Microsoft 365 Security Audit

If you have ever wondered how secure your Microsoft/Office 365 environment is, there are lots of online resources that can guide you through your own security audit. Unfortunately, most of those resources lack a standardized approach, and of course they don’t take YOUR particular needs into consideration.

Consider this: there are over 60 security controls that you can audit for any Microsoft/Office 365 environment, and there are over 10 different security-oriented services that can be configured in the Office admin portal.

As part of our security services, we perform the following tasks:

  • Initial security assessment of your Microsoft 365 services: a comprehensive security assessment against the CIS Benchmark security framework (over 50 security checks that have zero or very limited impact when implemented). The report includes recommendations for Exchange Online, SharePoint Online, OneDrive for Business, Skype/Teams, Azure Active Directory, and Mobile Devices.
  • We schedule a planning session to identify all the Microsoft 365 security features that make sense for your business.
  • We configure all the security features identified above.
  • We provide a security training/education session for the whole team, explaining in non-technical terms the security best practices (phishing, privacy, and protection of your own computer) that should be followed by everyone.

Not convinced yet? Read the following short presentation.

Turn to NovaQuantum for the expertise you need to help you safeguard your business data. We know IT security and we know Microsoft 365. We can help you control and manage access to sensitive information, protect company data across devices, and guard against unsafe attachments, suspicious links, and other cyber threats.

You can expect guidance, recommendations, and best practices to keep your business data safe from both internal and external threats with a simple, cost-effective solution.

Book your FREE Office/Microsoft 365 security consultation with us, today!

Security defaults for Microsoft/Office 365 subscriptions

As a managed cloud security company, we are often asked why “my environment” is not secure by default, as designed by Microsoft. This question is even more relevant in the context of a Microsoft/Office 365 environment: the majority of small and medium businesses that use Office 365 probably do not have a dedicated security department that is well versed in cloud security. To answer the question above, let’s take a look at the following example.

Here is what the Secure Score looks like using all the default settings as provided by Microsoft (your own results might vary, as you might have different options/features enabled in your own subscription). This sample subscription is using the E3 Office 365 plan.

Let’s take this example one step further: we’ve audited the same subscription using the CIS Microsoft 365 Foundations Benchmark version 1.2.0 framework. We tried to be practical, so we used only the E3 Level 1 profile from this framework. Items in this profile apply to customer deployments of Microsoft M365 with an E3 license and are intended to:

  • be practical and prudent
  • provide a clear security benefit; and
  • not inhibit the utility of the technology beyond acceptable means.

What we’ve discovered was a bit sobering:

  • In total, 44 of the security controls audited had a “Fail” mark
  • Only 8 security controls had a “Pass” mark
  • Account / Authentication section: 7 Failed, 4 Passed
  • Application Permissions section: 2 Failed, 0 Passed
  • Data Management section: 4 Failed, 0 Passed
  • Email Security / Exchange Online section: 9 Failed, 2 Passed
  • Auditing section: 10 Failed, 2 Passed
  • Storage section: 3 Failed, 0 Passed
  • Mobile Device Management section: 9 Failed, 0 Passed

By now you have obviously started to form a well-informed opinion about the quality of the default security settings of Microsoft/Office 365.

I don’t think anyone can answer our initial question very clearly; maybe someone from Microsoft can. But we can show unequivocally that, even without an in-depth review of the business requirements as they relate to the security of the data in the cloud, there is plenty of opportunity to improve the security of ANY Microsoft/Office 365 security environment.

I would strongly advise all businesses using Office 365 to perform an in-depth review of their security settings to make sure their business data is secure in the cloud. Remember that even in the Software-as-a-Service platform that Microsoft/Office 365 offers, the security of the data is YOUR responsibility and not Microsoft’s. You are given a multitude of security controls that can be enabled and configured, but in the end you need to analyze them and make sure they meet your particular business requirements.

Run your business from anywhere, with peace of mind
NovaQuantum can help you in this endeavour: book your FREE Office/Microsoft 365 security consultation with us, today!