Security and the Shared-Responsibility Model
Under the shared-responsibility model of cloud security, organizations secure what they own.
Microsoft owns the infrastructure that runs Microsoft 365 applications and services, so protecting that infrastructure is Microsoft’s responsibility. Everything else, from digital identities to user devices and stored data, must be secured by the business.
This creates an opportunity for compromise. If small businesses don’t recognize their role in defense, they may inadvertently leave digital doors open for attackers. Misconfigurations are a common culprit; for example, as noted by Acronis, if businesses don’t properly configure Microsoft Exchange settings, they may be exposed to email spoofing.
Common Security Mistakes Made by SMBs
If small businesses miss the memo on shared responsibility, they’re more likely to make common security mistakes, such as:
- Failing to enable multifactor authentication for all users: Without MFA, brute-force password attacks or credential spoofing are much more likely to succeed.
- Ignoring administrative access controls: If businesses don’t limit data access, the compromise of any user profile could expose sensitive data.
- Poor password hygiene: Failing to implement strong password requirements puts SMBs at risk of large-scale compromise, especially if they leverage single sign-on frameworks for streamlined access.
- Failing to back up data: Data in the cloud is secure but not inviolable. Failure to back up this data locally can create challenges if misconfigurations lead to security breaches.
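The first two mistakes in the list above can be checked from a per-user export of MFA registration and admin status. The following is an added example, not code from the article or from Microsoft. It assumes a CSV export whose column names follow Microsoft Graph's userRegistrationDetails report; the users are constructed and the severity ranking is this example's own choice.

```python
import csv
import io

# Constructed sample export: made-up users, not data from any real tenant.
# Column names are assumed to follow Graph's userRegistrationDetails report.
SAMPLE_EXPORT = """userPrincipalName,isAdmin,isMfaRegistered,isMfaCapable
owner@example.com,true,true,true
it-admin@example.com,true,false,false
sales1@example.com,false,true,true
sales2@example.com,false,,false
frontdesk@example.com,false,true,false
"""
REQUIRED = ("userPrincipalName", "isAdmin", "isMfaRegistered", "isMfaCapable")
SEVERITY_ORDER = {"critical": 0, "high": 1, "medium": 2}

def _rows(export_text):
    reader = csv.DictReader(io.StringIO(export_text))
    missing = [c for c in REQUIRED if c not in (reader.fieldnames or [])]
    if missing:
        raise ValueError(f"export is missing columns: {missing}")
    return list(reader)

def _true(value):
    # Fail closed: a blank or unexpected value counts as "not enabled".
    return (value or "").strip().lower() == "true"

def audit_mfa(export_text):
    """Return MFA gaps as findings, sorted most severe first."""
    findings = []
    for row in _rows(export_text):
        admin = _true(row["isAdmin"])
        if not _true(row["isMfaRegistered"]):
            severity, reason = ("critical" if admin else "high"), "no MFA method registered"
        elif not _true(row["isMfaCapable"]):
            severity, reason = ("high" if admin else "medium"), "registered method not allowed by policy"
        else:
            continue
        findings.append({"user": row["userPrincipalName"].strip(), "admin": admin,
                         "severity": severity, "reason": reason})
    return sorted(findings, key=lambda f: (SEVERITY_ORDER[f["severity"]], f["user"]))

def mfa_coverage(export_text):
    """Fraction of accounts with an MFA method registered (0.0 if empty)."""
    rows = _rows(export_text)
    return sum(_true(r["isMfaRegistered"]) for r in rows) / len(rows) if rows else 0.0

if __name__ == "__main__":
    for f in audit_mfa(SAMPLE_EXPORT):
        print(f"{f['severity']:8} {f['user']:24} {f['reason']}")
    print(f"MFA coverage: {mfa_coverage(SAMPLE_EXPORT):.0%}")
```

Administrator accounts without MFA sort to the top because, as the list notes, the compromise of a privileged profile exposes the most data.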
Best Practices to Boost Microsoft 365 Security
Microsoft 365 includes multiple security features that can improve protection — if SMBs use them. These include MFA, conditional access policies, data loss prevention policies, Microsoft Defender for Office 365, encryption and secure-share settings for OneDrive, SharePoint and Teams. Businesses should be sure they are using all of these security features.
They should also implement four best practices. First, they should conduct regular security audits and assessments to ensure data is protected and applications are secure. While networks may appear secure, testing is the only way to pinpoint gaps in protection. Regular testing helps ensure consistent protection as IT environments evolve.
Second is employee training. Staff should be trained to recognize common phishing and credential threat tactics, and their knowledge should be tested against simulated attacks. It’s also important to create a security-first culture that encourages staff to report any suspicious behavior.
The third best practice is to use Microsoft security add-ons. These include Entra for identity protection, Purview for compliance and governance, and Intune for device management.
Fourth, and finally, it’s worth considering a partnership with a managed service provider to help set up, deploy, monitor and manage security solutions. While it’s possible to handle these responsibilities in-house, many small businesses have limited IT teams or take a community approach to IT operations. In both cases, businesses may find themselves stretched thin when it comes to security management at scale.
Microsoft 365 is a powerful productivity solution, but it requires active security management to protect SMBs from evolving threats and deliver consistent ROI. CDW can help SMBs deploy critical security solutions and ensure they’re working properly. Bottom line? Acting now prevents breaches later. Get started today with CDW.
This article is part of BizTech's AgilITy blog series.