
Five ways to secure Office 365

Office 365 is a popular cloud-based productivity suite that offers various applications and services for businesses. However, as with any online service, Office 365 also faces security risks and challenges. Here are some best practices to secure Office 365 and protect your data from hackers and cyberattacks.


1. Enable multi-factor authentication (MFA)

MFA, also known as two-step verification, is a security feature that requires users to provide more than one piece of information to verify their identity when signing in to Office 365. For example, after entering your password, you may also need to enter a code sent to your phone or use an app like Microsoft Authenticator. MFA adds an extra layer of protection to your account and makes it harder for attackers to access your data.

You can enable MFA for all users and admins in Office 365 by using security defaults or conditional access policies. Security defaults are preconfigured settings that apply MFA to all users and block legacy authentication protocols that do not support MFA. Conditional access policies allow you to customise MFA requirements based on user groups, locations, devices, apps, and risk levels.

To enable security defaults, go to the Azure Active Directory admin center, select Azure Active Directory, select Properties, and select Manage security defaults. To enable conditional access policies, go to the Azure Active Directory admin center, select Security, select Conditional Access, and create a new policy.
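Once conditional access policies are in place, it is worth confirming that together they give the same baseline security defaults would: MFA for everyone and legacy authentication blocked. The following is an added example, not code from the original article or from Microsoft. It audits policies in the shape Microsoft Graph returns for conditional access policy objects; the sample policies, their names and the placeholder account id are constructed.

```python
# Graph clientAppTypes values that denote legacy authentication clients
LEGACY_CLIENTS = {"exchangeActiveSync", "other"}

def applies_to_everyone(policy):
    # Enabled (not report-only) and scoped to all users and all cloud apps
    cond = policy["conditions"]
    return (policy["state"] == "enabled"
            and "All" in cond["users"].get("includeUsers", [])
            and "All" in cond["applications"].get("includeApplications", []))

def enforces_mfa(policy):
    grant = policy.get("grantControls") or {}
    controls = grant.get("builtInControls", [])
    # With operator OR, MFA is only guaranteed when it is the sole control.
    guaranteed = grant.get("operator") == "AND" or len(controls) == 1
    return applies_to_everyone(policy) and "mfa" in controls and guaranteed

def blocks_legacy_auth(policy):
    grant = policy.get("grantControls") or {}
    clients = set(policy["conditions"].get("clientAppTypes", []))
    return (applies_to_everyone(policy) and LEGACY_CLIENTS <= clients
            and "block" in grant.get("builtInControls", []))

def audit(policies):
    findings = []
    mfa_policies = [p for p in policies if enforces_mfa(p)]
    if not mfa_policies:
        findings.append("no enforced policy requires MFA for all users and apps")
    for p in mfa_policies:
        excluded = p["conditions"]["users"].get("excludeUsers", [])
        if excluded:  # exclusions (e.g. emergency access) should be few and known
            findings.append(f"{p['displayName']}: {len(excluded)} excluded user(s) to review")
    if not any(blocks_legacy_auth(p) for p in policies):
        findings.append("legacy authentication is not blocked")
    findings += [f"{p['displayName']}: report-only, not enforced" for p in policies
                 if p["state"] == "enabledForReportingButNotEnforced"]
    return findings

# Constructed sample policies (not from a real tenant)
SAMPLE = [
    {"displayName": "Require MFA for all users", "state": "enabled",
     "conditions": {"users": {"includeUsers": ["All"], "excludeUsers": ["<emergency-account-id>"]},
                    "applications": {"includeApplications": ["All"]}, "clientAppTypes": ["all"]},
     "grantControls": {"operator": "OR", "builtInControls": ["mfa"]}},
    {"displayName": "Block legacy authentication", "state": "enabledForReportingButNotEnforced",
     "conditions": {"users": {"includeUsers": ["All"]},
                    "applications": {"includeApplications": ["All"]},
                    "clientAppTypes": ["exchangeActiveSync", "other"]},
     "grantControls": {"operator": "OR", "builtInControls": ["block"]}},
]
print("\n".join(audit(SAMPLE)))
```

On the sample, the audit reports the excluded account for review and flags that the legacy authentication block is still in report-only mode, so legacy protocols are not actually blocked.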

2. Use a dedicated admin account

Admin accounts have high-level privileges and permissions that can access and modify sensitive data and settings in Office 365. Therefore, it is important to protect your admin accounts from unauthorised or malicious use. One way to do this is to use a dedicated admin account that is separate from your regular user account.

A dedicated admin account is an account that you only use for administrative tasks and not for daily work or personal activities. This way, you can reduce the exposure of your admin credentials and limit the impact of a potential compromise. You should also create an emergency access admin account that you can use in case your primary admin account is locked out or compromised.

To create a dedicated admin account, go to the Microsoft 365 admin center, select Users, select Active Users, and select Add a user. Fill in the user details and assign the appropriate admin role. To create an emergency access admin account, follow the same steps but assign the Global administrator role and enable password reset.

3. Use preset security policies to protect email and collaboration content

Office 365 provides various preset security policies that help you protect your email and collaboration content from spam, malware, phishing, spoofing, impersonation, and other threats. These policies include:

– Anti-spam policy: This policy filters out unwanted and unsolicited email messages from your inbox.

– Anti-malware policy: This policy scans incoming and outgoing email messages for malicious software and attachments.

– Anti-phishing policy: This policy detects and blocks email messages that try to trick you into revealing personal or financial information or clicking on malicious links or attachments.

– Spoof intelligence: This feature identifies email messages that use a forged sender address or domain name to impersonate someone you trust.

– Impersonation settings: These settings allow you to specify users or domains that are likely targets of impersonation attacks and apply additional protection to them.

– Safe Links: This feature checks the links in email messages and Office documents for malicious content and redirects you to a warning page if the link is unsafe.

– Safe Attachments: This feature scans the attachments in email messages and Office documents for malicious content and blocks them if they are unsafe.

To review and apply these preset security policies, go to the Microsoft 365 admin center, select Security & Compliance Center, select Threat Management, and select Policy.


4. Protect all devices, including personal and company devices

Office 365 allows you to access your data from any device, such as computers, tablets, and phones. However, this also means that your data can be exposed or compromised if your device is lost, stolen, or infected by malware. Therefore, it is essential to protect all devices that you use to access Office 365, whether they are personal or company-owned.

Some of the ways you can protect your devices are:

– Install Microsoft 365 Apps (Word, Excel, PowerPoint, etc.) on your devices to get the latest security updates and features.

– Upgrade your Windows devices to Windows 10 or 11 Pro from Windows 7 Pro, Windows 8 Pro, or Windows 8.1 Pro to get enhanced security capabilities.

– Enable advanced threat protection for your devices using Microsoft Defender for Endpoint or Microsoft Intune.

– Encrypt your devices using BitLocker or FileVault to prevent unauthorised access to your data if your device is lost or stolen.

– Use strong passwords or biometric authentication (such as fingerprint or face recognition) to lock your devices and prevent unauthorised access.

– Enable remote wipe or device lock to erase or lock your device if it is lost or stolen.

To manage and protect your devices, go to the Microsoft 365 admin center, select Devices, and select Endpoint Manager.

5. Train everyone on email best practices

Email is one of the most common ways that hackers and cybercriminals use to target Office 365 users. They may send you phishing emails that try to trick you into revealing your credentials, clicking on malicious links or attachments, or transferring money. They may also send you spoofing or impersonation emails that pretend to be from someone you trust, such as your boss, colleague, or partner.

To protect yourself and your organisation from these email attacks, you should follow some email best practices, such as:

– Do not open or reply to suspicious or unexpected email messages.

– Do not click on links or attachments that you do not recognise or trust.

– Do not provide your personal or financial information in an email message or on a website that you are not sure about.

– Do not use the same password for multiple accounts or services.

– Do not forward sensitive or confidential information to external recipients without proper authorisation.

– Do check the sender’s address and domain name for typos or inconsistencies.

– Do verify the identity and authenticity of the sender by calling them or using another communication channel.

– Do report any suspicious or malicious email messages to your IT department or security team.
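The sender checks in the list above can also be automated as a mail-handling aid for a security team. The following is an added example, not code from the original article: it flags a From domain that is a near miss of a trusted domain and a Reply-To that points somewhere else. The trusted domain, the distance threshold of 2 and both messages are constructed assumptions.

```python
from email import message_from_string
from email.utils import parseaddr

# Assumption: domains the organisation treats as genuine senders.
TRUSTED_DOMAINS = {"acme.example"}

def edit_distance(a, b):
    """Levenshtein distance, computed one row at a time."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def domain_of(header_value):
    # parseaddr strips the display name; a missing header yields ""
    address = parseaddr(header_value or "")[1]
    return address.rpartition("@")[2].lower()

def sender_warnings(raw_message):
    msg = message_from_string(raw_message)
    from_dom, reply_dom = domain_of(msg["From"]), domain_of(msg["Reply-To"])
    warnings = []
    if from_dom not in TRUSTED_DOMAINS:
        for trusted in sorted(TRUSTED_DOMAINS):
            # Close to a trusted domain but not equal to it: likely a lookalike
            if edit_distance(from_dom, trusted) <= 2:
                warnings.append(f"sender domain {from_dom} resembles {trusted}")
    if reply_dom and reply_dom != from_dom:
        warnings.append(f"replies go to {reply_dom}, not {from_dom}")
    return warnings

# Constructed messages
SUSPICIOUS = ('From: "Accounts Payable" <billing@acrne.example>\n'
              "Reply-To: payments@mailbox.invalid\n"
              "Subject: Updated bank details\n\nPlease use the new account.\n")
GENUINE = "From: Colleague <colleague@acme.example>\nSubject: Lunch\n\nNoon?\n"

if __name__ == "__main__":
    print(sender_warnings(SUSPICIOUS))
    print(sender_warnings(GENUINE))
```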

Need assistance? Please reach out or schedule a call with one of our awesome team.

by Scott Malpass

Scott is an outgoing entrepreneur with a passion for making a difference. He is the owner and CEO of two companies - Aquafruit Media and Simple Shift digital. He currently consults with The Australian Government in technical/business roles and has been active in the I.T. industry for more than 20 years. His approach to problem-solving is often outside of the box but backed up with sound industry practice and an outstanding work ethic. His motto is simple. "Life is short- make it count."