As an Office 365 administrative partner for almost all of our clients, we have extraordinary access to your systems – and a huge responsibility. You depend on our honesty and competency to keep your systems running and protect you from breaches. Some of our colleagues are not as good about this. Microsoft finally provided some tools to strengthen security.

We’re shocked it took Microsoft so long to do this, but they finally are requiring outside administrators, such as Sterling Rose, to keep two-factor authentication turned on at all times. We instituted this control years ago on all of our administrative accounts.

What brought the issue to a head? When Microsoft Office 365 went mainstream by making the subscription service available to individual users, families and small home-office businesses, it created a lot more accounts for us to service for our clients. It also created a password nightmare.

As administrators, we can go into accounts to see what’s needed to make sure you and anyone included in your subscription can do what’s needed. In most cases, we go in when called on to solve a problem. We are scrupulous about signing out properly, effectively shutting the door to your account on our end, and we have been scrupulous about two-factor authentication to protect access from our end.

In our opinion, the two-factor authentication covers the laziness or carelessness of some IT providers – and it also protects Microsoft from being responsible for any losses of data not connected to a Microsoft meltdown.

That puts the data-protection ball back in our court. We want to make sure you have your side of the court covered, and here are some things you can do. The big thing, of course is to have all of your files backed up. Microsoft OneDrive does this, but we don’t recommend it to be your only storage location. Azure, another Microsoft product, has backup and restoration capabilities, and there are other providers.

On our side of the court, we have two-factor authentication and other tools that fall under the label of cyber resiliency. Through the Information Technology Laboratory of the US Department of Commerce, a three-level approach to cybersecurity is being developed and refined. The first level, of course, is to resist penetration by cybercriminals. It’s an approach that’s been around, but we’ve learned that no defense can be entirely impervious.

Thus, we have two additional layers. One layer seeks to limit lateral movement within a system once it’s been penetrated. The strategies include barriers to gaining permissions to move laterally within a system, a technique that hackers use to get to other systems. Defenses can include time limits to lock out an intruder or limit the amount of data that can be exported from a system under attack. Another defense is to provide misinformation. Another layer of security will allow a system to operate while under attack so that business won’t be disrupted.

This gets us back to why it’s so important that Microsoft hardened its defenses for Office 365. It provides one more defense against penetration. At the same time, it provides another reason for your IT providers to have access to your system.

We have access to some of the tools needed to limit lateral movement within a system, many of them customized to your needs. Call us – 973-433-6676 – or email us to set up an appointment to discuss your needs and implement a plan.