When companies begin using cloud platforms like Microsoft 365, many of them fail to change the security settings from their default state. They may think that they should already be set at “good” security levels or may not realize the additional options they have to safeguard their account.
As cloud use has grown, so has a security problem called misconfiguration. This doesn’t simply mean putting in the wrong settings in a cloud account, it means failing to use the security settings needed to stay protected.
The problem with misconfiguration is widespread. In a 12-month study over 2 million assets, it was found that misconfigured accounts were responsible for 82% of security vulnerabilities.
Verizon’s 2020 Data Breach Investigations Report noted that misconfiguration has grown in the last year and is now the #1 error-related cause of data breaches and one of the top 5 threat actions, along with things like stolen login credentials.
Is your Chicago business leaving your Microsoft 365 account at risk because you haven’t put the proper security settings in place?
Following are some of the most important settings that extend critical cybersecurity safeguards to your account.
1. Warn Users Before They Open a Macro File
One way that hackers plant malware is to hide it in a macro-enabled MS Office file. Unsuspecting users believe they’re opening a safe file because it’s a Word or Excel document, then the macro runs and infects their device.
Set up a warning message for users that triggers based upon known macro file types that tells users they could be opening a malware infected file.
- In the Exchange admin center, go to the mail flow category
- Add a new rule
- Click the bottom of the window to get a full set of options
- Name the rule
- Apply rule if: Any attachment, file extension matches a designation
- Add file types: dotm, docm, xlsm, sltm, xla, xlam, xll, pptm, potm, ppam, ppsm, sldm
- Add the action: Prepend a disclaimer
- Add message text: “Do not open these types of files—unless you were expecting them—because the files may contain malicious code and knowing the sender isn’t a guarantee of safety.”
2. Turn On Multi-Factor Authentication for Users
77% of all cloud account breaches are due to hacked or stolen passwords. Multi-factor authentication (MFA) is one of the most important settings you can use because it’s very effective at stopping fraudulent sign-in attempts, even if the hacker has the correct password.
According to Microsoft, MFA can stop 99.9% of these sign-in attempts designed to breach accounts.
To enable MFA:
- A global admin should visit the Microsoft 365 admin center
- Choose Show All in the left-side navigation, then Admin centers > Azure Active Directory
- Choose Properties
- At bottom, choose Manage Security Defaults
- Choose Yes to enable security defaults, then click save
3. Don’t Apply Global Admin Privileges to Users
Certain employees need to have global administrative privileges to access account activities in Microsoft 365, such as turning on MFA. But there is a more secure way to do this than to give each admin’s user account expanded privileges.
Instead, reduce your risk of an admin account being breached by setting up one dedicated global admin account. You do not need to purchase another license to do this. Then, administrators log into that one account when needed, and log back out when finished with admin activities.
Because the account is not used for email or other activities, it reduces the risk of the password being compromised. You also reduce the number of global admin accounts you have, further reducing account vulnerability.
4. Block File Attachments Known to Contain Malware
Phishing is the main cause of ransomware and other malware attacks, as well as data breaches. Phishing emails have only become more sophisticated and harder for users to discern from the real thing.
You can help your users avoid infecting your network by blocking email attachments that have file types known to be used for malware.
- Sign into the Security & Compliance Center
- Choose Threat Management > Policy > Anti-Malware
- Double-click to edit the policy
- Select Settings
- Select On under “Common Attachments Types Filter”
- Add additional files types to further beef up the security (recommendations below)
Microsoft recommends adding the following file types to the block list: ade, adp, ani, bas, bat, chm, cmd, com, cpl, crt, hlp, ht, hta, inf, ins, isp, job, js, jse, lnk, mda, mdb, mde, mdz, msc, msi, msp, mst, pcd, reg, scr, sct, shs, url, vb, vbe, vbs, wsc, wsf, wsh, exe, pif
Sign Up for Tailored Cybersecurity Services
ProdigyTeks offers customized cybersecurity action plans for small businesses in the Chicago area. Don’t leave your data at risk, ensure it’s protected whether on-premises or in the cloud!
Schedule a free phone consultation today! Call 312-600-8357 or reach us online.
Leave a Reply