10 Practical Questions to your IT Provider around email security and 365
Last week I attended a Webinar which served as a useful reminder of the key points any prospective client should ask their IT Managed Service Provider regarding email security and Microsoft 365. Whilst Fusion IT is ISO 27001 accredited, it is always worth revisiting and refreshing your security knowledge to make sure you have all the bases covered.
So here are the top ten questions gleaned from the Webinar:-
- Are your domain records configured correctly to prevent spoofing?
  - Most are not!
- How many of your staff email accounts are exposed on the dark web?
  - Usernames and passwords are available for sale, and you need to know who has been compromised…
- Passwords – are they secret, complex and unique, and who controls this?
  - Good password management is critical!
- Are your inbound and outbound email filters configured correctly?
  - Inbound needs rules to quarantine; outbound needs rules to prevent thousands of phishing emails being sent from your account.
- Is Multi-factor Authentication (MFA) deployed wherever possible? Is it configured correctly?
  - Only 23% of Scottish law firms use it, according to a recent poll, and another survey revealed that 77% of all MFA is incorrectly set up.
- Conditional access – who has permission to access your systems, and from where?
  - Most threat actors will be attacking from outside the UK, so ensure geographical controls are correctly configured…
- Legacy authentication – are you still using POP and IMAP?
  - This can bypass MFA, so beware!
- Outlook Web Application (OWA).
  - Are devices authenticated (recognised) when they log in?
- Do staff receive emails on mobile phones?
  - Who owns them?
  - Which app are they using?
- Alerts & logs – are these set up to tell you if unusual behaviour is occurring?
  - Would you know if a criminal was in your system?
  - Would you know if staff are sending work information to their personal email accounts?
  - Would your audit logs tell you what’s been going on?
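The first question on the list, whether your domain records are set up to prevent spoofing, normally comes down to the SPF and DMARC TXT records published for the domain. The following is an added example (the editor's code, not Fusion IT's or anything from the webinar) that applies the common sanity checks to those two records: SPF must start with `v=spf1`, end in a failing `all` mechanism, and stay within the ten DNS-lookup limit of RFC 7208; DMARC must start with `v=DMARC1`, carry an enforcing policy, name a reporting address and apply to 100% of mail. The records below are constructed for a hypothetical `example.com` tenant (the `spf.protection.outlook.com` include is the usual Microsoft 365 one); in practice you would fetch them with a DNS lookup of the domain's TXT record and of `_dmarc.<domain>`.

```python
"""Static sanity checks for the SPF and DMARC records that stop a domain being spoofed.

Added example, not part of the original post. The records at the bottom are
constructed for a hypothetical example.com tenant.
"""
import re

# Terms that each cost one of the ten DNS lookups SPF allows (RFC 7208, section 4.6.4).
SPF_LOOKUP_MECHANISMS = {"include", "a", "mx", "ptr", "exists", "redirect"}


def parse_spf(record: str) -> dict:
    """Split an SPF TXT record into its terms, final 'all' qualifier and lookup count."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return {"valid": False, "terms": terms, "all": None, "lookups": 0}
    all_qualifier = None
    lookups = 0
    for term in terms[1:]:
        qualifier, body = "+", term            # an unqualified term means "+" (pass)
        if term[0] in "+-~?":
            qualifier, body = term[0], term[1:]
        name = re.split(r"[:=/]", body, maxsplit=1)[0].lower()
        if name == "all":
            all_qualifier = qualifier
        elif name in SPF_LOOKUP_MECHANISMS:
            lookups += 1
    return {"valid": True, "terms": terms[1:], "all": all_qualifier, "lookups": lookups}


def check_spf(record):
    """Return a list of findings; an empty list means the record looks sound."""
    if record is None:
        return ["no SPF record published: any host can claim to send for this domain"]
    spf = parse_spf(record)
    if not spf["valid"]:
        return ["record does not start with v=spf1"]
    findings = []
    if spf["all"] is None:
        findings.append("no 'all' mechanism: unlisted senders are neither passed nor failed")
    elif spf["all"] == "+":
        findings.append("'+all' authorises every host on the internet to send as this domain")
    elif spf["all"] == "?":
        findings.append("'?all' is neutral: receivers treat unlisted senders as if no SPF existed")
    if spf["lookups"] > 10:
        findings.append(f"{spf['lookups']} DNS-lookup terms exceed the limit of 10; receivers return permerror")
    return findings


def parse_dmarc(record: str) -> dict:
    """Parse 'tag=value; tag=value' into a dict keyed by lower-cased tag name."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def check_dmarc(record):
    """Return a list of findings for a DMARC record; empty means it enforces and reports."""
    if record is None:
        return ["no DMARC record at _dmarc.<domain>: SPF/DKIM failures are not acted on"]
    tags = parse_dmarc(record)
    if tags.get("v") != "DMARC1":
        return ["record does not start with v=DMARC1"]
    findings = []
    policy = tags.get("p", "")
    if policy == "none":
        findings.append("p=none only monitors; spoofed mail is still delivered")
    elif policy not in ("quarantine", "reject"):
        findings.append(f"unknown or missing policy '{policy}'")
    if "rua" not in tags:
        findings.append("no rua= address: nobody receives aggregate reports of spoofing attempts")
    pct = tags.get("pct", "100")
    if pct.isdigit() and int(pct) < 100:
        findings.append(f"pct={pct}: policy applied to only {pct}% of failing mail")
    return findings


# Constructed records for a hypothetical example.com Microsoft 365 tenant.
WEAK_SPF = "v=spf1 include:spf.protection.outlook.com ?all"
GOOD_SPF = "v=spf1 include:spf.protection.outlook.com -all"
WEAK_DMARC = "v=DMARC1; p=none"
GOOD_DMARC = "v=DMARC1; p=reject; rua=mailto:dmarc-reports@example.com"

if __name__ == "__main__":
    for label, spf, dmarc in (("weak", WEAK_SPF, WEAK_DMARC), ("good", GOOD_SPF, GOOD_DMARC)):
        print(label, "SPF:", check_spf(spf) or "ok", "| DMARC:", check_dmarc(dmarc) or "ok")
```

Running it reports the `?all` and `p=none` weaknesses on the first pair and nothing on the second. DKIM is the third record in the set and is not covered here, because its correctness depends on the signing selector published by the sending service rather than on a single parseable TXT record.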
It is important to remember that the above are purely questions to ask about email. In general, the Webinar revealed that most law firms (Legal is a key sector Fusion focuses on) quite worryingly have no more than 2 or 3 of the above questions/areas adequately covered, and those are often incorrectly configured.
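Three of the questions above (conditional access from outside the UK, legacy POP/IMAP authentication that sidesteps MFA, and alerts that would tell you staff are forwarding work mail to personal accounts) can all be answered from the same sign-in and audit logs if someone is actually looking at them. The following is an added example (the editor's code, not from the post or the webinar) that runs those three checks over a handful of constructed events and then correlates them per user. The event records are simplified and constructed; their field names are modelled on Entra ID sign-in logs and on the Exchange Online `New-InboxRule` audit record, but a real export carries many more fields and different nesting, so the `SAMPLE_EVENTS` shape, the allowed-country set and the internal-domain set are all assumptions to adapt.

```python
"""Triage of constructed Microsoft 365 audit events for three of the questions above:
sign-ins from outside the expected country, legacy-protocol sign-ins, and inbox rules
that forward mail to external addresses.

Added example, not part of the original post. Events are constructed and simplified;
field names are modelled on Entra ID sign-in logs and the Exchange New-InboxRule audit
record, and a real export will differ (assumption to adapt per tenant).
"""
import json

ALLOWED_COUNTRIES = {"GB"}           # assumption: a UK-only workforce
INTERNAL_DOMAINS = {"example.com"}   # assumption: the firm's own mail domain(s)
# Protocols that use basic authentication and so never see an MFA prompt.
LEGACY_PROTOCOLS = {"IMAP4", "POP3", "Authenticated SMTP", "Exchange ActiveSync"}

# Constructed sample: one normal browser sign-in, one successful IMAP sign-in from
# abroad, one failed foreign attempt, one forwarding rule to a personal mailbox,
# and one benign internal forwarding rule.
SAMPLE_EVENTS = json.loads('''[
 {"type": "SignIn", "time": "2024-03-04T08:01:00Z", "user": "a.smith@example.com",
  "country": "GB", "clientApp": "Browser", "success": true},
 {"type": "SignIn", "time": "2024-03-04T08:05:00Z", "user": "a.smith@example.com",
  "country": "NG", "clientApp": "IMAP4", "success": true},
 {"type": "SignIn", "time": "2024-03-04T08:06:00Z", "user": "b.jones@example.com",
  "country": "US", "clientApp": "Browser", "success": false},
 {"type": "InboxRule", "time": "2024-03-04T08:07:00Z", "user": "a.smith@example.com",
  "name": "sync", "forwardTo": ["a.smith.home@personal-mail.example"]},
 {"type": "InboxRule", "time": "2024-03-04T09:00:00Z", "user": "c.brown@example.com",
  "name": "to assistant", "forwardTo": ["d.white@example.com"]}
]''')


def external_address(addr: str) -> bool:
    """True when the address's domain is not one of the firm's own."""
    domain = addr.rsplit("@", 1)[-1].lower()
    return domain not in INTERNAL_DOMAINS


def triage(events):
    """Return (severity, rule, user, detail) tuples, one per suspicious event."""
    alerts = []
    for e in events:
        if e["type"] == "SignIn":
            if not e["success"]:
                continue  # failed attempts are handled by a separate volume-based rule
            if e["country"] not in ALLOWED_COUNTRIES:
                alerts.append(("high", "signin_outside_allowed_country", e["user"], e["country"]))
            if e["clientApp"] in LEGACY_PROTOCOLS:
                alerts.append(("high", "legacy_protocol_signin", e["user"], e["clientApp"]))
        elif e["type"] == "InboxRule":
            for addr in e.get("forwardTo", []):
                if external_address(addr):
                    alerts.append(("critical", "inbox_rule_forwards_externally", e["user"], addr))
    return alerts


def users_needing_investigation(alerts):
    """Users with both a suspicious sign-in and an external forwarding rule,
    the sequence that usually means a mailbox has been taken over."""
    rules_by_user = {}
    for _, rule, user, _ in alerts:
        rules_by_user.setdefault(user, set()).add(rule)
    signin_rules = {"signin_outside_allowed_country", "legacy_protocol_signin"}
    return sorted(user for user, rules in rules_by_user.items()
                  if "inbox_rule_forwards_externally" in rules and rules & signin_rules)


if __name__ == "__main__":
    found = triage(SAMPLE_EVENTS)
    for alert in found:
        print(*alert)
    print("investigate:", users_needing_investigation(found))
```

On the sample data the failed US attempt and the internal forwarding rule produce nothing, while a.smith's IMAP sign-in from outside the UK followed by a rule forwarding to a personal mailbox raises three alerts and lands that one account on the investigation list. The same three rules are what a "tell me if unusual behaviour is occurring" alert policy should encode; if nobody can say where these events would be reviewed, the answer to the alerts and logs question is no.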
Other areas which need to be considered:-
Email security is just the tip of the iceberg. When reviewing your IT Security posture the following areas should be taken into account and assessed.
- Staff behaviour
- Anti-virus configuration
- Device security
- Firewall set up
- Remote working – VPNs, RDP
- Hosted and cloud service security
Please, if you have any concerns about your IT Security posture in terms of email or any of the other areas mentioned above, give Fusion IT a call. My recent blog on The State of Cyber Security highlighted that many IT Security vendors are fighting an ever more challenging battle against what are known as Active Adversaries, and it has never been more critical to secure your network, sensitive client data and employee activity. Don’t leave your IT Security to chance!