Microsoft Office 365 Security Tips for Small Businesses

office 365 security illustration

Microsoft Office 365 Security Tips for Small Businesses

Microsoft Office 365 is one of the most used cloud-based systems worldwide, with over 70 million users and counting. But with all cloud-based systems, comes with a level of vulnerability. Office 365 security measures need to be considered to make sure your team is working safely.

By employing good simple Office 365 security methods, your company will be placed in a much better position from a cyber security point of view. As more and more staff members are working online and via cloud-based systems, it is important now more than ever to implement a good cyber security policy. By securing Office 365, you are helping to keep your data as safe as it can be online.

Below are some helpful Office 365 security tips and ways to keep your business secure.

Why Office 365 is a target

Firstly, why is Microsoft Office 365 a target for cyber crime? Well, being a highly popular cloud-based (and particularly email) application, Office 365 is a prime target for phishing attacks. Millions of user’s log-in to Office 365 everyday, which makes it easier for cyber criminals to hack into this one system. With so many people using the same system, the rewards for hackers can be just too tempting.

Back in 2016, Skyhigh Networks research reported that out of 600 enterprises and 27 million customers, 71% of corporate Office 365 users had at least one account compromised every month. As technology advances, so does the sophistication of phishing and other cyber attacks.

Every organisation is at risk of a security breach, but particularly small and medium sized enterprises (SME’s), who may have only limited security measures in place. Office 365 security measures may not be good enough, unless you pay extra for additional add-ons, such as the Advanced Threat Protection (ATP). This is available under the enterprise subscription or users can pay for each additional security measure separately. You can imagine this can become fairly costly, quickly.

For users wishing to add advanced cyber security measures for securing Office 365, hiring an expert firm to go through your individual needs could be a better option. Many businesses opt for managed security to help keep their customer and company data safe and secure.

person typing on keyboard

Microsoft Office 365 security tips

Secure passwords

Having strong passwords is essential. Instead of getting staff members to change their passwords regularly or using complex passwords such as ‘!$4763&-(37653@’, you should encourage the use of passphrases. Although complex passwords such as the previous example are strong, there is always the chance for a computer system to generate millions of random letter and number sequences. Although it is unlikely that these complex passwords will be hacked, it is likely however that these passwords will be written down or saved somewhere by the user.

A passphrase is a series of random words, such as ‘fool foil village gravy2’ is much harder for computers to guess, and much easier for users to remember.

Staff training

There is no point in having added security measures if your staff do not know how to use them. Staff should be aware of the most common cyber security threats, the best Office 365 security measures, how to create a strong password and how to use the systems security measures on their devices.

Securing Office 365 should include training how to spot phishing attacks, as these are commonly reported. If staff know the signs to look for when spotting a phishing attack, it is far less likely that they will click on a malicious email link.

Use Multi-Factor Authentication (MFA)

Using multi-factor authentication is one of the best Office 365 security measures you can initiate. Staff members will have to enter another form of login (usually a code sent to their phone), as well as their usual password and username.

This extra step (or multiple steps) adds another layer of security, even if passwords are not particularly strong. Hackers will find it hard to gain access to the user account, as they will not have the use of the user’s phone, which the code is sent to. MFA is one of the most effective ways to secure your organisation.

Protect against malware

Microsoft Office 365 does come with malware protection included; however it is worth going one step further by blocking attachments with file types frequently used by hackers. You should block any file types which are commonly used to inflict malware on systems, so the email is blocked before it even reaches a user’s account. Common suspicious filetypes usually come in the forms of EXE, CHM, CMD, COM, JS, BAT, CPL, VB and VBS.

How to block certain file types from your Office 365 application:

1. Go to the Security & Compliance Centre and go to the left navigation panel. Click ‘Threat Management’ then ‘Policy’, then ‘Anti-Malware’.
2. Click on the default policy and edit.
3. Click Settings.
4. Go to ‘Common Attachment Types Filter’ and switch to ‘On’. Below this, you are able to add or remove file types that are blocked. Then click save and you are done.

staff smiling on laptops

Protect against ransomware threats

Ransomware attacks are one of the most common attacks on businesses. Files will be encrypted by hackers, who will then demand a ransom (usually in a cryptocurrency such as Bitcoin), or even threaten to publish your files online. The files will be compromised until the ransom is paid and you are given the encryption key.

To help prevent ransomware, you are able to set up rules for email which will block the common file types associated with a ransomware attack. For a helpful video on how to do this, please see Microsoft’s training video.

You should also ensure that there is a warning given to staff members before they are about to open an email which contains macros (ransomware is often hidden within these). Be sure to install next-generation endpoint protection for added protection.

Use spam notifications

If a hacker is able to gain login credentials during a phishing attack, they may send out many emails to a user’s contacts. These emails will often contain spam or malicious links. Office 365 security measures should include setting up a notification for when an email has been sent out excessively from a user or contains spam. This will give you a heads up on suspicious activity and a chance to warn your staff members not to open an email sent from the compromised employees account.

Stop email auto-forwarding

If a cyber criminal has gained access to a user’s login credentials, they can easily set up auto-forwarding of that user’s emails. Malware can be attached to these emails, which will be sent out to other employees around your organisation.

To stop this, you can set up an email flow rule which prevents emails being automatically forwarded to an external network. Here is how to set up a mail flow rule:
1. Go to Exchange admin centre.
2. Click ‘mail flow category’ and then ‘rules’.
3. Click the t ‘+’ icon, and ‘create a new rule’.
4. Go down to ‘more options’ to see the full list.
5. Apply the settings you want in the table. Unless you want to change anything else, then leave the rest as the default option. Then save your settings.

At Cube Cyber we have a friendly and dedicated team of experts to help with Office 365 security, and much more. To talk to one of our security experts, please call 1300 085 366 or visit out contact page.

Managed Security Services: Why Small & Mid-sized Businesses Should Consider It
Which Industries Are Most Vulnerable to Cyber Attacks in 2021?