Many people wonder whether they can trust Microsoft with their proprietary data, and the short answer is yes. For the most part, you can trust Microsoft with your data, as it’s unlikely this huge multinational corporation will run into a cybersecurity attack large enough to risk losing your data.
That being said, and as we’ve discussed on our blog in the past, it’s very possible that a data leak takes place on your end within Teams, in which case the amount of support Microsoft will offer you is limited. This is because it’s ultimately your responsibility to protect your sensitive information against data security breaches targeting your organisation. Failing to do so can result in hefty fines under GDPR.
While we already touched on cybersecurity in our article on Teams vs. Slack, the topic is important enough to warrant its own dedicated article. Today, we’ll take a look at three potential sources of cybersecurity threats within Microsoft Teams and ways to counteract them.
Potential Microsoft Teams security issues
1. Guest access
We all have to work with people outside our organisation from time to time, and especially when working remotely, it’s important to be able to collaborate with these people using Teams.
However, unless you change the standard settings, guest users from outside your organisation can easily gain access to sensitive information and download content from your organisation’s Teams channels, chats, shared files and meetings. They could also be able to upload files containing malware to your Teams, whether this is done purposefully or by accident.
Sensitive data could also be compromised via screen sharing while in meetings with people outside your organisation, especially if the person within your organisation sharing their screen has pop-up notifications enabled for email or similar apps.
Of course, we all want to believe the freelancers, contractors and other people we work with would never do anything put our organisation at risk. However, when it comes to certain types of sensitive information, even the possibility of someone outside your organisation gaining access to it could be breaking the law. Not only that, if their devices are not properly protected, this could create a crack in your carefully crafted wall of cybersecurity, allowing malware to worm its way into your Teams chats and files.
2. Unmanaged devices
As we’ve talked about on this blog in the past, unauthorised devices can pose some serious cybersecurity risks to your organisation. Especially for team members working from home, dialling into a meeting on their personal phone, tablet or computer is easy and tempting, but these devices don’t usually benefit from the same amount of IT security as the devices your organisation owns and manages.
Additionally, like with guest users, unmanaged devices could be used to upload malware onto your Teams platform, even if the user accessing Teams with an unauthorised device doesn’t mean to do so. This is because hackers can easily use what on the surface level looks like an innocent and normal file or URL to sneak malware into your systems.
3. Third-party apps
Third-party app integrations can be helpful for streamlining your Teams experience by adding things like custom tabs, bots and connectors to your toolkit.
However, apps like this usually require access to your data which always opens you up to more risk, especially if these apps don’t have an adequate level of cybersecurity built in. Whether it’s due to misconfiguration, oversharing or misuse, third-party apps for Teams can lead to data breaches due to user error even when you’re dealing with well-known third-party integrations for Teams.
How to improve Teams cybersecurity
1. Manage permissions
Managing who has access to what will go a long way in protecting sensitive data stored within your Office 365 apps, including Teams.
For people within your organisation, think carefully about how much access each user or employee level needs – chances are that not everyone needs the ability to invite guest users or form teams or channels. You can also limit who has access to cloud storage and file sharing.
As there is no vetting process for guest users within Teams and just an email address is needed for them to sign up, it also makes sense to limit who can invite guest users to Teams and what these guests can access.
For collaborators outside your organisation, you can disable the ability to upload or download files where this makes sense. You can also render them unable to start new channels or groups within your Teams platform, make peer-to-peer calls or share their screen during meetings.
You could also limit the third-party apps Teams users within your organisation can download within the “Manage Apps” page in the Teams admin centre. Here, you can also define which users can download and use specific third-party apps.
In order to protect your organisation against the risks of access from unauthorised devices, you could limit the permissions for devices like this, disabling the ability to download files to them. Enforcing multi-factor authentication can also help mitigate risks, and you can deny anonymous users the ability to join meetings.
2. Educate your team
A good level of cybersecurity awareness goes hand in hand with managing permissions to protect your organisation against human error. Consider investing in IT security awareness training that includes information on phishing scams, malicious URLs and attachments and third-party app permissions. Making sure your team members can handle things like muting and removing participants from meetings and using Teams’ lobby system can also be hugely helpful.
3. Invest in data backup
Data backup provides the last wall of defence against data loss, but this doesn’t make it any less important. In fact, we’d say every organisation using Office 365 should invest in a good backup solution for their proprietary data.
An Office 365 data backup solution paired with something like Microsoft’s Advanced Threat Protection (ATP) will provide your Teams with a high level of cybersecurity, especially if you keep the user best practices mentioned in this article in mind.