Security is not always easy to talk about, but it is a necessity when you want to make sure that your organization's hard earned dollars and intellectual property are protected.
As much as I love people, unfortunately people are the weakest security link in any organization. It only takes one click from someone to take down your entire network, send thousands of dollars, or be asked to enter his or her credentials on an ever-so-convincing malicious website. Many organizations think they are protected, because they have anti-virus, an anti-spam filter, or maybe even some web filtering. These are great first steps, but they are solutions that often require reactive responses, after the damage is done.
Fortunately, there are steps you can take to help increase your security posture significantly, with minimal effort, and limit the changes your staff (people) need to encounter.
- Increase your cloud presence
- Enforce MFA on those cloud resources, even local resources
- Validate, then trust - links, attachments, users, and devices
Where does your company land?
I see most companies between legacy, be it cost or lack of desire to move to the cloud, and reactive, where those first steps are in place though the cloud can (and should) be leveraged more to offload some of the IT response overhead. (if one is in the cloud often it is just turning on some of the already included features)
Small effort, big gains.
Now that we have covered what and why, let's talk about how. What tools are needed to achieve the north star of ZERO TRUST?
Microsoft 365. Even Office 365, with the right licensing. M365 includes [a flavor of] Enterprise Mobility + Security (EM+S) whereas with O365 you do need to add it on. With M365 and EM+S you can not only move your data to Microsoft’s cloud, but protect it; with conditional access policies and data leak prevention policies all while helping your people.
What does M365 with Enterprise Mobility + Security do?
- Increase your cloud presence
- By simply moving your identities and mail to Microsoft’s cloud, you are opening the door to better protect that information, leveraging automated response technology.
- Enforce MFA on those cloud resources, even local resources
- With EM+S you can create conditional access policies, such as requiring MFA when out of the office or on a non-corporate device
- Validate then trust links, attachments, users, and devices
- You can configure Safe Links, Safe Attachments, disallow users who do not pass MFA from logging in, and you get Intune for MDM and MAM.
That is a lot of gain.
What about the minimal user impact that was mentioned?
As part of the migration to Microsoft’s cloud, typically you would leverage Azure AD Connect to sync your existing on-prem identities to the cloud. That means it is the same username (or email) and same password users are familiar with.
In addition, Outlook and Office apps appearances remain largely unchanged (unless you are upgrading from a grossly outdated version of Office).
I have been told multiple times after a migration, “I don’t think my migration was successful.” Last I checked a migration in which one does not realize they were migrated is a successful migration.
What users might notice is when they receive an email with an attachment, they need to wait a few seconds to open the attachment while ATP scans it making sure it is safe. They might notice links are redirected briefly to safelinks.protection.outlook. com before loading the actual link, while ATP ensures the link is safe. While these changes are barely noticeable they typically do not add much time to one's workflow to cause user frustration and as long as proper communication goes out prior giving people a heads up, staff are very receptive to knowing that technology is helping make their decision making safer – regardless of their decision to click or not.
Going back to “It only takes one click from someone to take down your entire network, send thousands of dollars, or be asked to enter his or her credentials on an ever-so-convincing malicious website…”
With M365 and EM+S…
- Jamie in accounting did not receive the spoofing email from the CFO asking to redirect funds to another account.
- Sam in IT was just notified that someone overseas tried to access their account but was unsuccessful, thanks to MFA.
- Kyle in shipping, who clicked the track now in the “UPS” email, was not taken to the convincing, malicious site asking for his credentials.
- Taylor in sales was not able to share last month's numbers with an external source.
So, while security is not always enjoyable to talk about, it is a necessity, and there are ways to strengthen your posture with minimal user impact.