Top 3 Tips for Rock-Solid Microsoft Office 365 Security

Microsoft Office 365 Security – Best Practices

Microsoft Office 365 is among the world’s most widely used software suites, and its popularity continues to grow. Organizations large and small can benefit from Office 365’s reliability, predictable monthly cost, and always-on convenience, which enables employees to be productive anywhere and everywhere. But will your data, intellectual property, and other valuable information assets truly be safe in the cloud? How can you be sure you have rock-solid Microsoft Office 365 Security?

Here at Edge Networks, we’ve seen firsthand how devastating the effects of an Office 365 breach can be. We’re also highly familiar with the world-class, enterprise-grade, security-hardened infrastructure that Microsoft maintains, and we understand the strength of their commitment to physical, logical, and data security.

We believe that your data can be at least as safe—if not safer—in Microsoft’s Office 365 cloud environment than it is when stored on premises. But we also know that the Microsoft Office 365 environment is highly customizable and configurable.

 


In the vast majority of cases, Office 365 breaches occur not because of vulnerabilities in Microsoft Office 365’s physical and network infrastructure—which is among the safest in the world—but because users or administrators have not properly configured their Office 365 tenant for security and threat management. Often, making a few small changes can go a long way when it comes to reducing the cybersecurity risks your business faces.

Here are a few quick-to-implement tips that can dramatically improve your safety and security while you continue to enjoy Office 365’s many benefits:

 

Tip #1: Notify users in the subject line of emails that come from outside the company

Email spoofing, which involves forging message header information to mislead the recipient about where it comes from, is more common than ever before. According to Verizon, email fraud accounts for more than 90% of cyberattacks targeting enterprises, and the FBI reports a 136% increase in business losses due to email fraud between 2016 and mid-2018. 


 

Anything you do to make it easier for users to spot a forged or fraudulent message will make your organization safer. In Microsoft Exchange Online or Office 365, you can prepend a tag like [EXT] or [EXTERNAL] to the subject of all incoming messages that originate outside your organization. This makes it easy for team members to identify messages that don’t come from the person who is said to have sent them, so that attempts at email spoofing will be glaringly obvious to their intended targets.

Adding a prepend to incoming messages from senders outside the company is easy to implement. It’s a low-cost, low-effort way to boost security, and thus it’s a very good idea.
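One way to set up the subject tag from Tip #1 is an Exchange Online mail flow rule. This is an added example, not Edge Networks' own configuration; the rule name is an assumption, and it needs the ExchangeOnlineManagement module and an Exchange administrator role.

```powershell
# Added example: needs the ExchangeOnlineManagement module and an Exchange admin role.
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline

$ruleName = 'Tag external senders in subject'   # assumed rule name
$tag      = '[EXTERNAL]'                        # tag text suggested in the tip

# Conditions and action shared by the create and update paths.
$settings = @{
    FromScope                    = 'NotInOrganization'  # sender is outside the tenant
    SentToScope                  = 'InOrganization'     # recipient is an internal mailbox
    PrependSubject               = "$tag "              # action: prefix the subject line
    ExceptIfSubjectContainsWords = $tag                 # do not stack tags on reply chains
}

# Create the rule once; on later runs, reset the existing rule to these settings.
$existing = Get-TransportRule | Where-Object { $_.Name -eq $ruleName }
if ($existing) {
    Set-TransportRule -Identity $ruleName @settings
} else {
    New-TransportRule -Name $ruleName @settings
}

# Confirm the rule is enabled and scoped as intended.
Get-TransportRule -Identity $ruleName |
    Format-List Name, State, FromScope, SentToScope, PrependSubject
```

A message that displays a colleague's name as the sender but still carries the tag arrived from outside the organization, which is the cue this tip relies on.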

 

Tip #2: Enable multi-factor authentication (MFA) for your organization’s Office 365 users.

This is probably the most important step you can take to protect all the accounts throughout your business from the consequences of password loss or theft. It adds a second layer of security to all user sign-ins and other system interactions. Microsoft makes it simple to set up MFA centrally for all users, though it can also be done individually.

Most people are familiar with multi-factor authentication because it’s widely used for consumer applications like online banking. They understand that they’ll need to check a secondary device, like their phone, for a code that enables them to access their sensitive personal or financial information. Office 365 supports authentication via mobile app, phone call, or SMS messaging.

Global surveys indicate that only about 20% of enterprise Office 365 users have set up MFA, despite the fact that password-based attacks are the most common reason for Office 365 account compromise. But the prevalence of these types of attacks means that enabling MFA is very much worthwhile. It’s a powerful means of protecting your account, your data, and the security of your entire organization.

 


Tip #3: Enable mailbox audit logging within your tenant

Business email compromise is a serious and ongoing threat. Even the best-informed and most careful employees can fall victim to spear-phishing or other social engineering tactics. Cybercriminals have used everything from fake invoices to keylogging software that steals users’ credentials to trick their targets into transferring funds to their bank accounts. 

By enabling mailbox audit logging, you’re essentially transforming your Office 365 tenant into a recording device that will track hackers’ every attempt at tricking, misleading, or deceiving your users via email. It’s a critically important forensic tool that will allow investigators to look back at all the login events and suspicious activities that occurred within mailboxes in your tenant.

The capacity to maintain these logs is built into Office 365, but audit logging has not always been enabled by default. Turning it on is a simple process, but it must be done ahead of time—you can’t search data from before the time you enabled audit logging capabilities. This is another area where thinking proactively about Office 365 configuration settings can make your business far more secure.
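The check-and-enable sequence for Tip #3, as an added example rather than Edge Networks' own procedure. It assumes Exchange Online PowerShell with an administrator role, and it also checks unified audit log ingestion on the assumption that this is what the audit search depends on.

```powershell
# Added example: run in Exchange Online PowerShell with an admin role.
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline

# 1. Organization default: AuditDisabled = $false means mailbox auditing is on.
if ((Get-OrganizationConfig).AuditDisabled) {
    Set-OrganizationConfig -AuditDisabled $false
}

# 2. Unified audit log ingestion (assumed here to back the audit search).
if (-not (Get-AdminAuditLogConfig).UnifiedAuditLogIngestionEnabled) {
    Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $true
}

# 3. Set the per-mailbox flag explicitly as well, so the setting does not
#    depend on the organization default alone.
$types = 'UserMailbox', 'SharedMailbox'
Get-Mailbox -ResultSize Unlimited -RecipientTypeDetails $types |
    Where-Object { -not $_.AuditEnabled } |
    ForEach-Object { Set-Mailbox -Identity $_.DistinguishedName -AuditEnabled $true }

# 4. Report the resulting state for the change record.
Get-OrganizationConfig  | Format-List AuditDisabled
Get-AdminAuditLogConfig | Format-List UnifiedAuditLogIngestionEnabled
Get-Mailbox -ResultSize Unlimited -RecipientTypeDetails $types |
    Sort-Object AuditEnabled |
    Format-Table UserPrincipalName, AuditEnabled, AuditLogAgeLimit -AutoSize
```

The AuditLogAgeLimit column in the report shows how long each mailbox keeps its audit entries, which bounds how far back an investigation can look.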

 

Conclusion

At Edge Networks, we’ve made many of our clients’ transition to the cloud easier and more secure. We have the know-how to help you prevent an Office 365 breach from devastating your business. To learn more about how to configure your Office 365 tenant to maximize productivity and security, contact us today for a free, 30-minute consultation.

 

While you’re here, check out our video to hear advice from our former CIO, Josh McKinney, on how to stay safe in Office 365. 

 

Boosting Productivity and Security with Single Sign-On Authentication

Save Time and Hassle with Single Sign-On Authentication (SSO)

If you’ve ever logged in to Candy Crush with your Facebook account, or confirmed your identity before making an online purchase by signing in via Amazon or Google, you’ve used single sign-on authentication. 

With single sign-on (SSO), a centralized user authentication service allows you to use one set of login credentials to access multiple applications or platforms. In other words, one website relies on another trusted site to verify your identity. 

It’s practical and convenient. Single sign-on can save you time and reduce the hassle of repeatedly resetting forgotten passwords. Because you need to remember fewer passwords overall, you’re more likely to choose longer, stronger, and more complex credentials—the kind that are more difficult for attackers to compromise. And you’ll probably make fewer help desk calls.

 

How Does Single Sign-On Authentication Work?

Single Sign-On systems were designed for security. Rather than passing your actual username and password between websites and apps, these services instead share an access token. An access token is like a notification of approval: it indicates that a user has been authenticated, and is authorized to perform certain functions, but access to their private data or credentials is not given. 

An access token works somewhat like a credit card transaction approval number. It’s a code or key that enables one website or application to use the services of another, without sharing all of your account details.

Most of the companies—including Microsoft, Facebook, Amazon, Twitter, and Google—that provide SSO login services to individuals rely on the same standard protocols. Called OAuth, these protocols are intended to be secure, simple, and highly standardized, making them suitable for widespread use. 

Businesses usually instead employ Security Assertion Markup Language (SAML) based protocols in their internal single sign-on access systems. With increasing numbers of small and mid-sized organizations making use of cloud-based services, using these SSO systems can improve security and make it easier for IT administrators to manage access to diverse web-based applications and resources. 

 


Is Single Sign-On Authentication Secure?

Generally speaking, single sign-on is no more or less secure than the centralized authentication service that you’re using. For instance, if you’re using Facebook to log in to third-party applications, your credentials are being stored in accordance with Facebook’s encryption standards, and access to your account information is governed by Facebook’s privacy policies.

Most SSO authentication providers are deeply concerned about security and devote a great deal of attention and resources to it. Their systems usually have extensive security measures in place and protect user passwords with strong encryption, so they can’t be accessed even if the provider’s systems are compromised.

In contrast, smaller e-commerce businesses usually don’t have the time or money to develop their own login and security systems, and those that do may not be able to implement systems that are as robust as those of major SSO providers. 

 

What Are the Drawbacks to Single Sign-On?

SSO establishes a single, centralized point of failure for multiple account logins. So if, say, Google stops working, you cannot access all the accounts that you usually log into with Google. And if Facebook suffers a data breach, hackers may be able to compromise the access tokens that Facebook issues as well. 

Because SSO increases the number of accounts and resources that you can gain access to from a single account’s login credentials, if that account gets compromised, a hacker might be able to gain access to more of your personal data or account information than if you weren’t using it. 

 


All in all, creating strong and unique passwords for each of your user accounts individually might well offer better security than SSO, but only if you can remember these passwords, change them regularly, and keep them long, unguessable, and made up of a good mix of numbers, letters, symbols, and special characters. In the real world, for the majority of users, single sign-on is likely to be a better solution.

 

What are Best Practices for Single Sign-On Security?

Implementing Single Sign-On Authentication has numerous benefits for businesses. It improves productivity and reduces password fatigue. Coupled with employee training, it can significantly improve overall password hygiene within your organization. SSO can also make it easier to introduce secure bring-your-own-device (BYOD) policies.

It’s important to select an SSO system that supports secure storage of authentication credentials and encryption keys. It’s also critical to ensure that you’ve properly segmented your network to protect your main identity service within your IT environment. 

Adding multi-factor authentication (MFA) to your SSO implementation can improve security significantly without compromising convenience. With MFA, users are required to verify their identity through additional means, such as via a second device or with a separate security token. MFA can be implemented for access to high-risk or sensitive systems only, or more broadly throughout your organization.

Here at Edge Networks, we have in-depth experience helping our clients balance their needs for security, usability, and convenience. To learn more about choosing a single sign-on solution for your business, contact us to schedule a free, 30-minute consultation, or take our free, self-guided IT Security Risk Assessment.

You can also watch this video to hear Josh McKinney, our former CIO, give a brief overview of this technology and how it can work for you.

Don’t Be the Next Company Sending Out a Notice of Data Breach Letter


Why do so many companies fail to take data security seriously? From what we have seen, companies fail to take cybersecurity seriously enough for the following reasons:

 

  • They believe that ensuring compliance with a security framework, such as FISMA or NIST, is enough.
  • They haven’t experienced a security breach in the past, so they don’t believe they’ll deal with a security breach in the future.
  • They don’t want to deal with the hassle and/or don’t have the knowledge to find and implement the right security solutions.

 

Does anything listed above sound familiar? Most businesses are surprised when reality strikes them and they must write their clients, consumers or patients a letter with the subject line: Notice of Data Breach.

To help you prepare in case disaster strikes, we have created a FREE Cybersecurity Incident Response Plan template that you can implement in your business, which you can find at the end of this post.

 

Yet another example of a company’s failure to take preventive measures against computer security breaches

Today that “Notice of Data Security Incident” letter came to me from The Oregon Clinic, and alarms went off in my head. For the past 2 ½ weeks, I have lived, breathed and dreamt about cybersecurity and what the implications are to a business that does not take the steps necessary to prevent these “incidents” from occurring in the first place. And now I am seeing it not only as it pertains to The Oregon Clinic, but to their patients.

Their letter starts like this: “I am writing to inform you of a data security incident that may have involved your personal information. At The Oregon Clinic, we take the privacy and security of your information very seriously. This is why I am contacting you, offering you identity monitoring services, and informing you about steps that can be taken to protect your personal information.”

 


It goes on to outline the when, what, and how they plan to resolve this “incident”.

  1. On March 9, 2018, The Oregon Clinic learned that an unauthorized third-party accessed an email account.
  2. The Oregon Clinic immediately disabled the account and began an investigation to determine what had occurred and whether protected health information (PHI) may have been affected.
  3. Cybersecurity experts were engaged, including a digital forensics firm, to determine the nature and extent of the incident.
  4. On April 19, 2018, the investigation determined that PHI may have been affected. This information included patient’s name, date of birth, and certain medical information (that may include medical record numbers, diagnosis information, medical condition, diagnostic tests performed, prescription information and/or health insurance information).
  5. They determined that the incident was restricted to one email account and did not affect any other aspect of The Oregon Clinic’s network.
  6. In addition to their investigation, they are offering additional steps patients can take to protect personal information. This is an identity monitoring service for 12 months at no cost through Experian.
  7. And, lastly, they give recommendations to protect your personal information (which is a long and arduous task, as anyone who has had their personal information/identity put at risk knows).

 

In an article by Scot Gudger, CEO at The Oregon Clinic, he issues the following statement to Health Data Management:

“We are very sorry this happened and apologize to the patients who have been affected by this incident. We value our patients and will continue to work closely with cybersecurity experts to remediate this situation, and, most importantly, are taking steps to help prevent similar incidents from happening in the future.”

 

This mindset of “Oh we’re sorry, and NOW we will take steps to prevent this” is becoming less and less acceptable in a world where hackers are always looking for that one company with an out-of-date AV or firewall, or no IDS/IPS, or the plain and simple mindset of “it won’t happen to us”.

Don’t let yourself become another number in the world of cyber-attack statistics. Your staff and customers deserve the best from you. 

If you’re looking to be more proactive in your cybersecurity incident response plan, we’ve created an outline of five critical components yours should have. Read more about it below.

If you’re unsure of whether or not your network is secure, take our free, self-guided IT Security Risk Assessment, or contact us today for a free, 30-minute consultation.

 

Download a Free Cybersecurity Incident Response Plan Template

Bulk configure handheld scanners Intermec CK3 via CloneNGo

Josh McKinney, chief technology officer with Edge Networks with a tip of the week. 

What I have in my hands here is an Intermec CK3. It is a bar code scanner that one of our clients uses to scan inventory and to also process orders for customers. 

One of the cool things that Edge Networks did: this device uses what’s called CloneNGo, an application that allows you to configure a master device with certain settings like Wi-Fi connectivity, applications, and other configuration settings…