- Enabling and enforcing Office 365 multi-factor authentication (MFA, sometimes called two-factor authentication or 2FA) for all users. Two-factor authentication isn’t just a great idea for Office 365 accounts, but should also be put in place for other online services where available as it makes it more difficult for phishers to access accounts even if they have successfully stolen a password.
(Of course, Microsoft hasn’t done the promotion of multi-factor authentication any favours after suffering an outage last November which locked users out of their Office 365 accounts for a period of time.)
- Hardening account security by enforcing password rules related to length and complexity. Businesses should seriously consider using an enterprise-grade password manager to make it easy for staff to generate unique, complex passwords rather than letting them fall into bad habits.
- Running security software to analyse visited webpages and downloaded files for suspicious content.
- Training and educating staff about the latest threats and risks.
Every day there are news stories about organisations being phished, data being lost to hackers, and damage being done to a company’s brand.
Often the media reports don’t say which email system the organisation was using, but with the growing uptake of Office 365 it’s likely that a fair proportion of them do involve Microsoft’s cloud-based services.
Earlier this month, for instance, Missouri Southern State University admitted that it had suffered a data breach after several employees fell victim to a phishing attack back in January 2019.
The breach meant that remote hackers could potentially have accessed emails and attachments containing names, dates of birth, home addresses, email addresses, telephone numbers, and social security numbers.
According to the university, it was directed to delay notifying potentially affected individuals while law enforcement completed its investigation, but it wisely reset all employees’ Office 365 passwords immediately, and put in place a plan to enhance its IT systems to reduce the chances of future attacks.
Whatever email system you’re using inside your business, it makes sense to strengthen your defences against the increasingly sophisticated tricks being used by online criminals.