Microsoft Office 365 has become the go-to productivity suite for many SMBs because it’s affordable, cloud-based, and easy to use. Unfortunately, Microsoft products have long been a favored target of hackers and other bad actors. To prevent your Office 365 installation and access from being compromised, it’s essential for your SMB to take the steps necessary to secure the application. Below are 10 tips to help you secure Office 365 and keep your data safe while ensuring optimal productivity.

  1. Enable Office 365 Safety Tips: Safety Tips are pop-up dialog boxes that provide appropriate security information for users when they open a program. These tips can also be customized to your company policies as a reminder to users about activities governed by those policies. This must be done from the administrator account. Full details are available on the Microsoft website.

    The Office 365 Security Center is where administrators can enable customized Security Tips.


  2. Change administrative defaults: Administrative defaults in Office 365 could put your organization at risk, so a best practice for your IT department should be to change default settings where possible when installing a new piece of software. If you have already installed applications but have not changed the defaults, you can still change them, it’s just more efficient to do it during the installation process. Two of the defaults on Office 365 that should be changed include:
    1. The default administrative mailbox. There is really no need for this mailbox, and it represents a point of risk, so disable it.
    2. The default access capabilities. Be sure when installing Office 365 that you change access capabilities to match your security policies. Default access could allow users to reach your data in the cloud from unmanaged devices, and full access from an unmanaged device could allow that user to download sensitive data to an unsecured location.
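
    The second default above is normally tightened with a Conditional Access policy. The following is an added example, not code from the article or from Microsoft, that creates such a policy with the Microsoft Graph PowerShell SDK: it requires an Intune-compliant or hybrid-joined device for the built-in Office 365 app group and is created in report-only mode so its impact can be reviewed in the sign-in logs before enforcement. It assumes the Microsoft.Graph module is installed, that the caller holds a role allowed to write Conditional Access policies, and the excluded-user GUID is a placeholder for your emergency-access account.

```powershell
# Added example (not from the article): report-only Conditional Access policy that
# requires a managed device for Office 365.
# Assumes the Microsoft.Graph PowerShell SDK and a Conditional Access administrator role.
Import-Module Microsoft.Graph.Identity.SignIns
Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess', 'Policy.Read.All'

$policy = @{
    displayName = 'Require managed device for Office 365 (report-only)'
    state       = 'enabledForReportingButNotEnforced'   # change to 'enabled' only after reviewing sign-in logs
    conditions  = @{
        users          = @{
            includeUsers = @('All')
            # Placeholder GUID: replace with the object ID of your break-glass account
            # so a mistake in the policy cannot lock every administrator out.
            excludeUsers = @('00000000-0000-0000-0000-000000000000')
        }
        applications   = @{ includeApplications = @('Office365') }   # built-in Office 365 app group
        clientAppTypes = @('all')
    }
    grantControls = @{
        operator        = 'OR'
        builtInControls = @('compliantDevice', 'domainJoinedDevice')
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
Write-Output "Created policy $($created.Id) in state $($created.State)"

# Read the policy back and confirm it is still report-only before anyone enforces it.
Get-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $created.Id |
    Select-Object DisplayName, State
```

    Leave the policy in report-only mode for at least a week of normal use, review which sign-ins would have been blocked, and only then switch the state to enabled. Keeping an emergency-access account excluded is what prevents a misconfigured device rule from locking the whole tenant out.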
  3. Implement security policies that govern data storage. It’s not at all uncommon for users to save data from Office 365 to the cloud via Dropbox, Google Drive, and other cloud storage providers. Any cloud services that are not monitored and controlled by your organization are a point of risk for your data, so be sure that users understand using those services is against company policy.

    Create policies and control security settings in the Office 365 Security & Compliance Policy Center.

    Users must have administrative rights to access the Office 365 Security & Compliance Policy Center.

  4. Enable data encryption to prevent data from being compromised in transit. Some versions of Office 365 include data encryption; others do not. If you are using a version that includes encryption, be sure it is enabled. For versions without encryption, a third-party encryption capability is required to ensure that your data is safe both in motion and at rest.
  5. Limit inactive log-in durations. It’s not at all uncommon for users to log into an application and then walk away from their computer. Those users could be gone for a few minutes or a few hours, depending on what takes them away. Office 365 applications that don’t limit inactive log-in durations leave your data exposed to anyone who accesses the unattended computer. To mitigate unintended access, be sure your Office 365 applications are set to automatically log off after a predefined period of inactivity.
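
    For Outlook on the web, the idle-session timeout is an organization-level Exchange Online setting. The following is an added example, not code from the article or from Microsoft, that audits the current value and then enables the timeout with the Exchange Online PowerShell module. It assumes the ExchangeOnlineManagement module is installed and the caller holds an Exchange administrator role; the one-hour interval is a placeholder to be replaced with whatever your policy requires.

```powershell
# Added example (not from the article): audit and set the Outlook on the web idle-session
# timeout. Assumes the ExchangeOnlineManagement module and an Exchange administrator role.
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline   # interactive sign-in

# 1. Record the current setting before changing anything (default is disabled / 06:00:00).
Get-OrganizationConfig |
    Select-Object ActivityBasedAuthenticationTimeoutEnabled,
                  ActivityBasedAuthenticationTimeoutInterval,
                  ActivityBasedAuthenticationTimeoutWithSingleSignOnEnabled

# 2. Turn the timeout on. The interval is hh:mm:ss and must be between 00:05:00 and 08:00:00;
#    one hour is a placeholder value, not a recommendation from the article.
Set-OrganizationConfig -ActivityBasedAuthenticationTimeoutEnabled $true `
                       -ActivityBasedAuthenticationTimeoutInterval 01:00:00 `
                       -ActivityBasedAuthenticationTimeoutWithSingleSignOnEnabled $true

# 3. Re-read the configuration and fail loudly if the change did not take effect.
$cfg = Get-OrganizationConfig
if (-not $cfg.ActivityBasedAuthenticationTimeoutEnabled) {
    throw 'Idle-session timeout is still disabled'
}
Write-Output "Idle-session timeout enabled, interval $($cfg.ActivityBasedAuthenticationTimeoutInterval)"

Disconnect-ExchangeOnline -Confirm:$false
```

    This setting covers Outlook on the web only. The Microsoft 365 admin center also offers a tenant-wide idle session timeout for the other web apps (under the organization's security and privacy settings), so check both when implementing this tip.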
  6. Beware of trial accounts converted to paid accounts. When a user signs up for a trial account that is later converted to a paid account, Microsoft can sometimes confuse the two accounts, which could lead to sensitive data being exposed. To check for this, use two different browsers in anonymous (private) mode, which hides your personally identifying information so you look like an anonymous user: log into the free account in one, then copy and paste the URL from the paid account into the other to see if you can access that account without logging in. If you can, contact Microsoft to have the issue resolved.
  7. Do not share folders or calendars publicly. Public information is viewable by anyone with the desire to look at it. Public folders grant wide access to the data stored in them. Public calendars make it possible for anyone to view the cadence of activities at your organization and time attacks for your most vulnerable moments. An administrator must convert any publicly shared folders or calendars to private to prevent unauthorized personnel from accessing that data.
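
    Finding which calendars are exposed is the first step. The following is an added example, not code from the article or from Microsoft, that walks every user mailbox in Exchange Online and reports calendars that are published to the Internet or that grant more than free/busy visibility to the organization-wide Default permission. It assumes the ExchangeOnlineManagement module, an Exchange administrator role, and English-language mailboxes (the folder is named Calendar); the remediation commands are left commented out so they are run only after the findings are reviewed.

```powershell
# Added example (not from the article): report calendars that are published to the Internet
# or broadly readable within the tenant. Assumes ExchangeOnlineManagement and an Exchange admin role.
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline

# Access rights considered acceptable for the tenant-wide "Default" user. LimitedDetails is
# deliberately not listed because it reveals meeting subjects and locations.
$acceptable = 'None', 'AvailabilityOnly'

$findings = foreach ($mbx in Get-Mailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox) {
    $calId = "$($mbx.PrimarySmtpAddress):\Calendar"   # assumes an English folder name

    # Anonymous Internet publishing (the "publish calendar" option in Outlook on the web).
    $cal = Get-MailboxCalendarFolder -Identity $calId
    if ($cal.PublishEnabled) {
        [pscustomobject]@{
            Mailbox = $mbx.PrimarySmtpAddress
            Issue   = 'Published to Internet'
            Detail  = $cal.PublishedCalendarUrl
        }
    }

    # The Default entry applies to every authenticated user in the organization.
    $default = Get-MailboxFolderPermission -Identity $calId -User Default
    $broad   = @($default.AccessRights) | Where-Object { $_ -notin $acceptable }
    if ($broad) {
        [pscustomobject]@{
            Mailbox = $mbx.PrimarySmtpAddress
            Issue   = 'Broad Default permission'
            Detail  = ($broad -join ',')
        }
    }
}

$findings | Format-Table -AutoSize

# Remediation, per finding and after review (uncomment and set $calId to the affected mailbox):
# Set-MailboxCalendarFolder  -Identity $calId -PublishEnabled $false
# Set-MailboxFolderPermission -Identity $calId -User Default -AccessRights AvailabilityOnly

Disconnect-ExchangeOnline -Confirm:$false
```

    Sharing with people outside the organization is governed separately by the tenant's sharing policies (Get-SharingPolicy), so review those as well if external calendar sharing is not something your policy allows.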
  8. Prevent password sharing. Most people have no concerns about sharing their Microsoft passwords. Even those who don’t will often create simple passwords that are easily crackable, or they reuse passwords from other applications. To combat this, create and enforce strong password policies that are easy for users to follow.
  9. Be aware that data transfer by USB drive can put your organization at risk. USB drives, especially those that are used by employees to transfer data between personal machines and company-controlled devices, are easily infected and can transfer that infection, along with the data, from one machine to the next. Create and enforce policies to ensure users access data through more secure systems like Microsoft OneDrive.
  10. Train users in good security hygiene. The way users behave when interacting with any technology is one of the greatest risks your company faces. Users either don’t understand the risk their behavior brings to the organization or they don’t have a reason to care. Train employees to avoid risky behavior and provide the right incentives for them to do so.

Microsoft Office 365 is one of the most used productivity suites because it’s a valuable tool for any organization. However, it’s important to understand the risks the application poses to your organization when it’s not installed and managed correctly. Take the time to adjust administrative defaults, tweak settings, and properly train users so your company’s installation and use of Office 365 doesn’t increase your attack surface.