Microsoft 365 (M365) is a powerful suite of productivity tools that has become widely adopted in life sciences organizations globally. As of February 2024, this SaaS (Software as a Service) offering has 30% of the market share and continues to grow. M365 offers numerous collaborative features with the cost-effective benefit of shared administration, patch management, and more as a service. However, one key area which is often neglected is secure configuration.
Contrary to what some may think, M365 is not secure by default. After my first scan a few years ago, I thought it was just an anomaly that my client’s scan came back with so many findings. However, over the years, my team and I have found most organizations fail a large number of configuration checks. Since that first scan, I have been “beating the drum” about baseline/secure configurations.
Due to the popularity of Microsoft products within most businesses, there is an ever-growing amount of valuable data stored in M365. Technologies such as Exchange, SharePoint, Teams, and OneDrive have become important tools in modern business communication, collaboration, and knowledge management. Security gaps in cloud-based infrastructure configurations are not limited to M365; the same issues abound for Google configurations and other cloud offerings. But given the prominence of M365 in many life sciences organizations, it makes sense for leaders to direct particular attention to ensuring M365 configurations do not reflect known vulnerabilities.
Targeting Configuration Vulnerabilities
As we discuss in our recent white paper, CREO has found a variety of common misconfigurations and security difficulties in the many M365 scans we perform with our clients. By identifying and fixing these deficiencies, organizations can strengthen their M365 security, secure sensitive information, and demonstrate stronger adherence to compliance standards.
Many vulnerabilities we find are well-known and completely avoidable. Life sciences IT and security leaders can benefit from leveraging publicly available configuration baselines that recommend the most suitable settings based on organization size and licenses. These valuable resources include the CISA (Cybersecurity & Infrastructure Security Agency) Secure Cloud Business Applications (SCuBA) baselines, the CIS (Center for Internet Security) Microsoft 365 Foundations Benchmark, and Microsoft Secure Score recommendations.
Among these configuration baseline assessments, here are five vulnerabilities that CREO has found to be common in life sciences organizations:
- Legacy authentication not blocked – Legacy (basic) authentication protocols such as POP3, IMAP, and SMTP AUTH predate modern security controls: they cannot enforce MFA or Conditional Access, which is why attackers favor them for password spraying and credential stuffing. Blocking them removes that path entirely. (See CISA MS.AAD.1.1v1, CIS Microsoft 365 Benchmark 5.2.2.3)
- SMS being used for MFA – SMS is a weak second factor: codes can be stolen through SIM swapping, real-time phishing pages that relay the code, malware on the phone, physical theft of the device, weaknesses in carrier signaling networks, and message forwarding. (See CISA MS.AAD.3.5v1)
- SharePoint external sharing enabled – External sharing for SharePoint should be limited to Existing guests or Only People in your organization. Sharing information outside the organization via SharePoint increases the risk of unauthorized access. By limit. (See CISA MS.SHAREPOINT.1.1v1)
- Phishing-resistant MFA not required for highly privileged roles – Phishing is a prevalent attack method, and if the victim holds Global Administrator or another highly privileged role, the blast radius is the whole tenant. Phishing-resistant methods (FIDO2 security keys, Windows Hello for Business, certificate-based authentication) produce no code or approval prompt that a phishing page can relay. (See CISA MS.AAD.3.6v1)
- DMARC not enforced – DMARC (Domain-based Message Authentication, Reporting, and Conformance) builds on SPF and DKIM to let a domain owner tell receiving mail servers how to handle messages that fail authentication and to receive reports on them, which is what stops attackers from spoofing your domain in phishing campaigns. Publishing a record is not enough: the policy must be p=reject, because p=none only monitors and p=quarantine still delivers spoofed mail to a junk folder. (See CISA MS.EXO.4.2v1)
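To make the five checks above concrete, here is an added Python example (not CREO's tooling and not CISA's ScubaGear) that evaluates an exported tenant configuration offline, much as a baseline scanner does. The input dictionaries are constructed for this example and follow the Microsoft Graph schema for Conditional Access policies, the authentication methods policy, and SharePoint tenant settings; the Global Administrator role template ID and the built-in "Phishing-resistant MFA" authentication strength ID are well-known Entra ID values that you should confirm against your own tenant's exports. The MFA-method check goes slightly beyond the bullet: it covers voice and email one-time passcode alongside SMS, since MS.AAD.3.5v1 names all three.

```python
"""Offline evaluation of the five SCuBA checks above against an exported
tenant configuration.  Added example; not CREO's tooling or CISA's ScubaGear.
All input is CONSTRUCTED and shaped like the Microsoft Graph objects an admin
can export (conditionalAccessPolicy, authenticationMethodsPolicy, sharepoint
settings) plus the domain's _dmarc TXT record as a string."""

# Well-known Entra ID built-in IDs (confirm against your own tenant's exports).
GLOBAL_ADMIN_ROLE = "62e90394-69f5-4237-9190-012177145e10"
PHISHING_RESISTANT_STRENGTH_ID = "00000000-0000-0000-0000-000000000004"
PHISHING_RESISTANT_MODES = {"fido2", "windowsHelloForBusiness", "x509CertificateMultiFactor"}
LEGACY_CLIENT_TYPES = {"exchangeActiveSync", "other"}  # Graph's non-modern client types
WEAK_METHODS = {"sms", "voice", "email"}  # all three are named by MS.AAD.3.5v1

def _enforced(policy):
    # Report-only ("enabledForReportingButNotEnforced") logs but never blocks.
    return policy.get("state") == "enabled"

def legacy_auth_blocked(ca_policies):
    """MS.AAD.1.1v1: an enforced policy blocks both legacy client types for all users and apps."""
    for p in ca_policies:
        cond = p.get("conditions", {})
        grant = p.get("grantControls") or {}
        if (_enforced(p)
                and LEGACY_CLIENT_TYPES <= set(cond.get("clientAppTypes", []))
                and "All" in cond.get("users", {}).get("includeUsers", [])
                and "All" in cond.get("applications", {}).get("includeApplications", [])
                and "block" in grant.get("builtInControls", [])):
            return True
    return False

def weak_mfa_methods_disabled(auth_methods):
    """MS.AAD.3.5v1: the Sms, Voice and Email method configurations are disabled."""
    configs = auth_methods.get("authenticationMethodConfigurations", [])
    return all(c.get("state") == "disabled"
               for c in configs if c.get("id", "").lower() in WEAK_METHODS)

def sharepoint_sharing_restricted(sharepoint):
    """MS.SHAREPOINT.1.1v1: 'Existing guests' or 'Only people in your organization'."""
    return sharepoint.get("sharingCapability") in {"disabled", "existingExternalUserSharingOnly"}

def _is_phishing_resistant(strength):
    modes = strength.get("allowedCombinations")
    if modes:  # full strength object exported: every allowed combination must qualify
        return set(modes) <= PHISHING_RESISTANT_MODES
    return strength.get("id") == PHISHING_RESISTANT_STRENGTH_ID  # reference-only export

def privileged_roles_require_phishing_resistant_mfa(ca_policies, roles=(GLOBAL_ADMIN_ROLE,)):
    """MS.AAD.3.6v1: an enforced policy scoped to the privileged roles grants access
    only through a phishing-resistant authentication strength."""
    for p in ca_policies:
        users = p.get("conditions", {}).get("users", {})
        strength = (p.get("grantControls") or {}).get("authenticationStrength") or {}
        if (_enforced(p) and set(roles) <= set(users.get("includeRoles", []))
                and _is_phishing_resistant(strength)):
            return True
    return False

def parse_dmarc(txt):
    """Split 'v=DMARC1; p=reject; rua=...' into a {tag: value} dict (tags lower-cased)."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags

def dmarc_enforced(txt):
    """MS.EXO.4.2v1: a DMARC1 record whose policy is p=reject (none/quarantine fail)."""
    tags = parse_dmarc(txt)
    return tags.get("v") == "DMARC1" and tags.get("p", "").lower() == "reject"

def run_checks(export):
    """Map each baseline ID to True (pass) or False (finding)."""
    return {
        "MS.AAD.1.1v1": legacy_auth_blocked(export["ca_policies"]),
        "MS.AAD.3.5v1": weak_mfa_methods_disabled(export["auth_methods"]),
        "MS.SHAREPOINT.1.1v1": sharepoint_sharing_restricted(export["sharepoint"]),
        "MS.AAD.3.6v1": privileged_roles_require_phishing_resistant_mfa(export["ca_policies"]),
        "MS.EXO.4.2v1": dmarc_enforced(export["dmarc_txt"]),
    }

# Constructed tenant that fails all five the way many real ones do: the legacy-auth
# block was left in report-only mode and administrators only get ordinary MFA.
WEAK_TENANT = {
    "ca_policies": [
        {"state": "enabledForReportingButNotEnforced",
         "conditions": {"clientAppTypes": ["exchangeActiveSync", "other"],
                        "users": {"includeUsers": ["All"]},
                        "applications": {"includeApplications": ["All"]}},
         "grantControls": {"operator": "OR", "builtInControls": ["block"]}},
        {"state": "enabled",
         "conditions": {"clientAppTypes": ["all"],
                        "users": {"includeRoles": [GLOBAL_ADMIN_ROLE]},
                        "applications": {"includeApplications": ["All"]}},
         "grantControls": {"operator": "OR", "builtInControls": ["mfa"]}},
    ],
    "auth_methods": {"authenticationMethodConfigurations": [
        {"id": "Sms", "state": "enabled"}, {"id": "Fido2", "state": "enabled"}]},
    "sharepoint": {"sharingCapability": "externalUserAndGuestSharing"},
    "dmarc_txt": "v=DMARC1; p=quarantine; rua=mailto:dmarc@example.com",
}

if __name__ == "__main__":
    for check, ok in run_checks(WEAK_TENANT).items():
        print(f"{check:20} {'PASS' if ok else 'FAIL'}")  # all five print FAIL
```

Two details in this example catch findings we see repeatedly: a Conditional Access policy left in report-only mode counts as no policy at all, and a custom authentication strength only passes if every allowed combination is phishing-resistant, so a strength that also permits password plus SMS fails even when it is labelled "admin MFA".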
Recommendations
For most life sciences organizations, M365 should be a highly reliable, well-integrated, and secure business environment. Here are a few tips to help your organization establish and maintain good security practices.
- Leverage Security Tools and Reports: Utilize built-in M365 security tools and reports to monitor and enhance your security posture continuously.
- Implement a Zero Trust Model: Adopt a Zero Trust security model where no user or device is trusted by default.
- Regularly Review and Update Policies: Security policies should be dynamic and updated regularly to address emerging threats.
- Training and Awareness: Make sure leaders, system administrators, and users understand security best practices and why adhering to them matters. Tenant owners must take an active part in choosing security settings, both to protect their information and to meet the regulations that govern them.
In summary, most life sciences organizations can significantly strengthen their M365 security posture, lowering the chances of data leakage and other attacks, through a few essential protective measures. Want to learn more? Read our white paper.