Seven surprisingly simple M365 settings will improve cybersecurity at your community bank or credit union.
Integris’ Financial Institution Division (FID) has spent decades conducting IT operating assessments for financial institutions, and we always encounter organizations with disconcerting gaps, despite having relatively strong in-house IT departments.
In this article, we’re focusing on Microsoft 365 or “M365” (which includes Outlook, Exchange, Teams, OneDrive, SharePoint, Word, Excel, PowerPoint, and more) for three reasons:
- With nearly 50% of the office productivity software market, M365 is more popular than ever.
- Mastering its administrative nuances is a journey.
- With the emergence and high adoption rate of cloud computing technologies, M365 has become a primary target of malicious actors.
Reduce Unnecessary Cyber Exposure
The forthcoming technical details will help C-Level readers get more comfortable with the configuration vocabulary and minutia.
And if IT audiences get one new idea that leads to implementing a new administrative best practice, it will be even better. The goal is to arm two important stakeholders with additional ammunition to reduce unnecessary cyber exposure.
The following observations were captured from digital discovery with a 155-person community bank, supported by an in-house IT team with 5 people.
Here’s a snapshot of their M365 environment, followed by recommendations to fine-tune a few critical configuration settings.
M365 Cybersecurity Settings for SharePoint/OneDrive
The default settings for SharePoint/OneDrive are easy to overlook.
Unless the creator of a SharePoint/OneDrive site selects private, all sites are created in public mode.
In public mode, users can add guests to the organization’s Office 365 tenant, and those guests can then reach any data or SharePoint/OneDrive site that was accidentally left public.
Integris FID quickly noticed this community bank had every site in public mode.
The bank also neglected to enable audit logging. According to Microsoft, “Audit logs capture details about system configuration changes and access events, with details to identify who was responsible for the activity, when and where the activity took place, and what the outcome of the activity was. Automated log analysis supports near real-time detection of suspicious behavior.”
M365 Cybersecurity Recommendations
- Disable users’ ability to add guests to the O365 tenant, and assign configuration privileges to a small trusted circle of designated administrators.
- Enable audit logging.
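The two recommendations above, as an added example that is not part of the Integris article: audit the current state and remediate it with the Microsoft Graph, SharePoint Online and Exchange Online PowerShell modules. “contoso” is a placeholder tenant name; the Graph authorization policy is assumed to be the setting that governs who may invite guests.

```powershell
# Added example (not from the Integris article): audit and remediate the
# SharePoint/OneDrive findings. "contoso" is a placeholder tenant name.
Connect-MgGraph -Scopes "Policy.ReadWrite.Authorization"
Connect-SPOService -Url "https://contoso-admin.sharepoint.com"
Connect-ExchangeOnline

# 1. Who may invite guests into the tenant? "everyone" means any user can add guests.
$authz = Get-MgPolicyAuthorizationPolicy
"Guest invites allowed from: $($authz.AllowInvitesFrom)"
if ($authz.AllowInvitesFrom -in @("everyone", "adminsGuestInvitersAndAllMembers")) {
    # Restrict invitations to admins and the Guest Inviter role (the "small trusted circle").
    Update-MgPolicyAuthorizationPolicy -BodyParameter @{ allowInvitesFrom = "adminsAndGuestInviters" }
}

# 2. Tenant-wide SharePoint/OneDrive sharing ceiling. ExternalUserAndGuestSharing lets
#    anyone share with new guests and anonymous links; tighten to existing guests only.
$spo = Get-SPOTenant
"SharePoint sharing capability: $($spo.SharingCapability)"
if ($spo.SharingCapability -eq "ExternalUserAndGuestSharing") {
    Set-SPOTenant -SharingCapability ExistingExternalUserSharingOnly
}

# 3. Unified audit logging must be on before any sign-in or sharing event is recorded.
$audit = Get-AdminAuditLogConfig
"Unified audit log enabled: $($audit.UnifiedAuditLogIngestionEnabled)"
if (-not $audit.UnifiedAuditLogIngestionEnabled) {
    Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $true
}
```

Run the three read-back lines first on their own; they show the exposure without changing anything.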
M365 Cybersecurity Settings for Outlook
Integris FID observed Outlook settings allowing auto-forwarding of emails outside of the bank’s domain.
As Laura Kerns, Senior Claim Consultant, of Conner, Strong & Buckelew notes, “Email forwarding is a convenient tool for users and is utilized often in a business setting. For example, if a person will be out of the office for vacation or an extended period, they may forward their emails to a colleague in their absence. Cybercriminals use this feature to forward incoming emails to a separate folder or email account.”
Laura continues, “Not only does this provide the attacker with intelligence for a subsequent broader attack, but it may also provide the cybercriminal with PII of other potential victims. In addition, the cybercriminal may have access to the emails even if the user turns on multi-factor authentication (“MFA”) or changes their password.”
M365 Cybersecurity Recommendation
- Disable auto-forwarding outside of the bank domain. If there are special circumstances where this is required, IT can allow forwarding.
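One way to implement this recommendation in Exchange Online, as an added example that is not part of the Integris article: inventory the forwarding that already exists, block automatic external forwarding tenant-wide, and carve out an IT-controlled exception. The group address is a placeholder.

```powershell
# Added example (not from the Integris article): find existing forwards, then block
# auto-forwarding outside the tenant. "ForwardingApproved@contoso.example" is a placeholder.
Connect-ExchangeOnline

# 1. Inventory: mailbox-level forwarding set by admins or through Outlook settings.
Get-Mailbox -ResultSize Unlimited |
    Where-Object { $_.ForwardingSmtpAddress -or $_.ForwardingAddress } |
    Select-Object UserPrincipalName, ForwardingSmtpAddress, ForwardingAddress, DeliverToMailboxAndForward

# 2. Inventory: inbox rules that forward or redirect. -IncludeHidden also returns rules
#    Outlook does not display, which is a common sign of a compromised mailbox.
foreach ($mbx in Get-Mailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox) {
    Get-InboxRule -Mailbox $mbx.UserPrincipalName -IncludeHidden |
        Where-Object { $_.ForwardTo -or $_.ForwardAsAttachmentTo -or $_.RedirectTo } |
        Select-Object @{n='Mailbox';e={$mbx.UserPrincipalName}}, Name, Enabled, ForwardTo, RedirectTo
}

# 3. Block: the default outbound spam policy applies to everyone without a more specific
#    policy. Off rejects auto-forwarded mail and returns an NDR the user will notice.
Set-HostedOutboundSpamFilterPolicy -Identity Default -AutoForwardingMode Off
# (Set-RemoteDomain Default -AutoForwardEnabled $false is the organisation-wide alternative;
#  it is not used here because it would also override the exception below.)

# 4. Exception handled by IT: a second outbound policy that allows forwarding only for
#    members of an approved group, so the default stays blocked for everyone else.
New-HostedOutboundSpamFilterPolicy -Name "Allow Forwarding (IT approved)" -AutoForwardingMode On
New-HostedOutboundSpamFilterRule -Name "Allow Forwarding (IT approved)" `
    -HostedOutboundSpamFilterPolicy "Allow Forwarding (IT approved)" `
    -FromMemberOf "ForwardingApproved@contoso.example"

# Verify both policies.
Get-HostedOutboundSpamFilterPolicy | Select-Object Name, AutoForwardingMode
```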
M365 Cybersecurity Settings for Microsoft Teams
Microsoft Teams is a fantastic collaboration tool. So much so that the bank’s users were unwittingly allowing guest and external access into the privacy of their corporate environment.
This meant any bank employee/user could “invite” resources outside of the organization to view files and other privileged communications, including intellectual property and trade secrets.
Unauthorized access was wide open, except for documents and sites that had been set to private. Even more troubling, the IT department and bank employees didn’t realize the level of access that had been accidentally granted to outside parties.
Integrations and Third-Party App Risk
Integris FID also noticed cloud file sharing was enabled (by default), allowing integrations with Citrix, Google Cloud, and several other cloud file-sharing applications.
This setting made it very easy for end users to copy data outside the organization to services the bank could not control.
The users were also allowed to install third-party applications, which enabled sharing of company data outside of the bank’s control.
M365 Cybersecurity Recommendations
- Disable external and guest access to the Microsoft Teams environment.
- Disable Cloud File Sharing within Teams.
- Set Third-Party Apps to disabled.
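The three Teams recommendations above, as an added example that is not part of the Integris article, applied with the MicrosoftTeams PowerShell module. The third-party app step assumes the classic app permission policy model.

```powershell
# Added example (not from the Integris article): apply the Teams recommendations
# and read the settings back afterwards.
Connect-MicrosoftTeams

# Before: capture the current client configuration so the change is reviewable.
Get-CsTeamsClientConfiguration -Identity Global |
    Select-Object AllowGuestUser, AllowDropBox, AllowBox, AllowGoogleDrive, AllowShareFile, AllowEgnyte

# 1. Guest access (tenant-level switch) and external/federated access.
Set-CsTeamsClientConfiguration -Identity Global -AllowGuestUser $false
Set-CsTenantFederationConfiguration -AllowFederatedUsers $false -AllowTeamsConsumer $false

# 2. Cloud file-sharing integrations (ShareFile is Citrix's service; Google Drive covers
#    the Google finding). Each provider is its own switch, so turn all of them off.
Set-CsTeamsClientConfiguration -Identity Global `
    -AllowDropBox $false -AllowBox $false -AllowGoogleDrive $false -AllowShareFile $false -AllowEgnyte $false

# 3. Third-party apps. Assumption: classic app permission policies are in use. An empty
#    allow-list for the global catalog blocks every third-party app for users in the
#    Global policy; tenants on app centric management do this in the Teams admin center.
Set-CsTeamsAppPermissionPolicy -Identity Global -GlobalCatalogAppsType AllowedAppList -GlobalCatalogApps @()

# After: verify guest and federated access are off.
Get-CsTeamsClientConfiguration -Identity Global | Select-Object AllowGuestUser
Get-CsTenantFederationConfiguration | Select-Object AllowFederatedUsers, AllowTeamsConsumer
```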
M365 Cybersecurity Settings for Authentication
Although Microsoft turned off Basic Authentication in early January 2023, at the time of this assessment the bank still had this feature enabled by default to connect their servers, services, and API endpoints.
In December 2022, Microsoft shared the rationale for its retirement stating, “Basic Authentication makes it easier for attackers to capture user credentials (particularly if the credentials are not protected by TLS), which increases the risk of those stolen credentials being reused against other endpoints or services. Furthermore, the enforcement of Multifactor Authentication (MFA) is not simple or in some cases, possible when Basic Authentication remains enabled.”
At the time, we recommended they block basic authentication for all users. (Now they don’t have to worry about this setting because the feature was phased out.)
We are sharing this historical detail because it underscores two important lessons: it’s easy for qualified IT professionals to miss critical configuration details and M365’s cybersecurity features are constantly evolving.
M365 Cybersecurity Settings for Onsite and Cloud Active Directory (AD)
The bank had a hybrid AD environment with legacy Active Directory infrastructure and Azure Active Directory (recently renamed Microsoft Entra ID), connected by Hybrid Azure AD Joined Devices.
This configuration gives users, inside and outside the office, access to cloud and on-premises applications and resources.
However, there was a problem: Join Required for Windows was not enabled, so computers not joined to the bank’s domain could still access resources in their environment. This oversight posed a critical security risk.
M365 Cybersecurity Recommendation
- Deploy Conditional Access policies to require Windows devices to be Hybrid Azure AD Joined to connect to Office 365 services.
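The recommended Conditional Access policy, as an added example that is not part of the Integris article, created with the Microsoft Graph PowerShell SDK. It starts in report-only mode so the sign-in logs show which non-joined Windows devices would be blocked before anything is enforced; $BreakGlassAccountId is a placeholder for an emergency-access account.

```powershell
# Added example (not from the Integris article): require Hybrid Azure AD Join for
# Windows devices connecting to Office 365. Report-only first, enforce after review.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess"
$BreakGlassAccountId = "00000000-0000-0000-0000-000000000000"   # placeholder object id

$policy = @{
    displayName = "Require Hybrid Azure AD Join for Windows to Office 365"
    state       = "enabledForReportingButNotEnforced"   # change to "enabled" after review
    conditions  = @{
        users        = @{
            includeUsers = @("All")
            excludeUsers = @($BreakGlassAccountId)     # never lock out emergency access
        }
        applications = @{ includeApplications = @("Office365") }   # the Office 365 app group
        platforms    = @{ includePlatforms = @("windows") }         # scope to Windows only
    }
    grantControls = @{
        operator        = "OR"
        builtInControls = @("domainJoinedDevice")   # domainJoinedDevice = Hybrid Azure AD joined
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
"Created policy $($created.Id) in state $($created.State)"

# Review: every policy that already requires a hybrid-joined device.
Get-MgIdentityConditionalAccessPolicy |
    Where-Object { $_.GrantControls.BuiltInControls -contains "domainJoinedDevice" } |
    Select-Object DisplayName, State
```

Devices that are Azure AD joined but not hybrid joined will also fail this check once enforced, so confirm the fleet is actually hybrid joined (dsregcmd /status on a sample of machines) before flipping the state.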
Partnering with Banks to Optimize M365 Cybersecurity
Integris FID pulled these M365 observations from a comprehensive assessment performed both onsite and remotely over the course of eight weeks. The bank’s entire digital estate, spanning servers, the virtual environment, network devices, business processes, IT governance, IT support effectiveness and all cybersecurity solutions were evaluated for efficiency, security, and functionality.
The IT Manager and all members of the IT Department were extremely helpful in completing various pieces of this assessment. In addition, 11 other employees were interviewed and provided extremely valuable information.
Even better, they were grateful for the results of the assessment and became a valued client shortly thereafter.
Distraction is Real
Despite having a highly competent staff, members of the IT support team were getting distracted with other activities and engaged Integris FID to:
- Ensure their IT (support & network configuration) was efficient and aligned with their strategy.
- Improve protection from cybersecurity threats.
- Assess the durability of current technology to handle future growth and recover from a disaster.
- Resolve lingering technology issues.
- Identify the root causes of inadequate support that was causing frustration and downtime for the end users.
- Get a second opinion on why their IT spend was so high.
Please schedule a free consultation to explore ways Integris FID can help you improve reliability, security, efficiency, and control runaway IT costs.