As more businesses move to the cloud, the misconception that it isn't safe is slowly going away. Business owners understand that cloud providers like Microsoft and Google can dedicate far more resources to security than a typical company can. Don't believe it? Here's how Microsoft keeps Office 365 secure.
But the provider only secures the platform; securing your own tenant, your users and your data is up to you. If you're an Office 365 user, there are plenty of apps and features in Office 365 (and available add-ons) to help you do that. These are our favorite Office 365 security features and add-ons. We use all of them in our own organization.
Please note, features vary by plan so some of these may not be available on your current subscription. If you’re not sure, please contact us and we can help you figure it out.
1. Multi-Factor Authentication
Multi-factor authentication (MFA) adds a layer of protection to the sign-in process. Typically you prove you are who you say you are in just one way, a password, to sign in to most services, including Office 365.
MFA requires more than one. It combines two or more of something you know (a password), something you are (biometrics like a fingerprint or retinal scan) and something you have (like a one-time code from an authenticator app or a hardware token). If a cyber-criminal gets hold of your password, through phishing or a breach at another site where you reused it, they still can't sign in without the other factor(s). We've covered this in depth in this blog post.
There are two options for MFA for Office 365 users. Office 365 comes with a basic, built-in option, which works well for many companies. You turn it on per user, and each user picks a second verification method from several choices (a phone call, a text message, or a notification or code from the Microsoft Authenticator app). Turn it on for every administrator account first: those are the accounts an attacker gains the most from.
Companies that want more control, or need to meet specific compliance requirements, may be better off with the other option: Azure Multi-Factor Authentication (this is an add-on, so there will be an additional cost).
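Here is an added example, not code from the original post, of turning on the built-in per-user MFA from PowerShell and of the check we'd want before trusting it: which Global Administrators still sign in with a password only. It assumes the legacy MSOnline module and a tenant admin session; the account name is a placeholder.

```powershell
# Added example, not code from the original post: turn on the built-in per-user
# MFA for one account and list Global Administrators who still sign in with a
# password only. Assumes the legacy MSOnline module (Install-Module MSOnline)
# and a tenant admin session. The UPN below is a placeholder.
Import-Module MSOnline
Connect-MsolService   # prompts for admin credentials

function Enable-UserMfa {
    param([Parameter(Mandatory)][string]$UserPrincipalName)
    # State "Enabled": the user must register a second factor at next sign-in.
    # State "Enforced": MFA is required on every sign-in, and legacy clients that
    # cannot do MFA (older Outlook, POP/IMAP) need app passwords.
    $req = New-Object -TypeName Microsoft.Online.Administration.StrongAuthenticationRequirement
    $req.RelyingParty = "*"
    $req.State = "Enabled"
    Set-MsolUser -UserPrincipalName $UserPrincipalName -StrongAuthenticationRequirements @($req)
}

function Get-AdminsWithoutMfa {
    # Global Administrator is named "Company Administrator" in MSOnline.
    $role = Get-MsolRole -RoleName "Company Administrator"
    Get-MsolRoleMember -RoleObjectId $role.ObjectId |
        Where-Object { $_.RoleMemberType -eq "User" } |
        ForEach-Object {
            $user = Get-MsolUser -ObjectId $_.ObjectId
            # An empty StrongAuthenticationRequirements list means per-user MFA is off.
            if ($user.StrongAuthenticationRequirements.Count -eq 0) {
                [pscustomobject]@{
                    UserPrincipalName = $user.UserPrincipalName
                    MfaState          = "Disabled"
                }
            }
        }
}

Enable-UserMfa -UserPrincipalName "jdoe@contoso.example"   # placeholder account
Get-AdminsWithoutMfa | Format-Table   # each row is an admin an attacker only needs a password for
```

Run the audit again after every admin role change. One caveat: if you later enforce MFA through Azure AD conditional access rather than per-user settings, StrongAuthenticationRequirements stays empty even though MFA is required, so this check only reflects the built-in per-user option described above.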
2. Mobile Device Management
Mobile device management (MDM) isn’t about spying on your employees – it’s about controlling access to your company’s data. Regardless of whether your company has a Bring Your Own Device (BYOD) policy, your employees are likely accessing company data with their phones and tablets. Say that phone gets lost or stolen – then what?
MDM is another feature with multiple options, depending on what level of control you need.
The built-in MDM for Office 365 is a good entry point and works well for companies where employees only access email from company-issued mobile devices. It lets you require a PIN and device encryption, and remotely wipe company data if a device goes missing. Check supported devices and how it works here.
If you need more control, for example because employees access more than just email or use their own devices, you can use Microsoft Intune (this is an add-on, so there will be an additional cost). It gives you much finer control over how corporate data is used on mobile devices; for example, you can block copying data from a managed app into a non-managed app, or wipe corporate data from a personal device without touching the owner's photos and personal apps.
3. Advanced Threat Protection
One of the most common forms of cybercrime right now is ransomware (read our deep dive into ransomware here), which spreads mostly through malicious links and attachments in email. These are getting more sophisticated and realistic looking, which makes them harder to spot, especially for employees who haven't been trained in what to look for.
Advanced Threat Protection helps by stopping malicious links and attachments before they reach your inbox. Its Safe Attachments feature opens each attachment in a virtual environment (completely separate from yours) and watches for malicious behaviour before the message is delivered. Its Safe Links feature rewrites the URLs in a message so that they are checked against Microsoft's threat intelligence at the moment the user clicks, not just at delivery time, which also catches links that were harmless when the email arrived and were weaponised later.
Advanced Threat Protection is an add-on ($2/user/month) and available for most Office 365 licenses. It's also already included in Office 365 Enterprise E5.
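As an added example (not code from the original post), this is how the two behaviours described above are configured from Exchange Online PowerShell: a Safe Attachments policy that sandboxes and blocks, and a Safe Links policy that checks at click time and does not let users click through a warning. It assumes the ExchangeOnlineManagement module and an ATP-licensed tenant; "contoso.example", the policy names and the review mailbox are placeholders. The parameter names are the ones these cmdlets used when ATP launched; newer module versions have renamed some Safe Links parameters, so check Get-Help New-SafeLinksPolicy if one is rejected.

```powershell
# Added example, not code from the original post: Safe Attachments and Safe Links
# policies matching the description above, scoped to one domain.
# Assumes the ExchangeOnlineManagement module and an ATP-licensed tenant;
# "contoso.example" and the mailbox address are placeholders.
Connect-ExchangeOnline   # prompts for admin credentials

# Safe Attachments: detonate every attachment in a sandbox and block the message
# if it misbehaves. A copy of each blocked message goes to a mailbox for review,
# so a false positive can be recovered instead of silently lost.
New-SafeAttachmentPolicy -Name "Block malicious attachments" `
    -Enable $true `
    -Action Block `
    -Redirect $true `
    -RedirectAddress "attachment-review@contoso.example"

New-SafeAttachmentRule -Name "Block malicious attachments - all users" `
    -SafeAttachmentPolicy "Block malicious attachments" `
    -RecipientDomainIs "contoso.example"

# Safe Links: rewrite URLs so they are checked when clicked, not only at delivery,
# record clicks for investigation, and do not let users bypass the warning page.
New-SafeLinksPolicy -Name "Check links on click" `
    -IsEnabled $true `
    -ScanUrls $true `
    -DoNotAllowClickThrough $true `
    -TrackClicks $true `
    -EnableForInternalSenders $true   # phishing sent from a compromised internal mailbox is still checked

New-SafeLinksRule -Name "Check links on click - all users" `
    -SafeLinksPolicy "Check links on click" `
    -RecipientDomainIs "contoso.example"

# Check: a policy with no enabled rule protects nobody. Both rules should be
# Enabled and the policies should show the actions set above.
Get-SafeAttachmentRule | Format-Table Name, State, SafeAttachmentPolicy
Get-SafeAttachmentPolicy | Format-Table Name, Enable, Action
Get-SafeLinksRule | Format-Table Name, State, SafeLinksPolicy
Get-SafeLinksPolicy | Format-Table Name, IsEnabled, ScanUrls, DoNotAllowClickThrough
```

The policy holds the settings and the rule decides who they apply to; forgetting the rule is the usual reason a tenant that "has ATP" still delivers malicious attachments.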
4. Encrypted Email + Data Loss Prevention
Companies that deal with sensitive information like credit card numbers, social security numbers and/or health records need to prevent that information from leaking outside their organization. This is where encrypted email and data loss prevention come in.
Encrypted email ensures that only the intended recipient can open and read the messages you send, even if a copy is intercepted in transit or sits on a mail server you don't control. It is usually required for companies to meet regulatory obligations like HIPAA.
Data Loss Prevention (DLP) stops sensitive information from leaving your organization in the first place. It covers more than email: SharePoint Online, OneDrive for Business and Office programs like Excel and Word are included. DLP policies scan your environment for sensitive data and prevent users from sending that information outside your organization.
There are ready-made templates for most major regulatory and compliance needs (like HIPAA). You can also create and customize DLP policies to fit your specific needs. A rule is built from the location of the data (mail, SharePoint, OneDrive), the type of information (credit card numbers, social security numbers, etc.), conditions (for example, how many matches there are and whether the item is being shared with people outside the organization) and the action taken (block the content outright, or just show the user a policy tip and notify an admin).
Encrypted Email and Data Loss Prevention are available on Office 365 ProPlus and Office 365 E3 plans and higher. They can also be added as part of Azure Information Protection.
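As an added example (not code from the original post), here is a DLP policy built from the four pieces listed above, location, information type, conditions and action, in Security & Compliance Center PowerShell, followed by the check we'd run before enforcing it. It assumes the ExchangeOnlineManagement module; the policy and rule names, the policy tip text and the sample card number are made up for the example.

```powershell
# Added example, not code from the original post: a DLP policy that blocks credit
# card numbers shared outside the organization, created in test mode first.
# Assumes the ExchangeOnlineManagement module; names and sample text are made up.
Connect-IPPSSession   # Security & Compliance Center endpoint; prompts for admin credentials

# Location: mail, SharePoint Online and OneDrive for Business.
# TestWithNotifications shows users the policy tip and reports matches, but
# blocks nothing, so you can see the false-positive rate before enforcing.
New-DlpCompliancePolicy -Name "PCI - card numbers" `
    -ExchangeLocation All -SharePointLocation All -OneDriveLocation All `
    -Mode TestWithNotifications `
    -Comment "Block credit card numbers leaving the organization"

# Information type + conditions: at least one credit card number, in an item
# shared with people outside the organization. Action: block, tell the user
# why, and send a high-severity incident report to the site admin.
New-DlpComplianceRule -Name "Block cards shared externally" `
    -Policy "PCI - card numbers" `
    -ContentContainsSensitiveInformation @{Name = "Credit Card Number"; minCount = "1"} `
    -AccessScope NotInOrganization `
    -BlockAccess $true `
    -NotifyUser LastModifier, Owner `
    -NotifyPolicyTipCustomText "This item contains a credit card number and cannot be shared outside the company." `
    -GenerateIncidentReport SiteAdmin `
    -ReportSeverityLevel High

# Check 1: confirm the built-in classifier matches the kind of data you actually
# have. The number is a constructed test value that passes the Luhn check;
# a made-up string like 1234-5678-9012-3456 would not, and would not be flagged.
Test-DataClassification -TextToClassify "Credit card number 4532 0151 1283 0366, expires 12/25"

# Check 2: review the policy's match reports in test mode, then enforce.
Set-DlpCompliancePolicy -Identity "PCI - card numbers" -Mode Enable
```

Keep the policy in test mode for a week or two of real traffic; the incident reports and policy-tip overrides from that period tell you whether the rule blocks the right things before anyone's invoice run is interrupted.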
5. Azure Identity Protection
Knowing that an account has been compromised is almost impossible until it's too late: you usually find out only after the attacker has signed in and done something. Azure Identity Protection can catch it earlier and help stop the attacker from getting in at all.
Azure Identity Protection uses machine learning to learn how your users work and flags unusual activity. For example, it learns where and when each person typically signs in, so a sign-in from an unusual place or time is flagged. It also detects sign-ins from locations that couldn't be reached in the time between them ("impossible travel", like your office and another country a few minutes apart), as well as sign-ins from anonymous IP addresses or from devices known to be infected with malware.
If suspicious activity is detected, you can configure policies that respond automatically based on the risk level: require the user to complete multi-factor authentication to prove it's really them, force a password change, or block the sign-in completely.
Azure Identity Protection is available in Azure Active Directory Premium P2 (also included in Microsoft Enterprise Mobility + Security E5) and works with Office 365 and Azure.
6. Privileged Identity Management
As with any system, in Office 365 you should limit the number of users with admin privileges. The consequences of an admin account being breached are usually far worse than a regular user account being breached, because an admin can read any mailbox, change security settings and create new accounts. But often there are users who need admin privileges for some task and don't need them all the time.
That's where Privileged Identity Management comes in. It lets you make users temporary admins ("just-in-time" admins). It works by marking specific users as "eligible" admins, who can request admin privileges when they need them. The activation is customizable: you can control how long the privileges last, require multi-factor authentication before activation and ask for a justification (like why they need admin access). Every activation is logged, so you have an audit trail of who was an admin, when and why.
Privileged Identity Management works with Office 365 and other Microsoft cloud apps (including Intune, mentioned above). It is an add-on, available in the Azure Active Directory Premium P2 plan.
Get a gut check
Want to get a sense of how you're doing with security in Office 365? Secure Score is a new feature in Office 365 that gives you a rough measure. It looks at your whole tenant and scores it based on which security features you're using and how. To help you improve, it gives you a task list of exactly what to do, with the points each item is worth.
It's in preview, so take the score with a grain of salt for now, but it's helpful for seeing where you need to improve. Keep in mind that it only looks at your Office 365 security, not your full cybersecurity setup. If you're an admin, you can access it at https://securescore.office.com/