Legal Field IT Specialists CEO, Robert Finley, answering a question regarding security recommendations for using Office 365:

What are the best practices for securely using Office 365?

Microsoft Office 365 is a great platform for SMBs and organizations, because it gives them access to many of the same technology solutions that larger corporations have, but at a price point that's reasonable for their budget. Because there are so many features in Office 365, it can be daunting to know where to start. Most organizations typically start by using Office 365's email platform and extend from there.

In this segment I'll be outlining the 2nd of 3 key steps we recommend to enhance your security profile in Office 365. The first step has already been posted on this same page and the remaining 3rd key step will be covered in a subsequent segment.


Use Email Encryption

Taking email security to the next level includes encrypting email messages. While you can do this for all email, it typically makes sense to do so only for individual messages. For example, basic email communications typically do not need to be encrypted.

There are a few ways within Office 365 to encrypt email. You can set up a policy at the server level that monitors every email, looking inside to see if it contains sensitive information, such as a credit card number or social security number. It scans the body of the email looking for potential patterns and words and, when identified, it encrypts the message automatically. The receiver will receive an email that doesn't just show their social security number right away, but rather they must request it to be unencrypted after a verification process. This encryption policy is at the server level.

But you can also allow that individual sender to decide when they have something sensitive to send in their message. In this case, they can type out a keyword. We usually encourage people to use the square brackets and put the word 'encrypt' in between, like this "[encrypt]"; so that when you do that, it triggers the email server to encrypt the message based on the user's judgment. This moves the responsibility for encryption from the server to the user.

Another type of encryption available is for key vendors, clients, or partners that you communicate with regularly. If desired, you can set up "always on" encryption through the connection between your email server and your vendor or client's email server. For example, we have clients that work with highly confidential information. Quite often, we're asked to set up encryption between them and their clients for an "always on" encryption connection between the two companies.

All these types of encryption are included in the Office 365 platform and we encourage our clients to kick up their security posture a notch by using encryption.

Turn on Multi-Factor Authentication

Ramp up your security even more by using multi-factor authentication. The idea is that you must have multiple pieces of information to validate who you are when you log in to the Office 365 environment.

This could be for when you can check your email in Outlook, or it could be when you're trying to get into your data stored in OneDrive or SharePoint which are part of Office 365. When you go to log in, you will be asked to type in the password, if it isn't already saved, then it is going to ask you for a second piece of information, usually a verification code to let you proceed through.

This verification code can be sent to your mobile device, an app on your desktop or even a special key fob. There are a number of ways to do it, but multi-factor authentication adds another important layer of security to your business system.

Why would you want to enable multi-factor authentication? Let me share a story about a local business that had a horrible experience before they enabled multi-factor authentication. Here's what happened. There were two people involved at the company - one was the account manager and the other was the financial manager. The account manager requested to buy some promotional material for an event that they were hosting, and the financial manager was acting as the purchasing agent. They made the initial request with the vendor, and there was some basic dialogue back and forth. But about halfway through the email thread, the vendor says, "Ok, wire us your transfer payment here."

Fast forward about a month-and-a-half, and the vendor came back and asked, "Why haven't you paid your bill?" And the company was surprised and replied, "What are you talking about, we paid our bill several weeks ago." When they started digging into it and looked a little closer, the financial person, somewhere about midstream through the email's transaction thread, noticed that the email address that they were communicating with had changed from the original vendor's email. The correct letters for the vendor were "dmc" - but they were changed to "drnc." In the lowercase, and being really close together, the "r" and "n" looked like an "m."

So, the company realized that they had been communicating with some other third party altogether, and they didn't even know who it was! It all started with the hacker accessing the account manager's email account months earlier and automatically forwarding the messages from the company to an unknown Gmail account. The hacker waited until the desired money transfer situation occurred. Ultimately, the company lost $40,000. The account manager's email account had been easily accessed because multi-factor authentication was not on.

Email Encryption and Multi-Factor Authentication are a couple of basic security precautions for securing your environment. In order to help ensure your data and/or your financial accounts don't become compromised these need to be put in place ASAP.

If you would like assistance setting up email security, & security for Office 365 as a whole, for your firm call us today. Legal Field IT Specialists provides tailored IT support services to law firms to protect your firm from the dangers of online threats as well as working with you to ensure that your staff is highly productive & efficient which, in turn, increases your firm's profitability as a whole.

Phone: (678) 926-9192