Five Tips for Securing Microsoft 365

The COVID-19 pandemic has pushed many companies to ask their employees to work from home, a trend that is likely to stick around long after the pandemic. As more offices go remote, companies are turning to online tools to help their teams stay connected and productive, and Microsoft 365 consistently emerges as one of the top choices. 

Many teams are understandably focused on baseline necessities right now, like implementing solutions and practices to stay connected, collaborative, and productive from remote offices. But we can’t neglect the nefarious elephant in the room: cyberthreats. Amidst the pandemic, coronavirus-themed cyberattacks are on the rise, taking advantage of stressed and exposed teams. (A report shows that “highly stressed” verticals experience 11 times the number of incidents amidst recent shelter-in-place restrictions!) While Microsoft does offer robust, built-in security tools, you do need to know how to properly configure these measures for your unique business.

To help your company stay secure, we're sharing our top five tips for securing your Microsoft 365 instance. Many tips you can implement yourself, but, if you need help with custom configurations or employee training, you can always reach out to N8 Solutions for quick and expert assistance.

1. Set Strong Passwords and Configure Multi-Factor Authentication (No More “123456”)

It’s the kind of statistic that is both shocking and yet not all that surprising: 80% of hacking-related breaches are still tied to passwords. Hackers often target passwords as an entry point, especially those tied to privileged access, as it can provide multiple attack vectors from just one password. 

(For some techie levity, check out Security Magazine’s roundup of the worst password offenses from last year, including dingers like “123456” (holding tight in the number one spot, unchanged from 2018), “qwerty”, “iloveyou”, and “111111”.)

Bottom line: Poor password management can put your operations at risk. Beyond just bad passwords (like “password”, at the number four spot), re-using old passwords, not changing passwords frequently enough, or sharing passwords across multiple sites, both professional and personal, can all put your business at risk. On top of this, you need to equip not just your employees with proper password management practices but also any third-party providers that need access to your systems and information, especially as it pertains to privileged access or comprehensive authentication.

An early step with Microsoft 365 is to set a strong password for admins and users. There are plenty of tips and best practices available, and we’d be happy to provide more details on what makes a strong password. The second step is to set up multi-factor authentication, or MFA, a simple yet highly effective way to boost security. With MFA, users will be required to enter a second form of identification, often by typing a provided code from their mobile phone. MFA can prevent hackers from taking over, even if they know your password. Microsoft offers helpful instructions on how your business can configure MFA; doing so will prompt users to set this up on their phone for the next time they log in. 

2. Mal-Where?

Related to passwords is the threat of malware (which includes viruses, spyware, and ransomware); often, hackers will use phishing attacks to gain access to privileged credentials, like passwords. For your business, malware and ransomware attacks can result in the theft or seizure of your most sensitive or critical information and data, which, in turn, can cost your business time, money, and loss of reputation. 

Knowing this, Microsoft 365 already has some protections against malware in place. If your business uses Microsoft Exchange Online (or has mailboxes in the standalone Exchange Online Protection), your messages are automatically protected against malware. Microsoft offers multi-layered protection to catch known malware that travels in or out of your business, including scan engines, real-time threat response, and partnerships with anti-malware developers to ensure the latest in malware definitions and patches, often before these remedies are even publicly released. 

However, you can also implement additional protections in Microsoft 365, such as configuring your email to block attachments with file types commonly used for malware or setting up warnings to users before opening attachments with macros. There’s a short training video available as well as further step-by-step instructions.
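The two extra protections described above, written as Exchange Online PowerShell. This is an added example, not from the original post or from Microsoft; the admin account, the file-type list and the rule name are constructed placeholders.

```powershell
# Added example. Assumes the ExchangeOnlineManagement module is installed
# and the account (placeholder) holds an Exchange administrator role.
Connect-ExchangeOnline -UserPrincipalName 'admin@contoso.example'

# 1. Common attachment filter on the default anti-malware policy.
#    -FileTypes replaces the entire list, so merge with what is already there
#    instead of overwriting it.
$policy = Get-MalwareFilterPolicy -Identity 'Default'
$extra  = 'exe', 'scr', 'vbs', 'js', 'jar', 'reg', 'iso', 'img'   # constructed sample list
$merged = (@($policy.FileTypes) + $extra) | Where-Object { $_ } | Sort-Object -Unique

Set-MalwareFilterPolicy -Identity 'Default' -EnableFileFilter $true -FileTypes $merged

# 2. Mail flow rule that prepends a warning to messages carrying
#    macro-enabled Office attachments.
$ruleName   = 'Warn on macro-enabled attachments'               # hypothetical name
$macroTypes = 'dotm', 'docm', 'xlsm', 'sltm', 'xla', 'xlam', 'xll',
              'pptm', 'potm', 'ppam', 'ppsm', 'sldm'
$warning    = '<p><b>Caution:</b> this message has an attachment that can ' +
              'contain macros. Do not enable macros unless you expected the file.</p>'

# Create the rule only if it does not exist yet, so the script can be re-run.
if (-not (Get-TransportRule -Identity $ruleName -ErrorAction SilentlyContinue)) {
    New-TransportRule -Name $ruleName `
        -AttachmentExtensionMatchesWords $macroTypes `
        -ApplyHtmlDisclaimerLocation Prepend `
        -ApplyHtmlDisclaimerText $warning `
        -ApplyHtmlDisclaimerFallbackAction Wrap
}

# 3. Read the settings back to confirm what is actually in effect.
Get-MalwareFilterPolicy -Identity 'Default' | Format-List Name, EnableFileFilter, FileTypes
Get-TransportRule -Identity $ruleName | Format-List Name, State, Mode, Priority
```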

3. Use Message Encryption

Another benefit of Microsoft 365 is that message encryption is already set up, allowing your users to send and receive encrypted messages for an additional layer of security. Encrypted messages will appear in inboxes just like any other email (though depending on what version of Outlook or Microsoft 365 you have, some users may receive an alert about these permissions that has to be opened before reading the message).

Your technology team can further define the rules for encryption, such as encrypting messages with certain criteria like specific keywords or phrases. Admins can also apply a variety of rules for other messages that don’t meet these criteria or pre-defined rules.
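A keyword-based encryption rule of the kind described above, as Exchange Online PowerShell. This is an added example, not from the original post; the admin account, keyword list and rule name are constructed placeholders, and it assumes the tenant is licensed for Microsoft 365 message encryption.

```powershell
# Added example. Assumes the ExchangeOnlineManagement module and an
# Exchange administrator account (placeholder below).
Connect-ExchangeOnline -UserPrincipalName 'admin@contoso.example'

# Encryption rules depend on Azure RMS licensing being enabled for the tenant.
# Stop early with a clear message rather than creating a rule that cannot apply.
$irm = Get-IRMConfiguration
if (-not $irm.AzureRMSLicensingEnabled) {
    throw 'Azure RMS licensing is not enabled; encryption rules will not work yet.'
}

# List the rights-protection templates a rule can reference.
Get-RMSTemplate | Format-Table Name

# Encrypt outbound mail whose subject or body contains any of these phrases.
$ruleName = 'Encrypt outbound mail on keyword'                    # hypothetical name
$keywords = 'confidential', 'account number', '[encrypt]'         # constructed list

if (-not (Get-TransportRule -Identity $ruleName -ErrorAction SilentlyContinue)) {
    New-TransportRule -Name $ruleName `
        -SentToScope NotInOrganization `
        -SubjectOrBodyContainsWords $keywords `
        -ApplyRightsProtectionTemplate 'Encrypt'
}

# Confirm the rule is enabled and see where it sits in the evaluation order;
# a higher-priority rule that stops processing would prevent it from running.
Get-TransportRule -Identity $ruleName | Format-List Name, State, Mode, Priority
```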

While Microsoft 365 makes message encryption seamless and easy, you will still need to train users on how it works – and why it’s important. After all, your technology is only as secure as your people are. Arm your staff as your front line of defense with up-to-date training and resources. Microsoft shares a helpful resource for this, and, at N8 Solutions, we’re also adept at delivering customized training and materials to engage and empower your team to take responsibility for better data security practices.

4. Protect Against Phishing Attacks

Another startling statistic: More than 70 percent of targeted attacks against businesses involve a spear-phishing attack.  

Phishing attacks pose a serious threat to your business, especially since these attacks are continually evolving. To thwart this, your team can configure targeted anti-phishing protection against impersonation-based attacks within Microsoft 365 as part of its Advanced Threat Protection, or ATP. To begin, create a policy that protects your most important users and custom domains. Then, you can leverage the ATP Safe Links to protect your entire firm through time-of-click verification on web addresses in emails and documents. 
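The two steps above (an impersonation policy for key users and domains, then Safe Links for everyone) as Exchange Online PowerShell. This is an added example, not from the original post; all names, addresses and domains are constructed placeholders, and it assumes the tenant is licensed for the ATP features the post refers to.

```powershell
# Added example. Assumes the ExchangeOnlineManagement module and an
# administrator account (placeholder below).
Connect-ExchangeOnline -UserPrincipalName 'admin@contoso.example'

$orgDomain = 'contoso.example'                      # placeholder accepted domain

# 1. Anti-phishing policy: impersonation protection for named users,
#    the organization's own domains, and one custom (partner) domain.
$phishName = 'Protect key users and domains'        # hypothetical name
$keyUsers  = 'Alex Example;alex@contoso.example',   # format: DisplayName;Email
             'Sam Example;sam@contoso.example'

New-AntiPhishPolicy -Name $phishName `
    -EnableTargetedUserProtection $true `
    -TargetedUsersToProtect $keyUsers `
    -TargetedUserProtectionAction Quarantine `
    -EnableOrganizationDomainsProtection $true `
    -EnableTargetedDomainsProtection $true `
    -TargetedDomainsToProtect 'partner.example' `
    -TargetedDomainProtectionAction Quarantine `
    -EnableMailboxIntelligence $true

# A policy does nothing until a rule says which recipients it covers.
New-AntiPhishRule -Name $phishName -AntiPhishPolicy $phishName `
    -RecipientDomainIs $orgDomain

# 2. Safe Links: rewrite and check URLs at time of click, for all recipients.
$linksName = 'Safe Links for all users'             # hypothetical name

New-SafeLinksPolicy -Name $linksName `
    -EnableSafeLinksForEmail $true `
    -EnableSafeLinksForOffice $true `
    -ScanUrls $true `
    -DeliverMessageAfterScan $true `
    -EnableForInternalSenders $true `
    -TrackClicks $true `
    -AllowClickThrough $false    # users cannot bypass the block page

New-SafeLinksRule -Name $linksName -SafeLinksPolicy $linksName `
    -RecipientDomainIs $orgDomain

# 3. Read back what is in effect.
Get-AntiPhishRule -Identity $phishName | Format-List Name, State, Priority
Get-SafeLinksRule -Identity $linksName | Format-List Name, State, Priority
```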

5. Focus on your People

In summary, you can configure your Microsoft 365 instance to be as secure as possible. Just remember what we stated above – you are only as secure as your users. When it comes to protecting your operations, cybersecurity is everyone's responsibility. Even if intentions are good, a whopping 98 percent of incidents are caused by human error, not theft or cyberattacks. Often, this is the simple result of a lack of understanding. 

Invest in baseline training and resources for your team on the basics of cybersecurity, such as how to spot a phishing email. You might want to put together a basic curriculum on topics ranging from the landscape of threats that exist today, examples of common phishing attacks, best practices to prevent email intrusion, and what to do should something go wrong. And be sure to make the training continual as cyberthreats are continually evolving. For more, please see this earlier post on employee cybersecurity training tips.

Amidst the COVID-19 pandemic, it’s unclear when workplaces will return to “normal”, or what that even looks like. Even after it becomes safe to return to offices, many businesses will make a strategic decision to retain all or some of the work from home measures for cost savings, employee experience, and productivity. There also remains the potential for future disruptions, like a resurgence in coronavirus cases or natural disasters like fire or flood. Each scenario could once again push teams to rapidly transform operations to remote environments. Businesses that invest now in secure collaboration platforms, like Microsoft 365, are likely to weather the storm better than those that insist on business as usual.

At N8 Solutions, we’re here to help you navigate the current and future “normal”, whatever that may be. Please get in touch with us today to talk about configuring Microsoft 365 for robust protection against evolving threats as well as questions about employee education, IT consulting, and workplace transformation.