Microsoft 365 is one of the most used cloud platforms in the world. 58.4% of sensitive data saved to the cloud is stored in MS Office documents.

Tucson businesses often have a false sense of security when they upload data into cloud platforms like Microsoft 365 because they figure the security is all taken care of by default.

While large SaaS providers like Microsoft do have robust security and offer several protective features, much of the configuration of those features is left in the user’s hands.

For example, an important security feature like multi-factor authentication (MFA) is not turned on by default. It has to be specifically turned on by the account administrator. This is the case for many of the business IT security protections in the platform.

Misconfiguration is one of the top threats to cloud data security cited by IT professionals.

So, if you’re using your Microsoft 365 business account “out of the box” without any custom security configurations, you could be leaving your sensitive data at risk of being infected by ransomware or stolen through hacked login credentials.

How to Secure Your Microsoft 365 Business Account

Use Rules to Protect Against Ransomware

Ransomware can reach files stored in the cloud, making them unusable by encrypting them or otherwise locking the user out. Ransomware often arrives via a phishing email, and you can boost protection against it by adding two rules in your Microsoft 365 account.

  • Create a warning message that is shown to users when they receive Office file attachments containing macros, which can hide ransomware.
  • Block certain file types that can carry malware (such as .exe or .tar).

To add these, you’ll go to the Exchange admin center and look for the mail flow category.

Select Rules, and then Create a new rule. Look for the additional options at the bottom of the dialog box.

  • File types you’ll want to specify for a macro warning message are: dotm, docm, xlsm, xltm, xla, xlam, xll, pptm, potm, ppam, ppsm, sldm
  • File types to block because they may contain ransomware or other threats are: ade, adp, ani, bas, bat, chm, cmd, com, cpl, crt, hlp, ht, hta, inf, ins, isp, job, js, jse, lnk, mda, mdb, mde, mdz, msc, msi, msp, mst, pcd, reg, scr, sct, shs, url, vb, vbe, vbs, wsc, wsf, wsh, exe, pif
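The same two rules created from Exchange Online PowerShell instead of the admin center. This is an added example, not code from the original post; it assumes the ExchangeOnlineManagement module is installed, the signed-in account holds an Exchange admin role, and the rule names and banner text are placeholders you can change.

```powershell
# Added example (not from the original post). Assumes the ExchangeOnlineManagement
# module and an Exchange admin role; rule names and message text are assumed.
Connect-ExchangeOnline

# Extensions listed in the post: macro-enabled Office formats get a warning banner.
$macroExtensions = @('dotm','docm','xlsm','xltm','xla','xlam','xll',
                     'pptm','potm','ppam','ppsm','sldm')

# Extensions listed in the post: executable and script formats are rejected outright.
$blockedExtensions = @('ade','adp','ani','bas','bat','chm','cmd','com','cpl',
                       'crt','hlp','ht','hta','inf','ins','isp','job','js',
                       'jse','lnk','mda','mdb','mde','mdz','msc','msi','msp',
                       'mst','pcd','reg','scr','sct','shs','url','vb','vbe',
                       'vbs','wsc','wsf','wsh','exe','pif')

# Rule 1: prepend a warning to any message carrying a macro-enabled attachment.
# Wrap is the fallback when the HTML body cannot be modified in place.
New-TransportRule -Name 'Warn: macro-enabled Office attachment' `
    -AttachmentExtensionMatchesWords $macroExtensions `
    -ApplyHtmlDisclaimerLocation Prepend `
    -ApplyHtmlDisclaimerFallbackAction Wrap `
    -ApplyHtmlDisclaimerText ('<p style="color:red">Caution: this message ' +
        'contains a macro-enabled Office attachment. Do not enable macros ' +
        'unless you were expecting this file from the sender.</p>')

# Rule 2: reject messages whose attachments use a blocked extension and tell
# the sender why (5.7.1 is the standard "delivery not authorized" status code).
New-TransportRule -Name 'Block: executable attachment types' `
    -AttachmentExtensionMatchesWords $blockedExtensions `
    -RejectMessageEnhancedStatusCode '5.7.1' `
    -RejectMessageReasonText 'Attachment type is not allowed by policy.'

# Verify both rules exist and are enabled before relying on them.
Get-TransportRule |
    Where-Object { $_.Name -like 'Warn:*' -or $_.Name -like 'Block:*' } |
    Format-Table Name, State, Priority
```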

Enable Multi-factor Authentication

67% of data breaches are caused by compromised login credentials, and this can easily cause data loss from the cloud. A hacker that gets into a user account can also send phishing emails from your company domain.

You can significantly increase the security of your Microsoft 365 user accounts by enabling MFA for all users. Each user will be prompted to register a device, which is then used to deliver a verification code at login.

MFA blocks most account hacks because even if the hacker has the password, they have no way to obtain the MFA code.

Turn On Advanced Phishing Protections (Microsoft 365 Business Premium)

Microsoft 365 Business Premium subscribers have added protection through Microsoft Defender for Office 365. One of the features they can use is its anti-phishing protection.

This allows one or more custom domains configured for Microsoft 365 to have targeted anti-phishing safeguards that protect from impersonation-based phishing, along with other types of phishing attacks.

To access this area, go to: Security & Compliance Center > Threat Management > Policy > Anti-phishing.
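An equivalent anti-phishing policy created from Exchange Online PowerShell, scoped to one custom domain. This is an added example, not code from the original post; it assumes a Business Premium (Defender for Office 365) tenant and uses contoso.com as a placeholder for your own verified custom domain.

```powershell
# Added example (not from the original post). Assumes Defender for Office 365
# is licensed; "contoso.com" is an assumed placeholder for your custom domain.
Connect-ExchangeOnline

$domain = 'contoso.com'   # assumed placeholder for your verified domain

# The policy: protect the tenant's own domains plus the named custom domain
# from impersonation, and quarantine messages that impersonate them.
New-AntiPhishPolicy -Name "Anti-phish: $domain" `
    -EnableOrganizationDomainsProtection $true `
    -EnableTargetedDomainsProtection $true `
    -TargetedDomainsToProtect $domain `
    -TargetedDomainProtectionAction Quarantine `
    -EnableMailboxIntelligence $true `
    -EnableSpoofIntelligence $true

# The rule: apply the policy to recipients in that domain.
New-AntiPhishRule -Name "Anti-phish rule: $domain" `
    -AntiPhishPolicy "Anti-phish: $domain" `
    -RecipientDomainIs $domain

# Confirm the policy settings and that the rule is enabled.
Get-AntiPhishPolicy -Identity "Anti-phish: $domain" |
    Format-List Name, EnableTargetedDomainsProtection,
                TargetedDomainsToProtect, TargetedDomainProtectionAction
Get-AntiPhishRule -Identity "Anti-phish rule: $domain" |
    Format-List Name, State, RecipientDomainIs
```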

Create One Dedicated Admin Account

If you have four Microsoft 365 administrators at your company, that’s four highly sensitive accounts that need protection. Administrators can change security policies, access other user information, and have levels of control that a hacker could use to cause a great deal of harm.

If you have just one dedicated admin account rather than four, that reduces your risk. Each admin simply logs into that one dedicated account when they need to handle administrative duties and logs back out after they’re finished.

The account is additionally protected by the fact that it’s not being used for email or any other activities, so there’s less risk of a hack through phishing.

Stop Emails from Being Forwarded Outside Your Domain

One tactic that hackers will use after gaining access to someone’s Microsoft 365 account is to auto-forward email to their own email address. Unless the user specifically checks the forward settings, they may never realize this is happening.

You can set up a rule to block any forwarding of your internal messages to any address outside your organization, which improves your email and data security.

To do this, you create a mail transport rule in the Exchange admin center:

  • In the mail flow category, select Rules
  • Click + to create a new rule
  • Select More options at the bottom
  • Apply a rule so that if the sender is internal, the recipient is external, and the message type is Auto-forward, the message is blocked

You can also add a message to the rule that notes forwarding outside the domain is prohibited.
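The same forwarding block as an Exchange Online PowerShell rule, followed by a check for forwarding that a compromised account may already have configured, which the rule alone does not undo. This is an added example, not code from the original post; it assumes the ExchangeOnlineManagement module and an Exchange admin role, and the rule name and rejection text are placeholders.

```powershell
# Added example (not from the original post). Assumes the ExchangeOnlineManagement
# module and an Exchange admin role; rule name and rejection text are assumed.
Connect-ExchangeOnline

# The rule from the post: internal sender, external recipient, message type
# Auto-forward -> reject, using the "forwarding is prohibited" note as the reason.
New-TransportRule -Name 'Block external auto-forward' `
    -FromScope InOrganization `
    -SentToScope NotInOrganization `
    -MessageTypeMatches AutoForward `
    -RejectMessageEnhancedStatusCode '5.7.1' `
    -RejectMessageReasonText 'Automatic forwarding outside the organization is prohibited by policy.'

# Detection: the rule stops future forwards but leaves existing settings in place.
# First list mailbox-level forwarding set on the mailbox itself...
Get-Mailbox -ResultSize Unlimited |
    Where-Object { $_.ForwardingSmtpAddress -or $_.ForwardingAddress } |
    Select-Object UserPrincipalName, ForwardingSmtpAddress,
                  ForwardingAddress, DeliverToMailboxAndForward

# ...then inbox rules that forward or redirect, which users rarely notice.
Get-Mailbox -ResultSize Unlimited | ForEach-Object {
    Get-InboxRule -Mailbox $_.UserPrincipalName |
        Where-Object { $_.ForwardTo -or $_.ForwardAsAttachmentTo -or $_.RedirectTo } |
        Select-Object @{ n = 'Mailbox'; e = { $_.MailboxOwnerId } },
                      Name, Enabled, ForwardTo, ForwardAsAttachmentTo, RedirectTo
}
```

Review anything the two listings return: a forward to an address outside your domain that nobody recognizes is a sign the account should be treated as compromised.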

Does Your Microsoft 365 Account Have the Security Configurations You Need?

ECN IT Solutions can help your Tucson business take full advantage of the security controls you have in Microsoft 365 by customizing them to fit your needs.

We’re here and ready to talk cloud security with you! Reach out at 520-355-7553 or through our website.