Trying to tackle Microsoft Teams security and compliance? Microsoft MVPs share their top security tips to ensure your data stays secure across Microsoft 365.
ShareGate’s easy-to-use SaaS tools enable organizations to achieve more than ever before with Microsoft cloud technologies. In this excerpt from our eBook, Win as a Team!, Microsoft MVPs offer insights on how you can empower users to use Teams effectively and leverage it to its full potential.
In the rush to deploy Microsoft Teams and transition to all new ways of working, it’s important that questions of security don’t get overlooked. The integrated nature of Teams—aka its role as the “hub for teamwork” in Microsoft 365—means that you might need to re-think your entire approach to security and compliance.
To help get you started on the right foot, we asked some of our friends in the Microsoft community to share their advice. We put together their top tips for approaching data security in Microsoft Teams—so you can be sure that your data stays secure!
Security is a team effort in Microsoft Teams
The number of daily active users in Teams is soaring. And with new teams, Microsoft 365 groups, and modern SharePoint team sites being created at a record pace, how can you keep all of that content secured, protected, and retained?
The integrated nature of Microsoft 365’s productivity suite means you need to think about setting rules that can apply to multiple products at once—to protect your Teams work across Microsoft 365, you need to create a cross-product governance strategy that keeps your content secure across platforms and devices.
Teams is really just a way to link multiple tools, so the security of Teams also relies on the settings of each underlying software program. Think about how SharePoint, OneDrive, Azure Active Directory, etc. all feed what’s happening in Teams.
In this fortress, it’s not just Teams… there are multiple keys to the castle to worry about.
Microsoft Teams security tips according to Microsoft MVPs
To figure out the best way to tackle the topic of security, we reached out to our friends in the Microsoft community. The Microsoft MVPs we talked to shared the following tips to help ensure your Microsoft Teams stays secure.
- Open authentic dialogues—Sarah Haase
- Education is the first step in risk avoidance—Marc Anderson
- Security is a team effort—Joanne Klein
- Go multi-factor authentication, go!—Rick Van Rousselt
#1: Open authentic dialogues
Sarah Haase (@sarahhaase), Collaboration Group Product Manager, Office Apps & Services MVP
“The single best practice that we have to think about to keep our Teams content safe and secure is to make sure we’re having authentic conversations with our users about data security and data classification.
Whether that data is being stored in Teams or SharePoint—no matter where it is—Microsoft Graph has the ability to expose it throughout Microsoft 365, so we need to make sure that:
- Data is secured appropriately,
- That our users understand what the difference is between a private channel and a public channel, and
- What kind of things should be safeguarded for only a few people to access vs what can be open to the entire company.”
#2: Education is the first step in risk avoidance
“Security is always a big topic for any IT department these days. If you look at it with the glass-half-empty perspective, there are so many attack vectors, there are so many different ways—in theory—to have someone come in and get your stuff.
Thinking about the security of what you put into Teams, or any other part of Microsoft 365 really… is to think about how to educate your end users about what matters.
Most leaks that I hear about… that really made a difference, that were very screwy… the technology was not the problem, it was the people that made a mistake.
I think most of the time the education of the user base is through sort of a threat perspective as opposed to ‘here’s how and why it’s important for us to protect our stuff.’
Don’t be another brick in the wall: Avoid fear.
Think about how you can educate people without scaring them.
The tools are there to protect the jewels, but you have to make sure you show how to use them.”
#3: Security is a team effort
Joanne Klein (@JoanneCKlein), SharePoint/Microsoft 365 Consultant, Office Apps & Services MVP
“One way to address competing demands and requirements is to leverage a shared responsibility model—a cloud security framework that defines security obligations to ensure accountability.
Microsoft’s shared responsibility model says that you as an organization are responsible for protecting your data, identities, and devices and Microsoft is responsible for protecting the Microsoft 365 services. Together, you can protect your sensitive data from security threats.
To get your electronic house in order, so to speak, a coordinated effort is required and involves three key groups:
- Business information workers: These are the people creating the content, sharing with external parties, and some of them are working with sensitive information. This group really needs to know how to work safely and securely in the modern workplace today—if they don’t then IT needs to teach them.
- IT teams: They control the resources that implement the technical controls involved as well as some of the training and configuration.
- Legal, risk, compliance, governance teams: These are the regulatory teams you need to help you define a classification system across your tenant. They’re in a unique position to understand what you need to do to protect data and remain compliant—lean into them, and bring them in from the start.”
#4: Go multi-factor authentication, go!
“This setting is still not turned on by default, but it is really your first line of defense against phishing attacks.
Lately, there have been too many cases of people who receive a real email from Microsoft from somebody sharing a document from their OneDrive. But this is coming from an already compromised account.
What these people with less good intentions have done is upload a scam file to the compromised account which includes a link to a fake Microsoft 365 login page. Then they share that OneDrive file to everybody in the compromised account’s contacts list.
Because the email and the OneDrive are real, people trust their contact, do not see that the final login page isn’t a genuine one, and then their account gets compromised, and the story repeats itself.
Step in early and turn on multi-factor authentication as your organisation’s default. It might add a few seconds of work for everyone, but when users land on a phishing page, you’ll have that added line of protection that’ll save a lot of time and effort.”