What Are the Best Ways to Secure Our Microsoft 365 Business Account?
Cloud account breaches are becoming all too common these days. As data and workflows have migrated to cloud platforms like Microsoft 365, so have hacker priorities. The recent 2020 Data Breach Investigations Report (DBIR) found that theft of login credentials has now become the #1 objective of phishing attacks. This makes cloud account security a top priority for any small business in Tennessee and the rest of the world. What can happen when a hacker gains access to an all-in-one cloud platform?
- Hackers gain access to email messages
- They can use email accounts to send spam & phishing
- Files in cloud storage may be accessed by hackers
- They can plant ransomware or other malware in cloud storage
- They can more easily perpetrate internal phishing attacks
- With the right privileges, they can change security settings for your account and access user data
Microsoft 365 has multiple security settings and protections in place that you can use to secure your account. Many of these are not on by default. You need to know where they are and specifically enable them to gain the benefit of their protection.
5 Important Security Settings to Use in Microsoft 365 for Business
Block Email Auto-Forwarding Outside Your Organization
The user isn’t always immediately aware when an account is compromised. Sometimes hackers will do something quietly, such as creating an email forward to their own account. This type of hack can easily go unnoticed for months, or longer, while the hacker receives a copy of every email sent to the user’s address. You can create a rule in the Exchange admin center, under the Mail flow category, that stops all auto-forwarding outside your organization’s domain. The main parameters to include in the rule are:
- Prevent auto-forwarding to external domains
- Apply rule if sender is inside the organization
- Add condition: If recipient is outside the organization
- Add condition: If message properties include auto-forward
- Action: Block the message
- Text to add: Auto-forwarding is blocked outside this organization
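The same rule can be created from Exchange Online PowerShell, which is also the quickest way to check whether any forwarding is already in place. The script below is an added example, not part of the original article; it assumes the ExchangeOnlineManagement module is installed and that you sign in as an Exchange administrator. The rule name and rejection text are the ones listed above.

```powershell
# Added example (not from the original article): create the mail flow rule described
# above with Exchange Online PowerShell, then audit forwarding that already exists.
# Assumes the ExchangeOnlineManagement module and an Exchange administrator sign-in.
Connect-ExchangeOnline

$ruleName = 'Prevent auto-forwarding to external domains'

# Conditions: sender inside the organization, recipient outside it, message is an
# auto-forward. Action: reject the message with an NDR carrying the explanatory text.
if (-not (Get-TransportRule -Identity $ruleName -ErrorAction SilentlyContinue)) {
    New-TransportRule -Name $ruleName `
        -FromScope InOrganization `
        -SentToScope NotInOrganization `
        -MessageTypeMatches AutoForward `
        -RejectMessageEnhancedStatusCode '5.7.1' `
        -RejectMessageReasonText 'Auto-forwarding is blocked outside this organization' `
        -Mode Enforce `
        -Priority 0
}

# The outbound spam policy has its own automatic-forwarding switch; confirm it is not
# set to 'On' (Off or Automatic both refuse external auto-forwards).
Get-HostedOutboundSpamFilterPolicy | Select-Object Name, AutoForwardingMode

# The rule stops future auto-forwards, but a forward an attacker created earlier is
# still sitting in the mailbox. Two places to look: mailbox-level forwarding and inbox rules.
$mailboxes = Get-Mailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox

# 1. Mailbox-level forwarding, whether set by an admin or through the user's Outlook settings.
$mailboxes |
    Where-Object { $_.ForwardingSmtpAddress -or $_.ForwardingAddress } |
    Select-Object UserPrincipalName, ForwardingSmtpAddress, ForwardingAddress, DeliverToMailboxAndForward

# 2. Inbox rules that forward or redirect, which is what a quiet account takeover typically uses.
foreach ($mbx in $mailboxes) {
    Get-InboxRule -Mailbox $mbx.UserPrincipalName -ErrorAction SilentlyContinue |
        Where-Object { $_.ForwardTo -or $_.ForwardAsAttachmentTo -or $_.RedirectTo } |
        Select-Object @{ Name = 'Mailbox'; Expression = { $mbx.UserPrincipalName } },
                      Name, Enabled, ForwardTo, ForwardAsAttachmentTo, RedirectTo
}
```

Run the two audit queries before and after enabling the rule: the rule only affects messages going forward, so any forwarding address you do not recognize in the output should be removed and the owning account investigated.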
Enable Multi-Factor Authentication for All Users
It’s common for account hacks to be the result of password security issues. Users may use weak passwords and reuse them across multiple accounts. Entire databases of login passwords can be breached at retailers (Marriott and CafePress are just two recent examples). Enabling multi-factor authentication (MFA) for all users adds another step to login: entering a code that is sent to a device the user has registered in the system. This blocks approximately 99.9% of all fraudulent sign-in attempts.
Improve Ransomware & Malware Protection
Email is the delivery vector for the majority of ransomware and other malware attacks, usually through a malicious link or a dangerous file attachment. Microsoft 365 gives you controls to set rules on which attachment file types are allowed through in email, and to warn users before they open certain attachments. You’ll find these in the rules section of the Exchange admin center, under the Mail flow category. From there, a number of rules can be set up to protect users from dangerous phishing emails, including:
- Blocking specific file types (.exe, .vbs, .tar, etc.)
- Warning users with a message not to open certain file types
- Creating an anti-malware file type list
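The three controls listed above can all be built from Exchange Online PowerShell. The script below is an added example, not part of the original article; it assumes the ExchangeOnlineManagement module and an Exchange administrator sign-in. The file type lists start from the article’s examples (.exe, .vbs, .tar) with a few common script types added, and should be tuned to what your business actually exchanges.

```powershell
# Added example (not from the original article): the three attachment controls described
# above, built with Exchange Online PowerShell. Assumes the ExchangeOnlineManagement
# module and an Exchange administrator sign-in. Extension lists are illustrative.
Connect-ExchangeOnline

# 1. Block specific file types: reject inbound messages whose attachment extension is
#    on the list. This matches the file NAME, so rule 2 covers renamed executables.
$blockedExtensions = 'exe', 'vbs', 'tar', 'js', 'bat', 'cmd', 'ps1', 'scr'

New-TransportRule -Name 'Block dangerous attachment types' `
    -FromScope NotInOrganization `
    -AttachmentExtensionMatchesWords $blockedExtensions `
    -RejectMessageEnhancedStatusCode '5.7.1' `
    -RejectMessageReasonText 'This attachment type is not accepted by this organization' `
    -Mode Enforce

# 2. Block executable content regardless of the file name (inspects the attachment bytes).
New-TransportRule -Name 'Block executable attachment content' `
    -FromScope NotInOrganization `
    -AttachmentHasExecutableContent $true `
    -RejectMessageEnhancedStatusCode '5.7.1' `
    -RejectMessageReasonText 'Executable attachments are not accepted by this organization' `
    -Mode Enforce

# 3. Warn users: let macro-enabled Office documents through but flag them in the subject
#    so the recipient treats them with care. Blocking them outright is safer if you can.
New-TransportRule -Name 'Warn on macro-enabled documents' `
    -FromScope NotInOrganization `
    -AttachmentExtensionMatchesWords 'docm', 'xlsm', 'pptm' `
    -PrependSubject '[CAUTION: macro-enabled attachment] ' `
    -Mode Enforce

# 4. Anti-malware file type list: the "common attachments filter" in the default
#    anti-malware policy, enforced by the malware filter independently of mail flow rules.
Set-MalwareFilterPolicy -Identity Default -EnableFileFilter $true -FileTypes $blockedExtensions

# Verify what is now in place.
Get-TransportRule | Where-Object { $_.Name -like '*attachment*' } | Select-Object Name, Priority, State
Get-MalwareFilterPolicy -Identity Default | Select-Object EnableFileFilter, FileTypes
```

Keeping the extension rule and the executable-content rule separate makes the reason for a rejection visible in the NDR, which helps when a legitimate sender is blocked and asks why.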
Create a Dedicated Admin Account
When you grant Microsoft 365 admin permissions to user accounts, those accounts carry higher risk should a breach occur. If you have six account admins, that’s six accounts you need to worry about should they be taken over due to a breach. You can reduce the risk of an admin account being breached by creating one dedicated admin account that admins use instead of their personal accounts. Fewer accounts with admin access means less exposure. That account is used only for admin purposes, not for sending and receiving email or logging into other online applications. Tips for protecting this admin account:
- You must enable multi-factor authentication.
- Before using the account, close out any browser sessions, apps, and personal email account sessions.
- Log out of the browser session when you have completed admin tasks with the account.
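Before consolidating, it helps to see which accounts currently hold privileged roles and whether they look like everyday user accounts (a mailbox, licenses) rather than dedicated admin accounts. The audit below is an added example, not part of the original article; it assumes the Microsoft.Graph and ExchangeOnlineManagement modules and read access to directory roles. The role list is a starting point to extend for your tenant.

```powershell
# Added example (not from the original article): audit who holds privileged roles and
# whether those accounts look like day-to-day user accounts rather than dedicated admin
# accounts. Assumes the Microsoft.Graph and ExchangeOnlineManagement modules.
Connect-MgGraph -Scopes 'RoleManagement.Read.Directory', 'User.Read.All'
Connect-ExchangeOnline

# Roles worth reviewing; add any others your tenant assigns.
$privilegedRoles = 'Global Administrator', 'Exchange Administrator',
                   'Security Administrator', 'SharePoint Administrator'

$findings = foreach ($roleName in $privilegedRoles) {
    # Get-MgDirectoryRole only returns roles that have been activated in the tenant.
    $role = Get-MgDirectoryRole -Filter "displayName eq '$roleName'"
    if (-not $role) { continue }

    foreach ($member in Get-MgDirectoryRoleMember -DirectoryRoleId $role.Id) {
        # Members can be users, groups or service principals; only users are checked here.
        $upn = $member.AdditionalProperties['userPrincipalName']
        if (-not $upn) { continue }

        $user    = Get-MgUser -UserId $member.Id -Property UserPrincipalName, AssignedLicenses
        $mailbox = Get-EXOMailbox -Identity $upn -ErrorAction SilentlyContinue

        [pscustomobject]@{
            Role           = $roleName
            Account        = $upn
            HasMailbox     = [bool]$mailbox
            LicenseCount   = $user.AssignedLicenses.Count
            # A dedicated admin account has no mailbox and needs no user licenses.
            LooksDedicated = (-not $mailbox) -and ($user.AssignedLicenses.Count -eq 0)
        }
    }
}

$findings | Sort-Object Role, Account | Format-Table -AutoSize
```

Every row with LooksDedicated set to False is a personal account that also holds admin rights; the article’s advice is to move that role to the dedicated account and remove it from the personal one.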
Turn on Safe Links & Safe Attachments
Two important protections available to Microsoft 365 Business Premium accounts are Safe Links and Safe Attachments. These are designed to block phishing tactics on two fronts: malicious file attachments and malicious links. The administrator must activate this protection; it is not turned on by default. To turn them on, go to the Security & Compliance Center > Threat management > Policy. Next, look for the options for Safe Attachments and for Safe Links.
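The same two protections can be enabled for every recipient from Exchange Online PowerShell. The script below is an added example, not part of the original article; it assumes Microsoft 365 Business Premium (which includes Defender for Office 365 Plan 1), the ExchangeOnlineManagement module, and a security administrator sign-in. The domain is a constructed placeholder for your own accepted domain.

```powershell
# Added example (not from the original article): turn on Safe Attachments and Safe Links
# for every recipient in the tenant. Assumes Business Premium (Defender for Office 365
# Plan 1) and the ExchangeOnlineManagement module. 'contoso.com' is a placeholder.
Connect-ExchangeOnline

$domain = 'contoso.com'

# Safe Attachments: detonate attachments in a sandbox before delivery and block the
# message when malware is found. A policy only takes effect once a rule scopes it.
New-SafeAttachmentPolicy -Name 'Safe Attachments - all users' `
    -Enable $true `
    -Action Block

New-SafeAttachmentRule -Name 'Safe Attachments - all users' `
    -SafeAttachmentPolicy 'Safe Attachments - all users' `
    -RecipientDomainIs $domain

# Safe Links: rewrite URLs so they are checked at click time, scan URLs before delivery,
# cover Teams and Office clients too, refuse click-through on flagged URLs, and keep
# click records so an incident responder can see who followed a bad link.
New-SafeLinksPolicy -Name 'Safe Links - all users' `
    -EnableSafeLinksForEmail $true `
    -EnableSafeLinksForTeams $true `
    -EnableSafeLinksForOffice $true `
    -ScanUrls $true `
    -DeliverMessageAfterScan $true `
    -EnableForInternalSenders $true `
    -TrackClicks $true `
    -AllowClickThrough $false

New-SafeLinksRule -Name 'Safe Links - all users' `
    -SafeLinksPolicy 'Safe Links - all users' `
    -RecipientDomainIs $domain

# Verify both rules are enabled and scoped to the domain.
Get-SafeAttachmentRule | Select-Object Name, State, RecipientDomainIs
Get-SafeLinksRule      | Select-Object Name, State, RecipientDomainIs
```

Enabling Safe Links for internal senders matters for the scenario in the first section: once an account is compromised, phishing links arrive from inside the organization, and a policy that only covers external mail would let them through.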
Get Help Properly Securing Your Microsoft 365 Account
Don’t leave important security features untapped when they could be protecting your business. Copperband Technologies can assist your Tennessee business with proper security configuration of Microsoft 365. Contact us today to schedule a consultation! Call 931.263.8000 or email us!