Office 365 is probably the easiest, fastest, and most convenient way to store your company’s files, and allow everybody to collaborate on them. However, that level of convenience also opens your organization to security risks. Your Office 365 files will be a prime target for hackers because they can get everything you have, from trade secrets to promotion and marketing plans, and even e-mails and documents. They can also get customer information.
Office 365 does not have to be a vulnerability to your company. Microsoft has made sure that features and services are in place to help you get a more secure platform for sharing and storing your files.
Here’s how to keep your company’s data safe on Office 365
1. Use policy alerts.
With Office 365, you gain access to a Compliance Center that can help your organization with data security obligations. Remember that a majority of breaches, or around six in every 10, are caused by insider threats. These insider threats include those employees with compromised credentials.
It could also be intentional, or rogue employees sending data outside of your network. For the most part, however, it is because an insider is careless. The thing is, breaches caused by insiders can cost an average of $8.76 million per year, globally.
Some employees are considered as non-responders. These people are those who have been given proper training and awareness but still behave negligently. Notably, negligent employees cause around 63 percent of breaches.
The best thing about alert policies in Office 365 is that you can monitor any activity you want, the specific conditions that will warrant an alert, as well as the time when an alarm is triggered.
For instance, you can set up an alert that will only be triggered if an employee sends confidential information over an unsecured Wi-Fi connection. You can set it to alert you every time it happens, or only after a certain number of instances.
You can also assign the alert to any of five categories:
- data governance,
- data loss prevention,
- mail flow,
- permissions, and
- threat management.
If the alarm doesn’t fall under any of these, you can just choose “others.” After that, you can also set the alert’s severity attribute. You can set an alert to low, medium, or high in severity. You can even have Office 365 send e-mail notifications to specified users when an alert is triggered.
The good news is that Office 365 already has some built-in alert policies. Some examples of these default alerts include:
- A user clicking a potentially dangerous URL, which falls under the threat management category with a high severity setting.
- A user starting an eDiscovery search, which has a medium severity rating and falls under the threat management category.
- When a large number of outside users access files on your SharePoint. This data governance alert has a high severity rating.
Setting policy alerts can help you deal with negligent insiders who may inadvertently send data outside of your organization. For instance, a policy alert can warn them about sending sensitive files to contacts who are not listed in the company’s network. Not only does this prevent data leaks, it can also educate employees about the right way to share data.
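As an added example (not code from the original article), here is how the alert policy described above can be created from Security & Compliance PowerShell rather than the Compliance Center UI. It assumes the ExchangeOnlineManagement module is installed and that the signed-in account holds a compliance-administrator role; the operation name and the notification address are assumptions and should be checked against your own tenant.

```powershell
# Added example, not code from the original article. Creates a custom alert policy
# with Security & Compliance PowerShell. Assumes the ExchangeOnlineManagement module
# is installed and the signed-in account holds a compliance-administrator role.
Import-Module ExchangeOnlineManagement
Connect-IPPSSession

# First list the built-in policies the article mentions, grouped by category,
# so you do not duplicate one that already covers the activity.
Get-ProtectionAlert |
    Select-Object Name, Category, Severity, Disabled |
    Sort-Object Category, Name |
    Format-Table -AutoSize

# Custom policy: fire when one user creates more than 5 external sharing
# invitations within 60 minutes. The operation name is the audit-log activity
# for an external sharing invitation (assumption: confirm it against the activity
# list in the alert policy UI for your tenant). The notification address is a placeholder.
New-ProtectionAlert -Name "Burst of external sharing" `
    -Description "A single user sent an unusual number of external sharing invitations." `
    -Category DataGovernance `
    -Severity High `
    -ThreatType Activity `
    -Operation SharingInvitationCreated `
    -AggregationType SimpleAggregation `
    -Threshold 5 `
    -TimeWindow 60 `
    -NotifyUser "secops@example.com"

# Confirm the policy exists and is enabled.
Get-ProtectionAlert -Identity "Burst of external sharing" |
    Format-List Name, Category, Severity, Operation, Threshold, TimeWindow, NotifyUser, Disabled
```

Using `SimpleAggregation` with a threshold and time window is what turns a noisy per-event alert into the "only after a certain number of instances" behaviour the article describes; `-AggregationType None` would notify on every single event instead.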
2. Secure your devices.
In the past, it was easy to secure devices that accessed the company’s network. All IT had to do was to grant access only to computers that are connected to the system. However, more and more employees are now using their own devices to perform work-related tasks and communication, with many of these devices connected to company networks and systems. Around six out of 10 organizations, or 59 percent, allow employees to use their smartphones, tablets, laptops, and other devices for work. Approximately 87 percent allow their employees to use personal devices to access business applications.
As such, you need to set up mobile device management tools for your Office 365 tenant. These tools help you manage policies and access restrictions. They also enable you to wipe confidential data and files from these devices if they are stolen or lost.
Interested in using Mobile Device Management in Office 365? This page will help you set it up.
3. Multi-factor authentication… stat!
While strong passwords are a great start in securing Office 365 accounts, these are not enough. Multi-factor authentication should be a requirement for all user accounts. When a user logs in, he or she will get a temporary code on his or her phone. The user will need to enter this code to access the Office 365 account.
Even if hackers get hold of your password, they will not be able to get into your account without your phone.
Check this page to learn how to set up multi-factor authentication.
4. Use session timeouts.
Employees often leave their Office 365 accounts logged in on their computers and mobile devices. If a hacker is in your network, that scenario might give them unlimited access to company files and sensitive data.
When you apply session timeouts to all accounts on your network, users will be automatically logged out within 10 minutes of inactivity. Microsoft has different default session lifetimes for various services:
- Office 365 Admin Center: 8 hours
- SharePoint Online: 5 days
- Outlook Web App: 6 hours
- Azure Active Directory: 1 hour
- SharePoint and OneDrive: 1 hour
- Yammer with Office 365 Sign-in: Lifetime on the browser
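The 10-minute inactivity logout mentioned above can be applied to Outlook on the web with the tenant's organization configuration. This is an added example using Exchange Online PowerShell, not code from the article; it assumes the ExchangeOnlineManagement module is installed and that the signed-in account is an Exchange administrator. Note that this setting covers Outlook on the web only; the other services in the list keep their own session lifetimes.

```powershell
# Added example, not code from the original article. Configures the inactivity
# timeout for Outlook on the web with Exchange Online PowerShell. Assumes the
# ExchangeOnlineManagement module is installed and the signed-in account is an
# Exchange administrator.
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline

# Current tenant setting (the activity-based timeout is off by default).
Get-OrganizationConfig |
    Format-List ActivityBasedAuthenticationTimeoutEnabled,
                ActivityBasedAuthenticationTimeoutInterval,
                ActivityBasedAuthenticationTimeoutWithSingleSignOnEnabled

# Sign users out of Outlook on the web after 10 minutes without activity.
# The interval is hh:mm:ss; Exchange accepts values from 5 minutes to 8 hours.
Set-OrganizationConfig `
    -ActivityBasedAuthenticationTimeoutEnabled $true `
    -ActivityBasedAuthenticationTimeoutInterval 00:10:00 `
    -ActivityBasedAuthenticationTimeoutWithSingleSignOnEnabled $true

# Verify the change was applied.
(Get-OrganizationConfig).ActivityBasedAuthenticationTimeoutInterval
```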
5. Use Office 365 Data Loss Prevention.
Data privacy and retention regulations are in place, which makes you responsible for the way you store, secure, and delete data. Europe’s General Data Protection Regulation requires you to put up stringent security for your customers’ data and to report a breach within 72 hours after you detect it. Meanwhile, the Sarbanes-Oxley Act lays down criteria on what data you should hold on to and what you can delete.
Violating these regulations can come with stiff financial penalties, and a tremendous hit to your reputation. Additionally, losing sensitive data can severely and negatively affect your business. Data loss prevention will block any attempt by a user to send confidential data outside of your company’s domain and even prevent users from storing it in public cloud storage services such as Google Drive or Dropbox.
DLP uses a set of policies and rules that specifies what types of data or files are considered to be critical, sensitive, or confidential. DLP works like alerts, in that if somebody tries to send a secret file, you will be notified. Here’s how to set it up.
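As an added example (not the article's own setup steps), here is a DLP policy and rule built from Security & Compliance PowerShell that does what the paragraph describes: it classifies content by a sensitive information type, blocks sharing outside the organization, and reports the incident. It assumes the ExchangeOnlineManagement module is installed and that the signed-in account holds a compliance-administrator role; the policy and rule names are made up for the example.

```powershell
# Added example, not code from the original article. Builds a DLP policy and rule
# with Security & Compliance PowerShell. Assumes the ExchangeOnlineManagement
# module is installed and the signed-in account holds a compliance-administrator role.
Import-Module ExchangeOnlineManagement
Connect-IPPSSession

# Policy scope: Exchange mail, SharePoint sites and OneDrive accounts.
# Test mode first: matches are logged and users see policy tips, but nothing is
# blocked until -Mode is changed to Enable.
New-DlpCompliancePolicy -Name "Block credit card data leaving the tenant" `
    -Comment "Added example policy" `
    -ExchangeLocation All `
    -SharePointLocation All `
    -OneDriveLocation All `
    -Mode TestWithNotifications

# Rule: content containing at least one credit card number, shared with people
# outside the organization, is blocked, the owner is told why, and an incident
# report goes to the site admin. "Credit Card Number" is a built-in sensitive
# information type.
New-DlpComplianceRule -Name "Credit card number shared externally" `
    -Policy "Block credit card data leaving the tenant" `
    -ContentContainsSensitiveInformation @(@{ Name = "Credit Card Number"; minCount = "1" }) `
    -AccessScope NotInOrganization `
    -BlockAccess $true `
    -NotifyUser Owner `
    -GenerateIncidentReport SiteAdmin `
    -ReportSeverityLevel High

# Review what was created.
Get-DlpComplianceRule -Policy "Block credit card data leaving the tenant" |
    Format-List Name, AccessScope, BlockAccess, NotifyUser, ReportSeverityLevel
```

Running in `TestWithNotifications` mode for a while before switching to `Enable` lets you see how many legitimate workflows would be blocked, so the policy can be tuned before users start hitting hard blocks.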
6. Use dedicated admin accounts.
Administrative accounts are sacred because of the degree of control and high-level privileges these accounts have. If you are an administrator, it will be a good idea to have separate admin and user accounts. Use the regular user account for everything, and log into your admin account only when it is absolutely necessary.
Be sure that even your admin account has multi-factor authentication in place. Before logging into your admin account, you should also close all browser sessions and apps that you are not using. Lastly, be sure to log out after every session.
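A quick way to check whether the "separate admin and user accounts" advice is actually being followed is to list who holds the Global Administrator role and whether those accounts also carry licences, since a licensed global admin is usually somebody's everyday mailbox. The following is an added example using the Microsoft Graph PowerShell SDK, not code from the article; it assumes the Microsoft.Graph module is installed and that the caller can read directory roles and users. The "looks dedicated" column is a heuristic, not a Microsoft attribute.

```powershell
# Added example, not code from the original article. Lists every member of the
# Global Administrator role and flags the ones that also carry licences, which
# usually means the account doubles as someone's everyday mailbox rather than a
# dedicated admin identity. Assumes the Microsoft.Graph module is installed and
# the caller can read directory roles and users.
Import-Module Microsoft.Graph.Identity.DirectoryManagement
Import-Module Microsoft.Graph.Users
Connect-MgGraph -Scopes "RoleManagement.Read.Directory", "User.Read.All"

# Get-MgDirectoryRole only returns roles that have been activated in the tenant;
# Global Administrator always has been.
$role    = Get-MgDirectoryRole -Filter "displayName eq 'Global Administrator'"
$members = Get-MgDirectoryRoleMember -DirectoryRoleId $role.Id -All

$report = foreach ($member in $members) {
    # Role members can also be groups or service principals; only inspect users.
    if ($member.AdditionalProperties['@odata.type'] -ne '#microsoft.graph.user') { continue }

    $user = Get-MgUser -UserId $member.Id `
        -Property Id, UserPrincipalName, AccountEnabled, AssignedLicenses

    [pscustomobject]@{
        UserPrincipalName = $user.UserPrincipalName
        Enabled           = $user.AccountEnabled
        Licensed          = (@($user.AssignedLicenses).Count -gt 0)
        # Heuristic (assumption): an unlicensed admin account is probably dedicated
        # to administration; a licensed one is probably also used for daily work.
        LooksDedicated    = (@($user.AssignedLicenses).Count -eq 0)
    }
}

$report | Sort-Object LooksDedicated | Format-Table -AutoSize
"Global Administrators: {0}" -f @($report).Count
```

Any account that shows up as licensed is a candidate for splitting into a regular user account plus a separate, unlicensed admin account, as the section above recommends.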
7. Train your users.
The numbers do not lie. Humans are, indeed, the weakest link when it comes to security. You can have the best anti-virus and other technologies working for you, but a careless employee might just be your Achilles’ heel. With this in mind, companies should train users on security best practices, including using strong passwords. It would help to raise their awareness of social engineering and malware, and to tell them what to do if they suspect they have been the victim of an attack. Teach them how to use software that can help them be more secure.
8. Say no to calendar sharing.
It is quite tempting to just share your calendar publicly, but don’t do it. Imagine hackers having access to everyone’s schedules. They can send a phishing e-mail to somebody who is busy, know who reports to whom, and even know when an employee is out of the office. It sets your company up for social engineering, where a hacker could pretend to be a colleague asking you to send some files to a different or non-company address because that employee is out of the office.
Or worse, hackers could see that an administrator is away on vacation. This would signal the perfect time to attack the company.
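Publicly shared calendars can be found and switched off from Exchange Online PowerShell. This is an added example, not code from the article; it assumes the ExchangeOnlineManagement module is installed, that the signed-in account is an Exchange administrator, and that mailboxes use the English folder name `\Calendar`. The partner domain in the last step is a placeholder.

```powershell
# Added example, not code from the original article. Audits and restricts calendar
# sharing with Exchange Online PowerShell. Assumes the ExchangeOnlineManagement
# module is installed, the signed-in account is an Exchange administrator, and the
# calendar folder is named "\Calendar" (English-language mailboxes).
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline

# 1. Which mailboxes have published their calendar to a public (anonymous) URL?
$published = Get-Mailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox |
    ForEach-Object { Get-MailboxCalendarFolder -Identity "$($_.PrimarySmtpAddress):\Calendar" } |
    Where-Object { $_.PublishEnabled }

$published | Format-Table Identity, DetailLevel, PublishedCalendarUrl -AutoSize

# 2. Turn off publication for just those mailboxes (this invalidates the public links).
foreach ($folder in $published) {
    Set-MailboxCalendarFolder -Identity $folder.Identity -PublishEnabled $false
}

# 3. Check the tenant-wide sharing policy. A domain entry starting with
#    "Anonymous:" allows public calendar sharing; "*:" allows it with any external domain.
Get-SharingPolicy | Format-List Name, Enabled, Default, Domains

# 4. Keep free/busy sharing with one named partner domain only; -Domains replaces
#    the whole list, so the anonymous and wildcard entries are dropped.
#    "partner.example.com" is a placeholder.
Set-SharingPolicy -Identity "Default Sharing Policy" `
    -Domains "partner.example.com:CalendarSharingFreeBusySimple"

Get-SharingPolicy -Identity "Default Sharing Policy" | Format-List Domains
```

Step 1 is worth running on its own first: it tells you how many calendars are already exposed before you change anything, which is also the number you report if the exposure has to be treated as an incident.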
9. Use role-based access controls.
You should categorize users and allow them access to files and data they need to do their work. There is no reason for a front-office clerk to see high-level business data and confidential files. The good news? Office 365 has role-based access controls that allow you to do just that.
* * *
Office 365 is probably the easiest way for you and your employees to work with a variety of documents, spreadsheets, and presentations either individually or as a group. Knowing these security best practices and learning how to implement them are the critical first steps in making sure that you are secure on the platform.
Microsoft has made it easier for everyone to protect their Office 365 files. With these in place and a bit of training for your people, you may never have to worry about a data breach in the immediate future.