How to fortify your Microsoft 365 – Access Security

As we have explored previously in this blog series, a breach of your Microsoft 365 account could have potentially catastrophic consequences for your business. We looked at some security measures that can prevent this from happening, and how to implement those measures in your organisation.

In the upcoming – and last – blog in the series we will explore more from the myriad of security measures that give you peace of mind about the security of your systems.


Access security

The risks

Allowing your team ‘free’ access to your system is a dangerous freedom to give. If access to files, folders, document libraries and email is not secured on a strictly ‘need to know’ basis, your entire team will be able to view any documents and data your organisation holds, some of which may be sensitive and subject to protection under legislation.

Abiding by legislation is important but, arguably more importantly, a cyber criminal who completes a successful breach will be granted unopposed access to your entire system, opening the door to a major cyber attack that could jeopardise the survival of the business altogether.

The risks – overcome

Controlling access is of the utmost importance. Within Microsoft 365 this can be easily achieved by structuring your files and folders and setting the rights needed to view and edit the data, so that only people with the correct credentials have the power to do so.

It is recommended to organise your files according to the department they relate to (finance, sales, marketing, etc) and then grant user permissions to the team members across those departments. Depending on how your business grades its staff (junior, senior, manager, director, etc), permissions can be broken down further, for example to restrict a junior within the sales team from accessing data that is meant for a senior in the sales team.

But don’t worry, users are not restricted to one department either. If you are a member of management or have people in functions that cross departments, multiple permissions may be assigned where access across the system is required; these permission sets are defined within Microsoft 365 as groups.

Don’t know what Microsoft Groups is? Let’s explore it in more detail to learn more.

What are Microsoft 365 groups?

For users to be allowed access to resources, and to assign a set of permissions to a group of users (a department in your organisation), a group must be set up within Microsoft 365. These groups can be created for you in the background when you create a new SharePoint Library or a Teams Channel, with the user permissions defined in the front end of those applications, or they can be defined through the administrative portal.

Here are some of the different types of permission groups that exist within 365:

  • Security groups are used for granting permissions to specific resources, such as SharePoint sites and Teams channels.
  • Distribution groups are commonly used as a group email list, such as an email address used to email multiple users.
  • Shared mailboxes provide multiple users with parallel access to a single email mailbox.
  • Microsoft 365 groups (formerly Office 365 groups) are used for collaboration between users, whether inside or outside of your organisation.


Creating and managing Microsoft 365 groups

Your active groups (across all of the previously outlined types) are accessible by visiting and logging in with your administrator credentials.

This is the main hub of Microsoft Groups. From here you can add groups and define the users that go into them, while also seeing and managing existing groups that were created elsewhere in your Microsoft 365 environment (SharePoint and Microsoft Teams, for example).
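One way to review groups against the ‘need to know’ principle from the command line, as an added example that is not part of the original post. It assumes the ExchangeOnlineManagement PowerShell module and an administrator sign-in, and it lists every Microsoft 365 group that contains guests, together with its owners.

```powershell
# Added example: review Microsoft 365 groups that contain external (guest) members.
# Assumes the ExchangeOnlineManagement module is installed and you sign in as an admin.
Connect-ExchangeOnline

$report = foreach ($group in (Get-UnifiedGroup -ResultSize Unlimited)) {
    # GroupExternalMemberCount is kept up to date by the service; skip groups without guests.
    if ($group.GroupExternalMemberCount -eq 0) { continue }

    $id     = $group.ExternalDirectoryObjectId
    $owners = Get-UnifiedGroupLinks -Identity $id -LinkType Owners
    $guests = Get-UnifiedGroupLinks -Identity $id -LinkType Members |
        Where-Object { $_.RecipientTypeDetails -eq 'GuestMailUser' }

    [pscustomobject]@{
        Group      = $group.DisplayName
        Privacy    = $group.AccessType      # Public or Private
        Owners     = ($owners.PrimarySmtpAddress -join '; ')
        GuestCount = @($guests).Count
        Guests     = ($guests.PrimarySmtpAddress -join '; ')
    }
}

# Groups with the most guests first; each row is a candidate for an access review by its owners.
$report | Sort-Object GuestCount -Descending | Format-Table -AutoSize -Wrap
```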

Permissions for external sharing in Microsoft 365

There are different controls that are in place to define whether and how data can be shared externally.

Microsoft 365 distinguishes between two types of access for external users.

Guest access

Grants permissions to an individual.

External access

Provides access to all the users within an entire domain.

To control whether to permit external users to be added as guests:

  1. Go to the Admin portal.
  2. Click ‘Sharing’.
  3. Tick or untick the box.


To control whether to permit external sharing from Teams:

Guest access must be authorised separately for Microsoft Teams.


To control whether to permit external sharing from SharePoint:

You may define this at your organisation level or set the permissions individually within a specific SharePoint site. If a SharePoint site’s external sharing option does not marry up with the organisation’s level of permissions, then the most restrictive rules will apply.
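The ‘most restrictive rules apply’ behaviour can be checked across every site, as in this added example (not part of the original post). It assumes the Microsoft.Online.SharePoint.PowerShell module; the admin URL is a placeholder for your own tenant.

```powershell
# Added example: show the effective external sharing level of each SharePoint site.
# Assumes the Microsoft.Online.SharePoint.PowerShell module; replace the placeholder URL.
Connect-SPOService -Url 'https://<tenant>-admin.sharepoint.com'

# SharingCapability values ranked from most restrictive (0) to most permissive (3).
$rank = @{
    Disabled                        = 0   # only people in your organisation
    ExistingExternalUserSharingOnly = 1   # existing guests only
    ExternalUserSharingOnly         = 2   # new and existing guests
    ExternalUserAndGuestSharing     = 3   # anyone, including anonymous links
}

$orgLevel = (Get-SPOTenant).SharingCapability.ToString()

Get-SPOSite -Limit All | ForEach-Object {
    $siteLevel = $_.SharingCapability.ToString()

    # The more restrictive of the two settings is the one that actually applies.
    $effective = if ($rank[$siteLevel] -lt $rank[$orgLevel]) { $siteLevel } else { $orgLevel }

    [pscustomobject]@{
        Url         = $_.Url
        SiteSetting = $siteLevel
        OrgSetting  = $orgLevel
        Effective   = $effective
        # True when the site asks for more than the organisation allows.
        CappedByOrg = ($rank[$siteLevel] -gt $rank[$orgLevel])
    }
} | Sort-Object { $rank[$_.Effective] } -Descending | Format-Table -AutoSize
```

Sites at the top of the output are the most open to external sharing and are the first ones to review.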

Prevent emails from being automatically forwarded externally from Microsoft 365

Again, it comes back to control. You can prevent users from setting an email rule that automatically forwards emails to external addresses; with this control in place, you prevent any email accidentally leaking outside of your internet environment.
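The control described above can be set and then checked from Exchange Online PowerShell, as in this added example (not part of the original post). It assumes the ExchangeOnlineManagement module and an Exchange administrator sign-in; the two settings stop automatically forwarded messages from leaving the organisation, and the rest of the script reports forwarding that users have already configured.

```powershell
# Added example: block automatic external forwarding, then audit what already exists.
# Assumes the ExchangeOnlineManagement module and an Exchange administrator account.
Connect-ExchangeOnline

# Block auto-forwarded mail to external recipients in the default outbound policy,
# and for every remote domain that has no entry of its own.
Set-HostedOutboundSpamFilterPolicy -Identity Default -AutoForwardingMode Off
Set-RemoteDomain -Identity Default -AutoForwardEnabled $false

# Domains your organisation owns; anything else counts as external.
$internalDomains = (Get-AcceptedDomain).DomainName

function Get-ExternalTarget {
    param([string[]]$Target)
    foreach ($t in $Target) {
        # Values look like 'smtp:user@example.com' or '"Name" [SMTP:user@example.com]'.
        if ($t -match 'smtp:([^\]\s]+@([^\]\s]+))') {
            if ($internalDomains -notcontains $Matches[2]) { $Matches[1] }
        }
    }
}

$findings = foreach ($mbx in (Get-Mailbox -ResultSize Unlimited)) {
    $upn = $mbx.UserPrincipalName

    # Forwarding set on the mailbox itself.
    foreach ($addr in (Get-ExternalTarget $mbx.ForwardingSmtpAddress)) {
        [pscustomobject]@{ Mailbox = $upn; Source = 'Mailbox setting'; Target = $addr }
    }

    # Forwarding or redirecting inbox rules created by the user.
    foreach ($rule in (Get-InboxRule -Mailbox $upn)) {
        $targets = @($rule.ForwardTo; $rule.ForwardAsAttachmentTo; $rule.RedirectTo) |
            Where-Object { $_ }
        foreach ($addr in (Get-ExternalTarget $targets)) {
            [pscustomobject]@{ Mailbox = $upn; Source = "Inbox rule '$($rule.Name)'"; Target = $addr }
        }
    }
}

$findings | Sort-Object Mailbox | Format-Table -AutoSize
```

An unexpected entry in the output is worth investigating with the mailbox owner, since the rule was in place before the block was applied.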

Cybersecurity defences

There are a number of cyber security defences beyond the tools and features designed solely for Microsoft 365. Let’s take a look at some that further protect your data from criminals.


Email encryption

Email encryption in Microsoft 365 ensures that only the person/people intended can view your email content. Aside from encryption, you can also define permissions that restrict what your recipient can do with your email – such as blocking the email from being forwarded, printed or the content copied elsewhere.

To send a protected email:

  1. In Outlook for Windows, select the ‘Options’ tab and click ‘Permission’


Malware protection

In the Microsoft 365 ecosystem, malware protection comes as standard; you can further increase its capabilities by blocking certain file types that are most commonly associated with malware.

This can be implemented by taking the following actions:

  1. Visit and log in with your admin credentials.
  2. In the Security & Compliance Centre, on the left-hand navigation, beneath ‘Threat Management’, select ‘Policy’ > ‘Anti-Malware’.
  3. Double-click the default policy to edit this organisation-wide policy.
  4. Select ‘Settings’.
  5. Under ‘Common Attachment Types Filter’, select ‘On’.
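The same setting can be applied and audited from Exchange Online PowerShell, shown here as an added example that is not part of the original post. It assumes the ExchangeOnlineManagement module; the `$baseline` list of extensions is constructed for illustration and should be replaced with your own.

```powershell
# Added example: turn on the common attachment types filter and audit every policy.
# Assumes the ExchangeOnlineManagement module and an Exchange administrator account.
Connect-ExchangeOnline

# Equivalent of the last step above, applied to the organisation-wide default policy.
Set-MalwareFilterPolicy -Identity Default -EnableFileFilter $true

# Constructed baseline of extensions you expect to be blocked (an assumption, adjust it).
$baseline = 'exe', 'scr', 'vbs', 'js', 'jar', 'iso', 'hta', 'bat'

Get-MalwareFilterPolicy | ForEach-Object {
    $policy  = $_
    # Baseline extensions this policy does not currently block.
    $missing = $baseline | Where-Object { $policy.FileTypes -notcontains $_ }

    [pscustomobject]@{
        Policy        = $policy.Name
        FilterEnabled = $policy.EnableFileFilter
        BlockedTypes  = @($policy.FileTypes).Count
        NotBlocked    = ($missing -join ', ')
    }
} | Format-Table -AutoSize
```

Custom policies take precedence over the default for the users they cover, so a row showing `FilterEnabled` as `False` leaves those users without the filter.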


Anti-email phishing

Anti-phishing technology, ‘Safe Links’, as a part of the Microsoft Defender service, helps protect your users from accidentally clicking on malicious links within emails and files. Safe Links provides time-of-click verification of web addresses within emails and Office documents.

This can be implemented by:

  1. Visit and log in with your admin credentials.
  2. In the Security & Compliance Centre, on the left-hand navigation, beneath ‘Threat Management’ select ‘Policy’ > ‘Safe Links’.

Depending on your requirements, there are options to change the system defaults.

Throughout the blog series, we have explored why implementing the correct security features for your business is of the utmost importance. We have also explored a number of top standard security options for you to consider implementing within your organisation to ensure top levels of cyber security. However, not all will be necessary for your organisation, depending on the way you work.


Cyber Security for your business with Urban

Are you concerned about your cyber security? Are you unsure what security measures to adopt? We can help! Our team of experts will work with you to learn how you do business to find security solutions that work for you. We provide a trusted, competitive, and impartial service to our wide range of customers throughout Greater London and beyond. Contact us now and see where we can help you.
