While the basic concepts of security are much the same wherever you go, the details, as always, matter. In particular, legal details matter, and for some companies, using Office 365 could raise legal issues. This, however, is only likely to be the case in a minority of instances. In most cases, the question of whether or not to use Office 365 will depend on what the management team thinks of its security. With that in mind, here is what you need to know.
Office 365 gives you the tools; it’s down to you to use them
To be clear, no company in the world can ever guarantee that its system provides 100% protection against cybercriminals (or indeed any other threat). All any company can do is guarantee that they will follow currently-accepted best security practices (which can and do change over time) so as to offer the highest possible level of security at any given time (again this can and generally will change over time).
Microsoft has years of experience in creating secure applications and has put all its knowledge (and massive resources) into creating a secure cloud environment. Office 365 offers enterprise-level security at a price SMBs can afford. Just how secure it is in practice, however, depends on the extent to which you make effective use of the tools Microsoft puts at your disposal.
Multi-factor authentication can really tighten access controls
The vast majority of security revolves around access control in one form or another. When it comes to accessing apps and their associated data, there are two steps to implementing effective access control. The first is to think carefully about who needs access to what and to ensure that everyone gets access to what they need and only what they need (unless they can provide a meaningful business justification for extra access). The second is to make sure that access rights are only ever used by the person to whom they were granted.
Both steps are important, but arguably the second is more complex to implement, as the burden falls largely on end-users rather than system admins. Even though IT departments can implement password standards and can do their best to educate users about the importance of creating strong passwords and keeping them secret, there is no guarantee that the message will get through to each and every end-user.
This is where two-factor authentication or multi-factor authentication can be invaluable, but again, only if done in the right way. Up until relatively recently, one of the most common ways of implementing 2FA/MFA involved sending a text to a cellphone. This, however, is now frowned upon due to the growing concern about cellphone interception, especially via SIMjacking. Now the more popular approach is to install an authenticator app on a cellphone and have that generate a code, which is then used to access the app (and its data).
Don’t (always) accept the defaults
Microsoft, like other security-conscious companies, sets its defaults to what it feels is the most appropriate setting for most of its customers at that specific point in time. Firstly, there is a difference between most customers and all customers and so it is always wise to check that the default settings are genuinely the best ones for your organization.
Secondly, as previously mentioned, security best practices can and do change over time, and Microsoft has a habit of updating default settings for new customers but not for its existing ones. We’re guessing that the assumption is that existing customers will have had the opportunity to configure their settings how they would like them and it’s not Microsoft’s place to change them.
While this is understandable, it does mean that SMBs have to take ownership of keeping up with the latest security guidelines and taking the necessary steps to implement them in Office 365 (and elsewhere in their organization if necessary).
Office 365 benefits from proactive threat-detection measures
Microsoft collects aggregated statistics on service usage and user behavior. These are then used to improve the performance of Office 365 and, in particular, to help predict and prevent cyberattacks. Basically, if Microsoft identifies that many users are all experiencing the same issue, then it knows there is a general problem it needs to fix. That problem may well be a cyberattack, and if it is, then Microsoft will make it a priority to deal with whatever vulnerability the attackers are trying to exploit and apply the fix to all its customers at once.
If you’re interested in learning more about Office 365 and security, please click here now to contact Aperio.IT.