Security Tips for Remote Workforces (Video)
This recorded webinar discusses security and compliance concerns to keep in mind with team members working remotely.
In this session we look at the risks associated with working from home related to hardware being used, what antivirus is installed, and dealing with sensitive company files. We also look at how to address security issues with Microsoft 365.
Contact us if you have any questions about security for team members working remotely.
Melissa: Hi there, everyone. Welcome to the webinar. This is Melissa Greenhill. I’m a marketing specialist here at Encore. And today, we’ve got Pierre Manaigre who is our cloud architect here at Encore. So he will be talking about security tips for remote workforces, so pretty hot topic right now. Hi there, Pierre.
Pierre: Melissa, thank you for that introduction. Hello, everyone. So thank you for joining the webinar today, and hopefully, we’re gonna cover off some topics of interest for you as we all work to navigate this new office situation together. So I know for a lot of companies remote workforces is a very new topic, and Encore has had the ability for remote work for quite some time now since at least 2010. A good portion of our workforce has been…what we’ve adopted is sort of the technology nomad foundation. So basically, a number of times we’ll end up with talented people, and they could be anywhere in the world. So we have had quite a bit in this area that we’ve gained experience with, and hopefully, we’ll be able to impart some of that to you today.
So, for our agenda, we’re gonna talk about the different risks of remote workers and what do they pose to you as a company, and what considerations that you might have in terms of identifying your project as well as success factors and so on. And then looking at providing some information on securing users’ home networks and their environments with some recommendations. And finally going through some cloud security enablement. The beautiful thing about the cloud is that it gives you the ability to not have to worry about procuring all of this expensive foundation in order for you to enable remote work where, you know, 10 years ago, this would have all been mostly located on-premises. So you can really scale up your environment a lot more quickly.
And as your Microsoft partner, it’s in our best interest as well to ensure that you do this securely. So we’re definitely concerned that as people are ramping up because of COVID, that they’re potentially leaving some security loopholes, if you will, in their deployments. And we just wanna make sure that you have the most information that you can get in order to do it securely. And just covering, there’s a number of free SKUs or products from Microsoft that will allow you to increase your security, and we’re just gonna cover those as well as what are the paid features to enable that remote work.
And so the risks for remote workers, and I’m sure you’ve potentially got some ideas already in mind as to what are the risks. And if you think about your office, you have, you know, alarm codes and key locks and so on that really allows you to ensure that physical security. And so at the home office, there’s a lot less visibility that you have obviously in terms of what each user’s home work situation is. So you don’t have the ability to secure that location, and you can’t control that whole network as well where you would have IT professionals that have your network secured in such a way that people have a harder time penetrating that network.
There’s also, understandably, a lack of training on best practices on information security. Because the users, that’s really not their need to understand in their day-to-day work. And they may be unclear about the shared responsibilities on working securely in this new remote situation. And you wanna also identify certain things like are they using a corporate computer or phone, or are they potentially using their home phone and maybe even a home computer if they don’t have a work computer provided to them. And what is the status on those computers and mobile devices?
Are they updated with the latest patches of antivirus and so on? Do you have compliance requirements that you need to be aware of? What kind of data do they have at their house? Are you working with credit card numbers, you know, customer names, Social Security Number, Social Insurance Numbers, medical records, that sort of thing? And also intellectual property concerns, because you have customer lists as well as your basic products that you sell within your business. There’s potential confidential information there that you wanna make sure you secure for the remote work as well.
And in terms of considerations, there’s some questions that I want you to maybe ask yourselves so that you can form a foundation in terms of what we’re going to go through today and hopefully come up with a plan for you in terms of the following actions that you’ll need to take. So where are you today in your remote strategy in your remote workforces? So there’s been a tremendous demand put on businesses that if they wanna continue functioning, a lot of them will have to do so. That possibly for the next foreseeable future, maybe workforces might even be reduced up to 50%.
