I’m on calls often these days with firms wanting my opinion on their “cybersecurity” strategy. We usually have a lengthy spirited discussion about what they aught to be doing about it, or aught not be doing. I then hang up and have a little chuckle to myself because I quickly realize they don’t even know what cybersecurity means – but sure as the dawn, they’re convinced they need to do something about it… and fast! And then I think about the cloud and believe that’s where they should be, for obvious reasons, and being a managed Microsoft 365 cloud service provider, I am fully behind the Microsoft Cloud (as an option for companies to run their complete operation). However, nobody has stepped and said: “to be secure on the cloud; here’s the first step you need to take …and here’s the second step ..and step three – then – BE DONE WITH IT!“

Now at this point I know what you’re going to say : “But cybersecurity is complicated these days, and hackers are launching new and improved attacks every day, it’s always changing.” Not really. The basic rules of protection still apply yet the reality is you’re being twisted by all the new security vendors trying to up-sell you on add-on products you don’t need. But in any case, let’s focus on a typical company that’s on Microsoft 365 and what it means to make it “cybersecure”. Because when you transplant your whole office to the cloud, you immediately become a target since hackers can simply do an internet lookup on you and they’ll know you’re on the Microsoft cloud, then they’ll pull out their bag of tricks.

But, let me be clear now when I say, “you can use the built-in tools to make Microsoft 365 cybersecure.” I am NOT talking about large firms. I don’t mean banks or insurance companies or the government because they are constantly targeted and will surely use third-party tools to help them make Microsoft 365 cybersecure. Also, they will outsource this to a dedicated team of professionals, and that works for them.

I am talking about the typical small firm. A firm with 10-25 employees without a dedicated IT person, and who wants to keep it that way by choosing a Microsoft 365 Cloud solution that’s preconfigured — with cybersecurity already setup — without having to worry if they are open to basic attacks or need to spend hours trying to configure tools or pay for additional add-ons to make them cybersecure.

The first thing you want to avoid is a hacker getting someone’s password who’s on Microsoft 365. Which can be so easy. Let’s do a real-world example now with a typical employee – we’ll call him Bob. Now Bob goes off and signs up for the monthly newsletter to his favorite fly-fishing site; legendaryflyfishing.com in Montana by giving a username and password. Meanwhile, legendary fly fishing has a totally insecure, wide-open site for any hacker who happens to scan it. This time a hacker finds Bob’s email address and the password he used on this site. (Bob also uses the same password for everything). Now the hacker is excited!

“Hackers get excited when they find out your employees use the same password for everything, especially when they sign up for a wide open site like you’ll find at legendaryflyfishing.com in Montana“

He’s got Bob’s email address and password and knows he is on Microsoft 365. He brews himself a fresh pot of coffee, sits at his laptop and gets to work hoping you’re company also signed up for Microsoft 365 before October 21, 2019, when MFA was not a requirement, or he might get really lucky and find out you happened to turn off MFA for your 365 tenant. (Which is quite easy to do by click of an admin anytime).

But you’ve gone ahead and made sure to enable MFA, so the hacker attempts to login to Bob’s Microsoft 365 account but immediately an alert pops up on Bob’s phone because he has the authentication app installed on it, Bob clicks cancel since he didn’t login and the hacker is shutdown. MFA has done its job and a potential hack is thwarted.

Alright, lets stay with our hacker since he still has his pot of coffee on the go and see what he does next. We know he can’t control your employees on Microsoft 365, i.e., use their email or steal documents from their OneDrive or SharePoint, so he will now go phishing (not for flies in Montana), but for passwords. However this time he’ll target third party apps a company like yours typically uses such as accounting or a CRM. (Which by the way are cloud based now, and also use Bob’s email address as his login, and who knows if MFA has been set on these apps. Probably not.)

At this point the hacker can see Bob is an accounting associate, so he cleverly customizes an email for him that actually looks like it comes from the director of accounting – he also knows who she is from the contact page on your website. The email says “Bob! We need you to urgently reset your password to QuickBooks ASAP since you have been recently locked out of your account and your profile must be updated immediately!”

