Contributors: Collin Schutz, John Cummings, Konstantin Papadakis, Susan Benz
Introduction
With ever-increasing and more sophisticated cybersecurity threats, such as a 300% increase, nationally, in ransomware in the past year[1], many organizations are choosing to move away from disparate tools that often don’t work together and implement a more streamlined, cloud-based approach. Managing risk using cloud services is more flexible and scalable for small to medium businesses (SMBs), who often face resource, budget, and skilling constraints. It’s not uncommon for a single person to oversee IT and security—from setting up new PCs to protecting against security attacks. An integrated approach to security helps minimize breaches, reduces complexity, and lets you focus on the alerts that matter. Imagine referencing a single pane of glass—a single dashboard—instead of logging into multiple dashboards that aren’t integrated and put the burden on the user to analyze and assimilate alerts.
This blog will provide answers to some common questions to help you evaluate your current security posture as it relates to identity and access management, where you can look to make improvements on your own, and how to recognize when you may need to bring in added help from a vendor like Olive + Goose. We’ll provide a baseline approach to security and include some additional intermediate and advanced considerations you can implement.
If you’re looking for cost savings and to consolidate disparate systems and reduce administrative overhead, we’ll provide some benefits of implementing a comprehensive security solution such as Microsoft Defender for Business or Microsoft 365 Business Premium, which includes Microsoft Defender.
Minimum baseline recommendations for email and identity security
Managing risk should be an ongoing exercise for organizations, regardless of size. In 2022, median enterprise IT budgets were US $12.5m, and SMBs operated with $375,000 median IT budgets. Both SMBs and enterprises expect security budgets to grow by 14 percent over the next three years[2]. One major consideration when assessing your current email and identity security posture is identifying how many different solutions or vendors you are paying for. Are you in the process of consolidating your security vendors, or looking to consolidate? In both scenarios, we highly recommend using cloud-based services like Microsoft 365 to help secure a remote workforce and allow for secure collaboration. Additionally, cloud services reduce the need for on-premises servers and the IT cost that comes with them.
Enable security baseline features
This section provides some security baseline features for identity protection you can easily implement. Many are included with Microsoft 365, and you could already be paying for them. To start, review your Microsoft 365 security features and ensure they are enabled. Not all features are enabled by default, so while you may be paying for them, they may still need to be turned on. These can include Conditional Access policies, advanced threat protection features, data loss prevention, and so on. Note that some features may depend on the version of Microsoft 365 you have, and not all features may be appropriate for your environment.
- Implement multi-factor authentication (MFA). Setting up MFA goes a long way to help keep your environment secure. MFA requires users to provide multiple forms of identification, often three or more. All users, including administrative roles, should use MFA, which is the last line of defense in the event of stolen credentials.
- Block legacy authentication. Enable a policy that blocks legacy authentication. Legacy authentication is a less secure method of verifying user identity, such as username and password alone, and has inherent security problems and bugs. Microsoft strongly recommends that organizations move off legacy authentication in favor of modern authentication. MFA, for example, is a modern authentication feature only, so even if you have enabled MFA, it will not be enforced on sign-ins that use legacy authentication.
- Enable default security policies. Use default security policies, which encompass anti-spam, anti-malware, and anti-phishing protection. Microsoft 365, for example, provides a broad set of built-in security policies.
- Activate Microsoft Defender for Office 365 (MDO). MDO, part of Microsoft 365 Business Premium, helps guard against viruses, spam, unsafe attachments, suspicious links, and phishing attacks. Features such as link and attachment detonation are expensive to implement on-premises but very cost-effective in the cloud, which makes them attainable for SMBs.
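The first two baseline items above (MFA for everyone and blocking legacy authentication) are both implemented as Conditional Access policies. The script below is an added example, not code from the Olive + Goose post, showing how to create both with the Microsoft Graph PowerShell SDK. It assumes the Microsoft.Graph module is installed, that the signed-in administrator can consent to the listed scopes, and that you replace the placeholder break-glass account with your own emergency-access account so it is excluded from both policies. Both policies are created in report-only mode so that the sign-in logs show who would be affected before anything is enforced.

```powershell
# Added example (not from the post): create the two baseline Conditional Access
# policies with the Microsoft Graph PowerShell SDK.
# Assumptions: Microsoft.Graph module installed; admin can consent to the scopes
# below; $BreakGlassUpn is a placeholder for your emergency-access account.

$BreakGlassUpn = "breakglass@example.com"   # placeholder, replace with your own

Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All", "User.Read.All"

# Resolve the break-glass account so its object id can be excluded from both policies.
$breakGlass = Get-MgUser -UserId $BreakGlassUpn -Property Id

# Policy 1: block legacy (basic) authentication. Exchange ActiveSync and
# "other clients" are the client app types that cannot do modern auth, so the
# policy targets only those sign-ins and blocks them.
$blockLegacy = @{
    displayName   = "Baseline: Block legacy authentication"
    state         = "enabledForReportingButNotEnforced"   # report-only first
    conditions    = @{
        clientAppTypes = @("exchangeActiveSync", "other")
        applications   = @{ includeApplications = @("All") }
        users          = @{
            includeUsers = @("All")
            excludeUsers = @($breakGlass.Id)
        }
    }
    grantControls = @{
        operator        = "OR"
        builtInControls = @("block")
    }
}

# Policy 2: require MFA for every user on modern clients (browser and
# mobile/desktop apps). Legacy clients are already handled by policy 1.
$requireMfa = @{
    displayName   = "Baseline: Require MFA for all users"
    state         = "enabledForReportingButNotEnforced"   # report-only first
    conditions    = @{
        clientAppTypes = @("browser", "mobileAppsAndDesktopClients")
        applications   = @{ includeApplications = @("All") }
        users          = @{
            includeUsers = @("All")
            excludeUsers = @($breakGlass.Id)
        }
    }
    grantControls = @{
        operator        = "OR"
        builtInControls = @("mfa")
    }
}

foreach ($policy in @($blockLegacy, $requireMfa)) {
    $created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
    Write-Host ("Created '{0}' (id {1}) in state {2}" -f $created.DisplayName, $created.Id, $created.State)
}

# Review: every Conditional Access policy in the tenant and its current state.
Get-MgIdentityConditionalAccessPolicy | Select-Object DisplayName, State
```

After the report-only sign-in logs confirm that only expected accounts are affected, switch each policy to enforcement with `Update-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId <id> -BodyParameter @{ state = "enabled" }`. Keeping the break-glass exclusion in place is what prevents a misconfigured policy from locking every administrator out of the tenant.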
Run Microsoft Secure Score
Microsoft Secure Score assesses your current security environment and provides a score—the higher the score, the better—and insights into where you can improve. You’ll see recommendations for supported Microsoft products you have a license for. Secure Score shows you the full set of recommendations for a product, regardless of license edition, subscription, or plan. You can also mark the recommended actions as covered by a third party or alternate mitigation to gain points. As with any configuration, though, keep in mind that security should be balanced with usability, and not every recommendation may work for your environment.
Image caption: Screenshot showing Microsoft Secure Score Overview tab with a low score.
Image caption: Screenshot showing Microsoft Secure Score dashboard of the Recommended actions tab.
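The Secure Score shown in the screenshots above is also exposed through Microsoft Graph, which is handy when you want the recommendations in a spreadsheet or a ticketing system rather than the portal. The script below is an added example, not code from the post, that reads the latest score and lists the controls that have earned no points yet. It assumes the Microsoft.Graph.Security module and consent to the SecurityEvents.Read.All scope; the property names follow the Graph secureScore and secureScoreControlProfile resources.

```powershell
# Added example (not from the post): read the latest Secure Score through
# Microsoft Graph and list the unimplemented controls, highest-ranked first.
# Assumptions: Microsoft.Graph.Security module installed; SecurityEvents.Read.All
# scope granted. Property names follow the Graph secureScore resource.

Connect-MgGraph -Scopes "SecurityEvents.Read.All"

# Secure Score is computed daily; the list returns the most recent snapshot first.
$latest = Get-MgSecuritySecureScore -Top 1

$percent = [math]::Round(100 * $latest.CurrentScore / $latest.MaxScore, 1)
Write-Host ("Secure Score on {0}: {1} / {2} ({3}%)" -f $latest.CreatedDateTime, $latest.CurrentScore, $latest.MaxScore, $percent)

# Control profiles carry the human-readable title, rank and maximum points for
# each control; index them by id so each control score can be enriched.
$byId = @{}
foreach ($prof in Get-MgSecuritySecureScoreControlProfile -All) {
    $byId[$prof.Id] = $prof
}

# A control with a score of 0 is a recommendation that is neither implemented
# nor marked as covered by a third party or alternate mitigation.
$todo = foreach ($cs in $latest.ControlScores) {
    if ($cs.Score -ne 0) { continue }
    $prof = $byId[$cs.ControlName]
    [pscustomobject]@{
        Control   = $cs.ControlName
        Category  = $cs.ControlCategory
        MaxPoints = $(if ($prof) { $prof.MaxScore } else { $null })
        Rank      = $(if ($prof) { $prof.Rank } else { $null })
        Title     = $(if ($prof) { $prof.Title } else { $cs.Description })
    }
}

$todo | Sort-Object Rank | Format-Table -AutoSize
```

Sorting by rank puts Microsoft's highest-priority recommendations at the top, which is usually where a one-person IT team should start; the MaxPoints column shows how much of the score each item is worth.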
Set up Exchange Online Protection (EOP) and Microsoft Defender for Office 365 (MDO) security beyond the default settings
Microsoft Exchange Online Protection (EOP) and Microsoft Defender for Office 365 (MDO) provide security features as part of your Microsoft 365 subscription and help keep malicious emails from reaching your employees' inboxes. You should consider going beyond the default settings and using the recommended Standard and Strict settings to enable a more secure environment for features such as:
- Anti-Spam
- Anti-Phishing
- Anti-Malware
- Quarantine
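The Standard and Strict settings are delivered as preset security policies, and they are not applied to anyone until you turn them on and scope them to your recipients. The script below is an added example, not code from the post, that inspects the preset rules in Exchange Online PowerShell and enables the Standard preset for both EOP and Defender for Office 365. It assumes the ExchangeOnlineManagement module, an account with the Organization Management role, and that "example.com" is replaced with your accepted domain.

```powershell
# Added example (not from the post): turn on the Standard preset security policy
# for EOP (anti-spam, anti-phishing, anti-malware, quarantine) and for Defender
# for Office 365 (Safe Links, Safe Attachments) using Exchange Online PowerShell.
# Assumptions: ExchangeOnlineManagement module installed; $Domain is a
# placeholder for your accepted domain.

$Domain = "example.com"   # placeholder, replace with your accepted domain

Connect-ExchangeOnline

# Current state of the preset rules. A preset that has never been turned on in
# the Defender portal has no rule yet; in that case create one first with
# New-EOPProtectionPolicyRule / New-ATPProtectionPolicyRule before enabling it.
Get-EOPProtectionPolicyRule | Format-Table Name, State, Priority, RecipientDomainIs
Get-ATPProtectionPolicyRule | Format-Table Name, State, Priority, RecipientDomainIs

# Scope the Standard preset to every recipient in the domain, then enable it.
# The EOP rule covers anti-spam, anti-phishing and anti-malware; the ATP rule
# covers Safe Links and Safe Attachments. Strict follows the same pattern with
# the identity "Strict Preset Security Policy".
Set-EOPProtectionPolicyRule -Identity "Standard Preset Security Policy" -RecipientDomainIs $Domain
Enable-EOPProtectionPolicyRule -Identity "Standard Preset Security Policy"

Set-ATPProtectionPolicyRule -Identity "Standard Preset Security Policy" -RecipientDomainIs $Domain
Enable-ATPProtectionPolicyRule -Identity "Standard Preset Security Policy"

# Verify: both rules should now report State = Enabled with the domain scoped.
Get-EOPProtectionPolicyRule -Identity "Standard Preset Security Policy" |
    Select-Object Name, State, RecipientDomainIs
Get-ATPProtectionPolicyRule -Identity "Standard Preset Security Policy" |
    Select-Object Name, State, RecipientDomainIs

Disconnect-ExchangeOnline -Confirm:$false
```

Because the preset rules take precedence over custom policies for the recipients they cover, re-run the two Get commands after enabling and check that the scope matches what you intended; a rule scoped to the wrong domain silently protects nobody.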
Intermediate and advanced security access features to consider
After ensuring baseline security features for identity and email have been implemented, you should consider which intermediate and advanced features for access management are relevant for your organization such as:
- Implementing application protection policies. Microsoft Intune or other mobile device management (MDM) solutions provide application protection policies to make rules about what users can do in certain applications. For example, you can set a rule so that users can’t take screenshots from their mobile devices.
- Applying access control policies. Use Conditional Access policies in Microsoft 365 Business Premium or Azure AD Premium P1 to apply the right access controls after first-factor authentication is completed. Conditional Access can block or grant access based on administrative role or sign-in location, respond to risky sign-in behaviors, and so on.
- Administering email protection features. Use features such as Safe Attachments, including detonation of email attachments, and Safe Links to protect against threats.
- Controlling and limiting access. Use Microsoft Defender for Cloud Apps to control and limit access to cloud applications and services. Create custom role-based access control (RBAC) roles to define what users can do.
- Optimizing available Microsoft 365 features. Make sure you use the Microsoft 365 features already included in your current licensing. Note: oftentimes you can purchase just the features you need; you don't have to buy all of them.
- Protecting information with Microsoft Purview for retention, labeling, and so on.
- Protecting identities and devices with Privileged Identity Management (PIM).
- Training your employees. Use threat assessment tools and attack simulations, such as sending internal phishing links to your users, to train them on what to look out for when bad actors attempt to obtain user credentials.
- Conducting security assessments. Remember, employees are an important line of defense. Conduct security assessments and awareness training.
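A security assessment of the kind described in the last item often starts with a very concrete question: has every account holding an administrative role actually registered for MFA? A Conditional Access policy requiring MFA cannot protect an admin who has never enrolled a method. The script below is an added example, not code from the post, that answers that question from the authentication methods registration report in Microsoft Graph. It assumes the Microsoft.Graph.Reports module and consent to the AuditLog.Read.All and UserAuthenticationMethod.Read.All scopes; the property names follow the Graph userRegistrationDetails resource.

```powershell
# Added example (not from the post): assess MFA registration across the tenant,
# with a focus on accounts that hold admin roles.
# Assumptions: Microsoft.Graph.Reports module installed; AuditLog.Read.All and
# UserAuthenticationMethod.Read.All scopes granted.

Connect-MgGraph -Scopes "AuditLog.Read.All", "UserAuthenticationMethod.Read.All"

# One record per user: whether they hold an admin role, whether they have an
# MFA-capable method registered, and which methods those are.
$details = @(Get-MgReportAuthenticationMethodUserRegistrationDetail -All)

$registered        = @($details | Where-Object { $_.IsMfaRegistered })
$admins            = @($details | Where-Object { $_.IsAdmin })
$unregisteredAdmin = @($admins  | Where-Object { -not $_.IsMfaRegistered })

Write-Host ("Users: {0}, MFA registered: {1}" -f $details.Count, $registered.Count)
Write-Host ("Admins: {0}, without MFA registration: {1}" -f $admins.Count, $unregisteredAdmin.Count)

# Every admin in this list is a credential-theft exposure until they enroll,
# regardless of which Conditional Access policies are in place.
$unregisteredAdmin |
    Select-Object UserPrincipalName, IsMfaCapable,
        @{ Name = "Methods"; Expression = { $_.MethodsRegistered -join "," } } |
    Sort-Object UserPrincipalName |
    Format-Table -AutoSize
```

Running this before and after an MFA rollout gives a simple, defensible metric for the assessment, and the Methods column shows whether registered users are relying on weaker methods (such as SMS) that you may want to phase out later.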
Summary
Cybersecurity will remain an ongoing concern for SMBs, especially with a hybrid workforce. While you may not have a lot of resources to put toward cybersecurity, there are some basic—and advanced—controls you can apply to help reduce risk exposure and mitigate a breach. Complexity can increase vulnerability, so we encourage organizations to move away from disparate and siloed solutions to an integrated approach that offers comprehensive coverage across identities, endpoints, applications, email, content, and infrastructure. Remember to turn on features and use what you’re paying for. You may have purchased a solution, but have you turned on the features? Using tools like Microsoft Secure Score provides an overview of your organization’s security stance, which is particularly helpful if you have a small organization or few resources with the right skills to manage security settings.
With multiple disparate solutions, each becomes a single point of failure and troubleshooting can become time consuming. Moving to Microsoft 365 security solutions simplifies this and provides a single pane of glass for troubleshooting and for getting support from Microsoft. While other vendors provide siloed solutions, we recommend vendor consolidation, such as onto the Microsoft 365 security solutions, to improve cost-effectiveness and security posture.
And while many features or updates are straightforward, it’s important to understand the risks and ask yourself the following questions before implementing something new:
- Do you or someone on your team have the knowledge to implement the recommended updates?
- Do you understand the implications for making a certain update?
- What is the user impact for implementing something new?
How Olive + Goose can help
At Olive + Goose, we have implemented security solutions for over 500,000 endpoints, including workstations, servers, and mobile devices, with the largest implementations involving over 50,000 endpoints. We will work with you as one team toward a common goal: helping protect your digital estate while reducing the costs, complexity, and resources required to maintain it in-house.
Our Microsoft 365 Security Workshop is a one-day training session that helps organizations configure and use the Microsoft 365 security solutions to protect their data, identities, applications, and devices. The workshop covers the key pillars of security, such as identity and access, threat protection, and information protection, and shows how to leverage the integrated solutions and features of Microsoft 365. The workshop also helps organizations assess their security posture and improve their security score.
If you’re unsure where to begin or how to consolidate some of your services, we can help. Contact us at [email protected] for a Security Assessment, in which our team of experts evaluates your current Microsoft 365 and security stack licensing, provides recommendations, and helps you fine-tune it to meet your needs. For more information about our security service offerings, read our Security flyer.
Additional Resources
- Microsoft 365 Security Workshop
- Protecting Yourself from Ransomware with Proper Email Security – Olive + Goose
- Increase your email security posture and save cost at the same time – Olive + Goose
- Microsoft Secure Score | Microsoft 365
- Microsoft recommendations for EOP and Defender for Office 365 security settings – Office 365 | Microsoft Learn
- Security for Small and Medium-Sized Businesses | Microsoft Security
- How to secure your business data with Microsoft 365 for business – Microsoft 365 admin | Microsoft Learn
_______________________________________________________________________
[1] ABC News, "DHS secretary warns ransomware attacks on the rise, targets include small businesses," May 6, 2021.
[2] Kaspersky, IT Security Economics 2022, Executive Summary, 2022.
[3] Verizon, 2022 Data Breach Investigations Report, Incident Classification Patterns, 2022.