Microsoft 365 (formerly known as Office 365) is a productivity suite that includes an online version of Office as well as several powerful cloud solutions like SharePoint and Exchange. Because it's hosted on the cloud, Microsoft 365 eliminates infrastructure support costs and maintenance tasks such as software patching.
However, in May 2019, the US Cybersecurity and Infrastructure Security Agency (CISA) released a report stating that many companies that had migrated to Microsoft 365 had multiple security misconfigurations that introduced cybersecurity vulnerabilities, including:
- Disabled multifactor authentication (MFA) by default
- Disabled mailbox auditing
- Enabled password synchronizations
- Unsupported authentication by legacy protocols
Third-party hosting providers and implementers using poor operational practices can also increase your security risk.
How to keep Microsoft 365 secure
Here are some tips to help you address these Microsoft 365 security issues:
1. Create a Microsoft 365 security task force
This team will be responsible for resolving all concerns with Microsoft 365. Their tasks include:
- Learning about known Microsoft 365 issues
- Compiling best practices and recommending remediation plans
- Developing an effective security plan for migrating to Microsoft 365
- Working with third-party providers to ensure migration to Microsoft 365 is correctly done
- Coordinating directly with Microsoft specialists if problems arise
2. Study Microsoft 365 documentation
Microsoft documents security vulnerabilities related to configuration issues, and users can access information about these in an extensive library. Your security task force should frequently review this library for recommendations and updates.
3. Enable DKIM, SPF, and DMARC
DomainKeys Identified Mail (DKIM), Sender Policy Framework (SPF), and Domain-based Message Authentication Reporting and Conformance (DMARC) must be enabled. These protocols authenticate and validate email servers, and protect your organization from spoofing and phishing attacks.
4. Enable multifactor authentication (MFA)
Because MFA for Microsoft 365 admin accounts are not enabled by default, hackers who are able to steal admin credentials can access their accounts and steal private employee data. Enabling MFA can resolve this security issue.
5. Enable mailbox auditing
Enabling mailbox auditing allows your IT team or managed IT services provider (MSP) to track an employee's actions using different mailboxes, including the employee's and their colleagues'. It also notifies you when a user sends an email posing as someone else, or if they permanently delete any email.
6. Determine whether password sync needs to be enabled
When users migrate to Microsoft 365, Azure AD Connect combines on-premises environments with Azure AD. During this process, Azure AD passwords are overwritten by the on-premises passwords. Hackers who are able to steal these passwords can gain privileged-user access to systems where password synchronization is enabled. Your IT team or MSP should carefully think about the implications of a premises-based attack on your cloud system if you decide to enable password synchronization.
7. Stop using legacy protocols
Legacy protocols such as Internet Mail Access Protocol 4 and Post Office Protocol 3 cannot support modern authentication methods that use MFA. This puts email and other user accounts relying only on a username and password at high risk of a cyberattack. CISA recommends discontinuing these legacy protocols.
8. Upgrade your operating systems before migration
Early versions of Microsoft Office have security vulnerabilities that hackers can easily exploit. This is why you should upgrade all Microsoft software to the latest versions before migrating to Microsoft 365.
9. Third-party applications must be tested prior to integration
If you're using third-party applications — whether developed in-house or by other companies — together with Microsoft 365, conduct strict cybersecurity testing on those apps before integrating them with Microsoft 365.
10. Create a business continuity plan
Many businesses assume that just because Microsoft 365 is cloud-based, it automatically backs up all their data. The fact is, Microsoft uses replication instead of traditional backup methods. Unfortunately, this doesn't guarantee that your data and files will remain available if they're accidentally erased or if you're hit by a cyberattack. This is why your organization should have its own backup and business continuity plan.
If you're looking to migrate to Microsoft 365 but don't know where to start, Complete Document Solutions can help. Our IT experts will review your current infrastructure and software to ensure the migration process is as seamless as possible. Call us today to learn more.