CISA, the Cybersecurity and Infrastructure Security Agency (we’re from the government and here to help), recently put out a set of Office 365 security recommendations. With COVID-19, we’ve gone from work being performed in the office (in whole or in part) to work being performed entirely outside the office. We’ve discussed before how working from home presents unique security risks. We wanted to give you the TL;DR version of CISA’s recommendations here. Visit the CISA report too, as it’s well footnoted with links to “how to” articles for each Office 365 security recommendation.
Quick Hits: CISA Office 365 Security Recommendations
- Enable multi-factor authentication for administrator accounts. Hear, hear! We’ve been encouraging at least this small MFA step for a while.
- Assign Administrator roles using Role-Based Access Control (RBAC). It’s so easy to just make every Admin a Global Admin. So easy, but so dangerous. Your attack surface just dramatically grew.
- Enable Unified Audit Log (UAL). Sorry, not that UAL. This was a new Office 365 security recommendation to me, and I’m glad to see it. You can easily enable UAL and then schedule regular reporting of security actions across multiple Office 365 services.
- Enable multi-factor authentication (MFA) for all users. Yes! I’ve broadly hinted that the current pandemic situation is IT Managers’ “Y2K Moment”. I’ve seen at least one customer that went forward with MFA for all users (after starting with a subset of users). I hope I see more customers do this.
- Disable legacy protocol authentication when appropriate. Get rid of Exchange Online authentication protocols (POP, IMAP, SMTP) that don’t support MFA if you can. If you have to support these protocols for some email accounts, limit their use to just the needed accounts.
- Enable alerts for suspicious activity. Start with selected suspicious activity (CISA recommends logins from suspicious locations and excessive sent mail). But start!
- Incorporate Microsoft Secure Score. We’ve discussed this Office 365 security recommendation before. Microsoft has done a lot to make Secure Score more prescriptive and less spammy. Take a look and adopt the changes that make sense for your organization.
- Integrate logs with your existing SIEM tool. I demonstrated this at last year’s TAG Conference, using Azure Sentinel.
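For the legacy protocol recommendation above, one way to see which mailboxes still have POP, IMAP or SMTP AUTH turned on and to plan disabling them everywhere except an approved list. This is an added example, not from the CISA report or the original post; the function name, allowlist and sample mailboxes are constructed, and the commented tenant commands assume the ExchangeOnlineManagement module with an active `Connect-ExchangeOnline` session.

```powershell
# Added example. Get-LegacyProtocolPlan is a hypothetical helper, not a built-in cmdlet.
function Get-LegacyProtocolPlan {
    param(
        [Parameter(Mandatory, ValueFromPipeline)] $Mailbox,
        [string[]] $Allowlist = @()   # accounts that genuinely need legacy protocols
    )
    process {
        $enabled = @()
        if ($Mailbox.PopEnabled)  { $enabled += 'POP' }
        if ($Mailbox.ImapEnabled) { $enabled += 'IMAP' }
        # $false means SMTP AUTH is explicitly on for this mailbox;
        # $null means the mailbox inherits the organization-wide setting.
        if ($Mailbox.SmtpClientAuthenticationDisabled -eq $false) { $enabled += 'SMTP AUTH' }
        if ($enabled.Count -eq 0) { return }   # nothing legacy enabled, skip

        $address = [string]$Mailbox.PrimarySmtpAddress
        [pscustomobject]@{
            Mailbox = $address
            Enabled = $enabled -join ', '
            Action  = if ($Allowlist -contains $address) { 'Keep (allowlisted)' } else { 'Disable' }
        }
    }
}

# Constructed sample standing in for: Get-CASMailbox -ResultSize Unlimited
$sample = @(
    [pscustomobject]@{ PrimarySmtpAddress = 'scanner@example.com'; PopEnabled = $false
                       ImapEnabled = $false; SmtpClientAuthenticationDisabled = $false }
    [pscustomobject]@{ PrimarySmtpAddress = 'alice@example.com';   PopEnabled = $true
                       ImapEnabled = $true;  SmtpClientAuthenticationDisabled = $null }
    [pscustomobject]@{ PrimarySmtpAddress = 'bob@example.com';     PopEnabled = $false
                       ImapEnabled = $false; SmtpClientAuthenticationDisabled = $true }
)

$allow = @('scanner@example.com')   # constructed allowlist
$plan  = $sample | Get-LegacyProtocolPlan -Allowlist $allow
$plan | Format-Table -AutoSize

# Against a real tenant, after reviewing the plan:
# Get-CASMailbox -ResultSize Unlimited | Get-LegacyProtocolPlan -Allowlist $allow |
#     Where-Object Action -eq 'Disable' |
#     ForEach-Object {
#         Set-CASMailbox -Identity $_.Mailbox -PopEnabled $false -ImapEnabled $false `
#             -SmtpClientAuthenticationDisabled $true
#     }
```

With the sample data, the plan keeps SMTP AUTH for the allowlisted scanner account, marks alice@example.com for disabling POP and IMAP, and omits bob@example.com because nothing legacy is enabled there.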
And a Few Other Recommendations
These are great Office 365 security recommendations. You don’t have to adopt all of them. But you should think about them and choose the recommendations that work for you. I would add a few other Office 365 security recommendations.
- Remote Desktop Server. If you’re using RDS, make sure you’ve done everything to lock it down. This is a big target for hackers these days.
- Don’t forget the end user. Ensure everyone is attuned to phishing emails. Run a phishing test now and then, if it doesn’t stress out users.
- Don’t forget about public cloud security—Google Cloud, AWS, Azure. Review the security you’ve set up and confirm that it’s complete.
Organizations are examining when and how they will start incorporating office-based work back into the mix. Most are taking it slow, and remote work is going to be with us for a long time to come, so the need for security will continue to matter. Let these Office 365 security recommendations help improve your cybersecurity stance.