If your business is considering new options for cloud services, you are likely looking at Microsoft 365, the cloud-based platform for the ubiquitous Microsoft Office Suite.
Encompassing a broad range of software such as Word, Excel, and PowerPoint, the Office Suite has long been a standard of the marketplace, and the 365 cloud version includes many add-on solutions such as Teams, a communication and videoconferencing tool that is rapidly gaining popularity.
But before committing to 365 or any other cloud services provider, an evaluation of how your company will use the services and whether your industry has heightened needs for cybersecurity is essential to ensure the safety of your data.
Even if you already use Microsoft 365, we recommend reviewing your license agreement once a year to make sure it still aligns with your needs. If your business has grown and more employees are now accessing sensitive data, or if your industry recommends heightened cybersecurity practices, you may want to consider upgrading to a higher level of service and security.
Like most cloud-based software subscription services, 365 offers multiple levels of licensing agreements, with prices dependent on the number of services, features and users. But automatic backups are not included, leaving licensees’ files and data vulnerable in case of a technology failure or ransomware-style theft.
Following are several issues to consider when shopping for a cloud-based platform:
- What kind of data and information do you currently store, such as emails and general data files? Do they contain sensitive and/or confidential information? Consider your needs for backing up and securing that data.
- What is your strategy for protecting your data today? Consider how your employees access data, such as from company computers or from personal devices, and any restrictions you should have on access to certain data. If employees access company data from personal devices, you should have guidelines and restrictions to protect the data. Restrictions can include multifactor authentication and other conditional access policies. Decide which accounts can be accessed only from behind a company firewall. This may include administrative accounts.
- Does your business need heightened data security measures because it is subject to government or industry regulations? This might include healthcare companies that must abide by HIPAA or companies that provide financial services and are subject to banking or SEC regulations.
- Create strong data loss prevention policies to protect financial resources and other sensitive records that may contain credit card numbers, Social Security numbers and personal information about employees. All this data should be encrypted and restricted from sharing.
- What is your backup policy? Backups are not included with 365 services, and licensees should understand that just because data is in the cloud doesn’t mean it’s secure. Backing up your data to your own internal system, such as to a hard drive or an external drive, is not a good idea. That drive is likely to be accessible to people in your organization. Ideally, data contained in the cloud should be backed up to a third-party cloud-based utility. These tools come with a price, but whatever the price, it’s worth it when compared to the price of losing your company’s sensitive data.
- Seek advice from IT professionals who are familiar with your industry. They can help you assess your needs and project how evolving data security tools can help you now and into the future.
If you are considering using a cloud-based platform, or if you are already a user and need to reassess your needs, contact your Rea advisor.
By Paul Hugenberg, III, CISSP, CRISC, CISA, CMMC-RP, QSA (Wooster Office)