Top 10 best practices to secure Microsoft 365 for Business plans

Microsoft 365’s popularity in the business world is growing by the day thanks to the platform's flexibility, versatility, and reliability. In fact, sales of cloud products, like Microsoft 365 and Office 365, generated $17.7 billion in revenue for Microsoft in the first quarter of 2021, up 33 percent from the previous year. This rise in popularity is also accompanied by an increase in security threats and cyber attack attempts.

Small and medium-scale organizations are advised to leverage the Microsoft 365 security tools to protect their data at all times, as new threats surface regularly. When set up properly, Microsoft 365 is a safe environment to work in.

If your organization’s daily workflow revolves around Microsoft 365 for Business, follow the instructions and strategies provided in this blog post to strengthen the security of your internal network and protect your data against ransomware and other malicious software.

Before we start

To avoid data loss due to permanent deletion or malicious modification of your Microsoft 365 data, back up Microsoft 365 data regularly with NAKIVO Backup & Replication.

With the Free Edition of NAKIVO Backup & Replication, you can regain full control of your data in the key Microsoft 365 apps: Exchange Online, SharePoint Online, and OneDrive for Business. Deploy the Free Edition of NAKIVO Backup & Replication in two minutes and start backing up your data right away! No credit card is required.

You should note that to access and manage security settings in Microsoft 365, you need to log in with a Microsoft 365 administration account (or global admin). With that out of the way, let’s get started.

1. Microsoft Secure Score

To form a better understanding of your organization’s current security posture, keep a close eye on the Microsoft Secure Score (MSS) dashboard. Secure Score can be accessed through the quick launch bar in the Microsoft 365 Defender portal.

Secure score in the quick launch bar of Microsoft 365 Defender

But how does Microsoft Secure Score keep your data safe?

At first glance, Secure Score in Office 365 looks to be just an indicator of your organization's overall security status. But upon closer examination, you’ll see that you can monitor, from the main tab of Secure Score, metrics information about the security posture of your entire 365 environment. In the same tab, you can also view a list of suggested actions you can take to improve your security score and keep your data safe.

Microsoft Secure Score provides you with accurate measurements, in real-time, as you activate settings in Microsoft 365 Defender or deploy a third-party security solution. MSS constantly assesses your security status and offers recommendations that, when applied, can protect your organization from malicious threats.

Secure Score main view - accurate stats and recommended actions to improve security

A score below 30%, as shown in the picture above, indicates that your environment is highly vulnerable to threats. In this case, you should take immediate action and apply security best practices to surpass the recommended 80% threshold. A 100% score is attainable when Microsoft 365 Defender is working in full force in conjunction with a third-party security solution.

Let’s take a look at what can be done to improve both your Secure Score in Office 365 and your general security posture.

2. Multi-Factor Authentication

One of the simplest yet effective ways to improve the security posture of your organization is to implement multi-factor authentication for all of your accounts. If you recently signed up for Microsoft 365, multi-factor authentication should be automatically enabled for you as part of the security defaults.

This additional layer of security also referred to as 2-step verification, requires the user to input additional identity verification right after entering the account’s password to log in to Microsoft 365.

When multi-factor authentication is enabled, every user within your organization is required to set up 2-step verification through their devices.

There are two main verification methods your users can choose from to authenticate their login:

  • Microsoft Authenticator app: Download and install Microsoft Authenticator on your mobile device and add your account on the startup screen. This method is set by default and may involve fingerprint authentication or QR code scanning.
  • SMS message: Microsoft sends an SMS containing a 6-digit dynamically generated verification code. To log in to a Microsoft 365 account, enter the login details and the code provided.

According to Microsoft, 99.9% of compromised accounts did not use multi-factor authentication. Multi-factor authentication helps verify a user's identity and enforces protection against security breaches.

3. Employee Awareness

The most prominent cause of data breaches within an organization is employee negligence. Microsoft Office 365 Business users who are not well versed in cyber security threats are often deceived into opening emails received from fraudulent sources and downloading attached malicious content or clicking on phishing links.

To keep your employees well-informed about malicious threats, you are strongly recommended to adopt the following measures:

- Training employees: Appoint a cybersecurity training company to first educate employees on the dangers of malicious threats. The outsourced company then trains employees to recognize social engineering and phishing attacks, have a good understanding of their work device’s security options, and apply password best practices.

- Keeping employees up-to-date: Send emails about cybersecurity news to your employees, on a regular basis. The email can cover the latest malicious threats, a general overview of the methods used by attackers and companies that were recently hit by an attack.

Online security training within an organization is an ongoing process that involves putting in place a robust culture of security awareness. Employees need to be constantly informed about current threats and aware of the detrimental consequences a cyber attack may have on an organization's workflow.

4. Disable Auto-Forwarding for Email

Disabling security features like Multi-Factor Authentication in the admin center weakens your security posture and increases the probability of your Microsoft 365 credentials being compromised. Attackers can use compromised credentials to gain access to any Microsoft 365 applications within your Business plan, including your Exchange Online environment, and modify email rules and settings. Perpetrators often configure transport mail flow rules to duplicate messages and forward all received and sent emails to an external source.

