The sheer volume of users makes O365 more likely to face attacks
Affordable and easy to use, Microsoft Office 365 (O365) has grown to become a popular enterprise cloud application. But O365 also has proven popular with hackers.
The sheer volume of users makes O365 more likely to face attacks. Additionally, users often lack the time, knowledge, and resources to correctly implement the platform to reduce the chances of security breaches.
Thousands of companies, government units, and other organizations have installed O365 since its introduction in 2011. It enables employees to use a cloud-based network to access popular tools such as Word and Excel, Outlook email, and Skype teleconferencing. It fosters mobility by allowing users to work and collaborate from any location.
But many users have failed to activate important security features. Because O365 is so easy to implement, organizations are tempted to begin using it immediately without activating crucial security features. These security features are not automatically enabled to give users greater flexibility to customize O365 to fit their organization’s environment and work processes.
Since many O365 users are small- to medium-size companies, it is more understandable if their IT departments lack the know-how to enable the security measures. But large companies, with seemingly more sophisticated IT professionals, also have been hacked as a result of incorrectly implemented O365.
Phishing scams have included hackers using Outlook emails to induce users to reveal their passwords, and phony IRS notices inviting users to click on a link and enter sensitive personal information, including Social Security numbers and bank accounts.
And the attacks aren’t only staged by basement hackers on laptops. Nation states, including China and Iran, have been linked to O365 phishing expeditions on major corporations and U.S. government agencies.
Organizations considering the purchase of O365, or that already have installed the software, should consider using the services of an information security consultant who can audit the implementation and enable the critical applications to make O365 more secure.
Meanwhile, here are five steps Navigant Consulting, Inc.’s cybersecurity team suggests doing to make O365 more secure:
1. Activate Audit Log
Turning on the audit log function enables organizations to have a record of every activity on O365. It tracks system logins, email activity, and the creation and deletion of files. Activating the audit log function allows an IT department to examine records of all system actions and discover the source of suspicious activities.
Unfortunately, many companies discover too late that the audit log application has not been activated. Scrambling to uncover the source of a cybersecurity breach or employee fraud, the IT department must revert to a cumbersome manual search of system activity.
To help companies avoid a time-consuming and costly manual audit log search, Navigant has developed a custom script that allows it to pull information directly from Microsoft’s database. This capability is a real advantage, since Microsoft doesn’t make audit log information readily available.
2. Two-Factor Authentication
Activating the two-factor authentication function on O365 is the best way to prevent hackers from gaining access to a network through email phishing or similar scams.
Two-factor authentication requires users to not only log in using their password, but also a second method, like a dynamic pass code, to confirm their identities. The unique pass code is sent by text message to the user’s mobile device or is available using the Microsoft Authenticator app, and must be entered as the second form of authentication.
Two-factor authentication might prompt some employees to complain about the extra hassle to log in. But it will reduce the chances of a hacker tricking an employee through email, the most frequent way cyber criminals gain access to a system.
3. Administrative Controls
Organizations should give careful thought to which employees have access to critical data stored in O365. This is where turning on O365’s administrative controls comes in handy.
O365 allows companies to categorize employees by their job responsibilities and limit what data they can access. While top executives and IT personnel might need access to the entire platform, other employees might have more limits.
Too often companies install O365 without setting administrative controls, giving every employee complete access to the entire platform. All a hacker needs to do is trick an employee into providing a password into the system. Once inside, the hacker can create a new administrator account and probe for sensitive data unnoticed.
4. Data Loss Protection
Organizations can create a data loss protection policy that automatically identifies, monitors, and safeguards sensitive information within all O365 products.
Healthcare organizations and financial institutions are accustomed to having such protections as part of the regulatory process. But all companies need to have protections against the leaking of health records, financial data, or personally identifiable information such as Social Security numbers and credit card accounts.
O365 can help companies identify and block outside access to financial information or account numbers that might appear in emails or collaborative applications. It also can identify and monitor sensitive information that appears in documents on platforms such as Excel or Word.
5. Enabling Alerts
O365 also has a setting that can alert administrators when a system update occurs. For example, an alert can be sent when an employee updates a password or when a new administrative account is created.
Alerts help system administrators prevent outside attacks. Getting an alert when an employee password is changed could be a sign that a hacker has entered the system. A new administrator account could be a similar signal.
O365 is an innovative enterprise cloud application because it enhances employee mobility and access through software that is affordable and easy to use. Unfortunately, cyber criminals also find O365 easy to use for nefarious activities.
Microsoft built O365 with many security features, but purposely leaves the choice to each organization as to which tools are activated. While Microsoft is offering companies the broadest flexibility to customize O365, many organizations simply install the software “as is,” leaving them open to security breaches.
Companies using O365 need to do some proactive prevention, activating the security tools available in the software. Organizations lacking the time, resources, or expertise to enable these security tools would do best to seek the help of a security consultant who can learn about a company’s business and culture, and help develop a strong security plan for O365.