29% of its customers had their Microsoft 365 accounts breached by hackers.
If you’re a Microsoft 365 business user, then a good deal of your data is going to be stored in the platform, and “out of the box” security is not going to be enough to protect it. For business network systems to run effectively and securely in the cloud, they need to be properly customized.
Customizations to Secure Your Microsoft 365 Account
Here are several ways you can easily increase the security of your Microsoft 365 business account to prevent account breaches and malware infections.
Use Dedicated Admin Accounts
Rather than granting a user's everyday account admin privileges, give each administrator a separate "admin only" account that is not used for email, app use, or any other Microsoft 365 activity besides account administration, and sign in to it only when admin work is actually needed.
This limits how exposed the admin credentials are to phishing and malware, because the admin account never opens mail or documents, and it keeps the number of accounts with global admin rights small (Microsoft's guidance is two to four global admins: enough that you are never locked out, few enough to review). Do not share a single admin account between several people: a shared password cannot be tied to a person in the audit log, is awkward to rotate when someone leaves, and defeats per-user MFA. If four employees act as Microsoft 365 admins, that means four dedicated admin accounts, each protected by MFA, rather than four everyday accounts carrying elevated privileges.
Turn On Multi-Factor Authentication (MFA) for All Users
A majority of cloud account breaches happen due to hacked or stolen login credentials. You can significantly reduce the risk of your accounts being taken over by turning on MFA for all your users.
Microsoft has reported that an account with MFA enabled is more than 99.9% less likely to be compromised. That figure mainly reflects automated password-spray and credential-stuffing attacks; a targeted phishing kit that relays the second factor in real time can still get past weaker methods, so prefer the Microsoft Authenticator app (push notification with number matching) or a FIDO2 security key over SMS codes.
Once MFA is enforced, each user is prompted at their next sign-in to register a second factor (the Authenticator app, a phone number, or a hardware key). From then on, a sign-in to Microsoft 365 services requires both the password and that second factor. The simplest way to enforce it for every user in a small tenant is to turn on Security Defaults in Microsoft Entra ID; tenants with Microsoft Entra ID P1 (included in Microsoft 365 Business Premium) can use Conditional Access policies instead for finer control over when the prompt appears.
Add Anti-Phishing Protections
Phishing emails are the main delivery method for all types of cyberattacks, from credential theft to ransomware. You can strengthen the anti-phishing protection for your email in Microsoft 365 by doing two things. Both are done by setting up rules in the mail flow category of the Exchange admin center.
Create a warning message for your users when an email carries an attachment that is an Office document with macros. Let them know to be careful, because macros can hold malicious code inside seemingly innocent file types like a Word document. Set this up for the following file extensions: dotm, docm, xlsm, xltm, xla, xlam, xll, pptm, potm, ppam, ppsm, sldm. Note that the rule matches on the file extension only, so a renamed file is not caught; treat it as a user-awareness measure rather than a hard control.
Block executable and script file types, which are commonly used to deliver malware, from reaching user inboxes. You'll do this through a blocking rule for the following file extensions: ade, adp, ani, bas, bat, chm, cmd, com, cpl, crt, hlp, ht, hta, inf, ins, isp, job, js, jse, lnk, mda, mdb, mde, mdz, msc, msi, msp, mst, pcd, reg, scr, sct, shs, url, vb, vbe, vbs, wsc, wsf, wsh, exe, pif
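The same two mail flow rules can be created from Exchange Online PowerShell, which is easier to review and repeat than clicking through the admin center. The script below is an added example, not part of the original article or Microsoft's own documentation. It assumes the ExchangeOnlineManagement module is installed and that the signed-in account holds an Exchange administrator role; the rule names, the warning text and the reject text are my own choices.

```powershell
# Added example: create the macro-warning rule and the attachment-blocking rule
# described above. Assumes ExchangeOnlineManagement is installed and the caller
# is an Exchange admin. Rule names and wording are placeholders you can change.
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline

# Macro-enabled Office formats: deliver the message, but prepend a warning.
$macroExtensions = @('dotm','docm','xlsm','xltm','xla','xlam','xll',
                     'pptm','potm','ppam','ppsm','sldm')

$warnRule = @{
    Name                             = 'Warn: macro-enabled Office attachment'
    AttachmentExtensionMatchesWords  = $macroExtensions
    ApplyHtmlDisclaimerLocation      = 'Prepend'
    ApplyHtmlDisclaimerText          = '<p style="color:red"><b>Caution:</b> this message contains a macro-enabled Office file. Macros can run malicious code. Do not enable content unless you expected this file from this sender.</p>'
    ApplyHtmlDisclaimerFallbackAction = 'Wrap'   # if the body cannot be modified, wrap it in a new message
    Priority                         = 0
}
New-TransportRule @warnRule

# Executable and script formats: reject the message and tell the sender why.
$blockedExtensions = @('ade','adp','ani','bas','bat','chm','cmd','com','cpl','crt',
    'hlp','ht','hta','inf','ins','isp','job','js','jse','lnk','mda','mdb','mde',
    'mdz','msc','msi','msp','mst','pcd','reg','scr','sct','shs','url','vb','vbe',
    'vbs','wsc','wsf','wsh','exe','pif')

$blockRule = @{
    Name                            = 'Block: executable attachment types'
    AttachmentExtensionMatchesWords = $blockedExtensions
    RejectMessageReasonText         = 'Attachment type is not permitted by policy.'
    RejectMessageEnhancedStatusCode = '5.7.1'
    Priority                        = 1
}
New-TransportRule @blockRule

# Verify both rules exist and are enabled.
Get-TransportRule |
    Where-Object { $_.Name -like 'Warn:*' -or $_.Name -like 'Block:*' } |
    Format-Table Name, State, Priority
```

Both rules match on the attachment's file extension, so an attacker who renames `payload.exe` to `payload.txt` or ships it inside an archive is not stopped. For a content-based check, pair them with the common attachments filter in the anti-malware policy (`Set-MalwareFilterPolicy -EnableFileFilter $true -FileTypes ...`), which inspects the file type rather than the name.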
Use Safe Links in Microsoft 365 Business Premium
Microsoft 365 Business Premium includes Microsoft Defender for Office 365, which adds protections beyond the standard business plans. But again, these are not at their most secure settings by default; they have to be customized. Safe Links addresses a growing problem: most phishing emails now carry links to malicious sites rather than malware attachments, precisely to get past attachment scanning. Safe Links rewrites the URLs in incoming email (and, when enabled, in Teams and the Office apps) so that each click is checked against Microsoft's reputation data at the time of the click, not only at delivery; if the destination is malicious, the user lands on a warning page instead of the site. You can increase the protection this feature gives by doing the following:
In the Security & Compliance Center, choose Threat Management (in current tenants the same settings are in the Microsoft Defender portal at security.microsoft.com, under Email & collaboration > Policies & rules > Threat policies)
Select Safe Links
Update the existing policy under "Settings that apply to content except email"
Turn on "Office 365 applications" and "Do not let users click through safe links to the original URL". Leave click tracking on unless a privacy requirement forbids it: the click records are what let you find out who followed a phishing link during an incident, and Microsoft's Standard and Strict recommended settings both keep tracking enabled.
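The equivalent configuration in Exchange Online PowerShell, as an added example that is not part of the original article: a Safe Links policy carrying the settings above, plus the rule that scopes it to recipients (a policy on its own applies to nobody). It assumes Microsoft Defender for Office 365 (included in Business Premium), the ExchangeOnlineManagement module, and that `contoso.com` stands in for your own accepted domain; the policy name is a placeholder.

```powershell
# Added example: Safe Links policy with the settings discussed above.
# Assumes Defender for Office 365 is licensed and the caller is a security admin.
# "contoso.com" and the policy name are placeholders.
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline

$policyName = 'SafeLinks-Standard'   # hypothetical name

$policy = @{
    Name                     = $policyName
    EnableSafeLinksForEmail  = $true
    EnableSafeLinksForTeams  = $true
    EnableSafeLinksForOffice = $true    # the "Office 365 applications" setting
    ScanUrls                 = $true    # real-time URL scanning on delivery
    DeliverMessageAfterScan  = $true    # hold the message until scanning finishes
    EnableForInternalSenders = $true    # internal mail is phished too
    TrackClicks              = $true    # keep click data for investigations
    AllowClickThrough        = $false   # no click-through to the original URL
}
New-SafeLinksPolicy @policy

# The rule ties the policy to a set of recipients; without it nothing is protected.
$rule = @{
    Name              = "$policyName-rule"
    SafeLinksPolicy   = $policyName
    RecipientDomainIs = 'contoso.com'
    Priority          = 0
}
New-SafeLinksRule @rule

# Confirm the effective settings.
Get-SafeLinksPolicy -Identity $policyName |
    Format-List EnableSafeLinksForOffice, TrackClicks, AllowClickThrough, ScanUrls, DeliverMessageAfterScan
```

If several Safe Links policies exist, the one with the lowest priority number that matches the recipient wins, so check `Get-SafeLinksRule` for older rules that might shadow this one.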
Block the Ability for Email to be Auto-Forwarded Outside Your Domain
One common tactic used by hackers who have taken over a mailbox is to silently auto-forward the user's email to an address they control. This gives them an ongoing feed of sensitive company data, password reset emails, and more, long after the original login has been changed. You can block this capability organization-wide by doing the following:
Go to the Exchange admin center
Select “rules” under the “mail flow” category
Create a new rule
Select “More options” at the bottom
Set the conditions: the sender is inside the organization, the recipient is outside the organization, and the message type is Auto-forward; set the action to reject the message.
You can also add a rejection text to the rule so that whoever set up the forwarding sees that automatic external forwarding is prohibited. Remember that the rule only stops forwards that occur after it is created; also check existing mailboxes for forwarding addresses and inbox rules that were set up before it.
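The procedure above, carried out in Exchange Online PowerShell, as an added example that is not part of the original article. Beyond the mail flow rule, it turns off auto-forwarding at the outbound spam policy and the default remote domain so the control does not depend on a single rule, and then hunts for forwarding that is already configured, which is the check a responder wants after a suspected account takeover. It assumes the ExchangeOnlineManagement module and an Exchange administrator role; the rule name and reject text are my own.

```powershell
# Added example: block external auto-forwarding three ways, then audit for
# forwarding that is already in place. Assumes ExchangeOnlineManagement and an
# Exchange admin role. Rule name and reject text are placeholders.
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline

# 1. The mail flow rule from the steps above.
$rule = @{
    Name                            = 'Block external auto-forward'
    FromScope                       = 'InOrganization'
    SentToScope                     = 'NotInOrganization'
    MessageTypeMatches              = 'AutoForward'
    RejectMessageReasonText         = 'Automatic forwarding to external addresses is prohibited by policy.'
    RejectMessageEnhancedStatusCode = '5.7.1'
}
New-TransportRule @rule

# 2. Disable auto-forwarding in the outbound spam policy and for the default
#    remote domain as well, so a later change to the rule does not reopen the hole.
Set-HostedOutboundSpamFilterPolicy -Identity Default -AutoForwardingMode Off
Set-RemoteDomain -Identity Default -AutoForwardEnabled $false

# 3. A rule only affects future forwards. Look for forwarding already configured,
#    both at the mailbox level and in user inbox rules.
$mailboxes = Get-Mailbox -ResultSize Unlimited

# Mailbox-level forwarding (set by admins, or by an attacker with admin rights).
$mailboxes |
    Where-Object { $_.ForwardingSmtpAddress -or $_.ForwardingAddress } |
    Select-Object UserPrincipalName, ForwardingSmtpAddress, ForwardingAddress, DeliverToMailboxAndForward

# Inbox rules that forward or redirect (the usual post-compromise persistence).
foreach ($mbx in $mailboxes) {
    Get-InboxRule -Mailbox $mbx.UserPrincipalName |
        Where-Object { $_.ForwardTo -or $_.ForwardAsAttachmentTo -or $_.RedirectTo } |
        Select-Object @{ n = 'Mailbox'; e = { $mbx.UserPrincipalName } },
                      Name, Enabled, ForwardTo, ForwardAsAttachmentTo, RedirectTo
}
```

Any inbox rule in the audit output that forwards to an address outside your domains deserves a conversation with the mailbox owner before it is removed; a rule the user does not recognise is a strong sign the account was already compromised, and the sign-in logs for that account should be reviewed as part of the same investigation.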