Organizations understand the value of backing up their on-premises data, but unfortunately many are not backing up the data they produce and share in software-as-a-service (SaaS) platforms such as Microsoft 365 the way they should. All those contacts, spreadsheets, email attachments, marketing and sales plans, and other company data in Exchange, OneDrive, SharePoint, Teams, Excel, and Word require you, the content owner, to take special steps to protect them.
For the most part, the Microsoft 365 platform has built-in protection mechanisms that help keep your data secure. However, there are potential gaps. For instance, problems can arise when a file is inadvertently deleted and the deletion goes unnoticed. Microsoft maintains a recoverable items queue that runs for 14 days and can be extended to 30 days, but if you don’t know the deletion has occurred, recovering the lost file beyond the 14 or 30 days can be difficult. Another example: the native restore functionality for OneDrive allows rollback to any point in time in the past 30 days; however, all files are rolled back to that point in time. When only a single folder needs to be recovered, all new data created after the selected restore point is lost.
Thus, having a Microsoft 365 backup and recovery solution can be vital in cases such as accidental or purposeful deletion of data, a ransomware attack, or a natural or manmade disaster that takes down your IT systems.
It’s also worth noting that there are simple precautionary measures that every organization using Microsoft 365 can take to help protect their data against malware and other external cyberattacks.
1. Disable Microsoft 365 macros
Attackers can use macros to run and generate code that infects Microsoft 365 files. Macros are the most common way ransomware attacks occur.
2. Implement a phishing prevention plan
Phishing emails are one of the easiest types of cyberattack to execute. They’re used to spread malware, steal user credentials, and take over employee login information.
Employee education is a good first line of defense against phishing schemes. While these emails are getting more sophisticated, there are still telltale signs that make most of them easy to spot for the trained employee. Obvious signs include misspellings, sloppy grammar, and unusual formatting, which aren’t found in genuine business emails. Less obvious clues can often be found in the sender’s address. Training your employees to recognize the signs can go a long way in reducing the likelihood of them clicking on a phishing email.
In addition, remember that knowing your enemy is the best weapon in your security arsenal. Analyze all phishing emails that get past the filters set up by Microsoft and yourself. Understand how they got through and update your filters so the same type of phishing email can’t target your organization again.
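The review step described above can be partly automated. The following is an added example, not part of the original article or any Rubrik or Microsoft tooling: a small triage function that checks a message that slipped past filtering for sender-address clues and failed authentication results. The sample message, the domains, and the TRUSTED_BRANDS allow-list are constructed assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample message (not a real email); every domain is a placeholder.
SAMPLE = """\
From: "Microsoft 365 Support" <helpdesk@m1crosoft-support.example>
Reply-To: billing@other-domain.example
To: user@contoso.example
Subject: Action required
Authentication-Results: mx.contoso.example; spf=fail smtp.mailfrom=m1crosoft-support.example; dkim=none; dmarc=fail header.from=m1crosoft-support.example

Please verify your account.
"""

# Assumed allow-list: brand keyword -> domains that brand legitimately sends from.
TRUSTED_BRANDS = {"microsoft": {"microsoft.com", "office.com"}}

def domain_of(header_value):
    """Return the lower-cased domain of an address header, or '' if absent."""
    addr = parseaddr(header_value or "")[1]
    return addr.rpartition("@")[2].lower()

def triage(raw):
    """Return a list of findings explaining why a message looks like phishing."""
    msg = message_from_string(raw)
    findings = []
    display = parseaddr(msg.get("From", ""))[0].lower()
    from_dom = domain_of(msg.get("From"))
    # Display name claims a brand, but the sending domain is not that brand's.
    for brand, domains in TRUSTED_BRANDS.items():
        owned = any(from_dom == d or from_dom.endswith("." + d) for d in domains)
        if brand in display and not owned:
            findings.append(f"display-name-brand-mismatch:{brand}")
    # Replies are routed to a different domain than the visible sender.
    reply_dom = domain_of(msg.get("Reply-To"))
    if reply_dom and reply_dom != from_dom:
        findings.append("reply-to-domain-differs")
    # SPF/DKIM/DMARC verdicts recorded by the receiving mail server.
    auth = " ".join(msg.get_all("Authentication-Results", []))
    for mech in ("spf", "dkim", "dmarc"):
        m = re.search(rf"\b{mech}=(\w+)", auth)
        result = m.group(1).lower() if m else "missing"
        if result != "pass":
            findings.append(f"{mech}={result}")
    return findings

if __name__ == "__main__":
    print(triage(SAMPLE))
```

Each finding maps to a filter change to consider, such as tightening DMARC enforcement or flagging brand names in display names from external domains.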
3. Create strong passwords
There are many tips on the Internet for what constitutes a strong password. In addition to heeding these tips, employees should be encouraged to avoid reusing passwords for both work and personal accounts. Using the same password for multiple accounts is another bad habit, although it’s still a common practice among many employees. If, for example, you use a service that gets hacked, the email and password associated with the hack remain on the Internet. A nefarious person who wants to try to get into one of your Microsoft 365 accounts can take the breached password and see if it’s been used elsewhere.
4. Use multi-factor authentication (MFA)
MFA is an increasingly prevalent practice, whereby users are granted access to an application or website only after a second method of authentication is provided in addition to the password. Often the second form of identity is a biometric fingerprint or a one-time password generated via an app on the user’s phone.
The reality is that even good built-in SaaS protection mechanisms, the strictest internal security policies, and the most comprehensive employee training programs can’t ensure the safety of your data 100% of the time. Protecting against the unforeseen is the bane of information and IT security personnel.
Here’s where Rubrik Polaris can help.
When developing our Microsoft 365 backup and recovery solution, we wanted to address customers’ pain points, including lack of control over their data and limited search capabilities, while retaining simplicity and ease of use.
We designed Rubrik Polaris for Microsoft 365 backup and recovery using a SaaS approach and cloud-native architecture. Rapid iteration and product enhancements are done without you having to redeploy or upgrade anything. The solution:
Sets up easily and quickly
Eliminates manual, time-consuming job scheduling
Maintains your control over where your data is stored