12 August 2021
The Microsoft 365 Security Tips Every Business Should Know
Even now, after recent cyber attacks hit the mainstream news, there is still a common misconception that cyber-criminals aim primarily at big business and government. Unfortunately for smaller organisations, the truth is that small business is the target of 43% of cyber-crimes. After all, for a hacker, it can be easier to breach the defences of a business that doesn’t employ a cyber-security expert.
But surely now we’re using Microsoft 365 and our data systems are all in the cloud, that’s more secure, right? Not entirely. Microsoft has indeed included some outstanding security features in its flagship product line – but they need to be set up to suit your particular business needs. The platform starts out with generic settings designed to suit a wide range of circumstances. Spending some time locking down your Microsoft 365 set-up is enormously valuable.
Know Your Security Score
That may sound daunting, but the product suite is very good at guiding companies through the system. There’s a lot of good information in the Microsoft portal to get you started. Still, there are a lot of features, with new additions landing most weeks, and knowing which to focus on can be tricky if you don’t specialise in this aspect of technology. A good starting point can be checking the security score feature for your business. Anyone with admin rights can view the score, and read suggestions about what to improve. Even if you don’t execute every suggestion, it is a good prompt to focus on security.
Choose the Right Plan
There are many Microsoft 365 plans to choose from, each with different inclusions. Typically, we recommend Microsoft 365 Business Premium as a minimum, because the base products below that level, has limited capability when it comes to securing an organisation. That leaves you adding capabilities from other products, such as spam protection filters, that can end up costing more overall. Juggling separate products also makes you more likely to miss the occasional update or security patch, and may cause a few integration headaches, making it a painful false economy.
When your emails and data reside in the cloud, multi-factor authentication is a must. The business-level Microsoft 365 packages all make this easy to set up, and it is one of the most important security measures you can take. This doesn’t take away the need for strong passwords, of course, but rather reduces the risk involved when a password is compromised. The combination of cyber-smart users and strong processes is highly effective. Read our blog about two factor authentication here.
Identity Management and Device Control
One of the great things about Windows 10 and Microsoft 365 is the ability to have computers managed via the cloud. You can, for example, set up policies around devices so that when a computer is added to your organisation, it will get the same settings as every other computer in your business. You can enforce password complexity requirements, prevent installation of unauthorised apps, and auto-install anti-virus software, so that you can create a consistent level of security.
The generic settings in Microsoft 365 allow users to share files with anybody. Let’s face it, we all make mistakes, especially when we’re juggling tasks during peak times, and users can accidentally (or otherwise) share private information. Microsoft 365 has some file sharing settings that are worth exploring – you can stipulate rules at a file, folder, or department level that determine who can view the contents.
When we work with new clients, we typically go through a review process, and find that data is open to everyone in the organisation. It is important to know that when data is accidentally or inappropriately shared and it contains any personal identity information, it is a reportable data breach that the organisation is obligated to report to the Office of the Australian Information Commissioner (OAIC).
Backups and security go hand-in-hand, because when there’s a problem, this is what stands between your business getting quickly back online or facing crippling losses. Most people don’t think about backing up cloud data because of a mistaken belief that this already happens. In fact, most cloud services have retention rather than backup – and if data is lost or stolen, the built-in capabilities do not offer a sufficiently granular level to work efficiently in the aftermath. If your industry has strict regulations, in particular financial services, health, or legal services, the included data retention will not meet your obligations.
For this reason, when you move to cloud, it is important not to forget the best practice you depended on when your systems resided on-premise, such as keeping a backup tape in a fire-proof safe. Moving to cloud is, though, a very good time to revisit your backup processes, as there are many more options nowadays that can save you time and effort.
When you’re moving some or all of your systems to the cloud, there is a lot you can do yourself, but it is still worth a discussion with your trusted IT provider to ensure that you are not inadvertently leaving an easy way in for cyber-criminals. In fact, if security features are not a topic frequently raised by your Microsoft 365 provider, why not?