The past few years have brought a massive shift to remote work—and, with it, heightened security concerns. Here are our top recommendations for strengthening Microsoft 365 security for distributed teams.
The realization of remote work’s strategic value is fairly recent. While companies have been experimenting with digital collaboration for quite a while now, it was only post-COVID, when we were forced to adopt it en masse, that all of us were able to see whether it can really work.
And to everyone’s surprise, it was as if the solution to digital collaboration was staring everyone right in the face this whole time! But, with innovation comes new challenges. While remote work and technologies that enable it (such as Microsoft 365) are changing how we collectively work, we’re also faced with the need to update how we think about security.
In a 2021 survey of IT and security decision makers, 83% of respondents said that “the rise in remote workers increases the risk of a security incident” in the post-COVID era.
For starters, we’re faced with team members working from home and using devices connected outside of a central network. Unsecured devices or networks are major vulnerabilities that hackers will now target, knowing companies with remote teams can be exploited in this way.
Even popular collaboration platforms such as Microsoft 365 are limited in protection if your company’s employees are not taking necessary measures on their end.
And on top of that, the self-service nature of Microsoft 365 keeps many organizations on their toes. Confusion over how to streamline increasing end-user requests, effectively using resources in Microsoft 365, unmonitored guests, external sharing, etc., are some of the pain points that keep IT managers from thinking about value-add projects.
Companies must automate processes and become proactive rather than reactive, especially when we’re talking about security. Policies must be in place that alert you to security issues instead of leaving you to actively search for where they might be.
To close all doors that hackers can enter from, we’ve highlighted 3 crucial points that IT managers should keep in mind when looking to strengthen security in Microsoft 365. Let’s see what they are and how they can transform your organization to become proactive rather than reactive:
How to strengthen Microsoft 365 security now that your team is remote:
Tip 1: Zero Trust strategy to boost remote work security
What is Zero Trust security?
As the name suggests, Zero Trust security is based on the principle, “never trust, always verify”. The implication isn’t that end users can’t be trusted but that organizations simply cannot afford to take the risk.
In a Zero Trust framework, every user and device is verified to be safe before being allowed to interact with the organization’s network. Privilege to information is limited based on what the employee is required to see. Continuous checks and balances are maintained to make sure the employee’s device or network does not pose a threat at any point in time.
But most importantly, the motto “never trust, always verify” becomes the bedrock of the company’s security policy in all aspects. In Microsoft 365, a Zero Trust security policy should start with enabling Multi-Factor Authentication (MFA).
In an interview about Microsoft trends with Microsoft MVP Joanne Klein, she underscored the importance of Zero Trust for remote users. Zero Trust is “just a sound practice,” said Klein, “and it’s particularly important when organizations are distributed and not contained within a confined network anymore.”
What is Multi-Factor Authentication (MFA)?
Multi-Factor Authentication (MFA) adds a layer of security by verifying the user’s identity a second time during login, after the user has correctly entered the password. Microsoft 365 verifies user identity through text messages, phone calls, or app notifications.
We call it ‘Multi-Factor’ because two or more verification factors are involved in proving the user’s identity. Outside of Microsoft 365, factors besides the password can also be a fingerprint, e-mail, facial recognition, etc.
“Everyone should have [MFA],” said Benjamin Niaulin, Microsoft MVP and ShareGate Head of Product. “It costs nothing to have an extra factor of authentication that makes sure the right person is accessing a device. People have a perception that it is extra work to put it in place, but it’s nothing, it’s simply a check box [in Microsoft 365].”
How to enable MFA with Microsoft 365?
To set up Multi-Factor Authentication on Microsoft 365, follow these steps:
- Log in to the Microsoft 365 admin center.
- Select ‘Show All’.
- Then, select ‘Azure Active Directory’.
- Now, select ‘Azure Active Directory → Properties → Manage Security Defaults’.
- On the top right corner of the screen, you’ll see the ‘Enable Security Defaults’ section. Press ‘Yes’ on the toggle button to enable security defaults.
- Click ‘Save’, and you’re done!
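The same setting can be checked and turned on from PowerShell, which makes the change repeatable and easy to review. This is an added example, not ShareGate's or Microsoft's own script: the function name `Enable-SecurityDefaults` is hypothetical, and it assumes the Microsoft Graph PowerShell SDK is installed and the signed-in admin can consent to the two scopes shown.

```powershell
#Requires -Modules Microsoft.Graph.Authentication, Microsoft.Graph.Identity.SignIns
# Added example: turn on security defaults (the tenant-wide MFA baseline) idempotently.
# Assumption: Microsoft Graph PowerShell SDK, admin account allowed to edit the policy.

function Enable-SecurityDefaults {   # hypothetical helper name
    [CmdletBinding(SupportsShouldProcess)]
    param()

    $policy = Get-MgPolicyIdentitySecurityDefaultEnforcementPolicy
    if ($policy.IsEnabled) {
        Write-Output 'Security defaults are already enabled; nothing to change.'
        return
    }

    # Security defaults and Conditional Access are alternatives: a tenant that
    # already has enabled Conditional Access policies should enforce MFA there.
    $activeCa = Get-MgIdentityConditionalAccessPolicy -All |
        Where-Object { $_.State -eq 'enabled' }
    if ($activeCa) {
        Write-Warning "$(@($activeCa).Count) Conditional Access policies are enabled; review them first."
        $activeCa | Select-Object DisplayName, State
        return
    }

    if ($PSCmdlet.ShouldProcess('tenant', 'Enable security defaults')) {
        Update-MgPolicyIdentitySecurityDefaultEnforcementPolicy -IsEnabled:$true
        # Read the policy back so the result is confirmed rather than assumed.
        (Get-MgPolicyIdentitySecurityDefaultEnforcementPolicy).IsEnabled
    }
}

Connect-MgGraph -Scopes 'Policy.Read.All', 'Policy.ReadWrite.ConditionalAccess'
Enable-SecurityDefaults -WhatIf   # remove -WhatIf to apply the change
```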
Tip 2: Balancing self-service with security risks
The modern Microsoft 365 environment is designed around the philosophy of self-service. The idea is that IT managers should have control and flexibility in approaching IT infrastructure management, of which security is a part. But does this create chaos for IT teams that are pushed into a reactive change management environment?
Well, unfortunately, yes, it does. To get out of this reactive mode, aspects of IT management, such as security risks, need to strike a balance with the level of self-service that Microsoft 365 encourages.
Let’s see how this balance can be created.
Good governance from the start means data security
Sounds simple enough, right? Well, yes, it actually is! The moment you decide to create a hybrid or fully remote work environment is the moment you need to revise your data security policy. Having rules, such as MFA being enabled or providing access to only secured networks for all employees, is the start of a good governance policy.
Self-service features give users greater freedom to access functionalities around group/team creation, external sharing, and guest access—without going through an IT-led approval process. With more user freedom, however, come more security risks. IT can mitigate these threats by implementing a cross-product governance strategy to protect employee content and data across all the products they’re using.
It’s no secret that we’re big proponents of self-service. When paired with the right guidance from IT, we also believe that self-service can help improve Microsoft 365 security.
You want to empower employees with self-service functionality to avoid having users rely on IT for even the smallest changes. Enabling self-service also encourages users to stay within Microsoft Teams and approved apps, where IT can keep an eye on what’s being created and shared. Too many restrictions and employees may turn to backdoor approaches and tools, i.e., shadow IT.
But go too far, and you risk having untrained users accessing the wrong things in the wrong places and creating security problems. Here at ShareGate, we recommend a middle ground via self-service, wherein users can access the tools they need, in the ways they want, with some guidance and solid governance.
In Microsoft 365, cross-product governance includes setting rules that can apply to multiple products at once. To implement cross-product management, IT professionals first need to understand how all the tools and apps within Microsoft 365 connect from an administrative perspective. They can then use that knowledge to create a governance strategy that keeps content secure across platforms and devices.
Enforced security policies that ensure all employees are constantly checked for security compliance are a blessing for IT managers. You don’t have to continually be on the lookout for blind spots that hackers can exploit. You know there’s a procedure being followed that protects against this very thing.
Types of data security
So, what does data security actually look like? Well, for starters, let’s look at what we’re trying to achieve: we want to protect against unauthorized access. To do this, let’s look at all of the data security types that can help make this happen:
- Encryption: Encryption converts data into an unreadable format and assigns a security key to the authorized user. Hackers would look at the data but wouldn’t be able to decipher what it means without the key.
- Data erasure: In many cases, hackers might still gain access to data after it’s deleted. Data erasure helps by overwriting the original data to ensure it’s completely wiped out. For IT managers who have to dispose of sensitive information, data erasure ensures that sensitive company data is deleted forever as intended.
- Data masking: In data masking, companies tamper with the original data by changing values to create a ‘fake version’ that is unusable for hackers. It might sound similar to data encryption, but it isn’t. Here, values are changed, but the data is still readable. But in encryption, data is scrambled to make it completely unreadable. For example, the hacker might read an employee record but wouldn’t be able to find anything meaningful since names were purposely changed to “John Doe”. But in encryption, the hacker would see an unreadable text format such as “PA$1#K@” that doesn’t even indicate that it’s an employee record.
- Data resiliency: Data resiliency is the ability of a company to absorb any kind of system failure or intrusion and recover. Resiliency can be measured by observing how quickly the company was able to redeploy after unforeseen circumstances.
Four principles of good governance
The principles of good governance apply to your data security policy as well. IT managers should look to incorporate the following principles to craft the perfect balance between self-service and security:
- Fairness: Shifting from a reactive management environment also means ensuring employees are not overburdened with security measures that they must constantly follow. While a Zero Trust policy should be enforced, it should also be fair to employees to sustain their productivity.
- Accountability: Zero Trust by design screams accountability. Organizations need to hold everyone in the hierarchy accountable for keeping data secure. Whether it be the CEO, IT manager, or the new intern, the security policy should apply to and be enforced upon everyone.
- Responsibility: For IT managers, ensuring sound security measures is a responsibility that carries a lot of weight. Responsibility also implies ensuring the ability to monitor staff does not cross ethical boundaries under the pretense of keeping everyone safe. Good governance means understanding your responsibilities and the weight they carry as well as creating processes that ensure you live up to them.
- Transparency: Even within a Zero Trust security policy environment, ensuring employees know the extent to which they’re monitored is how you develop trust. Being open about security measures that need to be taken actually helps communicate why you need to take these measures.
Tip 3: Security routines to overcome threats
Alongside the benefits of the democratization of work and technologies such as Microsoft 365 that enable it, there are bound to be certain limitations.
But since it comes with the territory, how can you ensure IT teams can streamline security tasks?
First, be aware of the types of security risks that can threaten your Microsoft 365 environment. And second, make sure certain security tasks are carried out daily.
Types of security risks IT teams need to keep in mind
To ensure maximum security, IT teams should keep in mind all types of threats that can pose security risks. The most significant security risks can arise from:
- Phishing
- Malware
- Cloud data
- Ransomware
- Data exposure
- Insider threats
To overcome these threats while remaining proactive, IT teams can implement a daily routine explained in the next section.
Daily IT security tasks to stay on top of security risks
The following daily tasks should be performed to be proactive rather than reactive:
- Centralized, actionable reports: One way to be proactive is to create custom pre-built reports tailored for your organization’s internal needs. Daily reports that keep you up to date, provide a bird’s eye view of the entire decentralized remote work environment, and generate actionable insights allow problems to reveal themselves rather than force you to actively look for them.
- Risk assessment: One daily security task to drill down on is performing routine risk assessments. Creating a structure where you can automate reports highlighting the level of security risk your IT infrastructure is currently facing keeps you aware of the security threshold your organization can absorb.
- Automate policy compliance: Setting security policies is one thing, but ensuring they’re enforced throughout the organizational hierarchy is another. One crucial routine task to execute should be to right-size permissions settings and verify that everyone’s complying.
Now, the logical question that every IT manager is probably asking is, how is this even possible with Microsoft 365? Automating activities like policy compliance and custom reports requires diving deep into PowerShell scripts to get the job done.
Luckily, ShareGate automates security monitoring in Microsoft 365 and much more. A centralized platform is available to monitor everything in one place and ensure your IT team doesn’t have to seek out any security flaws. Being proactive means creating policies where problems reveal themselves without requiring reactionary measures.
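For teams scripting the policy-compliance task themselves, a daily check of the MFA rule from Tip 1 can look like the following. This is an added example, not ShareGate's code: `Get-MfaComplianceFinding` is a hypothetical helper, the sample rows are constructed, and the live-tenant call in the final comment assumes the Microsoft Graph PowerShell SDK, the `AuditLog.Read.All` scope, and a licence that includes the registration report.

```powershell
# Added example: daily MFA-registration compliance report.
# The function only reads properties, so it works on the constructed rows
# below (offline) or on live rows from the tenant (see the last comment).

function Get-MfaComplianceFinding {   # hypothetical helper name
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [object] $Registration
    )
    process {
        if ($Registration.IsMfaRegistered) { return }   # compliant: no finding

        [pscustomobject]@{
            # A password-only admin account is the most damaging gap.
            Severity = if ($Registration.IsAdmin) { 'High' } else { 'Medium' }
            User     = $Registration.UserPrincipalName
            UserType = $Registration.UserType            # member or guest
            Finding  = 'No MFA method registered'
        }
    }
}

# Constructed sample rows, shaped like the Graph user registration details report.
$sample = @(
    [pscustomobject]@{ UserPrincipalName = 'it-admin@contoso.example'; IsAdmin = $true;  IsMfaRegistered = $false; UserType = 'member' }
    [pscustomobject]@{ UserPrincipalName = 'j.doe@contoso.example';    IsAdmin = $false; IsMfaRegistered = $true;  UserType = 'member' }
    [pscustomobject]@{ UserPrincipalName = 'vendor@partner.example';   IsAdmin = $false; IsMfaRegistered = $false; UserType = 'guest' }
)

# 'High' sorts before 'Medium', so the admin finding is listed first.
$findings = $sample | Get-MfaComplianceFinding | Sort-Object Severity, User
$findings | Format-Table -AutoSize
$findings | Export-Csv -Path "mfa-findings-$(Get-Date -Format yyyy-MM-dd).csv" -NoTypeInformation

# Live tenant instead of $sample:
#   Connect-MgGraph -Scopes 'AuditLog.Read.All'
#   Get-MgReportAuthenticationMethodUserRegistrationDetail -All | Get-MfaComplianceFinding
```

Run from a scheduled task, the dated CSV gives a day-over-day record, so a newly unprotected admin or guest account shows up as a new row.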
Get proactive
It’s fair to say that Microsoft 365 has done a lot to enable remote teams. And, it wouldn’t be too far off to claim remote teams going all in on Microsoft 365 have solid reasons for doing so.
The fact that we’re talking about how to improve upon the nature of remote work in Microsoft 365 is a testament to the fact that we’re past the initial stages.
But, it’s essential to address how internal processes can be automated so we can move past the reactive management structure that comes with distributed work. A lack of control can prove fatal, especially when we’re talking about security.
Organizations constantly in a reactive mode, where IT managers are constantly dealing with issues that could have been automated, are prime targets for hackers. To avoid being sitting ducks, solutions such as ShareGate can help where Microsoft 365 itself might be limited.