Office 365 Email Security – Username and Password Alone are Not Enough

Lew Smith, Director of Consulting Services

Recently, Nasdaq.com posted an article indicating that Office 365 email attacks are increasing.  This is consistent with what we’re seeing and hearing in conversations with partners and prospective clients who have felt the impact directly (their email has been compromised).  Companies tend to forget that the Office 365 login portal is a web page open to anyone who wants to attempt a login.  Limiting login by country is a hot topic on the Office 365 UserVoice page, but even this will not be enough to stop malicious login attempts.

Unfortunately, users do not always follow best practices regarding password complexity and password use.  What I mean by “password use” is that we consistently discover passwords are not unique to each service or portal.  In other words, people apply the same passwords to many different sites and services.  While this is understandable from a memory recall perspective, this approach increases the security risk for your business.  Once any of these services is hacked, that password becomes available to hackers.  We have seen this happen countless times, which is why we’re launching a Dark Web scanning and alerting service.

Considering these details, how do you add another layer of security to protect your Office 365 email?  The easiest next step is to enable and deploy Multi-Factor Authentication (MFA), which is included in your Office 365 plan already.  MFA adds an additional “factor,” or data point, to the login process.  Once a username and password are entered, the user is prompted to associate the MFA details to finalize the login.  This additional factor can be delivered via several methods within Office 365, but we find that most companies prefer to deliver that factor via text message or the Microsoft Authenticator mobile app.

After reading that last paragraph, I know what you may be thinking.  Implementing a process such as this is going to add another layer to the login process for you and/or your team.  They will not be happy.  I’ve heard this exact same response, and many others, but the question you should be asking is: “Can my business survive an email attack?”  The potential financial, reputation, and business loss that can result from such a compromise can cripple your business.  With that said, 5-10 additional seconds during a login process is well worth the time to avoid such a catastrophe.

From a security perspective, the Microsoft Authenticator app is the most secure option available, and the easiest method to use, in my humble opinion.  Using this method, you simply need to tap “approve” once the app prompts you to verify your login, and then Office 365 finalizes the login process.  Should the app prompt you for an approval when you’re not actively logging in, you know that someone is attempting to access your account.  In such a situation, it might be a good time to change your password.  Better safe than sorry.

This may seem somewhat overwhelming, and you may not be sure of the next steps to take.  Rather than attempting to figure out this process by yourself, simply contact our team via our web form and we will set up a call to answer your questions.

SLAM gets connected with Office 365

Is your move to the Cloud stalled, failed or non existent? Interphase Systems can help your firm truly leverage Cloud as a competitive advantage. Your workforce can stay connected from anywhere on any device with Microsoft Office 365.

See how one of the UK’s largest mental health service providers uses Office 365 and Azure to help clinicians collaborate on patient care. Contact Interphase Systems, Inc. to help get your teams working seamlessly with Office 365.You can reach us at 610-276-5500 or CE@interphasesystems.com. Contact us today for a free consultation.