It might mean going to sort of an AB type of team scenario where team A goes in one week, and team B goes in the next week, and then people just round-robin in terms of remote working the rest of the time. So there’s a number of different scenarios that you might have to consider where this remote work necessity might be going on for some time still. And potentially, if there’s additional waves of this pandemic, then it might…certain restrictions may be rolled back, and you might find yourself in this situation again. And you wanna be in a better posture in order to be more responsive and agile in terms of having those employees working remotely.
So, where do you wanna go is obviously what you wanna think about in the next couple of weeks or months, what you envision this plan looking like and how you’re going to respond to it in the future, and then thinking about how you will get there. So it’s about identifying certain key takeaways from here and just deciding on what options best suit your business in terms of achieving this remote work and making people productive in their environments. And what does success mean to you? It’s what you would wanna think about. How you’re going to measure that success. If your plan is, say, 50% complete in the next month, month and a half. Do you feel that will put you in a good enough position for the uncertainty that may occur in the upcoming winter months if there’s a resurgence of the restrictions? And finally, should you define a remote work policy?
If you’re unfamiliar with this, an acceptable use policy is something that we’ve developed at Encore and a number of other businesses as well. When you have new employees, you provide them with this acceptable use policy for using company equipment as well as the resources such as the network and so on, indicating certain things like limited expectation of privacy because they are doing work on a piece of company hardware.
There is potentially some monitoring tools on there. Not specifically tracking keyboard strokes or anything like that, but there are systems put in place to monitor if a hard drive is filling up or if a computer is being attacked by a hacker and things like that. Then it’s all about providing clarity around what users can expect when they’re working with your piece of equipment. So, for recommendations, yes, you absolutely need a formal remote work policy. And think of this document as giving you the ability to provide user guidance on hardening security. So, network security is something that honestly a lot of us, unless we’re involved in information technology, probably don’t think about too much for our home network.
So, when you get your internet installed by your provider, they might give you the internet modem that you use to connect, and you don’t even think about it. The company manages that and that you’re off to the races. So, you know, has that router been replaced over five years ago? So, there’s a number of security vulnerabilities that get detected every month really. So there will be some additional updates to patch some of these holes. And routers and internet modems have a very finite support time frame.
So basically, if the router is over 5 years old, you’re not going to most likely get a security update for that product. So, generally, we recommend replacing routers that are over 5 years old, but at the same time understanding that your users didn’t ask to have to work from home. And asking them to invest in a new router could be a very difficult conversation to have without providing some additional guidance to them just to mention while you do banking on your home network and, you know, these things are also designed to protect you for your own personal information, not just that of the office.
And if the router is less than 5 years old, well, when was the last time they maybe updated the firmware? So some of the new routers, they will set themselves to update automatically. A lot of times, these are opt-in, like you’d have to specifically pick that you wanna have it update on a schedule. So if those firmwares weren’t updated, then, yes, even though their router may be newer, they may still be vulnerable to some of the latest security threats that have emerged.
So these are all things that you would wanna identify in part of your remote work policy, things like Wi-Fi security. So, it must be set to a minimum of WPA2, not WEP or WPA. However, these would have to be really, really old routers for these two older protocols to still be in play, but it is something that I wanna mention because, again, you still wanna provide as much clarity as you can. And Wi-Fi networks should never be open, i.e., no password required. Even if it’s a user’s guest network, you want to highlight to them the risks of doing that.
Basically, anybody who’s near enough to capture the signal would be able to sign on to their internet and do anything they wanted. And so it just puts them at a legal liability for any potential illegal content that may be happening on their network. So, passwords even on guest networks are always highly recommended. And for an anti-virus, so if you’re running Windows 10, Microsoft Defender is included. So, even if there isn’t a third-party antivirus product, if a home user is using Windows 10, that’s generally a very good sign as well as getting the latest security patches.
If using third-party…sorry, if using another operating system, then definitely a third-party antivirus for other operating systems is highly recommended. And also if you haven’t been aware, Windows 7 is no longer a supported operating system. So you may want to even put a policy in place that a user should not be connecting to your work network with a Windows 7 computer because it’s just not safe. And then always ensure…and again, this is something you wanna define in your policy, but always ensure that you install the latest Windows security updates and keep your antivirus up-to-date as soon as those signatures are available.