Also included at the bottom of the email is a link to reset his password which will send it to our hacker. And boom!… our hacker sits back and waits for Bob to bite. In other words, he hopes Bob will click the link, put in his password to QuickBooks, where he can use it to login to your client database where the real fun can begin, and he’ll start spoofing credit cards from your clients.

Unbeknownst to our coffee swilling hacker though, is Bob has been diligently taking your company’s Security Awareness Training Program and he doesn’t bite, meaning he doesn’t open the email or click the link in it, instead he immediately forwards this email to IT support who recognizes it as spam and blocks any messages coming from this person again.

The Security Awareness Training you signed your company up for was designed specifically for your employees because you know the risk involved when you move your company to the Microsoft 365 Cloud. Luckily, the security training included a baseline test of all employees to assess how prone they were by performing regular simulated phishing attacks. This was designed to flesh out those who frequently got duped and may expose their Microsoft Exchange email user accounts or files in SharePoint or OneDrive. Then they get emailed video training on how to spot suspicious emails in the future. What you want your Security Awareness Training to do:

By now our hacker is almost halfway through his pot of coffee, but now he knows that you know your being targeted. At the same time, you’ve got MFA configured, and all employees are taking Security Awareness Training to help protect their accounts on Microsoft 365 from being attacked, however our hacker is not done. He’ll simply start spoofing your people from a different address, but no worries, Microsoft 365 has the built-in tools to help with this as well.

However, you need to know that these built-in tools included with Microsoft 365 to block further threats aren’t enabled by default, they are also hard to find and configure. On the other hand, they are free. But what’s important here about these security tools built-in with Microsoft 365 is you don’t need to buy or configure third party security add-ons from the big boys trying to get in this space. (AvePoint, Mimecast, Proofpoint, etc.) Also, you must understand that if you use these third-party add-ons, they sit between you and the rest of the world. Meaning you’ll need to do an MX record redirect where they’ll filter all email between you and everyone else (adding another support company to call if email’s not working). Nonetheless, we’re going to continue with my theory that you can use the built-in tools from Microsoft to protect yourself from any additional threats via our highly motivated (and caffeinated) hacker today.

Ok, our villain is pouring his last cup of coffee and getting jittery. He’s going to pull out his last trick: Ransomware. But don’t worry I’m not going to rattle off dozens of stats telling you how bad ransomware is or that it’s on the rise or that so and so company got compromised and had to pay a million bucks to get their data back. Also, I am not going to point out one simple fact that the solution to ransomware is just doing your daily backups – yes, that’s all you need to do. And in reality, if you do get “ransomwared”, (I’m not sure if that’s a word) and some data gets locked by the bad guys, just restore last night’s full data backup over top of it. Oh, and then don’t forget to forward a huge smiley face emoji to them when they ask for your bitcoins.

But the really funny thing about ransomware and Microsoft 365 is, that by default, nothing is backed up by Microsoft, this means all your data is kept on their systems ready to be locked. When you think about it, it’s a hacker’s wet dream unless you add a third-party offsite backup tool, everyone’s Microsoft Exchange data (email and everything), their personal OneDrive, SharePoint, and Team Chats can be locked out at anytime…but I’ll rant about that in another blog. In the meantime, we’re going to pump-up the ransomware protection for your Microsoft Cloud users, since we now know nothing is backed up off the Microsoft Cloud.

Again, to protect your employees from ransomware on Microsoft 365 you’re going to use another built-in tool called the Microsoft Exchange Admin, included with your subscription. For this you’ll have to go to a whole other portal on Microsoft (I don’t know why) and create a Mail-flow rule that’ll apply to all incoming email for all your users. You add a list of file types that could have Malware. Such as .bat, .cmd, a whole bunch of them. It will block any files containing ransomware, quarantine them and finally send an email to your IT admin that you are getting “ransomwared.”

Our hacker finished his coffee by now and moved on to another Target. We can see, for many companies who want to be cybersecure on Microsoft 365, the built-in tools will do the job. Although its true that you become a bigger target to hackers when your firm is on the Microsoft Cloud, you will face all kinds of attacks. However, you can setup, MFA, do Security Awareness Training an enable Anti-Phishing policies, Spoof Intelligence, block malware and enable Safe Attachments with Safe Links also blocking ransomware. to get full protection. To learn how we can get you on Microsoft 365 fully secure, out-of-the-box , contact us.