Have you ever heard ‘cyber-security’ and thought ‘my business is too small to worry about it’?
According to the FSB, small businesses are collectively subject to almost 10,000 cyber-attacks a day. The annual cost of such attacks to the small business community is estimated to be £4.5 billion, with the average cost of an individual attack put at £1,300.
Those numbers are proportionally higher for bigger businesses.
Luckily there are quite a few things you can do to protect yourself and your company, especially with Office 365 and Microsoft 365 Business.
Multi-factor authentication means a user provides two or more types of authentication to access their accounts. This is normally a password alongside a number of extra ways to authenticate, the most common being a code generated by an app on your phone.
You probably already use that kind of security measure for your online banking. It prevents hackers from taking over if they know your password. Of course, it is unsuccessful if your users allow logins that they don’t recognize, which brings us to point two:
Technology is not enough if the end users don’t know what security measures they should take on their end. Train your staff, let them know what solutions you put in place and how they should respond to them. Explain the importance of using strong passwords and storing them in a secure way. Train users on how to recognize phishing emails. Make sure they protect their devices with passwords, run regular software updates and install apps that come from a legitimate source (such as the app store on your device). Introduce encrypted emails as a secure way of sharing sensitive information and make sure that all the end users in your company take extra caution when dealing with such information. Some of the tips you can give them are to hover over the link and check if the website address is spelt correctly, to search for the website instead of clicking on the link, and to double-check in person or over the phone.
The admin accounts that you use to administer your Office 365 or Microsoft 365 include elevated privileges. These accounts are valuable targets for cybercriminals. Make sure you use those accounts only for administration and not regular use. Admin accounts should also be set up for multi-factor authentication. Microsoft also recommends closing out all unrelated browser sessions and apps (including personal email accounts) before logging into the admin account and logging out of the browser session as soon as you’ve finished your administrative tasks.
Your Office 365 already includes basic protection against malware. However, you can take extra security measures and block attachments with file types that are commonly used for malware or step up to Microsoft Advanced Threat Protection.
Ransomware is a type of malicious software that denies access to data or a computer system unless a ransom is paid. By creating mail flow rules you can protect against ransomware. Create rules to block file extensions that are used for ransomware, or to warn users who receive these attachments in email (which brings us back to point two: train your end users to use the technology provided).
If a hacker gains access to a user’s mailbox, they could exfiltrate mail by configuring the mailbox to forward emails automatically. 365 Administrators can stop this behaviour for the whole tenant.
Office Message Encryption is included with Microsoft 365. It allows you to send and receive encrypted emails between people from inside and outside your organization (it works with Outlook, Gmail, Yahoo!, and other email services). Message encryption ensures that your email can be opened only by the person it was intended for (you can encrypt the message as well as prohibit the forwarding of it).
ATP also provides anti-phishing protection to help protect your organization from malicious impersonation-based phishing attacks and other phishing attacks. It works according to policies that are set by your Office 365 global or security administrators and can apply to a specific set of people or groups in your organization, or to an entire domain or all of your custom domains.
Sometimes it’s not easy to tell whether the attachment is malicious just by looking at an email. Office 365 Advanced Threat Protection includes ATP Safe Attachment protection, which checks to see if email attachments are malicious and then takes action to protect your organization. It can also be extended to files in SharePoint Online, OneDrive for Business, and Microsoft Teams.
Office 365 ATP Safe Links can help protect your organization by providing verification of web addresses (time-of-click) in email messages and documents. The protection is defined through the policies set by you.
Fight phishing, spoofing and domain impersonation by enabling DMARC on your domain.
It establishes which emails are legitimately yours, and emails from anyone else who tries to forge your domain will be bounced back or quarantined.