Other things that you would want to include within the remote work policy is a line chapter on protecting customer data and just mentioning to them the different privacy concerns around customer data and what they need to be aware of. So, for example, credit card numbers should never be emailed. I’ve seen some people email those with the expiry date and the three-digit security code on the back and not even encrypting the email. So certainly, that’s a behavior that you wanna not encourage at all. And if the credit card information is written down that it should be in a locked cabinet. It should never be left unattended, and it should be securely shredded. And then what other personal needs need to be defined in the policy?
So again, we circle back to what other personally identifiable information under PIPEDA or GDPR, etc., that you need to be aware of to make sure you delineate that in the policy so that everybody’s clear on what’s expected and how they should best proceed. And on the topic of protecting corporate data, so what devices have information? We talked about a lot of times users are using their own personal mobile phone to interact with their email. That’s good because you…and not every business can provide a mobile phone for each of its employees. And also what computer are they using? If they are using a home computer, then how are you ensuring that that device is meeting your set requirements for being up-to-date before working with files on your network or your cloud environment?
So, for all Windows versions, we highly recommend even on personal computers if they would like to protect their data further, not even just focused on corporate data, is activating Windows BitLocker. Windows BitLocker is a hard drive encryption that’s included, and it safeguards against data breach. So if ever somebody’s computer is taken, unless they know your password, they will never get access to that data. So then at least your information will be safe, and most likely the thieves will just end up formatting the computer and then using it or selling it or whatever they do with it. So BitLocker is definitely something you wanna take advantage of.
And then just identifying to them that they may wanna always lock their computers when they leave their desk. Even if you’re the only person working at home, it’s still a good practice for the simple reason that you never know if you walk away from your desk and then you receive a call, and you have to leave your house in a hurry, and that computer remains unlocked, and then on the off chance that there’s a theft in between that time and when you return. If your computer is unlocked and you have the hard drive encryption enabled, well, the hard drive encryption is not very useful at the moment because then they can just change your password, take the computer with them, and then they’d have access to all of your data. So just hitting Windows key L to lock your computer when you leave your desk is also a very good practice to get in the habit of doing.
And so cloud security enablement. So as mentioned, Microsoft has a number of different approaches in terms of securing your data in the cloud. For as long as I can remember with computers, passwords have been used, and really only…sorry, only hackers love passwords. They’re frustrating to use, they’re not secure, and they are potentially expensive as well. And I’ll cover each of these points. And if you think about the password policies that we’ve had where it’s you need a minimum number of characters, you probably have to have a one uppercase and lowercase letters, a number, and maybe a symbol in there. And you have to change it every 45 or 90 days or whatever it may be. That led to a very bad habit of people creating very simple passwords where they maybe cycle a number to change their password.
And, you know, one of the most used passwords in the world is, you know, password 123. So hackers have what are called dictionaries, and they’ll do what’s called a spray attack. They’ll basically just sit there and use this file to just guess all these most used passwords. And they have a very high success rate if you can imagine getting into these accounts. So, you wanna come up with a better way to secure those logins so that it doesn’t rely just on the password. And also from an IT perspective, if a user recently changed their password then went on vacation, or for some other reason, maybe forgot their password, then they’re engaging the helpdesk in order to do a password reset. So what you wanna do is have a solution that’s convenient but is also still secure and can potentially reduce costs.
And so that’s where Microsoft MFA or multi-factor authentication comes in. So what it is is like it will send a challenge-response to your device. So if you’re logging in from your computer, it will send in a notification to your app, or depending if you have one of the paid MFA products, then it could potentially even send like a text message or even call a landline and just verbally give you a code to enter in. If you’re familiar with say if you have a Google login or some other login, that you might have an additional attachment to, say, your mobile phone or your landline just providing a secondary method to contact you. That’s where this will be created is within your user registration that you’ll register this other phone number, other email address, that sort of thing.
