Microsoft Office 365 Security Health Check

A New Way of Working

In this current uncertain global climate workers are needing to work remotely.  The uptake of collaboration tools has exponentially grown.  Cloud Services usage and in particular Microsoft Office 365 has exploded in the current climate.  Microsoft Teams usage has at last check grown by 12 million users, up 33% from before the COVID-19 crisis.

https://www.businessinsider.com/microsoft-teams-coronavirus-daily-active-users-2020-3?r=US&IR=T

The traditional office way of working like “water-cooler” moments, and a quick chat over the desk partition has given way to video conferencing and online chat.  True digital collaboration has become even more focused now than it ever was.

In the rush to roll-out these toolsets, organisations may forget to implement some of the fundamental basics that should underpin all its infrastructure.  Opting for productivity over paperwork, perhaps meaning to come back to it later.  There are still bad actors out there waiting to pounce if you don’t have your “ducks in a row” as we like to say.

User Devices

Organisations are having to rely more and more on user owned devices to get their workers up and running – affectionately known as BYOD – Bring Your Own Device. Organisations simply can’t roll out enough corporate devices quick enough.  This could be phones, tablets and even PCs.

The security landscape for organisation is dramatically changing because of this.  Often user-owned devices are not as secure and locked down as corporate devices.  The possibility of corporate data loss from infected or non-locked down systems because of user behaviour or even worse – Ransomware infections is a very real possibility.

Did you know that in a lot of cases Office 365 can roll your data point back to before the ransomware attack?

Solutions exist in the form of products collectively down as MDM – Mobile Device Management and MAM – Mobile Application management.

MDM manages the whole device from top to bottom with configuration policies affecting all running processes on the device/workstation and perhaps forcing device encryption and minimum password length & complexity plus restrictions on what can be installed. Whereas MAM targets just the corporate applications and data on the device, but leaving the users free to install Candy Crush.  MAM can be configured to restrict copy & pasted data across apps. E.g. A user cannot copy text form a Word document to their personal email client.

Delivering these new services rapidly without a comprehensive understanding of Microsoft Office 365, Microsoft Teams, SharePoint, Exchange Online, Exchange Online Protection and Azure can be daunting for small organisations without a dedicated IT team of specialists.

Security Considerations

Security posture will vary from business to business.  Of course, not all business need banking, government and military type IT system lockdowns – but there is a scale of which your business will land somewhere.  At the very least you have responsibilities to meet your GDPR obligations or even perhaps data retention requirements for legal compliance.

Identity

• Are your Global Administrators accounts restricted and using two forms of authentication to perform privileged tasks?
• Are Administrators logging on as a matter of course and using elevated credentials all the time?
• Have you implemented minimum password length and complexity, perhaps with MFA to ensure user accounts are safe?
• How often should passwords expire?
• Can users reset their own passwords without flooding you with support calls?

Data Leakage Prevention (DLP)

• Can end-users copy corporate data from your environment into their personal folders and share with anybody?
• Can your users share corporate documents directly with external people, and can you remove that access when you need to?

Email

• Can someone spoof an email from your CEO to your Finance Director asking for money?
• Are your end-users educated about Phishing scams?  Are you doing your very best to limit those phishing emails from getting through?
• Are your work emails getting to the recipients Inbox or going their spam folders? There are standard checks the receiving systems make these days to give a relative score for mail.  Breach a score of 7 and your recipients are unlikely to ever see your mails.  This can be mitigated against by the correct implementation of SPF, DMARC and DKIM
• Can old applications or devices with potential security flaws connect to your tenant and send emails you do not want?

Devices

• Do your devices meet the minimum requirements?  Are they on the latest OS, fully patched, running a firewall and have antivirus software running?

Trusted Devices

• Have you considered locking down devices to only connect from trusted locations and networks or are you OK with your end-users connecting in across an open Wi-Fi from the coffee shop?
• Should devices meet a minimum level of configuration?  Would you still be OK with Windows XP devices connecting in with no firewall or antivirus software installed?
• Have you considered the use of secure VPNs?

Office 365 Security Score

• Microsoft provide a measurement too to analyse your current security posture.  How does yours measure up?  Do you understand the report, recommendations and configuration changes need?

Our offering

We want to provide a low-cost solution to help you with this, so what we’re offering is a one-day free review of your Office 365 tenant to produce the following:

• A simple traffic light report, produced by one of our Office 365 Consultants, looking into your configuration to highlight if there are any areas of concern and to give you an increase comfort level that you have a good security posture
  • Identity
  • Admins configuration
  • Sharing policies – SharePoint, OneDrive and Teams
  • Email configuration
  • Microsoft Teams configuration
• If we identify any critical, urgent or high-risk issues we will guide you, or implement for you, the changes required, and help you understand the impact to you can communicate these changes to your users
• A recommendations list of best practice items to consider

Licensing and Adoption

Whilst not included in a security review, you might want to consider reviewing your licensing options.  Do you have the best license type for your users, could you pay less?  Are your users really getting the best out of Office 365 and adopting all the cool features they have access to?  Are you using 3^rd party products that are already included as part of your Office 365 subscription, or might be cheaper if migrated to Office 365.

What we ask for in return

• If you have specific areas of advanced security that drill deeper than the above, we can put together a simple proposal to deliver these for you.  Some of these items take time and a collaborative effort between us and you to hit the right mark balancing security with usability
• Ultimately, we want to help your business on its Cloud journey.  We would ask that as part of this relationship with you, that you will consider us for any future IT Cloud requirements you may be considering.  Expansion to Azure, devices, merges and acquisitions and such like.
• So that we can be “seen” by Microsoft to be helping you, we will ask for 1 year CPoR association. More details on CPoR here: https://www.microsoft.com/microsoft-365/partners/CPOR-partner-incentives It will give us access to help you in the event of problems you have, or an emergency situation
• You will need to sign our T&Cs – this is normal for any IT organisation’s help and guidance.  We are used to signing Mutual Confidentiality Agreements.  We have our own, but happy to work with yours upon review

Contact Us

Interested?  If you feel your Office 365 should undergo a health check, then email us at Office365HealthCheck@neroblanco.co.uk  or call us on +44 20 3880 2299