Top 9 Ways to Secure Office 365 and Microsoft 365

9 ways to secure O365 & M365

Microsoft Office 365 has many security features and capabilities built in; however, with a few simple changes to system configuration and business practice you can greatly improve your security posture. The nine steps below are the ones we recommend doing first.

1. Use Multi-Factor Authentication 

Multi-factor authentication (MFA) is by far one of the most effective ways to protect Office 365 accounts from being taken over. With MFA in place, your employees must supply a second factor (a one-time code from an authenticator app, a push approval, or a hardware security key) along with their usual username and password in order to sign in. Conditional Access policies can also suppress the extra prompt when someone signs in from a trusted location or a managed, compliant device, so users are not challenged constantly.

With MFA, a guessed, leaked or written-down password is no longer enough on its own to get into an account: the attacker also needs the employee's second factor. Strong passwords still matter, and MFA is not bulletproof (attackers spam approval prompts hoping the user taps Accept, and real-time phishing proxies can relay codes), so prefer app or hardware-key factors over SMS and tell staff to deny any prompt they did not trigger.
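The "not prompted from a trusted location" behaviour described above is a Conditional Access policy. As an added example, not part of the original article, here is such a policy created with the Microsoft Graph PowerShell SDK: MFA for everyone, everywhere, except from named locations marked as trusted. The tenant domain, the break-glass account and the policy name are assumptions; the cmdlets, scopes and policy fields are the real Microsoft Graph ones.

```powershell
# Added example (not from the original article): a Conditional Access policy
# that requires MFA for every user, everywhere except named trusted locations,
# created with the Microsoft Graph PowerShell SDK. The tenant, the break-glass
# account and the policy name are assumed placeholders.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All", "User.Read.All"

# Assumed: one emergency-access ("break-glass") account that is excluded so a
# misconfigured policy cannot lock every admin out. Protect it another way.
$breakGlass = Get-MgUser -Filter "userPrincipalName eq 'breakglass@contoso.com'"

$policy = @{
    displayName = "CA001 - Require MFA for all users (except trusted locations)"
    # Start in report-only mode, review the sign-in logs, then switch to "enabled".
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users        = @{
            includeUsers = @("All")
            excludeUsers = @($breakGlass.Id)
        }
        applications = @{ includeApplications = @("All") }
        # "AllTrusted" is the built-in alias for every named location marked trusted.
        locations    = @{
            includeLocations = @("All")
            excludeLocations = @("AllTrusted")
        }
    }
    grantControls = @{
        operator        = "OR"
        builtInControls = @("mfa")
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
"Created policy {0} in state {1}" -f $created.DisplayName, $created.State

# Sanity check: list every policy that enforces MFA and its current state.
Get-MgIdentityConditionalAccessPolicy |
    Where-Object { $_.GrantControls.BuiltInControls -contains "mfa" } |
    Select-Object DisplayName, State
```

Excluding trusted locations means anyone who reaches your office network, including an attacker on the Wi-Fi, signs in with a password alone; if you want less prompting without that gap, drop the location exclusion and add "compliantDevice" to the grant controls instead, so a managed device counts as the second factor.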


2. Have Dedicated Admin Accounts 

Admin accounts carry elevated privileges: whoever holds one can grant rights to other users, change tenant-wide settings, install software and more, which makes them a prime target for attackers. Each administrator should have their own named admin account, used only for admin tasks, and a separate ordinary account for email and day-to-day work.

Every admin account must have multi-factor authentication enabled. Review admin role membership regularly so that privileges are not handed to users who don't need them, because every extra admin is another account worth stealing. When an administrator leaves the business, disable their admin account immediately and revoke its active sessions so it can't be used against you.
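The "routinely monitor" and "shut down when they leave" advice above can be scripted. As an added example, not part of the original article, this Microsoft Graph PowerShell script lists every Global Administrator, reports whether each has a strong (non-password) sign-in method registered, and shows the offboarding sequence for an admin who leaves. The tenant and the leaver's address are assumptions; the role name, cmdlets and method type names are the real Microsoft Graph ones.

```powershell
# Added example (not from the original article): audit Global Administrator
# accounts with the Microsoft Graph PowerShell SDK. For each member it reports
# whether a strong (non-password) sign-in method is registered, then shows the
# offboarding commands for an admin who leaves. The tenant and the leaver's
# UPN are assumptions; role and method type names are the real Graph ones.
Connect-MgGraph -Scopes "RoleManagement.Read.Directory", "UserAuthenticationMethod.Read.All", "User.ReadWrite.All"

# Methods that count as a second factor; password, e-mail OTP and temporary
# access passes are deliberately not on this list.
$strongMethods = @(
    "#microsoft.graph.microsoftAuthenticatorAuthenticationMethod",
    "#microsoft.graph.fido2AuthenticationMethod",
    "#microsoft.graph.softwareOathAuthenticationMethod",
    "#microsoft.graph.phoneAuthenticationMethod",
    "#microsoft.graph.windowsHelloForBusinessAuthenticationMethod"
)

# Roles only appear once they have been activated in the tenant, which is why
# this filters client-side instead of assuming the role exists.
$role = Get-MgDirectoryRole -All | Where-Object DisplayName -eq "Global Administrator"
if (-not $role) { throw "Global Administrator role not activated in this tenant" }

$report = foreach ($member in Get-MgDirectoryRoleMember -DirectoryRoleId $role.Id -All) {
    $odataType = $member.AdditionalProperties["@odata.type"]
    if ($odataType -ne "#microsoft.graph.user") {
        # Groups or service principals holding the role deserve a review of their own.
        [pscustomobject]@{ Principal = $member.Id; Type = $odataType; StrongMfa = "n/a" }
        continue
    }
    $methods    = Get-MgUserAuthenticationMethod -UserId $member.Id
    $registered = $methods | ForEach-Object { $_.AdditionalProperties["@odata.type"] }
    [pscustomobject]@{
        Principal = $member.AdditionalProperties["userPrincipalName"]
        Type      = "user"
        StrongMfa = [bool]($registered | Where-Object { $strongMethods -contains $_ })
    }
}

# Anyone with StrongMfa = False is an administrator protected by a password alone.
$report | Sort-Object StrongMfa | Format-Table -AutoSize

# Offboarding a departed admin (assumed UPN): disable the account first, then
# revoke refresh tokens so existing sessions die, then remove the role.
$leaver = Get-MgUser -UserId "admin.leaver@contoso.com"
Update-MgUser -UserId $leaver.Id -AccountEnabled:$false
Revoke-MgUserSignInSession -UserId $leaver.Id
Remove-MgDirectoryRoleMemberByRef -DirectoryRoleId $role.Id -DirectoryObjectId $leaver.Id
```

Run the audit on a schedule and treat any "False" row as an incident, not a to-do: a Global Administrator without a second factor is the single most valuable target in the tenant.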

3. Train Your Staff 

The Harvard Kennedy School publishes an excellent guide, the Cybersecurity Campaign Handbook, to help you train your staff. It can help you build a culture of security awareness from the day someone is hired, including training users to recognise phishing emails so attackers don't get a foothold.

Your staff should know what a strong password is and how to choose one, how to protect their devices, and how to turn on the built-in security features of macOS and Windows 10. Ongoing training keeps them up to date with the latest threats.


4. Protect Your System Against Ransomware 

Ransomware is malicious software that denies access to a computer or its data, usually by encrypting the files or locking the machine. The attackers then demand a ransom, typically in a cryptocurrency such as Bitcoin, and promise to restore access once it is paid.

You can create Exchange Online mail flow rules (transport rules) that block the file extensions criminals commonly use to deliver ransomware. Either block every file type that could carry executable content outright, or add a rule that warns staff when they are about to open an Office attachment that contains macros.

5. Raise Your Malware Protection Levels 

Malware is an umbrella term that covers many types of software that purposely damage a computer. Malware can be Trojans, viruses, spyware, ransomware, or worms. Malware is short for "malicious software," and training your staff on avoiding it is critical. 

Luckily, Microsoft 365 and Office 365 come with built-in anti-malware filtering. You can strengthen it by enabling the common attachments filter in the anti-malware policy, which automatically blocks the file types criminals commonly use to deliver malware, whatever the scanner thinks of the contents.
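Steps 4 and 5 above are the same control applied twice, so here is one added example covering both; it is not part of the original article. It uses Exchange Online PowerShell to create the two mail flow rules step 4 describes (reject executable attachments, warn on macro-enabled Office files) and to turn on the common attachments filter from step 5. The executable and macro extension lists follow Microsoft's published hardening guidance, plus three disk-image formats; the tenant, rule names and message wording are assumptions.

```powershell
# Added example (not from the original article): Exchange Online PowerShell
# configuration for steps 4 and 5 - two mail flow (transport) rules that
# reject executable attachments and warn about macro-enabled Office files,
# plus the anti-malware common attachments filter. Extension lists follow
# Microsoft's guidance (plus iso/img/vhd); names and wording are assumptions.
Connect-ExchangeOnline -UserPrincipalName admin@contoso.com

# Extensions that can run code when opened. Kept in one place so the transport
# rule and the malware policy stay in step with each other.
$executableTypes = @(
    "ade","adp","ani","bas","bat","chm","cmd","com","cpl","crt","hlp","ht","hta",
    "inf","ins","isp","job","js","jse","lnk","mda","mdb","mde","mdz","msc","msi",
    "msp","mst","pcd","reg","scr","sct","shs","url","vb","vbe","vbs","wsc","wsf",
    "wsh","exe","pif","iso","img","vhd"
)
$macroTypes = @("dotm","docm","xlsm","xltm","xla","xlam","xll","pptm","potm","ppam","ppsm","sldm")

# Rule 1: reject anything carrying an executable attachment and tell the sender why.
New-TransportRule -Name "Block executable attachments" `
    -AttachmentExtensionMatchesWords $executableTypes `
    -RejectMessageReasonText "This message was blocked: it contains an attachment type that can run code." `
    -RejectMessageEnhancedStatusCode "5.7.1" `
    -Mode Enforce -Priority 0 `
    -Comments "Step 4: ransomware attachment blocking"

# Rule 2: let macro-enabled documents through, but stamp the subject and body so
# the recipient pauses before enabling content. Audit mode first to gauge volume.
New-TransportRule -Name "Warn on macro-enabled Office attachments" `
    -AttachmentExtensionMatchesWords $macroTypes `
    -PrependSubject "[MACRO WARNING] " `
    -ApplyHtmlDisclaimerLocation Prepend `
    -ApplyHtmlDisclaimerText "<p style='color:red'>This message contains an Office file with macros. Do not enable content unless you expected it from this sender.</p>" `
    -ApplyHtmlDisclaimerFallbackAction Wrap `
    -Mode Audit -Priority 1

# Step 5: the common attachments filter in the default anti-malware policy
# blocks by file type regardless of what the scanner makes of the content.
Set-MalwareFilterPolicy -Identity Default -EnableFileFilter $true -FileTypes $executableTypes

# Verify what is now in force.
Get-TransportRule | Select-Object Name, State, Mode, Priority
(Get-MalwareFilterPolicy -Identity Default).FileTypes -join ", "
```

Leave the macro rule in Audit mode for a week and read the rule reports before enforcing it: if finance genuinely exchanges .xlsm workbooks with a supplier, you want to know that before the warning banner starts landing on every one of them.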

6. Set Up Office Message Encryption 

Office Message Encryption (OME) adds another layer of protection to messages you send both inside and outside the organisation. Only the addressed recipients can open a protected message, and with the Do Not Forward option they can't forward, print or copy it either, so a message that reaches the wrong person is far less likely to be passed around. It does not stop the person a mis-addressed message was sent to from reading it, so it complements, rather than replaces, care with recipients.

Staff can pick Encrypt or Do Not Forward from the message options in Outlook when they send an email, and you can apply the same protection automatically with a mail flow rule so it doesn't depend on anyone remembering. OME is built into Office 365, and recipients on Gmail, Yahoo and other email providers can open protected mail.
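Relying on each sender to click Encrypt is the weak link, so as an added example (not part of the original article) here is how to apply OME automatically with Exchange Online mail flow rules. "Encrypt" and "Do Not Forward" are the built-in OME template names; the domain, the HR address, the subject tags and the rule names are assumptions.

```powershell
# Added example (not from the original article): apply Office Message
# Encryption automatically with mail flow rules instead of relying on each
# sender to pick Encrypt. Domain, addresses, keywords and rule names are
# assumptions; "Encrypt" and "Do Not Forward" are the built-in OME templates.
Connect-ExchangeOnline -UserPrincipalName admin@contoso.com

# Precondition: Azure RMS must be switched on for the tenant, otherwise the
# rule is created but protection silently fails to apply.
$irm = Get-IRMConfiguration
if (-not $irm.AzureRMSLicensingEnabled) {
    Set-IRMConfiguration -AzureRMSLicensingEnabled $true
}
Test-IRMConfiguration -Sender alice@contoso.com   # look for OVERALL RESULT: PASS

# Confirm the templates the rules reference actually exist in this tenant.
Get-RMSTemplate | Select-Object Name, Description

# Rule A: anything leaving the organisation that the sender tagged in the
# subject is encrypted, so a third party who intercepts it can't read it and
# the recipient has to authenticate to open it.
New-TransportRule -Name "OME - encrypt tagged external mail" `
    -SentToScope NotInOrganization `
    -SubjectOrBodyContainsWords "[SECURE]","[ENCRYPT]" `
    -ApplyRightsProtectionTemplate "Encrypt" `
    -Mode Enforce -Priority 0

# Rule B: payroll mail from HR gets Do Not Forward, which blocks forwarding,
# printing and copying for every recipient, internal or external.
New-TransportRule -Name "OME - do not forward payroll mail" `
    -FromScope InOrganization `
    -From "hr@contoso.com" `
    -SubjectOrBodyContainsWords "payroll","payslip" `
    -ApplyRightsProtectionTemplate "Do Not Forward" `
    -Mode Enforce -Priority 1
```

Send a test message matching each rule to an external Gmail address and confirm the recipient sees the OME portal rather than the plaintext before you tell staff the rules are live.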

7. Don't Auto-Forward Emails 

Mailboxes are a soft spot for any organisation, particularly where staff are used to forwarding whatever lands in their inbox. An attacker who gets into a mailbox can add an inbox rule that silently auto-forwards every message to an outside address, giving them a running copy of your email, and can use the trusted mailbox to push malware or fraudulent requests to colleagues.

Start by making sure staff are not forwarding company mail to personal accounts on their own. Then turn off automatic forwarding to external addresses in the outbound spam policy, or add a mail flow rule that rejects auto-forwarded messages bound for external recipients. That way, even if an attacker does get in, the mailbox can't quietly leak data to them.
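As an added example, not part of the original article, this Exchange Online PowerShell script closes the auto-forward door tenant-wide, adds the mail flow rule described above as a second layer, and then hunts for forwarding that an attacker may already have set up. Tenant details are assumptions; the cmdlets, parameters and property names are the real ones.

```powershell
# Added example (not from the original article): shut the auto-forward door
# in Exchange Online and then hunt for forwarding that already exists. Tenant
# details are assumptions; cmdlets and parameters are the real ones.
Connect-ExchangeOnline -UserPrincipalName admin@contoso.com

# 1. Tenant-wide: stop automatic forwarding to external addresses outright.
#    This is the outbound spam policy switch and overrides per-mailbox settings.
Set-HostedOutboundSpamFilterPolicy -Identity Default -AutoForwardingMode Off

# 2. Belt and braces: a mail flow rule that rejects any auto-forwarded message
#    bound for an external recipient. The rejection goes back to the mailbox
#    owner, which surfaces an attacker's hidden rule to the person who can spot it.
New-TransportRule -Name "Block external auto-forwarding" `
    -FromScope InOrganization `
    -SentToScope NotInOrganization `
    -MessageTypeMatches AutoForward `
    -RejectMessageReasonText "Automatic forwarding to external addresses is not permitted. Contact IT if you think this is in error." `
    -Mode Enforce -Priority 0

# 3. Hunt: mailboxes with SMTP forwarding set at the mailbox level ...
Get-Mailbox -ResultSize Unlimited |
    Where-Object { $_.ForwardingSmtpAddress -or $_.ForwardingAddress } |
    Select-Object UserPrincipalName, ForwardingSmtpAddress, ForwardingAddress, DeliverToMailboxAndForward

# ... and inbox rules that forward or redirect, which is what an attacker
# usually creates after a successful phish. A rule that forwards and also
# deletes the message is the classic business-email-compromise pattern.
foreach ($mbx in Get-Mailbox -ResultSize Unlimited) {
    Get-InboxRule -Mailbox $mbx.UserPrincipalName |
        Where-Object { $_.ForwardTo -or $_.ForwardAsAttachmentTo -or $_.RedirectTo } |
        Select-Object @{ n = "Mailbox"; e = { $mbx.UserPrincipalName } },
                      Name, Enabled, ForwardTo, RedirectTo, DeleteMessage
}
```

The inbox-rule sweep is the part worth scheduling: the tenant switch stops future leaks, but it does nothing about a rule the attacker created last month that is also deleting the evidence.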

Your staff will routinely receive, share and send attachments such as spreadsheets and presentations, and it is very hard to tell by eye which ones are safe to open and which carry malware.

Some Office 365 plans include Advanced Threat Protection (now called Microsoft Defender for Office 365), which provides Safe Attachments: attachments are opened in a sandbox before delivery and malicious ones are blocked. It isn't on by default; you enable it by creating a Safe Attachments policy and a rule that says which recipients it covers, and from then on staff are far less likely to spread malicious software through attachments.

8. Defend Your Email From Phishing

You can configure anti-phishing protection in both Office 365 and Microsoft 365. An anti-phishing policy covers general phishing and, on Defender for Office 365 plans, impersonation: list your custom domain and the staff most likely to be impersonated (executives, finance) and messages that pretend to come from them are quarantined or moved to junk instead of landing in the inbox. This detects and diverts impersonation attempts rather than stopping attackers sending them, so keep the training from step 3 in place too.
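As an added example, not part of the original article, here is an anti-phishing policy with user and domain impersonation protection created in Exchange Online PowerShell and scoped to everyone in the domain. The domain, the protected names and the threshold choice are assumptions; the cmdlets and parameters are the real Defender for Office 365 ones.

```powershell
# Added example (not from the original article): a Defender for Office 365
# anti-phishing policy that protects the organisation's own domain and a short
# list of executives from impersonation, scoped to all recipients in the domain.
# Domain, names and the threshold choice are assumptions.
Connect-ExchangeOnline -UserPrincipalName admin@contoso.com

# Users most worth impersonating: the people whose name on a payment request
# gets it approved. Format is "Display Name;address".
$vips = @(
    "Chief Executive;ceo@contoso.com",
    "Finance Manager;finance.manager@contoso.com"
)

New-AntiPhishPolicy -Name "Anti-phish - contoso.com" `
    -EnableTargetedUserProtection $true `
    -TargetedUsersToProtect $vips `
    -TargetedUserProtectionAction Quarantine `
    -EnableOrganizationDomainsProtection $true `
    -EnableTargetedDomainsProtection $true `
    -TargetedDomainsToProtect "contoso.com" `
    -TargetedDomainProtectionAction Quarantine `
    -EnableMailboxIntelligence $true `
    -EnableMailboxIntelligenceProtection $true `
    -MailboxIntelligenceProtectionAction MoveToJmf `
    -EnableSimilarUsersSafetyTips $true `
    -EnableSimilarDomainsSafetyTips $true `
    -EnableUnusualCharactersSafetyTips $true `
    -EnableSpoofIntelligence $true `
    -AuthenticationFailAction MoveToJmf `
    -PhishThresholdLevel 2

# A policy does nothing until a rule says who it applies to.
New-AntiPhishRule -Name "Anti-phish - contoso.com" `
    -AntiPhishPolicy "Anti-phish - contoso.com" `
    -RecipientDomainIs "contoso.com" `
    -Priority 0

# Check the effective settings; impersonation protection needs a Defender for
# Office 365 licence, so these values stay empty on plans that only have EOP.
Get-AntiPhishPolicy -Identity "Anti-phish - contoso.com" |
    Select-Object EnableTargetedUserProtection, TargetedUsersToProtect,
                  EnableTargetedDomainsProtection, TargetedDomainsToProtect, PhishThresholdLevel
```

Quarantine is the right action for impersonation of your own executives and domain (a genuine message will almost never trip it), while junk-folder delivery for mailbox-intelligence and authentication failures keeps the false-positive cost low while you tune.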

9. Upgrade from Office 365 to Microsoft 365

Office 365 has many security features built in, but Microsoft 365 has even more. The key difference between the two is the inclusion of Microsoft Enterprise Mobility + Security (EMS), a suite of identity, device and information-protection features.

For example, ATP Safe Links (now Defender for Office 365 Safe Links) is included as standard in the Microsoft 365 plans. Once enabled, it rewrites web links in emails and Office documents and checks each one at the moment it is clicked, so a link that was clean on delivery but later turned malicious is still blocked, and staff are far less likely to end up on a malicious site that steals their credentials or infects their device.
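Both Safe Attachments (mentioned under step 7) and Safe Links above are switched on the same way: a policy that says what to do, plus a rule that says who it applies to. As an added example, not part of the original article, here is the Exchange Online PowerShell to enable both for every recipient in the domain. The domain, the security mailbox and the policy names are assumptions; the cmdlets and parameters are the real Defender for Office 365 ones.

```powershell
# Added example (not from the original article): turn on Defender for Office
# 365 (formerly ATP) Safe Attachments and Safe Links with Exchange Online
# PowerShell. Each feature is a policy plus a rule that scopes it; a policy
# with no rule does nothing. Domain, addresses and names are assumptions.
Connect-ExchangeOnline -UserPrincipalName admin@contoso.com

# Safe Attachments: detonate attachments in a sandbox before delivery.
# Block drops the message if the attachment is malicious; Redirect sends a copy
# of blocked mail to a security mailbox for triage.
New-SafeAttachmentPolicy -Name "Safe Attachments - all users" `
    -Enable $true `
    -Action Block `
    -Redirect $true `
    -RedirectAddress "secops@contoso.com"
New-SafeAttachmentRule -Name "Safe Attachments - all users" `
    -SafeAttachmentPolicy "Safe Attachments - all users" `
    -RecipientDomainIs "contoso.com" `
    -Priority 0

# Safe Links: rewrite URLs and check them at click time in mail and Office apps,
# including mail between colleagues, since a compromised internal mailbox is a
# common source of malicious links.
New-SafeLinksPolicy -Name "Safe Links - all users" `
    -EnableSafeLinksForEmail $true `
    -EnableSafeLinksForOffice $true `
    -ScanUrls $true `
    -DeliverMessageAfterScan $true `
    -EnableForInternalSenders $true
New-SafeLinksRule -Name "Safe Links - all users" `
    -SafeLinksPolicy "Safe Links - all users" `
    -RecipientDomainIs "contoso.com" `
    -Priority 0

# Confirm both rules are enabled and scoped as intended.
Get-SafeAttachmentRule | Select-Object Name, State, RecipientDomainIs
Get-SafeLinksRule | Select-Object Name, State, RecipientDomainIs
```

Neither policy does anything on a plan without a Defender for Office 365 licence; the cmdlets will simply fail, which is a quick way to confirm what your subscription actually includes.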

To learn more about improving your security posture, the Australian Cyber Security Centre's Essential Eight framework is a great place to start.






When not looking at ways to use technology to create a competitive advantage for his clients and build better businesses, Ben is a husband, busy father of boys, avid gardener, and keen runner and cyclist.
