Homeworking securely during lockdown: how secure is domestic tech?

Whilst it’s excusable for businesses to have been unprepared for the rampant consequences of COVID-19, not being prepared for what might follow would be folly. Scientists are already predicting subsequent waves of pandemic disruption and it’s not just the ongoing global epidemic we have to look out for either; there are political and economic challenges ahead too, and robust defences need to be put in place to protect businesses and people.

So, now you have done the right thing by ensuring the immediate safety of your team, this is the time to look at keeping your business as secure as it can be in these unpredictable times.

Necessarily, many organisations have had to quickly provide interim solutions for their employees to work from home. But what happens next? Do those resources scale, do they offer sufficient functional longevity to enable your business to not just survive, but to thrive? Are they secure?

It can be hard to stay productive in a locked down environment, often with the whole family in residence gaming, streaming, YouTubing and home-schooling over home broadband using vulnerable or uncertified apps. Fortunately, there’s a plethora of online guidance and support to address these particular challenges.

But what about your business? What are the potential security ramifications of your team using domestic technology for commercial purposes?

Together with Mark Ashford, MD at one of our partners MACOM Consulting, we have compiled a list of quick Microsoft Office and Teams security checks you should undertake to establish whether or not your company is potentially exposed to what, in any ‘normal’ office environment, would be deemed as unacceptable risk.

• Ensure that auditing is switched on within the Office 365 environment – this used to be off by default, but appears to now be on by default – please do check.

• Disable IMAP and POP3 under SharePoint Admin unless it’s essential.  These are legacy protocols which aren’t normally needed today, though are usually switched on by default.  This is a risk, as IMAP can be used to download someone’s mailbox if their account is compromised.

• When creating a new Team, it’s best practice to do this from SharePoint as that provides more control.  When you create a Team, within Microsoft Teams, it automatically creates a SharePoint site, which may not have your SharePoint governance applied.

• Think about Security Groups.  If they’re created in Active Directory (AAD / AD environment), they can be used to secure a SharePoint Site, but they won’t secure the Teams site – even though the backend is SharePoint.

• SharePoint is not backed up by Microsoft.  If something is deleted, when there are no retention polices applied, it will sit in recycle bin for 93 days, and then it will be removed.  After that, it cannot be recovered.  Our recommendation is to go with a 3^rd party backup solution / provider to ensure that your data can be recovered.  If you do apply retention policies, the file cannot be deleted if it’s within the defined policy.

• As OneDrive is integrated into SharePoint, the same thing applies. So, if you have an employee who has data on their personal OneDrive space, and leaves the company, their data will be deleted 93 days after their account is removed.  Note: by default, an admin does not have access to someone’s personal OneDrive, so again, if they leave, you may not have access to the data.

• Review your Security & Compliance Centre.  Look at applying labels to data, particularly around PII in line with GDPR compliance.  SharePoint has some polices and labels built-in which can be applied, and they can be used to trigger notifications when PII data is shared outside of the company, by email for example.  Look into your DLP settings.

• Employ Multi Factor Authentication (MFA). Office 365 is a huge target for fraud and cybercrime.  Policies can be implemented which negate the need for MFA when within the secure confines of the corporate network – i.e. within the office environment.  Setup can be flexible with different polices being applied. For example, it should be requested every time a connection is made via the web portal, but you may decide to set it only every 24 hours when connecting into Teams, through a BYO device.

• Look at Intune device management with conditional access.  This is very powerful, but can be tricky to setup.  You can configure it so that the only apps that are allowed to connect to the corporate environment, are ones deployed via the company portal – this prevents anyone without this security from being able to access the corporate network.