Office 365 and Cyber Security

Onthebrightside

Free Member
Oct 29, 2018
Dear all - I am hoping someone can assist with this query:

We are a small company providing Economic studies to Local Authorities, Universities etc. Most of the contracts we find require us to sign-up to frameworks. Some of those frameworks are now asking for Cyber Security.

At present we keep our files on OneDrive/SharePoint, but does that really fulfil all the criteria listed below, such as anti-virus (surely Microsoft is providing that), data protection and encryption of data on the server - again surely 365. Aren't things like restricted access also covered, after all, no one can see any of the files unless the files are shared with them?

In short, what I am asking is would we be credible in replying on this form that we are using Office 365 OneDrive and Sharepoint and asking any questions that way, or is it more likely that they would require far more than that and therefore we would need to ensure our files were managed by a data company? If that is the case, what sort of charges do such companies make and what do you get for your money - are there any recommendations?

With many thanks for any assistance anyone can give (for reference, below is the latest form we are filling in and the sort of questions we are being asked).

Thanks
Trish

1. Cyber Security Provide a detailed description of:
(a) The security technologies adopted to protect on-premise and cloud-based systems, servers and devices. This should include malware (anti-virus) implementation and other technical security provisions that are employed (e.g. firewalls, end-point monitoring) to protect client data.
(b) The security technologies adopted, including encryption techniques, to protect data at rest on servers, laptops and other devices and data in transmission to HIE and SoSE.

2. Data Storage & Transmission Provide a detailed description of:
(a) The policies and procedures adopted to protect and secure data and information gathered as part of delivery of the contract.
(b) The geographic location of the data centre/servers where data and information will be stored and processed. This should include details of on-premise, cloud or hybrid storage environments.
(c) How data and information will be subsequently destroyed at the conclusion of the assignment. This should include a description of the precise procedures and tools employed to erase, destroy and render unreadable all data.

3. Access Control Describe what provisions will be in place to control access to data. Your response should at a minimum include:
(a) Restrictions and controls on access to the data/information (i.e. building and room access; computer access).
(b) How users are authenticated and authorised to gain access to the data (e.g. multifactor authentication; password policy).

4. Service Continuity Describe back-up and disaster recovery systems and procedures that are in place to continue service delivery in the event malware infection; data loss or corruption. This should include data replication times in the live system and restore times in the event of catastrophic failure.
5. Supply Chain Assurance If third-party software, platforms, cloud solutions or sub-contractors are employed, detail the assurances that have been obtained that these are secure and the methodology employed to gain these assurances.
 

Solve My Problem

Free Member
Jul 16, 2021
Essex
You will probably want to look at getting a proper security audit to help you in detail.

Most small businesses don't protect their data correctly. When you have to account for procedures it's important to think carefully about each step.

You not only have the process of who can access the data within your organisation but also who can access data should machines get stolen, and how you protect data outside of your organisation.

So first off at the bare minimum your machines should have up to date paid anti-virus software. Something like Acronis will provide anti-malware and antivirus with one package. They bought Bitdefender and now bundle this with their software.

https://www.acronis.com/en-gb/products/cyber-protect/security/

They also offer encrypted backups.

By using a package such as Acronis it is recognised.

You should also have a decent router rather than the standard ISP cheap models. These will allow you to configure a firewall to block traffic (both in and out).

On your machines you should employ disk encryption, one such product is BitLocker that is shipped with Windows 10 Pro. Equally you can use encrypted disk storage that allows you to save files locally in encrypted containers, this means even if your machine was stolen the data is still secure.

With online storage services you should employ at the minimum two factor authentication, meaning even with a username/password someone cannot gain access to your account without an additional code.

You should use a password manager such as 1password or LastPass, and use random long generated passwords for all services.

You should also have a procedure in place for if computers are stolen, if that happened, what services need to have passwords changed, what services do you need to login to to deactivate access from your machine etc...

All the above is key especially with Ransomware etc.. if you came into the office tomorrow and had no access to your computers, how would you get back within 12 hours.

Backups, strong password access, two factor authentication, restricted access to physical computers, strong Anti-Virus and Malware protection, secure backups, secure backups, secure backups.

Darren
 
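A practical way to check the endpoint controls Darren lists (anti-virus, disk encryption, firewall) on a Windows machine, as an added example that is not from the thread or from any product mentioned in it: the script below uses the built-in Defender, BitLocker and NetSecurity PowerShell modules to report whether antivirus and real-time protection are on with recent signatures, whether the system drive is fully encrypted with BitLocker protection on, and whether the firewall is enabled on every profile. It assumes Windows 10/11 Pro or later (the BitLocker cmdlets are not present on Home editions) and an elevated PowerShell session; the 7-day signature-age threshold is a chosen value, not a standard.

```powershell
# Added example: endpoint baseline check for the controls discussed in the thread.
# Assumes Windows 10/11 Pro (BitLocker module present) and an elevated session.
#Requires -RunAsAdministrator

$findings = @()

# 1. Anti-malware: Microsoft Defender enabled, real-time protection on, signatures recent.
$mp = Get-MpComputerStatus
if (-not $mp.AntivirusEnabled)          { $findings += "Antivirus is disabled" }
if (-not $mp.RealTimeProtectionEnabled) { $findings += "Real-time protection is off" }
$sigAge = (Get-Date) - $mp.AntivirusSignatureLastUpdated
if ($sigAge.TotalDays -gt 7) {   # 7 days is an assumed threshold, not a standard
    $findings += ("Antivirus signatures last updated {0:N0} days ago" -f $sigAge.TotalDays)
}

# 2. Disk encryption: the system drive should be fully encrypted and protection switched on.
$os = Get-BitLockerVolume -MountPoint $env:SystemDrive
if ($os.VolumeStatus -ne 'FullyEncrypted' -or $os.ProtectionStatus -ne 'On') {
    $findings += ("System drive {0} is not protected by BitLocker (volume: {1}, protection: {2})" -f
        $os.MountPoint, $os.VolumeStatus, $os.ProtectionStatus)
}

# 3. Firewall: the Domain, Private and Public profiles should all be enabled.
foreach ($profile in Get-NetFirewallProfile) {
    if ($profile.Enabled -ne 'True') {
        $findings += "Firewall profile '$($profile.Name)' is disabled"
    }
}

# Report. A clean run is the evidence you can quote in the tender response.
if ($findings.Count -eq 0) {
    Write-Output "PASS: antivirus, disk encryption and firewall checks all satisfied on $($env:COMPUTERNAME)"
} else {
    Write-Output "FAIL on $($env:COMPUTERNAME):"
    $findings | ForEach-Object { Write-Output " - $_" }
}
```

Run it on each laptop in turn; if a third-party anti-virus product such as the one Darren mentions is installed instead of Defender, the first block will report Defender as disabled and that product's own console is the place to confirm the equivalent settings.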

Solve My Problem

Free Member
Jul 16, 2021
Essex
The other consideration is your Wi-Fi being secure and mobiles connecting to it. Your mobile, if using the Wi-Fi, should have anti-virus installed. Your Wi-Fi should have a strong password and be in a locked cabinet, i.e. it's physical security as well as virtual.

If you are working from home your work network should be separated from your home devices.
 

Solve My Problem

Free Member
Jul 16, 2021
Essex
> I am very grateful for the information.
You're welcome, the link contains lots of information.

It's about thinking about who has access, who could get access and how you deal with that.

Data security is huge, lots of businesses get caught on ransomware and have not thought about how they would deal with it, it's the same principles when handling client data.
 

Solve My Problem

Free Member
Jul 16, 2021
Essex
> If I could ask another question:
>
> Is there such a thing as a Cyber Essential Accreditation? So that once you have fulfilled all the criteria you can get 'rubber-stamped' so to speak when applying for contracts/tenders etc.?
Yes, there is a link on the site. It does open the door for applying for various contracts.


Onthebrightside

Free Member
Oct 29, 2018
> Yes, there is a link on the site. It does open the door for applying for various contracts.

Thank you for this. I am trying to read through it, but I am getting a little confused. I will though keep reading and I am grateful for the advice/links etc.
 

Avast Business

Free Member
Jan 25, 2022
London
> If I could ask another question:
>
> Is there such a thing as a Cyber Essential Accreditation? So that once you have fulfilled all the criteria you can get 'rubber-stamped' so to speak when applying for contracts/tenders et
Agree with a lot of what's been said already - that relying on a single vendor (Microsoft) is not wise. There are vendors with tools that can help get you towards Cyber Essentials Certification, but you'll need to put in place a number of processes. We know IASME (https://iasme.co.uk/cyber-essentials/) very well and they are one of the main accreditations for Cyber Essentials. IASME do the certification and training for Managed Services Providers (MSPs) who in turn take people through the Cyber Essentials process.
 

matthewbeddoes

Free Member
Business Listing
Do you have a cybersecurity policy, detailing what happens with data, how it is stored, how it is used, what security protection mechanisms you have in place? Each company should have one; try looking at your data and think what a malicious person could do with it, and then look at how to mitigate the risks.

Next perform a full security audit of your website and network, include this in your security policy "we test our website/network every month for new security issues".

Feel free to contact me if you need to chat.
 

Onthebrightside

Free Member
Oct 29, 2018
> Do you have a cybersecurity policy, detailing what happens with data, how it is stored, how it is used, what security protection mechanisms you have in place? Each company should have one; try looking at your data and think what a malicious person could do with it, and then look at how to mitigate the risks.
>
> Next perform a full security audit of your website and network, include this in your security policy "we test our website/network every month for new security issues".
>
> Feel free to contact me if you need to chat.
Thank you Matthew. No, we don't have that in place. The more advice I receive the more I begin to realise how glad I was not to appear here under the company name to advise everyone of how little security we have.

Having followed the links provided by @Solve My Problem to the government website, been slightly thrown by the question about my 'thin clients' (which I now understand having looked up the lingo), but totally flummoxed by some of the other questions, I am feeling that we do indeed need to ask the questions you have put above and then get someone in to assist us with achieving Cyber Essential Certification.

I have a feeling we are a looooong way off.

With thanks
Trish
 

Onthebrightside

Free Member
Oct 29, 2018
> Dear Trish,
>
> Unfortunately, stating you adopt Office365 does not deem an organisation as "secure".
>
> A couple of quick points for you:
>   1. Define your Cyber Security Policy.
>   2. Microsoft 365 has a tool called "Secure Score" which can be used to assess your current security posture and identify changes that need to be made.
>
> Best,
>
> Sam
Many thanks Sam, I did go to "Secure Score"; some of the Policy changes we need seemed to require a package called Azure? In other points the impacts ranged from all Users of Office 365 to 11 users as they were below Multi Factor Authentication standards. The problem I have is that if I activate those things without knowing who is affected, our consultants that work from Italy/China/France could be cut out of the system I would guess. I think I really need to find a company that can deal with this for us and get a quote. This is far too far reaching for my tiny mind.
 

Solve My Problem

Free Member
Jul 16, 2021
Essex
> Many thanks Sam, I did go to "Secure Score"; some of the Policy changes we need seemed to require a package called Azure? In other points the impacts ranged from all Users of Office 365 to 11 users as they were below Multi Factor Authentication standards. The problem I have is that if I activate those things without knowing who is affected, our consultants that work from Italy/China/France could be cut out of the system I would guess. I think I really need to find a company that can deal with this for us and get a quote. This is far too far reaching for my tiny mind.
Azure is their Microsoft cloud service.

Message me and I will help you, it's not massively complicated.

It is more about ensuring who has access to what. Ensuring you have 2 factor authentication on all email and logins. Where your data is stored and who in the organisation has access to it.

Darren
 
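Trish's worry above, that enforcing MFA without knowing who is affected could lock out the consultants abroad, is exactly what a registration report answers before anything is switched on; it is also the "who has access to what" question Darren raises. The script below is an added example, not from the thread, from Microsoft or from any vendor in it: it uses the Microsoft Graph PowerShell SDK to list every Microsoft 365 user who has not yet registered an MFA method, with admin accounts first, so they can be contacted before MFA is required. It is read-only and assumes the Microsoft.Graph modules are installed and that the person running it can consent to the AuditLog.Read.All and UserAuthenticationMethod.Read.All permissions; the CSV path is an assumption.

```powershell
# Added example: who would be affected by enforcing MFA in this tenant?
# Uses the Microsoft Graph PowerShell SDK (Install-Module Microsoft.Graph).
# Read-only: it changes no settings and enforces nothing.
Import-Module Microsoft.Graph.Reports

# Interactive sign-in; both scopes are read-only report permissions.
Connect-MgGraph -Scopes "AuditLog.Read.All","UserAuthenticationMethod.Read.All" -NoWelcome

# One row per user describing the authentication methods they have registered.
$registrations = @(Get-MgReportAuthenticationMethodUserRegistrationDetail -All)

# Users with no MFA method at all: these are the ones an MFA requirement would lock out
# until they enrol (the overseas consultants would show up here if not yet registered).
$notReady = @($registrations | Where-Object { -not $_.IsMfaRegistered })

# Admin accounts carry the most risk, so flag them separately.
$adminsNotReady = @($notReady | Where-Object { $_.IsAdmin })

Write-Output ("{0} of {1} users have no MFA method registered ({2} of them admins)." -f
    $notReady.Count, $registrations.Count, $adminsNotReady.Count)

$notReady |
    Select-Object UserPrincipalName, UserDisplayName, IsAdmin,
        @{ Name = 'MethodsRegistered'; Expression = { $_.MethodsRegistered -join ', ' } } |
    Sort-Object IsAdmin -Descending |
    Format-Table -AutoSize

# Export the list for whoever will chase enrolment (output path is an assumption).
$notReady |
    Select-Object UserPrincipalName, UserDisplayName, IsAdmin |
    Export-Csv -Path "$HOME\mfa-not-registered.csv" -NoTypeInformation

Disconnect-MgGraph | Out-Null
```

Re-run it after asking the listed users to register; once it reports zero, requiring MFA for everyone (through Security Defaults or a Conditional Access policy) no longer carries the lockout risk Trish describes, and the empty list is the evidence for question 3(b) on the tender form.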

Onthebrightside

Free Member
Oct 29, 2018
> Message me and I will help you, it's not massively complicated.
Thank you so much Darren, however, I am a virtual PA for this company and this is not just over my head but over my pay grade really. I think if they need to be more cyber secure they really need to pay someone. Is achieving Cyber Essentials something that your company does for your clients?
 

Solve My Problem

Free Member
Jul 16, 2021
Essex
> Thank you so much Darren, however, I am a virtual PA for this company and this is not just over my head but over my pay grade really. I think if they need to be more cyber secure they really need to pay someone. Is achieving Cyber Essentials something that your company does for your clients?
That makes perfect sense.

It's not something I specialise in, but I am happy to help small businesses obtain certification. I do a lot of consultancy for small companies which includes the security side of things, but it's not currently a day service, more part of a bundle of things.

I think you are best off passing it back to be honest, it requires someone with a full understanding of all the tech used within a company to be able to accurately identify all the points that need to be addressed.

Darren
 

Avast Business

Free Member
Jan 25, 2022
London
> Thank you so much Darren, however, I am a virtual PA for this company and this is not just over my head but over my pay grade really. I think if they need to be more cyber secure they really need to pay someone. Is achieving Cyber Essentials something that your company does for your clients?
Hi Trish,
As you can probably see from our banner at the top and the side of this page, we provide both information and cyber solutions to small businesses. Feel free to read more. As I mentioned earlier, we work closely with IASME and Cyber Essentials and our solutions are aligned in order to get SMEs toward the certification. More than happy to have someone talk to you and your company on what you need.
Teon
 
Join UK Business Forums for free business advice