December 1, 2022
min read
Man working on a laptop

Hackers love Microsoft 365 for the same reason that users do: It’s a centralized hub for valuable business data, user credentials, and applications.

Fortunately, Microsoft is no slouch when it comes to security. Across its three options for Business plans (Basic, Standard, and Premium), users can leverage a robust set of built-in features to help control information flow. 

Premium users enjoy even more protection through Defender for Business and Microsoft Intune, and while these advanced security controls are great for some businesses, others will get by fine with the built-in features inherent to the 365 suite.

These tips will help you get the most out of 365’s capabilities and show you how to improve your security posture.

1. Set Up Multi-Factor Authentication (MFA)

Establishing an MFA policy is an easy first step. MFA is enabled as a standard setting in 365’s security defaults but users can verify that it’s turned on by checking the Microsoft 365 admin center. Here, users can check settings and determine whether more advanced security controls are needed.

Those with certain 365 plans can go even further and set up stronger Conditional Access policies that provide more granular control and a stronger security posture. Although helpful for businesses with strict security requirements, most businesses will be adequately protected by security defaults. 

2. Review Preset Security Policies

Security policies are added to either your security defaults or Conditional Access framework, building on top of the foundation to establish specific policies for anti-malware, anti-phishing, and anti-spam protection. There are three levels of protection offered:

  • Standard protection as a suitable baseline for most users
  • Strict protection for businesses with additional security requirements
  • Built-in protection for email, enabled by default and applied to all active users

While the policies themselves can’t be changed, users can define certain exceptions and specify different users, groups, or domains to receive preset policies.

3. Safeguard Administrator Accounts

Hackers benefit from stealing credentials with elevated privileges, making your administrator accounts prime targets. 

Restrict access as much as possible by adhering to principles of least privilege. Users should have separate accounts for daily 365 functions and administrative work and set admin roles to restrict access further (aka role-based access control) as part of youraccess management strategy.

It’s recommended to establish between two to four global admins, with all additional admin accounts assigned their least permissive roles. By doing so, users retain control of operations while limiting the risk posed by a breach of any individual account.

4. Protect Devices

The boom in remote and hybrid work means a broad adoption of bring-your-own-device (BYOD) and a greater cultural understanding of the need for endpoint security.

Users with 365 Business Premium or Defender for Business can follow thisMicrosoft's step-by-step process to set up managed devices and gain the ability to remotely configure settings, push updates, enforce policies, and more. 

Those with 365 Basic or Standard will need to take additional measures to protect unsecured devices that fall outside the 365 protection suite:

  • Establish basic security through Windows
  • Set up MFA on all devices
  • Supplement with device encryption
  • Run Windows Defender Firewall

5. Make Email Training a Priority

Email remains one of the most common vectors for attack, largely because emails are touched by every user in the company. Email security is a question of employee training, good judgment, and security best practices. 

Make sure everyone understands the differences between phishing, spam, malware, and spoofing. This training should be integrated into onboarding and updated regularly based on emerging trends in the threat landscape.

As an aside, you can do your customers a favor by making your own emails look more legitimate. Help them trust communication by using a digital signature—a unique digital ID that tells recipients that the content of your email hasn’t been changed in transit.

6. Leverage Microsoft Teams & 365 Apps

All users interested in data security should start using Microsoft Teams for collaboration and work. It’s a simple environment that securely stores all messages, data, and work files, giving all teams a centralized place to be productive. 

While Teams is included in all Business plans, those with stricter security needs can upgrade to Premium and unlock even more security features – such as 365 Apps, Defender for Business, and Microsoft Intune, which allows complete management of all BYOD and mobile work devices.

7. Update OneDrive and SharePoint Settings

In accordance withzero trust principles, some businesses might find that the default settings for SharePoint and OneDrive aren’t restrictive enough. 

The standard is set to the most permissible, so business users will want to log in to the SharePoint admin center and update sharing settings.

You can also update your alert policies to set up various security and compliance notifications across your organization. This dashboard includes breakdowns of activity:

  • Suspicious/flagged activities
  • Threat severity
  • Affected area
  • and more

For complete visibility into your SharePoint and OneDrive ecosystems, there’s nothing better.

8. Block Auto-Forwarding

Auto-forwarding rules allow hackers to extract email and automatically forward that data to their external mailboxes. Given that auto-forwarding isn’t a standard practice, it’s a good feature to eliminate.

Open your Microsoft Exchange admin center and create a new rule to block auto-forwarding. You can set up custom exceptions as well to accommodate your own business’s practices, ensuring that you won’t miss anything important.

9. Protect Calendars

Calendar sharing is a great feature for collaboration, but it’s worth reviewing your company’s calendar settings to—again—ensure that you aren’t accidentally sharing more details with others than you expect. 

In the Microsoft 365 admin center, you can adjust your calendar-sharing options and set specific rules. It’s good practice to clear the external sharing option to ensure you aren’t accidentally sharing calendar details with those outside your organization.

10. Develop a Maintenance Strategy

Data security in 365 isn’t a one-and-done thing. As your organization changes, you’ll need to continually update these processes and ensure that you don’t leave any holes in your infrastructure. 

Every time you integrate a new application, or process, or bring on a new employee, you should have a standardized process in place to maintain security. 

Set workflows for adding/removing users, managing old passwords, and wiping device data. Again, it helps to restrict user access to the least permissive roles, thereby minimizing the risk of compromised user accounts.

Ensure Continuous 365 Security and Compliance

These strategies are just a few ways to harden your 365 implementations and shore up common vulnerabilities, but it’s by no means an exhaustive list of security measures. 

Companies with strict requirements for compliance, data management, and security will need to go beyond the basics and implement customized security plans that create a comprehensive security posture.

To learn more about how CoreView can help with your Microsoft 365 data security, request a demo or contact us today!

Get a personalized demo today

Created by M365 experts, for M365 experts.