Top 9 Cybersecurity Tips for the Modern Hybrid Work Environment
Hybrid and remote work are here to stay. Today’s employers and employees alike have realized that empowering people to work wherever and whenever they’re most productive has rich benefits. Research shows that hybrid and flexible remote employees are 22% happier than those that work in-office only. They also report lower stress levels, increased ability to focus, and better work-life balance. And studies have demonstrated that they’re significantly more productive as well.
Companies that want to take advantage of hybrid work’s benefits without compromising on cybersecurity will usually find that they need to modernize their technology environments. When people are working from home or another remote location, they’re no longer protected by the corporate firewall as they once were. Instead, they’re connecting to cloud resources from an array of different devices that could be either employee-owned or company-owned, and managed or unmanaged. This has the potential to greatly expand the attack surface.
Although modern cloud-centric computing ecosystems enable unmatched business agility, protecting them will require new cybersecurity strategies. Here are our top 9 tips on how to secure your Microsoft 365 environment to mitigate the risks that come with the widespread adoption of hybrid work.
#1: Turn on two-factor or multi-factor authentication for all logins.
Requiring multiple authentication factors means that your employees must prove their identity in more than one way whenever they sign into the Microsoft 365 environment. This means that every user’s account will have stronger security than passwords alone can provide. (Even the longest and most complex passwords can still be compromised in an identity-based attack.) Microsoft supports a range of easy-to-use sign-in methods, including receiving a one-time code by text message, biometrics, and Microsoft Authenticator, a mobile app that sends push notifications to enable you to verify your login activities.
#2: Use the principle of least privilege for all administrator accounts.
Like all user accounts in your Microsoft 365 environment, those with administrative privileges should be protected with two-factor or multi-factor authentication. Going beyond this, though, you should also ensure that the only employees to be granted admin privileges are those who really need them to complete their job responsibilities. All users who are given permissions should be given as few of them as possible. Microsoft Windows includes User Account Control (UAC), a feature that Microsoft developed to make it easier for administrators to assign the least-possible privileges by default, and elevate to higher permission levels only when needed. We recommend that this principle be applied throughout your technology environment.
#3: Apply Microsoft-recommended email security and hygiene policies.
Microsoft Exchange Online includes a set of built-in anti-spam and anti-malware protections that are enabled by default. Called Exchange Online Protection (EOP), this is a cloud-based email filtering service that can block emails from senders with known-bad reputations, prevent malicious attachments from reaching users’ inboxes, and weed out spam messages, phishing emails, and other unwanted communications. EOP comes with standard preset security policies, though it’s also possible to customize it for higher levels of protection.
#4: Verify that devices comply with corporate policies before allowing them to connect to resources.
Verifying the security status of devices before allowing them to connect to applications or the corporate network is a key concept within the Zero Trust model of cybersecurity. Microsoft offers Zero Trust-compatible solutions to enable organizations to check devices’ health and compliance status before granting them access to resources. Microsoft Intune is an endpoint management tool that’s built into Microsoft 365. It can protect data on both company-owned and bring-your-own devices, checking to make sure that applications and operating systems are up to date, that data encryption is turned on, and that devices are securely configured.
#5: Use email attack simulation training to upskill employees.
Phishing emails are the most common attack vector employed in ransomware infections today. One recent survey found that phishing served as the point of entry in more than half (54%) of successful ransomware attacks. Training your employees to better recognize and respond to phishing attacks can transform them from the weakest link in your defenses to an “intelligent human perimeter” protecting your environment. Microsoft offers a security awareness training program that allows organizations to mimic realistic attack scenarios, making it possible to identify and train vulnerable team members before real attackers strike. This phishing attack simulation training helps users increase their awareness and change their behavior.
#6: Leverage a unified collaboration hub that was purpose-built for hybrid work.
Microsoft Teams offers videoconferencing, voice calling, chat, and content sharing capabilities – all in one single, centralized hub. Using Microsoft Teams can help everyone in your organization stay on track and in the know, making it easy to connect with colleagues and share ideas. In addition, Microsoft Teams offers an array of security, data protection, and compliance capabilities, making it possible to enforce policies to ensure that users aren’t sharing sensitive information in channels where they shouldn’t.
#7: Monitor your Microsoft Secure Score, and act on the recommendations provided.
Organizations that have implemented Microsoft 365 Defender will have access to a score based on Microsoft’s assessment of their current security posture across all Microsoft 365 workloads. Microsoft Secure Score provides you with enterprise-wide visibility of your security status, as well as intelligent recommendations on how to improve your security posture by updating configuration settings or implementing additional controls. Microsoft Secure Score can help you identify areas for improvement, figure out how to make improvements, and drive those improvements into production.
#8: Limit the blast radius if an account gets compromised by enabling privileged identity management (PIM) wherever possible.
We mentioned the principle of least privilege earlier in this list of tips. In reality, maintaining least-privileged access for all users can be tricky, especially in larger organizations with many employees whose job responsibilities often change and overlap. Fortunately, it’s possible to take advantage of automation to make it easier. Privileged Identity Management is a service in Azure Active Directory (Azure AD) that enables administrators to manage, control, and monitor accounts with privileges within their Microsoft 365 environment. With PIM, they can, for instance, set permissions that will expire after a particular task has been completed or that require a supervisor’s approval before they’re granted. PIM makes it easier to discover, restrict, and monitor access rights to better protect critical data and administrative accounts within your organization.
#9: Conduct periodic access reviews to ensure that users with role-based privileges still need them.
Because employees’ responsibilities do change over time, it’s important to periodically review role-based access permissions to ensure that they’re still appropriate. In role-based access control (RBAC), groups of users are assigned sets of permissions based on what types of access they need to do their jobs. Groups can be based on things like department, job title, region, or level of seniority. The goal is to grant employees only the level of access that’s needed to do their jobs, and nothing more, while also making it easier and more efficient to manage access. Organizations that use RBAC should continually re-assess how roles are defined, and which permissions are truly needed.
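A practical starting point for the reviews described in tips #2, #8 and #9 is a snapshot of who currently holds each administrative role. The script below is an added example, not part of the original post and not a Microsoft-provided tool; it assumes the Microsoft Graph PowerShell SDK is installed and that the signed-in account can read directory roles. The list of high-impact role names is our own choice for prioritizing the review.

```powershell
# Added example: enumerate members of every activated directory role in the tenant
# and produce a list that reviewers can work through, riskiest roles first.
Connect-MgGraph -Scopes "RoleManagement.Read.Directory", "Directory.Read.All"

# Roles we treat as high-impact for review ordering (assumption, adjust to your policy).
$highImpact = @("Global Administrator", "Privileged Role Administrator",
                "Exchange Administrator", "SharePoint Administrator",
                "Security Administrator", "User Administrator")

# Get-MgDirectoryRole returns only roles that have been activated in the tenant,
# and membership here reflects active assignments; PIM-eligible (not yet activated)
# assignments do not show up in this list.
$report = foreach ($role in Get-MgDirectoryRole) {
    foreach ($member in Get-MgDirectoryRoleMember -DirectoryRoleId $role.Id -All) {
        $props = $member.AdditionalProperties
        [pscustomobject]@{
            Role       = $role.DisplayName
            HighImpact = $highImpact -contains $role.DisplayName
            # "#microsoft.graph.user" -> "user", "#microsoft.graph.group" -> "group", ...
            MemberType = $props['@odata.type'] -replace '^#microsoft\.graph\.', ''
            Member     = if ($props['userPrincipalName']) { $props['userPrincipalName'] }
                         else { $props['displayName'] }
            ObjectId   = $member.Id
        }
    }
}

# High-impact roles first, then alphabetically, so the riskiest assignments lead the review.
$report | Sort-Object @{Expression = 'HighImpact'; Descending = $true}, Role |
    Format-Table Role, MemberType, Member, ObjectId -AutoSize

# Non-user members (groups, service principals) deserve a separate look: the people
# who actually hold the privilege are one step removed from this assignment.
$report | Where-Object MemberType -ne 'user' |
    Format-Table Role, MemberType, Member -AutoSize

# Keep a dated snapshot so the next periodic review can be compared against this one.
$report | Export-Csv -Path ".\role-assignments-$(Get-Date -Format yyyyMMdd).csv" -NoTypeInformation
```

Comparing two dated CSV snapshots shows which role assignments were added or removed between reviews, which is usually the first question a reviewer asks.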
There’s no question that maintaining robust security can be complex and challenging. Microsoft provides industry-leading solutions and features that can make it easier. And we’re also here to help.
To learn more about our cybersecurity advisory and managed security services.