Over the past two decades, companies have invested billions (probably even trillions) in converting analogue content into digital information. At the same time, we are producing data at a rate unimaginable just a generation ago. Today, we generate and save vast amounts of critical information in the cloud, primarily in Microsoft 365.
Data breaches and ransomware attacks regularly make headlines. So how can you be sure that corporate data, whether located in the cloud with Microsoft 365 or on-premises, is protected?
Is the Microsoft 365 platform not secure enough?
Microsoft 365 has native security features providing a certain level of protection, such as encryption. The platform’s native security does not allow unified control of data on-premises and in the cloud, resulting in duplication of processes, applications, alerts and reports in hybrid environments. Quickly knowing which OneDrive folders, SharePoint sites, and Exchange mailboxes a user or group has access to can be complex. It is even more difficult to locate data at risk, identify sensitive folders and objects shared externally, and revoke permissions that are no longer required.
Cloud-centric security is not enough.
To strengthen security, organisations should conduct regular data risk assessments and demand more comprehensive security features from SaaS / IaaS software vendors. Any remaining gaps should be filled with third-party security solutions. Cloud-dedicated security solutions attempt to answer some of these questions and address some of the associated security issues.
For example, Cloud Access Security Broker (CASBs) prevent unauthorised use of cloud services (hidden computing or shadow IT), block access to untrusted cloud applications, and prevent unauthorised external data sharing. They generally act as a direct and reverse proxy between users and cloud services.
Where to begin?
Organisations that decide to take it up a notch and automate file retention and disposal policies (with automatic archiving and deleting data they no longer need) can better protect against insider threats.
Analysts and security professionals agree that maximum visibility and protection in Microsoft 365 comes from optimising native Microsoft functions through integrated security products, especially in hybrid environments.
Here are eight tips to better protect your business:
1. Prepare for a hybrid future
While businesses continue to take a “cloud-first” approach, mission-critical applications will remain hosted on-premises for some time to come. The transition is a slow process, not a sprint. Therefore, the security strategy must make it possible to know who has access to the data, on-premises, and via the cloud. It must provide visibility to ensure that only authorised people can access information, monitor its use, and be alerted to misuse.
2. Locate hidden sensitive data
If the business relies on Microsoft 365, it’s essential to know where sensitive data resides. A company must label them for protection, comply with regulations and strengthen their defence in the event of a data breach. The built-in Microsoft classification not only requires manual rule-making and markup operations, which can be exceptionally tedious in large environments but does not cover on-premise data stores. Corporate security must provide contextual information about sensitive data so that it can regain control of that data.
3. Strengthen security
Microsoft provides basic (static) threat modelling. Still, native tools do not offer in-depth contextual insight into user behaviour across different products and cannot detect suspicious behaviour of on-premises accounts. These tools, however, are no substitute for dynamic behaviour-based threat detection. If a corporate security team is overwhelmed by false positives, it is critical to strengthen security with an advanced enterprise-wide User and Entity Behavior Analysis (UEBA) solution.
4. Raise employee awareness of the risks posed by a security breach
Approximately 80% of company data breaches occur because of weak passwords.
One of the primary Microsoft 365 security issues is password carelessness. Research shows that nearly three-quarters of employees regularly reuse familiar passwords. Most have passwords any hacker with basic code-cracking software could hack in under five minutes. It’s easy to understand why workers do this as it enables them to remember multiple passwords easily, but doing so is a massive security breach for company data.
A strong password alone is not enough to ensure complete safety. Your employee’s password to Microsoft 365 might get stolen during phishing cyberattacks. To guarantee the security of your data, get a backup for Microsoft 365.
6. Adopt owner-oriented data access governance
Involving data owners in authorisation verification is essential for the sustainable implementation of the least privilege model. Unfortunately, Microsoft does not make it easy to identify data owners in the Office 365 suite or involve them in critical access governance workflows, such as checking access rights. Automating access and authorisation verification workflows saves you valuable time, relieves IT technicians, and helps make better access control decisions.
7. Restrict sharing permissions
Via SharePoint in particular, employees are encouraged to share links to corporate documents. However, these links could also be shared with outsiders who could use the information to their advantage.
To avoid a security breach, you can restrict or forbid external linking to some or all documents. To do this, head to Admin > Service Settings > sites and Document Sharing. Choose to Turn off external sharing.
8. Provide security training for employees
One of the leading Microsoft Office 365 security issues is not cyberattacks – it’s human error. Human mistakes are among the biggest cyber threats, and this is what makes these mistakes so dangerous.
Security training for employees acts in the same way as preventive medicine for animals, saving thousands in vet bills. Organisations often don’t care about potential dangers until they become urgent issues with massive losses.
At the same time, human error is on the top of cybersecurity concerns. People’s carelessness and ignorance in security matters cause notorious losses for businesses.
Here are just a few human mistakes classed as security breaches that could harm your organisation:
- Sharing confidential company data with a third-party
- Accidentally clicking on malware
- Accidentally deleting crucial data
- Being easily deceived by social engineering tactics.
Organise a security audit
The ubiquity of Microsoft 365, and the vast amounts of unstructured data that resides within it, pose data security challenges but are not insurmountable. It’s time to take back control of your data in your working environments with a security audit that includes high-quality security awareness training for all employees. Why not drop us a message and find out how we can help to keep your data secure on Microsoft 365.