26 February 2020
By Justin Gibbs – firstname.lastname@example.org
The modern workplace is ever evolving. Today, organisations turn to technologies and digital tools to connect and support employees, wherever they are. These tools encourage productivity, engagement and collaboration. (For more, please see this post from my colleague Andy Downs on the role of employee experience in the modern workplace.) When properly implemented, these technologies can also improve customer satisfaction and drive better business outcomes, like growth or increased revenue. However, the same tools that will modernise your workforce also present their own unique set of security challenges.
When it comes to modernising your mobile workforce to transform your business, Microsoft 365 leads the way, and for good reason. Microsoft 365 offers a wide range of tools that can be bundled together to create a smart, efficient operating system with mission-critical enterprise-grade security tools and seamlessly integrated workplace productivity apps. While Microsoft 365 offers built-in and customisable security tools, you do need to know how to properly set these up to secure your data. This post is a starting place. In it, we share just a few of the many simple ways you can better secure your modern, mobile workforce using Microsoft’s security tools.
Set Up Multi-Factor Authentication
One step to better secure your modern, mobile workforce is via two-step or multi-factor authentication (MFA). MFA is a simple, yet highly effective strategy to increase the security of your organisation’s data. Not too long ago, many businesses used a single login (typically username and password) to access various platforms, like email. Unfortunately, the stakes have changed quite a bit, and your organisation faces greater cyber vulnerabilities, threats and consequences.
MFA requires users to provide an additional form of ID; most commonly this is a password plus “something else” like a passcode from a device, a phone call to a predefined number or an app installed on a mobile device that prompts confirmation.
If you use Microsoft 365 or Office 365, it’s easy to set up an MFA protocol. Often, this access will come via a code from your phone. Essentially, you’ll add a setting through the Microsoft admin centre that will require users to log in via MFA. Users will then be prompted to set up their phones before they log in again. At a minimum, set up multi-factor authentication for your organisational email; beyond this, you may want to add it for other key accounts, like storage services or social media accounts. You can also add MFA to other email clients, including personal Microsoft accounts or Google.
Protect Against Malware and Ransomware
Another strategy to secure your modern, mobile workforce is to protect against the top threats you face, including malware and ransomware. Malware, which includes viruses and spyware, is designed to perform damaging operations to your IT infrastructure. Spyware, for example, can “spy” and obtain confidential information via your computers (or even your webcam), steal sensitive data and exploit vulnerabilities on your endpoints, like desktop computers and mobile devices.
Ransomware is another form of malware, in which an attacker demands a payment (ransom) to restore access to your data. It’s a real and growing threat. The Guardian just published “The Five” about some of the notable recent ransomware attacks, including an attack on the currency exchange service Travelex on New Year’s Eve. Attackers stole customer data, including national insurance numbers, and the attacker, Sodinokibi, demanded a ransom of £4.6m in return. The company has yet to respond; the company website in Europe states that it is down for “planned maintenance”.
One of the most effective defences against malware and ransomware is to create one or more mail flow rules at your organisation. This will block file extensions that are commonly used in such exploits. Both Microsoft 365 and Office 365 include malware protections, but, as an admin, you can also increase or customise this protection as your business grows or changes. For example, when adjusting your settings to filter common attachment types, you can add or delete types as you need, over time.
Ransomware attempts can also be thwarted in a similar fashion, through two recommended rules in Microsoft 365. The first step of the rule is to warn users before opening attachments with macros (ransomware is often hidden inside macros); the second step is to block file types that could contain malicious code.
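The decision logic of the two rules described above, sketched as an added example (not code from the original post and not Exchange Online's own implementation). The extension lists, the function names and the sample addresses are assumptions chosen for illustration; the point is that matching should use the final, normalised extension so that names like `invoice.pdf.EXE` are still caught.

```python
from email.message import EmailMessage

# Assumed sample lists; tune them to match your own mail flow rules.
MACRO_EXTS = {"docm", "dotm", "xlsm", "xltm", "xlam", "pptm", "potm", "ppam"}
BLOCKED_EXTS = {"exe", "scr", "js", "jse", "vbs", "vbe", "wsf", "hta",
                "bat", "cmd", "lnk", "msi"}

def extension(filename):
    """Final extension, lower-cased, ignoring trailing dots and spaces."""
    name = (filename or "").strip().rstrip(". ").lower()
    return name.rsplit(".", 1)[1] if "." in name else ""

def evaluate(msg):
    """Return (action, matching filenames); a block outranks a warning."""
    warn, block = [], []
    for part in msg.iter_attachments():
        ext = extension(part.get_filename())
        if ext in BLOCKED_EXTS:
            block.append(part.get_filename())
        elif ext in MACRO_EXTS:
            warn.append(part.get_filename())
    if block:
        return "block", block
    if warn:
        return "warn", warn
    return "deliver", []

def sample(*filenames):
    """Build a constructed message with dummy attachments for testing."""
    msg = EmailMessage()
    msg["From"] = "sender@example.com"
    msg["To"] = "user@example.org"
    msg["Subject"] = "Constructed sample"
    msg.set_content("See attached.")
    for name in filenames:
        msg.add_attachment(b"dummy", maintype="application",
                           subtype="octet-stream", filename=name)
    return msg
```
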
Protect Against Email Faking Attacks
Another threat facing your business is an email faking attack, like spoofing. While some attacks attempt to obtain information from your organisation, spoofing, on the other hand, attempts to deliver an attack by tricking your team into performing dangerous actions. Spoofing attacks are intentionally designed and delivered to appear legitimate and from trusted senders.
To mitigate the threat of an email faking attack, make sure you use Domain-based Message Authentication, Reporting and Conformance (DMARC) technology to actively block attacks. A DMARC policy can safeguard you by either blocking malicious email from reaching your inboxes or quarantining it via a spam folder. In Microsoft 365 and Office 365, you can also configure the Sender Policy Framework (SPF) and DomainKeys Identified Mail (DKIM). Combined, these strategies form the cornerstone for protecting your company domain.
Protect Against Phishing Attacks
Phishing attacks remain a pervasive threat to organisations of all sizes. This is where an attacker attempts to obtain valuable information through fraudulent emails to your company. Phishing is a form of “social engineering”, meaning it’s a manipulation tactic in which attackers pose as someone trustworthy.
The first step to protect against phishing is to install the right security software. If you’ve configured custom domains in Office 365 or Microsoft 365, you can also configure targeted anti-phishing protection, a feature of Office 365’s Advanced Threat Protection (ATP). Start by defining your anti-phishing policy in the threat management/policy settings. Then, you can leverage Office 365’s ATP Safe Links to protect your firm through time-of-click verification on web addresses in email messages and Microsoft Office documents.
Train your Users
Our last recommendation to secure your modern, mobile workforce is just as important, and it’s all about your people. Once you establish your cybersecurity policies and protocols, be sure to train your entire staff on the basics. This will help you establish a strong and sustainable culture of security awareness at your organisation and arm your staff as your front line of defence against threats.
Proper training will help your staff understand common dangers, like the risk of using public Wi-Fi networks, or what to look for, such as common elements in a phishing attack. In educating your team, strive for a customised, people-first and holistic training plan and follow up with resources and support after the training ends. This is another area where a trusted partner, like KA2, can help. Many firms offer customised training to help you identify, plan and conduct regular cybersecurity training across your entire business.
We hope you’re starting to pick up on a theme here. While your business faces more cyber threats than ever before, there are several ways you can protect your organisation and your reputation. Many of the most effective strategies come part and parcel through modern workplace tools like Microsoft 365 and Office 365. These and other built-in tools will help protect and transform your business, no matter where your workforce is located.
On top of all that, Microsoft also offers tools and settings for simplifying compliance with GDPR and securing Office 365 in line with the UK Government’s security principles. It can be daunting to know where to start and what practices will be best for your firm. However, our cybersecurity specialists can help ensure that you’re making the most of your modern workplace technologies and properly securing them in the process. Our Smarter Security Controls for Microsoft 365 are designed to help you establish – and maintain – a secure configuration posture by providing you with best practice security implementation and actionable insights.
Make sure your modern workforce is secure – whenever and wherever they choose to work. Get in touch with me at email@example.com to discuss your Microsoft 365 security.