top of page

Reducing Risks for Small / Medium Sized Companies


Quite rightly, the Microsoft Cloud platform is purchased by individuals and companies for specific tasks, such as communication, collaboration, design, data analysis and way way more.


But with cloud services comes a mountain of risk that could easily impact you through a variety of threats ranging from;


  • Unplanned outages

  • Loss of data (accidental or malicious)

  • Unauthorised access to your systems and data (internal or external actors)

  • Phishing campaigns via email

  • Malware / Ransomware


That's all very well, but for the average company on a tight budget, how on earth is someone going to achieve any sort of security measures against those?


The answer is by performing an analysis of your current environment, and categorising recommended control measures under the following to start with.

For example:


If it's a recommended best practice but also marked as urgent, is it straight forward to implement? If the answer is yes, then it could be deemed as a tactical fix.


If it's not urgent and can wait, but still recommended, can it be scheduled as more of a strategic option?




But perhaps most importantly of all......


My approach to security isn't providing the latest and greatest product just because that's what the industry says. Security needs to be bespoke to the individual, whether you're a sole trader or a company with thousands of employees.


So how does the this relate to the Microsoft Platform?


Scenario:


Your company has 20 employees, all using Microsoft 365 services from their company owned devices. The tenant was set up many years ago, and everyone is assigned an Office 365 E3 licence, providing the basic application needs.


Employees regularly report suspicious emails and one individual sadly fell for a phishing email, providing their credentials.


Devices have full access to the internet and occasionally download malware, although it doesn't get reported to anyone.


Multifactor authentication isn't enforced, but has been enabled for 20% of employees using SMS.


Data is stored in both OneDrive and SharePoint between all 20 employees with no real segregation of access permissions.


50% of the devices are laptops running Windows 10 Home edition and used by their owners for personal activities outside of work.


Administration of the tenant is performed by one of the employees who's assigned Global Administrator to their existing account. There are no other Global Administrators.


Potential Options


  • Leveraging existing Exchange Online Protection Email policies

  • Consider Defender for Office 365 Plan 1 for better protection against Phishing, Impersonation attacks etc

  • Microsoft Entra Security Default settings can be fine tuned to enforce stronger MFA options

  • Cloud Security Standards will help drive better practices across your platform around naming conventions, identity management etc.

  • Device Management would open the doors for better controls around patching, encryption, Defender for Business deployments

  • Moving to a different Microsoft licence to leverage more security options



How would the company benefit?


  1. Reduction of malicious emails

  2. Reduced risk of unauthorised personnel logging on / accessing confidential systems

  3. Reduced risk of data being exposed in the event of a device being lost

  4. Better administration controls

  5. Reduced risk of downloading malicious content - improved detection and reporting

  6. Improved monitoring


As you can see, this is just a quick approach to a hypothetical situation, using existing capabilities along with additional recommendations but with an aim to minimise expense.


If you'd like a conversation to discuss your current environment and brainstorm ideas as to how Security Ninja can help you, please get in touch.



32 views0 comments

Comments


bottom of page