So, it’s better than passwords alone. But there are some ease of use challenges. It’s just very minor. In terms of activating the policy, you wanna make sure that you put Windows Authenticator app on the mobile phones for the users and create a communication strategy along with instructions just to make sure everybody’s ready and comfortable with a new method of logging in. Although it could still be susceptible to what they call men-in-the-middle or phishing attacks. So if you think about times where you received an email message from even potentially somebody that you were expecting to receive a document from, and it says, “Oh, please click this button to retrieve your document.” And then you click it, and it says, “Oh, I need your credentials for you to retrieve this document.” So then by answering that, you’ve just given the attacker your email address and your password.
So, I always encourage people to operate from a zero-trust mindset. Even if you are dealing with somebody on a consistent basis, and you receive the document, but you’re thinking, “Mmm, something’s a little odd here. I’m a little suspicious. My spidey senses are tingling,” then I always recommend that you just pick up the phone and call that person and verbally ask them, “Hey, did you send this to me before I click it?” And the reason I recommend calling versus texting or emailing is just because you do not have any clear understanding of who you are talking to with the exception of actually hearing that person’s voice if you’re familiar with them and dealing with them. So, always best to just err on the side of caution and call just to make sure.
So, as I mentioned, there’s a number of products available that work to increase security. So the Microsoft Authenticator app you would install on Android or iOS. So that’s going to send either a code when a user signs in for multi-factor authentication just to verify their ID, or there will be an approve or deny button. So there’s a couple of ways that it works. If it’s one of your corporate devices, they have the option to…and I’ll just loop back to that. They have the option to check a box to say, “Don’t ask me for 60 days.” And then after 60 days, it will prompt them again. Now, if there is an activity that they’re doing that is different than what is normal, again, it will do a risk assessment and say, “Okay. I need you to authenticate again.” So, something as simple as picking like a private browsing session on that same computer will engage that authentication request.
And if you’re using a different computer as well from a different IP address even the same computer, it’s going to go ahead and ask you again. So it’s a very good protection, and it’s not terribly obtrusive either. So you have the option for push notification. And then for the paid SKUs, you could get SMS or voice. If people don’t have a mobile phone but they have a landline, for example, then you can have it…call them and give them the code. So Windows Hello is another mechanism for secure login over a password. And if you have a Microsoft Surface computer, it for sure supports it. Other hardware vendors are supported, not all computers, so Dell, Lenovo, HP, for example. Certain computer types will have the right cameras in place in order to do Windows Hello. So that’ll allow you to log in just with facial recognition.
And then there’s…for even more security, you can use security keys. Biometrics is another option as well, and we’ll talk about some policies that you can activate. So, for example, at Encore, we have…Outlook Mobile is our email client that we use on our mobile phones. And even if my phone is unlocked and I go to look at an email, I need to tap with my fingerprint in order to open the email application. So that way, even if my phone is unlocked, they still cannot get access to corporate data without providing that biometric response. And multi-factor authentication is definitely just that one tool alone can prevent up to 99.9% of identity attacks. So as long as your users are suspicious, hopefully not clicking approve on a random message that pops up on their phone but actually realizing, “Oh, I didn’t engage this login. I may want to deny that because I don’t wanna get compromised.”
And so, Azure MFA is available within your Office 365 by default. So it’s the free version, and we’re gonna quickly go through these slides. We won’t really be going in order. We’re gonna kind of jump around a little bit. So hopefully, it will make sense. As soon as you deploy a cloud environment within Microsoft, if you have your Office 365 login, which is usually going to be your email address and password, you have what’s called an Azure Active Directory account or Azure AD for short. So you could enable security defaults to enable multi-factor authentication. But what it is is an all-or-nothing item. So, you can’t be granular with the accounts and activation. You wanna really make sure that you have a solid communication strategy in place that you’ve got all your user documentation created and that you’re ready to make sure the users are prepared for your deployment to ensure the least amount of interruption within their productivity.
