Could your Office 365 set-up be harming your business?

Microsoft 365 Business Essentials is, by Microsoft's own description, designed to enable digital transformation by facilitating collaboration and a seamless working environment while safeguarding business data.

Now, this all sounds pretty good, and as a Microsoft Gold partner we have introduced O365 into many business environments and put in place IT plans that have created vastly more productive digital workplaces.

However, we have also met far too many businesses that have come unstuck, either because they do not fully understand how data moves through O365 or because they apply on-premises security practices to a cloud storage strategy.

While MS 365 Business Essentials offers many security features that you should take advantage of, there are a number of risks and security gaps that the native O365 tools do not address on their own.


MS 365 alone does not offer secure cloud storage

As our partners at Altaro will confirm, you may believe that Microsoft fully backs up your Office 365 data at source, but this is not the case.

To be fair to Microsoft, O365 Business Essentials was never built to provide data protection. It operates under a shared-responsibility model: Microsoft keeps the service running and resilient, and you remain responsible for your data. The native recovery options are limited. Deleted Exchange Online items (emails, attachments, contacts and calendar entries) are recoverable for 14 days by default, extendable to a maximum of 30; the SharePoint and OneDrive recycle bins hold deleted files for 93 days. After those windows the data is gone unless a retention policy or litigation hold happens to cover it, because Microsoft does not keep an independent backup of your tenant that you can restore from.

As a business, it is important to have a third-party backup solution in place, writing to storage that is separate from your O365 tenant and offering long or unlimited retention, so that a deleted mailbox, a ransomware incident or a malicious insider cannot take the only copy of your data with it.
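The recovery window described above is configurable only up to its 30-day ceiling. The following script is an added example, not code from the original article or from Altaro: it finds mailboxes still on the 14-day default and raises them to the maximum, which narrows the gap but does not close it. It assumes the ExchangeOnlineManagement module is installed and that the signed-in account can run Get-Mailbox and Set-Mailbox.

```powershell
# Added example (not from the original article): check how long deleted mailbox
# items survive in Exchange Online and raise every mailbox to the 30-day maximum.
# Assumes the ExchangeOnlineManagement module and an account with mailbox
# administration rights.

Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline   # interactive sign-in; use -AppId/-CertificateThumbprint/-Organization for unattended runs

# RetainDeletedItemsFor may come back as an EnhancedTimeSpan or, from the
# REST-backed cmdlets, as a string such as "14.00:00:00"; casting via its
# string form handles both.
function Get-RetentionDays($value) { ([TimeSpan]"$value").Days }

# Mailboxes whose deleted-item retention is below 30 days (the service default is 14).
$short = Get-Mailbox -ResultSize Unlimited |
    Where-Object { (Get-RetentionDays $_.RetainDeletedItemsFor) -lt 30 } |
    Select-Object UserPrincipalName, RetainDeletedItemsFor

$short | Format-Table -AutoSize

# Raise them to the 30-day ceiling. Anything deleted more than 30 days ago is
# still unrecoverable from Exchange alone, which is the gap a backup must fill.
foreach ($mbx in $short) {
    Set-Mailbox -Identity $mbx.UserPrincipalName -RetainDeletedItemsFor 30
}

# Make 30 days the default for mailboxes created from now on as well.
Get-MailboxPlan | Set-MailboxPlan -RetainDeletedItemsFor 30
```

The SharePoint and OneDrive recycle-bin period is not configurable, so for files the only lever is a retention policy or an external backup.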

Is your O365 set-up leaving you open to security threats?

It may seem alarmist, but over 70% of businesses using O365 suffer at least one compromised account each month. One of the main problems is that attackers understand businesses all too well: they know that many neglect to put robust security in place.

The reality is that full O365 account takeovers are becoming more common. Attackers take login credentials stolen in breaches of other services and traded on criminal forums, then try them against the O365 sign-in page on the assumption that people reuse passwords (credential stuffing). An account taken over this way shows no malware on any device, which is why a password alone cannot be your only control.

Business-grade endpoint protection still matters, because a large share of stolen credentials are harvested by malware on the device in the first place. The difference between traditional antivirus and endpoint detection and response (EDR) is that antivirus blocks known threats as they arrive, whereas EDR also looks for threats already dwelling on a device and records what they did so you can investigate. Now that employees access O365 from their own devices as well as work computers, endpoint protection on every device that holds an O365 session is essential. It is not, however, a defence against an attacker who already holds a valid password; that is what multi-factor authentication is for.

Multi-factor authentication

Although only part of the solution, some protections are freely available within O365, and multi-factor authentication (MFA) is the most important of them. MFA requires a second proof at sign-in, such as an approval in the Microsoft Authenticator app, a one-time code, or, as a last resort, a text message. SMS is the weakest option because codes can be intercepted or the phone number SIM-swapped, so prefer the app. MFA may not be enforced in your tenant: you must switch it on, either through Security Defaults (which require MFA registration for everyone) or through a Conditional Access policy that at minimum covers all administrators.

As the Cybersecurity and Infrastructure Security Agency (CISA) warned in its Microsoft Office 365 Security Observations report, accounts without MFA are:

“Exposed to internet access because they are based in the cloud. If not immediately secured, they place an organization’s data at risk.”

Protecting against phishing emails

Phishing emails are another common cause of data breaches within the O365 digital workplace. In some cases these emails appear to come from Microsoft, complete with company logos, Office 365 logos or Teams logos, and lead to a look-alike sign-in page that harvests the password.

Attacks are becoming more sophisticated, though, as Microsoft MVP Brien Posey reports in Redmond magazine:

“We have probably all seen phishing attacks in which an e-mail message is meant to appear to have come from Microsoft…These attacks have been around for years.

“Recently, attackers have introduced a new spin on these types of attacks. Instead of trying to spoof Microsoft in the message’s Sender field, the attacker will send the message from another domain that has been compromised. The idea is that because the message comes from a legitimate domain (albeit one that has been compromised), filters will be less likely to block the message.”

That is why it is important to have the right third-party, business-grade spam and phishing filtering in place, monitored on an ongoing basis. Note what this kind of attack means for your filters: because the message really is sent by the compromised domain's mail servers, it passes SPF, DKIM and DMARC checks, so a filter that relies on sender authentication alone will let it through. You need filtering that also inspects links, attachments and message content, and ideally detonates attachments in a sandbox before delivery.

Your O365 admins are ‘key to the kingdom’

Attackers know that your MS 365 Business Essentials admins hold the keys to your kingdom. It sounds dramatic, but it is simply true: a Global Administrator can read any mailbox, reset any password and switch off the very controls described above.

That is why it is always alarming when a business cannot quickly say who has admin access to O365 and what their permissions are.

Accounts that are no longer assigned to anyone (former employees, old project or service accounts) and that are rarely monitored, unprotected by MFA and secured with poor passwords are a real problem. They are frequently used to gain access to business Office 365 email accounts for data theft, phishing and more. What is more, you could be paying unnecessary MS Office subscription fees for the privilege!

At the very least, you should assign administrator roles using role-based access control (RBAC): give each admin the narrowest built-in role that covers their job (Exchange Administrator, SharePoint Administrator, Helpdesk Administrator and so on) rather than Global Administrator, keep the number of Global Administrators to a handful, and use separate, MFA-protected accounts for admin work rather than the admin's everyday mailbox.
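The two questions above (who holds admin roles, and do they all have MFA) can be answered from the tenant itself. The following is an added example, not code from the original article or from Microsoft: it lists the members of a set of privileged roles and flags any with no MFA method registered, or with only a phone number registered. It assumes the Microsoft.Graph PowerShell SDK; the role list and the Graph scopes in the live-run comment are this example's assumptions, so adjust them to your tenant.

```powershell
# Added example (not from the original article): inventory who holds privileged
# Microsoft 365 roles and flag admins with no MFA registered, or with only a
# phone number registered. Assumes the Microsoft.Graph PowerShell SDK; the role
# list and Graph scopes are assumptions, adjust to your tenant.

function Get-PrivilegedRoleMembers {
    param(
        [string[]]$RoleNames = @(
            'Global Administrator', 'Privileged Role Administrator',
            'Exchange Administrator', 'SharePoint Administrator',
            'Security Administrator', 'User Administrator'
        )
    )
    # Get-MgDirectoryRole lists only roles that have been activated in the tenant.
    $roles = Get-MgDirectoryRole | Where-Object { $RoleNames -contains $_.DisplayName }
    foreach ($role in $roles) {
        foreach ($member in (Get-MgDirectoryRoleMember -DirectoryRoleId $role.Id -All)) {
            # Members are generic directory objects; user fields sit in AdditionalProperties.
            [pscustomobject]@{
                Role              = $role.DisplayName
                Id                = $member.Id
                UserPrincipalName = $member.AdditionalProperties['userPrincipalName']
                ObjectType        = $member.AdditionalProperties['@odata.type']
            }
        }
    }
}

function Find-PrivilegedAccountGaps {
    param(
        [Parameter(Mandatory)] [object[]] $Members,       # from Get-PrivilegedRoleMembers
        [Parameter(Mandatory)] [object[]] $Registration   # userRegistrationDetails report rows
    )
    $phoneMethods = @('mobilePhone', 'alternateMobilePhone', 'officePhone')
    $byId = @{}
    foreach ($r in $Registration) { $byId[$r.Id] = $r }

    foreach ($m in $Members) {
        $reg = $byId[$m.Id]
        $mfa = [bool]($reg -and $reg.IsMfaRegistered)
        # Strong methods are anything other than a phone number (authenticator app, FIDO2 key, Windows Hello).
        $strong = @()
        if ($mfa) { $strong = @($reg.MethodsRegistered | Where-Object { $_ -notin $phoneMethods }) }
        $finding = 'ok'
        if (-not $mfa) { $finding = 'NO MFA' } elseif ($strong.Count -eq 0) { $finding = 'phone-only MFA' }
        [pscustomobject]@{
            Role              = $m.Role
            UserPrincipalName = $m.UserPrincipalName
            MfaRegistered     = $mfa
            StrongMethods     = ($strong -join ',')
            Finding           = $finding
        }
    }
}

# Live run (scopes are an assumption; check them against your tenant's consent settings):
# Connect-MgGraph -Scopes 'RoleManagement.Read.Directory','Directory.Read.All','AuditLog.Read.All','UserAuthenticationMethod.Read.All'
# $members = Get-PrivilegedRoleMembers
# $reg     = Get-MgReportAuthenticationMethodUserRegistrationDetail -All
# Find-PrivilegedAccountGaps -Members $members -Registration $reg | Format-Table -AutoSize

# Constructed sample data so the analysis can be tried without a tenant.
$sampleMembers = @(
    [pscustomobject]@{ Role = 'Global Administrator';   Id = 'u1'; UserPrincipalName = 'admin@contoso.example';       ObjectType = '#microsoft.graph.user' }
    [pscustomobject]@{ Role = 'Exchange Administrator'; Id = 'u2'; UserPrincipalName = 'exo-admin@contoso.example';   ObjectType = '#microsoft.graph.user' }
    [pscustomobject]@{ Role = 'Global Administrator';   Id = 'u3'; UserPrincipalName = 'old-project@contoso.example'; ObjectType = '#microsoft.graph.user' }
)
$sampleReg = @(
    [pscustomobject]@{ Id = 'u1'; IsMfaRegistered = $true; MethodsRegistered = @('microsoftAuthenticatorPush', 'mobilePhone') }
    [pscustomobject]@{ Id = 'u2'; IsMfaRegistered = $true; MethodsRegistered = @('mobilePhone') }
    # u3 has no registration record at all
)
Find-PrivilegedAccountGaps -Members $sampleMembers -Registration $sampleReg | Format-Table -AutoSize
```

In the constructed sample the second admin has only a phone number registered and the third has no registration record, so those are the rows that get flagged. Two caveats: Get-MgDirectoryRoleMember returns only active assignments, so roles held through Privileged Identity Management eligibility will not appear; and a member whose ObjectType is a group or service principal needs to be expanded separately, since the registration report covers users only.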

Once you have decided who should have admin privileges, you may choose to implement single sign-on. This is where the same identity and password serve your existing network and O365, typically through Azure AD Connect password hash synchronisation or federation with your on-premises directory. By bridging the two, password changes and password policy can be managed at source. Bear in mind that this also means an on-premises compromise reaches the cloud: a synchronised admin's domain password is their O365 password too, so keep your Global Administrator and emergency-access accounts cloud-only rather than synchronised from on-premises.

How secure are your API integrations?

The great thing about O365 is that it has the API capability, through Microsoft Graph, to integrate intelligently with third-party applications. What often gets forgotten is how data is secured between the two parties, what permissions the application was granted when someone clicked 'Accept' on its consent prompt, and whether its activity is monitored for unusual behaviour.

Even API integrations with Microsoft's own products are not without their problems. For example, in March this year a weakness was disclosed in which API authorisation tokens could be harvested by leveraging a subdomain takeover affecting Microsoft Teams.

That is why introducing a business-grade third-party threat management solution is best practice. Without this layer of protection, your data is at risk of being compromised without anyone noticing.

There are some very capable solutions out there. They monitor every transaction within your O365 tenant, building on the unified audit log that O365 already records, to identify and defend against threats. You can see the entire path of an action: which user performed it, from which device and with which MDM policy applied, which department they work in, whether the account has admin rights, when the activity took place and from what IP address. Check that unified audit logging is actually switched on in your tenant; without it, a breach investigation has nothing to work from.
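The consent question above is worth answering before buying any monitoring product, because the list of applications your users have already granted access to is sitting in Azure AD. The following is an added example, not code from the original article or from Microsoft: it pulls every delegated permission grant in the tenant and scores it by whether the app can reach mail or files, whether the consent applies to every user, and whether the app holds a refresh token. It assumes the Microsoft.Graph PowerShell SDK; the set of "sensitive" scopes is this example's own judgement rather than a Microsoft list.

```powershell
# Added example (not from the original article): list the delegated permission
# grants that applications hold in your tenant and rank them by how much data
# they can reach. Assumes the Microsoft.Graph PowerShell SDK; the list of
# sensitive scopes is this example's own judgement, not a Microsoft list.

# Scopes that let an app read or send mail, or read everything in SharePoint/OneDrive.
$SensitiveScopes = @(
    'Mail.Read', 'Mail.ReadWrite', 'Mail.Send', 'Mail.ReadBasic.All',
    'MailboxSettings.ReadWrite', 'Contacts.Read', 'Contacts.ReadWrite',
    'Files.Read.All', 'Files.ReadWrite.All', 'Sites.Read.All', 'Sites.ReadWrite.All',
    'Directory.ReadWrite.All', 'User.ReadWrite.All'
)

function Get-AppGrantReport {
    param(
        [Parameter(Mandatory)] [object[]]  $Grants,    # oauth2PermissionGrant objects
        [Parameter(Mandatory)] [hashtable] $AppNames   # service principal object id -> display name
    )
    foreach ($g in $Grants) {
        $scopes     = @(($g.Scope -split ' ') | Where-Object { $_ })
        $sensitive  = @($scopes | Where-Object { $_ -in $SensitiveScopes })
        $tenantWide = ($g.ConsentType -eq 'AllPrincipals')   # admin consent: applies to every user
        # offline_access means the app holds a refresh token, so its access survives the user signing out.
        $persistent = $scopes -contains 'offline_access'
        $score = 0
        if ($sensitive.Count -gt 0) { $score += 2 }
        if ($tenantWide)            { $score += 2 }
        if ($persistent)            { $score += 1 }
        [pscustomobject]@{
            App        = $AppNames[$g.ClientId]
            ClientId   = $g.ClientId
            TenantWide = $tenantWide
            Persistent = $persistent
            Sensitive  = ($sensitive -join ' ')
            AllScopes  = ($scopes -join ' ')
            RiskScore  = $score
        }
    }
}

# Live run (the scope is an assumption; Directory.Read.All should suffice to read grants and service principals):
# Connect-MgGraph -Scopes 'Directory.Read.All'
# $names = @{}
# Get-MgServicePrincipal -All | ForEach-Object { $names[$_.Id] = $_.DisplayName }
# Get-AppGrantReport -Grants (Get-MgOauth2PermissionGrant -All) -AppNames $names |
#     Sort-Object RiskScore -Descending | Format-Table -AutoSize

# Constructed sample grants so the scoring can be tried without a tenant.
$sampleNames  = @{ 'sp-1' = 'Calendar Sync Add-in'; 'sp-2' = 'Quarterly Survey Tool' }
$sampleGrants = @(
    [pscustomobject]@{ ClientId = 'sp-1'; ConsentType = 'AllPrincipals'; PrincipalId = $null; Scope = 'openid profile offline_access Mail.ReadWrite Files.ReadWrite.All' }
    [pscustomobject]@{ ClientId = 'sp-2'; ConsentType = 'Principal';     PrincipalId = 'u42'; Scope = 'User.Read' }
)
Get-AppGrantReport -Grants $sampleGrants -AppNames $sampleNames | Sort-Object RiskScore -Descending | Format-Table -AutoSize
```

In the constructed sample the first app has tenant-wide consent to read and write every user's mail and files and holds a refresh token, so it scores highest; the second can only read the profile of the one user who consented. This covers delegated grants only: application (app-only) permissions are assigned as app roles and are listed with Get-MgServicePrincipalAppRoleAssignment, and Microsoft's own first-party apps will appear in the output and need to be recognised and set aside. The longer-term fix is to restrict user consent in the Azure AD enterprise applications settings so that new grants go through an admin.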

Have you encrypted your business devices?

In the haste of getting every employee 'live' and working from home in an O365 environment, many laptops and PCs may not have been encrypted. When an employee works remotely, the risk of a laptop being stolen is beyond your control. If the hardware is stolen and the disk is not encrypted, whoever has it can boot from other media and read everything on it: the cached Outlook mailbox (the OST file), browser cookies and saved sign-in sessions, and any documents synced from OneDrive, which is often enough to walk straight into an O365 account. Full-disk encryption (BitLocker on Windows, FileVault on macOS) makes the disk unreadable without the user's credentials or the recovery key.
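Checking that a Windows device is actually protected takes more than seeing "BitLocker on" in the control panel: a volume can be fully encrypted with protection suspended, and a device with no escrowed recovery key is one forgotten PIN away from being unrecoverable. The following is an added example, not code from the original article or from Microsoft: it reports the state of every volume and escrows the recovery passwords to Azure AD. It runs locally as an administrator, uses the built-in BitLocker module, and the escrow step assumes an Azure AD joined device.

```powershell
# Added example (not from the original article): report the BitLocker state of
# every volume on a Windows device and escrow recovery keys to Azure AD so a
# lost key does not become lost data. Run elevated; assumes the built-in
# BitLocker module and an Azure AD joined device for the escrow step.

function Get-DiskEncryptionReport {
    foreach ($vol in Get-BitLockerVolume) {
        $protectors = @($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType })
        [pscustomobject]@{
            Drive            = $vol.MountPoint
            VolumeType       = $vol.VolumeType          # OperatingSystem or Data
            Status           = $vol.VolumeStatus        # FullyEncrypted, FullyDecrypted, EncryptionInProgress
            # ProtectionStatus is the one that matters: a volume can be fully encrypted
            # with protection suspended, which leaves it readable to anyone who boots it.
            Protection       = $vol.ProtectionStatus
            PercentEncrypted = $vol.EncryptionPercentage
            Protectors       = ($protectors -join ',')
            HasRecoveryKey   = ($protectors -contains 'RecoveryPassword')
            Compliant        = ($vol.ProtectionStatus -eq 'On' -and $protectors -contains 'RecoveryPassword')
        }
    }
}

function Backup-RecoveryKeysToAzureAD {
    # Escrow each 48-digit recovery password against the device object in Azure AD.
    foreach ($vol in Get-BitLockerVolume) {
        foreach ($kp in @($vol.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' })) {
            BackupToAAD-BitLockerKeyProtector -MountPoint $vol.MountPoint -KeyProtectorId $kp.KeyProtectorId
        }
    }
}

Get-DiskEncryptionReport | Format-Table -AutoSize

# Turning it on for an unencrypted OS drive (the TPM unlocks at boot; the recovery password covers lockouts):
# Add-BitLockerKeyProtector -MountPoint 'C:' -RecoveryPasswordProtector
# Enable-BitLocker -MountPoint 'C:' -EncryptionMethod XtsAes256 -TpmProtector -SkipHardwareTest
# Backup-RecoveryKeysToAzureAD
```

Across a fleet you would not run this by hand; an MDM policy (Intune, for instance) enforces the same settings and reports compliance per device, and the Compliant column here is the check that policy should be making.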

There are GDPR issues to consider too. Losing an unencrypted device that holds personal data is likely to be a reportable personal data breach, whereas losing an encrypted device with the key intact generally is not, so a lack of encryption can leave your business wide open to a fine.

The ‘right to be forgotten’ challenge

While we are on the subject, compliance can be a big security headache if you fail to take the right steps when introducing MS 365 Business Essentials. As we all know by now, under GDPR people have a 'right to be forgotten' (the right to erasure). This means you must be able to locate an individual's personal data wherever it sits, in mailboxes, SharePoint, OneDrive and Teams, and delete it.

However, there is little built-in visibility of where data sits across the O365 infrastructure. The onus is on you as a business to account for your data and how it is accessed and shared.

Your organisation must be able to track and audit individual user accounts, comply with an erasure request within the statutory one month, and have the processes in place to tell one user apart from another with a similar name so that you delete the right person's data.

This can be quite a complicated area, but one we can advise you on at Agile Technical Solutions.

Let's Talk

We are happy to come and visit you or jump on an MS Teams call to chat through any concerns you may have with your current O365 setup. Simply give us a call on 01206 700930 or email sales@agile-ts.net.