If you’re a small business, then Office 365 may be your lifeblood.
By Randy Nieves, CTO, NexusTek
It’s where you store all your documents, send all your emails, and potentially keep records of your employees and customers. Office 365 can be secure, if configured correctly. Microsoft itself is responsible for providing availability of their platform, datacenter hardware and security and a plethora of software as a service options that work seamlessly with Office 365.
In terms of securing your Office 365 email and file data, as well as backing it up, small business customers are responsible for this and most don’t realize it. Most small business leaders know that they’re vulnerable to hackers, but 47% of companies don’t know the best methods for protecting themselves. If you don’t know how to protect yourself, you’re an easy target – and here are the ways that hackers will hurt you:
File Deletion or Encryption
Ransomware attackers are like small businesses, which is why over 70% of ransomware attacks targeted SMBs in 2018. Many SMBs don’t have the resources (generally speaking) or expertise to stave off attacks. They may not have thorough backup and recovery plans, and they’re more likely to pay a ransom. If you store mission critical documents (marketing collateral, intellectual property, legal documents, tax records, etc.) in a document share such as OneDrive, it becomes a target for ransomware. While OneDrive does include ransomware protection, it requires a subscription – plus a clever attacker could still get around it. Are your files secure?
Identity Theft
How much information do your store in Office 365 account? You’d probably surprise yourself if you took inventory. Companies often store things like password databases (sometimes in plain text), credit card numbers, email addresses, phone numbers, and other lists of customer information. An attacker who decides not to encrypt your files could still wreak havoc by using these troves of information to steal customer identities – and the resulting fines and lawsuits very likely could put you out of business.
Eavesdropping on Secure Communications
Your Office 365 is equivalent to Ground Zero for all of your communications with your clients. Everything goes through Outlook, which means that attackers can find out the names, email addresses, and phone numbers of your customers and vendors. This isn’t harmless – at the very least, attackers could monetize this information directly by selling it on the dark web. At the most, they could gather enough information about your company to pull off more sophisticated attacks.
Spear Phishing and Business Email Compromise
Let’s say that you do business via wire transfer. One day, one of your customers receives an invoice from you with instructions to wire their payment to a certain address; formatted in exactly the way you’d do it and contains your letterhead and contact information. When they pay the invoice, a criminal on the other end – who has forged every aspect of your communications after eavesdropping on you for a month – simply takes the money and runs. In this scenario not only is this damaging to the customer, but it’s also detrimental to your company’s image and reputation which could lead to losing business.
Spam Emails
Most of the time, spam emails in your name are the product of “spoofing.” In this case, your account isn’t really sending out emails, but it’s actually an attacker using software to make it appear that way. If your account is in fact compromised, however, an attacker can and will use your account to send spam. If this happens, Microsoft may deactivate your Office 365 account – and until you get your account back, you’ll be unable to send or receive any emails at all. What would that do to your business?
Taking Steps to Protect your Office 365 Account
Here are a few simple steps that businesses can take to protect their Office 365 account:
- Mandate strong passwords that aren’t easily guessed.
- Implement multi-factor authentication in Office 365, encouraging users to log in using a mobile MFA app like Microsoft or Google authenticator, biometrics or a USB key in addition to their strong password.
- Use the encryption features of Office 365 with industry-specific policies to ensure sensitive data detected is encrypted automatically as you click send. This prevents attackers from spying on your communications if they breach your account with a simple password
- Backup your email, SharePoint and OneDrive data via a 3rd party tool. There are several available on the market.
These simple precautions will make it more difficult – but not impossible – to attack your account. At the very least, ensure you have a backup plan as a last resort defense, should you get hit with ransomware. If you want to add a further roadblock to your attackers, I recommend you engage a managed IT services provider that is hyper-fluent in cyber security, Microsoft Office 365 and managed cloud services.
Randy Nieves is Chief Technology Officer and SVP of Product Development for NexusTek, an award-winning cyber security, cloud and managed IT services provider. NexusTek conducts Microsoft 365 Security Assessments to help companies better secure their Office 365 environment and ensure that their critical data is protected. In addition, NexusTek also offers 24/7 monitoring and support to detect and mitigate suspicious activity.
Office 365 stock photo by dennizn/Shutterstock