
Office 365 Security – Ensure Your Team Members Do Not Have Global Administrator Permissions

When it comes to online security, small oversights commonly made by small business owners can quickly become big problems. Today, our team at TUCU will explore Office 365 security, and explain how small business owners and their IT administrators can ensure their employees’ email accounts are not phished or hacked. At TUCU, we specialize in small business IT support. If you need help switching to and managing your Office 365 accounts, we can help.


How Office 365 Accounts Can be Compromised

A couple of weeks ago, a Reddit user explained how a client’s Office 365 email account was phished. The problem was first detected when the account in question began sending spam. Upon this discovery, the account was secured. However, further issues began to surface. After a bit of investigation, it was discovered that the small business owner had made all of the users Global Administrators in Office 365. As a result, the attacker was able to:

  • Create a rule that actively deleted Office 365 emails
  • Create rules that caused mail to be auto-marked as “read”, and then moved to the RSS subscriptions folder
  • Create two brand-new Office 365 accounts and then assign them Global Administrator permissions
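
To check a tenant for the same signs, the following added PowerShell example (not from the Reddit post or from TUCU) lists Global Administrator holders outside an approved list and inbox rules that delete mail or move it to an RSS folder. It assumes the Microsoft.Graph and ExchangeOnlineManagement modules are installed; the addresses in $ApprovedAdmins are constructed placeholders.

```powershell
# Added audit example. Read-only: it reports findings and changes nothing.
# Placeholder list (assumption): replace with the accounts that SHOULD be
# Global Administrators, e.g. the business owner and the IT provider.
$ApprovedAdmins = @('owner@example.com', 'it-provider@example.com')

Connect-MgGraph -Scopes 'RoleManagement.Read.Directory', 'User.Read.All'
Connect-ExchangeOnline -ShowBanner:$false

# 1. Global Administrator membership (active role members only).
$role = Get-MgDirectoryRole -Filter "displayName eq 'Global Administrator'"
$admins = Get-MgDirectoryRoleMember -DirectoryRoleId $role.Id -All |
    ForEach-Object { $_.AdditionalProperties['userPrincipalName'] } |
    Where-Object { $_ }

# -notin compares case-insensitively, so address casing does not matter.
$unexpectedAdmins = @($admins | Where-Object { $_ -notin $ApprovedAdmins })

# 2. Inbox rules that hide mail from the mailbox owner: rules that delete
#    messages, or that move them to an RSS folder (often after marking
#    them as read), as in the incident described above.
$suspectRules = foreach ($mbx in Get-EXOMailbox -ResultSize Unlimited) {
    Get-InboxRule -Mailbox $mbx.UserPrincipalName |
        Where-Object {
            $_.DeleteMessage -or ("$($_.MoveToFolder)" -match 'RSS')
        } |
        Select-Object @{ n = 'Mailbox'; e = { $mbx.UserPrincipalName } },
                      Name, Enabled, DeleteMessage, MarkAsRead, MoveToFolder
}

# 3. Report.
Write-Host "Global Administrators found: $(@($admins).Count)"
foreach ($upn in $unexpectedAdmins) {
    Write-Warning "Unexpected Global Administrator: $upn"
}
if ($suspectRules) {
    $suspectRules | Format-Table -AutoSize
} else {
    Write-Host 'No inbox rules matched the delete / RSS-folder pattern.'
}

Disconnect-ExchangeOnline -Confirm:$false
Disconnect-MgGraph | Out-Null
```

A flagged rule is not proof of compromise, since users create delete rules for legitimate reasons; review each one with the mailbox owner before removing it.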

How To Secure Office 365 Accounts

Hindsight is 20/20. There are several things that could have prevented this type of security breach, including user awareness training, multi-factor authentication, and securing mail flow. More importantly, only the IT provider and the small business owner should have global administrator permissions. In the sections below, we will offer some basic tips on how to protect your small business from situations such as this one.

Multi-Factor Authentication

Multi-factor authentication, or MFA, provides an additional layer of security when logging into an account. For example, in addition to the initial login, a user will be prompted to also acknowledge a text message, phone call, or app notification. Therefore, a stolen password alone is not enough to take over an account. The attacker would also need to satisfy an additional security challenge.


Use Office 365 Secure Score

Fortunately, Office 365 has a built-in security analytics tool, called Secure Score. By comparing your business’ data with a baseline determined by Microsoft, Office 365 can evaluate your activities and settings, and recommend any necessary changes.


Use Office 365 Cloud App Security

Every business can set up policies based on its specific needs. Administrators can then review unusual activity and determine if further action must be taken. This includes things such as multiple failed login attempts, sign-ins from unknown IP addresses, and downloading large amounts of data.


Secure Mail Flow

This feature is available in Exchange Online Protection and gives small business owners more knowledge about the identity of each email sender. It can also protect the system against unknown malware, viruses, and more.


Use Data Loss Prevention

Data loss prevention is a beneficial tool that helps keep your employees from intentionally or accidentally sharing sensitive data. This feature is available across the entire Office 365 platform, ensuring that users remain compliant without workflow interruption.


Cloud IT Consultants In Toronto

Before you switch to the cloud, get professional guidance and setup help. If you already use Office 365 for your small business, and are not sure if you are following best computer security practices, you can hire our IT Consultant to review your setup and advise on changes. TUCU is tech u can use – we have been providing small business IT Solutions in Toronto since 2003. Call or email us today to schedule a phone consultation or an in-office visit to review your cloud and IT Security needs.