Many of you use Microsoft 365 (M365) for Hosted Exchange Email, Microsoft Office 2019 (Word, Excel, PowerPoint, Publisher, Outlook), One Drive, SharePoint, Teams, and more. However, most Microsoft 365 users do not use the security features offered by Microsoft to protect their email and Microsoft 365 account. These security features protect against someone getting into your account.
I would like to provide you with an example of how easily an account can be hacked. Imagine you or one of your staff receive an email that looks like an email from Microsoft 365 informing you that your Microsoft 365 password is about to expire. The email looks exactly like the real Microsoft 365 emails stating the same, so you enter your credentials (log in name and password). Once the hacker has your information, he logs into your Microsoft 365 account and attempts to find any personal identifiable information for you or your clients that can be exploited.
An example of this recently occurred to a construction company at the start of September. An administrator at the construction company entered her credentials into one of the phishing Microsoft 365 emails. The hacker then had access to her email account and Cloud documents without her knowledge. The hacker sent an email to the administrator that looked like it was coming from the owner of the company, telling her that he was buying a new piece of equipment. The hacker sent a second email with the amount, $35,000, and where to send the funds. You might be thinking as you read this, “How did the administrator fall for this scam?” Since the hacker had access to her email account, he was able to see emails from the owner and mimic the owner’s signature, wording, and mask the email name so it looked just like the owner’s email. Also, the hacker knew that this type of email was not out of character for the owner since he purchases new equipment often for his business. The hacker had done his homework and had obviously read through many emails. The administrator wired the funds. Luckily, within a short period of time, the administrator was in contact with the owner and mentioned the transfer and they contacted the bank to stop the transfer. This company was lucky and got their money returned. Most firms are not so lucky. The owner of the construction company who was originally resistant to the recommended security that required additional steps, then gave approval to implement Microsoft 365 security features.
One of the Microsoft 365 security features that can help prevent security breaches is Multi-Factor Authentication (MFA). Law firms that have cyber liability insurance or adhere to security audits by their corporate clients receive questions when renewing their insurance and during audits regarding their use of multi-factor authentication (MFA) for Microsoft 365 and two factor authentication (2FA) for remote access.
Multi-Factor Authentication (MFA) is a security feature within your Microsoft 365 account. An app is downloaded from the App Store to your smartphone called Windows Authenticator. This is a free download. Once the MFA settings is turned on within your Microsoft 365 account, you will be prompted to approve access the first time you use any of your devices; PC, Laptop, iPad, smartphone. Once approved, you will not be prompted again for these devices. You will only be prompted if a new device tries to access your account. So, if a hacker is trying to gain access to your Microsoft 365 account, you will be prompted on your smartphone whether to grant access to your account. Of course, if it is not you attempting to access your account from a new device, you will deny access. You should then immediately take precautions to log into your Microsoft account and change your password.
Another Microsoft 365 security add-on that works with MFA is Microsoft Azure Premium P1 which is $6/month/user account. This add-on has several conditional access security settings to protect your email and Microsoft 365 account. One of the conditional access settings turns off access to your account through any non-USA IP addresses. Another conditional access feature is turning off Basic Authentication and requiring Modern Authentication when accessing your Microsoft 365 account via the web. Additionally, your office IP addresses can be excluded from requiring MFA.
Additionally, Microsoft 365 Advanced Threat Protection (ATP) is a very valuable security feature. Microsoft 365 ATP is a $2/month/user account add-on to your Microsoft 365 account. Within ATP, there are settings for several layers of security. You must turn on which features you want enabled on your account. There are three features that are important to implement.
The ATP Safe Attachments should be set to protect against malicious attachments. This helps to prevent against clicking on attachments that can cause malware or ransomware on your computers.
The ATP Safe Links checks links to URL’s within your emails and documents. You will be able to open safe URL links, but malicious links are blocked. This prevents you from clicking on a link within an email that is malicious and can cause malware or ransomware to install on your PC or laptop.
The ATP Anti-Phishing setting is designed to check incoming email messages for potential phishing email attacks and reject any emails that have properties of phishing emails. This protects you from emails that you may think are legitimate but are malicious and trying to collect your personal information.
Updating your Microsoft 365 account to include security features, such as Multi-Factor Authentication (MFA), Advanced Threat Protection, and Azure Premium P1 is very important. The add-ons are a small price to pay for the security protection that is so important to implement and protect your data and your client’s data. Remember, long gone are the days of locking your filing cabinet and office door. Today, you need to digitally lock your files and information.
Alicia A. Slade, MS, MBA, is the President of Plummer Slade, Inc., a computer networking, Managed Services Provide (MSP)r and Managed Security Service Provider (MSSP located in downtown Pittsburgh. Plummer Slade provides IT services and solutions to hundreds of law firms in Pittsburgh and the surrounding area. Plummer Slade is exclusively endorsed for IT Solutions by the Allegheny County Bar Association (ACBA). Alicia has been a Technical Consultant for over 30 years and can be reached at 412-261-5600 x202 or firstname.lastname@example.org.