YOUR OFFICE 365 INSTALLATION IS INSECURE

Well it certainly is if you have not spent considerable time configuring it to be secure.  The fact is that Microsoft Office 365 is one of the best suite of workplace productivity tools I have come across in the 25 years I have worked in I.T.

 

The problem is that nearly all organisations assume that because it is Microsoft it must by default be secure.  Well this is only partially correct.  Microsoft produces excellent products that can be as secure as Fort Knox.  The problem is if you leave the key in the door or you forget to close the windows it does not matter what security measure Microsoft gives to you in their arsenal of protection, the thief will simply walk in basically with your permission.

This is exactly the situation with a Microsoft Office 365 implementation that is not specifically configured to be secure.  So for example, let’s give you a few stats that should scare you, and if they don’t then please feel free to stop reading – but don’t complain when you get hacked.

Microsoft provides a “secure score” that analyses how secure your installation of Office 365 is.  With zero custom configuration you would get a score of around 20-25 out of about 550.  General consensus is that a score of around 300 is considered acceptable, but not particularly good.  To demonstrate how dire the situation is, of all the installations of Office 365 globally for organisations of between 6-99 licenses the global average (at time of writing) is 36.  I did not miss a zero, you read it correctly.  36 out of 550 when the minimum standard should be in excess of 300.

What is incredible here is that Microsoft even provides you with clear guidelines on how to improve your score.  These “actions” are either administrative and have little user impact, or they may be more of an impact on the end user, but regardless of this it is an organisations responsibility to protect their data assets by ensuring the score meets the minimum acceptable standard at least.

Examples of actions that should be implemented in all organisations: –

  1. Implementation of multi factor authentication.
  2. Implementing complex passwords.
  3. Enabling logging and auditing.
  4. Disabling users from performing some tasks themselves.
  5. Adding mobile device security.
Out of the box Microsoft will provide you with about 80 action items all of which have different levels of impact and benefit.  However, all should be considered and either implemented or not implemented within reason.

Please understand that implementing some of the more advanced features would require you to increase the license costs to Microsoft, but the cost to benefit ratio should not be a consideration in the decision-making process.  There is also an associated cost to make all the setting changes to improve the score and to maintain and monitor the environment.

If you are an Organisation using Office 365 and you are not sure what your secure score status is please contact FunctionEight.  We will check your score for you at no charge!  Then we will give you a quote to bring your score up to an acceptable standard, giving you peace of mind that this technical part of your organisation is being well maintained.

Written by Phil Aldridge.  COO of FunctionEight Limited