The most crucial and preventative measure to take in this case is to disable the auto-forwarding functionality right from the Microsoft 365 admin center. Follow the steps provided below to stop auto-forwarding in Exchange Online:

  1. Go to Microsoft 365 admin center, and in the left sidebar navigation menu, click Exchange message trace.
  2. Click mail flow in the Exchange sidebar navigation menu.
  3. In the rules tab that appears, click + then click create new rule.
  4. In the popup window, click More options.
  5. Fill in the Name section.
  6. In Apply this rule if, select the sender>is external/internal from the dropdown menu. For the sender location, select inside the organization.
  7. Choose add condition, then from the drop-down menu, select the message properties>include the message type. In select message type, select Auto-forward.
  8. Open the Do the following drop-down, choose Block the message > reject the message and include an explanation.
  9. Fill in the specify rejection reason with your desired message. This message will appear when auto-forwarding is attempted.
  10.  Click Save at the bottom of the page.

5. Email Protection Against Phishing Attacks

Phishing is the most commonly used technique among cybercriminals to maliciously acquire sensitive information like login credentials and credit card details. To prevent phishing attempts, a global administrator can create a new anti-phishing policy in Defender for Office 365 or apply modifications to the default policy.

The anti-phishing feature in Microsoft 365 helps protect your organization’s email addresses and domains against impersonation and spoofing. With the built-in artificial intelligence functionality, Defender for Office 365 builds a database around your employees’ communication routine to improve the detection of malicious content.

Learn more about phishing and how to create an anti-phishing policy in my previous blog post on protecting Microsoft 365 against ransomware.

6. Dedicated Admin Accounts

Microsoft Office 365 administrative accounts are among the most desired targets for cybercriminals. The elevated privileges granted to admin accounts provide attackers with a direct path to system settings and valuable data, thus putting the entire Microsoft Office 365 tenant at risk. Therefore, admins should only use elevated privileges accounts to run administrative tasks and log in to a separate regular account to conduct non-administrative work.

Here are a few helpful tips that administrators should follow to keep their accounts safe:

  • Set up an administrative account with multi-factor authentication.
  • Run Microsoft 365 administrative tasks in the browser’s incognito mode.
  • Log out when your tasks are done and close the browser window.

7. Improve Anti-Malware Protection

Anti-malware in Microsoft 365 for Business offers protection against a wide range of malware types that are sent or received within your organization. An anti-malware policy is set by default in the Office 365 Security & Compliance center to catch malware but there are additional settings you can configure to improve the security posture of your Microsoft 365 environment. For example, you can set up Microsoft 365 to automatically block file types that are commonly used in malware attacks.

Follow the steps below to strengthen your anti-malware policy:

  1. Go to Office 365 Security & Compliance, and in the left sidebar navigation menu click Threat Management then click Policy.
  2. Under Policies, click Anti-malware.
  3. Click Default Policy and in the right pop-up menu scroll all the way down and click Edit protection settings.
  4. Under Protection Settings, check Enable the common attachments filter. Ten blocked file extensions will then appear under the box.
  5. Click Customize file types and check the extensions/file types you wish to add to your policy.
  6. Check Notify recipients when messages are quarantined as malware and type in the custom notification text in the box below to alert a user or employee when a suspicious file is detected.
  7. Check both boxes under Admin notifications and fill in the Admin email address in the correspondent boxes to notify an admin when a suspicious file is detected.
  8. Click Save.

8. Basic Mobility and Security

Protecting your organization's data when employees are accessing Microsoft 365 apps on their mobile devices is crucial. Microsoft has incorporated Basic Mobility and Security in the Security & Compliance Center to help you manage and secure your employees’ mobile devices. In Basic Mobility and Security, you can set device security policies and access permissions. As an admin, you can also remotely wipe the entire memory of a device in case a user’s phone or tablet got stolen or lost.

Devices such as Windows phones, Android compatible mobile devices, and iOS mobile devices can be managed through Basic Mobility and Security.

Basic Mobility and Security has the ability to:

  • Set and manage security policies, like device-level PIN lock and jailbreak detection.
  • Prevent non-compliant devices from accessing corporate email and data from the cloud.
  • Configure device settings.
  • Provision of a native email profile on a mobile device.

9. Safe Attachments

In a Microsoft 365 work environment, where attachments such as spreadsheets, documents, and other work-related files constantly travel back and forth between mailboxes, telling safe content apart from malicious threats can be tricky. Safe Attachments provides an extra layer of security to attachments that have already been scanned by the anti-malware feature. Configuring Safe Attachments, right from Office 365 Security & Compliance, helps in detecting malicious attachments before reaching the recipient’s mailbox.

Safe Attachments covers files in OneDrive, Microsoft Teams, and SharePoint. Unlike other previously mentioned policies, Safe Attachments is not turned on by default and needs to be activated by an administrator.

10. Third-Party Backup Solution

Even with all the security features provided in Microsoft 365, your data may still be at risk. New undetectable malicious attacks can still infiltrate your Microsoft 365 environment and compromise your data. To avoid both financial and reputational damage while trying to recover your data after an attack, adopt a third-party backup solution like NAKIVO Backup & Replication and reclaim full control over your Microsoft 365 data.

NAKIVO Backup & Replication offers reliable incremental backup for Exchange Online, OneDrive for Business, and SharePoint Online data. Use the solution to effortlessly back up and recover folders, files, sites, mailboxes, contacts, calendar items, and individual emails with just a few clicks. Get a whole year of Microsoft 365 Business data protection with the Free Edition of NAKIVO Backup & Replication! No strings attached.