Strengthening the security of your Microsoft 365 - Access Security

Chris Lunn • April 12, 2021

As we explored in the previous blogs in the series, small businesses are not immune to cyber threats and it is essential that they equip their arsenal with tools capable of defending their systems against any attack a cyber criminal can throw at them. We have also discussed why you should secure Microsoft 365, how to do so, and some of the ways that cyber criminals could attack your systems.


In the coming blog – the last in the series – we will explore more security measures that can ensure your system is well defended against cyber criminals.



Access security

The risks

If access to files, folders, document libraries and email is not secured on a ‘need to know’ basis, your team will have full and free visibility of any documents and data your organisation holds, any of which could be within or outside of their job role and responsibilities. This is not acceptable; you are asking for something to go wrong just by letting your users roam through sensitive information at their will and with no control over them.


More concerning are the opportunities offered to a cyber criminal: if you suffer a breach, the cyber criminal will have access to the entire system and all of your digital environment, allowing for a potentially business-defining cyber attack.


Overcoming the risks

Having control over access is essential! Within Microsoft 365 this can be easily achieved by structuring your files and folders and the rights needed to view and edit that data. Typically, the best way to organise files is departmentally, with the user permissions being granted amongst the team members across those departments.


Permissions can also be broken down according to your position in the hierarchy of the organisation - junior, senior, manager, etc - and then further restricted, for example, to prevent juniors from accessing accounts that are meant for a member of the team further up the hierarchy (managers, for example).


Users are not restricted to one department either – if you are a member of management or have people within functions that cross departments, multiple permissions may be assigned; these permission sets are defined within Microsoft 365 as groups.


Let’s take a closer look at Microsoft 365 groups.


Microsoft 365 groups – What are they?

To allow users access to resources, and to assign a set of permissions to a group of users or a department in your organisation, a group must be set up within Microsoft 365.


These groups can be defined through the administration portal. They will also have been created for you automatically in the background when you create a new SharePoint Library or a Teams Channel, or when you define the user permissions in the front-end of those applications.


Different types of permission groups exist within 365:

  • Security groups are used for granting permissions to specific resources, such as SharePoint sites and Teams channels.


  • Shared mailboxes – providing multiple users with parallel access to a single email inbox.


  • Distribution groups are commonly used as a group email list – such as info@xdomain.com, being an email address used to email multiple users.


  • Microsoft 365 groups (formerly Office 365 groups) are used for collaboration between users, whether inside or outside of your organisation.


Creating and managing Microsoft 365 groups

Your active groups (across all of the previously outlined types) are accessible by visiting https://admin.microsoft.com/adminportal/home?#/groups  and logging in with your administrator credentials.


Clicking the link will direct you to the main hub. From there you can add new groups and define the users included in those groups; you can also see and manage your existing groups that were created elsewhere within your Microsoft 365 environment (such as directly within SharePoint or Microsoft Teams).


Permissions for external sharing in Microsoft 365

A number of controls define whether and how data can be shared externally. Microsoft 365 distinguishes between two types of external user:

External access – Provides access to all of the users within an entire domain.

Guest access – Grants permissions to an individual.


To control whether to permit external users to be added as guests:

1)     Go to Admin portal https://admin.microsoft.com/AdminPortal/Home#/Settings/SecurityPrivacy


2)     Click ‘Sharing’


3)     Tick or untick the box.


To control whether to permit external sharing from SharePoint

You may define this at your organisation level or set the permissions individually within a specific SharePoint site. If a SharePoint site’s external sharing option does not marry up with the organisation’s level of permissions, then the most restrictive rules will apply.


To control whether to permit external sharing from Teams

Guest access must be authorised separately for Microsoft Teams.


Prevent emails from being automatically forwarded externally from Microsoft 365

You can retain control of your email content and prevent email from inadvertently leaking outside of your internet environment by preventing users from setting an email rule that automatically forwards emails to external addresses.
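One way to audit and then block external auto-forwarding from Exchange Online PowerShell, as an added example that is not part of the original post. It assumes the ExchangeOnlineManagement module is installed, an administrator sign-in, and that the default remote domain and default outbound spam policy keep their standard name `Default`; the helper name `Test-ExternalAddress` is hypothetical.

```powershell
# Added example: requires the ExchangeOnlineManagement module and an admin account.
Connect-ExchangeOnline

# Domains the tenant owns; any other domain counts as external.
$internalDomains = Get-AcceptedDomain | ForEach-Object { [string]$_.DomainName }

function Test-ExternalAddress([string]$Address) {
    # Handles both 'smtp:user@domain' and '"Name" [SMTP:user@domain]' forms.
    if ($Address -match '@([A-Za-z0-9.-]+)') {
        return $internalDomains -notcontains $Matches[1]
    }
    return $false   # no SMTP address, e.g. an internal directory recipient
}

$mailboxes = Get-Mailbox -ResultSize Unlimited

# 1. Forwarding configured on the mailbox itself.
$mailboxes |
    Where-Object { $_.ForwardingSmtpAddress -and (Test-ExternalAddress $_.ForwardingSmtpAddress) } |
    Select-Object UserPrincipalName, ForwardingSmtpAddress, DeliverToMailboxAndForward

# 2. Inbox rules that forward or redirect to an outside address.
foreach ($mbx in $mailboxes) {
    foreach ($rule in Get-InboxRule -Mailbox $mbx.UserPrincipalName) {
        $targets  = @($rule.ForwardTo) + @($rule.ForwardAsAttachmentTo) + @($rule.RedirectTo)
        $external = @($targets | Where-Object { $_ -and (Test-ExternalAddress $_) })
        if ($external.Count -gt 0) {
            [pscustomobject]@{
                Mailbox = $mbx.UserPrincipalName
                Rule    = $rule.Name
                Enabled = $rule.Enabled
                Targets = $external -join '; '
            }
        }
    }
}

# 3. Stop automatic forwarding to external recipients for the whole organisation.
Set-RemoteDomain -Identity Default -AutoForwardEnabled $false
Set-HostedOutboundSpamFilterPolicy -Identity Default -AutoForwardingMode Off
```

Review the output of steps 1 and 2 before applying step 3, so that any forwarding the business relies on can be replaced with a supported alternative first.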

Cyber security defences

There are a number of other cyber security defences that exist beyond the tools and features designed to secure access to your Microsoft 365 environment which will go even further to protect your data from cyber attacks.


Malware protection

Malware protection comes as standard in the Microsoft 365 ecosystem; however, it can be strengthened by blocking certain file types that are commonly associated with malware.


This can be implemented by taking the following actions:

  • Visit https://protection.office.com/ and log in with your admin credentials.


  • In the Security & Compliance Centre, on the left-hand navigation, beneath ‘Threat Management’, select ‘Policy’ > ‘Anti-Malware’.


  • Double-click the default policy to edit this organisation-wide policy.


  • Select ‘Settings’.


  • Under ‘Common Attachment Types Filter’, select ‘On’.
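The same setting can be checked and applied from Exchange Online PowerShell. This is an added example, not part of the original post; it assumes the ExchangeOnlineManagement module, an administrator sign-in, and a constructed baseline list of extensions that you should adjust to your own policy.

```powershell
# Added example: requires the ExchangeOnlineManagement module and an admin account.
Connect-ExchangeOnline

# Constructed baseline of attachment extensions to block; adjust to your own needs.
$baseline = 'exe', 'scr', 'vbs', 'js', 'hta', 'lnk', 'iso', 'img', 'bat', 'cmd'

# Report, for every anti-malware policy, whether the filter is on and
# which baseline extensions its block list does not yet contain.
Get-MalwareFilterPolicy | ForEach-Object {
    $policy  = $_
    $missing = $baseline | Where-Object { $policy.FileTypes -notcontains $_ }
    [pscustomobject]@{
        Policy          = $policy.Name
        FilterEnabled   = $policy.EnableFileFilter
        MissingFromList = $missing -join ', '
    }
}

# Turn the common attachment types filter on for the organisation-wide default policy.
Set-MalwareFilterPolicy -Identity Default -EnableFileFilter $true

# -FileTypes replaces the whole list, so merge the current entries with the baseline.
$current = @((Get-MalwareFilterPolicy -Identity Default).FileTypes)
$merged  = @($current + $baseline | Where-Object { $_ } | Select-Object -Unique)
Set-MalwareFilterPolicy -Identity Default -FileTypes $merged
```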


Email encryption

With email encryption in Microsoft 365 you can be sure that only the person or people intended can view your email content. Along with encryption, you can also define permissions that restrict what your recipient can do with your email – this allows you to control whether they can forward, print, or copy the email.


To send protected email:

  1. In Outlook for Windows, select the ‘Options’ tab and click ‘Permission’


Anti-email phishing

The anti-phishing technology ‘Safe Links’ helps protect your users from accidentally clicking on malicious links within emails and files. Safe Links also provides time-of-click verification of web addresses within emails and Office documents.


This can be implemented by:

1)     Visiting https://protection.office.com/ and logging in with your admin credentials.


2)     In the Security & Compliance Centre, on the left-hand navigation, beneath ‘Threat Management’, select ‘Policy’ > ‘Safe Links’.

There are options to change the system defaults as necessary, depending on your requirements.

Email spoofing

Your custom domain can be protected from being ‘spoofed’ through Microsoft 365’s Anti-phishing protection. This protection includes support for email security best practices, including the SPF, DKIM and DMARC protocols.
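To see whether a custom domain's published SPF and DMARC records actually give that protection, the check below can be run on the TXT records. It is an added example, not part of the original post: the function name `Get-MailAuthFindings` is hypothetical, the sample records are constructed for the placeholder domain example.com, and DKIM is not covered.

```powershell
# Added example. The sample records at the bottom are constructed for example.com.
function Get-MailAuthFindings {
    param([string[]]$RootTxt, [string[]]$DmarcTxt)
    $findings = @()

    # SPF: exactly one TXT record at the domain root that starts with v=spf1.
    $spf = @($RootTxt | Where-Object { $_ -match '^v=spf1(\s|$)' })
    if ($spf.Count -eq 0)     { $findings += 'SPF: no record published' }
    elseif ($spf.Count -gt 1) { $findings += 'SPF: more than one record, which receivers treat as an error' }
    else {
        if ($spf[0] -notmatch 'include:spf\.protection\.outlook\.com') {
            $findings += 'SPF: the Microsoft 365 include is missing'
        }
        if ($spf[0] -match '\s([-~?+]?)all\s*$') {
            if ($Matches[1] -ne '-') {
                $findings += "SPF: ends in '$($Matches[1])all'; only '-all' is a hard fail for unlisted senders"
            }
        } else {
            $findings += "SPF: no closing 'all' mechanism"
        }
    }

    # DMARC: one TXT record at _dmarc.<domain>, made of tag=value pairs separated by ';'.
    $dmarc = @($DmarcTxt | Where-Object { $_ -match '^v=DMARC1\s*;' })
    if ($dmarc.Count -ne 1) {
        $findings += "DMARC: expected one record at _dmarc, found $($dmarc.Count)"
    } else {
        $tags = @{}
        foreach ($part in $dmarc[0] -split ';') {
            $key, $value = $part -split '=', 2
            if ($value) { $tags[$key.Trim()] = $value.Trim() }
        }
        if ($tags['p'] -notin 'none', 'quarantine', 'reject') {
            $findings += 'DMARC: the p= policy tag is missing or invalid'
        } elseif ($tags['p'] -eq 'none') {
            $findings += 'DMARC: p=none only monitors; mail that fails the checks is still delivered'
        }
        if (-not $tags['rua']) { $findings += 'DMARC: no rua= address, so no aggregate reports arrive' }
    }
    $findings
}

# Constructed sample records for example.com.
$rootTxt  = @('MS=ms00000000', 'v=spf1 include:spf.protection.outlook.com ~all')
$dmarcTxt = @('v=DMARC1; p=none')
Get-MailAuthFindings -RootTxt $rootTxt -DmarcTxt $dmarcTxt

# Live use on Windows: pass the real records instead, for example
#   Resolve-DnsName example.com -Type TXT | ForEach-Object { $_.Strings -join '' }
```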


Throughout this blog series we have covered a multitude of best security practices to ensure that your Microsoft 365 environment can stand up to cyber criminals.


Are your systems now fully protected? Would you like any assistance or advice?


Ensuring your systems are secure – 1-Fix

Our team of specialists at 1-Fix offer a range of business IT services ranging from desktop to server management, to network design and cyber security assistance. Our experts want to become a vital member of your team and help you strengthen the security of your Microsoft 365 ecosystem.


We can help you achieve a level of security that allows you to feel confident 100% of the time that you are not going to be a victim of a cyber attack. Please do not hesitate to contact the 1-Fix team for a conversation on any aspect of your IT.


