Securing Office 365
When companies move to Office365 they are often told that they are moving to a service that is always up-to-date and a much more secure environment then their on-premise solution. However, while this is true to some degree a number of recommended security settings are NOT configured by default in Office365.
In fact, a recent report by the Cybersecurity and Infrastructure Security Agency (CISA), a federal department within US homeland security, found that many so called Office365 partners and “experts” had either not enabled recommended security settings or just misconfigured the configuration when setting up the service.
These omissions resulted in a lower than expected security posture and put users of Office 365 at risk of security breaches.
The UK governments National Cyber Security Centre (NCSC) have also expressed their concern regarding the default setup of Office365 and have published an advisory detailing how to protect Office 365 accounts against credential stealing attacks.
To their credit Microsoft have responded, publishing a guide on how to secure your Office365 in order to meet these government guidelines. The guide, endorsed by the NCSC, provides recommendations such as, increasing auditing, enabling MFA, disabling legacy protocols etc…
At PureNetworking, everyday we see Office365 environments that haven’t been setup insecurely. We strongly recommend that all businesses aim to implement the recommendations within Microsoft’s report. Even if you believe your setup was initially setup securely, cloud products change and develop all the time and a review against best practice should be done periodically.
If you want a review of your Office365 environment or help improving the security of your business then please do contact us for a informal chat