Office 365 Security Best Practices For 2020

When using Office 365, or any other computer program, good security is essential. Hackers and other mischievous types have been around for a long time, but they have become a much bigger problem in recent years. All the data seems to show a steady increase in this type of crime, and that’s why it’s so important to use good security practices at home and work.

Office 365 is an incredibly useful tool, and many businesses are taking advantage of its benefits. Unfortunately, there have already been several instances in which the security of this program has been compromised. With that in mind, let’s present a quick list of tips that will help you to be more secure when using Office 365.

Security Mostly Comes Down To The User

A computer can be very secure or wide open. It all depends on the user and their level of knowledge. Diligence is also key for good security because good security largely comes down to the human element.

Most of the time, hackers will refrain from directly attacking the system infrastructure. Not only is this very difficult, but it also exposes the hacker to the risk of being identified. Instead, they usually try to manipulate the human element.

The most common type of cyberattack is the phishing attack. When you click on a link, you need to make sure that you know where it’s going. Hackers can use booby-trapped links to steal your information or worse. In some cases, they will forcibly encrypt your entire hard drive (or at least your important email accounts), so that you have to pay a ransom in order to regain access. In some cases, the hackers simply take the money and run, leaving their victims without the crucial data that was stolen.

Usually, a hacker will attempt to trick their victims into clicking a link that takes them to a fake page. This page will be made to look like something legitimate, such as an update notification from Windows or something like that. Instead, it’s a dummy page that allows your data to be stolen.

Make Sure To Use Strong Passwords

Did you know that most passwords can be cracked in minutes with a simple program? These attacks, known as “brute-force” attacks, use a program that gradually cracks a password by learning from many failed attempts. The program is able to learn a little bit from each failed attempt, allowing it to obtain the password eventually. This happens because most people do not use strong enough passwords.

The above might sound a little scary, but there is good news. These password-cracking programs are very limited. If the password is too long or complex, it won’t be decoded. Theoretically, a hacker could crack any password if they were connected long enough, but ultra-complex passwords would require days or even weeks to crack.

Your passwords should always contain at least 17 characters (20 is better), and they must always include both uppercase and lowercase letters. Any good password should also contain numbers and maybe even a few random symbols. If you run a company, these are good rules to enforce.

On a more basic level, you need to make sure that your passwords are as strange and random as possible. If you pick a combination of common words like “Ilikemustard,” your password can be cracked within minutes. If you use a birthdate or an anniversary date, that is equally easy. With only 365 days in the year, the program has far fewer options that have to be eliminated. It’s best to make up new words that don’t exist in any language. As the Navajo code talkers in WW2 learned, the only code that cannot be broken is one that isn’t a code at all.

Make Good Use Of Encryption

Some people see encryption as a shady thing, being the province of hackers. However, it’s actually one of the best ways to protect yourself from cybercriminals. Encryption works by jumbling up the data in a basic format. Once scrambled in this way, the data cannot be read until it is decrypted with a password. Because the password is also the decryption key, it is theoretically impossible to break encryptions without the password.

Because of this, most hackers don’t bother trying to decrypt their target systems. Instead, they will try to obtain the password through some shady means or another. Their most frequent tools are emails that direct you to change a password. Just remember that no one should ever demand you change your password.

The use of encryption adds an extra step to many processes, but that is the price of tight security. The good news is that Office 365 has a built-in option to encrypt any emails or messages that are sent from within the program. This is a good way to go, but we fear the encryption isn’t strong enough.

If you really want to get serious, you should consider the use of PGP or GPG (two forms of the same basic encryption type). To give you a general idea of how it works, it uses two keys instead of one. Like a safe with two locks, this kind of encryption has proven to be the most effective. As far as we know, it has never been broken, not even by governments.

Use Multi-Factor Identification Tools

When someone is logging into your system, and especially when they create an account for the first time, caution is important. There are multiple ways to identify someone, but all of them can be faked. Faking more than one identifier would be much more difficult, but still possible.

One example of a multi-factor identification system is one that uses a CAPTCHA to verify human interaction before using phone verification. In this way, you can at least verify who is using a given phone number and verify that bots are not being used against you.

Do Frequent And Comprehensive Data Backups

It’s a problem as old as the computer itself. Non-physical data storage can sometimes disappear without warning or explanation. There are quite a few glitches and attacks that can result in data loss. For instance, some Windows 8 users reported problems with their computer changing the formats to .raw on various important files. No one seems to know the exact source of this bug, but it has happened to quite a few people.

Ransomware is another cause of data loss, and it’s become more of a problem in recent years. A ransomware attack infects your computer with malware, which is then used to encrypt the contents of the email account or hard drive. This effectively locks you out of your data. Before individuals and companies can regain access, the attackers will demand ransom payments like any other kidnapper. Of course, kidnapping data isn’t as bad as kidnapping people, but they are using the same approach and the same tactics.

If you get hacked in this way, you’re in some pretty big trouble. The only way to defeat ransomware with any reliability is to deal with the problem before it happens. Frequent data backups allow you to ignore the demands of online thugs and continue with business as usual. Just be aware that they might try again! Even if you are never targeted for a ransomware attack, you can sleep better, knowing that you are prepared for a computer crash.

Use The Rights Management Settings

Microsoft Office 365 has several built-in options that allow for the control of individual files and documents. Documents can be configured to “read-only” for those who cannot necessarily be trusted. The alteration of important documents can be a disaster for any company, and that’s why you should not allow just anyone to edit your documents.

In most cases, Office 365 is used in a business setting, where many people are using the same software on the same network. In such a setting, data control becomes far more important. It only takes one bad actor to alter or delete your records and cause you no end of problems. If you see someone doing something suspicious with one of the files, you can revoke their access immediately. You can also use Office 365’s options to control sharing rights.

Restrict OneDrive Synchronization

A lot of people use OneDrive in conjunction with Microsoft Office products, but you don’t necessarily want everyone to do that in a business setting. When two computers synchronize, they are sharing (more or less) all of their data. Obviously, this presents a security risk that is not acceptable.

Thankfully, Office 365 gives an administrator certain options in this department. You can control which devices are allowed to sync and which ones aren’t. Only those who are known to be trustworthy should be allowed to do a full sync with the company system. However, there is also an option to limit syncing to those who are directly joined to your domain. This is a good way to go because it gives you good security without too much of a compromise on usability.
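
One way to apply the domain-joined restriction described above from PowerShell, as an added example that is not part of the original article. It assumes the SharePoint Online Management Shell and the ActiveDirectory (RSAT) module are installed; the admin URL is a placeholder for your own tenant.

```powershell
# Added example: allow OneDrive sync only from PCs joined to your own AD domains.
# Assumes the SharePoint Online Management Shell and the ActiveDirectory (RSAT)
# module; the admin URL below is a placeholder for your tenant.
Import-Module Microsoft.Online.SharePoint.PowerShell
Import-Module ActiveDirectory
$adminUrl = 'https://contoso-admin.sharepoint.com'   # placeholder
Connect-SPOService -Url $adminUrl

# Collect the GUID of every domain in the on-premises forest.
$domainGuids = (Get-ADForest).Domains | ForEach-Object {
    (Get-ADDomain -Identity $_).ObjectGUID.ToString()
}
if (-not $domainGuids) {
    # An empty allow list would be a misconfiguration, so stop here.
    throw 'No domain GUIDs found; refusing to change sync settings.'
}

# Restrict sync to those domains. The cmdlet takes a semicolon-separated list.
Set-SPOTenantSyncClientRestriction -Enable -DomainGuids ($domainGuids -join '; ')

# Read the setting back to confirm what is now enforced.
Get-SPOTenantSyncClientRestriction
```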

Use The Audit Functions

Although they are not enabled by default, Office 365 allows you to create detailed logs that will be updated automatically. This creates a much greater degree of accountability for those within the system. All significant actions are logged in a central location where they can be checked at any time.

Office 365 offers two different kinds of audit logging. One of them is called a unified audit log, while the other one is a mailbox audit logger. You should enable both of these, as they will provide you with an important investigative tool in the event of a problem.
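
One way to check and turn on both kinds of audit logging from Exchange Online PowerShell, as an added example that is not part of the original article. It assumes the ExchangeOnlineManagement module is installed and that the account may change audit settings; the admin address is a placeholder.

```powershell
# Added example: check and enable both kinds of Office 365 audit logging.
# Assumes the ExchangeOnlineManagement module; admin@example.com is a placeholder.
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline -UserPrincipalName 'admin@example.com'

# 1. Unified audit log: tenant-wide record of user and admin activity.
if (-not (Get-AdminAuditLogConfig).UnifiedAuditLogIngestionEnabled) {
    Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $true
    Write-Host 'Unified audit log was off; ingestion is now enabled.'
}

# 2. Mailbox audit logging: the organization-wide switch first.
if ((Get-OrganizationConfig).AuditDisabled) {
    Set-OrganizationConfig -AuditDisabled $false
    Write-Host 'Organization-wide mailbox auditing was disabled; now enabled.'
}

# 3. Then each mailbox that still has auditing turned off.
$unaudited = Get-Mailbox -ResultSize Unlimited |
    Where-Object { -not $_.AuditEnabled }
foreach ($mailbox in $unaudited) {
    Set-Mailbox -Identity $mailbox.UserPrincipalName -AuditEnabled $true
    Write-Host "Enabled mailbox auditing for $($mailbox.UserPrincipalName)"
}

# 4. Accounts exempted from mailbox auditing are a blind spot; list them.
Get-MailboxAuditBypassAssociation -ResultSize Unlimited |
    Where-Object { $_.AuditBypassEnabled } |
    Select-Object Name, AuditBypassEnabled

# 5. Confirm that records are arriving (this can take a while after enabling).
Search-UnifiedAuditLog -StartDate (Get-Date).AddDays(-1) -EndDate (Get-Date) -ResultSize 5 |
    Select-Object CreationDate, UserIds, Operations

Disconnect-ExchangeOnline -Confirm:$false
```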

Use A Proprietary Login Page

We have already covered the danger of phishing attacks, which use dummy pages to trick people into entering their credentials. Because these are the most common types of hacking attacks, you should try to make your login page as distinctive as possible. That way, it will be harder to spoof.

Office 365 gives you the option of branding the login page with your company’s logo. If possible, we would recommend that you use a complex design with many elements. Even if your company’s logo is a simple symbol, you should be able to elaborate upon that symbol and add distinctive background features. Once again, the purpose is to make it easier for your employees to recognize a phishing page by making the real login page as distinctive as possible.

Use The Security Score To Audit Yourself

Like any other computer program, the security of Office 365 depends largely on how you set up the options. By adjusting the settings in favor of security, you can do a lot of good with a little work. However, you may not know how to tune your computer correctly for maximum security. Thankfully, Office 365 has included a tool for this purpose. It’s an automated audit program that looks at your security options and gives you a score. This can help you to identify gaps and deal with them more quickly. Bear in mind that this security score isn’t a perfect measurement because it only accounts for the settings of Office 365 itself.


While internet security can be a large and daunting subject, we hope that these simple rules and practices will give you a good start on understanding this crucial subject. If there is one point that we would like to reiterate, it is the importance of the human element. Any system, no matter how secure, is only as good as the people in control. If the people in control give no thought to security, then security will definitely suffer as a result. We hope that you will not be one of these foolish people and that you will heed our advice on this matter.