5 Safety Tips To Keep Your Microsoft 365 Data Safe

Since organizations transitioned to work-from-home and hybrid working environments, Microsoft 365 data breaches have increased at a staggering pace. The numbers show that, regardless of industry or company size, M365 breaches may be more common than you think.

Cybercrime increased 600% due to the COVID-19 pandemic (PurpleSec)

Is Your Organization’s Data Secure?

As much as Microsoft 365 has been the trusted “go-to” platform for organizations worldwide, it may also be a not-so-hidden security liability for those that have chosen to ignore the vulnerabilities. The justification for looking the other way seems to increase with smaller businesses. The feeling that they are too small or don’t house enough data seems to rationalize the decision to overlook even the most basic security measures.

43% of recent cyber attacks directly targeted Small Businesses (fundera)

The truth is, cyber criminals also know that small businesses think this way. With sophisticated attack patterns, advanced tools, and unmonitored access to open networks, today’s cyber criminals are feasting on small businesses.

What Can You Do?

Microsoft 365 has created a huge blind spot for organizations that assume Microsoft itself fully takes care of security through updates and fixes. This is not the case. Hackers, ransomware, and accidental or malicious deletion are some examples of things that aren’t covered by M365’s native security services.

In the last 12 months, 85% of Microsoft users have experienced an email data breach. (Egress)

With new threats constantly emerging, there will never be a point where an organization can say that they are fully protected. What we can do is create layers and constantly update the security features that we do use in order to help protect our sensitive data.

Here are some simple tips to help you keep your Microsoft 365 Data Secure:

5 Tips to keep your M365 Data Secure and 5 Stats Why It’s Important

1) Limit/Disable Administrative Accounts

Most IT professionals would advise against creating admin accounts, simply because the consequences can be severe when an admin account is compromised. An open admin account can grant access to an organization’s entire system. If unauthorized access goes unseen, an attacker can freely authenticate and use privileges as they please.

Limiting your organization to only one Global Admin with 24/7 monitoring (or services such as Privileged Identity Management) can ensure all privileges and activity are closely controlled and monitored while still following security best practices. This practice should be strongly considered by any organization that doesn’t have the resources or ability to effectively monitor M365 accounts and usage on an ongoing basis.
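One way to check how many accounts currently hold the Global Administrator role is shown below. This is an added example, not code from the original article or from Microsoft; it assumes the Microsoft Graph PowerShell SDK is installed and that the signed-in account may read directory roles. `$MaxAdmins` is a hypothetical threshold taken from the single-admin advice above.

```powershell
# Added example: audit active Global Administrator assignments.
# Assumes the Microsoft.Graph PowerShell SDK; $MaxAdmins is a hypothetical
# policy threshold (default 1, per the article's advice).
param([int]$MaxAdmins = 1)

Connect-MgGraph -Scopes 'RoleManagement.Read.Directory', 'Directory.Read.All'

# Look up the activated directory role by its display name.
$role = Get-MgDirectoryRole -Filter "displayName eq 'Global Administrator'"
if (-not $role) { throw 'Global Administrator role not found in this tenant.' }

# Members come back as generic directory objects; the useful fields
# (type, name, UPN) are in AdditionalProperties.
$members = Get-MgDirectoryRoleMember -DirectoryRoleId $role.Id -All |
    ForEach-Object {
        [pscustomobject]@{
            Type        = $_.AdditionalProperties['@odata.type'] -replace '^#microsoft\.graph\.', ''
            DisplayName = $_.AdditionalProperties['displayName']
            UPN         = $_.AdditionalProperties['userPrincipalName']
            Id          = $_.Id
        }
    }

$members | Sort-Object Type, DisplayName | Format-Table -AutoSize

# Service principals and groups holding the role count too, not just users.
$count = @($members).Count
if ($count -gt $MaxAdmins) {
    Write-Warning "$count active Global Administrator assignments found; policy allows $MaxAdmins."
} else {
    Write-Output "$count active Global Administrator assignment(s); within policy."
}
```

This lists active assignments only; accounts that are merely eligible for the role through Privileged Identity Management do not appear until they activate it.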

75% of businesses believe they don’t have enough personnel to address their IT security. (Ponemon)

2) Configure Your Security Settings and Find your Microsoft Secure Score

M365 has several security settings that tenants can enable in order to bolster their M365 data protection. Within the new and improved Microsoft 365 security center, organizations can gain insights on their current level of protection by viewing their Microsoft Secure Score.

The Microsoft Secure Score measures an organization’s security posture and helps identify which areas need more improvement actions to better align with Microsoft’s security best practices. Based on an analysis of your group’s regular activity and your current security settings, it provides recommendations with steps on how to improve your score and establish a better security posture. Microsoft Secure Score will provide a full analysis of how to reduce the overall risks and vulnerabilities currently present within your organization.

Actions are organized into several groups:

  • Identity (Azure Active Directory accounts & roles)

  • Device (Microsoft Defender for Endpoint protection)

  • Apps (email and cloud apps, including Office 365 and Microsoft Cloud App Security)

Your lead account with administrative privileges will be able to view the score and configure your security settings accordingly. Utilizing this service not only helps recommend which security settings to turn on, but it may also show you settings that you may not have even known about.
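The Secure Score and its per-category breakdown can also be read programmatically. The following is an added example, not part of the original article; it assumes the Microsoft Graph PowerShell SDK is installed and that the signed-in account has been granted the `SecurityEvents.Read.All` permission.

```powershell
# Added example: read the latest Secure Score snapshot and summarize it
# by control category. Assumes the Microsoft.Graph PowerShell SDK.
Connect-MgGraph -Scopes 'SecurityEvents.Read.All'

# Fetch the most recent snapshots and keep the newest one.
$latest = Get-MgSecuritySecureScore -Top 5 |
    Sort-Object CreatedDateTime -Descending |
    Select-Object -First 1
if (-not $latest) { throw 'No Secure Score snapshot returned for this tenant.' }

# Overall score, guarding against an empty maximum.
$pct = if ($latest.MaxScore -gt 0) { $latest.CurrentScore / $latest.MaxScore } else { 0 }
'{0:yyyy-MM-dd}: {1:N0} of {2:N0} points ({3:P0})' -f @(
    $latest.CreatedDateTime, $latest.CurrentScore, $latest.MaxScore, $pct)

# Points earned per category, plus how many controls earn nothing yet.
$latest.ControlScores |
    Group-Object ControlCategory |
    ForEach-Object {
        [pscustomobject]@{
            Category          = $_.Name
            Controls          = $_.Count
            PointsEarned      = [math]::Round(($_.Group | Measure-Object Score -Sum).Sum, 1)
            ZeroScoreControls = @($_.Group | Where-Object { $_.Score -eq 0 }).Count
        }
    } |
    Sort-Object Category |
    Format-Table -AutoSize

# The individual controls that currently earn no points are the
# first candidates for improvement actions.
$latest.ControlScores |
    Where-Object { $_.Score -eq 0 } |
    Sort-Object ControlCategory, ControlName |
    Select-Object ControlCategory, ControlName |
    Format-Table -AutoSize
```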

37% of Canadian small businesses affected by a data breach estimate the attack cost over $100,000, while 20% (one in five) had no idea of the cost of the breach. (Insurance Bureau of Canada)

3) Update Your Data Loss Prevention Policy (DLP)

Although Microsoft 365 implements its own security and offers various tools and services to address many items we mention in this blog, many of the native safeguards are not robust enough to offer dynamic protection against the ever-changing threats that organizations are now facing. Consider the fact that remote workers are relying on email and virtual communication methods more now than ever before. This means most organizations are facing greater external data risks:

  • Accidental data exposure

  • Deletion/Data loss

  • Unauthorized access

  • Malicious threats.

Combined with breach reporting laws, insurance qualification requirements and the reputational costs at stake, these risks put even more pressure on organizations to consider the compliance & reporting and file-sharing policies they have in place.

On average, only 5% of companies’ folders are properly protected. (Varonis)

4) Raise The Level of Employee Awareness Training

This one is more of a continuation of updating your DLP. While guidelines and services can help block emails that might accidentally share sensitive data, employee awareness training is vital to help remote and in-house employees stay committed to a strong security-first culture. Microsoft tenants need to understand that continual education is necessary. Regardless of the extra layers of cyber security, policies and updates from Microsoft, things can still slip through the cracks, and ultimately it is a human who either clicks on something they shouldn’t have or uses sensitive materials in an unsafe manner.

The goal of Employee Awareness Training is to turn your weakest link into your strongest security asset.

95% of cybersecurity breaches are a result of human error (IBM Threat Intelligence Index)

5) Bolster Your Security Layers

Relying on business-grade antivirus alone isn’t exactly considered a robust approach to keeping Microsoft 365 data out of the hands of cyber criminals. But when you add layers of protection (along with employee awareness training), you can start to improve your cyber security posture and create barriers that bolster your defences.

Simple yet effective additions can be added with tools and services such as:

  • Turning on Multi-Factor Authentication (MFA) to provide two-step verification processes

  • Using Virtual Private Networks (VPN) when connecting remote devices

  • Utilizing Password Vaults to ensure complex passwords are safeguarded and not reused across platforms.

40% of small businesses experienced eight or more hours of downtime due to a cyber breach costing an average of $1.56 million in losses. (fundera)

Data breaches are rising at an alarming rate because cyber criminals understand where the low-hanging fruit is, and they continue to target M365 as a primary source of unguarded data amongst small businesses. Overall, M365 is still, without a doubt, a very productive and useful tool for businesses. However, organizations need to add security measures to make sure their data is securely accessed, managed, and monitored, especially while providing remote and hybrid working environments.

Take your Microsoft 365 Protection Further with Live Monitoring 24/7/365

Sophisticated security threats and modern working environments constantly put the security of our organizational networks at risk. That is why our business-grade services go above and beyond native security solutions.

Integrated Managed Detection & Response (MDR) helps you tackle:

  • 24/7/365 live monitoring

  • Added security

  • Threat Response

  • Stronger security policy enforcement

  • Reporting & Compliance configured for your organization

Find out how we can help protect your Microsoft Data with 365Protect. Designed to help you professionally manage and secure your M365 account, our powerful Microsoft 365 Security Software and Security Analysts actively monitor for threats, investigate alerts, eliminate false positives, and provide guided response and remediation for your organization.

