Security breaches make great blogging fodder, but what are the odds that it will happen to your Office 365 account? Simply defined, a security breach occurs anytime an unwanted person gains access to your account. If anyone other than one of your end users signs into one of your Office 365 accounts, that’s a security breach.
Of course, digging a little deeper you'll find that there are two kinds of security breaches: a “hard” breach and a “soft” breach.
A hard breach occurs when the software itself is compromised. In other words, hackers have found a way to get around your defenses and get at your data. While Microsoft have architected and built their data centers from the ground up to protect user data from both physical and digital intrusion, most security breaches are not the result of an attack against the data center – but in errors on the customer end of the connection. Microsoft secures their data centers through restricted access, biometric scanners, 24/7 continuous video surveillance, and two-factor authentication methods. I was able to visit one of these data centers a few years back while still working for Microsoft, and saw first-hand some of these measures…including the "blast door" that reminded me of the scene in the original Tron movie where they slip through the massive security door to enter the building.
Few organizations will experience a hard breach. But show your users a list of the most popular and easily guessed passwords, and see if their faces go pale with recognition.
A soft breach occurs when an attacker tricks one of your users into granting him “legitimate” access to your Office 365 domain. These techniques are known as social engineering, where the attack focuses on people rather than technology. The most common form of soft breach is caused by phishing, where users are duped into revealing passwords by way of emails or web pages that are designed to look like “real” login screens. Microsoft is continually strengthening their capabilities in this area, and asks that you report all suspected spam and phishing to them so that they can continue to improve their defenses and halt future attacks.
Why Office 365 can’t stop every security breach
When it comes to hard breaches, Office 365 has so far been very successful. Unfortunately, there are no real software defenses against soft breaches. It doesn’t matter how sturdy the lock is if you give a burglar the key, and soft breaches are always about convincing you to let attackers in so that they don’t have to deal with Microsoft’s highly effective security measures.
What security breaches can cost you
If a hacker obtains an account password, he or she can effectively corrupt or delete all the data in that account. Depending on what they are able to access, the damage to your business could be minor….or huge. That’s why it is so important to take a proactive approach to data security, such as regularly changing your personal passwords.
How to defend against security breaches
The best bang for your buck in preventing security breaches is actually training your Office 365 users on security best practices. Being with password policies. Simple things like “don’t tell anyone your password, ever” and “check the web address of any page that asks you to log in” can stop the vast majority of social engineering attacks. You’d be surprised at how many users – even very technically sophisticated ones – don’t know these basic rules.
Beyond bringing your staff up to speed on good Internet safety habits, implementing Office 365 security best practices is a pretty good idea. Office 365 administrators should have backup email accounts and phone numbers in case their primary account gets locked out or compromised. All Office 365 users should be required to use strong passwords. Two-factor authentication, which requires users to input both a password and a time-sensitive code to log into Office 365, renders even stolen passwords useless.
Through Microsoft Azure Rights Management, Office 365 also offers Information Rights Management (IRM) and Message Encryption options, allowing organizations to establish automated policies to further protect against unauthorized access to data whether online or offline.
For some additional guidance on how to protect your data inside of Office 365, I wrote two ebooks for online backup tool provider Datto, both of which are free: “Defending Your Office 365 Data: Five Threats That Microsoft Can’t Defend Against, But You Can” and “The Complete Guide to Office 365 Security.” Be sure to check them out.