And same thing with Office 365 Business Premium. Now it’s been renamed Microsoft 365 Business Basic Enterprise 3 or E3 and E5. They all have the multi-factor authentication as well similar to the Azure Active Directory where you can only apply it to everyone, not just a subset of users. Now, as you get to these SKUs up here, these are all the paid SKUs. And what I always suggest to people…if you’re not familiar with this EMS acronym, it stands for Enterprise Mobility and Security. So it’s a Microsoft security bundle that you can use in Microsoft 365. And depending on the level of protection you want, that’s why they have the E3 or E5. And these Active Directories are included as part of this EMS bundle. Now, you could buy each of the products within the EMS bundle separately. But what I always advise users is that as soon as you want a second product within that EMS bundle, it’s cheaper for you to usually buy the bundle itself. And it does come with several products as well. So, if you’re only using a single product out of it, then generally buying the one line item is sufficient and will save you money.
So with Azure Active Directory P1, you get access to what’s called Conditional Access. And that’s where you can set specific policies that will prompt users for multi-factor authentication so that you can suit it to your business requirements. It will also give users the ability to do like password reset and account unlock self-service. So that’s where in the slides before where we talked about password resets being costly to a business. Just imagine for an IT department that no longer has to unlock user account or do password resets for users and they’re able to self-service, potentially how many calls that could save on a daily, weekly, or monthly basis. And it also makes the user experience a lot more convenient, and certainly, that’s what you want to achieve with your security strategy is basically balancing the needs for security but also with usability because the more secure something is, the less user-friendly it becomes. And if it’s too secure and too non-friendly, then people will find ways around it. And that’s definitely not the behavior that you want to promote.
There’s this one here and then finally, the Azure Active Directory P2. You can mix and match these licenses as well. So what I would highly recommend is if you have a high-value target, so, for example, any of your administrators, you don’t want them running with the full administrator privileges in their day-to-day accounts. So what you can do is if they’re protected with the Azure Active Directory P2, you get something called Privileged Identity Management. And what that will allow you to do is the users are…they’re not set to administrator mode, but they’re able to elevate themselves. And it’ll be only for a period of time and then the elevation is removed automatically. And then it will also create an event where you can audit who elevated themselves and for what purpose. So, it just gives you a little bit more of control and protection for those administrator users so that they’re not running with the full-elevated account all the time.
Now, offers to support your shift to remote work. Microsoft has a number of offers available for new customer cloud tenants. So sadly, if you have existing Office 365 licenses, not all of these offers will apply to you but some of them may. So, I definitely encourage you to speak to your Microsoft…sorry, your Encore Account Representative just to go over what your options may be for remote work. So with Microsoft Teams, they’re making it available to everyone through…the offer changed this month. So now in May 2020 moving forward, you can get six months free Microsoft 365 Business Basic, which is…formerly, it was the Office 365 Business Basic, I think it was called. It’s the online versions of Office 365.
So you can’t install Office on your computer, but you’ll be able to go to the portal website and just use the online versions of the products, including Microsoft Teams. So you’ll get collaboration, and voice, and chat, and everything, yeah, for Teams to Teams voice, not actual landline numbers in this particular offer. So, you have to commit to a year, but you get months 1 through 6 for free, and then you would pay 7 through 12. And then same with Office 365 E1, which is the Enterprise version. Again, it’s still the online versions of the product, not the actual downloaded client, but you’ll get the first six months for free. And you can also apply for Azure Active Directory Premium P1 trial. So that’s available through your Encore account team.
Customers using Security Center Configuration Manager, which there’s probably not very many of you at this point, you can now do co-management with the Microsoft cloud. Desktop virtualization. If you’re unable to secure remote computers at the home networks, for example, Windows Virtual Desktop is an option for you. There would still be some Azure infrastructure that you would have to pay for, but they are including six-month free Windows E3 license. And you can also get the Office 365, again, available through your account team for any new cloud customers.
