Data Loss Prevention
It is natural to assume that storing data in the cloud is less secure than keeping it onsite on a device such as an in-house server. The reality is that your documents are actually less secure in-house because they are not being managed.
Office 365 offers a lot of tools directed at data loss prevention. Some of these are turned on by default now and some require tweaking that can probably best be done with the help of your in-house staff, such as your Human Resources Director. The challenge is making everyone who needs to know aware of these features. The most obvious security measures to have turned on by default are, of course, auditing, multi-factor authentication and Intune Mobile Device Management (MDM).
Auditing is pretty straightforward. Any data synced to OneDrive for Business or SharePoint becomes instantly trackable by Office 365. The security benefit of this is that you can pore through audit reports and know every detail of who accessed which documents, from what IP address, on what date and time. File deletions, file creations and file modifications are logged, as are changes made to a user account such as role changes, delegations, etc. All activity is logged in the audit system in the cloud where no one can touch it, which is one reason we like storing things in the cloud, besides the fact that there is redundancy in storage.
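To show what "pouring through audit reports" looks like in practice, here is an added example (not code from the original post or from Microsoft) that parses audit records exported from the Office 365 audit log and runs two simple checks a defender would want: a burst of FileDeleted operations by one user inside a short window, and activity from an IP address that user has not been seen on before. The field names follow the Office 365 audit record schema (CreationTime, Operation, UserId, ClientIP, ObjectId, Workload); the records and the per-user IP baseline are constructed for this example, and the thresholds are assumptions you would tune to your own tenant.

```python
"""Triage records exported from the Office 365 audit log (added example)."""
import json
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample export: one JSON audit record per line, shaped like the
# AuditData column of an audit search export. Not real tenant data.
SAMPLE_AUDIT_EXPORT = """
{"CreationTime":"2024-03-04T08:02:11","Operation":"FileAccessed","UserId":"alice@example.com","ClientIP":"203.0.113.10","ObjectId":"https://example.sharepoint.com/sites/HR/Shared Documents/payroll.xlsx","Workload":"SharePoint"}
{"CreationTime":"2024-03-04T08:05:40","Operation":"FileModified","UserId":"alice@example.com","ClientIP":"203.0.113.10","ObjectId":"https://example.sharepoint.com/sites/HR/Shared Documents/payroll.xlsx","Workload":"SharePoint"}
{"CreationTime":"2024-03-04T09:00:05","Operation":"FileDeleted","UserId":"bob@example.com","ClientIP":"198.51.100.7","ObjectId":"https://example.sharepoint.com/sites/Finance/Shared Documents/q1-report.docx","Workload":"SharePoint"}
{"CreationTime":"2024-03-04T09:00:31","Operation":"FileDeleted","UserId":"bob@example.com","ClientIP":"198.51.100.7","ObjectId":"https://example.sharepoint.com/sites/Finance/Shared Documents/q2-report.docx","Workload":"SharePoint"}
{"CreationTime":"2024-03-04T09:01:02","Operation":"FileDeleted","UserId":"bob@example.com","ClientIP":"198.51.100.7","ObjectId":"https://example.sharepoint.com/sites/Finance/Shared Documents/q3-report.docx","Workload":"SharePoint"}
{"CreationTime":"2024-03-04T09:01:47","Operation":"FileDeleted","UserId":"bob@example.com","ClientIP":"198.51.100.7","ObjectId":"https://example.sharepoint.com/sites/Finance/Shared Documents/q4-report.docx","Workload":"SharePoint"}
{"CreationTime":"2024-03-04T09:02:15","Operation":"FileDeleted","UserId":"bob@example.com","ClientIP":"198.51.100.7","ObjectId":"https://example.sharepoint.com/sites/Finance/Shared Documents/budget.xlsx","Workload":"SharePoint"}
{"CreationTime":"2024-03-04T09:03:58","Operation":"FileDeleted","UserId":"bob@example.com","ClientIP":"198.51.100.7","ObjectId":"https://example.sharepoint.com/sites/Finance/Shared Documents/forecast.xlsx","Workload":"SharePoint"}
{"CreationTime":"2024-03-04T10:15:00","Operation":"FileAccessed","UserId":"carol@example.com","ClientIP":"192.0.2.55","ObjectId":"https://example.sharepoint.com/sites/HR/Shared Documents/offer-letter.docx","Workload":"SharePoint"}
{"CreationTime":"2024-03-04T10:16:22","Operation":"FileAccessed","UserId":"carol@example.com","ClientIP":"203.0.113.10","ObjectId":"https://example.sharepoint.com/sites/HR/Shared Documents/handbook.pdf","Workload":"SharePoint"}
{"CreationTime":"2024-03-04T14:30:00","Operation":"FileDeleted","UserId":"bob@example.com","ClientIP":"198.51.100.7","ObjectId":"https://example.sharepoint.com/sites/Finance/Shared Documents/scratch.txt","Workload":"SharePoint"}
"""

# Constructed baseline of the IP addresses each user is normally seen from.
KNOWN_IPS = {
    "alice@example.com": {"203.0.113.10"},
    "bob@example.com": {"198.51.100.7"},
    "carol@example.com": {"203.0.113.10"},
}


def parse_export(text):
    """Parse one JSON audit record per line; attach a parsed timestamp as _time."""
    records = []
    for line in text.strip().splitlines():
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)
        rec["_time"] = datetime.fromisoformat(rec["CreationTime"])
        records.append(rec)
    return records


def activity_by_user(records):
    """Count operations per user: the 'who did what' view of the audit trail."""
    summary = defaultdict(Counter)
    for rec in records:
        summary[rec["UserId"]][rec["Operation"]] += 1
    return summary


def deletion_bursts(records, window_minutes=10, threshold=5):
    """Flag users with >= threshold FileDeleted records inside any sliding window.

    Returns {user: largest count seen in one window}. A burst like this is the
    audit-log signature of a bulk delete, whether by mistake or by a hijacked
    account, and is what you want to notice while the files are still recoverable.
    """
    per_user = defaultdict(list)
    for rec in records:
        if rec["Operation"] == "FileDeleted":
            per_user[rec["UserId"]].append(rec["_time"])
    window = timedelta(minutes=window_minutes)
    flagged = {}
    for user, times in per_user.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            count = end - start + 1
            if count >= threshold:
                flagged[user] = max(flagged.get(user, 0), count)
    return flagged


def activity_from_unknown_ips(records, known_ips):
    """Return records whose ClientIP is not in that user's known-IP baseline."""
    return [r for r in records if r["ClientIP"] not in known_ips.get(r["UserId"], set())]


RECORDS = parse_export(SAMPLE_AUDIT_EXPORT)

if __name__ == "__main__":
    for user, ops in activity_by_user(RECORDS).items():
        print(user, dict(ops))
    print("deletion bursts:", deletion_bursts(RECORDS))
    for r in activity_from_unknown_ips(RECORDS, KNOWN_IPS):
        print("unknown IP:", r["UserId"], r["ClientIP"], r["CreationTime"], r["ObjectId"])
```

On the sample data this reports bob with six deletions inside one ten-minute window (his seventh, hours later, does not join the burst) and carol's access to an HR document from an address outside her baseline; the per-user summary is the plain "who did what" report the paragraph describes.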
Multi-factor authentication is something you should have enabled for any account that can be logged into from anywhere on the planet. The whole username/password scenario is totally worthless now with botnets, AIs and darknet databases of commonly used passwords. If you have a Facebook account, Gmail account, Amazon account or any other type of account and you don’t have multi-factor authentication turned on, you are a security risk to yourself and to others. Google how to activate multi-factor authentication on all of your accounts now. Needless to say, we don’t like leaving any Office 365 tenant’s MFA turned off. It will require your end users to receive text messages on their phones in order to get logged into their accounts when signing in from anywhere new, on a new device/app, or even on a known device or app whenever certain conditions are met. It is slightly inconvenient but a necessity these days if you want to be 99% less likely to get hacked.
We typically set up clients on Office 365, but Microsoft is pushing a slightly more expensive service called Microsoft 365. Some of its features overlap with what we provide through our monthly support, but only to a degree; our endpoint security is far superior to the Microsoft solution. With that said, there are some Intune services available to Office 365 Business Premium clients. In particular, there is a policy we can enable so that once your end users sign into their Office 365 account using their mobile device, it won’t allow them access to any data until they agree to some terms and install an additional app on their phone. The app will immediately ask for full admin rights to their mobile device and will have the ability to remote wipe either the entire device or just company-related data. It will also force them to enable a password on their device so random people can’t access the information on it by simply picking up the phone and swiping. The only flaw we have found with Intune MDM is that you cannot GPS track a mobile device. Not to worry though: our own Endpoint Management software can easily do that and far more once deployed onto a mobile device.
If you store highly sensitive information, you probably want that information to be encrypted. All data is encrypted in the cloud; however, it isn’t encrypted by default when synced to a device via OneDrive. There are policies that can be configured to encrypt synced data on a device so that, if say a laptop is stolen, the data synced to that laptop’s storage is not accessible or readable without authenticating to Office 365 properly. There are also data retention labels that can be assigned to document libraries that will prevent people from making modifications, deletions, etc. of highly sensitive data such as HR records. Such labels can also be configured to specify the retention period for specific data (7 years, forever, etc.) and even to specify which legal oversight organization or policy (HIPAA, OSHA, etc.) governs the retention of and access to that data.
You can even scan organization-wide email for keywords, etc. and have supervisors receive communications from your end users for review. You can set up a document library to alert specific staff members via email/text whenever any changes are made in those particular libraries.
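The keyword scan with supervisor review described above, as an added example that is not code from the original post or from Office 365's own DLP engine: the message format, the keyword list, the patterns and the sample messages are all constructed here. It shows two things a practitioner wants from such a scan beyond a plain keyword match: a checksum test so that a random 16-digit number (a parcel tracking number) is not reported as a payment card, and masking so that the alert sent to the supervisor does not itself leak the sensitive value it is reporting.

```python
"""Keyword and pattern scan for supervisory review of mail (added example)."""
import re

# Constructed watch list; a real policy would be tuned to the organization.
KEYWORDS = ("confidential", "wire transfer", "salary")


def luhn_ok(number):
    """Luhn checksum over the digits of number; separators are ignored."""
    digits = [int(c) for c in number if c.isdigit()]
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


# Pattern name -> (regex, optional validator). The card regex requires 13-16
# digits with optional single space/dash separators and must end on a digit,
# so the match never drags in trailing whitespace.
PATTERNS = {
    "US SSN": (re.compile(r"\b\d{3}-\d{2}-\d{4}\b"), None),
    "Credit card": (re.compile(r"\b\d(?:[ -]?\d){12,15}\b"), luhn_ok),
}


def mask(value, keep=4):
    """Replace all but the last `keep` digits with '*', preserving separators."""
    n_digits = sum(c.isdigit() for c in value)
    out, seen = [], 0
    for c in value:
        if c.isdigit():
            seen += 1
            out.append(c if seen > n_digits - keep else "*")
        else:
            out.append(c)
    return "".join(out)


def scan_message(msg):
    """Return findings for one message as [{"type": ..., "value": ...}, ...].

    Keyword hits report the keyword; pattern hits report a masked value only,
    so the review alert does not become a second copy of the sensitive data.
    """
    text = f"{msg['subject']}\n{msg['body']}"
    lowered = text.lower()
    findings = [{"type": "keyword", "value": k} for k in KEYWORDS if k in lowered]
    for name, (regex, validate) in PATTERNS.items():
        for match in regex.findall(text):
            if validate is None or validate(match):
                findings.append({"type": name, "value": mask(match)})
    return findings


def route_for_review(messages):
    """Return one alert per message that has findings, ready for a supervisor."""
    alerts = []
    for msg in messages:
        findings = scan_message(msg)
        if findings:
            alerts.append({"from": msg["from"], "to": msg["to"],
                           "subject": msg["subject"], "findings": findings})
    return alerts


# Constructed sample messages; no real people or real numbers.
SAMPLE_MESSAGES = [
    {"from": "dave@example.com", "to": "vendor@example.net", "subject": "Payment",
     "body": "Please process the wire transfer for the vendor today; charge it to card 4111 1111 1111 1111 and confirm."},
    {"from": "erin@example.com", "to": "team@example.com", "subject": "Lunch",
     "body": "Team lunch Friday at noon, reply with a headcount."},
    {"from": "frank@example.com", "to": "hr@example.com", "subject": "Onboarding",
     "body": "Here is my SSN 123-45-6789 for the onboarding form."},
    {"from": "gina@example.com", "to": "it@example.com", "subject": "Shipment",
     "body": "Tracking number 1234 5678 9012 3456 for the laptop shipment."},
]

if __name__ == "__main__":
    for alert in route_for_review(SAMPLE_MESSAGES):
        print(f"REVIEW {alert['from']} -> {alert['to']} [{alert['subject']}]")
        for f in alert["findings"]:
            print(f"  {f['type']}: {f['value']}")
```

Run as-is, it routes only dave's and frank's messages for review: dave's for the "wire transfer" keyword and a card number that passes the Luhn check, frank's for an SSN-shaped value, both reported with only the last four digits visible. gina's tracking number has the right length and spacing for a card but fails the checksum, so it is not reported, which is the kind of false positive that otherwise drowns a supervisor's review queue.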
Office 365 offers a plethora of features for data loss prevention and monitoring of important data. This is why we say your data is less secure sitting on a server or NAS device somewhere than it is being managed by Office 365.