When was the last time your organization audited your Microsoft 365 or Google Workspace security settings?
If the answer is "I don't know" or "never," you should consider having cybersecurity professionals take a look. Although Microsoft 365 and Google Workspace come with some decent default security settings enabled, these defaults still leave considerable security gaps that expose your company to business email compromise (BEC) attacks.
BEC attacks are increasingly common, particularly against cloud-based business email solutions like M365 and Google Workspace. In fact, according to the FBI, more than half of all the financial losses to businesses in 2019 were the result of successful BEC attacks ($1.77B of $3.5B total).
Whether it is wire fraud through hijacked email threads, a starting point for phishing campaigns, or access to improperly disclosed PHI/PII data, much of the success attackers enjoy can be mitigated by auditing and optimizing your environment's security settings.
The following list outlines the top three security misconfigurations we typically see. While this is by no means exhaustive of what our audits uncover, addressing them will start to reduce security risk common in M365 or Google Workspace security settings.
THE TOP 3 MOST COMMON SECURITY MISCONFIGURATIONS
1. Multi-Factor Authentication (MFA) disabled
- According to Microsoft, virtually 100% of all successful BEC attacks occurred on accounts without MFA enabled.
- MFA can be implemented natively to M365 and Google Workspace or with third-party solutions.
- Although a relatively simple control to activate, enabling MFA may require additional time and training for the organization to adopt fully.
2. Audit logging disabled
- Enabling this feature provides security investigators access to critical compromise-related information, which can significantly decrease the cost to investigate a security incident.
- Stores events related to logins, cloud drive access, rule changes, and other important events.
3. Mailbox audit logging not optimally configured
- Optimally configured mailbox audit logging provides additional information crucial to security investigations such as email deletion, inbox rule updates, and cross-mailbox operations.
PATHFYNDER'S 12-POINT M365 AND GOOGLE WORKSPACE AUDIT
Pathfynder follows a 12-point inspection approach of critical security controls to audit your tenant environment and optimize its configuration according to best practices. Depending on the organization's environment, these audits can typically be completed over three to four workdays and may be followed by an additional remediation period. The time to remediate depends mainly on the organization's security resources and may also be influenced by its readiness to adopt some of the recommended changes.
For instance, while enabling MFA is arguably the most effective control a company can implement, it often takes time and training to prepare employees for the change. Therefore, it is important to facilitate the smooth adoption of critical security controls across the organization to prevent disruption of normal business operations.
BRILLIANCE IN THE BASICS, BUT NOT A FULL-PROOF ANSWER TO THE BEC THREAT
Regardless of the cloud-based business email solution in use, we recommend administrators strongly consider implementing the following mitigations and best practices as a start:
- Use multi-factor authentication. This is the best mitigation technique to protect against credential theft for administrators and users.
- Protect Global Admins from compromise and use the principle of "Least Privilege."
- Enable unified audit logging in the Security and Compliance Center.
- Enable Alerting capabilities.
- If possible, integrate with organizational SIEM solutions.
- Disable legacy email protocols if not required or limit their use to specific users if necessary due to business necessity.
Whatever your security roadmap entails, Microsoft 365 and Google Workspace audits are a great example of "low-hanging fruit" initiatives that produce enormous benefits to your organization's overall defenses.