Four ways to secure your Microsoft 365 Business Subscription

We take a look at four ways that small businesses can improve their security on the Microsoft 365 Business subscription.

In this article, we look at four ways small businesses using the Microsoft 365 Business subscription can improve their security.

This is by no means an exhaustive guide, and we recommend that home users and businesses alike invest time in improving their cybersecurity.

Getting Started

First things first, we’re assuming that you already have a Microsoft 365 Business subscription, and as such, you’ll have access to Microsoft Security Center.

The Microsoft Security Center is an easy to use, centralised security dashboard that allows you to review the overall security posture of your Microsoft 365 tenancy.

This makes it the first stop on our security journey. To be more specific, we’re going to take a look at your Secure Score.

You can access the Secure Score dashboard at this link: https://security.microsoft.com/securescore/.

The Microsoft Secure Score dashboard is a great way to assess your security posture.

The Secure Score dashboard, shown above, gives you a percentage based score for your security configuration; but more importantly, it provides you with actionable advice on how to improve it.

From the Secure Score dashboard, you can see action items that typically include guidance on configuring security options throughout your Microsoft 365 tenancy.

Multi-Factor Authentication

Multi-Factor Authentication (MFA) is a must-have for organisations to use cloud services securely. It prevents unauthorised access to user accounts by requiring users to prove their identity using multiple means.

A typical MFA login would require a user to enter their password; then, it would require them to approve the log in via an application on their personal mobile phone.

Other methods such as accepting a call, entering a code sent by SMS are also used.

For the Microsoft 365 Business Subscription, you can utilise MFA by enabling Security Defaults.

Administrators can enable or disable security defaults from the Properties pane for Azure Active Directory (Azure AD) in the Azure portal.

  1. Sign in to the Microsoft 365 admin center with global admin credentials.
  2. In the left nav choose Show All and under Admin centers, choose Azure Active Directory.
  3. In the Azure Active Directory admin center choose Azure Active Directory > Properties.
  4. At the bottom of the page, choose Manage Security defaults.
  5. Choose Yes to enable security defaults or No to disable security defaults, and then choose Save.

After you set up multi-factor authentication for your organisation, your users will be required to set up two-step verification on their devices.

Training Your Users

Keeping your users informed and aware of threats is a key measure to preventing attacks. It helps them remain vigilant to Phishing, Spear Phishing, Social Engineering and other attacks.

If you’re unsure where to start, a great resource for businesses of all sizes is the Australian Cyber Security Centre (ACSC) – Cyber.gov.au website.

The ACSC website offers targeted guidance, educational material and even online quizzes to check your skills. You can even register for regular cybersecurity updates.

Using Dedicated Admin Accounts

Administrator accounts are accounts that have privileged or elevated access to information technology systems within your organisation. It’s important to ensure that these accounts are kept secure and only used on an as-needed basis.

Administrator accounts are valuable targets for malicious actors seeking to exploit them for their own gain.

As a rule: Use admin accounts only for administration.

Some key recommendations:

  • Require all Administrator accounts to use Multi-Factor Authentication.
  • Close out all unrelated browser sessions and apps, including personal email accounts prior to accessing administrator accounts.
  • After completing administrator tasks, be sure to log out of the session.

Increase Malware Protection In Emails

The Microsoft 365 environment includes built-in protection against malware. But you can take it even further by blocking attachments that may be malicious. 

Microsoft allows you to filter out common malicious attachments types that may be malicious. To do this, follow these steps:

  1. Go to https://protection.office.com and sign in with your admin account credentials.
  2. In the Security & Compliance Center, in the left navigation pane, under Threat management, choose Policy > Anti-Malware.
  3. Double-click the default policy to edit this company-wide policy.
  4. Select Settings.
  5. Under Common Attachment Types Filter, select On. The file types that are blocked are listed in the window directly below this control. You can add or delete file types later, if needed.
  6. Select Save.

Whats Next

In this article, we’ve covered four basic steps to improving cyber security for businesses using the Microsoft 365 Business subscription.

But cybersecurity doesn’t stop here. If you want to learn more about cybersecurity and how it applies to you, we recommend the https://cyber.gov.au/ website.

It’s a great starting place for small businesses looking to improve their understanding of and improve cybersecurity.