Microsoft 365 provides companies with numerous protective measures that ensure a high level of security for all applications and data. However, a prerequisite for the secure use of Microsoft 365 is that the security functions are actually licensed, activated, used and actively managed. In addition, all users and administrators must be informed about the risks and trained in secure use. Our checklist provides information on the security aspects you should consider when using Microsoft 365.

 

Microsoft 365: Popular with companies – but also with hackers

When companies move their data and applications to the cloud, this offers greater efficiency, benefits in terms of collaboration and a high level of security. Microsoft 365 is no different: Microsoft protects its services with numerous security features. However, as Microsoft 365 is a cloud service, the security precautions differ from applications in the company’s own data centers. This is because the threat situation is fundamentally different when using the cloud compared to on-premise use. Irrespective of this, it should be noted that not only must the security features be configured and utilized correctly, but that people – i.e. all users including administrators – must also be taken into account as a risk factor.

Microsoft 365 is one of the most widely used cloud services in the area of productivity services. Over one million companies worldwide use the cloud-based versions of Microsoft software such as Exchange, SharePoint and Teams, along with associated apps such as OneDrive, Planner, Power BI and others. According to the Workplace Study 2023 by MSM Research, around 91 per cent of companies in Switzerland use Microsoft 365.

In the future, even more companies will move to the cloud and data traffic will increase accordingly. According to the Swiss IT 2022 study by IDC, the value of newly generated data will be 176 zettabytes in 2025, compared to 18 zettabytes in 2015. In addition, the amount of stored company data will increase to 9 ZB by 2025, compared to around 0.8 ZB in 2015, i.e. less than 1 ZB. The annual growth rate of new data is around 26 per cent. Precisely because Microsoft 365 is so widespread, cloud services are also an attractive target for cyber criminals. The threats are omnipresent and attacks are constantly taking place.

Integrated standard protection in Microsoft 365

Microsoft 365 offers effective security functions that can be used by companies at no additional cost. These protect against a wide range of threats. However, because users can be careless when using them or lack the expertise, the overall protection may be inadequate.

“Cyber criminals use stolen or manipulated identities of users and administrators to gain access to company data and services,” says Andreas Schmid, Product Manager at Swisscom. As identities are often stolen via phishing, employees should be particularly sensitized to the dangers of phishing emails and the associated procedures. This is because the attacks are usually not aimed at the Microsoft cloud, but at Microsoft 365 customers. The consequences of such attacks are manifold and range from data loss and high costs incurred by companies to the takeover of Azure resources used to secretly mine cryptocurrencies.

 

Practical tip: Microsoft 365 in practice

  • All users and administrators should protect their accounts with multi-factor authentication (MFA).
  • Configure and actively monitor all security alerts (e.g. Exchange Online Protection, Password Protection, etc.).
  • Regulate the usage options for employees in rights and identity management.

 

Microsoft 365 offers the following security functions

  • Multi-factor authentication (MFA): In addition to the user name and password, a second factor (e.g. a device registered to the user, Microsoft Authenticator app on the smartphone) secures the login process. This prevents unauthorized persons from being able to log in to the account with just a username and password.
  • If the password hash sync function is activated, compromised identities can be recognized.
  • Password Protection: Prevents frequently used passwords such as company names, surnames, car brands, etc. from being used.
  • Microsoft Information Protection: Detects, classifies and protects your confidential information in documents or emails – from storage to transmission.
  • Mobile Device Management (MDM): Enables selective deletion of business data on mobile devices and allows mobile devices to be reset securely.
  • Conditional Access: Checks the “health status” of end devices that want to connect to Microsoft 365 services and blocks access from untrusted locations (dark web).
  • Information Rights Management: Controls access to company data.
  • Secure Score: Provides information on how securely the services are currently configured. Risks and vulnerabilities are highlighted and suggestions are made as to how security can be increased.

 

Basic security features: Activate, use and manage

Activate multi-factor authentication
MFA is one of the most important and effective security measures,
as it secures access to data and applications. However, in practice
this option, which is available to every user, is rarely used: According to a
study from 2018, only 3 per cent of all administrators are said to
have used multi-factor authentication. The company must therefore
ensure that as many users as possible use MFA.

Reporting
Activate and configure DLP, including real-time monitoring and reports
on incidents.

 

Correct use: Sensitize and train employees and administrators

Increase identity security
Increasing identity security is one of the most important measures.
The number one gateway is identity theft. Hackers take over the access data in order to launch further attacks via the hijacked account.
This allows them to penetrate the company network and obtain data.

Create dedicated admin accounts
Sensitize administrators and separate their admin accounts
from their user accounts.

Introduce password guidelines
Introduce strict password guidelines for all users and administrators.

Train users
Training, sensitization, building security awareness. Inform all users specifically about phishing.

Use strong passwords
Only use strong passwords and manage them in a password manager.

Use admin accounts correctly
Only use admin accounts for activities related to administration.

Using the cloud consistently
Use the cloud consistently. If data is stored locally, it should
always be synchronized with the cloud.

Raise awareness
6 out of 10 Microsoft 365 users neither use the integrated data protection functions nor does their company have a data protection prevention plan.