In all reality, there aren’t many valid reasons why you’d want to allow staff to set up auto-forwards on their email.

It’s important to note that this doesn’t include Out of Office messages. What we are talking about here is custom Outlook rules.

As part of our Office 365 security best practices, we prefer to set up a default rule that prohibits auto-forwarding of emails to external domains.

Any time an auto forward is configured, our team gets a notification through the Office 365 Security Centre and Microsoft’s Cloud App Security alerting.
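The default external auto-forward block described above can be applied at three layers in Exchange Online, and the existing forwards already in place should be audited at the same time. This is an added example, not the article’s own configuration; it assumes the ExchangeOnlineManagement module, and the transport rule name is constructed.

```powershell
# Added example: block external auto-forwarding and audit existing forwards.
Connect-ExchangeOnline

# 1. Tenant-wide switch in the outbound spam policy.
Set-HostedOutboundSpamFilterPolicy -Identity Default -AutoForwardingMode Off

# 2. Remote domain setting: deny auto-forward to the default remote domain,
#    which covers every external domain not explicitly listed.
Set-RemoteDomain -Identity Default -AutoForwardEnabled $false

# 3. Mail flow rule: reject auto-forwarded messages leaving the organisation
#    and tell the sender why, so a legitimate need turns up as a support
#    request instead of a silent drop.
New-TransportRule -Name 'Block external auto-forward' `
    -FromScope InOrganization `
    -SentToScope NotInOrganization `
    -MessageTypeMatches AutoForward `
    -RejectMessageReasonText 'Automatic forwarding to external addresses is not permitted.' `
    -Priority 0

# Audit: mailbox-level forwarding set by an admin or via Outlook settings.
Get-Mailbox -ResultSize Unlimited |
    Where-Object { $_.ForwardingSmtpAddress -or $_.ForwardingAddress } |
    Select-Object UserPrincipalName, ForwardingSmtpAddress, ForwardingAddress, DeliverToMailboxAndForward

# Audit: inbox rules that forward or redirect, the classic post-compromise
# persistence a mailbox-level check does not show.
Get-Mailbox -ResultSize Unlimited | ForEach-Object {
    Get-InboxRule -Mailbox $_.UserPrincipalName |
        Where-Object { $_.ForwardTo -or $_.ForwardAsAttachmentTo -or $_.RedirectTo } |
        Select-Object MailboxOwnerId, Name, Enabled, ForwardTo, ForwardAsAttachmentTo, RedirectTo
}
```

The two audit queries are the ones worth scheduling, because a rule created after the block is in place is still a strong signal that the account itself has been compromised.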

Set up outbound spam notifications in Office 365

Most environments are configured to prevent spam and other bulk email from being delivered internally. You need to do the same for outbound messages too.

Credential harvesting is a very common goal of phishing attacks. Once a user account has been compromised, phishing emails are set up to be sent to every address in the compromised user’s address book. This includes all internal staff and external contacts.

By setting up notifications for excessive outbound email, or for spam originating from your internal email addresses, you might be able to head off a credential harvesting attack.

Outbound spam emails or any phishing emails that are seen to be coming from your network are not only embarrassing, they put your business at unnecessary risk.
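The outbound controls described above live in the Exchange Online outbound spam policy: sending limits that throttle a compromised account, the action taken when a limit is hit, and who gets told. This is an added example, not the article’s configuration; the thresholds and the secops@example.com address are constructed values and assume the ExchangeOnlineManagement module.

```powershell
# Added example: harden the default outbound spam policy and notify the team.
Connect-ExchangeOnline

Set-HostedOutboundSpamFilterPolicy -Identity Default `
    -RecipientLimitExternalPerHour 400 `
    -RecipientLimitInternalPerHour 800 `
    -RecipientLimitPerDay 2000 `
    -ActionWhenThresholdReached BlockUser `
    -NotifyOutboundSpam $true `
    -NotifyOutboundSpamRecipients 'secops@example.com' `
    -BccSuspiciousOutboundMail $true `
    -BccSuspiciousOutboundAdditionalRecipients 'secops@example.com'

# Confirm what is now in effect.
Get-HostedOutboundSpamFilterPolicy -Identity Default |
    Format-List RecipientLimit*, ActionWhenThresholdReached, NotifyOutbound*, BccSuspicious*

# Accounts that have already tripped the threshold and been blocked from
# sending. Each one is a candidate compromised account to investigate
# (reset credentials, review inbox rules) before it is released.
Get-BlockedSenderAddress | Select-Object SenderAddress, Reason, CreatedDatetime
```

Microsoft has since moved the notification itself towards the alert policies in the Security & Compliance Center (the default "User restricted from sending email" alert), but the recipient limits and the block action above are what stop the outbound burst.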

Protect Against Phishing Attacks with URL Rewriting

You know that phishing attacks are the biggest threat to email and your staff’s security. Whaling attacks, or Business Email Compromise (BEC), targeting exec teams are also on the rise.

The level of sophistication in phishing attacks is incredible. As the cyber crime industry continues to boom, crafted phishing emails are getting harder and harder to spot.

Over recent times we’ve seen phishing attacks that mimic cloud-sharing platforms, including OneDrive. Now, hackers are using compromised SharePoint sites to distribute links to malware and credential-harvesting pages.

Phishing attacks are harder to defend against than simple malware. In a phishing attack there is no email attachment or payload for the mail filter to catch, so you are left relying on your endpoint security and Internet firewall.

To ward off credential harvesting attacks, you can’t just rely on traditional URL filtering to block access to the compromised site based on reputation.

URL rewriting has proved successful in preventing phishing attacks. With URL rewriting, the target site is verified at the time of the click rather than when the email passes through the mail filter.

What could be an allowed site once it passes the filter may be a blocked site when the potential victim gets around to reading the email and clicking the link.

With Office 365, we can now help you rewrite URLs in OneDrive and SharePoint documents for additional security.

Train and Test Your Staff Often

Information security isn’t just a technology challenge. The technology is there to reinforce your policies and procedures and to manage your risk.

Your staff are the first line and the last line of defence when it comes to your data security. Many businesses are investing in applications and services to mitigate their cyber security risk. It makes sense to keep your staff trained, aware and vigilant.

Teaching your staff how to secure data in Office 365, such as the right way to share OneDrive links, is one thing. You should also consider implementing regular cyber security training.

Many training programs are easy to understand and educational. To further bring the message home, you can run random phishing simulations for all or some of your employees.

If you’d like to run a free phishing simulation across your business, let us know.

This list of Office 365 security best practices is by no means complete. Most of the mechanisms to secure your data in Office 365 require a full understanding of your security posture and your risk profile.

Areas such as mobile device management, email encryption, data loss prevention and conditional access all take planning and are unique to each business. Planning your Office 365 security strategy is an important process and shouldn’t be taken lightly.

If you’d like to talk more about how we can help you secure your data and your systems, please get in touch.