If you are using Office 365, or any other cloud service, have you activated all the security features available to you? Many people have not set up a simple step that will verify the identity of anyone logging in to your virtual office.
Office 365 – you can access it from anywhere. Any device, any location, any time. You know this already. And that’s why so many businesses choose to use it.
Wherever you are, open a browser, pop in your password and every Office tool is there for you. Everything you need to work, just as it is in the office: all your files, your contacts, your emails, just as you would expect. Incredibly powerful; incredibly simple.
But that is where the risk might come in.
Because it’s not really all that difficult for someone with malicious intent to find a bunch of your email addresses. With these usernames, criminals can try to break in to your office.
Like all opportunists, cybercriminals go for the low-hanging fruit, the unlocked door, the window left ajar. In technological terms, this often means weak passwords. Tell the truth – can you be sure that none of your users have the password Jan19? Or password1? Some research suggests that the worst offenders for weak passwords can be surprisingly high up in the corporate food chain. (Donald Trump was labelled the worst password offender of 2017.)
If this happens, if a bad guy gains access to your virtual office, then they would see exactly what you see – all your files, all your emails, all your contacts. And if that thought doesn’t worry you, I think it should.
Take a moment to access good password advice: cyberaware.gov.uk or getsafeonline.org. Sharing this advice with all your colleagues regularly is a great place to start. The next step is to enforce your password policies (or get a great IT services provider, like SITOC, to enforce them for you!) by regulating password complexity and prompting regular password changes.
Beyond these common-sense steps, it might surprise you to learn that there is a built-in effective security tool that only a few people use. It’s a tool that’s often available in the basic package – this applies to Office 365, and equally to other cloud providers. And yet it’s also a tool that many people initially don’t want to activate.
Multi-factor authentication – also known as two-step verification.
The idea is relatively obvious: entering the right password is not enough on its own. Normally, you would expect to enter your password (one step) and be straight in to work. A second hurdle makes good sense, a check before you get in – or before someone impersonating you gets in.
Usually this will be a unique code sent to your mobile phone. It’s virtually instant, but very reassuring.
The natural human inability to assess risk is certainly part of the reason people are reluctant to activate it. You are trying to weigh a known delay (however short), an extra step to overcome each time you connect from a browser, against the unknown risk of a security breach at some unknown point in the future. People are famously bad at these judgements.
Where our instincts fail us, we need to rely on expert advice. And our advice is to activate multi-factor authentication wherever it is available to you. Rationalise any resistance you have.
In our experience, any business that suffers a password breach will, immediately after, activate multi-factor authentication. Once the personal experience is there to allow informed judgement, businesses choose the highest available security, even at the expense of a little time lost – and they often invest more money in security measures too.
If you take our advice, you can skip the pain of a security breach, and go straight to implementing the best security available.
So, in summary:
- First, implement better password security.
- Second, activate two-step verification, which is often available without additional costs.
- Third, have a look at some of the higher-level enterprise security options. For example, in Office 365, Enterprise packages allow you to have better control of mobile devices, to set ‘safe’ IP addresses, and to better recognise and block threats.