Top 5 Office 365 Security Best Practices

Microsoft has done its best to keep the Office 365 platform secure, but does that give you and your business the flexibility to ignore your part in protecting your Office 365 assets?


It’s important to understand a few basic facts about Office 365.

Out of the box, while Microsoft tries to prevent breaches, it’s not as secure as it can be. You need to have multifactor authentication (MFA), understand your password policies, and understand how your data is being stored in Office 365.

In fact, Office 365 in and of itself does not have a backup. In other words, while Office 365 has some redundancies and is resilient to failures, it’s not set up to remediate a cyber attack from a malicious actor who succeeds in damaging, destroying, deleting, or changing your data.

So, what steps must you take to secure your Office 365 assets?

1. Multifactor Authentication

First, Multifactor Authentication (MFA) is key. Using just a password to access Office 365 is not secure enough.

Your users are likely using the same password across different applications and portals, which may or may not be secure. You may be syncing your network password to Office 365.

There’s nothing inherently wrong with doing so, but it makes you more vulnerable because a number of your assets are protected by just one password — if it gets compromised, you’re in trouble.

Thus, something as simple as MFA prevents cyber attackers from using stolen passwords to access your Office 365 assets.

In fact, there are a number of effective MFA options that work with Office 365. Office is one of the most prevalent cloud suites in the world, so most large vendors not only support it but also highlight that support.

Opt is a great one. Opt integrates heavily with Office 365, and allows you to do a lot of different, interesting things. For example, you can self-provision Office 365 — i.e., when you add a user to your Active Directory network, Opt will automatically add them to Office 365 and provision them.

Opt will also add any groups and security policies you have, which might allow them access to SharePoint or other pieces of information inside of Office 365.

While that’s interesting and valuable for saving time, more importantly, it decommissions those users when you decommission them from your Active Directory.

You can also look at AuthAnvil, DUO, and even Microsoft’s own MFA suite. Each of these has some form of federation that leverages Microsoft’s ability to absorb your security policies into theirs and take in whatever policies you have set in your internal network onto their network.
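As an added example (not from the original post), the following PowerShell reports which accounts still have no per-user MFA requirement or have never registered an MFA method, using the object shape returned by the MSOnline module’s Get-MsolUser; the user objects below are constructed sample data so the script runs offline, and the tenant name contoso.example is hypothetical.

```powershell
# Added example, not part of the original post. Reports per-user MFA coverage using
# the property names of the MSOnline module's Get-MsolUser output. $users is
# CONSTRUCTED sample data; the commented line near the bottom shows the live call.

function Get-MfaCoverageReport {
    param([Parameter(Mandatory)][object[]]$Users)

    foreach ($u in $Users) {
        # Sign-in-blocked accounts cannot authenticate at all, so they are not a gap.
        if ($u.BlockCredential) { continue }

        # StrongAuthenticationRequirements is empty until per-user MFA is switched on;
        # State is 'Enabled' (must register at next sign-in) or 'Enforced' (applied now).
        $state = if (@($u.StrongAuthenticationRequirements).Count -gt 0) {
            @($u.StrongAuthenticationRequirements)[0].State
        } else { 'Disabled' }

        # Registered methods (authenticator app, phone call, SMS ...). Empty means the
        # user never completed registration even if a requirement is set.
        $methods = @($u.StrongAuthenticationMethods | ForEach-Object { $_.MethodType }) -join ','

        [pscustomobject]@{
            UserPrincipalName = $u.UserPrincipalName
            MfaState          = $state
            Methods           = if ($methods) { $methods } else { '(none)' }
            Gap               = ($state -eq 'Disabled') -or (-not $methods)
        }
    }
}

# Constructed sample users mimicking Get-MsolUser output (hypothetical tenant).
$users = @(
    [pscustomobject]@{ UserPrincipalName = 'alice@contoso.example'; BlockCredential = $false
        StrongAuthenticationRequirements = @([pscustomobject]@{ State = 'Enforced' })
        StrongAuthenticationMethods = @([pscustomobject]@{ MethodType = 'PhoneAppNotification'; IsDefault = $true }) }
    [pscustomobject]@{ UserPrincipalName = 'bob@contoso.example'; BlockCredential = $false
        StrongAuthenticationRequirements = @([pscustomobject]@{ State = 'Enabled' })
        StrongAuthenticationMethods = @() }   # required, but never registered
    [pscustomobject]@{ UserPrincipalName = 'carol@contoso.example'; BlockCredential = $false
        StrongAuthenticationRequirements = @()
        StrongAuthenticationMethods = @() }   # password only
    [pscustomobject]@{ UserPrincipalName = 'svc-old@contoso.example'; BlockCredential = $true
        StrongAuthenticationRequirements = @()
        StrongAuthenticationMethods = @() }   # blocked account, skipped
)
# For a live tenant instead:  Connect-MsolService; $users = Get-MsolUser -All

$report = Get-MfaCoverageReport -Users $users
$report | Format-Table -AutoSize
$gaps = @($report | Where-Object Gap)
'{0} of {1} active accounts have an MFA gap' -f $gaps.Count, @($report).Count
```

Per-user settings do not reflect MFA imposed through Conditional Access or Security Defaults, so a tenant relying on those needs a separate check of those policies; the MSOnline module is also deprecated in favour of the Microsoft Graph PowerShell SDK.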

2. End-User Training

End-user security support & training is important.

For example, there is a new cryptovirus that, with a single click on a link, can crypto-lock the email you have in Office 365. Because Office 365 doesn’t have a backup by default, that data could be lost forever. You should train your users to avoid clicking such links.

Over 40% of breaches are caused by employees, which speaks to weak end-user training and email use. You must understand the threats your employees are facing when it comes to Office 365 and email.

Each day, your employees will receive emails, and they must understand how to identify spam, mark mail for spam, release and whitelist things that are not spam, etc.

You must also educate your employees on how to recognize malicious links and how to deal with them: not clicking them, raising awareness, marking the message as spam, and reporting it to supervisors (so that other employees who may have fallen victim can be alerted and the organization can take steps to remediate).


3. Backup

Like any other good cyber practice, backing up your Office 365 data is critical. There are a number of companies that offer Office 365 email and SharePoint backup. Whatever backup solution you choose, you must ensure it’s active.

If there’s a breach and it wipes out or encrypts your data, you will not be able to recover it through Microsoft. You need an external backup solution.

This also relates to your policies. If an employee decides to quit or become malicious, they can delete all of their emails and data. Unless you have backed it up, you won’t recover it. Backing your data up will ensure that your employees can’t permanently delete company data.

These backups for Office 365 are cloud-based and inexpensive. There are also hardware solutions — such as Synology — that offer free Office 365 backups. In other words, backing up your Office 365 data isn’t a difficult or expensive exercise.

4. Review Your Security Policies

The other thing you can do is look at your security policies:

  • Understand what you’re putting in Office 365.
  • How are people accessing Office 365?
  • What devices are they using to access Office 365?
  • Are you allowing them to access it from outside your company network?
  • Are you allowing them to access it on their personal mobile devices?
  • Can they download documents onto their personal devices?

These are policies that are really important from both a cyber security perspective as well as a company perspective.

Cyber security covers both external actors and internal employees. If an employee maliciously steals your data from Office 365, that’s a breach of your security. It occurred because you didn’t review your policies to evaluate the risk of letting employees read documents in Office 365 from their home computer and download them.

These are all things Office 365 allows by default. So, you need to understand your risks and set policies to mitigate those risks. This could include having an employee handbook that states, “You can’t do X.” You can also configure Office 365 to block certain actions, such as copying data down to a personal computer that’s not on the company domain.


5. Refer to the Office 365 Score

The Office 365 score is only as reliable as the information you provide it, since it bases a lot of its assessment on that input. However, it does give you a good indicator of where you stand as far as Office 365 security is concerned.

As with any other cyber security initiative, the first step is understanding exactly where you’re vulnerable, and that’s where the score comes in. You get high marks for things like MFA and strong password policies, and those few small steps alone will increase your score significantly.

Power Consulting brings over 20 years of experience helping small businesses climb the steep hill of protecting their valuable investments from all manner of cyber threats. Speak to us today to find and close your gaps.

We at Power Consulting will help you keep your Office 365 email accounts and files secure and recoverable at all times. You just need to focus on running your business. Talk to us for a FREE consultation.
