Modern Security for Modern Threats

Business IT Security needs are dynamic and constantly changing so some of this may change without notice.

We believe security must be simple & seamless to work best.

There will be occasions where security may get in the way, that’s unavoidable if we are to be truly serious about security.
You only have to pick up the paper or almost any current affair or news bulletin to see someone being hacked or ransomed to see what happens when short cuts are taken, patches aren’t applied or staff aren’t trained or someone says 2FA is too hard to see what can happen…

Just ask yourself, “how much can we afford to lose ?” – the bad guys are not doing this for kicks, they are monetising their nefarious activities and making serious revenues doing it too.

Microsoft Secure Score

Microsoft Secure Score is a representation of your organisation’s security posture, and highlights opportunities to improve it so if your IT hasn’t attended to securing your Microsoft Cloud there really isn’t any excuse.

There may be technical or licensing reasons why some secure score recommendations cannot be enabled yet.

We recommend you ask your IT admin or Outsourced IT Company for your Microsoft Secure Score and if it’s under 60% you know there’s work to do.

If they don’t know about Secure Score then please give us a call and we can help you.

Managing your own Microsoft 365 Tenant:

Managing your own M365 tenant is difficult as it’s a specialist field and you cannot possibly run the tenant and your own business.

If you’re managing your own tenant and you get a low secure score, don’t panic… knowing your score gives you a place to start and now you can contact us to discuss how to improve your security posture.

A Typical Secure Score

Here’s a secure score recently reported to us. If your score is anything like this then you are very likely a sitting duck…

A sitting duck typically has no 2FA, no security controls or policies in place to protect their data and is waiting to become the next ransomware victim.

A Good Secure Score

Here’s a Secure Score of a business that’s having a go in the right direction.

Here you can see they have done solid work in Identity, Device and Application protection. There is also room to improve here and no doubt the IT department has a plan for that.

The table here provides a handy guide to scores and actions:

If your Secure Score is less than 40% you should be concerned and begin looking to improve your situation as soon as possible. Give us a call, there are some very low costs options which greatly improve your security.

MFA/2FA

We won’t make you jump through too many hoops and we’ll be there to guide you along the way including helping you prevent many account hacks by enabling 2FA Authentication for your Microsoft 365 and we can extend this further with Conditional Access, Advanced Threat Protection and more.

Conditional Access

Conditional Access Policies give you control. With CA you can limit where and how your Company Data can be accessed from which is important because in a modern workplace the security perimeter now extends far beyond an organisation’s office network to include user and device identity. The security perimeter extends to wherever your data is used.

Conditional Access Policies bring identity signals together, to make decisions, and enforce organisational policies. Conditional Access is at the heart of protecting your data and identity.

Your exposure and risk reduces when we place controls around where or how your data can be used.

An example of a Conditional Access Policy at work would be to limit access to your Microsoft 365 data to a limited geographic region or to a specific IP address.

  • limiting to a country or group of countries prevents data access from countries not on the allow list (for example, countries you don’t operate in).
  • limiting a user account to an IP address might be useful to prevent the reception user accessing data outside of the Company Office Network
  • there’s no limit to the amount of policies you can implement…

Email Security & ATP

Being internet connected and using email means we are subjected to a constant barrage of ever changing threats.

Microsoft’s Advanced Threat Protection policies and tools greatly enhance security.

Email still presents as the most risky & the most leveraged threat vector. Spam Filters, Safe Links, Safe Attachments and Anti-Phishing policies all do a great job evolving to keep pace but inevitably something will get through. That’s where your last line of defence needs to kick in and not open the email, not click the dodgy link and so on… the last line of defence is your staff so keeping them alert, trained and able to spot fakes is important.

3 Essential Free Email Security Tools: DKIM/SPF/DMARC

DKIM (Domain Keys Identified Mail): improves email deliverability

DKIM adds an digital signature (secured with encryption) to every email is an email. These digital signatures are usually invisible to the users as they are in the email headers and the validation is done at the email server level.

This allows the receivers email server to check that an email was indeed sent and authorised by the owner of that sending domain. When the recipient confirms the email is signed with a valid DKIM signature it can be certain that parts of the email haven’t been modified.

Sender Policy Framework (SPF)

SPF provides another way to validate the senders right to send on behalf of the domain.
With SPF we specify which systems can send for a domain (these can be IP addresses or domain names).

When SPF is configured for a domain the emails from that domain either PASS or FAIL the SPF check. This builds on the intelligence and goes towards the trustworthiness of the message and the sender’s domain.

Some systems take the FAIL and dump the message though current best practice is to note the result and feed this into other mechanisms such as DMARC.

DMARC (Domain-based Message Authentication Reporting, & Conformance)

This gives you the confidence to know that senders cannot impersonate your domain and send emails purporting to be from you.

DMARC is open source and links SPF & DKIM results to create an “alignment” and depending on the “alignment” we can control what happens when the message is received.

When the alignment fails we can report it and do nothing or we can tell the receiving server to quarantine or reject the message. Our best practice is to quarantine and let anti-phishing policies determine if it should be rejected as there may be occaisions where a legitimate message may fail the DMARC alignment test.

Advanced Threat Protection (ATP) and the key policies protecting email:

  • SafeLinks helps protect your users from opening and sharing malicious links in email messages and Office apps
  • Safe Attachments policies help prevent people from opening or sharing email attachments that contain malicious content.
  • Anti-Phishing helps protect users from phishing attacks, and configure safety tips on suspicious messages.

These policies are great and filter most of the undesirable content but your staff also need to be trained to spot fakes and dodgy links.

Advanced SPAM and Malware Filters

Exchange Online Spam and Malware Filters are the frontline of your email defence cleaning and filtering the inbound emails as then arrive.

We customise these to elevate these built in protections and increase their effectiveness by utilising our experience and best practices.

In our opinion you do not need third party spam filters in front of Exchange when it’s properly configured. Microsoft have more signals in their system that any of the virus or spam filter providers so using third party products in front of Exchange limits the native signals that Exchange gets about emails and reduces your protections and third party tools add extra costs. Save yourself some cash and let Exchange do the job for you.

But my IT Guy says I am 100% Secure ?

When your someone in IT says you are 100% protected you have to push back and query it! 

It’s impossible to be 100% secure unless you disconnect from everything and turn off your computer.

100% Secure is just a fallacy these days because we all need the internet and as soon as you bring staff into the mix there’s always going to be human error.
Thinking you are 100% Secure can lead to unforeseen consequences and careless practices that can leave you exposed.

Our commitment to all customers:

We will help you get more out of your Microsoft 365 systems and help you do it as securely as practical and we will do our best to help keep you secure.