And then deployment. If you require any further assistance in these deployment efforts, then, by all means, reach out to Encore support team, and we can assist you in any capacity that you would need in order to get your remote workforce productive. So, for Microsoft 365, I only highlighted the Enterprise Security portion of it since we’re dealing about the security topic today. But there’s a number of items that you get with it. If we think about Windows 10, so antivirus is included. It’s the very basic level of antivirus, of course. And there’s a more plugged-in version of advanced threat protection as you move to the Enterprise Mobility and Security E5. So then you have data loss prevention. So it prevents sensitive information from escaping your corporate boundaries.
eDiscovery, if you’re not familiar with that, allows you to do searches within the entire cloud environment. So it’ll look for content across, you know, your email documents, instant messages, and social channels like Teams and Yammer. And we talked about Azure Active Directory, so the Premium where you have Conditional Access and reporting, and it will do certain alerts depending on the SKU that you have as well for certain risk behaviors that don’t make sense such as impossible travel. Like if I’m a user that’s logged in recently in the United States, and then three seconds later there’s a login that’s trying to happen from Indonesia, then the system is automatically gonna block that because it knows that there’s no way I could have traveled that far in that amount of time.
Microsoft Intune. So as we talk about employee personal items, computers, and mobile devices that we may not be able to monitor, there, again, Intune gives us the ability to see with the mobile devices and their corporate computers are they up to date with antivirus? Do they have the right Windows updates installed from a single pane of glass? And then for the personal devices, again, that’s where the Active Directory Conditional Access. This module here can come in handy as well where you can tell it, “I want you to put somebody’s home computer in a bit of a lockbox until we can determine do they have an antivirus that’s responding to my queries? Do they have the right Windows updates installed?” So, without you managing or impacting the computer that’s at home that a user would not want you to manage because it’s their personal property, you still have the ability to still challenge that device just to find out does it have everything in place in order for it to be safe for me to allow them access to our resources.
Azure Information Protection P1. So this is for email encryption and encryption of files. And then, again, you get more features when you upgrade to the P2 offering that’s available in Enterprise Mobility and Security E5. So the P2 version will do automatic classification, and you can even put in certain conditions such as like we’ve seen some companies use a really neat code name for a top-secret project, for example. So you can create a policy that will automatically alert you whenever somebody sends an email with that word in it or creates a document or shares a document with that word in it or even say, “Anything that has social security numbers in it cannot leave the confines of this organization.”
And some of these policies you’re able to do, but it requires putting some restrictions on how users interact using their mobile devices but only when it means they’re interacting with your data. So an example would be if you are going to restrict users’ ability to share files, then from their mobile phone, for example, they have to use Microsoft Outlook Mobile. They can’t use their iOS or their Android-provided email client, but that’s only when they’re accessing your work email.
So if they’re accessing their home email, they can do everything that they want with their stock email program. There’s no problem. So you’re not restricting their movements when it comes to personal life, only when they’re interacting with your corporate data. And from that same perspective, it also protects you as the company because if they ever leave, then if you remove your data from their phone, it only removes your data. It doesn’t touch anything on their phone or delete the entire device unless they tell you the device has been stolen, and then you can wipe it remotely. But a lot of times, employees have that ability to do it themselves as well and would probably do it themselves given that they have their banking information and everything else on their phones potentially.
And then Secure Score is a great product that we’ll review. It’s available to…office administrators can log into this website, and we’ll cover that in just a moment. And so, again, just Advanced Threat Protection is the full antivirus product that you have the base version with Windows 10. And then as you go to Office 365 E5 or the EMS, Enterprise Mobility and Security E5, you would get the full threat protection. It’ll have additional tools that you can create a simulation. For example, send out a fake email message with what they call a payload or a virus in it.
It’s not real, but you’ll be able to see the spread within your network to identify which potential users might even need additional training in terms of mitigating these threats and becoming more suspicious. And if you ever get compliance requests as well, Advanced Compliance tools can help you create these packages. If you had to respond to a GDPR request from a user who wants to know what data you have about them, Microsoft can automate the gathering of that information if you have the Office 365 E5.
