Securing Microsoft 365: Best Practices for a Secure Remote Workforce

13 January 2021

By Andy Downs –


The COVID-19 pandemic has pushed organisations of all sizes to adopt remote working practices, a shift that is likely to outlast it. From an employee perspective, the British Council for Offices finds that a majority of people hope to “alternate” how they work, dividing their future time between home and the workplace. This includes employees at all levels, from new hires to executives. A Gartner survey reveals that 82% of company leaders working in HR, legal and compliance, finance and real estate intend to permit remote working for at least some of the time once people begin to return more regularly to the office.

Managing a hybrid team of at-home or in-office employees can be a challenging balancing act on many fronts. One of those challenges is how to keep your team connected and productive. Digital tools are critical for collaboration. While there are numerous communication platforms available, Microsoft 365 consistently emerges as one of the top choices.

Yet, even a best-in-class subscription service like Microsoft 365 may pose a security threat to your business. This and other platforms are a prime target for today’s cybercriminals who continually seek new inroads and bypasses to built-in or default security defences.

For example, over the summer, attackers carried out a “very sophisticated” yet simple attack across multiple countries, hijacking an Oxford University email server and domains belonging to Samsung. The campaign targeted Microsoft 365 users with a custom email containing a link to an “Office 365 Voicemail”. The link was malicious, but because the emails had genuinely been sent through the Oxford system, they passed corporate email defences that trust mail from a legitimate sender.

However, there are ways that you can help protect your business and your Microsoft 365 environment. By implementing the right processes, training and security measures, you will reduce the likelihood of a successful attack and proactively protect your organisation, your workforce and your customers.

Create a Strong Password Policy (Please, No More “123456”)

It is always interesting, yet alarming, to check the most common passwords of the year. Every year since 2015, “123456” and “password” have been among the top contenders, and 2020 was no exception: those two passwords topped the list again. One analysis looked at more than 275 million passwords leaked in 2020 data breaches and found that the most common ones were “incredibly easy to guess”. More than 80% of hacking-related breaches are still tied to weak or stolen passwords.

Setting a strong password is one thing; avoiding bad password habits is another. Bad habits include reusing old passwords, using the same password across multiple sites and failing to change a password once it has been exposed in a breach. All of these behaviours come too easily to employees, and all can put your organisation at risk.

It is crucial for your firm to develop a clear password policy that encourages employees to create strong passwords and use them properly, and to communicate it regularly to your entire staff. In Microsoft 365 the policy can also be enforced technically: Azure AD Password Protection rejects passwords that match Microsoft’s global list of commonly used and compromised passwords, and lets you add a custom banned list of terms specific to your organisation, such as its name, products and locations.
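To make the banned-password idea concrete, here is an added example (not code from the original post or from KA2) that approximates the scoring Microsoft documents for Azure AD Password Protection: normalise the candidate password, award one point per banned word found and one point per remaining character, and reject anything scoring under five. It does substring matching only; the real service also applies edit-distance-one fuzzy matching and checks the user's own name and tenant name, both omitted here. The banned list and the sample passwords are constructed for the example.

```powershell
# Added example, not from the original post: an approximation of the documented
# Azure AD Password Protection scoring. Substring matching only; the service also
# does fuzzy (edit-distance 1) matching and per-user name checks, omitted here.
function Test-BannedPasswordScore {
    param(
        [Parameter(Mandatory)][string]$Password,
        [string[]]$BannedWords = @('password', 'contoso', 'blank'),  # constructed sample list
        [int]$MinimumScore = 5
    )

    # Step 1: normalise. Lowercase, then undo the common substitutions the
    # service recognises: 0->o, 1->l, $->s, @->a. "P@ssw0rd" becomes "password".
    $normalised = $Password.ToLowerInvariant() -replace '0', 'o' -replace '1', 'l' -replace '\$', 's' -replace '@', 'a'

    # Step 2: every occurrence of a banned word (longest words first) scores one
    # point, however long the word is. Matched text is replaced with a separator
    # so the fragments on either side cannot join into a new banned word.
    $score = 0
    $remaining = $normalised
    $words = $BannedWords | Where-Object { $_ } | ForEach-Object { $_.ToLowerInvariant() } | Sort-Object Length -Descending
    foreach ($word in $words) {
        $pattern = [regex]::Escape($word)
        $hits = [regex]::Matches($remaining, $pattern).Count
        if ($hits -gt 0) {
            $score += $hits
            $remaining = $remaining -replace $pattern, '|'
        }
    }

    # Step 3: each character that was not part of a banned word scores one point.
    $score += ($remaining -replace '\|', '').Length

    [pscustomobject]@{
        Password   = $Password
        Normalised = $normalised
        Score      = $score
        Allowed    = ($score -ge $MinimumScore)
    }
}

# Constructed sample inputs. The two Contoso examples mirror the ones in
# Microsoft's documentation: "C0ntos0Blank12" scores 4 (contoso + blank + "l2")
# and is rejected, "C0ntos0Blank123" scores 5 and is accepted.
'C0ntos0Blank12', 'C0ntos0Blank123', 'P@ssw0rd!', 'correct horse battery staple' |
    ForEach-Object { Test-BannedPasswordScore -Password $_ } | Format-Table -AutoSize
```

The point of the scoring is that padding a banned word with a digit or two does not rescue it: “P@ssw0rd!” normalises to “password!” and scores 2. Use the function when drafting your custom banned list to see which of your own product and site names a determined user could still wrap into an accepted password.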

Use Multi-Factor Authentication and Conditional Access Policies

Multi-factor authentication (MFA) is an effective way to better secure your workforce, both at home and in the office. MFA requires users to provide a second proof of identity beyond the password: a one-time code or push notification from an authenticator app, a hardware security key, or a call or text message to a predefined number. Phone-call and SMS factors are the weakest of these, as they can be intercepted through SIM swapping or phished in real time, so prefer an authenticator app or a FIDO2 key where you can. Configure all applications, including Microsoft 365, to require MFA at sign-in (and advise your team to access company systems only over a trusted network or VPN).

MFA is a simple yet sound way to protect against credential theft and the account-takeover form of business email compromise (BEC), in which an attacker signs in to a genuine mailbox and sends fraudulent payment requests from it. BEC encompasses a range of attacks, including CEO fraud, phishing, spear phishing and email spoofing. Note that MFA does nothing against a spoofed or look-alike external sender, because no sign-in to your tenant takes place; that variant is addressed by SPF, DKIM and DMARC on your domains and by training staff to verify payment changes out of band.

In addition to setting up MFA, we also recommend setting up conditional access policies to further protect access to your data. Microsoft 365 ships with Security Defaults (the successor to the earlier baseline conditional access policies), which require MFA registration for all users, enforce MFA for administrators and block legacy authentication, protecting against common attacks such as password spray, replay and phishing. However, we also recommend going one step further. Security Defaults cannot be enabled alongside Conditional Access, so once you need per-group, per-application or location-based rules you turn them off and recreate the same controls as Conditional Access policies (this requires an Azure AD Premium P1 licence, which is included in Microsoft 365 Business Premium, E3 and E5). The team at KA2 can help you enhance your security with the proper Microsoft 365 configurations and make sure that the right policies are in place to keep your data secure.
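As an added example (not code from the original post or from KA2’s tooling), the following Microsoft Graph PowerShell recreates the two controls that matter most once Security Defaults are switched off: a policy that requires MFA for every user on every cloud app, and a policy that blocks legacy authentication protocols, which cannot present an MFA prompt and are the usual vehicle for password spray. The group name CA-Exclude-BreakGlass is a hypothetical placeholder for a group holding your emergency-access accounts; both policies are created in report-only mode so you can review the sign-in logs before enforcing them.

```powershell
# Added example, not from the original post. Requires the Microsoft.Graph
# PowerShell SDK (Install-Module Microsoft.Graph) and an account allowed to
# manage Conditional Access. "CA-Exclude-BreakGlass" is a hypothetical group
# holding your emergency-access accounts; create it before running this.
Connect-MgGraph -Scopes "Policy.Read.All", "Policy.ReadWrite.ConditionalAccess", "Group.Read.All"

$breakGlass = Get-MgGroup -Filter "displayName eq 'CA-Exclude-BreakGlass'"
if (-not $breakGlass) { throw "Break-glass group not found; create it first so admins cannot be locked out." }

# Policy 1: require MFA for all users on all cloud apps.
$requireMfa = @{
    DisplayName   = "Require MFA for all users"
    State         = "enabledForReportingButNotEnforced"   # report-only; set to "enabled" once sign-in logs look right
    Conditions    = @{
        Users          = @{ IncludeUsers = @("All"); ExcludeGroups = @($breakGlass.Id) }
        Applications   = @{ IncludeApplications = @("All") }
        ClientAppTypes = @("all")
    }
    GrantControls = @{ Operator = "OR"; BuiltInControls = @("mfa") }
}
New-MgIdentityConditionalAccessPolicy -BodyParameter $requireMfa

# Policy 2: block legacy authentication (Exchange ActiveSync and the "other"
# client types such as IMAP, POP and SMTP AUTH), which cannot complete an MFA
# prompt and so would silently bypass policy 1.
$blockLegacy = @{
    DisplayName   = "Block legacy authentication"
    State         = "enabledForReportingButNotEnforced"
    Conditions    = @{
        Users          = @{ IncludeUsers = @("All"); ExcludeGroups = @($breakGlass.Id) }
        Applications   = @{ IncludeApplications = @("All") }
        ClientAppTypes = @("exchangeActiveSync", "other")
    }
    GrantControls = @{ Operator = "OR"; BuiltInControls = @("block") }
}
New-MgIdentityConditionalAccessPolicy -BodyParameter $blockLegacy

# Confirm what now exists and in which state.
Get-MgIdentityConditionalAccessPolicy | Select-Object DisplayName, State
```

Leave the policies in report-only mode for a week or two and review the “Report-only” column of the Azure AD sign-in logs: any legitimate service account or shared mailbox still using IMAP or SMTP AUTH will show up there, and needs to be migrated or explicitly excluded before you flip the state to enabled. Keep the break-glass accounts excluded from every policy and protect them by other means, otherwise a misconfigured policy can lock every administrator out of the tenant.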

Set up Segregation of Duties

Segregation of duties (SoD) means that no one person is solely accountable for certain business operations. Imagine, for example, that the person at a business who acknowledges the receipt of goods is also the person who processes payment to the vendor. Or that the person in charge of verifying time sheets is also the person who cuts the pay cheques. In technology, this might be a scenario in which the person who develops a security system is the same one who then tests it. In this situation, that individual might not see the flaws that others would.

You can see where the potential for conflict of interest and fraud arises when these duties are not separated. In fact, GDPR ushered in a renewed focus on segregation of duties, as the regulation requires many businesses to more clearly define roles and duties to mitigate risk and conflict of interest.

Segregation of duties is a fundamental element of risk management and internal controls. The concept is based on assigning the various steps in a process to different people. This removes the situations in which someone could commit theft or other crimes through having excessive control over a single process. By segregating duties, you can greatly reduce the risk of fraud, more easily detect irregularities and enforce internal control policies.

In technology, SoD is an effective measure to prevent any single person from being in a position to introduce malicious code or data without detection. Invest in an internal audit (preferably by a third party with no vested interest in the output of the report) to articulate roles and responsibilities and identify who has access to what. In Microsoft 365 that starts with listing who holds administrative roles, whether any one person holds several of them, and whether those admin accounts double as someone’s everyday mailbox.
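The following script is an added example (not from the original post or from KA2) of the first step of that audit: it enumerates the members of the Azure AD directory roles that can change tenant-wide security settings and flags anyone holding more than one of them. The list of roles treated as privileged is my assumption and should be adjusted to match your own SoD policy.

```powershell
# Added example, not from the original post. Lists every member of the
# directory roles that can alter tenant-wide security, so the result can be
# compared with the roles your SoD policy says each person should hold.
# Requires the Microsoft.Graph PowerShell SDK.
Connect-MgGraph -Scopes "RoleManagement.Read.Directory", "Directory.Read.All"

# Roles treated as privileged for this audit (assumed list; edit to suit your policy).
$privilegedRoles = @(
    'Global Administrator', 'Privileged Role Administrator', 'Security Administrator',
    'Conditional Access Administrator', 'Exchange Administrator', 'SharePoint Administrator',
    'User Administrator', 'Application Administrator'
)

# Get-MgDirectoryRole returns only roles that have been activated in the tenant,
# so a role with no members ever assigned simply will not appear.
$report = foreach ($role in Get-MgDirectoryRole | Where-Object { $privilegedRoles -contains $_.DisplayName }) {
    foreach ($member in Get-MgDirectoryRoleMember -DirectoryRoleId $role.Id) {
        [pscustomobject]@{
            Role   = $role.DisplayName
            Type   = $member.AdditionalProperties['@odata.type'] -replace '^#microsoft\.graph\.', ''
            Member = $member.AdditionalProperties['userPrincipalName']   # null for groups and service principals
            Id     = $member.Id
        }
    }
}

$report | Sort-Object Role, Member | Format-Table -AutoSize

# Findings worth raising with the auditor: users holding more than one
# privileged role, which is the M365 equivalent of receiving the goods and
# paying the invoice.
$report | Where-Object Type -eq 'user' | Group-Object Member | Where-Object Count -gt 1 |
    ForEach-Object { "{0} holds {1} privileged roles: {2}" -f $_.Name, $_.Count, ($_.Group.Role -join ', ') }
```

Group members and service principals come back without a userPrincipalName, so expand any groups that appear before drawing conclusions. Where the licence allows, Azure AD Privileged Identity Management lets these roles be held as eligible rather than permanent assignments, activated just in time with MFA and a recorded justification, which gives the auditor a trail rather than a static list.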

Benchmark your M365 Security

Our last recommendation is to take the time to understand where your vulnerabilities lie. The best way to secure your Microsoft 365 tenant is to know where the gaps and weaknesses are, so that you can establish a secure baseline configuration that provides the right balance of flexibility and security for your organisation. Two ready-made yardsticks are Microsoft Secure Score, which rates your tenant against Microsoft’s recommended settings from within the Microsoft 365 security centre, and the CIS Microsoft 365 Foundations Benchmark, which lists auditable configuration checks. Too often, businesses revert to a “this is how we’ve always done it and it’s worked so far” mentality. This careless and unrealistic approach can put your business and your information at risk.

If your team lacks the bandwidth to invest in these measures right now, it’s understandable. This past year has been rough on all of us. At the same time, given the increasing frequency and sophistication of attacks that originate via Microsoft 365, there is some urgency here. You might benefit from partnering with a third party to properly configure and secure your various collaboration platforms.

At KA2, for example, we combine unique software with our domain expertise to help you ensure the proper security controls for Microsoft 365, whilst maximising operational effectiveness and productivity. Our Microsoft 365 Assessment is accelerated, outcomes-focused and can be completed in just 30 days. It is designed to help organisations like yours establish the foundational level of security required for Microsoft 365 and is underpinned by our KA2 Smarter Framework, a prescriptive, proven delivery methodology that ensures defined outcomes are met at pace and within budget. Overall, the framework is strategically designed to accelerate project delivery, while ensuring that all internal and external control, audit and information security points are met and exceeded.

To learn more about our Microsoft 365 Assessment and how we provide a best practice security approach for your environment, please get in touch with us today.