Improving Your Office365 Security Posture to Stop Phishing at Email’s Shores
By: Lewis Brisbois' Data Privacy & Cybersecurity Team
Phishing attacks and other email compromise schemes are not just an annoyance in the modern workspace. A successful email compromise can allow malicious actors to intrude into an organization’s enterprise email accounts, expose sensitive data contained in users’ inboxes, and give cyber criminals the ability to successfully impersonate an employee to others within and without the organization by using the employee’s own email account. Once in control of an employee’s account, a malicious actor can more easily perpetrate other attacks like wire fraud against the organization. These attacks can, in turn, create potential legal liabilities for the organization and prove costly to remediate.
In the Office365 space, Microsoft continues to evolve its ability to effectively safeguard Office365 data through a multi-layered security approach including physical, logical, and data layers of security. Regardless of these advances, customers must do their own part to properly implement the security capabilities – both at the technical and human level – in order to best protect their environment.
Here are some best practice tips we recommend to help defend your Office365 environment; many of these tips can be applied to securing other segments of your network as well:
Turn on Audit Logging
The best way to prevent the next data incident is to learn from the past. Audit logging will give you insight on historical activity within your Office365 environment. The ability to assess all of the events leading up to an incident – including the actions of each employee or network administrator – will help you identify and close compliance gaps to prevent any recurrences.
Importantly, Office365 audit logs are not enabled by default, so users should actively enable them for added security. Logs are kept for 90 days, so it is a good idea to review them periodically or set up alerts – or even better, both.
Should a data incident occur, the first thing a forensics team will ask for when responding to an incident will be your audit logs. Having them immediately available is a key variable in ensuring a successful incident response.
Enable Identity and Access Management
The biggest threat to security landscapes continues to be the harvesting and use of credentials to gain access to networks, typically via business email compromises. Some of the best ways to minimize account vulnerabilities in Office365 are:
- Multifactor Authentication (MFA): require more than one method of user identification to gain network access. One of the most common forms of MFA is the password/cellphone authentication combination: once a user inputs a password, an alert is pushed to the user’s cellphone, requiring the user to acknowledge the separate and independent verification before they can gain access to the network.
- Configure Azure Active Directory Identity Protection: this allows an administrator to easily monitor suspicious user activity from a consolidated view window.
- Password Controls: set specific requirements for the duration, length, and complexity of each account password.
- Limit Administration: administrative capabilities should be limited to separate dedicated accounts and should be few in number.
- Scan for Inactive Accounts: if any network account has been inactive for more than 30 days, it should be immediately disabled. Leaving inactive accounts enabled can increase unnecessary risks to your systems.
Training and Testing
Fully educating your user community about their role in safeguarding data is just as critical as any technical security feature you activate. When training your users, you should use real-world examples that reflect the daily activities of the business. This will give context to what is being taught. Giving your users abstract technical rules, without any concrete examples, will often lead to them tuning out or misunderstanding the training.
Following the training, use tools like the Attack Simulator to conduct exercises, such as spear-phishing, to ensure the educational content is being effectively absorbed by personnel.
Monitor Secure Score
This tool is included in Office365 to analyze and measure the security posture of your environment based on its settings and ongoing activities. It will also suggest potential options for additional protections, some of which may impact overall productivity depending on your organization’s culture. Review the additional protections and choose what works best for your organization. Make sure to regularly monitor your secure score as you implement best practice security controls.