And so this is just another view of the Enterprise Mobility and Security because I know there’s a lot of different products and it gets very confusing. But it just shows you EMS E3 contains all of these products, and then EMS E5 has these upgrades, so, again, the Active Directory P1 that will allow your users to reset their own passwords and unlock their accounts. Active Directory P2, so Privileged Identity Management, if you have the administrative workers that you wanna protect a little bit more and have that auditing built-in.
Microsoft Threat Analytics is one that I didn’t cover. It’s one that a lot of people aren’t probably ever gonna use. It requires you to create a server on-premises and do network streaming analysis. So what that’ll do is it’ll analyze all the different traffic on your internal network and then look for suspicious activity and alert you for it. So, not something that a lot of people are gonna use. But if you have the E5 version of Enterprise Mobility and Security, you will get access to part of the Advanced Threat Protection that we talked about, which increases the functionality of the Windows 10 antivirus, also gives you the cloud version of this product so that you don’t have to have that server on-site. You can basically create the cloud deployments within the Microsoft tenant that you have. And there’s even some default templates that’ll get you started very quickly.
So Microsoft Cloud App Security, I haven’t covered yet, but this is where you would identify the authorized cloud app programs. So saying that only the Microsoft Cloud versions of PowerPoint, Outlook, and so on are authorized to access data, and this is how you would further prevent people from basically copying and pasting. Say you have a protected Word document. They’re gonna try to copy everything and then paste it inside of a Google Doc. You know, it will prevent them from doing that. It will prevent them from taking a screenshot of a product…pardon me, the page. Say I’m displaying my screen during a Microsoft Teams event, and I happen to have one of those confidential documents open on my computer, and I switch accidentally to that program, Microsoft Teams knows that the product has a confidential banner attached to it, and it won’t share it on the screen. It will say, “Oh, there’s no shared content.”
If you use Power BI, that could potentially have a lot of users sharing some inappropriate information possibly with other people. So Cloud App Security is going to lock that down for you and basically tell you who’s sharing what in terms of Power BI so that you still maintain that visibility while your users are free to be more productive and more self-engaging with creating reports. And again, the Microsoft Intune is that mobile device app management and cum corporate computer management as well.
So here’s the Microsoft Secure Score. So this is what I was talking about earlier that you have access to if you’re an administrator. This is the dashboard you’re gonna wanna go to monthly or quarterly depending on how important it is to you. And there you’re going to be presented with a score. Obviously, the higher the score, the better security you have. But we talked about how increasing your security too much will sacrifice usability and potentially put you at more risk if the users are not happy with how difficult their work has become, and then they may find some other alternatives.
So, there’ll be a number of recommendations that you can see here. They all have a point’s value. Some recommendations are easier to do than others. Some of them you can activate with very little user impact, and they’ll have a value of increasing your score. Some other scores will be a little more difficult to achieve without affecting the user. So you wanna make sure that you have a communication strategy available in order to add that functionality without impacting the users.
And here’s where the Encore Technical Services team can be quite useful to you. We’ve done this internally at Encore and for a number of customers as well. We can identify for you which items are easy to do, which items will require a little bit more thought. And in that way, you’ll be on your way to a successful improvement of your Secure Score. And this will provide you some context in terms of what the global average is and potentially what the average is for similar seat count as yours and what the average is in terms of your industry.
So, obviously, if you’re up here, this is a great place to be. And the reason that you wanna go in frequently is just to see how the evolution occurs over time. So here you notice there’s a drop in the score. Sometimes Microsoft will add new features or change certain counts. So the score may go down. And then you’ll have to look and see, “Okay. Do we wanna do what it takes to bring that score back up or is it not relevant in this case?” It is really a living dashboard that you wanna frequent when you can.
