What is a security breach in Office 365?

A security breach occurs anytime an unwanted person gains access to your Office 365 account. If anyone other than one of your end users signs into one of your Office 365 accounts, that’s a security breach.

There are two kinds of security breaches: a “hard” breach and a “soft” breach.

Photo by Michael Dziedzic on Unsplash

A hard breach occurs when the software itself is compromised. In other words, hackers have found a way to get around your defenses and get at your data. While Microsoft has architected and built its data centers from the ground up to protect user data from both physical and digital intrusion, most security breaches are not the result of an attack against the data center, but of errors on the customer end of the connection. Microsoft secures its data centers through restricted access, biometric scanners, 24/7 continuous video surveillance, and two-factor authentication methods. But show your users a list of the most popular easily guessed passwords and see if their faces go pale with recognition.

A soft breach occurs when an attacker tricks one of your users into granting him “legitimate” access to your Office 365 domain. These techniques are known as social engineering, where the attack focuses on people rather than technology. The most common form of soft breach is caused by phishing, where users are duped into revealing passwords by way of emails or web pages that are designed to look like “real” login screens. Microsoft asks that you report all suspected spam and phishing to them so that they can continue to improve their defenses and halt future attacks.

Why Office 365 can’t stop every security breach

When it comes to hard breaches, Office 365 has so far been very successful. Unfortunately, there are no real software defenses against soft breaches. It doesn’t matter how sturdy the lock is if you give a burglar the key, and soft breaches are always about convincing you to let attackers in so that they don’t have to deal with Microsoft’s highly effective security measures.

What security breaches can cost you

If a hacker obtains an account password, he or she can effectively corrupt or delete all the data in that account. Depending on what they are able to access, the damage to your business could be minor... or huge. That’s why it is so important to take a proactive approach to data security.

How to defend against security breaches

The best bang for your buck in preventing security breaches is actually training your Office 365 users on security best practices. Begin with password policies. Simple things like “don’t tell anyone your password, ever” and “check the web address of any page that asks you to log in” can stop the vast majority of social engineering attacks. You’d be surprised at how many users – even very technically sophisticated ones – don’t know these basic rules.
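
The “check the web address” rule above, written out as a strict check of the kind a mail filter or training tool could apply (an added example, not part of the original article). It assumes the organization's only trusted sign-in host is login.microsoftonline.com; the allowlist and the sample URLs are constructed for illustration.

```python
from urllib.parse import urlsplit

# Assumption: the sign-in hosts this organization trusts. Adjust for your tenant.
TRUSTED_LOGIN_HOSTS = {"login.microsoftonline.com"}


def check_login_url(url, trusted=TRUSTED_LOGIN_HOSTS):
    """Return (ok, reason) for a URL that asks the user to sign in."""
    try:
        parts = urlsplit(url.strip())
    except ValueError:
        return False, "unparseable URL"
    # hostname is already lower-cased; drop a trailing dot (fully qualified form)
    host = (parts.hostname or "").rstrip(".")
    if parts.scheme != "https":
        return False, "not HTTPS"
    # Text before '@' is login info, not the site: the real host comes after it.
    if parts.username is not None or parts.password is not None:
        return False, "userinfo before '@' hides the real host"
    # Punycode or non-ASCII labels can render as look-alike letters.
    if host.startswith("xn--") or ".xn--" in host or not host.isascii():
        return False, "internationalized (possible look-alike) host"
    # Exact match only: a trusted name used as a prefix or subdomain does not count.
    if host not in trusted:
        return False, f"host '{host}' is not a trusted sign-in host"
    return True, "trusted sign-in host"


# Constructed sample URLs (reserved .example domains), not taken from real traffic.
SAMPLES = [
    "https://login.microsoftonline.com/",
    "http://login.microsoftonline.com/",
    "https://login.microsoftonline.com.account-verify.example/",
    "https://login.microsoftonline.com@signin.example/login",
    "https://xn--lgin-constructed.example/",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        ok, reason = check_login_url(sample)
        print(f"{'OK  ' if ok else 'STOP'} {sample} -> {reason}")
```

The second through fifth samples all contain familiar-looking text, which is why the comparison is made on the parsed host name rather than on what the address appears to say at a glance.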

Beyond bringing your staff up to speed on good Internet safety habits, implementing Office 365 security best practices is a pretty good idea. Office 365 administrators should have backup email accounts and phone numbers in case their primary account gets locked out or compromised. All Office 365 users should be required to use strong passwords. Two-factor authentication, which requires users to input both a password and a time-sensitive code to log into Office 365, renders even stolen passwords useless.

Through Microsoft Azure Rights Management, Office 365 also offers Information Rights Management (IRM) and Message Encryption options, allowing organizations to establish automated policies to further protect against unauthorized access to data whether online or offline.

Christian Buckley

Christian is a Microsoft Regional Director and M365 Apps & Services MVP, and an award-winning product marketer and technology evangelist, based in Silicon Slopes (Lehi), Utah. He sits on the board of TekkiGurus, is an advisor for both revealit.TV and WellnessWits, and provides channel and marketing services for Microsoft partners. He hosts the quarterly #CollabTalk TweetJam, the weekly #CollabTalk Podcast, and the Microsoft 365 Ask-Me-Anything (#M365AMA) series.