01 May 2019

Office 365 and Cybersecurity

Office 365 is arguably the finest Business Productivity suite ever created. From email to instant messaging, video and audio conferencing, file storage/sharing, automation, workflows and more, it's a business powerhouse if leveraged properly. However, as with many cloud applications, there are a couple of general (and very concerning) misconceptions.


1. Office 365 is secure (out of the box/off the shelf)

It's an extremely robust product with military-grade encryption and a huge amount of resources (people and tech) working tirelessly on its general security, so that's enough, right? Unfortunately not.

The product is designed to be easy to use, highly accessible and without 'over the top' security controls that would impact users in their day to day operations. Great. However, these 'features' also expose it to compromise via phishing, social engineering, or attacks from the numerous devices that are used to access it. It's happening every day, all over the world.

Office 365 needs to be customised by an expert to ensure the security of this ever-extending platform - protecting you from the constant and serious threat of email compromise, viruses, ransomware, and other malicious activity. Hardening your tenant is an excellent first step; however, the real solution is multifaceted, taking into account the system itself (Office 365 Cloud), the devices that are used to access it (laptops, phones, tablets etc.), and most of all, people. Even with the most advanced security technology and configuration deployed, we (humans) are the weakest link. Cybersecurity is everyone's responsibility, and we need to ensure users are aware of this.

Whether you're a business of 1 person or 10,000 people, YOU are a target. Ironically, it's those who think they are less of a target who are actually the most at risk - small and medium businesses. So many small and medium businesses think "no one would bother targeting us...", and therefore do not invest time and money into securing their systems. Hackers are coming for you, and unless you take proactive measures, you WILL become a victim.

Business email compromise (BEC) is when an attacker accesses or takes over your email account, generally for the purpose of extortion or convincing someone to transfer money into an illegitimate account. It's already incredibly common and still on the rise. An incident such as this could have devastating effects on you and your business, with the average cyber incident in Australia costing more than $75,000 (there are reports of several millions being lost in one go!). A severe attack could literally wipe out your business overnight. What are you doing at the moment to protect yourself? And what should you be considering? Our recommendations in this area are:

  • Get an Office 365 security expert to configure your tenant - implement multi-factor authentication, enforce modern authentication (block old or insecure applications from logging in), disable automatic external email forwarding (a favourite tool of hackers that have compromised your system), enable system wide auditing, and a host of other changes.

  • Add 'Advanced Threat Protection' to your Office 365, if you don't already have it. These are a fantastic set of tools from Microsoft to enhance protection against malicious attachments, links and malware.

  • Deploy advanced endpoint protection to your desktops, laptops, tablets and mobile phones. Your standard anti-virus no longer cuts it - you need additional tools and features to provide more robust protection.

  • Enlist a security service to proactively monitor your systems for unusual, suspicious or malicious behaviour. The average amount of time a business takes to realise they have been compromised is 197 days! Using the right tools, you will know within minutes that there has been an incident and can act straight away to avoid disaster.

  • Lastly, train your users! Phishing is the main cause of Cyber incidents within Office 365, and these are primarily due to a lack of user awareness. Good password hygiene, knowing how to spot dodgy links or attachments, knowing what should and should not be shared via email etc. This is a vital piece of the puzzle to protect your business.
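
An added example, not from the original post, of the kind of monitoring the recommendations above call for: it scans audit records for mailbox or inbox-rule changes that forward mail to a domain outside the organisation. The record layout is modelled on Exchange entries in the Office 365 unified audit log; the sample records, domains and function names are constructed for illustration.

```python
import json

# Constructed sample records, shaped like Exchange entries in the Office 365
# unified audit log (Operation / UserId / Parameters). Not real tenant data.
SAMPLE_AUDIT_LOG = """
{"CreationTime": "2019-04-29T02:14:07", "Operation": "New-InboxRule", "UserId": "accounts@contoso.example", "Parameters": [{"Name": "ForwardTo", "Value": "drop@mailbox.example"}]}
{"CreationTime": "2019-04-29T03:01:55", "Operation": "Set-Mailbox", "UserId": "ceo@contoso.example", "Parameters": [{"Name": "ForwardingSmtpAddress", "Value": "smtp:ceo.backup@other.example"}, {"Name": "DeliverToMailboxAndForward", "Value": "True"}]}
{"CreationTime": "2019-04-29T09:30:12", "Operation": "New-InboxRule", "UserId": "pa@contoso.example", "Parameters": [{"Name": "RedirectTo", "Value": "ceo@contoso.example"}]}
{"CreationTime": "2019-04-29T10:02:40", "Operation": "Set-Mailbox", "UserId": "it@contoso.example", "Parameters": [{"Name": "AuditEnabled", "Value": "True"}]}
"""

# Operations and parameters that can make a mailbox send its mail elsewhere.
WATCHED_OPERATIONS = {"New-InboxRule", "Set-InboxRule", "Set-Mailbox"}
FORWARDING_PARAMETERS = {"ForwardTo", "ForwardAsAttachmentTo", "RedirectTo",
                         "ForwardingSmtpAddress"}


def recipient_domains(value):
    """Return the lower-cased domain of every address in a parameter value."""
    domains = set()
    for part in value.replace(",", ";").split(";"):
        address = part.strip().strip('"')
        if address.lower().startswith("smtp:"):
            address = address[5:]
        if "@" in address:
            domains.add(address.rsplit("@", 1)[1].lower())
    return domains


def find_external_forwarding(log_text, internal_domains):
    """Flag audit records that set up forwarding to a domain we do not own."""
    internal = {d.lower() for d in internal_domains}
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        record = json.loads(line)
        if record.get("Operation") not in WATCHED_OPERATIONS:
            continue
        for param in record.get("Parameters", []):
            if param.get("Name") not in FORWARDING_PARAMETERS:
                continue
            external = recipient_domains(param.get("Value", "")) - internal
            if external:
                findings.append((record["CreationTime"], record["UserId"],
                                 param["Name"], sorted(external)))
    return findings


if __name__ == "__main__":
    for finding in find_external_forwarding(SAMPLE_AUDIT_LOG, {"contoso.example"}):
        print(finding)
```

A check like this only works once auditing is switched on for the tenant, which is why that setting sits in the same recommendation as disabling external forwarding.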

In summary, if you don't know for sure that your Office 365 is secure, it is NOT. Engage with a specialist to begin rectifying these issues and train your users to ensure the ongoing success and prosperity of your organization.


2. Office 365 is backed up

We hear this almost every day: users assume their Office 365 is backed up automatically. It is NOT. The system provides geo-redundancy, so if, for instance, the Victorian data centre goes offline, the NSW one will take over. That's pretty great, but what happens if you delete data? This geo-redundancy means it'll be deleted in both locations (some information will sit in the recycle bin for a period and can be restored, but this is not always the case). Can you afford to lose your precious information?

It's imperative to activate a 3rd party service to ensure all emails, communications and data are securely backed up, regularly, to another location. In the case of ransomware, a virus or a malicious attempt to destroy your data by a bad actor or disgruntled employee, you could be left in the lurch. Recently a client reported that one of their staff deleted years' worth of information prior to leaving the company. Unfortunately, they had no 3rd party backup, so the data was gone. It's relatively cheap to back up - so don't overlook this absolutely crucial step!

From a company who sees and deals with CyberCrime on a daily basis, I implore you to think about how a Cyber incident could affect your business. With no exaggeration - a single incident could spell the end of your company. Are you willing to risk it?

