Four simple tips to keep your Office 365 secure from breaches

Securing Office 365

We’ve been busy here at BSI recently, in particular looking after clients who have had data breaches. We have seen a big increase in the number of clients requesting our assistance after Office 365 compromises in the past 12 months. In some cases, weeks or months have gone by before the breach has been noticed. This means that over the course of this time the entire contents of the mailbox, including all inbound and outbound messages, could have been accessed, downloaded or read.

Depending on the compromised user, this can often mean very sensitive and personally identifiable information has been breached. Our forensic specialists and incident managers have put together four simple steps that can be taken which will minimize the risk of experiencing a breach.

Cloud applications offer great advantages and flexibility for businesses: IT staff are able to control and monitor their data from a centralized location and the business users can conveniently work remotely, easily share information with each other and have all the information they need at their fingertips.

These advantages are why IT departments are expected to spend 80% of their budgets on cloud solutions in 2018*. There is nothing to fear about the cloud: most of the functionality you need to ensure you are protected is built into the application and available to you from the start. However, these may not be the default settings. You might have to run checks to ensure that you are choosing the right security options that best suit your organization and to ensure your business users and their data are protected.

As technologies evolve so do the attacks. As organizations take on new applications and tools, this creates a new path for hackers to explore and make their way into organizations. There have been over 53,000 incidents reported so far this year*. Most attacks are financially motivated. But they look for easy money and easy access: they target the ill-prepared*. 

The following covers the bases that we have seen to be the most common avenues for a breach. Ultimately, it is important to understand how the business operates and what the users need to do; security will then need to be balanced with the needs of the business. Each of the tips outlined below can be tweaked to satisfy the majority of business needs.

1. Disable email forwarding to third party domains

The most common form of attack seen by BSI’s Incident Management team usually results in email traffic being forwarded to another address. This is always a third-party domain, usually a free service such as Gmail, Hotmail, Yahoo, etc. but sometimes another organization that has also been compromised. When an attacker puts an auto-forward in place, it can often go unseen for days, if not weeks or months, as users rarely examine these settings or notice their impact. During this time, the attacker receives and stores a copy of everything sent or received from the mailbox – naturally a privacy and security disaster!

O365 provides a simple way to prevent this from happening. A system administrator can easily disable the ability of any user to forward all emails to a third party domain. This means that such a bulk forward rule will be blocked by the Exchange server and no emails will leave your organization.

To do this, the simplest way is to create a remote domain rule. Create a new rule which covers the remote domain “*” and disable the option for “Allow automatic forwarding”. For more information on setting up remote domain rules click here.
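The audit and the block described in this tip, as an added example that is not part of the original article. It assumes the ExchangeOnlineManagement module, an Exchange administrator role, and the built-in remote domain named Default (which covers "*"); `Get-ExternalAddress` is a helper name chosen for this example.

```powershell
# Added example: run in Exchange Online PowerShell (ExchangeOnlineManagement module).
Connect-ExchangeOnline

# Domains the tenant owns; anything else counts as a third-party domain.
$accepted = (Get-AcceptedDomain).DomainName

# Helper name chosen for this example: extracts SMTP addresses from a
# forwarding value and returns those outside the accepted domains.
function Get-ExternalAddress {
    param([string[]]$Value)
    foreach ($v in $Value) {
        foreach ($m in [regex]::Matches($v, '(?i)smtp:([^\]\s"]+)@([^\]\s"]+)')) {
            if ($accepted -notcontains $m.Groups[2].Value) {
                '{0}@{1}' -f $m.Groups[1].Value, $m.Groups[2].Value
            }
        }
    }
}

$mailboxes = Get-Mailbox -ResultSize Unlimited
$findings = foreach ($mbx in $mailboxes) {
    # 1. Forwarding configured on the mailbox itself.
    foreach ($addr in Get-ExternalAddress $mbx.ForwardingSmtpAddress) {
        [pscustomobject]@{ Mailbox = $mbx.UserPrincipalName
                           Source  = 'Mailbox forwarding'
                           Target  = $addr }
    }
    # 2. Inbox rules that forward or redirect messages.
    foreach ($rule in Get-InboxRule -Mailbox $mbx.UserPrincipalName) {
        $targets = @($rule.ForwardTo) + @($rule.RedirectTo) + @($rule.ForwardAsAttachmentTo)
        foreach ($addr in Get-ExternalAddress $targets) {
            [pscustomobject]@{ Mailbox = $mbx.UserPrincipalName
                               Source  = "Inbox rule '$($rule.Name)'"
                               Target  = $addr }
        }
    }
}
$findings | Sort-Object Mailbox | Format-Table -AutoSize

# 3. Block automatic forwarding to every remote domain ("*"), then verify.
Set-RemoteDomain -Identity Default -AutoForwardEnabled $false
Get-RemoteDomain | Select-Object Name, DomainName, AutoForwardEnabled
```

Review the findings before relying on the block: disabling automatic forwarding stops the messages leaving, but it does not remove rules that are already in place on a mailbox.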


2. Enable multi-factor authentication

The single best control for protecting against phishing attacks is to enable multi-factor authentication. With proper multi-factor controls in place, a phishing attack resulting in breached passwords will still mean that the attacker has no access to your email systems.

There are many different options for the second factor, from text messages and smartphone apps to RSA token fobs and security keys. Consideration should be given to the value of the account you are protecting compared to the security you are employing. Security keys in particular are so secure that Google confirmed that not one of its 85,000+ employees has been compromised since it began requiring security keys as a second factor for login in 2017*.

Typically, attackers target senior board members and executives, members of the finance team or members of the IT team. These users should, therefore, have the tightest controls on their login methods. Ideally, multi-factor authentication should be enabled for all users, but where other considerations limit its rollout ensure you secure the most likely targeted members of your organization first.

For more information on multi-factor options for O365 please click here.


3. Conditional access for Office 365

Azure Active Directory, which is the mechanism that often manages logins for O365, has many options for restricting and further securing login attempts. Conditions are defined, and when certain rules are triggered a multi-factor authentication will be required, or indeed a request will be blocked outright. For example, rules could be created to allow direct login for requests from within your organization’s IP range, require multi-factor authentication for logins from your home country but not on your network, and block access to all logins from other countries. Different rules can be applied to different applications such as Exchange and SharePoint, and indeed the type and status of the connecting device.

Combining conditional access rules together with a multi-factor authentication regime can significantly improve your Office 365 security. For full details click here.
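The three-tier example above (direct login from the office range, multi-factor from the home country, block elsewhere) expressed as two policies, as an added example that is not part of the original article. It assumes the Microsoft Graph PowerShell SDK; the IP range, country code and excluded account are placeholders, the emergency-account exclusion is an assumption added here, and `New-ReportOnlyPolicy` is a helper name chosen for this example.

```powershell
# Added example: requires the Microsoft Graph PowerShell SDK.
Connect-MgGraph -Scopes 'Policy.Read.All', 'Policy.ReadWrite.ConditionalAccess'

# Placeholder values: substitute your own before running.
$officeCidr   = '203.0.113.0/24'   # documentation range, not a real office
$homeCountry  = 'IE'               # two-letter country code
$breakGlassId = '<object-id-of-emergency-access-account>'

# Named locations that the policies below refer to.
$office = New-MgIdentityConditionalAccessNamedLocation -BodyParameter @{
    '@odata.type' = '#microsoft.graph.ipNamedLocation'
    displayName   = 'Office egress range'
    isTrusted     = $true
    ipRanges      = @(@{ '@odata.type' = '#microsoft.graph.iPv4CidrRange'
                         cidrAddress   = $officeCidr })
}
$country = New-MgIdentityConditionalAccessNamedLocation -BodyParameter @{
    '@odata.type'                     = '#microsoft.graph.countryNamedLocation'
    displayName                       = 'Home country'
    countriesAndRegions               = @($homeCountry)
    includeUnknownCountriesAndRegions = $false
}

# Helper name chosen for this example. Policies are created in report-only
# mode so their effect shows up in the sign-in logs before anything is enforced.
function New-ReportOnlyPolicy {
    param([string]$Name, [string[]]$ExcludeLocations, [string]$Control)
    New-MgIdentityConditionalAccessPolicy -BodyParameter @{
        displayName   = $Name
        state         = 'enabledForReportingButNotEnforced'
        conditions    = @{
            users        = @{ includeUsers = @('All'); excludeUsers = @($breakGlassId) }
            applications = @{ includeApplications = @('Office365') }
            locations    = @{ includeLocations = @('All')
                              excludeLocations = $ExcludeLocations }
        }
        grantControls = @{ operator = 'OR'; builtInControls = @($Control) }
    }
}

# Everywhere except the office range must pass multi-factor authentication.
New-ReportOnlyPolicy 'O365: require MFA off the office network' @($office.Id) 'mfa'
# Everywhere except the office range and the home country is blocked.
New-ReportOnlyPolicy 'O365: block outside home country' @($office.Id, $country.Id) 'block'
```

Once the report-only results match expectations, changing `state` to `enabled` enforces the policies.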


4. End-user security awareness training

Most attacks originate at the end-user level. In fact, 90% of data breaches or hacks originate from phishing*. However, organizations are still hesitant to invest much in training employees to work securely online*. To system administrators out there: it’s vital you push for a dynamic, engaging, and measurable training programme for your staff. Attacks will always evolve, and staying ahead of the latest trends in security technology solutions can be a challenge. A well-versed workforce that knows the do’s and don’ts of web security can be the last line of defence for your organization.

BSI works with some very innovative software platforms that provide engaging, interactive training material. This is combined with the ability to test your users by creating mock phishing attacks and measuring their success. When these tests are paired with further training, clients always see a measurable decrease in users succumbing to the next test – which in turn protects your organization against the real thing.

Following our four tips above will help you keep your Office 365 secure from breaches but in the event that the worst happens, our team are here to help you!