Customer Story: Think Up Consulting

Looking to streamline operations, increase efficiency and remain secure?  

Learn from the experience of Think Up Consulting — a young, fast-growing agency in South Carolina that uses Microsoft Teams, Microsoft 365 Business and Windows 10 to increase productivity and do more. 

With 39 team members and 45 ongoing projects at any given time, Think Up Consulting is always exploring and adopting new technology to increase efficiency and better meet customer needs.  

Check out Think Up’s story and contact us to learn how NovaQuantum can help your company use Windows 10 and Microsoft 365 Business to increase productivity and security.

Windows 10 + Microsoft 365 benefits

Work better together and increase productivity

Windows 10 and Microsoft 365 help teams work better together with better tools—from any location:

  • Streamline collaboration—Integrate team chats, meetings, and files in one place to increase productivity with Microsoft Teams.
  • Improve performance with intelligent capabilities—Gain instantaneous analysis from intelligent services like Editor, Designer, and Smart Lookup with capabilities built into Microsoft 365.
  • Enable work from almost anywhere, on any device—Provide secure remote access to employees working from personal devices.

Simplified for you and reduce cost

Free up resources and reduce IT costs over time with Microsoft by simplifying device management and staying up to date:

  • Receive more value—Windows 10 and Microsoft 365 add new features and apps as they are released, at no additional cost.
  • Deploy intelligent applications and tools—Work smarter, not harder, with the latest Office apps and intelligent capabilities to enable your employees.
  • Save time on device management—Windows 10 and Microsoft 365 continually update across all apps, so you don’t have to worry about updates, giving you time back.

Securely run and grow your business with enhanced security

Protect against external threats and leaks with security and compliance tools built into your devices.

  • Leverage built-in automated threat intelligence—Threat-protection technologies in Windows 10 and Microsoft 365 help protect against spam, malware, viruses, phishing attempts, malicious links, and other threats.
  • Ensure secure remote access across all devices—Conditional Access and device management let employees reach company data from any device while keeping those devices compliant and up to date.
  • Control access to sensitive business information—Proactively safeguard your organization with enterprise-level security on all apps and devices.

Privacy tips for a digital world

Was that your client’s personal information that was leaked?

A privacy breach is like having your home burglarized. How would you feel if it happened to you?
What would a privacy breach do to your organization? In addition to the harm done to the affected individuals, it would damage your organization’s reputation as soon as it hit the news.
You play a crucial role in guarding your employees and clients’ personal information and fulfilling your legal obligations pertaining to privacy.

Be the strong link!

  • Obtain consent before collecting personal information and only collect what is necessary.
  • Use personal information only for the purposes established by your organization.
  • Destroy, erase or anonymize information when it no longer serves its initial purpose.

CIS Microsoft 365 Foundations Benchmark

The CIS Microsoft 365 Foundations Benchmark v1.2.0 is a curated list of the most important and least user-impacting security controls for Microsoft 365, each of which can be audited and remediated.

Account / Authentication
Ensure multifactor authentication is enabled for all users in administrative roles
Ensure that multi-factor authentication is enabled for all non-privileged users
Ensure that between two and four global admins are designated
Ensure self-service password reset is enabled
Ensure that ‘Number of methods required to reset’ is set to ‘2’
Ensure Azure Active Directory Password Protection for Active Directory is enabled in order to protect against the use of common passwords.
Enable Conditional Access policies to block legacy authentication protocols in Office 365.
Ensure that password hash sync is enabled for resiliency and leaked credential detection.
Enable Identity Protection to identify anomalous logon behavior: Azure Active Directory Identity Protection monitors account behavior and lets organizations configure automated responses to suspicious actions involving user identities.
Ensure Security Defaults is disabled on Azure Active Directory. Security Defaults would block the custom settings (such as Conditional Access policies) that the more advanced controls in this benchmark require.
Ensure modern authentication for Exchange Online is enabled
Ensure modern authentication for Skype/Teams for Business Online is enabled
Ensure modern authentication for SharePoint applications is required
Ensure that Office 365 Passwords Are Not Set to Expire
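The MFA-for-admins and legacy-authentication items above are implemented as Conditional Access policies. The script below is an added example, not code from the page, from CIS or from Microsoft; it creates both policies with the Microsoft Graph PowerShell SDK (`Microsoft.Graph` module). It assumes the caller can consent to the listed Graph scopes, that Security Defaults has already been disabled (it and Conditional Access cannot be used together, which is why the benchmark asks for it to be off), and that the break-glass account name is a placeholder you replace with your own dedicated emergency-access account. Both policies are created in report-only mode so the sign-in log can be reviewed before enforcement.

```powershell
# Added example (not from the page): create the two CIS Conditional Access policies in report-only mode.
# Assumes: Microsoft.Graph module installed; Security Defaults already disabled; Azure AD Premium P1
# (included in Microsoft 365 Business Premium); $breakGlassUpn is a placeholder for your real account.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All",
                        "RoleManagement.Read.Directory", "User.Read.All"

# Emergency-access account: always excluded so a mis-scoped policy cannot lock out every administrator.
$breakGlassUpn = "breakglass@contoso.onmicrosoft.com"   # placeholder
$breakGlass    = Get-MgUser -UserId $breakGlassUpn

# Resolve admin role template IDs by display name instead of hard-coding GUIDs.
$adminRoleNames = @("Global Administrator", "Exchange Administrator", "SharePoint Administrator",
                    "Security Administrator", "Conditional Access Administrator", "User Administrator")
$adminRoleIds = Get-MgDirectoryRoleTemplate |
    Where-Object { $adminRoleNames -contains $_.DisplayName } |
    Select-Object -ExpandProperty Id

# Policy 1: block legacy authentication. Basic-auth clients (POP/IMAP/SMTP AUTH, older Office) cannot
# complete MFA, so leaving them enabled lets an attacker with a stolen password bypass it.
$blockLegacy = @{
    displayName = "CIS - Block legacy authentication"
    state       = "enabledForReportingButNotEnforced"    # change to "enabled" after reviewing sign-in logs
    conditions  = @{
        clientAppTypes = @("exchangeActiveSync", "other")   # "other" = legacy authentication protocols
        applications   = @{ includeApplications = @("All") }
        users          = @{ includeUsers = @("All"); excludeUsers = @($breakGlass.Id) }
    }
    grantControls = @{ operator = "OR"; builtInControls = @("block") }
}

# Policy 2: require MFA for every directory role resolved above.
$mfaAdmins = @{
    displayName = "CIS - Require MFA for administrative roles"
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        clientAppTypes = @("all")
        applications   = @{ includeApplications = @("All") }
        users          = @{ includeRoles = @($adminRoleIds); excludeUsers = @($breakGlass.Id) }
    }
    grantControls = @{ operator = "OR"; builtInControls = @("mfa") }
}

foreach ($policy in @($blockLegacy, $mfaAdmins)) {
    $created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
    "{0}  state={1}  id={2}" -f $created.DisplayName, $created.State, $created.Id
}
```

Before switching either policy to `enabled`, check the "Report-only" tab of the Azure AD sign-in log for the accounts and apps that would have been blocked; service accounts still using basic authentication typically show up here and need to be migrated first. The benchmark's separate item about keeping two to four global admins is the reason the emergency-access account is a dedicated identity and not a named person's mailbox.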
Application Permissions
Ensure users are not allowed to install Word, Excel, and PowerPoint add-ins
Ensure calendar details sharing with external users is disabled
Ensure O365 ATP SafeLinks for Office Applications is Enabled
Ensure Office 365 ATP for SharePoint, OneDrive, and Microsoft Teams is Enabled
Ensure Office 365 SharePoint infected files are disallowed for download
Data Management
Ensure the customer lockbox feature is enabled: It requires Microsoft to get your approval for any datacenter operation that grants a Microsoft support engineer or other employee direct access to any of your data.
Ensure Data Loss Prevention(DLP) policies are enabled
Ensure DLP policies are enabled for Microsoft Teams
Ensure that shared access signature tokens expire within an hour
Ensure that external users cannot share files, folders, and sites they do not own
Ensure external file sharing in Teams is enabled for only approved cloud storage services
Email Security / Exchange Online
Ensure the Common Attachment Types Filter is enabled
Ensure Exchange Online Spam Policies are set correctly
Ensure mail transport rules do not forward email to external domains
Ensure mail transport rules do not whitelist specific domains
Ensure the Advanced Threat Protection Safe Links policy is enabled
Ensure the Advanced Threat Protection Safe Attachments policy is enabled
Ensure that an anti-phishing policy has been created
Ensure that DKIM is enabled for all Exchange Online Domains
Ensure that SPF records are published for all Exchange Domains
Ensure DMARC Records for all Exchange Online domains are published
Ensure notifications for internal users sending malware is Enabled
Auditing
Ensure Microsoft 365 audit log search is Enabled
Ensure mailbox auditing for all users is Enabled
Ensure the Azure AD ‘Risky sign-ins’ report is reviewed at least weekly
Ensure the self-service password reset activity report is reviewed at least weekly
Ensure user role group changes are reviewed at least weekly
Ensure mail forwarding rules are reviewed at least weekly
Ensure the Malware Detections report is reviewed at least weekly
Ensure non-global administrator role group assignments are reviewed at least weekly
Ensure the spoofed domains report is reviewed weekly
Ensure the Account Provisioning Activity report is reviewed at least weekly
Ensure the Mailbox Access by Non-Owners Report is reviewed at least biweekly
Ensure Guest Users are reviewed at least biweekly
Ensure the report of users who have had their email privileges restricted due to spamming is reviewed
Storage
Ensure document sharing is being controlled by domains with whitelist or blacklist
Ensure expiration time for external sharing links is set
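The Data Management and Storage items above map to a handful of tenant-wide settings in SharePoint Online (which also governs OneDrive for Business). The function below is an added example, not code from the page or from Microsoft; it applies those settings with the SharePoint Online Management Shell (`Microsoft.Online.SharePoint.PowerShell` module). It assumes a SharePoint administrator account, and the admin URL and partner domain you pass in are placeholders. It takes a snapshot of the current values first so the change can be reviewed and reverted.

```powershell
# Added example (not from the page): apply the SharePoint/OneDrive sharing controls from the CIS list.
# Assumes: Microsoft.Online.SharePoint.PowerShell module; SharePoint admin rights; placeholder URL/domains.
function Set-TenantSharingBaseline {
    param(
        [Parameter(Mandatory)][string]$AdminUrl,                       # e.g. https://contoso-admin.sharepoint.com (placeholder)
        [ValidateSet("normal", "highrisk")][string]$Scenario = "normal",
        [string]$AllowedDomains = ""                                    # space-separated partner domains; empty = no domain restriction
    )
    Connect-SPOService -Url $AdminUrl

    # Snapshot the current values so the change is reviewable and reversible.
    $watched = "SharingCapability", "OneDriveSharingCapability", "DefaultSharingLinkType",
               "RequireAnonymousLinksExpireInDays", "PreventExternalUsersFromResharing",
               "DisallowInfectedFileDownload", "SharingDomainRestrictionMode", "SharingAllowedDomainList"
    $before = Get-SPOTenant | Select-Object -Property $watched

    $settings = @{
        PreventExternalUsersFromResharing = $true        # guests cannot share files, folders or sites they do not own
        DisallowInfectedFileDownload      = $true        # files flagged by ATP for SharePoint/OneDrive/Teams cannot be downloaded
        DefaultSharingLinkType            = "Internal"   # new sharing links default to people inside the organization
    }
    if ($Scenario -eq "normal") {
        # "Anyone" links remain available but must expire (CIS: expiration time for external sharing links).
        $settings.SharingCapability                 = "ExternalUserAndGuestSharing"
        $settings.OneDriveSharingCapability         = "ExternalUserAndGuestSharing"
        $settings.RequireAnonymousLinksExpireInDays = 30
    }
    else {
        # External recipients must sign in; no anonymous links at all.
        $settings.SharingCapability         = "ExternalUserSharingOnly"
        $settings.OneDriveSharingCapability = "ExternalUserSharingOnly"
    }
    if ($AllowedDomains) {
        # Domain allow-list (CIS: control document sharing by domain).
        $settings.SharingDomainRestrictionMode = "AllowList"
        $settings.SharingAllowedDomainList     = $AllowedDomains
    }

    Set-SPOTenant @settings

    [pscustomobject]@{
        Before = $before
        After  = Get-SPOTenant | Select-Object -Property $watched
    }
}

# Usage (placeholders): tighten a tenant to the high-risk profile and allow one partner domain.
Set-TenantSharingBaseline -AdminUrl "https://contoso-admin.sharepoint.com" -Scenario highrisk -AllowedDomains "partner.example"
```

These are tenant-wide ceilings: individual sites can be more restrictive but not more permissive, so a site that already had "Anyone" links will stop issuing new ones once the tenant setting changes, while links created earlier keep working until they expire or are removed.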
Mobile Device Management
Ensure mobile device management policies are set to require advanced security configurations to protect from basic internet attacks
Ensure that mobile device password reuse is prohibited
Ensure that mobile devices are set to never expire passwords
Ensure that users cannot connect from devices that are jail broken or rooted
Ensure that mobile device encryption is enabled to prevent unauthorized access to mobile data
Ensure that mobile devices require a complex password to prevent brute force attacks
Ensure that settings are enabled to lock devices after a period of inactivity to prevent unauthorized access
Ensure mobile devices require the use of a password
Ensure that devices connecting have AV and a local firewall enabled
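Most of the Email Security and Auditing items above can be verified from Exchange Online PowerShell without changing anything. The script below is an added example, not code from the page, from CIS or from Microsoft; it audits a subset of those items with the `ExchangeOnlineManagement` module and prints a PASS/FAIL line per control plus the user inbox rules that the weekly forwarding review asks for. It assumes an account with at least View-Only Organization Management rights in Exchange Online.

```powershell
# Added example (not from the page): read-only audit of selected CIS Exchange Online controls.
# Assumes: ExchangeOnlineManagement module; Exchange Online view-only admin rights.
Connect-ExchangeOnline -ShowBanner:$false

$findings = [System.Collections.Generic.List[object]]::new()
function Add-Finding([string]$Control, [bool]$Pass, [string]$Detail) {
    $findings.Add([pscustomobject]@{
        Control = $Control
        Status  = $(if ($Pass) { "PASS" } else { "FAIL" })
        Detail  = $Detail
    })
}

# Auditing: unified audit log search and mailbox auditing (organization-wide default).
$audit = Get-AdminAuditLogConfig
Add-Finding "Audit log search enabled" $audit.UnifiedAuditLogIngestionEnabled "UnifiedAuditLogIngestionEnabled=$($audit.UnifiedAuditLogIngestionEnabled)"
$org = Get-OrganizationConfig
Add-Finding "Mailbox auditing enabled by default" (-not $org.AuditDisabled) "AuditDisabled=$($org.AuditDisabled)"

# Transport rules must not redirect mail to other addresses or allow-list sender domains (SCL -1 skips spam filtering).
$redirecting = @(Get-TransportRule | Where-Object { $null -ne $_.RedirectMessageTo })
Add-Finding "No transport rule redirects mail" ($redirecting.Count -eq 0) (($redirecting.Name) -join ", ")
$allowListed = @(Get-TransportRule | Where-Object { $_.SetSCL -eq -1 -and $null -ne $_.SenderDomainIs })
Add-Finding "No transport rule allow-lists sender domains" ($allowListed.Count -eq 0) (($allowListed.Name) -join ", ")

# Common Attachment Types filter must be on in every malware filter policy.
$noFileFilter = @(Get-MalwareFilterPolicy | Where-Object { -not $_.EnableFileFilter })
Add-Finding "Common attachment types filter enabled" ($noFileFilter.Count -eq 0) (($noFileFilter.Identity) -join ", ")

# Automatic forwarding to external domains should be explicitly Off ("Automatic" is system-controlled, not an explicit choice).
$autoFwd = @(Get-HostedOutboundSpamFilterPolicy | Where-Object { $_.AutoForwardingMode -ne "Off" })
Add-Finding "Auto-forwarding to external domains off" ($autoFwd.Count -eq 0) (($autoFwd | ForEach-Object { "$($_.Name)=$($_.AutoForwardingMode)" }) -join ", ")

# DKIM signing must be enabled for every custom domain (the *.onmicrosoft.com domain is signed by Microsoft already).
$dkimOff = @(Get-DkimSigningConfig | Where-Object { -not $_.Enabled -and $_.Domain -notlike "*.onmicrosoft.com" })
Add-Finding "DKIM signing enabled for all custom domains" ($dkimOff.Count -eq 0) (($dkimOff.Domain) -join ", ")

# Weekly review item: inbox rules that forward or redirect mail. Attackers add these after a
# credential theft to keep receiving a victim's mail, so every hit needs a human look.
$forwardRules = @(
    foreach ($mbx in Get-Mailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox) {
        Get-InboxRule -Mailbox $mbx.UserPrincipalName |
            Where-Object { $_.ForwardTo -or $_.ForwardAsAttachmentTo -or $_.RedirectTo } |
            Select-Object @{ n = "Mailbox"; e = { $mbx.UserPrincipalName } }, Name, Enabled,
                          ForwardTo, ForwardAsAttachmentTo, RedirectTo
    }
)
Add-Finding "Inbox forwarding rules reviewed" ($forwardRules.Count -eq 0) "$($forwardRules.Count) forwarding/redirect rule(s) found"

$findings     | Format-Table -AutoSize
$forwardRules | Format-Table -AutoSize
Disconnect-ExchangeOnline -Confirm:$false
```

The inbox-rule loop issues one call per mailbox, so on a larger tenant schedule it rather than running it interactively. A FAIL on the forwarding check is not automatically a compromise (users do legitimately forward to a shared mailbox), which is why the benchmark frames it as a weekly review rather than a hard control.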

Microsoft 365 Business: the best edition for SMBs

Many SMB customers have been purchasing Office 365 E3, but we recommend evaluating whether the customer actually uses any capabilities that Microsoft 365 Business does not provide. Microsoft 365 Business includes device management and protection capabilities that would have to be added to Office 365 E3 separately.

Comparison of Microsoft 365 Business and Office 365 E3

If Microsoft 365 Business doesn’t include all of the Microsoft 365 capabilities that you need, you can add many of these services as additional SKUs.

Microsoft 365 Business Premium: Features

Securing each & every layer of productivity seamlessly!

Identity Security

  • AAD Features like MFA
  • Self Service Password Reset
  • Conditional Access

Device Security

  • Microsoft Defender AV
  • Full Centralized Management of Mobile and Laptops with Intune
  • Remote wipe of data of lost & stolen devices
  • BitLocker Encryption
  • Enforce Strong Pin requirements along with WiFi, VPN profiles

Application Security

  • Restrict copy/paste/save corp data to personal apps
  • Accessing sensitive apps securely (Windows Virtual Desktop)

Email Security

  • Advanced Threat Protection for protection against malware and zero day attacks
  • Data Loss Prevention to monitor sensitive data from being transmitted
  • Email restrictions like “Do Not Forward” or “Encrypt Email”

Document Security

  • Azure Information Protection protects, classifies Documents for secure sharing
  • Revoke access to Documents
  • Track Sensitive documents

Microsoft 365 Business will help you to compete more efficiently, sell more services and retain customers because it brings all of the technology that small business need at a single per-user/per-month price point.

Microsoft 365 Business brings together the security and innovation of Windows 10 with the power and familiarity of Office 365 and streamlined management and maintenance capabilities built specifically for small and mid-sized businesses. Microsoft 365 Business is designed to help keep company data secure while ensuring employees are their most productive, in the office or on the go.

With productivity apps such as Word and Excel, cloud storage, email and calendaring, and an exceptional chat-based workspace to bring teams together, your customers will be able to achieve more as they create and collaborate with people inside and outside their company in ways that they never dreamed possible.

Microsoft 365 Business standardizes your customer’s devices on Windows 10, the most secure Windows ever. Building upon this strong foundation, Microsoft 365 Business adds cloud-based management and servicing, which helps ensure that customer devices are properly configured to take advantage of the security innovations in Windows 10 and significantly reduces the business’s risk profile.

Microsoft 365 Business also includes mobile application and device management, even on personal devices. With this functionality, when an employee leaves the organization or loses a device, you can protect your customers’ company data while reassuring the employee that her pictures and text messages remain private on her personal device.

Since Microsoft 365 Business is cloud-delivered and enabled, you can count on automatic updates to keep your customers’ apps and devices current with the latest and greatest security protection and features from Microsoft. Your customers will get to host their data on the same cloud that hosts data from over 85% of Fortune 500 companies.

This is all made more efficient for you through the Admin Console. The admin console not only simplifies things on your end, but gives you self-service tools that can create lower delivery costs and increased consulting and managed services margins. This frees up time on your end to invest in new capabilities that expand your business into new market areas.

Microsoft 365 Business Premium: Checklist for securing remote work

Because Small and Medium Businesses have different security needs and attitudes, the checklist includes suggested recommendations for two common scenarios.

  • The normal scenario is designed for a typical business that wants to enable secure remote work and balance ease of use with security.
  • The high risk scenario is more appropriate for a business that wants to maximize security protections and has higher concern for risk (for example, to adhere to regulatory requirements such as HIPAA or GLBA). This business is also willing to put more effort into maintaining security and control of the work from home environment.

Both sets of defaults are intended to provide a starting point for a serious discussion around the security and compliance options available, rather than prescriptive guidance. One of the first and most important things that IT leaders and business leaders can do is talk through the possibilities.

Setting | Recommended settings – normal scenario | Recommended settings – high-risk scenario

Set up tenant
Decide between hybrid & cloud-only identity | Hybrid, Azure AD Connect | Hybrid, Azure AD Connect
Azure AD Connect – sign-in method | Password Hash Sync | Password Hash Sync
Azure AD Connect – single sign-on | Enabled | Enabled
Azure AD Connect – on-premises attribute for Azure AD username | userPrincipalName | userPrincipalName
Azure AD Connect – password writeback | Enabled | Enabled
Decide on email migration strategy | Hybrid Agent | Hybrid Agent
Configure DNS domains | Situational | Situational

Configure identity protection
Plan for administrative access | Required | Required
Configure dedicated admin accounts | Recommended | Recommended
Multi-factor authentication (MFA) for admins | Security defaults | Required, Conditional Access
Multi-factor authentication (MFA) for users | Security defaults | Required, Conditional Access
Self-service password reset (SSPR) | Enabled, all users | Enabled, all users
Combined security information registration | Enabled, all users | Enabled, all users

Configure email protection
Enable Common Attachment Types filter | Recommended | Required
Enable transport rule for attachments with Office macro extensions | Warn | Block
Enable transport rule to block auto-forwarded email | Recommended | Required
Enable Sender Policy Framework (SPF) to help prevent spoofing | Required | Required
Enable DomainKeys Identified Mail (DKIM) to help prevent spoofing | Optional | Signed, all domains
Enable DMARC policy to validate email | Enabled, p=quarantine | Enabled, p=reject
Enable Office 365 ATP policies | Recommended policies | Required, with spear-phishing protection

Configure information governance
Set up Data Loss Prevention (DLP) | Recommended, using default policy | Enabled for sensitive data types (GLBA, HIPAA, etc.)
Enable email encryption | Office 365 Message Encryption | Sensitivity labels
Enable retention policies | None | Enabled
Enable sensitivity labels | Optional | Enabled, default or custom labels

Configure Teams security
Teams governance (allow users to create teams on their own) | Defaults | Restrict group settings
Guest access (allow external users to fully participate in teams & channels) | Enabled | Enabled
External chat (allow external users to initiate chat) | Allowed, default policy | Restricted
3rd-party cloud storage | Defaults | Off
Meeting policy and settings | Defaults | Block anonymous
Messaging policy | Defaults | Defaults
OneDrive for Business sharing | Anyone | Require login
Migrate files to Teams & OneDrive for Business (to enable recovery) | Required | Required

Manage devices
Onboard existing Active Directory joined PCs | Hybrid Azure AD Join | Hybrid Azure AD Join
Provision new/refreshed company PCs | Azure AD join, Autopilot recommended | Azure AD join, Autopilot recommended
Configure app protection policies for company-owned PCs | Enabled, encrypt data only | Encrypt + block relocation
Block/allow access from employee-owned mobile devices | Allowed, default app protection policy | Block client app access, block web downloads
Block/allow access from employee-owned PCs | Block client app access, block web downloads | Block client app access, block web downloads
Enable device configuration profiles | Basic config profile | Endpoint security profiles
Enable device compliance policies | Optional | Enforced, Conditional Access

Secure remote access
Access to on-premises data & apps (existing VPN) | Split-tunnel VPN | Split-tunnel VPN
Access to 3rd-party cloud apps | Azure AD single sign-on (SSO) | Azure AD single sign-on (SSO)
Access to on-prem web apps | Azure AD Application Proxy | Azure AD Application Proxy
Access to desktop apps | Windows Virtual Desktop (WVD) | Windows Virtual Desktop (WVD)
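The email-protection rows of the checklist (and the SPF, DKIM and DMARC items in the CIS list earlier on this page) depend on records published in public DNS, which is the part a tenant audit cannot see. The function below is an added example, not code from the page or from Microsoft; it resolves a domain's SPF, DKIM and DMARC records with `Resolve-DnsName` (Windows `DnsClient` module, so it runs from any Windows machine with no tenant access) and grades them against the two scenarios: `p=quarantine` passes the normal scenario, only `p=reject` passes high risk, and DKIM is a warning in the normal scenario but a failure in high risk. The domain in the usage line is a placeholder.

```powershell
# Added example (not from the page): grade a domain's published SPF/DKIM/DMARC records against the
# checklist scenarios. Assumes Windows DnsClient (Resolve-DnsName) and outbound DNS access.
function Test-MailAuthDns {
    param(
        [Parameter(Mandatory)][string]$Domain,
        [ValidateSet("normal", "highrisk")][string]$Scenario = "normal"
    )
    # Return each TXT record under $Name as one string (long records are published in 255-byte chunks).
    function Get-TxtStrings([string]$Name) {
        Resolve-DnsName -Name $Name -Type TXT -ErrorAction SilentlyContinue |
            Where-Object { $_.Type -eq "TXT" } |
            ForEach-Object { -join $_.Strings }
    }

    # SPF: exactly one v=spf1 record (two is a permanent error), including Microsoft 365 and ending in a hard fail.
    $spf   = @(Get-TxtStrings $Domain | Where-Object { $_ -like "v=spf1*" })
    $spfOk = ($spf.Count -eq 1) -and
             ($spf[0] -match "include:spf\.protection\.outlook\.com") -and
             ($spf[0] -match "\s-all\s*$")

    # DKIM: Microsoft 365 publishes selector1/selector2 as CNAMEs that resolve to TXT records starting with v=DKIM1.
    $dkimSelectors = @("selector1", "selector2" | Where-Object {
        @(Get-TxtStrings "$($_)._domainkey.$Domain") -match "v=DKIM1"
    })
    $dkimOk = $dkimSelectors.Count -ge 1

    # DMARC: the p= tag is anchored so sp= or pct= cannot be mistaken for it; pct<100 weakens either policy.
    $dmarc  = @(Get-TxtStrings "_dmarc.$Domain" | Where-Object { $_ -like "v=DMARC1*" })
    $policy = if ($dmarc.Count -ge 1 -and $dmarc[0] -match "(?:^|;)\s*p=(\w+)") { $matches[1] } else { "missing" }
    $pct    = if ($dmarc.Count -ge 1 -and $dmarc[0] -match "(?:^|;)\s*pct=(\d+)") { [int]$matches[1] } else { 100 }
    $accepted = if ($Scenario -eq "highrisk") { @("reject") } else { @("quarantine", "reject") }
    $dmarcOk  = ($accepted -contains $policy) -and ($pct -eq 100)

    $spfStatus = if ($spfOk) { "PASS" } else { "FAIL ($($spf -join ' | '))" }
    $dkimStatus = if ($dkimOk) { "PASS ($($dkimSelectors -join ','))" }
                  elseif ($Scenario -eq "normal") { "WARN (optional in normal scenario)" }
                  else { "FAIL (no selector1/selector2 record)" }
    $dmarcStatus = if ($dmarcOk) { "PASS (p=$policy)" } else { "FAIL (p=$policy, pct=$pct, need $($accepted -join '/'))" }

    [pscustomobject]@{
        Domain   = $Domain
        Scenario = $Scenario
        SPF      = $spfStatus
        DKIM     = $dkimStatus
        DMARC    = $dmarcStatus
    }
}

# Usage (placeholder domain): grade against the high-risk thresholds.
Test-MailAuthDns -Domain "contoso.com" -Scenario highrisk
```

To cover every domain the tenant accepts mail for, pipe `Get-AcceptedDomain` from an Exchange Online session into the function (`Get-AcceptedDomain | ForEach-Object { Test-MailAuthDns -Domain $_.DomainName -Scenario highrisk }`). Moving from `p=quarantine` to `p=reject` should be done only after DMARC aggregate reports show that all legitimate senders (marketing platforms, ticketing systems, scanners) are passing SPF or DKIM alignment, otherwise the high-risk setting rejects your own mail.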
Enable your business to run from anywhere, with peace of mind.