Misconfiguration is one of the main threats to cloud data security. When companies don’t properly configure cloud platform security settings, they can leave accounts unprotected and susceptible to a data breach, business email compromise, or account takeover.
Approximately 90% of organizations are currently vulnerable to breaches due to misconfiguration of their cloud security settings.
What often happens is that a business signs up for a service like Microsoft 365 and assumes it can leave the default settings as they are. But defaults are not designed to fit everyone. They are set for maximum compatibility and flexibility, on the understanding that each company will tighten its configuration to match its own needs.
Microsoft 365 offers a number of additional security protections that are not turned on by default. Someone has to go into the admin settings and enable them, whether that is an internal administrator or an IT professional you bring in.
Here are some of the best configuration additions you can make to increase the security of your Microsoft 365 accounts.
Enable Multi-Factor Authentication (MFA) for All Users
We put this one at the top because it is one of the most effective things you can do to prevent credential compromise, which is now a leading cause of data breaches. According to Microsoft, enabling multi-factor authentication on your M365 user accounts blocks more than 99.9% of account compromise attacks.
You can turn on MFA for all users from the Microsoft 365 admin center by signing in with global admin credentials.
In the left navigation, under Admin centers, open Azure Active Directory (since renamed Microsoft Entra ID), then choose Properties and click Manage Security defaults. Set Security defaults to Enabled and save.
Security defaults do more than prompt for a second factor. They require every user to register for multi-factor authentication within 14 days of their next sign-in, require MFA for administrators on every sign-in, and block legacy authentication protocols (basic-auth POP, IMAP and SMTP, for example) that cannot do MFA at all. Because of that last point, check for older mail clients, scanners and line-of-business apps that still use basic authentication before you flip the switch. Security defaults also cannot be used alongside Conditional Access policies; tenants that need per-app or per-group rules should enforce MFA through Conditional Access instead.
Once security defaults are enabled, users receive a prompt to set up two-step verification at their next sign-in.
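The same change from PowerShell, with the check that a practitioner wants afterwards: who has actually registered a method. This is an added example, not code from the original article or from Microsoft's documentation. It assumes the Microsoft.Graph PowerShell SDK is installed and the signed-in account is a Global Administrator.

```powershell
# Added example, not from the original article. Enables security defaults
# through the Microsoft Graph PowerShell SDK and then reports which users
# have not yet registered an MFA method. Assumes the Microsoft.Graph module
# is installed and the signed-in account is a Global Administrator.
Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess',
                        'AuditLog.Read.All',
                        'UserAuthenticationMethod.Read.All'

# Security defaults and Conditional Access are mutually exclusive. If this
# tenant already has enabled Conditional Access policies, stop here and
# require MFA through a Conditional Access policy instead.
$caPolicies = Get-MgIdentityConditionalAccessPolicy -All
if ($caPolicies | Where-Object State -eq 'enabled') {
    throw 'Conditional Access policies are enabled; use them to require MFA instead of security defaults.'
}

Update-MgPolicyIdentitySecurityDefaultEnforcementPolicy -IsEnabled:$true
$policy = Get-MgPolicyIdentitySecurityDefaultEnforcementPolicy
"Security defaults enabled: $($policy.IsEnabled)"

# Registration report: users who still have no MFA method, admins listed first.
$report  = Get-MgReportAuthenticationMethodUserRegistrationDetail -All
$missing = $report | Where-Object { -not $_.IsMfaRegistered }

$missing |
    Sort-Object IsAdmin -Descending |
    Select-Object UserPrincipalName, IsAdmin,
                  @{ n = 'MethodsRegistered'; e = { $_.MethodsRegistered -join ',' } } |
    Format-Table -AutoSize

"Users without MFA registered: $($missing.Count) of $($report.Count)"
```

Run the registration report again after the 14-day grace period; any administrator still listed should be dealt with first, since those are the accounts an attacker will go after.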
Use a Dedicated Admin Account
Administrator accounts are particularly attractive targets for attackers. Compromising an admin account lets them do far more damage, and reach far more data, than compromising a standard user account.
You can reduce the risk of a privileged account being breached by setting up a dedicated admin account in Microsoft 365.
This account needs no additional licence, because it is only ever used to reach administrative settings. It has no mailbox and is not used for browsing or other day-to-day work, so it is never exposed to phishing, malicious attachments or drive-by downloads. Protect it with MFA, and keep the number of global admins small (Microsoft recommends fewer than five) so there are few such accounts to watch.
Your admins sign in to their normal user account for everyday work and switch to the dedicated admin account only when they need to carry out an administrative task, signing out of it again when they are finished.
Block Auto-forwarding of Email
An attacker who compromises a user account does not always make themselves known. A common move is to quietly add an auto-forward to the mailbox so that copies of incoming mail, including password reset notices and sensitive company information, go to an address they control, and keep going even after the original sign-in is noticed or the password is changed.
Most users never look at their forwarding settings unless they need to change them, so this can go undetected for months.
This tip removes that risk by blocking automatic forwarding of messages to recipients outside your company domain.
To set this up:
- Visit the Exchange admin center.
- Under Mail flow, select Rules.
- Click "+" to create a new rule.
- Select More options at the bottom of the rule form.
- Apply the rule if the sender is inside the organization and the recipient is outside the organization.
- Add a second condition: the message properties include the message type Auto-forward.
- Do the following: block the message (you can also add an explanation that is returned to the sender).
- Click Save to save the rule.
Note that Exchange Online's outbound spam filter policy has its own Automatic forwarding setting (Off, On, or Automatic). Make sure it is not set to On, or mail can still leave through mailbox-level forwarding the rule above does not see.
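The same rule built from PowerShell, plus the two audits an incident responder runs on a suspected compromised tenant: mailbox-level forwarding and inbox rules that forward or redirect. This is an added example, not code from the original article. It assumes the ExchangeOnlineManagement module and an Exchange administrator account; the rule name and rejection text are placeholders.

```powershell
# Added example, not from the original article. Creates the mail flow rule
# from the steps above, sets the matching control in the outbound spam
# policy, and audits forwarding that is already configured. Assumes the
# ExchangeOnlineManagement module and an Exchange admin account. The rule
# name and rejection text are placeholders.
Connect-ExchangeOnline

# 1. Mail flow rule: reject auto-forwarded mail leaving the organization.
$rule = @{
    Name                    = 'Block external auto-forward'
    FromScope               = 'InOrganization'
    SentToScope             = 'NotInOrganization'
    MessageTypeMatches      = 'AutoForward'
    RejectMessageReasonText = 'Automatic forwarding to external recipients is not permitted.'
    Priority                = 0
}
New-TransportRule @rule

# 2. The outbound spam filter policy has its own forwarding switch; set it
#    to Off so the two controls agree (the transport rule still gives you a
#    clear NDR and a line in message trace).
Set-HostedOutboundSpamFilterPolicy -Identity Default -AutoForwardingMode Off

# 3. Audit mailbox-level forwarding, which anyone holding the user's password
#    can set from Outlook settings without touching the admin center.
Get-Mailbox -ResultSize Unlimited |
    Where-Object { $_.ForwardingSmtpAddress -or $_.ForwardingAddress } |
    Select-Object UserPrincipalName, ForwardingSmtpAddress, ForwardingAddress, DeliverToMailboxAndForward

# 4. Audit inbox rules that forward or redirect. These survive a password
#    reset and are the classic business email compromise foothold.
Get-Mailbox -ResultSize Unlimited | ForEach-Object {
    Get-InboxRule -Mailbox $_.UserPrincipalName |
        Where-Object { $_.ForwardTo -or $_.ForwardAsAttachmentTo -or $_.RedirectTo } |
        Select-Object MailboxOwnerId, Name, Enabled, ForwardTo, ForwardAsAttachmentTo, RedirectTo
}
```

Step 4 calls Get-InboxRule once per mailbox, so it is slow on a large tenant; schedule it rather than running it interactively, and treat any rule that forwards to an external address, or that also deletes or marks messages as read, as a sign of compromise until proven otherwise.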
Increase Your Level of Malware & Ransomware Protection
Microsoft 365 gives you a good deal of protection against ransomware and other malware by default, but you can increase it. For example, the anti-malware policy can block more file types than the default set, so that it covers the extensions commonly used to spread malware: executables, scripts, installers and disk images such as .exe, .js, .vbs, .hta, .msi, .iso and .lnk.
- Visit https://protection.office.com (it now redirects to the Microsoft 365 Defender portal at https://security.microsoft.com) and sign in with admin credentials.
- In the Security & Compliance center, under Threat management, choose Policy > Anti-Malware. (In the current portal the same policy is under Email & collaboration > Policies & rules > Threat policies > Anti-malware.)
- Open the Default policy to edit it.
- Select Settings.
- Under Common Attachment Types Filter, select On, then review the list of file types and add any extensions commonly used to spread malware that are missing.
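The same setting from PowerShell, with an explicit extension list you can version-control and a read-back to confirm what is enforced. This is an added example, not code from the original article; the extension list is a starting point, not Microsoft's default set. It assumes the ExchangeOnlineManagement module and an Exchange administrator session.

```powershell
# Added example, not from the original article. Turns on the common
# attachment types filter on the default anti-malware policy and sets an
# explicit list of blocked extensions. Assumes the ExchangeOnlineManagement
# module and an Exchange admin session. The extension list below is a
# starting point chosen for this example, not Microsoft's default list.
Connect-ExchangeOnline

# Extensions commonly used as first-stage malware carriers: executables,
# scripts, installers, shortcuts and disk images that bypass mark-of-the-web.
$blocked = @(
    'exe', 'scr', 'pif', 'com', 'cpl', 'msi', 'msp',        # executables and installers
    'js', 'jse', 'vbs', 'vbe', 'wsf', 'wsh', 'hta', 'ps1',  # scripts
    'bat', 'cmd', 'reg', 'lnk',                             # batch, registry, shortcuts
    'iso', 'img', 'vhd', 'vhdx',                            # disk images
    'jar', 'ace', 'ani', 'app'                              # archives and misc
)

$settings = @{
    Identity         = 'Default'
    EnableFileFilter = $true        # the "Common Attachment Types Filter" switch
    FileTypes        = $blocked     # replaces, not appends to, the existing list
    FileTypeAction   = 'Quarantine' # quarantine rather than reject so admins can release false positives
}
Set-MalwareFilterPolicy @settings

# Read back what is now enforced.
Get-MalwareFilterPolicy -Identity Default |
    Select-Object EnableFileFilter, FileTypeAction, @{ n = 'FileTypes'; e = { $_.FileTypes -join ', ' } } |
    Format-List
```

FileTypes replaces the whole list, so merge your additions with the current list first (Get-MalwareFilterPolicy -Identity Default).FileTypes if you want to keep Microsoft's defaults as well. Review the quarantine for a couple of weeks after the change to catch legitimate business workflows that ship one of these types.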
Use Safe Links to Protect Against Phishing Attacks (Business Premium)
Links are used more often than file attachments in phishing emails, yet many companies do not protect against malicious links the way they filter attachments. If you have Microsoft 365 Business Premium (which includes Microsoft Defender for Office 365 Plan 1), you can use the Safe Links feature. It rewrites URLs in incoming mail so that each link is checked against Microsoft's list of known malicious URLs at the moment a user clicks it, and blocks the click if the destination is malicious. Checking at click time matters because phishing pages are often harmless when the mail is delivered and armed only afterwards.
Policy recommendations for Safe Links to improve the level of security are:
- Apply the Safe Links policy to all recipients in your domain, rather than to selected users or groups.
- Turn on URL rewriting so that links are checked against the list of known malicious URLs when a user clicks them, and do not allow users to click through to the original URL from the warning page.
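A Safe Links policy with those recommendations, applied to every recipient in the domain, as an added example that is not code from the original article. It assumes Defender for Office 365 (included in Business Premium), the ExchangeOnlineManagement module and an Exchange administrator session; the policy name and the domain contoso.com are placeholders.

```powershell
# Added example, not from the original article. Creates a Safe Links policy
# with the recommended settings and applies it to all recipients in the
# domain. Assumes Defender for Office 365 (included in Business Premium),
# the ExchangeOnlineManagement module and an Exchange admin session. The
# policy/rule name and the domain contoso.com are placeholders.
Connect-ExchangeOnline

$policy = @{
    Name                     = 'Safe Links - all users'
    EnableSafeLinksForEmail  = $true
    EnableSafeLinksForTeams  = $true
    EnableSafeLinksForOffice = $true
    ScanUrls                 = $true   # rewrite URLs and check them at click time
    DeliverMessageAfterScan  = $true   # hold delivery until the URL check finishes
    EnableForInternalSenders = $true   # internal mail too; compromised accounts phish colleagues
    TrackClicks              = $true   # keep click telemetry for incident response
    AllowClickThrough        = $false  # users cannot click past the warning page
}
New-SafeLinksPolicy @policy

# The rule decides who the policy applies to: everyone in the domain.
$rule = @{
    Name              = 'Safe Links - all users'
    SafeLinksPolicy   = 'Safe Links - all users'
    RecipientDomainIs = 'contoso.com'
    Priority          = 0
}
New-SafeLinksRule @rule

# Read back the settings that matter most.
Get-SafeLinksPolicy -Identity 'Safe Links - all users' |
    Format-List ScanUrls, DeliverMessageAfterScan, EnableForInternalSenders, AllowClickThrough, TrackClicks
```

If the tenant has more than one accepted domain, pass them all to RecipientDomainIs. Keeping TrackClicks on is what lets you answer "who clicked?" from the Defender portal's URL click reports during an investigation.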
Use Microsoft Secure Score
Microsoft Secure Score is a tool that shows where you stand on security in Microsoft 365, as a score out of a maximum, and lets you compare that score against a benchmark of all organizations, organizations with a similar number of seats, or organizations in the same industry.
You can access the tool at https://security.microsoft.com/securescore with the proper administrative credentials.
It lists recommended actions, shows how many points each one is worth, and links to instructions for carrying each one out.
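The same data pulled through Microsoft Graph so it can be tracked over time or dropped into a report, as an added example that is not code from the original article or from Microsoft. It assumes the Microsoft.Graph PowerShell SDK and an account granted SecurityEvents.Read.All.

```powershell
# Added example, not from the original article. Fetches the latest Secure
# Score and lists the controls with the largest number of unearned points,
# which is where the next configuration changes should go. Assumes the
# Microsoft.Graph PowerShell SDK and an account with SecurityEvents.Read.All.
Connect-MgGraph -Scopes 'SecurityEvents.Read.All'

# Scores are returned newest first; take the latest one.
$score = Get-MgSecuritySecureScore -Top 1
'{0:N1} of {1:N1} points ({2:P0})' -f $score.CurrentScore, $score.MaxScore,
                                      ($score.CurrentScore / $score.MaxScore)

# Each control score carries the points earned; the control profile carries
# the maximum, keyed by the same control name.
$maxByName = @{}
foreach ($profile in Get-MgSecuritySecureScoreControlProfile -All) {
    $maxByName[$profile.Id] = [double]$profile.MaxScore
}

$score.ControlScores |
    ForEach-Object {
        $max = [double]$maxByName[$_.ControlName]
        [pscustomobject]@{
            Control  = $_.ControlName
            Category = $_.ControlCategory
            Earned   = [double]$_.Score
            Max      = $max
            Gap      = $max - [double]$_.Score
        }
    } |
    Where-Object Gap -gt 0 |
    Sort-Object Gap -Descending |
    Select-Object -First 10 |
    Format-Table -AutoSize
```

Running this weekly and keeping the output gives you a trend the portal's comparison view does not: whether your score is moving after each of the changes above, and which controls keep reappearing at the top of the gap list.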
Need Help Securing Your Microsoft 365 Account?
Most companies would not try to handle their onsite network security configurations themselves, and they should not do it for cloud platforms either. Getting help from a pro is recommended. C Solutions can provide your Orlando area business with expert management of your Microsoft 365 or other cloud security.
Schedule a free consultation today! Call 407-536-8381 or reach us online.