
Cloud Security Assessment: Mastering Microsoft 365 Security

Secure your Microsoft 365 environment with Canadian Cyber’s expert insights. Learn why 70-80% of cloud breaches stem from misconfigurations, who needs assessments, and how to enforce security using Microsoft Purview, NIST, and CIS benchmarks. From MFA to break glass accounts, discover actionable steps to protect your data and stay compliant.


Introduction

The numbers are consistent: 70-80% of cloud breaches trace back to misconfigurations, not platform flaws. Microsoft 365 (M365) powers collaboration, but its shared responsibility model, where Microsoft secures the platform and customers secure their own tenant configuration, leaves gaps on the customer side. Phishing, data leaks, and admin lockouts threaten organizations daily. This newsletter, rooted in Canadian Cyber’s expertise, outlines why assessments are critical, who needs them, and how to enforce security with tools like Microsoft Purview and standards like NIST. Time to lock it down, eh?

Why Assessments Matter

M365’s built-in tools, Defender and Secure Score, are robust but passive: they report, they do not enforce. Misconfigured permissions or weak email security invite ransomware and compliance fines. Standards such as NIST SP 800-53 (the security and privacy control catalogue), the CIS Microsoft 365 Foundations Benchmark, and ISO 27001 (the information security management framework) all expect proactive audits. A Canadian Cyber security consultant, drawing on firsthand experience auditing tenants from Vancouver to Toronto, emphasizes that organizations should assess regularly. LifeLabs learned this the hard way: a 2019 cyberattack exposed data on roughly 15 million customers, and the privacy commissioners’ 2020 investigation found it had failed to implement reasonable safeguards, access controls included. Assessments catch what Microsoft’s defaults miss.

Who Needs This?

Every M365 user benefits, but some need it most:  

  • Industries:
    • Healthcare (PIPEDA/HIPAA)
    • Finance (OSFI/GLBA)
    • Legal (privilege)
    • Education (FOIPPA)
    • Government (ITSAP)
    • Retail
    • Manufacturing
    • Tech
    • Nonprofits
    • Professional services (data sensitivity or regulatory exposure makes it urgent for all of the above)
  • Organization Types:  
    • SMBs: Understaffed IT teams leave gaps; a pattern common in our Calgary audits.
    • Enterprises: Complex setups amplify risk; GTA firms, take note.
    • Remote Teams: Device sprawl needs control, a pandemic legacy.
    • Regulated Shops: Compliance audits demand proof.

Canada’s PIPEDA and provincial privacy laws raise the stakes; assessments boost overall security across the board.

Data Protection with Microsoft Purview

Microsoft Purview’s Data Loss Prevention (DLP) blocks sensitive data, such as PII and credit card numbers, from leaking via Teams, SharePoint, or email. Yet most organizations underuse it. In 2020, MEDNAX Services, a healthcare provider, had 1.29 million patient records exposed after attackers phished their way into M365 email accounts. DLP would not have stopped the account takeover itself, but it could have flagged and blocked patient data moving outside the organization once the attackers were in. Assessments reveal this gap, recommend policies (e.g., block external sharing of PII), and push enforcement. Purview is a data shield; organizations should lean on it.
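The "block external PII shares" policy described above, as an added worked example (not the page's or Canadian Cyber's own tooling): one Purview DLP policy covering Exchange, SharePoint, OneDrive and Teams, with a rule that blocks credit card numbers and Canadian Social Insurance Numbers from leaving the organization. It is created in test mode first so matches can be reviewed before enforcement. It assumes the ExchangeOnlineManagement module and a Compliance Administrator account; the policy name is a placeholder.

```powershell
# Added example: a Purview DLP policy that blocks external sharing of card and SIN data.
# Not the original page's code. Requires the ExchangeOnlineManagement module and a
# Compliance Administrator (or equivalent) role. Policy name is an assumed convention.
Connect-IPPSSession   # DLP cmdlets live on the Security & Compliance endpoint, not Exchange

$policyName = 'CC-DLP-Block-External-PII'   # placeholder name

# Scope: every workload the article names. 'All' covers mailboxes and sites created later.
# Start in TestWithNotifications: users see the policy tip, nothing is blocked yet, and
# Activity explorer shows what would have matched.
New-DlpCompliancePolicy -Name $policyName `
    -Comment 'Assessment finding: block external sharing of credit card numbers and SINs' `
    -ExchangeLocation All -SharePointLocation All -OneDriveLocation All -TeamsLocation All `
    -Mode TestWithNotifications

# Rule: built-in sensitive information types, shared with anyone outside the organization.
# Blocking is scoped to external recipients/guests; internal collaboration keeps working.
New-DlpComplianceRule -Name "$policyName-Rule" -Policy $policyName `
    -ContentContainsSensitiveInformation @(
        @{ Name = 'Credit Card Number';             minCount = '1' },
        @{ Name = 'Canada Social Insurance Number'; minCount = '1' }
    ) `
    -AccessScope NotInOrganization `
    -BlockAccess $true -BlockAccessScope All `
    -NotifyUser LastModifier, Owner `
    -NotifyPolicyTipCustomText 'This item contains payment card or SIN data and cannot be shared outside the company.' `
    -GenerateIncidentReport SiteAdmin -IncidentReportContent All `
    -ReportSeverityLevel High

# Verify the policy exists and is still in test mode before leaving the change window.
Get-DlpCompliancePolicy -Identity $policyName | Select-Object Name, Mode, DistributionStatus

# After reviewing matches (a week is typical), enforce it. Do this as its own logged change.
# Set-DlpCompliancePolicy -Identity $policyName -Mode Enable
```

The two-step Mode is deliberate: a DLP policy that blocks on day one generates a flood of tickets from legitimate workflows (finance sending card details to a processor, HR sharing SINs with a payroll provider). Test mode surfaces those so exceptions can be written before enforcement, which is the same test-then-implement discipline the change management section below asks for.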

Steps to Assess M365 Security

A proven process:

1) Scope: Map Exchange, Teams, and SharePoint; know the landscape before you judge it.

2) Tools: Secure Score, Azure AD (Microsoft Entra) sign-in and audit logs, and the CIS benchmark are the audit essentials.

3) Audit: Check MFA, DLP, and encryption against NIST/ISO; every skipped control hurts.

4) Test: Phishing simulations and lockout drills stress-test the configuration.

5) Recommend: Enforce DLP, DKIM, and passkeys to close the gaps.
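A read-only first pass at step 3, as an added example (not the page's or Canadian Cyber's assessment tooling). It records Secure Score, checks whether MFA and a legacy-authentication block are enforced (either by Security Defaults or by an enabled Conditional Access policy), lists DKIM status per accepted domain, reads SPF and DMARC from public DNS, and flags DLP policies that are still in test mode. It assumes the Microsoft.Graph and ExchangeOnlineManagement modules and read-only roles (Global Reader plus Security Reader and Compliance Data Administrator); the domain list and report path are placeholders.

```powershell
# Added example: read-only M365 configuration audit for the "Audit" step.
# Not the original page's code. Assumes Microsoft.Graph and ExchangeOnlineManagement
# modules; all calls are read-only. Domains and report path are placeholders.
param(
    [string[]]$Domains    = @('example.ca'),
    [string]  $ReportPath = "m365-audit-$(Get-Date -Format yyyyMMdd).csv"
)

Connect-MgGraph -Scopes 'Policy.Read.All', 'SecurityEvents.Read.All' -NoWelcome
Connect-ExchangeOnline -ShowBanner:$false
Connect-IPPSSession                        # DLP cmdlets live on the compliance endpoint

$findings = [System.Collections.Generic.List[object]]::new()
function Add-Finding {
    param([string]$Control, [string]$Status, [string]$Detail)
    $findings.Add([pscustomobject]@{ Control = $Control; Status = $Status; Detail = $Detail })
}

# 1. Secure Score: current points vs. the maximum available for this tenant's licences.
$score = Get-MgSecuritySecureScore -Top 1
Add-Finding 'Secure Score' 'INFO' ('{0} of {1}' -f $score.CurrentScore, $score.MaxScore)

# 2. MFA and legacy auth. Security Defaults enforce both; otherwise an enabled
#    Conditional Access policy has to do the job. Report-only policies do not count.
$defaults = Get-MgPolicyIdentitySecurityDefaultEnforcementPolicy
$policies = Get-MgIdentityConditionalAccessPolicy -All | Where-Object State -eq 'enabled'
$mfaAll = $policies | Where-Object {
    $_.GrantControls.BuiltInControls -contains 'mfa' -and
    $_.Conditions.Users.IncludeUsers -contains 'All'
}
$legacyBlock = $policies | Where-Object {
    $_.GrantControls.BuiltInControls -contains 'block' -and
    ($_.Conditions.ClientAppTypes -contains 'exchangeActiveSync' -or
     $_.Conditions.ClientAppTypes -contains 'other')
}
$mfaOk    = [bool]($defaults.IsEnabled -or $mfaAll)
$legacyOk = [bool]($defaults.IsEnabled -or $legacyBlock)
Add-Finding 'MFA for all users'   ($(if ($mfaOk)    { 'PASS' } else { 'FAIL' })) `
    ($(if ($defaults.IsEnabled) { 'Security Defaults' } else { $mfaAll.DisplayName -join ', ' }))
Add-Finding 'Legacy auth blocked' ($(if ($legacyOk) { 'PASS' } else { 'FAIL' })) `
    ($(if ($defaults.IsEnabled) { 'Security Defaults' } else { $legacyBlock.DisplayName -join ', ' }))

# 3. DKIM: each accepted domain should be signing; Exchange Online rotates the keys.
Get-DkimSigningConfig | ForEach-Object {
    Add-Finding "DKIM $($_.Domain)" ($(if ($_.Enabled) { 'PASS' } else { 'FAIL' })) "Enabled=$($_.Enabled)"
}

# 4. SPF and DMARC from public DNS. Resolve-DnsName is Windows-only; on macOS/Linux
#    use `dig +short TXT <name>` and apply the same regexes to its output.
foreach ($d in $Domains) {
    $spf   = (Resolve-DnsName -Name $d -Type TXT -ErrorAction SilentlyContinue).Strings -join ' '
    $dmarc = (Resolve-DnsName -Name "_dmarc.$d" -Type TXT -ErrorAction SilentlyContinue).Strings -join ' '
    Add-Finding "SPF $d" ($(if ($spf -match 'v=spf1') { 'PASS' } else { 'FAIL' })) $spf
    $p = if ($dmarc -match 'p=(none|quarantine|reject)') { $Matches[1] } else { 'missing' }
    # p=none only reports; quarantine is the target in this article, reject the end state.
    Add-Finding "DMARC $d" ($(if ($p -in @('quarantine', 'reject')) { 'PASS' } else { 'FAIL' })) "p=$p"
}

# 5. DLP: a policy in test mode is a finding, not a control.
$dlp = Get-DlpCompliancePolicy | Where-Object Mode -eq 'Enable'
Add-Finding 'DLP enforced' ($(if ($dlp) { 'PASS' } else { 'FAIL' })) ($dlp.Name -join ', ')

$findings | Format-Table -AutoSize
$findings | Export-Csv -Path $ReportPath -NoTypeInformation   # evidence for the audit file
```

The CSV is the point: an auditor wants dated evidence, and re-running the script after remediation gives the before/after comparison that the "Review" step in change management asks for.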

In 2023, Indigo Books & Music suffered a ransomware attack that took its systems offline for weeks. Weak configurations are exactly what step 4’s testing exists to expose, before an attacker does it for you.

Key Security Features to Enforce

Microsoft’s baseline needs teeth. Enforce these for all users:

  • MFA: Mandatory for every user via Conditional Access; it cut a Winnipeg breach short.
  • Conditional Access Policies: Block unmanaged devices and risky locations (e.g., no sign-ins through anonymizing VPNs); this is what caught a rogue admin in Regina.
  • Email Encryption: Microsoft Purview Message Encryption (formerly Office 365 Message Encryption, OME) encrypts sensitive email automatically; trigger it from mail flow rules in the Exchange admin center and pair it with DLP.
  • DKIM & DMARC: DKIM signs outbound mail (enabled per domain in the Defender portal, backed by two CNAME records in DNS); DMARC tells receiving servers what to do with mail that fails (a TXT record at _dmarc.yourdomain, starting at p=quarantine and moving to p=reject). Both rely on a correct SPF record. This combination stopped a BC phishing wave.
  • Safe Links/Attachments: Defender for Office 365 rewrites URLs and detonates attachments in real time; a must-have.
  • DLP: Purview locks down leaks; it is the compliance lifeline.
  • No Legacy Auth: Block POP3, IMAP, SMTP AUTH, and other legacy protocols via Conditional Access. These clients cannot complete an MFA prompt, which is why password spray targets them. Microsoft retired Basic Authentication for most Exchange Online protocols in 2022, but SMTP AUTH can still be enabled per mailbox, so verify rather than assume.
  • MDM: Intune enforces device compliance rules; a necessity for remote teams.
  • Passwords: 12+ characters, and ban weak or company-specific terms with Azure AD (now Microsoft Entra) Password Protection.
  • Sharing: Restrict external sharing in Teams/SharePoint; this saved a Toronto law firm.

These align with NIST, CIS, and ISO; organizations should enforce them or expect audit red flags.
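The MFA and "no legacy auth" bullets above as Conditional Access policies created through the Microsoft Graph PowerShell SDK, as an added example (not the page's or Canadian Cyber's own code). Both policies start in report-only mode so the sign-in logs show who would be affected before anything is enforced, and both exclude a break glass group so an admin can never be locked out by them. The exclusion group name is an assumption; the Graph policy schema (state values, client app types, grant controls) is real.

```powershell
# Added example: report-only Conditional Access policies for "block legacy auth" and
# "MFA for all users", excluding the emergency access group. Not the original page's code.
# Assumes the Microsoft.Graph module and a Conditional Access Administrator role.
# The group name 'CA-Exclude-BreakGlass' is a placeholder convention.
Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess', 'Policy.Read.All', 'Group.Read.All' -NoWelcome

# Exclusion group that contains only the break glass accounts (see the next section).
$breakGlass = Get-MgGroup -Filter "displayName eq 'CA-Exclude-BreakGlass'"
if (-not $breakGlass) { throw 'Create the break glass exclusion group before applying policies.' }

$reportOnly = 'enabledForReportingButNotEnforced'   # switch to 'enabled' after review

# Policy 1: block legacy protocols (POP3, IMAP, SMTP AUTH, older Office clients).
# 'exchangeActiveSync' and 'other' are the Graph client app types that cover them;
# these clients cannot complete MFA, which is why password spray goes after them.
$blockLegacy = @{
    displayName   = 'CA001 - Block legacy authentication'
    state         = $reportOnly
    conditions    = @{
        users          = @{ includeUsers = @('All'); excludeGroups = @($breakGlass.Id) }
        applications   = @{ includeApplications = @('All') }
        clientAppTypes = @('exchangeActiveSync', 'other')
    }
    grantControls = @{ operator = 'OR'; builtInControls = @('block') }
}

# Policy 2: require MFA for every user on every cloud app, all client types.
$requireMfa = @{
    displayName   = 'CA002 - Require MFA for all users'
    state         = $reportOnly
    conditions    = @{
        users          = @{ includeUsers = @('All'); excludeGroups = @($breakGlass.Id) }
        applications   = @{ includeApplications = @('All') }
        clientAppTypes = @('all')
    }
    grantControls = @{ operator = 'OR'; builtInControls = @('mfa') }
}

$created = foreach ($body in $blockLegacy, $requireMfa) {
    New-MgIdentityConditionalAccessPolicy -BodyParameter $body
}
$created | Select-Object DisplayName, State, Id

# After a clean week in report-only (Entra sign-in logs, "Report-only" tab), enforce
# one policy at a time inside a change window. Flipping state is a one-property PATCH.
function Enable-CaPolicy {
    param([Parameter(Mandatory)][string]$PolicyId)
    Update-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $PolicyId -BodyParameter @{ state = 'enabled' }
}
# Enable-CaPolicy -PolicyId $created[0].Id
```

Report-only is not optional ceremony: a blanket legacy-auth block will also cut off the multifunction printer that scans to email over SMTP AUTH and the line-of-business app nobody remembered, and the report-only log is where those show up before users do.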

Emergency Access: Break Glass with Two Passkeys

Lockouts hit hard: a Saskatoon admin lost his MFA phone mid-crisis. Organizations should keep one or two break glass accounts (e.g. breakglass1@company.onmicrosoft.com), cloud-only and with a permanent Global Administrator assignment, not a PIM-eligible one. Secure each with two FIDO2 passkeys (YubiKeys, for example), stored offline in separate places: one in the office safe, one with a trusted executive. Exclude these accounts from every Conditional Access policy so that a broken policy can never lock them out; the FIDO2 sign-in is itself phishing-resistant MFA, so nothing is lost by skipping the phone-based factor. Monitor them with audit log alerts on every sign-in, because a break glass account has no business signing in on a normal day. Two passkeys give redundancy and phishing-proof access, better than calling Microsoft at 2 a.m.
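The break glass setup above, scripted as an added example (not the page's or Canadian Cyber's code): create the cloud-only account with a long random fallback password, assign Global Administrator permanently, place the account in the Conditional Access exclusion group, make sure FIDO2 is an enabled authentication method, and check for any sign-ins by the account. Tenant domain, group name and account name are placeholders. FIDO2 keys cannot be registered by script; after this runs, sign in as the account at https://aka.ms/mysecurityinfo and register both hardware keys before they go in the safe.

```powershell
# Added example: provision and monitor a break glass account. Not the original page's code.
# Assumes the Microsoft.Graph module, a Global Administrator running it, and Entra ID P1
# (needed for sign-in log access). Domain, group and account names are placeholders.
Connect-MgGraph -NoWelcome -Scopes 'User.ReadWrite.All', 'RoleManagement.ReadWrite.Directory',
    'GroupMember.ReadWrite.All', 'AuditLog.Read.All', 'Policy.ReadWrite.AuthenticationMethod'

$tenant = 'company.onmicrosoft.com'   # cloud-only domain: not federated, so it survives an on-prem or IdP outage
$upn    = "breakglass1@$tenant"

# 32 random bytes as a fallback password. It goes in a sealed envelope with the keys, never online.
$bytes = New-Object byte[] 32
[System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
$password = [Convert]::ToBase64String($bytes)

$user = New-MgUser -DisplayName 'Break Glass 1' -UserPrincipalName $upn -MailNickname 'breakglass1' `
    -AccountEnabled -PasswordPolicies 'DisablePasswordExpiration' `
    -PasswordProfile @{ Password = $password; ForceChangePasswordNextSignIn = $false }
Write-Host "Fallback password for the envelope (shown once): $password"

# Permanent Global Administrator. An emergency is no time to discover PIM activation is broken.
$gaRole = Get-MgDirectoryRole -Filter "displayName eq 'Global Administrator'"
New-MgDirectoryRoleMemberByRef -DirectoryRoleId $gaRole.Id `
    -BodyParameter @{ '@odata.id' = "https://graph.microsoft.com/v1.0/directoryObjects/$($user.Id)" }

# Exclude from Conditional Access through the group every CA policy references.
$excl = Get-MgGroup -Filter "displayName eq 'CA-Exclude-BreakGlass'"   # placeholder group name
New-MgGroupMember -GroupId $excl.Id -DirectoryObjectId $user.Id

# FIDO2 must be an enabled method tenant-wide or the keys cannot be registered.
Update-MgPolicyAuthenticationMethodPolicyAuthenticationMethodConfiguration `
    -AuthenticationMethodConfigurationId 'Fido2' `
    -BodyParameter @{ '@odata.type' = '#microsoft.graph.fido2AuthenticationMethodConfiguration'; state = 'enabled' }

# Any sign-in by this account is an incident until someone explains it. Run from a
# scheduled job; for real-time alerting, put the same filter in a Sentinel analytics
# rule over SigninLogs.
function Get-BreakGlassSignIns {
    param([string]$UserPrincipalName = $upn, [int]$Hours = 24)
    $since = (Get-Date).ToUniversalTime().AddHours(-$Hours).ToString('yyyy-MM-ddTHH:mm:ssZ')
    Get-MgAuditLogSignIn -All -Filter "userPrincipalName eq '$UserPrincipalName' and createdDateTime ge $since" |
        Select-Object CreatedDateTime, IpAddress, AppDisplayName, @{ n = 'ErrorCode'; e = { $_.Status.ErrorCode } }
}
Get-BreakGlassSignIns   # expect no rows on a normal day
```

Two details matter more than they look. The `.onmicrosoft.com` UPN keeps the account independent of any custom domain or federation that might be part of the outage. And the exclusion is done through a group rather than per-policy, so that a new Conditional Access policy written next year inherits the exclusion when its author copies the group, instead of silently locking the emergency account out.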

Change Management: Secure Every Update

Uncontrolled changes spell trouble: Home Depot Canada’s 2020 incident, where a misconfigured cloud service exposed customer data and there was no rollback to reach for, is the textbook case. Organizations should enforce this process:

  • Initiate: Log the request (e.g., “Enable DLP policy for credit card numbers”).
  • Approve: Change Advisory Board; IT and security both sign off.
  • Test: Sandbox it, or deploy in report-only/test mode first; NIST insists on it, and it saves grief.
  • Implement: Maintenance window, rollback ready (export the prior state with PowerShell before touching anything).
  • Review: Read the audit logs post-change to catch issues fast.

This keeps M365 stable and ISO 27001-compliant; organizations should adopt it.
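The "rollback ready" half of the Implement step, as an added example (not the page's or Canadian Cyber's code): snapshot every Conditional Access policy as the raw JSON Graph returns before a change, and restore a policy from that snapshot if the post-change review finds a problem. It calls Graph directly with Invoke-MgGraphRequest so the stored files are byte-for-byte what the service sent. It assumes the Microsoft.Graph module and PowerShell 7 (for ConvertFrom-Json -AsHashtable); the snapshot folder is a placeholder.

```powershell
# Added example: snapshot and restore Conditional Access policies around a change.
# Not the original page's code. Assumes Microsoft.Graph and PowerShell 7+.
Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess', 'Policy.Read.All' -NoWelcome

$base = 'https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies'

function Export-CaSnapshot {
    param([string]$Folder = ".\ca-snapshot-$(Get-Date -Format yyyyMMdd-HHmm)")   # placeholder path
    New-Item -ItemType Directory -Path $Folder -Force | Out-Null
    $count = 0
    $uri = $base
    do {   # follow paging; tenants with many policies span more than one page
        $page = Invoke-MgGraphRequest -Method GET -Uri $uri
        foreach ($p in $page.value) {
            # One file per policy, named by id, so a restore is unambiguous.
            $p | ConvertTo-Json -Depth 20 | Set-Content -Path (Join-Path $Folder "$($p.id).json")
            $count++
        }
        $uri = $page.'@odata.nextLink'
    } while ($uri)
    "Saved $count policies to $Folder"
}

function Restore-CaPolicy {
    param([Parameter(Mandatory)][string]$SnapshotFile)
    $saved = Get-Content -Raw -Path $SnapshotFile | ConvertFrom-Json -AsHashtable
    # Read-only properties are rejected in a PATCH; strip them before sending the body back.
    foreach ($k in 'id', 'createdDateTime', 'modifiedDateTime', 'templateId') { $saved.Remove($k) }
    $id = [IO.Path]::GetFileNameWithoutExtension($SnapshotFile)
    Invoke-MgGraphRequest -Method PATCH -Uri "$base/$id" `
        -Body ($saved | ConvertTo-Json -Depth 20) -ContentType 'application/json'
    "Restored policy $id from $SnapshotFile"
}

# Change window: snapshot, apply the approved change, review sign-in logs, roll back if needed.
Export-CaSnapshot
# ... apply the approved change here ...
# Restore-CaPolicy -SnapshotFile '.\ca-snapshot-20250101-0900\<policy-id>.json'
# If the change *added* a policy, rollback is a delete instead:
# Invoke-MgGraphRequest -Method DELETE -Uri "$base/<new-policy-id>"
```

Attach the snapshot folder to the change ticket. That gives the reviewer in the last step a diff to read (snapshot vs. current state) rather than a memory of what was changed, and it is the evidence an ISO 27001 auditor asks for when checking that changes are controlled.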

Tools and Next Steps

  • Secure Score: Baseline at security.microsoft.com (also linked from admin.microsoft.com).
  • Microsoft Purview: DLP and compliance hub.
  • Defender Portal: Threat policies, DKIM setup.
  • Azure AD (now Microsoft Entra ID): Conditional Access, passkey configuration.

Start now: audit Purview DLP, enforce MFA, and set up break glass accounts with dual passkeys. NIST/CIS/ISO alignment is your edge; don’t flunk your next audit. Questions? Hit up Canadian Cyber; we’ve got your six.

Contact: info@canadiancyber.ca
