
12 Questions To Evaluate The Security of your Microsoft 365 Tenant

If your organization uses Microsoft 365, it's safe to say this software is fundamental to the smooth running of your business. Popular Microsoft services like Excel, Outlook, Teams, and OneDrive form the core of your team’s day-to-day workflows, and without them, your business would struggle to function. 

The importance of these applications to your business is one reason it’s important to evaluate the security of your Microsoft 365 environment. But it’s far from the only reason: these software programs often contain highly confidential customer and business data that represents a goldmine for potential attackers. 

Investing in securing your Microsoft 365 environment is a crucial step toward strengthening your organization’s overall cybersecurity stance. Because of its widespread popularity, Microsoft 365 is frequently targeted by cyberattacks. For the sake of your employees, your customers, and your business, it’s vital to take every step possible to keep your internal networks and systems secure. 

However, it’s often difficult to know where to begin. Microsoft 365 tenants are complex, even in small and medium businesses (SMBs). They’re used by nearly every employee, reachable from any internet-connected device, and expose a wide attack surface: email, file sharing, identities, third-party app integrations and administrative settings, each of which attackers target in different ways. 

This guide serves as your starting point for evaluating the security levels of your Microsoft 365 environment. We’ll cover 12 questions organizational leadership and cybersecurity teams must ask themselves in order to evaluate the current security profile of their Microsoft 365 tenant. For each question, we’ll share an overview of the key concepts to think about and explore targeted cybersecurity strategies you can adopt to better protect your systems. 

1. Does your organization have data residing within Microsoft 365?

It’s extremely likely that your organization has data that resides within your Microsoft 365 environment. There are various types of data that commonly reside within Microsoft 365, including customer data, personal data, administrator data, and more. 

Much of this data is highly sensitive: mailboxes, SharePoint sites and OneDrive folders commonly hold customer files, personal details for your employees, contracts and financial records. Data breaches are serious incidents with long-lasting consequences, and they are common: a 2021 study found that 85% of organizations that use Microsoft 365 had experienced an email data breach.

Because breaches are so common, it’s crucial to know what data your organization keeps in Microsoft 365 and where it lives. Microsoft Purview’s data classification and sensitivity labels help you inventory and tag sensitive content, so that in the event of a security incident you can quickly identify which data was exposed, meet any notification obligations, and recover it.  

2. Does your organization back up files, emails, and other data residing in Microsoft 365?

To limit the damage from data breaches, ransomware and plain human error, many organizations back up all data that resides in their Microsoft 365 tenants. Storing data in the cloud protects it against hardware failure, not against deletion: under Microsoft’s shared responsibility model your data remains your responsibility, and items a user or attacker deletes are only recoverable for as long as recycle-bin and retention windows allow. If an attacker using a compromised account, or an administrator making a mistake, wipes or encrypts content, a backup you control is what gets it back.

The best approach is to automate the backup of all important data. This not only saves your IT team countless hours manually backing up data; it also minimizes the possibility of mistakes. Consider exploring third-party data backup solutions: these keep a copy outside the tenant, so a compromised administrator account cannot delete the backups along with the originals, and they allow you to customize data retention policies to suit the needs of your organization. 

Don’t forget to pay attention to industry regulations. Some heavily regulated industries, like healthcare and financial services, have specific rules that govern data retention periods. It’s the responsibility of the IT team to ensure your organization stays in compliance with these at all times. 

3. Does your organization actively monitor your Microsoft 365 environment for security issues?

Microsoft 365 is an attractive target for hackers, and it’s only become a more popular target as increasing numbers of organizations have shifted toward remote or hybrid working models. Would you know if your Microsoft 365 tenant has been compromised? How quickly would you know and be able to respond?

There are several ways to track this. Microsoft 365 has monitoring built in (we’ll explore the protective features next; on the detection side the key sources are the unified audit log, Entra ID sign-in and audit logs, Defender alerts and Secure Score), but logs only help if someone reviews them and they are retained long enough to investigate. Third-party approaches include Managed Detection and Response (MDR): a service that ingests those signals, triages alerts around the clock, and provides expert support in containing and resolving incidents.  
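The following is an added example, not code from the original post, of the kind of review a monitoring program should include: a hunt through the unified audit log for newly created or modified inbox rules that forward mail outside the organization or hide messages, which is one of the most common things an attacker does with a compromised mailbox. It assumes the ExchangeOnlineManagement module, an account holding the View-Only Audit Logs role, and that contoso.com and contoso.onmicrosoft.com are your accepted domains (placeholders).

```powershell
# Added example (not from the original post): hunt the Microsoft 365 unified audit log
# for inbox rules that forward, redirect or hide mail. Requires the
# ExchangeOnlineManagement module; domain names below are placeholders.
Connect-ExchangeOnline

$internalDomains = @('contoso.com', 'contoso.onmicrosoft.com')   # assumption: your accepted domains
$end   = Get-Date
$start = $end.AddDays(-7)

# New-InboxRule / Set-InboxRule are recorded by Exchange admin auditing with the cmdlet
# parameters attached. One page of 5000 results is enough for most SMB tenants.
$records = Search-UnifiedAuditLog -StartDate $start -EndDate $end `
    -Operations New-InboxRule, Set-InboxRule -ResultSize 5000

$suspicious = foreach ($r in $records) {
    $data = $r.AuditData | ConvertFrom-Json

    # Parameters is an array of Name/Value pairs; flatten it into a hashtable.
    $p = @{}
    foreach ($param in $data.Parameters) { $p[$param.Name] = $param.Value }

    # Any forwarding/redirect target whose domain is not ours is a red flag.
    $targets = @($p['ForwardTo'], $p['ForwardAsAttachmentTo'], $p['RedirectTo']) | Where-Object { $_ }
    $externalForward = foreach ($t in $targets) {
        foreach ($m in [regex]::Matches($t, '[\w.+-]+@[\w.-]+\.\w+')) {
            $domain = ($m.Value -split '@')[-1].ToLower()
            if ($domain -notin $internalDomains) { $m.Value }
        }
    }

    # Rules that delete, mark as read, or file mail into rarely-viewed folders are used
    # to hide the attacker's conversation (for example a fake invoice thread) from the victim.
    $hides = ($p['DeleteMessage'] -eq 'True') -or
             ($p['MarkAsRead'] -eq 'True') -or
             ($p['MoveToFolder'] -match 'RSS|Archive|Conversation History|Junk')

    if ($externalForward -or $hides) {
        [pscustomobject]@{
            Time      = $data.CreationTime
            User      = $data.UserId
            Operation = $data.Operation
            RuleName  = $p['Name']
            ClientIP  = $data.ClientIP
            ForwardTo = ($externalForward -join ', ')
            HidesMail = $hides
        }
    }
}

$suspicious | Sort-Object Time | Format-Table -AutoSize
```

Rules created from the Outlook desktop client are logged as UpdateInboxRules with a different record shape, so extend the filter once you have seen one in your tenant; and for tenants with more than 5000 matching events in a week, page through results with -SessionCommand ReturnLargeSet. The same hunt is worth scheduling weekly, because a rule that forwards to an external address is often the only durable trace of a mailbox compromise after the attacker’s session has ended.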

If you lack the expertise to manage your cybersecurity infrastructure internally, working with a Managed Cybersecurity Service Provider represents a great fit for many SMBs. Think of this as outsourcing your cybersecurity needs to an expert provider – giving you peace of mind your security needs are being taken care of. 

4. Has your organization implemented Microsoft 365 Exchange Online Protection?

Exchange Online Protection, more commonly known as EOP, is the cloud-based filtering service included with every Exchange Online mailbox and the foundation of Microsoft 365 email security. All inbound and outbound mail passes through its connection filtering, anti-malware, anti-spam and anti-phishing layers, and messages that fail are quarantined, moved to Junk or rejected before they reach users’ inboxes. EOP is built to stop high-volume, commodity threats: spam, bulk mail, known malware and mass phishing campaigns. Targeted spear phishing, which is low-volume and crafted for a specific recipient, is exactly what slips past volume-based filtering; defending against it is the job of the Defender for Office 365 features covered in the next question. 

EOP comes with a range of preconfigured security settings built in, but IT teams commonly find it beneficial to customize these to the needs of their own organization. Settings that are commonly tightened include the actions taken at each spam confidence level, the bulk complaint threshold, quarantine retention, and the outbound policy that decides whether mailboxes may auto-forward to external domains. If you’re unsure whether EOP is correctly configured, consider partnering with an IT consulting firm to ensure you’re following current best practices. 
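As an added example (not from the original post), here is how the customization described above looks in Exchange Online PowerShell: first read what the Default anti-spam policy currently does, then apply a commonly used hardened baseline. The chosen values are this example’s assumptions, not Microsoft’s defaults; adjust them for your tenant.

```powershell
# Added example (not from the original post): review and harden the default EOP
# anti-spam policies. Requires the ExchangeOnlineManagement module and an Exchange
# admin role. The values below are an assumed hardened baseline, not Microsoft defaults.
Connect-ExchangeOnline

# 1. Inbound: what the tenant does today. Out of the box, spam and bulk mail usually go
#    to the Junk folder and the bulk threshold sits at a permissive 7.
Get-HostedContentFilterPolicy -Identity Default |
    Format-List SpamAction, HighConfidenceSpamAction, PhishSpamAction,
                HighConfidencePhishAction, BulkSpamAction, BulkThreshold,
                QuarantineRetentionPeriod, ZapEnabled

# 2. Inbound: quarantine anything EOP is confident about, tighten the bulk threshold
#    (1 = strictest, 9 = most permissive), keep quarantined mail long enough to triage,
#    and let zero-hour auto purge pull already-delivered mail once it is reclassified.
Set-HostedContentFilterPolicy -Identity Default `
    -SpamAction MoveToJmf `
    -HighConfidenceSpamAction Quarantine `
    -PhishSpamAction Quarantine `
    -HighConfidencePhishAction Quarantine `
    -BulkSpamAction MoveToJmf `
    -BulkThreshold 6 `
    -QuarantineRetentionPeriod 30 `
    -ZapEnabled $true

# 3. Outbound: the default outbound policy allows automatic forwarding to external
#    domains, which is how attackers quietly exfiltrate mail from a compromised mailbox.
#    Turn it off tenant-wide and grant exceptions through a separate policy if needed.
Set-HostedOutboundSpamFilterPolicy -Identity Default -AutoForwardingMode Off

# 4. Verify the outbound change took effect.
Get-HostedOutboundSpamFilterPolicy -Identity Default | Format-List AutoForwardingMode
```

Run the Get- commands again after the change and keep the output with your change record; a policy that drifts back to defaults (or a newly created custom policy with higher priority that overrides it) is easy to miss without a baseline to compare against.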

Related: Exchange Online Protection Security Overview

5. Has your organization implemented Microsoft Defender for Office 365?

One of the most effective ways to raise the security of your Microsoft 365 tenant is to license and configure Microsoft Defender for Office 365 (formerly Office 365 Advanced Threat Protection). Despite the name, this is not the Windows antivirus product: it is a cloud service that extends EOP with protections for email, Teams, SharePoint and OneDrive. It is sold in tiers, building on EOP:

  • Exchange Online Protection (EOP): the baseline filtering included with every Exchange Online mailbox, covering spam, bulk mail, known malware and commodity phishing.
  • Microsoft Defender for Office 365 Plan 1: adds Safe Attachments (sandbox detonation of attachments, including files in SharePoint, OneDrive and Teams), Safe Links (time-of-click URL checking that catches links weaponized after delivery), and anti-phishing policies with user and domain impersonation protection aimed at spear phishing and business email compromise. 
  • Microsoft Defender for Office 365 Plan 2: everything in Plan 1 plus investigation and response tooling for security teams (Threat Explorer, automated investigation and response, campaign views) and Attack simulation training, which runs phishing simulations against your own users and assigns training to those who click.  

EOP comes with any Exchange Online mailbox. Plan 1 is included in Microsoft 365 Business Premium and Plan 2 in Microsoft 365 E5 and Office 365 E5; other plans need it purchased as an add-on. Check Billing > Your products in the Microsoft 365 admin center to see which tier your tenant actually holds before assuming these protections are in place, and remember that a license only grants the capability: the Safe Attachments, Safe Links and anti-phishing policies still have to be created and scoped to your users. 

Learn More: Microsoft Defender for Microsoft 365: Security Guide

6. Does your organization have multi-factor authentication (MFA) enabled for administrators of the Microsoft 365 environment?

Enabling multi-factor authentication is vital when it comes to protecting organizations against the potential fallout of compromised credentials. This is particularly true for administrators: employees who have the ability to add new accounts, change passwords, update the permissions of other administrators, and much more. 

If an administrator account is compromised, it could spell disaster for your organization. These accounts are supremely powerful, usually belonging to IT leaders who use them to configure every element of your IT infrastructure. Fortunately, MFA is simple to enable and is one of the most effective controls against account takeover: Microsoft reported in 2019 that more than 99.9% of the compromised accounts in its telemetry did not have MFA enabled. For administrators, go beyond the baseline: require phishing-resistant methods (FIDO2 security keys, Windows Hello for Business or certificate-based authentication) rather than SMS or voice codes, give administrators separate cloud-only admin accounts that are never used for email or browsing, and keep one or two emergency-access (break-glass) accounts excluded from Conditional Access but alerted on for any sign-in. 

7. Does your organization have MFA enabled for all users of the Microsoft 365 environment?

It’s not just administrators who should use MFA; it should be required for every user who signs in to the Microsoft 365 environment. The baseline is MFA for all users, which Microsoft’s free Security Defaults enforce with a single switch. Conditional Access (included with Entra ID P1) lets you reduce friction without lowering that baseline: you can suppress repeated prompts on compliant, managed devices or from trusted locations, and layer stricter requirements on top, such as blocking sign-ins that Identity Protection flags as high-risk or demanding phishing-resistant methods for access to systems holding highly confidential data. Requiring MFA only for risky sign-ins is a supplement to the baseline, not a substitute for it, because risk detection does not catch every credential-stuffing or phishing attempt.  

There are various ways to roll MFA out to employees, but a focus on training during the rollout phase is essential. Not all second factors are equal: SMS codes and voice calls can be intercepted through SIM swapping and are trivially relayed by real-time phishing proxies, and push notifications invite MFA-fatigue attacks unless number matching is on. Prefer the Microsoft Authenticator app with number matching, or FIDO2 security keys and Windows Hello for Business where devices allow, and treat SMS and voice as fallbacks to be phased out rather than equal options. To easily implement best practices for company-wide MFA, consider adding our Managed Security Service for Microsoft 365.
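As an added example covering questions 6 and 7 together (this is not code from the original post), the two Conditional Access policies below implement the layered approach described above with the Microsoft Graph PowerShell SDK: MFA for every user, and the built-in “Phishing-resistant MFA” authentication strength for Global Administrators, so that SMS or voice-call MFA is not accepted for privileged sign-ins. Both are created in report-only mode so you can review their effect in the sign-in logs before enforcing them. It assumes an Entra ID P1 license, the Microsoft.Graph modules, and a placeholder object ID for your break-glass account.

```powershell
# Added example (not from the original post): Conditional Access policies for MFA
# (all users) and phishing-resistant MFA (Global Administrators), created in
# report-only mode. Requires Entra ID P1 and the Microsoft.Graph PowerShell SDK.
Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess', 'Policy.Read.All', 'Directory.Read.All'

# Assumption: object ID of your emergency-access (break-glass) account, excluded from both policies.
$breakGlass = '00000000-0000-0000-0000-000000000000'

# Look up the role template and the built-in authentication strength by name rather
# than hard-coding their IDs.
$gaRole   = Get-MgDirectoryRoleTemplate | Where-Object DisplayName -eq 'Global Administrator'
$strength = Get-MgPolicyAuthenticationStrengthPolicy | Where-Object DisplayName -eq 'Phishing-resistant MFA'

# Policy 1 (question 7): any MFA method for all users on all cloud apps.
$allUsers = @{
    displayName = 'CA001 - Require MFA for all users'
    state       = 'enabledForReportingButNotEnforced'   # change to 'enabled' after reviewing sign-in logs
    conditions  = @{
        users          = @{ includeUsers = @('All'); excludeUsers = @($breakGlass) }
        applications   = @{ includeApplications = @('All') }
        clientAppTypes = @('all')
    }
    grantControls = @{ operator = 'OR'; builtInControls = @('mfa') }
}
New-MgIdentityConditionalAccessPolicy -BodyParameter $allUsers

# Policy 2 (question 6): Global Administrators must satisfy the phishing-resistant
# authentication strength (FIDO2, Windows Hello for Business, certificate-based auth).
$admins = @{
    displayName = 'CA002 - Phishing-resistant MFA for Global Administrators'
    state       = 'enabledForReportingButNotEnforced'
    conditions  = @{
        users          = @{ includeRoles = @($gaRole.Id); excludeUsers = @($breakGlass) }
        applications   = @{ includeApplications = @('All') }
        clientAppTypes = @('all')
    }
    grantControls = @{
        operator               = 'OR'
        authenticationStrength = @{ id = $strength.Id }
    }
}
New-MgIdentityConditionalAccessPolicy -BodyParameter $admins

# Confirm both policies exist and are in report-only mode.
Get-MgIdentityConditionalAccessPolicy | Where-Object DisplayName -like 'CA00*' |
    Format-Table DisplayName, State
```

Leave the policies in report-only mode for a week or two and review the “Report-only” tab on sign-ins in the Entra admin center: every sign-in that would have been blocked is a user or service account you need to enroll or exclude before flipping the state to enabled. Tenants without Entra ID P1 can get the question 7 baseline by turning on Security Defaults instead; the admin-specific strength requirement in policy 2 needs Conditional Access.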

8. Has your organization implemented network-based URL filters, including category-based, reputation-based, or block lists? Are these filters enabled for all enterprise assets?

Network-based URL filters act as an organizational insurance policy against the potential impact of their employees falling prey to common phishing scams. These filters work by cross-referencing web traffic on an organization's network against databases of sites that are known to be dangerous. When an employee tries to access a dangerous site, access is blocked. There are several ways to do this:

  • Category-based: these filters block employees from accessing certain categories of websites, such as gambling sites, dating sites, or sites with mature content.
  • Reputation-based: this method blocks websites based on a reputation score for the URL or domain, built from signals such as domain age, hosting history and prior malware or phishing sightings. Sites with a low score have been observed behaving suspiciously and have a high likelihood of hosting malware or credential-harvesting pages.
  • Block lists: administrators can also block access to a pre-selected list of websites that are known to contain harmful content. Using threat intelligence tools is one way to keep track of these sites. 

If you're implementing network-based URL filters, it’s important to make sure that these are enabled for all enterprise assets. That includes company laptops, smartphones, and any other devices employees use to access your Microsoft 365 tenant. 

9. Does your organization restrict (either through uninstalling or disabling) the use of unauthorized or unnecessary browser or email client plugins, extensions, or add-on applications?

Employees may install browser extensions and email plug-ins for legitimate reasons. One example would be a sales manager that installs an email plug-in that links their inbox with their organization's Customer Relationship Management software, helping them to better keep track of their leads. 

But sometimes, employees will install plugins, extensions, and add-on applications that present a security risk, either because the add-on itself is malicious or because it requests broad permissions (reading every page visited, or full access to the mailbox) that it then abuses or leaks. Most of the time, employees won’t even realize their mistake, underscoring the importance of security awareness training.

Regardless of how well your employees are trained, it still makes sense to restrict the use of plugins, extensions, and add-on applications to a pre-approved list, and to uninstall or disable those not on the list. 

10. Has your organization implemented DMARC policy and verification, SPF, and DKIM to defend against business email compromise?

Microsoft 365 validates inbound mail against three DNS-based email authentication standards, but protecting your own domain from being spoofed requires you to publish the records yourself in your domain’s DNS; EOP cannot do that for you. There are three standards to be aware of:

  • Sender Policy Framework (SPF): a DNS TXT record on your domain listing the mail servers, by IP address or include: reference, that are authorized to send on its behalf. For Microsoft 365 this is typically “v=spf1 include:spf.protection.outlook.com -all”. A receiving server checks the connecting sender against this list; the “-all” suffix tells it to fail anything else, whereas “~all” only soft-fails it.
  • DomainKeys Identified Mail (DKIM): the sending server signs selected headers and the message body with a private key and adds a DKIM-Signature header; the matching public key is published in DNS under <selector>._domainkey.<domain>, so the receiver can verify the message was not altered in transit and was signed by the domain’s key holder. In Microsoft 365 you publish two CNAME records (selector1 and selector2) pointing into your tenant’s onmicrosoft.com zone and then enable signing for the domain in Exchange Online.
  • Domain-based Message Authentication, Reporting and Conformance (DMARC): a DNS TXT record at _dmarc.<domain> that ties SPF and DKIM to the domain shown in the visible From: header (alignment) and tells receivers what to do with mail that fails: p=none (monitor only), p=quarantine (deliver to spam or quarantine), or p=reject. The rua= tag names a mailbox for aggregate reports, which is how you find the legitimate third-party senders you forgot about before moving from none to reject. 

These three controls defeat exact-domain spoofing only. A business email compromise sent from a lookalike domain the attacker registered, or from a legitimate account the attacker has taken over, passes SPF, DKIM and DMARC, so pair them with the impersonation protection in Defender for Office 365 anti-phishing policies and with MFA.
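As an added example, not code from the original post, the function below resolves a domain’s SPF, DKIM and DMARC records and summarizes whether they are present and enforcing, followed by the records a correctly configured Microsoft 365 domain publishes. It assumes Windows PowerShell (Resolve-DnsName comes from the DnsClient module), that the domain uses the two Microsoft 365 DKIM selectors, and uses contoso.com as a placeholder domain.

```powershell
# Added example (not from the original post): check SPF, DKIM and DMARC for a domain.
# Resolve-DnsName is in the Windows DnsClient module; 'contoso.com' is a placeholder.
function Test-MailAuthRecords {
    param(
        [Parameter(Mandatory)] [string] $Domain,
        [string[]] $DkimSelectors = @('selector1', 'selector2')   # the two selectors Microsoft 365 uses
    )
    $result = [ordered]@{ Domain = $Domain }

    # SPF: a TXT record at the domain apex beginning "v=spf1". Exactly one must exist;
    # two SPF records is a permanent error that makes every check fail.
    $spf = @(Resolve-DnsName -Name $Domain -Type TXT -ErrorAction SilentlyContinue |
             Where-Object { ($_.Strings -join '') -like 'v=spf1*' })
    $result.Spf = if ($spf.Count -eq 1) { $spf[0].Strings -join '' }
                  else { "MISSING or duplicate ($($spf.Count) records)" }
    $result.SpfHardFail = [bool]($result.Spf -match '\s-all$')   # "~all" only soft-fails spoofed mail

    # DKIM: Microsoft 365 publishes CNAMEs at <selector>._domainkey that point into the
    # tenant's onmicrosoft.com zone, where the actual public key record lives.
    $result.Dkim = foreach ($s in $DkimSelectors) {
        $rec = Resolve-DnsName -Name "$s._domainkey.$Domain" -Type CNAME -ErrorAction SilentlyContinue
        if ($rec) { "$s -> $($rec.NameHost)" } else { "$s MISSING" }
    }

    # DMARC: TXT at _dmarc.<domain>. p= is what receivers do with unaligned mail,
    # rua= is where aggregate reports are sent. p=none monitors and protects nothing.
    $dmarcTxt = Resolve-DnsName -Name "_dmarc.$Domain" -Type TXT -ErrorAction SilentlyContinue |
                ForEach-Object { $_.Strings -join '' } |
                Where-Object { $_ -like 'v=DMARC1*' } |
                Select-Object -First 1
    $result.Dmarc = if ($dmarcTxt) { $dmarcTxt } else { 'MISSING' }

    $tags = @{}
    if ($dmarcTxt) {
        foreach ($kv in ($dmarcTxt -split ';')) {
            $k, $v = ($kv.Trim() -split '=', 2)
            if ($k) { $tags[$k.Trim()] = $v }
        }
    }
    $result.DmarcPolicy    = $tags['p']
    $result.DmarcEnforcing = $tags['p'] -in @('quarantine', 'reject')
    $result.DmarcReports   = [bool]$tags['rua']
    [pscustomobject]$result
}

Test-MailAuthRecords -Domain 'contoso.com' | Format-List

# What a correctly configured Microsoft 365 domain publishes in DNS (placeholders):
#   contoso.com                       TXT    "v=spf1 include:spf.protection.outlook.com -all"
#   selector1._domainkey.contoso.com  CNAME  selector1-contoso-com._domainkey.<tenant>.onmicrosoft.com
#   selector2._domainkey.contoso.com  CNAME  selector2-contoso-com._domainkey.<tenant>.onmicrosoft.com
#   _dmarc.contoso.com                TXT    "v=DMARC1; p=quarantine; rua=mailto:dmarc-reports@contoso.com"
#
# The exact CNAME targets for your tenant come from Exchange Online, and signing has to be
# switched on there once the CNAMEs resolve:
#   Connect-ExchangeOnline
#   Get-DkimSigningConfig -Identity contoso.com | Format-List Selector1CNAME, Selector2CNAME
#   Set-DkimSigningConfig -Identity contoso.com -Enabled $true   # or New-DkimSigningConfig if none exists
```

Run the check against every domain that sends mail, including marketing and transactional senders, and read the DMARC aggregate reports for a few weeks at p=none before raising the policy; the reports will show you the third-party services (ticketing, payroll, newsletters) that also need to be added to SPF or sign with DKIM, otherwise p=reject silently drops their mail.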

11. Does your enterprise block unnecessary file types attempting to enter the enterprise's email gateway?

In addition to the above security policies, it’s also possible to block certain types of attachments from being sent to your employees. Determining which types of attachments to block is situational and should be driven by the way your employees typically use their email accounts. 

For example, some organizations reject inbound messages with attachments over a certain size, which in Microsoft 365 is done with a mail flow (transport) rule rather than an anti-malware setting. More importantly, use the common attachments filter in the anti-malware policy to quarantine executable and script types (.exe, .js, .vbs, .ps1, .scr, .hta and similar) that are routinely used to deliver malware. Attackers know these are blocked, so also consider the containers that carry them: .iso and .img disk images, .lnk shortcuts, and password-protected archives that no filter can inspect. Blocking at the gateway means these files never reach a user who might double-click them. 

12. Has your enterprise deployed an email-server anti-malware protection technology, including attachment scanning and/or sandboxing?

Adopting additional security technologies that protect your email server against malware is an important investment, adding an additional layer of protection against the most common attack vector: email. 

The best technologies combine signature-based attachment scanning with sandboxing, also called detonation: opening a suspicious attachment or URL in an isolated virtual machine and observing what it does before the message is released to the user, which catches malware no signature yet exists for. In Microsoft 365 this is the Safe Attachments and Safe Links capability of Defender for Office 365 Plan 1 and above; EOP on its own scans for known malware but does not detonate unknown files. 
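As an added example for questions 11 and 12 (not code from the original post), the Exchange Online PowerShell below applies the three controls just described: the common attachments filter, a mail flow rule for oversized attachments, and a Safe Attachments policy that detonates unknown files before delivery. The file type list and size limit are this example’s assumptions; contoso.com is a placeholder, and Safe Attachments requires a Defender for Office 365 Plan 1 or Plan 2 license.

```powershell
# Added example (not from the original post): block risky attachment types at the EOP
# gateway and enable Safe Attachments sandboxing. Requires the ExchangeOnlineManagement
# module; Safe Attachments needs Defender for Office 365 Plan 1 or 2. 'contoso.com' is a placeholder.
Connect-ExchangeOnline

# 1. Common attachments filter in the default anti-malware policy. The list is an
#    assumption covering executables, scripts, disk images and shortcut files commonly
#    used for malware delivery. Quarantine (not Reject) lets admins release false positives.
$blockedTypes = @('ade','adp','app','bat','chm','cmd','com','cpl','exe','hta','img','inf','ins',
                  'iso','isp','jar','js','jse','lib','lnk','mde','msc','msi','msp','mst','pif',
                  'ps1','scr','sct','shb','sys','vb','vbe','vbs','vxd','wsc','wsf','wsh')

Set-MalwareFilterPolicy -Identity Default `
    -EnableFileFilter $true `
    -FileTypes $blockedTypes `
    -FileTypeAction Quarantine `
    -ZapEnabled $true

# 2. Size limits are a mail flow rule, not an anti-malware setting. This one applies to
#    mail from outside the organization only (assumed 25 MB limit).
New-TransportRule -Name 'Reject inbound attachments over 25 MB' `
    -FromScope NotInOrganization `
    -AttachmentSizeOver 25MB `
    -RejectMessageReasonText 'Attachments over 25 MB are not accepted; please share a link instead.'

# 3. Safe Attachments: detonate attachments with no known verdict in a sandbox before
#    delivery. Block drops the message when detonation finds malware; Redirect $false
#    means blocked messages are not copied to an admin mailbox.
New-SafeAttachmentPolicy -Name 'Safe Attachments - all users' `
    -Enable $true `
    -Action Block `
    -Redirect $false

New-SafeAttachmentRule -Name 'Safe Attachments - all users' `
    -SafeAttachmentPolicy 'Safe Attachments - all users' `
    -RecipientDomainIs 'contoso.com'

# 4. Verify what is actually in force.
Get-MalwareFilterPolicy -Identity Default | Format-List EnableFileFilter, FileTypeAction, FileTypes
Get-SafeAttachmentPolicy | Format-List Name, Enable, Action
```

Test the file type filter by sending yourself a renamed .txt file with a blocked extension from an external mailbox and confirming it lands in quarantine; then review the quarantine weekly, because the first week of a new filter usually surfaces a legitimate business process (a vendor who still emails installers, say) that needs an exception or a different delivery path.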

Partner with Tech Heads to Secure Your Microsoft 365 tenant

Microsoft 365 security is a complex matter, and it’s vital to take a comprehensive approach that ensures your system is adequately protected. If you lack the specialized skills to do that internally or simply do not have the bandwidth, Tech Heads is here to help. 

We’ve partnered with Microsoft to identify the highest leverage security controls and make them available to our partners in three distinct service levels. With a team of experienced cybersecurity consultants and a 25-year track record, we’re on hand to harden your Microsoft 365 tenant and protect your organization against attackers. 


Get a Free Microsoft 365 Consultation