As we addressed a previous post, Microsoft Office 365 is a secure cloud-based platform for information and document management. We already have a fairly good overview of why Microsoft cloud services are secure options for businesses looking to increase internal data security. So here, we will only give a brief summary of that post:
- Microsoft has zero access to cloud-based services from within them.
- No system is 100% secure from hacking in today’s day and age. But Office 365 gives you access to additional Microsoft security products and services.
- Microsoft does not retain any data for longer than 90 days after you cancel your cloud subscription. They also have no right of ownership or use-rights for any information on their platform.
- There are strong protections in place to prevent access to customers data. This includes data from both internal employees of Microsoft and unapproved 3rd party access.
- While each industry’s compliance regulations are different, we think many regulations can still be fulfilled with Office 365. But, we recommend you always talk to an experienced IT legal professional in your industry. Get their advice before making commitments to change infrastructure or software platforms.
Today, Microsoft has made several updates to their cloud services. And Office 365 is a leap up from many businesses’ internal data security systems. Yes, many businesses have their own great security systems. But Microsoft continues to invest significant amounts of thought, energy, and money into keeping the most secure software and infrastructure they can.
Reasons why Microsoft Office 365 is Secure
2-Factor Authentication in Office 365
According to Microsoft’s internal data, 80-90% of security breaches on the 365 platform are due to phishing attacks. In order to prevent this, Microsoft recommends businesses install two-factor authentication to log in to Office 365 products. They have also released a phishing attack simulation software system businesses can use to train employees about the dangers of phishing emails and help prevent breaches along this line.
Lessons Learned from a Malicious KeyLogger
A recent keylogging software attack against a CPA named John gave some interesting lessons on how internal security can be improved in business data management. We think the lessons also show how a business without the resources of Microsoft can make use of Office 365 to provide better data security than they can keep on their own.
Teach Your Users Tips to Avoid Phishing Emails
One of the most noticeable issues Krebs addresses in the article is the fact that the most likely way the keylogger was installed on accountant John’s security system was from an attachment he thought was legitimate. Training employees and business owners on the need to avoid phishing emails is essential to good IT security. But so is using email software with best-in-class phishing prevention algorithms. Part of Office 365, Outlook provides Microsoft’s junk email filters have been preventing much (not all) of spurious and fraudulent emails from ever reaching their intended targets.
Using a quality email control like Outlook drastically reduces the level of spam and malicious emails your non-IT users receive. This, in turn, reduces the chances they will click on one by mistake. It’s time-saving, even if you engage the best simulation and training software to help them understand why not to click on phishing emails or download attachments from unverified sources.
Never Download Attachments from Untrusted Sources
Again, this was the most likely carrier for the accountant’s security breach. And the keylogging software that was installed on the CPA’s computer caused significant issues with his business. While man-in-the-middle and clickjacking attacks are legitimate concerns from phishing emails, the easiest way for a phishing attack to work is still to hide malicious code in an attachment.
Microsoft products are updated continuously to help prevent a successful phishing attack via these methods. Updates include requiring administrative approval to activate any executable code. Using Microsoft cloud services gives you the capability to monitor and limit naive users from installing code on the cloud or on local machines through opening document type files.
Always Keep Antivirus Programs and Software Patches Up-to-Date
The keylogger took photos of the accountant’s computer screen at regular intervals to collect more information than the keyboard was inputting. These images included multiple screenshots of notifications that certain software programs including Intuit Quickbooks were out of date. And it showed required patches had not been installed.
We like to think no IT professional worth the name would forget to patch programs. But we all know basic users at many businesses are not so sophisticated. Adding word processing, spreadsheets, and presentation updates to your list of regular individual computer updates is a hassle. But a cloud-based service will give administrators of the platform control over devices on the platform, updates to software, and user access.
Don’t trust Joe the accountant to install updates and patches on his PC. Because as the malicious keylogger demonstrated so clearly, many professionals in other fields are not professionals in IT security.
A cloud-based platform with user-based controls, multiple factor authentication, and centralized updates and monitoring gives you the capability to secure the data you are responsible for.
Lessons Learned from Other Large Software Cloud Providers
Perhaps the largest caution against trusting big-name software providers with your internal data is the Adobe security breach. It provides lessons to every company and IT professional. Adobe’s CSO, Brad Arkin, discussed the lessons he learned from Adobe’s world setting data breach in 2013 (CSO). Several of the lessons he learned apply directly to why we believe Office 365 is a best-in-class secure product. And other lessons he learned apply to how CSOs and other IT professionals can approach security in their own businesses.
Remove Silos in Software Teams
When Adobe started their cloud-based product in 2013, their software engineers and security engineers still used a legacy approach to security. There was no cross-functionality in their processes. The security team focused on code, other teams entirely focused on infrastructure security, and user-based securities.
After the security breach, Adobe actually promoted Brad Arkin from mid-level management of the IT security teams to a newly created C-suite position, the CSO. This lets him focus on security across different departments. And it also ensured they did the best job possible to prevent security breaches and reported them faster when they happened.
What Adobe had to do after the 2013 security breach, Microsoft had already done. And they did it before they faced a world-record setting level security breach. While Microsoft was forced to remove the silos from their departments because of innovative competition from Google and Apple, it has created positive momentum for their security operations as well (ZDnet).
Work to Determine Authorization
Another aspect of security Adobe implemented applies to how Office 365 works is authorization management. While 2-factor authentication is essential to any modern user login, it is not enough in the face of how attractive a target an office system is to hackers. Adobe has implemented machine learning to monitor account activities. It notifies their IT security teams when users are not behaving normally. Microsoft also announced they are implementing machine learning in their software security.
How Microsoft is Ahead of the Curve in Data Security
While we can learn much from looking at other’s mistakes, the fundamental question is still before us. Does Microsoft Office 365 offer a more secure platform than many businesses internal data security can provide? Read below for more on why we believe Microsoft Cloud services provide high-value security systems.
Good Artists Borrow, Great Artists Steal
Acquiring Israeli security firm Hexadite in June of 2017, Microsoft continues to demonstrate they are willing to invest the money to advance in security. The phrase quoted from Pablo Picasso came from none other than Steve Jobs. But it definitely applies to Microsoft when considering whether their cloud products will keep your information secure. Great artists steal. And Microsoft is not above buying out competitors in order to use their experience, software, and infrastructure to improve their own products.
If you are building internal cloud systems, can you say the same about your company? Many businesses don’t focus on doing everything they can to keep their data secure, but Microsoft is. So who can secure it better?
Use the Best in Machine Learning
Microsoft applied key aspects of machine learning to Office 365 in 2017, and they have not stopped updating their machine learning for cloud security. As a competitive contender in the marketplace of machine learning, Microsoft’s resources in machine learning keep pace with other Fortune software companies: Google, Amazon, and Apple. Microsoft still has the lead in word processing. So their machine learning teams have the greatest impact on document delivery options.
Microsoft keeps their place at the forefront of cloud security. They are industry leaders in implementing machine learning for cloud security. And they have recently released additional products like phishing simulators. Therefore, we think their services are the best-valued security a company can find.
Yes, you can increase internal data security yourself. But, you have to spend a high percentage of your budget on creating and managing the systems internally. In addition, you’ll need to prevent accessing the internet at all from internal computers (needed for many businesses, we know). But, for the majority of businesses and industries, Office 365 online provides better security and user management than the company can provide on their own.
To find out more about implementing Office 365 to increase internal data security in your company, please contact us today.