Would you store a spreadsheet with the names and salaries of everyone in your company on a “secure” spot on your file server? Of course you wouldn't, because your file shares are a mess.
Windows file shares with mapped drives, VPNs, and BDRs are such dated technology. You have decades of files that nobody deletes, dropped in all sorts of folders they weren't supposed to go in. You have sub-folders with special permissions that differ from the parent folder's, which creates serious security issues.
You don't have MFA enabled even though you know you should have done that a long time ago (but it is such a hassle, right?). Your user names are the same or similar to your email addresses and your passwords never change.
You are best to assume some of your users have unknowingly supplied their user names and passwords through a phishing email and overseas hackers are testing out those credentials to access your email system to see if they can blackmail or extort your company with its own data.
It’s time for ownership to stop being dismissive of security and IT managers to stop crossing their fingers and hoping for the best. It's time to get serious about your IT security and management with Microsoft Intune and Microsoft 365 Identity and Threat Protection.
What does “security” really mean to you when it comes to your IT? If you are like most of our clients (businesses with about 20-50 employees), it really means PRIVACY—keeping their data PRIVATE, and STABILITY—keeping their computers from being crippled or shut down by viruses.
For most of our clients, this is where they stand with data security:
- They feel most of their data is not “super sensitive”.
- They don’t see how THEY would be a target of an attack as they are too small to be worthwhile.
- They do not want themselves (the owners/executives), or their staff, to have to jump through a lot of hoops to get access to their data, as the threat is not worth a lot of hassle.
- They want reasonable measures with reasonable costs to keep their data private, and their computers running stably.
Let’s get to the “I’m too small thing”…
I’m too small to be the target of an attack, you say, so, hey IT guy, calm down… and stop making things complicated.
I get the logic but you're wrong. Maybe you haven’t been hit with an attack yet – or at least, you are not aware yet that you or someone in your company has been attacked.
What you are thinking is: why on earth would a hacker go after my 40-person company, trying to hack their way into my firewall or my computers? The hackers want the huge companies with lots and lots of money.
Small companies are easier targets with better odds to steal money.
The concept of a hacker sitting there with the login prompt to your firewall or server trying out different username and password combinations is 1980’s whiz kid hacker nostalgia.
Attackers go after identities – usernames and passwords – looking for ways for you to freely and willfully give them your identity: it’s just easier.
Once they have your identity, they can use it to go in and start seeing what they have access to and how they can exploit it.
Why small companies are better targets.
I’m going to share a very simple example of why you, as a small business are a FANTASTIC target for hackers.
- You already stated above you didn’t see yourself as a target so you don’t need “Pentagon level security”: they know you think that.
- Your guard is down.
- You haven’t had a major hacking incident where you lost significant money or lost sleep knowing potentially sensitive data was exposed and you don’t know where it is or who has it, and when/if this will come back to hurt you.
- You have an IT company that knows how to get your computers working and fix blow ups, but they have no official training or certification around IT security or modern IT management, and thus you assume since you haven’t been attacked that everything is A-OK.
A few days ago, your bookkeeper got an email from “Microsoft” stating she needed to “confirm” her password or else she will get locked out—that this is just a standard email meant to keep her “secure”—and the email is very official looking. To be fair to her, you keep her busy with a lot of things, and so with a lot on her mind, the last thing she wants is to be hung up in the next day or two while she is trying to get work done. She clicks the link, enters her username and password, and gets a confirmation that her account is good and she will not be blocked. Whew!
A few weeks go by.
The bookkeeper then gets an email from “you” with an invoice, stating that you need her to wire $25,614 to one of your vendors. The invoice is higher than normal, but isn’t unheard of for the business you are in, and your signature is at the bottom – so she replies back to you with a few questions over the next few days, “you” answer, and at some point provide her with a bank routing number.
Your bookkeeper still has a few questions and (hopefully for you) something doesn’t quite seem right, so she decides to call you on the phone as it would be quicker than going back and forth in emails. You tell her you have no idea what she is talking about, you never asked her to transfer $25,000, and it is then you both realize you are deep into an Internet scam, and just HOW CLOSE you came to giving a criminal your money. Now you are left feeling very exposed, wondering just how much of your information they saw and collected.
This scam didn’t use a virus, didn’t require a super computer to hack into your network. It just required a little bit of research on the Internet to find information easily obtained through LinkedIn: who is the business owner and who is the company controller. They wouldn’t have even needed to get your username and password because ANYONE can send an email with any display name they want. I could send an email to you as Bill Gates, and unless you click through to the email address and really check it out, you wouldn’t notice the email was actually something like email@example.com.
Even at Xerillion!
Even at Xerillion, our own CFO corresponded with “me” for a few days when “I” asked her to send money to a vendor in this same manner, from a fake email sent by an attacker. If an attacker gets a successful wire transfer of $10,000 to $100,000 1 out of 100 times, it is well worth their time to continue, and the risk of being caught is nearly non-existent. In fact, when my CFO called the police about the potential crime, they simply said a crime hadn’t occurred and there was nothing they could do about it. We are on our own here, folks…
Azure Active Directory Premium
And think about all the identities (user accounts) you have out there for your company with the various web-based services and applications you depend on to run your business. Wouldn’t it be nice to have a single identity you can give to an employee when they start at your company that has access to all the cloud-based services? They would only have to remember a single user account and password, and if they leave the company, a single click would disable access to all of those accounts. This is called Single Sign On, and it is one of the ways we use Microsoft’s cloud identity management service: Azure Active Directory Premium.
Azure Active Directory Premium Identity Protection
With Azure Active Directory Premium we can also control and manage some other things around security.
What if your IT system had some bit of artificial intelligence which saw that 99% of the time you log in from Chicago, but today it saw you logging in from Phoenix—and you really were in Phoenix for a conference, but, just to be safe, your IT security prompted you to confirm your identity with a PIN code sent to your cell phone? You’d be very slightly inconvenienced—possibly annoyed, as you were trying to get some work done before heading out of your hotel room—but you’d probably feel good knowing your system is looking out for you.
Let’s take it even further…
What if your IT system noticed that you were logging in from Chicago and China at the same time… uhhhhh, this might be a serious problem… we call this “impossible travel”. Possibly, your identity has been obtained and someone with your actual username and password is trying to log in from a place you never log in from—at the same time you are logging in from a place you always log in from. What if your IT security was set to immediately block access, prompt for a PIN code sent to your phone, and force a password reset? And if you had a single identity across all of the 3rd party web services you run your business with, you’d reset a single password, one time, and all of your data is protected, as opposed to going through account after account to reset everything. Azure Active Directory Premium Identity Protection does this.
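The “impossible travel” check described above can be illustrated with a small detector run over a sign-in log. This is an added example, not Azure Active Directory Identity Protection code; the cities, coordinates, 1,000 km/h speed threshold and sign-in records are all constructed for the illustration.

```python
"""Impossible-travel heuristic over a constructed sign-in log (added example)."""
from datetime import datetime, timedelta
from math import asin, cos, radians, sin, sqrt

EARTH_RADIUS_KM = 6371.0
# Assumed threshold: anything faster than an airliner is treated as impossible.
MAX_PLAUSIBLE_KMH = 1000.0

# Constructed (latitude, longitude) pairs for the cities used by the sample sign-ins.
CITIES = {
    "Chicago": (41.88, -87.63),
    "Phoenix": (33.45, -112.07),
    "Shanghai": (31.23, 121.47),
}


def distance_km(a, b):
    """Great-circle distance between two (lat, lon) pairs (haversine formula)."""
    lat1, lon1 = map(radians, a)
    lat2, lon2 = map(radians, b)
    h = (sin((lat2 - lat1) / 2) ** 2
         + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2)
    return 2 * EARTH_RADIUS_KM * asin(sqrt(h))


def impossible_travel(signins, max_kmh=MAX_PLAUSIBLE_KMH):
    """Flag consecutive sign-ins by one user that imply travel faster than max_kmh.

    signins: (user, timestamp, city) tuples. Returns (user, from_city, to_city)."""
    per_user = {}
    for user, ts, city in sorted(signins, key=lambda s: s[1]):
        per_user.setdefault(user, []).append((ts, city))
    alerts = []
    for user, events in per_user.items():
        for (t1, c1), (t2, c2) in zip(events, events[1:]):
            if c1 == c2:
                continue
            km = distance_km(CITIES[c1], CITIES[c2])
            hours = (t2 - t1).total_seconds() / 3600
            # Simultaneous sign-ins from two places are impossible whatever the distance.
            if hours == 0 or km / hours > max_kmh:
                alerts.append((user, c1, c2))
    return alerts


# Constructed log: the Phoenix conference trip is plausible, the Shanghai sign-in is not.
T0 = datetime(2017, 5, 1, 9, 0)
SAMPLE_SIGNINS = [
    ("owner", T0, "Chicago"),
    ("owner", T0 + timedelta(hours=5), "Phoenix"),
    ("owner", T0 + timedelta(hours=5, minutes=10), "Shanghai"),
    ("bookkeeper", T0, "Chicago"),
    ("bookkeeper", T0 + timedelta(hours=8), "Chicago"),
]

if __name__ == "__main__":
    for user, src, dst in impossible_travel(SAMPLE_SIGNINS):
        print(f"impossible travel for {user}: {src} -> {dst}")
```

The detector only compares each sign-in with the previous one for the same user, which is enough to catch both the simultaneous Chicago/China case and a too-fast hop between two distant cities.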
Azure Information Protection
What if you had a very sensitive document that contained information about you, your employees or your clients – salary information, personal information, financial information, passwords, etc.? What if you could create a document inside of Microsoft Word, and simply classify it as “Highly Confidential”, and in doing so, your IT security system knew that this document could only be seen by company partners or financial officers, and that protection followed this document NO MATTER WHO HAD THE DOCUMENT OR WHERE IT WAS IN THE WORLD? You could send this document to your ENTIRE STAFF, but nobody except company partners and financial officers could ever open the document. If this document were placed in the wrong company folder, it also wouldn’t matter. A disgruntled employee could copy this document, let’s call it “Wayne Chapin Compensation Package 2017”, to a USB drive and take it home with them, and still, they would never be able to open it. Any time someone attempted to open the document, you’d get a notice with a GPS location, and at any time, you could revoke the document entirely so that even people with permissions can no longer view it. You can even set that the document must see an Internet connection every 7 days or it dies. You can even have documents AUTOMATICALLY classify and secure themselves based on words like “employment agreement”, “bonus plan”, etc. This is the kind of security you get with Azure Information Protection, and it is easily implemented.
Microsoft Intune and Azure Active Directory Conditional Access
I would also suggest for your IT security, that you manage which DEVICES are allowed to connect to your data—not just who.
Most companies provide computers for their staff but not cell phones – though the company always allows the employee to access email and company data on their cell phone, even though at that point they have no control over the data, which is usually synced to the mobile device. The data can generally be connected to from any device and a synced copy made on any device. We call this “shadow IT”: copies of your data over which you have no control.
Wouldn’t it be nice to know:
- Only company computers that are digitally under company control and management are allowed to connect to your data.
- Computers that are not registered under company management are not allowed to connect, even if the user connecting has a valid user account.
Using Microsoft Intune and Azure Active Directory Conditional Access, we can easily set these requirements. All company computers are Azure Active Directory joined and enrolled in Microsoft Intune. Then, when an active user logs in from that device, Azure Active Directory checks the password, authenticates the user, then checks the compliance policy in Azure Active Directory. If the compliance policy states that the user must be connecting from a compliant device (i.e., a device enrolled in Microsoft Intune), then the computer will be allowed to connect. If the user is connecting from a non-compliant device (i.e., his friend's Windows Vista computer that hasn’t been updated in 6 years), then the access will be blocked—even though the user account itself isn’t blocked. This ensures your data is only being worked on with your company computers.
Microsoft Intune Device Profiles (i.e., getting rid of imaging)
Imagine if you had a computer setup process that didn’t involve setting up and maintaining images or laborious, time-consuming manual setups; where a user could purchase a computer off the shelf, log in with their Azure Active Directory account out of the box, and your IT system sent that computer instructions on how to configure itself, install Microsoft Office and any other 3rd party desktop apps, and within an hour the computer was ready to go on your computer network. This is known as “zero-touch deployment” and is a service using Windows Autopilot and Microsoft Intune.
With Microsoft Intune, you can easily set up device profiles that will apply your company's required settings to computers. You can also define compliance policies so that if a user tried to change a computer setting, their computer would be flagged as out of compliance under your Microsoft Intune compliance policy and not allowed to connect to company data – even if their user account is valid.
Lastly, think about the Windows operating system itself. At the very least, the hard drive should be encrypted (free with Windows 10 Pro and Enterprise), it should have serious antivirus (free with Windows 10 Pro and Enterprise), and the computer should be set up to update the OS and antivirus regularly. It should be configured with an idle-time lockout and a system wipe after 10 failed logins. All of this can easily be managed with Microsoft Intune, Microsoft's cloud device management service.
Mobile App Management Without Enrollment
And how about those personal cell phones your staff connect to your company data from? What if we could allow your staff to access their email and documents from their personal devices, but not allow that data to be moved outside of company control – and without having to install anything on the employee’s personal device? This is possible with Microsoft Intune using Mobile App Management Without Enrollment. On any mobile device, iOS or Android (and soon Windows OS Enterprise), a business can configure that company data can only be accessed by company-managed apps, like Outlook, Word and Excel, and that the data cannot leave the app, be moved to local storage, or be moved to a user’s personal Dropbox account – not even copied or pasted. And if the employee leaves, all access to the data and the apps, and the data itself, is immediately removed. The data is no longer available, even synced data, but the employee’s personal data will still work in the very same apps. Amazing.
Windows OS Devices
These days, with our users accessing our data through 3rd party cloud services (like Microsoft 365) and outside the management of local networks and firewalls, we need to put much more focus on the Windows OS devices themselves. On startup, Windows has the ability to confirm whether it is healthy and report that to Microsoft Intune. It can:
- Launch software prior to the boot of the operating system that scans for viruses.
- Launch software that scans the code of 3rd party software drivers to ensure they are digitally signed and not a virus.
- Confirm that the software used to load the operating system was not tampered with.
Once all the checks have been done, Windows reports or “attests” whether it is healthy, and if NOT, we can set up an Azure Active Directory Conditional Access rule stating that access from that device is to be blocked, since accessing your company data with that device presents a risk to the privacy and security of your company data.
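The device checks described in the Conditional Access sections above (a valid user still being blocked because the device is not joined, not Intune compliant, or failed its health attestation) can be modelled as a small policy evaluator. This is an added example and not Microsoft's implementation; the Device, SignIn and Policy records and the three sample devices are constructed for the illustration.

```python
"""Simplified model of the Conditional Access decision described above (added example)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Device:
    name: str
    azure_ad_joined: bool = False
    intune_compliant: bool = False
    health_attested: bool = True   # result of the Windows startup health checks


@dataclass(frozen=True)
class SignIn:
    user: str
    password_ok: bool
    user_enabled: bool
    device: Device


@dataclass(frozen=True)
class Policy:
    """Device conditions a valid user must also satisfy before reaching company data."""
    require_joined: bool = True
    require_compliant: bool = True
    require_healthy: bool = True


def evaluate(signin, policy):
    """Return ("allow" | "block", reason). Identity is checked first, then the
    device, so a block can be attributed to the device while the account stays valid."""
    if not signin.password_ok:
        return "block", f"{signin.user}: wrong password"
    if not signin.user_enabled:
        return "block", f"{signin.user}: account disabled"
    d = signin.device
    if policy.require_joined and not d.azure_ad_joined:
        return "block", f"{d.name}: not Azure AD joined"
    if policy.require_compliant and not d.intune_compliant:
        return "block", f"{d.name}: not Intune compliant"
    if policy.require_healthy and not d.health_attested:
        return "block", f"{d.name}: failed device health attestation"
    return "allow", f"{d.name}: all device conditions met"


# Constructed devices matching the scenarios in the text.
COMPANY_LAPTOP = Device("company-laptop", azure_ad_joined=True, intune_compliant=True)
FRIENDS_VISTA_PC = Device("friends-vista-pc")
TAMPERED_LAPTOP = Device("tampered-laptop", azure_ad_joined=True,
                         intune_compliant=True, health_attested=False)

if __name__ == "__main__":
    for dev in (COMPANY_LAPTOP, FRIENDS_VISTA_PC, TAMPERED_LAPTOP):
        print(evaluate(SignIn("bookkeeper", True, True, dev), Policy()))
```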
Microsoft Enterprise Mobility + Security (EMS) E5
All of the technology listed above – 1. Azure Active Directory Premium, 2. Microsoft Intune, and 3. Azure Information Protection, the cloud services used to keep your data private, secure and under your control – makes up the Microsoft Enterprise Mobility + Security (“EMS”) E5 package, a proper and highly recommended add-on to an Office 365 subscription. EMS has all the tools we need to manage and maintain your IT, whether you are a start-up or a company with thousands of users.
Want to Really Do Your IT Right? Microsoft 365 Enterprise E5
If you REALLY want to set your business up for success and get EVERYTHING right from the start with MODERN IT, then I HIGHLY recommend the full package: Microsoft 365 Enterprise E5, which includes Office 365 E5 (the best version of Office 365), EMS E5, and Windows Enterprise E5. This package has EVERYTHING we as your IT company need to make your IT highly productive, always up-to-date, and very secure. You’ll always have the latest version of Microsoft Office and Microsoft Windows, connecting up to the latest enhancements and features of Microsoft’s cloud services: Exchange Online, SharePoint Online, Skype for Business Online, Azure Active Directory, Microsoft Intune, Azure Information Protection, etc. – all you need once you have the subscription is an IT company that knows how to set this up right from the start, and a good computer.
We are getting to the end here, but let’s talk firewalls.
A firewall is an important part of IT security and network performance, but I’m afraid it is becoming less and less relevant over time. The days where everyone is in the office all day long, sitting behind the protection of a firewall, are gone, or going fast. People are either traveling more, outside of the company firewall's control, or working from home more – also outside of the control of the company firewall. And as more and more IT moves from behind the firewall up into the cloud, it is easy to start wondering how much the firewall is really adding to security. Your IT guy might enjoy having it, but if 20-30% of your staff are hardly in the office, and your data and apps are in the cloud, that firewall isn’t doing much for you.
A better focus will be on managing the individual devices, configuring them in a way to reduce leakage or shadow copies of company data, and reduce exposure to malware at the endpoint.
Don’t forget the security training…please.
All of your users need to be aware of what a scam email looks like and aware of simple ways to keep themselves from being the victim of an attack.
Having all this low-cost, sophisticated technology can only do so much for you, but simple ongoing short video-based training for your company is really all it takes to keep your users up to speed on IT security.
At Xerillion, we have a video-based training system we provide for our clients that covers all the technology in the Office 365 product family; this is a very easy way to get up to speed fast on things like Outlook, Word, Excel, PowerPoint, Windows and Office 365. The videos are 1 to 4 minutes long and easy to work through when you get to them, with quizzes along the way. One important skill path in the training platform is on security; it is excellent and makes users very aware of what to look out for. Security training should be a part of all of your users' onboarding training for your company.
Working from Home – Where Traditional IT Management Breaks Down
Giving your employees the ability to work from home is a big morale booster – though it is up to you to do it right and ensure your staff can operate just as productively as if they were at the office. If you have an IT company that knows how to properly implement Microsoft 365 and its associated security technologies, you’ll find you have employees getting more done, more efficiently, and HAPPIER, because they can work just as easily from home as they do in the office – and you’ll be comfortable that your data is secured and fully in your control, while you get kudos from your team for being a forward-thinking boss.
I know all the things above were a lot to go over. If it sounds about like where you want to be with your IT and you like Microsoft, then you’ll like working with Xerillion, a Gold Tier 1 Microsoft cloud solution provider.
Let us help you get into the new world of Modern IT productivity and management.