Why the US Government Warned US Businesses About Office 365 Security
Office 365: it sounds like a safe, secure platform that businesses can use to help aid in document creation, storage, and sharing. Unfortunately, the US government has recently issued a warning about Office 365 security that could pose a substantial challenge for many businesses. Office 365 provides a number of solutions that make it possible for businesses to rapidly deploy remote work environments, including cloud-based email, chat options, and video capability. Without adequate security protection in place, however, many organizations may not get the secure experience they’re hoping for. Is your business at risk due to Office 365?
Security Concerns
The US Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency, also known as CISA, has issued a warning for businesses who have rushed to implement an Office 365 deployment for remote employees in the midst of the pandemic. While the platform does offer adequate security when used properly, many businesses, especially in the rush to deploy quickly, have failed to take the vital security measures that can help protect them. The challenge is not that the platform inherently poses security challenges. In fact, when deployed properly, this platform can allow a highly effective transition to remote work in a virtual environment. The challenge is that, in the rush to deploy the virtual platform, many businesses have failed to take the right security precautions and enable the proper settings across the platform.
High-Level Default Privileges
Not every worker in your organization needs to have high-level access to everything in your system. Office 365 comes with a high level of initial privilege, which means that the average user can quickly gain access to information that they’re not supposed to have. Not only that, the more high-level users you have, the more potential security challenges it can pose to your organization: when a high-level user’s information is compromised, it can provide a much greater challenge for the organization as a whole than when a breach is limited to a user with low-level permissions and access.
Mitigating the effect: Use Role-Based Access Control to assign user privilege. Do not use the Global Administrator Account unless absolutely necessary for some purpose. Keep in mind the overall security of your organization and the level of access your users actually need: in many cases, you may discover that your users require less access than you initially thought. Ideally, you want to allow the lowest level of access possible for each member of your team. When you allow universal access or provide excessive access to team members who may not actively need those privileges, you open the door for more potential security challenges. Going with the principle of least-needed access, on the other hand, can provide a substantially decreased risk to your company.
Difficulty Discovering Potential Malicious Activity
Under its default settings, Office 365 does not maintain an audit log, which can make it difficult for administrators to locate and put a stop to potential malicious activity on the network. Not only that, if malicious activity is detected, your administrators may have a hard time tracking down where it originated.
Mitigating the effect: Fixing up this potential problem is as simple as changing the default settings. Office 365 offers a logging platform known as the Unified Audit Log. It can include all activity from Exchange Online, SharePoint Online, OneDrive, Azure AD, Microsoft Teams, and other Office 365 services. Once an administrator enables the log, it will track that activity and make it easy for administrators to track, identify, and remove potential malicious traffic on the network.
Lack of Multi-Factor Authentication
Multi-factor authentication is one of the most important steps businesses can take to protect their critical systems, especially when it comes to administrator access. Under multi-factor authentication requirements, users must prove that they have access to another device, usually a cell phone, certified as being allowed to access the account. Multi-factor authentication adds a substantial layer of security to any login process, but does not substantially inconvenience the employee or add unnecessary time to the login process. Office 365, however, does not have those features automatically enabled.
Mitigating the effect: Enable multi-factor authentication for all administrator accounts or, if needed, all user accounts. The administrator accounts in Office 365 are equivalent to the domain administrator in a traditional office environment. Those individuals have access to high-level information within the system. Multi-factor authentication is not enabled in the defaults, but your administrators can enable it either as they create the accounts or when they discover the need.
failure to Default to Secure Access
Office 365 offers a “secure by default” model that can help provide increased levels of security for businesses, not only as they use the platform, but during the migration to the cloud. This migration may show a unique level of risk to many users, since it is hosted in the cloud and, therefore, accessible via the internet. If administrators do not select the “secure by default” model before beginning their migration, they may discover that they have opened their business up to unwanted security challenges during that migration process.
Mitigating the effect: If you have not yet made the move to Office 365, especially if you’re only now considering making those changes, you should enable the “secure by default” setting before beginning your migration. If you have already begun your migration or have already shifted your business to the cloud, enable those security settings as soon as possible.
Unnecessary Legacy Authentication
Exchange Online, which is authenticated by Azure AD, has several legacy protocols that are no longer necessary for current users or based on current programs. These protocols, including Post Office Protocol, Internet Message Access Protocol, and Simple Mail Transport Protocol, were previously used with older email clients. These legacy protocols, however, may offer undue security risk for modern businesses, which use modern solutions for their mail providers.
Mitigating the effect: Disable legacy protocols, either by user or company-wide. You should only leave these legacy protocols intact if you have users who still require access to legacy email accounts and clients. Check with your users to learn more about their needs and, if possible, disable the protocols. If you do have users who still need to use those clients, keep in mind that those clients will remain accessible with a username and password alone, which could compromise security.
Failure to Issue Alerts
Alerts for suspicious activity can substantially cut down on the time a hacker has to operate within a system as well as providing immediate alerts for malware and ransomware, which could cause substantial damage to a company’s systems. Office 365, however, does not automatically provide these alerts. This can, in turn, make it take longer to respond to potential threats and malicious activity. It can also cause you to miss out on vital security problems, which could lead to the compromise of your organization.
Mitigating the effect: Enable alerts within the Security and Compliance Center. Ideally, you want this system to notify administrators of any abnormal events, which will allow them to react quickly to any security challenges. You should also integrate your logs with your existing log management and monitoring solutions. You do not want the security for Office 365 to stand alone, nor do you want to run the risk that you will miss a vital security problem.
Is Office 365 a Safe Solution for Your Company?
Many businesses, after hearing about these warnings, wonder whether Office 365 represents a safe solution for their company. Is Office 365 a reasonable tool for making a fast shift to a remote environment? Certainly. The challenge lies in a fast deployment, where users may not take the time to carefully ensure organizational security before making the transition. As long as your company takes the right steps to mitigate the potential security challenges offered by Office 365, including enabling multi-factor authentication and maintaining appropriate security logs, you can keep your business secure while using a familiar platform designed to improve the virtual working environment and make the transition to remote work as easy as possible for your organization.
Office 365 also provides a built-in tool that can help measure an organization’s security effectiveness, including its use of Office 365. Microsoft Secure Score helps offer recommendations to help enhance your organization’s overall security as you use the Office 365 platform. While utilizing many of the recommendations above can help your organization raise your overall level of security, you may still want to utilize Microsoft Secure Score to get a better feel for the recommendations for your specific company and what potential security holes you’ve left in place.
Maintaining security while making the transition to remote work has proven incredibly difficult for many businesses, who have scrambled to maintain necessary security for both business protection and compliance while simultaneously providing team members with the access and tools they need to successfully make the shift to a virtual environment. If you need additional assistance helping your workforce make the transition to remote work, contact us today to learn more about the services and solutions we have to offer and how they can enhance your ability to continue to deliver high-quality service and support whether you’re working remotely or from the office.
