Introduction

Law firms depend on their IT infrastructure to provide a safe and secure environment in which to perform work for their clients. With the growing trend of migrating to Microsoft 365 (MS365) / Azure to provide these services online, there is an assumption that your data and environment are secure.

While MS365 gives you the opportunity to benefit from Microsoft’s investment in providing a highly secure environment for your data, it requires some manual configuration to ensure that best working practices are implemented. By default, with MS365 ‘out of the box’, this is not the case.

So, where do you stand? How can you assess how secure your environment is? How much risk are you exposed to?

Being able to answer these three core questions is the first step in determining your security stance, securing your working environment and, from there, meeting the ever-increasing risks that come with using IT.

Background

Data taken from Astra Security during 2022 indicates the following:

  • nearly 4,000 new cyber-attacks were detected PER DAY
  • more than 560,000 malware attacks were detected PER DAY
  • every 14 seconds, somewhere in the world, a company fell victim to ransomware, which can result in a devastating impediment to business operations and subsequent significant financial losses in terms of ransom payment, post-breach clean-up and direct cash-flow impact from business disruption
  • 39% of UK businesses were affected by cyber-attacks

With these kinds of statistics, it is imperative that you know how secure your environment is. You may have moved the operational elements of IT and security to MS365 to utilise the advanced protection it provides, but this, in and of itself, is not enough. Whatever approach you take, you cannot absolve yourself of responsibility for knowing the risk level you are operating under and how you can improve your security stance to combat the very worrying security threats that all companies face.

Firms remain responsible for developing policies and procedures, ensuring relevant systems are deployed and confirming that they are implemented correctly. It goes without saying that the biggest risk is the business impact, in terms of downside and reputational damage, should your security stance not stand up to the challenges.

How To Improve

Before you can improve your security position, you must have a clear understanding of your current situation. From that you can derive an improvement plan to increase your security without adversely affecting the day-to-day operations of your business.

One of the most effective ways to achieve this is to undertake an audit of your current security posture. Ideally this should be conducted by an independent organisation that will be unbiased in its opinion and recommendations.

There are many companies that can provide this service. Some key things to look for when choosing one, or when deciding to complete the audit internally, are:

  • What level of access is being asked for? An audit should be possible without any permission to change settings. Within MS365 there is a specific read-only audit role for this purpose. If you are being asked for more access than this, be wary.
  • Will the report you receive give a summary of your current security posture?
  • Will the report show you comparison to other firms?
  • Does the report give you clear recommendations for priority and subsequent steps?
  • Does the report give you the full detail of what has been audited?
  • Are there different levels of report available, or is it one-size-fits-all? Not all firms use the same infrastructure, and some are much larger than others. A one-size-fits-all approach could mean you are paying more than you need to.
  • Can the recommendations in the report be understood by your staff?

Once you have your audit report you can then formulate an implementation plan and start the process of improving your security stance.

Recommendations

1. Find an audit provider

Look at the various players in the marketplace that provide this kind of service. Do your research, ask for examples, and settle on one that fits your budget and requirements.

2. Commission an audit

Provide your chosen supplier with read-only access to your systems and allow them time to review your infrastructure. This may include giving them access to any IT professionals you have in-house to clarify certain items.
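The checklist above and this step both turn on the same control: the auditor's account should hold read-only roles and nothing more. The script below is an added example, not tooling from the article or from Baskerville Drummond. It assumes you have exported the directory role memberships of the auditor accounts (from the Entra admin centre, or a Microsoft Graph directory-role query) into a small JSON list, and it flags any role that is not on a read-only allowlist before the credentials are handed over. The allowlist names real built-in Entra ID roles, but which of them your firm accepts is a policy decision, and the accounts in the sample export are constructed.

```python
import json

# Built-in Entra ID roles that cannot change tenant configuration. Treating
# exactly these as acceptable for an audit is this example's assumption;
# tighten the set to match your own policy (for example, drop Global Reader
# if Security Reader alone is enough for the scope of the audit).
READ_ONLY_ROLES = frozenset({
    "global reader",
    "security reader",
    "reports reader",
    "directory readers",
})


def excess_roles(assigned_roles):
    """Return the roles on an account that go beyond the read-only allowlist.

    Comparison is case-insensitive; first-seen order is preserved and
    duplicates are dropped so the resulting report is easy to read.
    """
    seen = set()
    excess = []
    for role in assigned_roles:
        name = role.strip()
        key = name.lower()
        if not name or key in READ_ONLY_ROLES or key in seen:
            continue
        seen.add(key)
        excess.append(name)
    return excess


def review_accounts(export_json):
    """Parse an export of {"account": ..., "roles": [...]} records.

    Returns {account: {"excess": [...], "read_only": bool}} so the check can
    be run programmatically as part of commissioning the audit.
    """
    records = json.loads(export_json)
    report = {}
    for rec in records:
        excess = excess_roles(rec.get("roles", []))
        report[rec["account"]] = {"excess": excess, "read_only": not excess}
    return report


# Constructed sample export with hypothetical accounts. A real export would
# come from the Entra admin centre or a Microsoft Graph directory-role query.
SAMPLE_EXPORT = json.dumps([
    {"account": "audit-firm-a@example.com",
     "roles": ["Global Reader", "Security Reader"]},
    {"account": "audit-firm-b@example.com",
     "roles": ["Global Reader", "Exchange Administrator",
               "Global Administrator", "Exchange Administrator"]},
])


if __name__ == "__main__":
    for account, result in review_accounts(SAMPLE_EXPORT).items():
        if result["read_only"]:
            print(f"{account}: read-only roles only, access matches an audit")
        else:
            print(f"{account}: more access than an audit needs: "
                  f"{', '.join(result['excess'])}")
```

Run it against your own export before the audit starts; any account that comes back with a non-empty excess list is one where the supplier is asking for more than the audit role described above, which is exactly the case the checklist tells you to question.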

3. Create an Improvement Plan

Look at the recommendations of the report and understand what they mean and what change they require. Then adopt any of them that fit with your company ethos and risk appetite.

4. Regularly review

Use the inbuilt features of MS365 to monitor how many of the report's recommendations have been implemented and how far through the improvement plan you have come.

5. Re-Review

Once you have implemented some of the improvement plan, and you feel progress has been made, commission another audit. Regular auditing not only keeps you abreast of new security risks but is also a good way of showing improvement and can be used as part of any security accreditation such as ISO 27001:2022.

Improving your security stance is not a one-off operation; it is an ongoing requirement for your business. The IT risks that your organisation faces are not static, and new threats appear every day. One of the most effective ways to combat this is to understand what risks you are running, check that those risks are being mitigated and regularly check to make sure new ones have not appeared.

Only then, by taking a proactive and ongoing approach, can you put your firm on the best possible footing to withstand the cyber-security threat landscape.

Baskerville Drummond offer a comprehensive MS365 audit service that provides high-level reviews of your security posture and basic recommendations about the configuration of your MS365 deployment. This can then form the basis of your improvement plan, giving you confidence that your MS365 security posture is where it should be.

Baskerville Drummond are also able to recommend auditors and assist with implementing their recommendations.

Written by Grahame Weir
