Now that your data is in the Cloud, you need to make sure you secure it. Office 365 covers encryption, redundancy & other important items, but your users are still your biggest risk! Learn the basics to help determine who can share documents, how to receive notifications about specific messages that leave your firm, & more!
2. About Accellis Technology Group
Specialized IT Services Company providing
• Managed IT Services
• Cybersecurity & Risk Management
• Software Consulting
• Application Development & Integration
Target market: small to mid-sized firms (5-250 users)
Target verticals: legal, financial and non-profits
22 Employees in Ohio office
www.accellis.com
7. What does this mean for me?
• Encryption at Rest
  • BitLocker volume-level encryption
  • Using Advanced Encryption Standard (AES) 256-bit
• Encryption in Transit
  • Transport Layer Security (TLS) 1.2, 256-bit
  • Internet Protocol Security (IPsec)
• Secure Datacenters
• Separation of Roles
8. …But, what does this mean for me?
• Your data is secured when stored in O365
• Your weakest link is your staff
9. What should I do?
• Password Policies
  • Set one up (Settings > Security and Privacy > Edit)
  • New NIST guidelines
    • Longer passwords
    • No password rotations (good-bye 90 days)
  • Enable 2 Factor Authentication
• Clean house
  • Get a software report to see who is using what. Once you know, get rid of freeware and replace it with O365.
• Training
  • Firm members are the weakest link when it comes to security. Make sure they have training so they can spot risks.
• Backup
  • Office 365 only keeps data that has been deleted twice (removed from Deleted Items) for 30 days; after that it is unrecoverable. Also, its spam and other protections are not always sufficient. We usually recommend Barracuda Essentials, but other vendors have software that will augment O365 as needed.
12. Thank You
John H Roth II
Jroth@accelis.com
216-662-3200
www.accellis.com
Editor's Notes
I get lots of questions about the security in O365. Some are very specific regarding certifications, specific financial or health care requirements and ciphers. I’ll admit I don’t know the answer to most of them, even when asked many times. It’s like asking, is speeding illegal? Yes; sure, the limits and fines change, but the answer is yes. Well, all the O365 security questions are just different ways of asking: Is Office 365 secure? To which I answer yes; if you want the specifics, send me your requirements and I’ll get the necessary specific answers. But let’s look at some specifics anyway.
Microsoft has the most comprehensive compliance coverage in the industry. They are compliant with global standards, US Government standards, industry standards for financial services and healthcare, and more.
They also understand that you may have unique regional requirements, and they go above and beyond to ensure they support those.
Using O365 or some other cloud document storage means you can access your documents from anywhere. Depending on the software, ALL of your documents can go with you and are searchable. I find email and mobility are one and the same. Everyone has email on their phones, but documents not so much. I still see people emailing themselves documents so they can “take it with me”. But what do you do if you forgot something? No worries: with your documents in O365, you can get to all of them from anywhere.
Why is staff the weakest link? Well, they make poor passwords, download questionable software, and they can’t identify phishing attacks. So they end up letting the bad guys in unknowingly.
The first step, and perhaps the easiest, is a good password policy. With the new NIST standard you no longer need all those goofy characters and 90-day rotations. They have found this does not do much to increase security. Instead they recommend a passphrase. So instead of a password, you would use a passphrase, with or without punctuation and spaces. The longer the better. I usually use a quote from a song, book or speech. Here is one example: “the more you learn the more you earn!”
Next I’d suggest working with IT to enable 2FA. This is a big improvement on security, but before making this change prepare your firm.
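The password-policy and 2FA steps from slide 9 and the two notes above, as tenant settings. This is an added example, not part of the original deck or Accellis material; it assumes the MSOnline PowerShell module, a Global Admin sign-in, and that the placeholder domain is replaced with the firm's own verified domain.

```powershell
# Added example (not from the original deck): apply the slide-9 password and
# 2FA recommendations with the MSOnline module.
# Assumes: MSOnline module installed, Global Admin rights, and the placeholder
# domain below replaced with your own.
Import-Module MSOnline
Connect-MsolService   # interactive admin sign-in

$domain = "example.com"   # placeholder, replace with your verified domain

# 1. Password policy: no forced 90-day rotation (the NIST guidance in the notes).
#    ValidityPeriod 2147483647 is the documented "never expires" value;
#    NotificationDays is still required by the cmdlet.
Set-MsolPasswordPolicy -DomainName $domain -ValidityPeriod 2147483647 -NotificationDays 14

# 2. Per-user multi-factor authentication for every licensed user that does
#    not already have a requirement set.
#    "Enabled" asks the user to register at next sign-in; "Enforced" requires
#    it immediately, so roll out "Enabled" first and prepare the firm (see notes).
$req = New-Object -TypeName Microsoft.Online.Administration.StrongAuthenticationRequirement
$req.RelyingParty = "*"
$req.State = "Enabled"

Get-MsolUser -All |
    Where-Object { $_.IsLicensed -and $_.StrongAuthenticationRequirements.Count -eq 0 } |
    ForEach-Object {
        Set-MsolUser -UserPrincipalName $_.UserPrincipalName -StrongAuthenticationRequirements @($req)
        Write-Output "MFA enabled for $($_.UserPrincipalName)"
    }

# 3. Verify: anyone left in this list still has no MFA requirement.
Get-MsolUser -All |
    Where-Object { $_.IsLicensed -and $_.StrongAuthenticationRequirements.Count -eq 0 } |
    Select-Object UserPrincipalName
```

Run step 3 again after users have had a week to register; once the list is empty, the same loop with `$req.State = "Enforced"` makes the requirement mandatory.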
I’d also suggest, if you didn’t already, getting a software report. This will show you what software is installed on what machines, and your IT vendor should be able to provide this. Once in hand, look for things like chat tools, video conference tools, free sync-and-save software, etc. Once identified, a plan should be put in place to remove the tool in favor of O365…usually. Some firms prefer other software. I recently worked with a firm that preferred Dropbox over OneDrive. That is fine, and Dropbox is good software. But they needed to clean up free accounts, provide training and make sure their staff knew how to use the software well.
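A way to produce the software report from the "clean house" step on slide 9 and the note above yourself, if your IT vendor does not provide one. This is an added example rather than deck content; it reads the Windows Uninstall registry keys, tags each entry with the categories the note names (chat, video conference, free sync), and assumes admin rights plus PowerShell Remoting for remote machines. The computer names and the keyword watchlist are constructed placeholders.

```powershell
# Added example (not from the original deck): inventory installed software on
# Windows machines and flag the categories the notes suggest replacing with O365.
# Assumes: local admin on the targets and WinRM enabled for remote ones.

function Get-InstalledSoftware {
    param([string[]]$ComputerName = $env:COMPUTERNAME)

    # Both 64-bit and 32-bit (WOW6432Node) uninstall keys.
    $paths = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    )
    $scriptBlock = {
        param($paths)
        Get-ItemProperty -Path $paths -ErrorAction SilentlyContinue |
            Where-Object { $_.DisplayName } |
            Select-Object @{n='Computer'; e={ $env:COMPUTERNAME }},
                          DisplayName, DisplayVersion, Publisher
    }
    foreach ($c in $ComputerName) {
        if ($c -eq $env:COMPUTERNAME) { & $scriptBlock $paths }
        else { Invoke-Command -ComputerName $c -ScriptBlock $scriptBlock -ArgumentList (,$paths) }
    }
}

# Constructed starting watchlist; extend it with what the report turns up.
$watchlist = @{
    'Chat'       = @('Slack', 'Skype', 'Discord', 'WhatsApp')
    'Video'      = @('Zoom', 'GoToMeeting', 'WebEx')
    'Sync/Share' = @('Dropbox', 'Google Drive', 'Box Sync', 'iCloud')
}

function Add-Category {
    param([Parameter(ValueFromPipeline)] $App)
    process {
        $cat = 'Other'
        foreach ($k in $watchlist.Keys) {
            if ($watchlist[$k] | Where-Object { $App.DisplayName -like "*$_*" }) { $cat = $k; break }
        }
        $App | Add-Member -NotePropertyName Category -NotePropertyValue $cat -PassThru
    }
}

# Placeholder machine names; replace with the firm's workstations.
$report = Get-InstalledSoftware -ComputerName 'PC01', 'PC02' | Add-Category

$report | Sort-Object Category, DisplayName |
    Format-Table Computer, Category, DisplayName, DisplayVersion, Publisher -AutoSize
$report | Export-Csv -Path .\software-report.csv -NoTypeInformation

# The "who is using what" view from the slide: counts per category.
$report | Group-Object Category | Select-Object Name, Count
```

The CSV is the artifact to hand to the firm when deciding which tools to retire in favor of O365 and which, like the Dropbox case in the note, to keep and train on.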
If you haven’t noticed, I talk about training often. I see this as the biggest problem firms and organizations face today. We use technology every day, but we overlook many of the real benefits it provides us. For example, since Word came out in 2003, 15 years, 4 full versions and countless updates have passed. I still see people treat Word like a typewriter. But now security is a real issue. The bad guys know that people are the weakest link. So make sure your staff can spot phishing scams and the like.
Finally, I recommend software to improve upon O365 security. This includes software that will deliver better spam filtering, advanced email security, improved archiving, backups and more. There are other vendors out there, but we often recommend Barracuda Essentials for O365. Full disclosure: we are a Barracuda partner. https://www.barracuda.com/products/essentials/features.
If you’ve done the items I’ve suggested above you can go even further. O365 allows many other types of controls. For example, you can limit or block users’ ability to share documents with people outside the firm. You can do the same for the local sync feature. You can have people notified when documents are shared without notifying the sharer. You can even set up supervision policies to see if or when people share SSNs or other such information. Oh, and if I haven’t mentioned it yet, set up retention policies.
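The follow-on controls in the last note (external sharing, sync, share notifications, SSN policies, retention) and the "notifications about messages that leave your firm" item from the deck description, expressed as tenant settings. This is an added example, not deck content; it assumes the SharePoint Online Management Shell and ExchangeOnlineManagement modules, an admin account, and that the tenant name, mailboxes, domain GUID and the 7-year retention period are placeholders chosen here rather than values from the deck.

```powershell
# Added example (not from the original deck): the sharing, DLP, retention and
# outbound-mail controls described in the notes.
# Assumes: Microsoft.Online.SharePoint.PowerShell and ExchangeOnlineManagement
# modules, admin rights, and the placeholder names below replaced with your own.

# --- SharePoint / OneDrive: external sharing, sync, share notifications ---
Connect-SPOService -Url "https://contoso-admin.sharepoint.com"   # placeholder tenant

# Allow sharing only with external users who sign in (no anonymous links);
# use Disabled to block sharing outside the firm entirely.
Set-SPOTenant -SharingCapability ExternalUserSharingOnly `
              -DefaultSharingLinkType Internal `
              -NotifyOwnersWhenItemsReshared $true   # owner is told when their OneDrive file is re-shared

# Limit the local sync client to domain-joined machines; placeholder domain GUID.
Set-SPOTenantSyncClientRestriction -Enable -DomainGuids "00000000-0000-0000-0000-000000000000"

# --- Security & Compliance: SSN policy and retention ---
Connect-IPPSSession

# DLP: block and report when a US SSN is shared outside the organization.
New-DlpCompliancePolicy -Name "Block SSN leaving the firm" `
    -ExchangeLocation All -SharePointLocation All -OneDriveLocation All -Mode Enable
New-DlpComplianceRule -Name "SSN shared externally" -Policy "Block SSN leaving the firm" `
    -ContentContainsSensitiveInformation @{Name = "U.S. Social Security Number (SSN)"; minCount = "1"} `
    -AccessScope NotInOrganization `
    -BlockAccess $true `
    -NotifyUser Owner, LastModifier `
    -GenerateIncidentReport "compliance@contoso.com" `
    -IncidentReportContent Title, Sender, Recipients, Severity, DetectionDetails

# Retention: keep mail and documents for 7 years (2555 days, a placeholder
# period), then delete. This outlives the 30-day window noted on slide 9.
New-RetentionCompliancePolicy -Name "Keep firm data 7 years" `
    -ExchangeLocation All -SharePointLocation All -OneDriveLocation All -Enabled $true
New-RetentionComplianceRule -Name "Keep 7 years then delete" -Policy "Keep firm data 7 years" `
    -RetentionDuration 2555 -RetentionDurationDisplayHint Years `
    -RetentionComplianceAction KeepAndDelete -ExpirationDateOption ModificationAgeInDays

# --- Exchange Online: notification when mail with documents leaves the firm ---
Connect-ExchangeOnline
New-TransportRule -Name "Report outbound mail with Office attachments" `
    -SentToScope NotInOrganization `
    -AttachmentExtensionMatchesWords docx, xlsx, pptx, pdf `
    -GenerateIncidentReport "compliance@contoso.com" `
    -IncidentReportContent Sender, Recipients, Subject
```

Start the DLP policy in `-Mode TestWithNotifications` for a few weeks before switching to `Enable`, so staff learn what trips the rule before it starts blocking; the incident reports arriving at the compliance mailbox are the notifications the deck describes.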