One of the biggest misconceptions among businesses using Office 365 is that all the responsibility for securing Office 365 rests in Microsoft’s hands. This just isn’t true – Microsoft operates in a shared responsibility model, meaning some of the security rests with you.
Not understanding this can leave your Office 365 environment vulnerable to attack. And cybercriminals are increasingly targeting small and mid-size businesses. This guide will help you understand your security responsibilities, the major threats you need to be aware of, and what you can do to secure your network.
Need help navigating Office 365 security and understanding your Office 365 Secure Score? We're happy to help. Check the bottom of this page for more.
You are responsible for who you give access to your data, whether willingly or unwillingly (client & end-point protection and identity & access management). This responsibility extends to all users in your organization.
You’re also responsible for data classification, meaning it’s on you to treat sensitive or classified data as such and put the proper controls in place to limit access. If you’re in a regulated industry, it’s your responsibility to handle your data in a way that meets industry regulations.
Some of the responsibilities change depending on the type of service. For example, if you have a Windows Server at your office, physical security of the server is your responsibility. If you’re using a cloud service like Office 365, physical security of the cloud server is their responsibility.
Basically, Microsoft protects your data from attack in their data centers and while it’s in motion.
The datacenters where your content is physically stored are guarded and monitored 24/7 and have strict security measures like biometric scanners to prevent unauthorized persons. Furthermore, the personnel onsite at the datacenters don’t have access to your data; they only protect it – a practice called ‘role separation’.
Microsoft uses ‘encryption in transit’ for all data, which means that your data in motion (as soon as you press send on an email or upload a document to OneDrive) is protected against eavesdropping.
The biggest and most prevalent threat to your Office 365 environment is an outside attacker trying to break into your users’ accounts. Once they’re in, they can use these accounts to launch more attacks, steal your information, and make money for themselves.
The most common way cybercriminals target users is through email-based phishing attacks. Phishing was the #1 threat to Office 365 in the second half of 2017, accounting for 53% of threats detected by Microsoft.
Phishing is an email attack aimed at fooling the target into thinking that an email is from a legitimate source to gain access to personal or business information. The most common types of phishing attacks aimed at businesses try to steal your account credentials or get you to wire money to them.
Phishing attacks with the purpose of stealing your credentials will typically have a link that leads to a fake login screen. These usually look like a notification of some kind, like a fake shipping notification or a fake invoice notification. We’ve also seen a considerable increase recently in phishing emails that look like secure email notifications.
We've recapped many of these on our blog:
While these blog posts cover specific examples of phishing emails we've seen, they should be used only as a general guide. Phishing emails are always evolving and can look like anything.
A common tactic among cybercriminals is to target users based on the software or apps they use. There are many, many variations of phishing attacks that target Office 365 users specifically.
Most of these look like notifications claiming your account has been or will be suspended. Some try to blend in with other notifications, like phishing emails that look like spam quarantine notifications. As cybercriminals get better, these get harder and harder to spot.
Many phishing attacks rely on spoofing to succeed. Spoofing is when a cybercriminal makes it appear like an email is coming from someone else—basically, they’re forging the “From” address to look like it’s coming from a legitimate source.
A low-tech way to do this is to use a look-alike email address, like Bob@Acnnecorp.com instead of Bob@Acmecorp.com. It is possible for cybercriminals to make it look like an email is coming from another sender's real email address, though.
Cybercriminals will use this in all kinds of phishing attacks. The tactic works for everything from fake Office 365 notifications to wire fraud emails that look like they’re from someone in your organization.
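One defensive check that follows from the Bob@Acnnecorp.com example above: compare the sender's domain against your trusted domains after collapsing the letter sequences that imitate other letters on screen. This is example code added here, not something from the original article; the CONFUSABLES table and the trusted-domain list are assumptions for the demonstration.

```python
"""Flag sender addresses whose domain looks like a trusted domain
(the Acnnecorp.com vs Acmecorp.com trick), plus the related trick of
using the trusted name as a leading label of a longer domain."""
import unicodedata

# Assumed table of on-screen look-alikes: each key is a sequence attackers
# substitute, each value is the letter it imitates. "nn" -> "m" is the
# case from the article; the rest are common variations.
CONFUSABLES = {"rn": "m", "nn": "m", "vv": "w", "0": "o", "1": "l", "|": "l"}


def skeleton(domain):
    """Reduce a domain to the shape a reader perceives: strip accents,
    lowercase, then collapse confusable sequences to the letter they imitate.
    Legitimate domains with a double n will also collapse; treat hits as
    items to review, not proof of spoofing."""
    text = unicodedata.normalize("NFKD", domain).encode("ascii", "ignore").decode()
    text = text.lower()
    for fake, real in CONFUSABLES.items():
        text = text.replace(fake, real)
    return text


def lookalike_of(sender, trusted):
    """Return the trusted domain that a sender's domain imitates, or None.
    A sender whose domain IS a trusted domain is legitimate and returns None."""
    domain = sender.rsplit("@", 1)[-1].lower()
    if domain in trusted:
        return None
    for good in trusted:
        # Same perceived shape as a trusted domain: acrnecorp.com, acmec0rp.com
        if skeleton(domain) == skeleton(good):
            return good
        # Trusted name used as a prefix label: acmecorp.com.some-other.test
        if domain.startswith(good + "."):
            return good
    return None


if __name__ == "__main__":
    # Constructed sample addresses for a demo run.
    TRUSTED = {"acmecorp.com"}
    for addr in ("Bob@Acmecorp.com", "Bob@Acnnecorp.com", "it@acmec0rp.com"):
        print(addr, "->", lookalike_of(addr, TRUSTED))
```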
Recently, cybercriminals have started to combine these tactics into multi-step phishing attacks. They will use a phishing attack to steal a user’s login information—usually an executive level employee. Then, once they’re in the first victim’s account, they’ll use that to pretend to be the victim and get another person to wire them money.
If you are like most people, you use the same or a similar password for all your accounts. Your employees likely do the same thing. Here’s the thing: cybercriminals know you do that, and can use that to access your account.
Every time a website or company gets hacked and their users’ account credentials are stolen, it puts your company at risk. Cybercriminals will use those stolen credentials to try to log into other accounts. It’s not hard to match up personal email addresses with professional email addresses.
To protect your Office 365 users, you need a multi-layered approach to security to guard them at multiple possible points of attack. Office 365 has built-in tools, along with dozens of security add-ons to help.
We typically recommend businesses start with a few security measures to proactively limit the chances of falling victim to an attack.
Multi-factor authentication (sometimes called two-factor authentication) gives users an extra layer of protection during the log-in process and can stop an account-based attack—even if the attackers have your password.
It does this by requiring an extra form of authentication on top of a password. This is usually a code from an app or secure key fob, but can also be something like a fingerprint scan. Without that second form of authentication, the attacker can’t get in.
Office 365 has a few options for multi-factor authentication. There is a built-in version or a more robust add-on available. We typically recommend the add-on because it allows for more controls, including the ability to whitelist IP addresses, so you can use just your password when you're in the office.
Outside of Office 365, we recommend enabling multi-factor authentication on any account possible, including your personal accounts. Most free email providers (like Gmail), social media sites, and financial institutions offer multi-factor authentication (or two-step verification, which is a very similar process) for free. Check your account settings to turn it on.
Advanced Threat Protection (ATP) is an add-on that keeps malicious emails out of your employees’ inboxes. It goes above and beyond a typical spam filter by scanning emails for malicious links and attachments before they hit your inbox.
It also works with OneDrive for Business, SharePoint, and Teams by scanning files to make sure nothing malicious has been uploaded.
Customizing your Office 365 login screen can help alert employees that something is wrong when they see a fake login page. This will take a little bit of training with your staff, so they know to look for the logo when they log in.
There are more security add-ons, based on your needs. If your company is in a regulated industry, or if you deal with a lot of sensitive information, you’ll likely need to add on one of the following:
Every Office 365 plan comes with Audit Logs, and every company running Office 365 should turn them on.
Audit logs record activities in your Office 365 environment (Exchange, SharePoint, OneDrive for Business, Yammer, Power BI, Sway, and Azure Active Directory are all included). Activities recorded include:
It can feel a little Big Brother-ish, but you really should have Audit Logs turned on. Audit logs are one of the first places we check when helping customers diagnose if they’ve experienced a breach. They’re critical to figuring out what’s going on if someone has gotten access to your system—because the data is all in the logs.
Let’s look at an example: One common tactic cybercriminals use when launching wire fraud attacks is to get access to a high-level employee’s account. They’ll send emails from that account requesting wire transfers. They’ll also set up new folders and rules in Outlook to automatically send any replies to those folders. That way, the real owner of the account won’t see them and know something is up. Audit logs can capture that activity.
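To show what "the data is all in the logs" looks like in practice, here is an example (added here, not from the original article) that reads exported audit log records and flags inbox rules that hide or redirect mail, the pattern in the wire-fraud scenario above. The sample records are constructed for this example; they follow the general shape of Exchange records in the unified audit log (an Operation name plus a Parameters list), but field names and values here are assumptions, not copied from a real tenant.

```python
"""Flag Office 365 audit log records where an inbox rule was created or
changed in a way that hides replies from the mailbox owner or sends copies
elsewhere. Sample records are constructed, not real logs."""
import json

# Exchange Online cmdlets that create or change inbox rules.
RULE_OPERATIONS = {"New-InboxRule", "Set-InboxRule"}
# Rule parameters that move, delete, forward, or silently mark mail as read.
HIDING_PARAMS = {"MoveToFolder", "DeleteMessage", "MarkAsRead",
                 "ForwardTo", "ForwardAsAttachmentTo", "RedirectTo"}
FORWARDING_PARAMS = {"ForwardTo", "ForwardAsAttachmentTo", "RedirectTo"}

# Constructed sample: one AuditData JSON record per line.
SAMPLE_AUDIT_JSON = r'''
{"CreationTime":"2018-03-02T14:11:09","Operation":"New-InboxRule","Workload":"Exchange","UserId":"ceo@example.com","Parameters":[{"Name":"Name","Value":"."},{"Name":"SubjectContainsWords","Value":"wire;invoice;payment"},{"Name":"MoveToFolder","Value":"RSS Subscriptions"},{"Name":"MarkAsRead","Value":"True"}]}
{"CreationTime":"2018-03-02T15:20:41","Operation":"New-InboxRule","Workload":"Exchange","UserId":"alice@example.com","Parameters":[{"Name":"Name","Value":"Newsletters"},{"Name":"From","Value":"news@vendor.example"},{"Name":"MoveToFolder","Value":"Newsletters"}]}
{"CreationTime":"2018-03-02T16:02:13","Operation":"FileUploaded","Workload":"OneDrive","UserId":"bob@example.com"}
'''


def parse_records(text):
    """Parse newline-delimited AuditData JSON into dicts, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def params_of(record):
    """Turn the record's Parameters list into a {name: value} dict."""
    return {p["Name"]: p["Value"] for p in record.get("Parameters", [])}


def suspicious_rules(records):
    """Return (user, rule name, hiding parameters) for rules worth reviewing.
    A rule that only files mail from one specific sender is ordinary user
    housekeeping and is skipped; a rule keyed on subject words (or with no
    sender condition) that moves/deletes/marks mail, or any rule that
    forwards mail outside the mailbox, is flagged."""
    hits = []
    for rec in records:
        if rec.get("Operation") not in RULE_OPERATIONS:
            continue
        params = params_of(rec)
        hiding = sorted(k for k in params if k in HIDING_PARAMS)
        if not hiding:
            continue
        sender_scoped = "From" in params or "FromAddressContainsWords" in params
        forwards = any(k in FORWARDING_PARAMS for k in params)
        if forwards or not sender_scoped:
            hits.append((rec.get("UserId"), params.get("Name", "?"), hiding))
    return hits
```

Reviewing the flagged rule names and target folders (a rule named "." that files wire-related mail into an RSS folder, as in the sample) is usually enough to tell an attacker's rule from a user's own filing.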
Office 365 audit logs are not enabled by default, so to start using them, you'll need to turn them on and set up a few configurations (please note, your Office 365 Admin will need to do this):
Logs are only kept for 90 days, so if you don't set up alerts, it's a good idea to review them periodically for suspicious activity.
Keeping track of how you’re doing with security can be tough. Unless you deal with cybersecurity all the time, knowing what you need to do—and what’s most valuable to do—is difficult.
Microsoft does have a tool that can help, called Secure Score, which grades your security efforts in Office 365. It assigns a numerical value to each security measure to give you your Office 365 Secure Score. Different activities have different numerical values, based on their potential impact.
You’ll also get a list of recommendations for what you can do to make your environment more secure (and in turn, increase your Secure Score). At the moment, it’s impossible to get a “perfect” Secure Score. Not all of the activities that Microsoft recommends currently have numerical ratings. This doesn’t mean you shouldn’t do them, though!
You'll also be able to compare your Secure Score with the average Office 365 Secure Score. This can be tricky, though—doing better than average doesn't mean you aren't vulnerable to attack.
Looking at your Secure Score can be overwhelming, to say the least. There is a lot to look at, and if you’re not familiar with it (and not familiar with cybersecurity) it can be hard to know what you need to do. We’re happy to help you navigate your Secure Score. Check the bottom of this page for more.
Quick Note: You will need admin level access to see your company's Secure Score. If you try to access it and it tells you that you don't have permission, check with your company's admin.
If you’re technically savvy and have the time to do it, you can buy the licenses and set up these add-ons yourself. But for businesses without a dedicated IT team, we recommend working with a Microsoft Partner with experience in Office 365 security. Security is critical, and setting it up wrong could mean major holes you don’t know about.
About PTG: Palmetto Technology Group (PTG) is an outsourced IT company and Microsoft Partner headquartered in Greenville, SC. We take the guesswork and frustration out of IT by working with businesses to help them align their technology to meet business goals. We’ve been named the Microsoft Southeast Cloud Partner of the Year three times, and in 2017, we were named the Microsoft East Region Office 365 Partner of the Year.
Need help making sense of your Office 365 Secure Score and figuring out what to do next? We're here to help. Schedule a time for a Secure Score consultation and we'll help you make sense of it. There is no cost to you.
During this call, we'll cover:
Fill out your information to the right, and we'll be in touch soon.