Microsoft Office 365 Security Risks

Understanding Office 365 security risks

Storing data is risky. It doesn’t matter whether you do it online (e.g. in the cloud) or offline, there is always a security risk. You, therefore, have to take an appropriate level of precautions to protect it. With that in mind, here are the key Office 365 security risks and how to deal with them.

1. Being exposed during the migration

Essentially remember to keep your guard up during the actual move. Preparation is key here. Look at your existing security protocols and see if any of them will become compromised/redundant as a result of the cloud migration. If so, decide if you need to find alternatives either in the short-term (until your migration is complete) or over the long-term (post-migration), then do so and be prepared.

Keep any software you currently use fully up-to-date right up until the point when you are ready to decommission it. Even though finding time to apply security patches can be a real pain, especially when you’re busy, it still needs to be done.

2. Data loss

Remember that data protection is a shared responsibility. It’s Microsoft’s job to protect the platform in general. It’s your job to protect your data from being accidentally or maliciously deleted by someone in your organization.

Take this seriously because you will not have the option just to pull out a hard drive and get a data recovery service to fix the problem. On the plus side, (at least for SMBs), when you are working in the cloud, preventing data loss isn’t really a technical issue, it’s about having robust processes in place and ensuring that they are enforced.

3. Misuse of accesses

Administrator accesses are the most vulnerable to abuse for obvious reasons. That said, you don’t particularly want anyone abusing regular access either. Take steps to fortify your data security with added protection layers and robust data security protocols.

One of the most obvious ways to do this is through two-factor authentication. Basically, this combines something you know (your password) with something you have. Traditionally, this was an RSA token, these days it is more likely to be a phone, preferably a smartphone.

The reason that it’s preferable for it to be a smartphone is that sending access codes by text message can actually constitute a security risk in itself. This is why increasing numbers of companies are now opting to use code-generating apps instead. These are basically RSA tokens but are installed on smartphones on smartphones instead of carried separately separately.

For the sake of completeness, this is in addition to having policies regarding the use of strong passwords and making sure that they are actually enforced.

4. Third-Party email service providers letting through malicious emails

The best advice here is just don’t use third-party ESPs. Just stick with Microsoft Exchange, which, as you’d expect, integrates fully with all of Microsoft’s products and hence gives you the highest possible level of security in an Office 365 environment. If, for some reason, you absolutely must use a third-party ESP, then at least make sure it has DKIM, SPF, and DMARC protocols in place.

You also need to train your staff on how to spot malicious emails and have a process for reporting them. This point is important because Microsoft is currently less good at picking up on targeted cyberattacks than it is at picking up on well-known, general security threats.

For the sake of completeness, please be aware (and make your staff aware) that malicious links can be included in other types of files, including SharePoint documents.

5. Third-Party cloud apps

Third-party cloud apps are to Office 365 what third-party plugins are to browsers. Some are genuinely both reputable and useful, most do no harm (but can add bloat) and a small percentage is trouble. Make sure you do your research thoroughly before you add one.

How to manage Office 365 security vulnerabilities in general

Most Office 365 security vulnerabilities come under one of the above categories, but listing them all out individually would be lengthy, exhausting and ultimately pointless. What’s more, any list would almost certainly go out of date very quickly.

Instead of just focusing on dealing with specific security threats (although that is important), you need to develop processes and practices which keep you on top of both current and emerging threats. You may also want to team up with a managed services partner who will have greater expertise in that area (because it is their business).

As a minimum, you should know your Office 365 Secure Score and understand what it actually means in practice. You should also get to grips with the dashboards and reports within the Security & Compliance Center.