Office 365 Security Best Practices
Office 365 has quickly become the most popular cloud productivity suite because it enables access to corporate data from any device, anywhere, improving IT flexibility and employee productivity. But those gains come with security and compliance challenges.
With an increase in the number and complexity of security compromises, it is crucial for companies using Office 365 to take action to prevent damage from these incidents. It's important to know that even though Office 365 has numerous security settings and configurations, many at no cost, they are not configured out-of-the-box.
Enable Microsoft Secure Score
The overall cyber threat landscape has evolved from traditional opportunistic threats to persistent and determined adversaries. Microsoft Secure Score helps increase your organization’s security by encouraging you to use the built-in security features in Office 365 (many of which you already purchased but might not be aware of).
Secure Score analyzes your Office 365 security based on your regular activities and security settings and assigns a score. Begin by taking note of your current score. The goal is not to achieve the max score, but to be aware of opportunities to protect your environment that do not negatively affect productivity for your users.
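Taking note of the current score does not have to be a portal-only exercise. The following is an added example (not code from the original post or from iV4) that reads the latest Secure Score snapshot through the Microsoft Graph PowerShell SDK and lists the controls that currently earn no points, which are the untouched opportunities the paragraph refers to. It assumes the Microsoft.Graph module is installed and that the signed-in account can consent to the SecurityEvents.Read.All scope.

```powershell
# Added example, not part of the original post.
# Assumes: Microsoft.Graph module installed; account can consent to SecurityEvents.Read.All.
Connect-MgGraph -Scopes "SecurityEvents.Read.All"

# Score records are returned newest first, so -Top 1 keeps only the latest snapshot
$score = Get-MgSecuritySecureScore -Top 1

"Current Secure Score: {0} of {1} ({2:P0})" -f `
    $score.CurrentScore, $score.MaxScore, ($score.CurrentScore / $score.MaxScore)

# Controls with a score of zero are features available in the tenant but not yet configured.
# Review them for impact on users before acting; the goal is coverage, not the maximum score.
$score.ControlScores |
    Where-Object { $_.Score -eq 0 } |
    Sort-Object ControlCategory, ControlName |
    Select-Object ControlCategory, ControlName, Description |
    Format-Table -AutoSize -Wrap
```

Re-running this after each change gives a simple record of progress over time, and the zero-score list is a useful input for the five items that follow.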
Getting Started with Office 365 Security
5 Ways to Secure Office 365
As a top Microsoft Partner, iV4 has identified Office 365 security best practices that you can put in motion immediately to help protect and secure your environment.
1. Enable Multi-Factor Authentication for Global Admins
Security breaches of an Office 365 tenant, including information harvesting and phishing attacks, typically begin with the compromise of an Office 365 global admin account's credentials.
Enabling multi-factor authentication (MFA) for global admins makes it much more difficult for an attacker to use stolen admin credentials, because the user must verify their identity in at least two ways, such as a text message, a phone call, or a notification in a mobile app.
2. Enable Multi-Factor Authentication for All Users
When it comes to protecting your accounts, two-step verification should be standard across your organization. Compromising multiple authentication factors presents a significant challenge for attackers. Even if an attacker manages to learn the user's password, it is useless without also having possession of the trusted device.
- You get a free version of Azure multi-factor authentication as part of your Office 365 for business subscription. For a list of features included in your version of Office 365, see How to get Azure Multi-Factor Authentication.
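Before enforcing MFA it helps to know who has actually registered a second factor. The script below is an added example (not code from the original post, iV4, or Microsoft) that serves both step 1 and step 2: run it with -GlobalAdminsOnly to audit the admin accounts first, then without the switch for every user. It assumes the Microsoft.Graph module and an account that can consent to the listed scopes; the output file name is an arbitrary choice.

```powershell
# Added example, not part of the original post.
# Assumes: Microsoft.Graph module; consent to User.Read.All, Directory.Read.All,
#          UserAuthenticationMethod.Read.All.
param([switch]$GlobalAdminsOnly)

Connect-MgGraph -Scopes "User.Read.All", "Directory.Read.All", "UserAuthenticationMethod.Read.All"

if ($GlobalAdminsOnly) {
    # The role object exists once at least one admin has been assigned to it
    $role    = Get-MgDirectoryRole -Filter "displayName eq 'Global Administrator'"
    $members = Get-MgDirectoryRoleMember -DirectoryRoleId $role.Id -All |
        # Role members can also be groups or service principals; keep only user objects
        Where-Object { $_.AdditionalProperties['@odata.type'] -eq '#microsoft.graph.user' }
    $users = $members | ForEach-Object {
        Get-MgUser -UserId $_.Id -Property "id,userPrincipalName,accountEnabled"
    }
} else {
    $users = Get-MgUser -All -Property "id,userPrincipalName,accountEnabled"
}

$report = foreach ($u in $users) {
    # A password is not a second factor, and the email method only serves password reset,
    # so neither counts as MFA registration here
    $methods = Get-MgUserAuthenticationMethod -UserId $u.Id |
        ForEach-Object { $_.AdditionalProperties['@odata.type'] } |
        Where-Object {
            $_ -ne '#microsoft.graph.passwordAuthenticationMethod' -and
            $_ -ne '#microsoft.graph.emailAuthenticationMethod'
        }

    [pscustomobject]@{
        User          = $u.UserPrincipalName
        Enabled       = $u.AccountEnabled
        MfaRegistered = (@($methods).Count -gt 0)
        Methods       = (@($methods) -replace '^#microsoft\.graph\.', '') -join ', '
    }
}

# Enabled accounts that have nothing but a password are the ones to chase first
$report | Where-Object { $_.Enabled -and -not $_.MfaRegistered } | Format-Table -AutoSize

# Keep the full picture for follow-up
$report | Export-Csv -Path .\mfa-registration-report.csv -NoTypeInformation
```

Registration is only half of the control: a user who has registered a method is still not challenged until MFA is required, either per user or, preferably, through a Conditional Access policy that covers admin roles and then all users.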
3. Enable Advanced Threat Protection
Advanced Threat Protection (ATP) helps protect against unknown malware and viruses hidden in email attachments and links. With ATP, all messages and attachments that don't have a known virus/malware signature are routed to a special environment where ATP uses a variety of machine learning and analysis techniques to detect malicious intent. If no suspicious activity is detected, the message is released for delivery to the mailbox.
- ATP is included in Office 365 E5 and Microsoft 365 E5 plans. ATP can be added on to the Office 365 plans listed here.
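Once the licence is in place, the attachment-detonation behaviour described above is switched on by a Safe Attachments policy plus a rule that scopes it to recipients. The following is an added example (not code from the original post or from Microsoft) using Exchange Online PowerShell; it assumes the ExchangeOnlineManagement module, an ATP licence in the tenant, and uses "contoso.com" as a placeholder for your own accepted domain.

```powershell
# Added example, not part of the original post.
# Assumes: ExchangeOnlineManagement module; ATP licensed; "contoso.com" is a placeholder domain.
Connect-ExchangeOnline

# Policy: what happens to an attachment that detonates as malicious.
# Block withholds the whole message; DynamicDelivery would deliver the body first and
# attach the file only after the scan completes.
New-SafeAttachmentPolicy -Name "Block unsafe attachments" `
    -Enable $true `
    -Action Block `
    -Redirect $false

# Rule: who the policy applies to (here, every recipient in the domain)
New-SafeAttachmentRule -Name "Block unsafe attachments - all users" `
    -SafeAttachmentPolicy "Block unsafe attachments" `
    -RecipientDomainIs "contoso.com"

# Extend the same scanning to files stored in SharePoint, OneDrive and Teams
Set-AtpPolicyForO365 -EnableATPForSPOTeamsODB $true

# Verify what is now in force
Get-SafeAttachmentPolicy | Format-List Name, Enable, Action
Get-SafeAttachmentRule   | Format-List Name, SafeAttachmentPolicy, RecipientDomainIs, State
```

Messages held by the policy land in quarantine, so it is worth agreeing with the help desk how release requests will be handled before the rule goes live for everyone.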
4. Disable Accounts Not Used in 30 Days
While there may be legitimate circumstances where an account is unused for 30 days, these accounts can be targets for attackers who are looking to find ways to access your data without being noticed.
Deleting unnecessary accounts when an employee leaves, changes groups, or stops using the account before it expires helps prevent breaches. A deleted account becomes inactive immediately, and for approximately 30 days after deletion you can still restore it.
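Finding the accounts that have gone quiet is the part that needs tooling. The script below is an added example (not code from the original post or from iV4) that lists enabled accounts with no recorded sign-in in the last 30 days and, only when -Disable is passed, disables them rather than deleting them, so no restore is needed if one turns out to be legitimate. It assumes the Microsoft.Graph module; the signInActivity property requires an Azure AD Premium P1 licence in the tenant and the AuditLog.Read.All scope, and the break-glass address in the exclusion list is a placeholder.

```powershell
# Added example, not part of the original post.
# Assumes: Microsoft.Graph module; Azure AD Premium P1 for signInActivity;
#          "breakglass@contoso.com" is a placeholder for accounts that must never be disabled.
param(
    [int]$Days = 30,
    [switch]$Disable,
    [string[]]$Exclude = @("breakglass@contoso.com")
)

Connect-MgGraph -Scopes "User.Read.All", "AuditLog.Read.All", "User.ReadWrite.All"
$cutoff = (Get-Date).ToUniversalTime().AddDays(-$Days)

$stale = Get-MgUser -All -Property "id,userPrincipalName,accountEnabled,createdDateTime,signInActivity" |
    Where-Object {
        $_.AccountEnabled -and
        $_.UserPrincipalName -notin $Exclude -and
        $_.CreatedDateTime -lt $cutoff      # skip accounts newer than the window
    } |
    Where-Object {
        $last = $_.SignInActivity.LastSignInDateTime
        # Null means no sign-in recorded at all; treat that as stale too
        (-not $last) -or ($last -lt $cutoff)
    } |
    Select-Object UserPrincipalName,
        @{ n = 'LastSignIn'; e = { $_.SignInActivity.LastSignInDateTime } },
        @{ n = 'Created';    e = { $_.CreatedDateTime } }

# Always show the candidates first; the default run is a dry run
$stale | Format-Table -AutoSize

if ($Disable) {
    foreach ($u in $stale) {
        # Disabling keeps the mailbox and data and can be reversed with -AccountEnabled:$true
        Update-MgUser -UserId $u.UserPrincipalName -AccountEnabled:$false
        Write-Host "Disabled $($u.UserPrincipalName)"
    }
}
```

Run it on a schedule and review the dry-run list with the people who own the accounts before passing -Disable; service accounts and shared mailboxes in particular often sign in rarely or never and belong on the exclusion list.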
5. Complete User Alternate Information
Completing alternate information for all users, such as a personal email address or mobile phone number, allows you to safely contact users to verify their identity if abnormal activity occurs. (If you later enable multi-factor authentication, this same information lets users complete their MFA registration.)