A New Way Of Working
Microsoft Office 365 Security Health Check
In the current uncertain global climate, workers need to work remotely. The uptake of collaboration tools has grown exponentially, and cloud services usage, Microsoft Office 365 in particular, has exploded. Microsoft Teams usage had at last check grown by 12 million users, up 33% from before the COVID-19 crisis.*
The traditional office ways of working, such as “water-cooler” moments and a quick chat over the desk partition, have given way to video conferencing and online chat. True digital collaboration is now more in focus than it has ever been.
Organisations are having to rely more on user-owned devices to get their workers up and running, an approach affectionately known as BYOD (Bring Your Own Device), because they simply cannot roll out corporate devices quickly enough. These devices could be phones, tablets and even PCs.
The security landscape for organisations is changing dramatically because of this. User-owned devices are often not as locked down as corporate devices. Corporate data loss from infected or unhardened systems due to user behaviour, or even worse a ransomware infection, is a very real possibility. Solutions exist in the form of products collectively known as MDM (Mobile Device Management) and MAM (Mobile Application Management).
MDM manages the whole device from top to bottom: configuration policies apply to every process running on the device or workstation, and can enforce device encryption, a minimum password length and complexity, and restrictions on what can be installed. MAM targets just the corporate applications and data on the device, leaving users free to install Candy Crush. MAM can be configured to restrict copying and pasting of data between apps, e.g. a user cannot copy text from a Word document into their personal email client.
Delivering these new services rapidly without a comprehensive understanding of Microsoft Office 365, Microsoft Teams, SharePoint, Exchange Online, Exchange Online Protection and Azure can be daunting for small organisations without a dedicated IT team of specialists.
Security posture will vary from business to business. Of course not all businesses need banking, government or military levels of IT system lockdown, but there is a scale, and your business will land somewhere on it. At the very least you have responsibilities to meet your GDPR obligations, and perhaps data retention requirements for legal compliance.
- Are your Global Administrator accounts restricted, and do they use two forms of authentication to perform privileged tasks?
- Are admins logging on as a matter of course and using elevated credentials all the time?
- Have you implemented minimum password length and complexity, perhaps with MFA to ensure user accounts are safe?
- How often should passwords expire?
- Can they reset their own passwords without flooding you with support calls?
Data leakage prevention
- Can end-users copy corporate data from your environment into their personal folders and share with anybody?
- Can your users share corporate documents directly with external people, and can you remove that access when you want?
- Can someone spoof an email from your CEO to your finance director asking for money?
- Are your end-users educated about phishing scams? Are you doing your very best to limit the phishing emails that get through?
- Are your work emails reaching the recipients' Inbox, or going to their spam folders? Receiving systems now make standard checks to give mail a relative score. Breach level 7 and your recipients are unlikely ever to see your mails. This can be mitigated by the correct implementation of SPF, DMARC and DKIM.
- Can old applications or devices with potential security flaws connect to your tenant and send emails you do not want?
- Do your devices meet the minimum requirements? Are they on the latest OS, fully patched, running a firewall and running antivirus software?
- Have you considered locking down devices to connect only from trusted locations and networks, or are you OK with your end-users connecting across open Wi-Fi from a coffee shop?
- Should devices meet a minimum level of configuration? Would you still be OK with Windows XP devices connecting in with no firewall or antivirus software installed?
- Have you considered the use of secure VPNs?
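The SPF and DMARC point above is one a review can check mechanically. The following Python script is an added example, not code from the original article or from the consultancy: it parses a domain's published SPF and DMARC TXT records and flags the settings that leave spoofed mail deliverable (a missing or permissive `all` mechanism, more than the 10 DNS-lookup terms RFC 7208 permits, a `p=none` monitoring-only policy, a partial `pct`, no aggregate-report address). The `example.com` records are constructed sample answers embedded inline rather than live DNS lookups; a real check would fetch the TXT records with a resolver library first. DKIM is not covered because validating it needs the selector name in use.

```python
"""Assess published SPF and DMARC TXT records for weak settings.

Added example, not part of the original article. The DNS answers below
are constructed sample records for example.com rather than real lookups.
"""
import re

# Constructed sample TXT records, as a DNS query might return them.
SAMPLE_RECORDS = {
    "example.com": "v=spf1 ip4:192.0.2.0/24 include:spf.protection.outlook.com ~all",
    "_dmarc.example.com": "v=DMARC1; p=none; rua=mailto:dmarc@example.com",
}

# SPF terms that trigger a DNS lookup; RFC 7208 caps these at 10 per evaluation.
LOOKUP_TERMS = ("include", "a", "mx", "ptr", "exists", "redirect")


def assess_spf(record: str) -> dict:
    """Parse an SPF record and report how strictly unlisted senders are treated."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return {"valid": False, "findings": ["record does not start with v=spf1"]}

    findings = []
    lookups = 0
    all_qualifier = None
    for term in terms[1:]:
        qualifier, body = "+", term          # default qualifier is pass
        if term[0] in "+-~?":
            qualifier, body = term[0], term[1:]
        # Mechanism name precedes any ':' (argument), '/' (CIDR) or '=' (modifier).
        name = re.split(r"[:/=]", body, maxsplit=1)[0].lower()
        if name in LOOKUP_TERMS:
            lookups += 1
        if name == "all":
            all_qualifier = qualifier

    if lookups > 10:
        findings.append(f"{lookups} DNS-lookup terms; RFC 7208 allows at most 10 (permerror)")
    if all_qualifier is None:
        findings.append("no 'all' mechanism: unlisted senders are treated as neutral")
    elif all_qualifier == "+":
        findings.append("'+all' authorises every sender; the record provides no protection")
    elif all_qualifier == "?":
        findings.append("'?all' is neutral; receivers cannot fail unauthorised senders")
    elif all_qualifier == "~":
        findings.append("'~all' softfail: spoofed mail is marked, not rejected")

    return {"valid": True, "all": all_qualifier, "lookups": lookups, "findings": findings}


def assess_dmarc(record: str) -> dict:
    """Parse a DMARC record into its tags and flag a monitoring-only or partial policy."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1":
        return {"valid": False, "findings": ["record does not declare v=DMARC1"]}

    findings = []
    policy = tags.get("p", "").lower()
    pct = int(tags.get("pct", "100"))  # pct defaults to 100 when absent
    if policy not in ("none", "quarantine", "reject"):
        findings.append("missing or unknown 'p=' policy tag")
    elif policy == "none":
        findings.append("p=none only monitors; spoofed mail is still delivered")
    if pct < 100:
        findings.append(f"pct={pct}: policy applied to only {pct}% of failing mail")
    if "rua" not in tags:
        findings.append("no 'rua' address: aggregate reports will not be received")

    return {"valid": True, "policy": policy, "pct": pct, "findings": findings}


def assess_domain(domain: str, records: dict = SAMPLE_RECORDS) -> dict:
    """Run both checks for a domain using the supplied TXT answers."""
    spf = records.get(domain)
    dmarc = records.get(f"_dmarc.{domain}")
    return {
        "spf": assess_spf(spf) if spf else {"valid": False, "findings": ["no SPF record"]},
        "dmarc": assess_dmarc(dmarc) if dmarc else {"valid": False, "findings": ["no DMARC record"]},
    }


if __name__ == "__main__":
    for section, result in assess_domain("example.com").items():
        print(section.upper(), "OK" if not result["findings"] else "")
        for finding in result["findings"]:
            print("  -", finding)
```

Run against the sample records, the script reports the SPF softfail and the `p=none` policy, which is the usual "monitoring only" starting state: mail that fails authentication is still delivered, so the spoofed-CEO scenario above remains possible until the policy is moved to `quarantine` or `reject` and the SPF record ends in `-all`.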
Office 365 security score
- Microsoft provides a measurement tool to analyse your current security posture. How does yours measure up? Do you understand the report, the recommendations and the configuration changes needed?
We want to provide a low-cost solution to help you with this, so we are offering a One Day Free Review of your Office 365 tenant to produce the following:
- A simple traffic light report, produced by one of our Office 365 Consultants, looking into your configuration to highlight any areas of concern and to give you an increased comfort level that you have a good security posture, covering:
  - Admin configuration
  - Sharing policies – SharePoint, OneDrive and Teams
  - Email configuration
  - Microsoft Teams configuration
- If we identify any critical, urgent or high-risk issues, we will guide you through, or implement for you, the changes required, and help you understand the impact so you can communicate these changes to your users
- A list of recommended best practice items to consider
Licensing and Adoption
Whilst not included in a security review, you might want to consider reviewing your licensing options.
Do you have the best license type for your users, and could you pay less?
Are your users really getting the best out of Office 365 and adopting all the cool features they have access to?
Are you using 3rd party products that are already included as part of your Office 365 subscription, or might be cheaper if migrated to Office 365?
What we ask for in return
If you have specific areas of advanced security that drill deeper than the above we can put together a simple proposal to deliver these for you. Some of these items take time and a collaborative effort between us and you to hit the right mark balancing security with usability.
Ultimately we want to help your business on its Cloud journey. We would ask that, as part of this relationship with you, you consider us for any future IT Cloud requirements you may have: expansion to Azure, devices, mergers and acquisitions and the like.
So we can be “seen” by Microsoft to be helping you, we will ask for a 1 year CPOR association. More details on that are here: https://www.microsoft.com/microsoft-365/partners/CPOR-partner-incentives. It will give us access to help you in the event of problems, or in an emergency situation.
You will need to sign our T&Cs; this is normal for any IT organisation’s help and guidance. We are used to signing Mutual Confidentiality Agreements; we have our own, but are happy to work with yours upon review.
My colleague Twan had an interesting case recently. A user logged into their Outlook and saw an additional mailbox for a colleague that they had never been granted access to, and should not have had access to. ...