The past year has brought a massive shift to remote work—and, with it, heightened security concerns. Here are our top recommendations for strengthening Microsoft 365 security for distributed teams.
In a recent survey of IT and security decision makers, 83% of respondents said that “the rise in remote workers increases the risk of a security incident” in the post-COVID era.
Microsoft 365 security encompasses not just external threats but also internal risks related to how untrained users access and share sensitive data. Common examples of data breaches include accidental sharing of confidential files and forwarding sensitive documents to colleagues not authorized to receive them.
As explored in ShareGate’s new cloud computing report, State of Microsoft 365: Migration, Modernization, and Security in 2021, IT teams need to implement security strategies that give remote users the freedom to collaborate while keeping sensitive information secure. Here are our top recommendations for strengthening security for your distributed teams.
How to strengthen Microsoft 365 security now that your team is remote:
- Implement the Zero Trust security strategy
Zero Trust leverages technologies such as multi-factor authentication (MFA) to manage user access based on continual verification.
- Balance self-service with governance best practices
Implement a cross-product governance strategy that gives users freedom while protecting content and data across all the products they’re using.
- Provide data security training to educate end users
Clear protocols and strategic education are your best bets at stopping employees from accidentally creating security risks to your business.
You’ve deployed Teams, now what? Hear it from the experts: how to build a thriving Teams environment
Improve Microsoft 365 security by utilizing the Zero Trust strategy
As remote team members work with personal devices spread across the globe, extra precautions need to be taken to mitigate data breaches and leaks. Enter the Zero Trust strategy, which leverages technologies such as multi-factor authentication (MFA) to manage user access based on continual verification.
What is Zero Trust?
Based on the principle “never trust, always verify,” the Zero Trust security strategy protects organizations by maintaining security through the continuous authentication of identities, devices, and services.
For ShareGate’s State of Microsoft 365 report, we surveyed IT professionals about a variety of security-related issues related to remote workforces. More than half of respondents (67.2%) said they allow employees to use personal devices for work. Unfortunately, this also creates an increased risk for sensitive data to be stolen or shared from unmanaged devices.
For the report, we also discussed Microsoft trends with Benjamin Niaulin, ShareGate Head of Product and Microsoft Regional Director. The use of personal devices is “common and necessary,” he said, “especially with distributed work.” When the pandemic spurred widespread work-from-home mandates, many companies allowed the use of personal devices to support remote users and get distributed teams up and running quickly. Said Niaulin, “the question now becomes how are [companies] controlling the data” on those personal devices?
In an interview about Microsoft trends with Microsoft MVP Joanne Klein, she underscored the importance of Zero Trust for remote users. Zero Trust is “just a sound practice,” said Klein, “and it’s particularly important when organizations are distributed and not contained within a confined network anymore.”
According to the survey conducted for our cloud computing report, 86.2% of companies have enabled MFA in their organization. Niaulin thinks that percentage should be even higher.
“Everyone should have [MFA],” he said. “It costs nothing to have an extra factor of authentication that makes sure the right person is accessing a device. People have a perception that it is extra work to put it in place, but it’s nothing, it’s simply a check box [in Microsoft 365].”
Improve Microsoft 365 security by balancing self-service with governance best practices
Self-service features give users greater freedom to access functionalities around group/team creation, external sharing, and guest access—without going through an IT-led approval process. With more user freedom, however, comes more security risks. IT can mitigate these threats by implementing a cross-product governance strategy to protect employee content and data across all the products they’re using.
It’s no secret that we’re big proponents of self-service. When paired with the right guidance from IT, we also believe that self-service can help improve Microsoft 365 security.
You want to empower employees with self-service functionality to avoid having users rely on IT for even the smallest changes. Enabling self-service also encourages users to stay within Microsoft Teams and approved apps, where IT can keep an eye on what’s being created and shared. Too many restrictions and employees may turn to backdoor approaches and tools, i.e., shadow IT.
But go too far, and you risk having untrained users accessing the wrong things in the wrong places and creating security problems. Here at ShareGate, we recommend a middle ground via self-service, wherein users can access the tools they need, in the ways they want, with some guidance and solid governance.
In Microsoft 365, cross-product governance includes setting rules that can apply to multiple products at once. To implement cross-product management, IT professionals first need to understand how all the tools and apps within Microsoft 365 connect from an administrative perspective. Then use that knowledge to create a governance strategy that keeps content secure across platforms and devices.
Improve Microsoft 365 security by educating users
More than a technology problem, Joanne Klein noted that security is “a people problem, and you need to inform and educate your users so you can protect against this at scale across your environment.” Clear protocols and strategic education are your best bets at stopping employees from accidentally sharing confidential corporate information and forwarding sensitive documents to colleagues not authorized to receive them.
While user education is critical, it’s not automatic for many companies. In a survey conducted for our cloud computing report, we asked how much Microsoft Teams training was offered to end users during rollout. Only 19% of respondents said that they provided employees with official training that included extensive training material and activities.
IT can help make security a team effort through user training and by promoting healthy data habits. According to Klein, security should be more than just a team on your org chart. “It doesn’t matter what your role is in the organization. [Every employee has] a role to play and [needs] to be aware of the threats that are out there and then act securely and safely in your environment.”
If you’re wondering where to begin, start with employee training that focuses on the fundamentals of Microsoft 365 security. This includes education around your organization’s definitions for different levels of sensitivity/classification and general best practices around sharing documents via email attachments.
For more tactical advice, see our step-by-step guide on how to educate users to avoid putting sensitive data at risk. It includes tips for protecting sensitive data by keeping users informed and promoting healthy data habits.
Read the full report on the State of Microsoft 365
Seventy percent of the IT professionals we surveyed expect the majority of their workforce to continue working remotely through 2021. In this new world of work, enhancing Microsoft 365 security for a remote workforce is more important than ever.
Learn about more trends in digital transformation in our full report, State of Microsoft 365: Migration, Modernization, and Security in 2021. Get data-backed insights and expert recommendations to better leverage Microsoft for your business. The report also outlines what makes for a successful, scalable, and secure distributed workplace—now and in the future.