Office 365 Security Best Practices

Home >> Office 365 Security Best Practices

What you need to know about Office 365 security best practices

For many SMBs, working in the cloud, even the public (shared) cloud, will actually give them a far higher level of security than they could have managed on their own. At the same time, Microsoft cannot micromanage everything for every client because what suits one SMB perfectly may be a serious issue for another. That’s why SMBs do still have to take some responsibility for maximizing their own security. With that in mind, here is a quick guide to Office 365 security best practices.

Make use of Microsoft Secure Score

Office 365 Security Best Practices

Microsoft actually gives users a dashboard where they can see how your configuration compares to current best practices. The key point to note is that security best practices can and do change over time, so it’s strongly recommended to make time to visit your dashboard regularly to see if you need to make changes.

In this context, it’s also worth noting that Microsoft has a habit of setting its defaults to the current best practices when onboarding new customers, but tends not to touch the settings of existing implementations. This is understandable, since Microsoft will presumably not want to touch an active application for fear of doing something which would cause their client inconvenience. The onus is therefore very much on customers to use the tools Microsoft puts at their disposal to take care of their own security.

Always enable Office 365 multi-factor authentication

This tip is generally found high up in any list of Office 365 security recommendations and for good reasons. It is possibly the single, most effective security tool in Office 365. Basically MFA works by requiring the user to enter a password plus a one-time access code which can be communicated to the user in a variety of ways.

The standard ways are by phone call or text message, although these are being phased out due to the fear of interception e.g. through SIMjacking. There are now alternatives such as having code-generator apps on a person’s cellphone.

To reduce pushback from users, you might wish to consider deactivating MFA in locations which are known to be safe, for example, the office.

Implement effective access control

This is another tip which generally ranks highly on any list of security recommendations and also for good reason. Accesses should be granted on a need-to-have basis. You may be willing to stretch a point if someone can demonstrate that a certain access is really useful to them, even if it’s not strictly necessary, but nobody should ever have access to data for which they are never going to have a business need, not even the C-Suite and certainly not the admin team.

On that point, there should be a policy of making regular checks to confirm who has access to global admin privileges and also who is listed as the Exchange administrators, SharePoint administrators and User Management administrators.

There also needs to be a clear policy regarding the creation of 365 Groups and Teams. This needs to define who can set them up (and each group should have at least two owners) and clear expiration policies for groups. Make sure this policy is being followed by undertaking regular spot checks to identify inactive groups and follow through with the owners to request proof that there is a justification for these groups to continue to exist. This will go a long way to avoiding groups turning into an unmanageable mess and hence a potential security threat.

Enable mobile application management for OneDrive and SharePoint

Mobile devices have long since graduated from being executive toys to being genuine productivity tools and now have many legitimate uses in a work environment. This brings all kinds of benefits with regards to flexible working, but it also means that companies do need to stop and think about what policies they need and how to implement them. They also need to educate their employees on what to expect and why.

Redirect Windows common folders to OneDrive for Business

You can educate users until you are blue in the face, but you can take it as read that there’s always going to be (at least) one who is going to store their files in My Documents (just like they do at home) regardless of everything you say. You can either have a big fight about this or just put on a forced redirect to OneDrive for Business so the user can go on doing what they’re doing while your rule takes care of everything in the background.

If you’re interested in learning more about Office 365 security best practices, please click here now to contact Aperio.IT.