Another thing you wanna do is enable unified audit logs search. So, basically, if it’s not activated, you just have a turn on auditing button that you can activate. And in order to get there…so this is the office admin…sorry, the Office 365 panel. So if you’re an administrator, you’ll click on the Admin tile and then go to Show All. And then we want to go under Security. So this will bring us to the Security and Compliance. And then we want to go under Search, Audit log search. And so it’s already been activated for my tenants, so that’s why this banner is not showing as it was in the previous slide. But here I can search my audit logs and definitely something useful so that you can gain visibility in terms of what’s happening within your tenant.
So teams meetings security. So there’s a number of different options within meetings. You can have roles in meetings, attendee consent for recording. These two things, if you think about from an education standpoint. So you’re an educator, you’re giving a class. You don’t want some students who might decide to play a trick to have the ability to kick the teacher out during the conference. So that’s where roles within a meeting become important. So you can specifically identify what people can and cannot do.
Attendee consent for recording is important because you’re dealing with a lot of different jurisdictions depending where people are working. So you wanna make sure they get that visual message at the top saying that the recording has started so they can choose to dismiss that, or they can leave the meeting if they wish. Any meeting recordings you do, if they have a team’s account that they’re part of your company that they log into, they’ll be able to access those recordings. But then nobody else will be able to outside of your organization. So, again, it just protects all of your data from the outside and keeps everything secure.
And then same thing that the teams we had talked about uses multi-factor authentication and their secure guest access. So it’s not just a remote…pardon me, an internet web URL that somebody can easily guess the sort of code at the end and bump into your meeting. They specifically have to be invited to the meeting and gain access to it that way. And, again, so we talked about encryption. So you can encrypt emails, but teams’ data is also encrypted in transit and at rest. Data loss prevention. So you can’t share sensitive information if it’s during a team’s meeting and so on. The Advanced Threat Protection and the Cloud App Security, we’ve already gone through as well.
For teams deployments, there are certain teams that you want to have private, finance, HR, department teams, you know, that may wanna have private conversations. But for the most part, we found teams work best when they’re public. And you don’t have to worry about a public team being visible to people outside the organization. They are visible to people who are within your organization. If you’re a guest, you have to be invited to a team. But if you are part of the organization, then you’ll be able to join any public team and search data for it. And that’s useful for preventing information silos. So if all the teams are public, then we end up having…basically, information is hard to find. People are gonna start creating duplicate documents, and it just becomes a real mess. And then a retention policy. So you can identify policies that allow you to manage content in the organization. So, you can preserve information to meet compliance needs if necessary.
And so there’s quite a bit of data that we’ve covered today. So, what I’ve provided is a list of different Microsoft documents that you may wanna look through to help you create your remote work policy as well as looking at increasing the security of your office…your Microsoft cloud deployment. And this number eight is probably something that a lot of you aren’t gonna use unless you have an incident response manager within your organization. But I did include that as well for those that might have it. And then Microsoft 365 Best Practices is definitely something that you’d want to look at as well as these additional links above.
And so we covered the risks of remote workers, and securing those home networks, and educating the users on why securing the home network is important as well as a shared responsibility for information security. Creating that remote work policy, so they have a clear set of guidelines that they’re able to work with, and they know they can adhere to for the best success. What Microsoft Cloud Security products are available free versus paid as well as that Microsoft Secure Score dashboard that gives you the insight into what your current score is and the best way for you to improve that. And then finally, the Microsoft security recommendations within the references section. So that’s all I had to cover today. I don’t know, Melissa, if we’ve received any questions so far in the session.
Melissa: Thanks so much, Pierre. Yeah. I’m looking at the question pane and nothing has come in right now. So we might be able to give everyone a little bit of time back.
Pierre: Sure. Okay. That sounds great. All right. Well, I thank everyone for attending. And, yes, if you need to contact me, by all means, this is my email address as well as my direct number. And also, yeah, speaking directly to any of your account representatives as well is a great way to get a foothold on your remote work security. And hopefully, you found today valuable.
Melissa: Great. Thanks, Pierre. Good afternoon, everyone.
If your business experiences these red flags, your diagnosis is clear: time to adopt the cloud!