Top 10 tips for securing Microsoft 365
A robust cyber security strategy should effectively address the following questions:
- How can I make my organisation more secure?
- How can I improve my cyber resilience?
- How can I be confident that we can detect and respond to cyber-attacks and limit their impact?
Such a strategy should ensure that the core technologies in use are secured or ‘hardened’ appropriately to make it harder for attackers to successfully compromise the business.
M365 is a fantastic productivity tool and with some simple configuration, it can be made much harder for attackers to be successful. This is often referred to as Attack Surface Reduction, Exposure Management, or Posture Management. When combined with well-developed detection and response capabilities, it can dramatically reduce your cyber risk and allow you to become ‘cyber resilient’.
Spending the time to secure your M365, largely using the features and services it already provides, is also the most cost-effective strategy. This is because it ensures you’re not unnecessarily purchasing other cybersecurity technologies when you could have just enabled or changed something in your M365 configuration.
The best advice here is to try to balance security and usability and to take a risk-based approach where possible (i.e., implement an appropriate and proportionate level of cyber security). That said, we have prepared the checklist below, which is a good starting point for your organisation. In practice, we would look to work with you to identify where you can get the most effective return on your investment.
Enable Multi-Factor Authentication on all accounts. This is probably the biggest ROI in cyber terms. It’s worth the perceived hassle of implementation and can be done in ways that are not negatively impactful to business operations. We recommend going one step further and using the Microsoft Authenticator App (not SMS/text) and using ‘Number Matching’. Number matching is a key security upgrade that works with the Microsoft Authenticator App and eliminates a lot of the residual risks when compared to SMS or the app on its own. It really is the number one thing to configure now (we believe Microsoft will soon make this the default setting, it’s that good!).
Use separate accounts for admin activities. Don’t use a highly privileged account such as administrator level as the same account you are using to log into your email, browse the web, etc. If you do this, then any attacker who compromises you (e.g., you click and run a phishing email that executes malicious code) is doing so with admin-level permissions. Even if all they manage to do is steal your credentials, they now have admin-level access, which is their goal! Make it much harder for them by using M365 day to day as a normal, low-privilege user. This will mean that attackers will need to find another way to get administrator access even if they compromise your device or user account.
Lock down admin accounts as much as possible. As mentioned above, make it as hard as possible for attackers to compromise admin-level accounts. This means you should maintain and monitor a small number of admin accounts and audit them regularly.
Use the principle of least privilege – all your users, service accounts, and applications should be granted access and assigned permissions only to the data and operations they require to perform their jobs. Remember, this is the privilege assigned to the account, not the user.
Use conditional access policies. Microsoft provides recommended security policies that can be used to enhance security. It’s a bit more involved, but it is manageable when done following a repeatable process: initially set policies to ‘report-only’, then test or simulate them before enabling enforcement. It’s also a good idea to exclude your ‘break glass’ accounts (see below) from these policies.
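The report-only rollout described above, as an added example that is not from the original article: it creates a Conditional Access policy requiring MFA for all users with the Microsoft Graph PowerShell SDK, in report-only state, with the break-glass accounts excluded. It assumes the SDK is installed, the signed-in admin holds Policy.ReadWrite.ConditionalAccess and User.Read.All, and the break-glass UPNs shown are placeholders.

```powershell
# Added example (not from the original article). Creates an MFA policy in report-only
# mode so its effect shows up in the sign-in logs before anything is enforced.
# Assumes Microsoft.Graph PowerShell SDK; UPNs below are placeholders.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "User.Read.All"

# Resolve the emergency access accounts to object IDs so they can be excluded.
$breakGlassUpns = @("breakglass1@contoso.example", "breakglass2@contoso.example")  # placeholders
$breakGlassIds  = foreach ($upn in $breakGlassUpns) { (Get-MgUser -UserId $upn).Id }

$policy = @{
    DisplayName = "CA001 - Require MFA for all users (report-only)"
    # enabledForReportingButNotEnforced = "report-only": evaluated and logged, never enforced.
    State       = "enabledForReportingButNotEnforced"
    Conditions  = @{
        Users          = @{
            IncludeUsers = @("All")
            ExcludeUsers = $breakGlassIds     # never lock the break-glass accounts out
        }
        Applications   = @{ IncludeApplications = @("All") }
        ClientAppTypes = @("all")
    }
    GrantControls = @{
        Operator        = "OR"
        BuiltInControls = @("mfa")
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
$created | Select-Object Id, DisplayName, State

# After reviewing the report-only results in the sign-in logs, switch the same policy on:
# Update-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $created.Id -State "enabled"
```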
Audit and review unused accounts, disable them, and have a slick joiners-and-leavers policy and process. It can be easy to forget to remove or disable user accounts on M365 when people leave. Other types of accounts, such as service accounts, can also be created for certain projects, trials, etc. If these are forgotten about, they can be compromised, and it’s even harder to detect this (unless you are specifically looking for it). So, schedule a regular task to review all those accounts.
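One way to run that regular review, as an added example that is not from the original article: it uses the Microsoft Graph PowerShell SDK to list enabled accounts with no interactive or non-interactive sign-in in the last 90 days and then disables them with -WhatIf so nothing changes until the list has been checked. It assumes the SDK is installed and the admin holds User.ReadWrite.All and AuditLog.Read.All; the 90-day threshold is an assumption.

```powershell
# Added example (not from the original article). Assumes Microsoft.Graph SDK;
# the 90-day threshold is an assumption and should match your leavers process.
Connect-MgGraph -Scopes "User.ReadWrite.All", "AuditLog.Read.All"

$threshold = (Get-Date).AddDays(-90)

# signInActivity is not returned unless requested explicitly via -Property.
$users = Get-MgUser -All -Property Id, DisplayName, UserPrincipalName, AccountEnabled, CreatedDateTime, SignInActivity

$stale = foreach ($u in $users) {
    if (-not $u.AccountEnabled) { continue }          # already disabled, nothing to do

    # Most recent of interactive and non-interactive sign-in; both are null for never-used accounts.
    $last = @($u.SignInActivity.LastSignInDateTime, $u.SignInActivity.LastNonInteractiveSignInDateTime) |
            Where-Object { $_ } | Sort-Object -Descending | Select-Object -First 1

    # A never-used account is only stale once it is older than the threshold,
    # so brand-new joiners who have not logged in yet are not swept up.
    if (-not $last -and $u.CreatedDateTime -gt $threshold) { continue }

    if (-not $last -or $last -lt $threshold) {
        [pscustomobject]@{
            UPN        = $u.UserPrincipalName
            LastSignIn = $last
            Created    = $u.CreatedDateTime
        }
    }
}

$stale | Sort-Object LastSignIn | Format-Table -AutoSize

# Disable rather than delete: the mailbox and OneDrive stay recoverable.
# Remove -WhatIf only after the list has been reviewed against known leavers and service accounts.
foreach ($s in $stale) {
    Update-MgUser -UserId $s.UPN -AccountEnabled:$false -WhatIf
}
```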
Use advanced M365 features like DLP (Data Loss Prevention) – your business has sensitive information to control, process and protect – it could be financial data, health records, or business strategy plans. It is your responsibility to protect this data and prevent your users, accounts and applications from accidentally or even intentionally sharing, losing, or deleting it. DLP alerts need to be monitored and responded to.
Set and monitor your sharing settings in OneDrive and SharePoint to prevent oversharing and your critical data being accidentally spilled or compromised. Educate people in your organisation about the danger of oversharing (‘share with care’) – why you share, what you share, with whom and for how long.
Consider setting up ‘Break Glass’ Accounts. ‘Break Glass’ or ‘Emergency access accounts’ are for emergencies only. These emergencies could be a cyber-attack or another failure where you can no longer log on to your usual admin accounts. If you decide to use these types of accounts, we recommend auditing and monitoring their use. Any use of them that is unexpected is a security alert in itself! They shouldn’t be associated with any actual user, so that they persist through staff changes, people leaving the business, etc. When these events occur, they should have their credentials changed. Authentication methods for these accounts should also differ from your other regular admin accounts; for example, a physical, truly phishing-resistant hardware key (FIDO).
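The monitoring the tip calls for, as an added example that is not from the original article: it queries the Entra ID sign-in log through the Microsoft Graph PowerShell SDK for any sign-in by the emergency access accounts in the last 24 hours, treating any hit as an alert to be matched against a known, authorised emergency. It assumes the SDK is installed and the admin holds AuditLog.Read.All; the account UPNs and the lookback window are placeholders.

```powershell
# Added example (not from the original article). Assumes Microsoft.Graph SDK;
# UPNs and the 24-hour window are placeholders. Schedule this or run it from a SOC runbook.
Connect-MgGraph -Scopes "AuditLog.Read.All"

$breakGlassUpns = @("breakglass1@contoso.example", "breakglass2@contoso.example")  # placeholders
$since = (Get-Date).ToUniversalTime().AddHours(-24).ToString("yyyy-MM-ddTHH:mm:ssZ")

foreach ($upn in $breakGlassUpns) {
    # OData filter on the signIns resource: this account, since the cutoff.
    $filter  = "userPrincipalName eq '$upn' and createdDateTime ge $since"
    $signIns = @(Get-MgAuditLogSignIn -Filter $filter -All)

    # Silence is the expected state for a break-glass account.
    if ($signIns.Count -eq 0) { continue }

    Write-Warning "ALERT: $($signIns.Count) sign-in(s) for break-glass account $upn since $since"
    $signIns | ForEach-Object {
        [pscustomobject]@{
            Time     = $_.CreatedDateTime
            IP       = $_.IPAddress
            Location = "$($_.Location.City), $($_.Location.CountryOrRegion)"
            App      = $_.AppDisplayName
            # errorCode 0 is success; anything else is a failed attempt and still worth chasing.
            Result   = if ($_.Status.ErrorCode -eq 0) { "Success" } else { "Failure ($($_.Status.ErrorCode))" }
            AuthReq  = $_.AuthenticationRequirement   # singleFactorAuthentication / multiFactorAuthentication
        }
    } | Format-Table -AutoSize
}
```

Failed attempts matter as much as successes here: a failure against an account nobody should be using is an early sign that someone has found its name.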
Use Secure Score. This is a feature that provides a very useful measure of how secure your M365 environment is and provides recommendations on what to do and how to remediate. This is an excellent place to start improving the security posture of your business using M365. It does require some thought and consideration as to which recommendation is best, but it is a valuable resource that gives you expert advice and a perfect starting point.
Use an M365 backup solution. Ensure you have a backup. If a worst-case scenario occurs, at least you can restore your data. The key is ensuring you have some sort of backup and that you are confident you can access that backup and restore it. Remember - Microsoft 365 storage solutions like OneDrive and SharePoint are not backed up by default!
Do not allow guest access if possible. This one is nice and simple. By default, users can add guests, and this can create ‘oversharing’ scenarios. Start with disabling this ability and, if you need to add guest access, ensure you restrict it and review it regularly. When adding guests, it is always a good idea to use Access Packages where possible. These define what guest users are able to see and the permissions they are granted, and user access reviews can be scheduled in days, weeks, months, or on specific dates to ensure that guests can be removed very easily. This works especially well when working in B2B scenarios.
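The guest invitation and sharing settings from this tip and the OneDrive/SharePoint sharing tip above, as an added example that is not from the original article: it reads the current tenant values and then applies the restricted ones, with the permissive defaults noted in comments. It assumes the Microsoft.Graph and Microsoft.Online.SharePoint.PowerShell modules, an admin with Policy.ReadWrite.Authorization and SharePoint admin rights, and a placeholder tenant name.

```powershell
# Added example (not from the original article). Assumes Microsoft.Graph and
# Microsoft.Online.SharePoint.PowerShell modules; tenant URL is a placeholder.
Connect-MgGraph -Scopes "Policy.ReadWrite.Authorization"

# 1. Who may invite guests into the tenant.
#    Default "everyone" lets any member, and even existing guests, invite new guests.
#    "adminsAndGuestInviters" limits it to admins and holders of the Guest Inviter role;
#    "none" switches invitations off entirely.
$authz = Get-MgPolicyAuthorizationPolicy
Write-Output "Current allowInvitesFrom: $($authz.AllowInvitesFrom)"
Update-MgPolicyAuthorizationPolicy -AllowInvitesFrom "adminsAndGuestInviters"

# 2. Tenant-wide external sharing for SharePoint and OneDrive.
Connect-SPOService -Url "https://contoso-admin.sharepoint.com"   # placeholder tenant
$tenant = Get-SPOTenant
Write-Output "Current SharingCapability: $($tenant.SharingCapability)"
Write-Output "Current DefaultSharingLinkType: $($tenant.DefaultSharingLinkType)"

# SharingCapability, most to least permissive:
#   ExternalUserAndGuestSharing    - anyone links (anonymous), no sign-in needed
#   ExternalUserSharingOnly        - new and existing guests, sign-in required
#   ExistingExternalUserSharingOnly - only guests already in the directory
#   Disabled                       - no external sharing
# Default sharing link of "Internal" with "View" permission means a casual "copy link"
# no longer hands out edit rights to people outside the organisation.
Set-SPOTenant -SharingCapability ExistingExternalUserSharingOnly `
              -DefaultSharingLinkType Internal `
              -DefaultLinkPermission View
```

Apply these first to a test tenant or during a change window, because tightening SharingCapability invalidates existing anonymous links and users will notice.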
This list is a good place to start but it’s also key that you keep up to date as M365 is updated regularly. A good cyber resilience strategy for M365 is to regularly review tips and advice such as these and monitor the audit logs or use a 24/7 security monitoring service. By doing so, you will significantly transform the security of your M365 environment by reducing the attack surface area and improving your security posture.
For users who consider their cyber risk to be high, there are many options to enhance this baseline security by adding features, such as:
Azure AD Identity Protection, Microsoft 365 Defender (with Defender for Endpoint, Defender for Identity, Defender for Cloud, etc), or working with a threat detection and response provider who can implement a SIEM platform such as Sentinel and provide expert cyber services such as attack simulation, security posture management and rapid incident response.
For organisations with little or no cyber resources, we advise finding a ‘trusted advisor’ who can provide the right level of expert cyber services. This may be a cyber consulting firm or a specialist cyber-MSP/service provider. We do not recommend that this is your existing MSP, helpdesk provider, or IT team. Cyber is a specialist area, and you can get far more value from specialists who can work with your team to make your business more resilient and transform cyber from a headache to a competitive advantage, while keeping costs low and in control.
When an incident happens you need a partner whom you can trust. Experts are there around the clock to help detect and respond to attacks before they become major incidents.
Rob Demain, CEO