You’re Vulnerable. And You Don’t Even Know It — Microsoft Office 365 Security Misconfigurations

Office 365 Security Assessment

The US Department of Homeland Security’s Cybersecurity Division, CISA, recently published a report on the state of security in Microsoft Office 365 implementations. The report echoes our findings over the last few years: many organizations adopted Office 365 without doing a proper assessment of their security needs and of how Office 365 should be configured to support them. While the report focuses on four critical vulnerabilities, we would argue there are many others that may not be as obvious but are at least as important.

Managing the Lifecycle of People Coming and Going in the Organization

Though this may seem obvious, you would be surprised how many organizations we assess that still have active accounts, both in Active Directory and Office 365, for people who have left the company. Not only are you paying unnecessarily for unused licenses, but you have left a hole through which someone can log in to your Office 365 tenant and interact with others by impersonating the departed employee.

A solution for consideration is automating at least the creation and removal of user accounts, driven by your HR system. It is not complex to do at a basic level, and it will undoubtedly help shut down this security hole.
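As an added illustration of that HR-driven reconciliation (not code from the article, and not tied to any HR or Microsoft product), the script below compares a constructed HR roster with a constructed tenant user export and lists accounts that should have been disabled or removed. The CSV layouts, column names and the 30-day retention window are assumptions.

```python
"""Reconcile an HR roster against an Office 365 user export to find leaver
accounts that are still enabled. CSV columns and retention window are assumed."""
import csv
import io
from datetime import date, timedelta

# Constructed sample data: an HR export and a tenant user export, as they might look.
HR_CSV = """employee_id,status,termination_date
E100,active,
E101,terminated,2024-01-15
E102,terminated,2024-05-30
E103,active,
"""
TENANT_CSV = """upn,employee_id,account_enabled,last_sign_in
alice@example.com,E100,True,2024-06-01
bob@example.com,E101,True,2024-05-28
carol@example.com,E102,False,2024-05-29
dave@example.com,E103,True,2024-06-02
contractor@example.com,,True,2024-04-01
"""

def load(text):
    return list(csv.DictReader(io.StringIO(text)))

def reconcile(hr_rows, tenant_rows, today, retention_days=30):
    """Return (leavers_still_enabled, orphans, past_retention) as lists of UPNs."""
    hr = {r["employee_id"]: r for r in hr_rows}
    today = date.fromisoformat(today)
    leavers, orphans, past_retention = [], [], []
    for u in tenant_rows:
        enabled = u["account_enabled"].strip().lower() == "true"
        rec = hr.get(u["employee_id"])
        if rec is None:
            if enabled:
                orphans.append(u["upn"])  # no HR owner, so nothing will ever trigger offboarding
            continue
        if rec["status"] == "terminated":
            term = date.fromisoformat(rec["termination_date"])
            if enabled:
                leavers.append(u["upn"])  # departed but can still log in: disable now
            elif today - term > timedelta(days=retention_days):
                past_retention.append(u["upn"])  # disabled long enough: reclaim licence / delete
    return leavers, orphans, past_retention

if __name__ == "__main__":
    l, o, p = reconcile(load(HR_CSV), load(TENANT_CSV), "2024-07-01")
    print("Leavers still enabled:", l)
    print("Enabled accounts with no HR record:", o)
    print("Disabled accounts past retention window:", p)
```

Run against real exports, the first two lists are the accounts to act on today; the third is where unused licences are still being paid for.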

Mail Hygiene is an Ongoing Battle, not a One-Time Configuration

While the Exchange Online Protection service is adequate for many companies, it may not be enough to protect your organization. User education must be ongoing, and complemented by regular testing of people’s willingness to click on anything in an email. Since not everyone in your organization has the same level of IT aptitude, inevitably some will click on phishing links if the mail reaches their inbox. They assume that the mail hygiene solution should be good enough to filter out these evil messages, and that if something hits their inbox, it’s good to go.

If you are struggling to stop people from clicking, then consider improving user education, or implementing a second level of mail hygiene from a third party. While the cost of an additional solution may be high, weigh it against the cost of a significant security breach.

Backup of Office 365

At first consideration, it may seem silly to back up a SaaS platform. After all, having software hosted is one way you don’t need to worry about backups or disaster recovery anymore, right? In the first years of Office 365 (and for those of you who remember it, BPOS), backing up Office 365 seemed unnecessary. However, as the use of the platform has matured, and the number of organization breaches has increased, the argument for backing up email, SharePoint, Teams, journals, and other components can now be made. What happens if someone uses one of those departed employee accounts that has not been removed, modifies a few SharePoint sites, or sends emails with confidential information outside of the organization and then deletes the sent emails? Recovering these items after the default purge period of Office 365 is impossible.

Wrapping it Up

In conclusion, we would suggest that if your organization didn’t go through a full design process, or didn’t have your security department ask the hard questions about the design, it may be worthwhile considering a revisit. There are hundreds of security settings, some obvious and some not so much, which can be implemented. Specialist organizations like ours offer security assessments of your tenant, and you can also use Secure Score as a tool to see best-practice-based recommendations to tighten things up. Consider also, if your organization is subject to privacy regulations like GDPR, PCI, or PIPEDA, mapping the compliance requirements against Office 365 settings. Maybe no one will thank you for it, but everyone will sleep better at night.
