I have Ms M365, I am secure . . .?


How secure is Microsoft M365?

One of the common things I hear when talking to SMBs about cyber security is:

“I have Microsoft 365, I am already secure”.

It would be funny, if it wasn’t so common, and if it wasn’t so seriously wrong.

So here is what you get when you subscribe to Microsoft 365: a username/password, Outlook/Email, MS Teams, Word, Excel, PowerPoint, SharePoint, OneDrive and a handful of other apps. The functionality to aid your business.

Here is what you DO NOT GET - SECURITY.

By default, you do not get much - a username and password. The security Microsoft provides is security to protect their Microsoft 365 environment (the one that all of their customers run on), but they don’t protect yours, or anyone else’s - that is up to you.

You don’t get Two Factor/Multi Factor out of the box, you don’t get identity protection, you don’t get data protection, you don’t get malware protection, you certainly don’t get device protection, web protection or browser-based attack protection, and for the second most popular attack method, phishing, you get the absolute bare minimum. You don’t even get legacy authentication methods blocked, a known and easy-to-exploit attack method.

Microsoft 365 security, and security in general, is up to you to implement. Why? Because it is up to you to choose whether you want security and how much. What level of security risk are you prepared to take? Some choose complete freedom with reckless abandon, others lock it down like it holds The Crown Jewels, and some choose varying degrees between the extremes.

But right now, many SMBs have unwittingly chosen the ‘reckless abandon’ option and are taking big security risks, with many paying the price (check the stats on SMBs and what happens after a successful attack). Large enterprises lock theirs down before it even sees the light of day, and they leverage both inbuilt and additional, better, security controls and solutions (which are now also available to SMBs - we are familiar with and use these ourselves).

The good news is, there is a bunch of security that can be configured within Microsoft 365 to help protect your environment, and it is there waiting to be activated and configured properly. Things like configuration to provide better (not best) protection against phishing, protection against identity compromise, malware protection, malicious email link and attachment protection, plus others like multi-factor, single sign-on (one login to access all you need), stopping strangers from joining Teams Meetings, stopping externals from seeing your calendar and many other features. It is just sitting there waiting for someone to use it.

So my big question to you, now you know, is: what are you going to do? Reckless abandon? Research Microsoft 365 and learn how to implement security properly? Trust that your IT provider has done it? (Big hint - rarely have they even done a proper basic job, which is Two/Multi Factor.)

Small Robot offer and recommend a few ways forward:

  1. Move your Microsoft licensing across to us and we will do a free security review and improvement.
  2. Engage with us to do a full security review and implement the security you need, while still giving you the freedom to work the way you do.
  3. Talk with us about looking after your Security (and optionally all of your IT) whereby we secure, monitor and keep it secure (detect and respond to security events).
  4. Do nothing, and then contact us when you are hacked - our day rates for that are much better for us, much better :-)

And just so you know, we price these services specifically and only for SMBs, not at our normal rate, as we know the challenges of competing priorities when getting something going.

So on that note . . . Be smart. Be secure. Be successful.