Office 365 operates under a shared security responsibility model—meaning you are responsible for some of the security of your company’s Office 365 environment.
Most notably, you are responsible for access. You are responsible for who you let into your environment, whether intentionally or unintentionally.
Controlling Intentional Access
Controlling intentional access to your account is pretty straightforward. It means you are responsible for the users you create accounts for and the people you share information with—and you’re responsible for taking that access away when someone leaves your company.
Most businesses aren’t creating accounts for anyone who walks in off the street (if, for some reason, you are—don’t do that). Where businesses run into trouble is failing to disable accounts when employees leave. You have a few different options for what to do with the Office 365 account when an employee leaves, depending on your needs. We’ve covered them in this blog post.
Controlling access to your Office 365 environment also means controlling the level of access your users have. The most critical aspect of this is limiting the number of users who have admin access. It should be as few as possible. If you have some users who only need occasional access, you can set them up as conditional admins.
Controlling Unintentional Access
“Unintentional access” is basically just another way of saying you’ve experienced a breach. Someone, likely a cybercriminal, has gotten access to your Office 365 account. Your responsibility here is to prevent that from happening.
The most effective way to prevent an unauthorized user from accessing your Office 365 environment is to turn on multi-factor authentication (sometimes called two-factor authentication) for all your employees. It works by requiring a second form of authentication during the login process, so even an attacker who has a user’s password can’t get in without that second factor.
If you can’t enable multi-factor authentication for everyone, it should at least be enabled for senior executives, anyone with send-as privileges for senior executives, and anyone with admin access. Those are typically the accounts where a compromise does the most harm, though this varies by company.
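As an added example (not part of the original post, and not a PTG or Microsoft tool), the following PowerShell script checks both recommendations above at once: it lists the members of common Office 365 admin roles and flags any whose per-user multi-factor authentication is not enforced. It assumes the MSOnline module is installed and Connect-MsolService has already been run with an account that can read directory roles; the role names are the ones MSOnline reports.

```powershell
# Added example: inventory Office 365 admin role members and flag those
# without per-user MFA enforced. Assumes the MSOnline module is installed
# and Connect-MsolService has already been run.

function Get-AdminMfaReport {
    param(
        # Role names as MSOnline reports them; "Company Administrator" is the
        # internal name of the Global Administrator role.
        [string[]]$RoleNames = @(
            "Company Administrator",
            "Exchange Service Administrator",
            "SharePoint Service Administrator",
            "User Account Administrator"
        )
    )

    $report = foreach ($roleName in $RoleNames) {
        $role = Get-MsolRole -RoleName $roleName -ErrorAction SilentlyContinue
        if (-not $role) { continue }

        foreach ($member in Get-MsolRoleMember -RoleObjectId $role.ObjectId) {
            # Role members can also be groups or service principals; only users have MFA.
            if ($member.RoleMemberType -ne "User") { continue }

            $user = Get-MsolUser -ObjectId $member.ObjectId
            # StrongAuthenticationRequirements is empty when per-user MFA is disabled.
            # Caveat: it does not reflect MFA enforced through Conditional Access
            # policies or Security Defaults, so treat "Disabled" as "check further".
            $state = $user.StrongAuthenticationRequirements.State
            if (-not $state) { $state = "Disabled" }

            [pscustomobject]@{
                Role              = $roleName
                UserPrincipalName = $user.UserPrincipalName
                PerUserMfa        = $state
                RegisteredMethods = ($user.StrongAuthenticationMethods.MethodType -join ",")
            }
        }
    }

    return $report
}

$report = Get-AdminMfaReport
"Admin role assignments found: $($report.Count)"
"Admins without enforced per-user MFA:"
$report | Where-Object { $_.PerUserMfa -ne "Enforced" } | Format-Table -AutoSize
```

A long first list is itself a finding: every name on it is an account that should be justified or demoted, independent of its MFA state.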
Multi-factor authentication isn’t the only thing you can do to protect your accounts, but it’s the first step (and a major one at that) towards a secure Office 365 environment for your business. If you're a PTG customer, talk to your account manager about Advanced Cloud Defense for Office 365, which includes multi-factor authentication along with several other tools to protect you.