Welcome to our first Newsflash of 2020. We are pleased to welcome two new additions to our team for the start of the year.
New team members
Tapiwa Wenge joins the company as a Professional Services Consultant. He has worked in a variety of information security roles during the last 20 years. Most recently he was a Senior Information Security Analyst at Auckland Council where his responsibilities included conducting security risk assessments on a range of software projects and providing security advisory on cloud adoption initiatives. Prior to working in the Local Government sector Tapiwa worked in security roles in the financial and petrochemical industries.
Kevin Alexander takes on a Business Development role with a focus on customers in NSW and NZ. Kevin has worked in the security and network infrastructure business for much of his 17-year IT career. Having worked with vendors such as IBM, VMware, Trend Micro and Symantec, he then moved into a consulting organisation. In this most recent role Kevin was working in the areas of offensive security (penetration testing services) as well as security governance and compliance (process and policy).
Microsoft 365 – Dynamic, complex and challenging
In some of our previous articles we discussed the challenges that organisations need to contend with in order to ensure their Microsoft 365 (MS 365) environment is securely configured.
Some of the key learnings we noted from our customer engagements were:
Even well managed and mature sites have been compromised.
It is important to know all your data aggregation points at all times.
Data sharing across the MS 365 environment is misunderstood.
Identifying termination points (where data can be readily shared with external parties) is critical.
Cloud service mapping and effective management reduces unnecessary risks and exposures.
Knowledge of all MS 365 capabilities and security dashboards aids prevention or early detection.
For this Newsflash we asked one of our consultants to outline some of the more common findings from his work in providing a Security Configuration Audit Service to MS 365 customers.
His nominations are:
The option for users to register Microsoft and 3rd party applications is configured at multiple locations. Unless all of the configuration selections are in accordance with security best practices, this could lead to a potential security breach.
Users are able to provide a blanket consent to company data stored within the MS 365 environment. While this can be effectively managed with a secure configuration, when it is incorrectly implemented there is a risk of providing unrestricted data access to potentially malicious applications.
The concept of least privilege is not followed by the default environment configuration, and the settings to fine-tune and limit the user’s ability to view MS 365 security configuration items are commonly overlooked.
Microsoft Teams provides a range of good functionality and interacts with many default and 3rd party applications as its standard configuration option. Securing the Microsoft Teams configuration is key to limiting any on-going data sharing activity and avoiding users unknowingly creating data security risks.
Microsoft Secure Score provides recommendations regarding the implementation of security options within the MS 365 environment. Some of these recommendations or options may not align with best practice or industry standards. Following these recommendations without expert input may result in introducing new risks to the environment.
MS 365 is helping organisations improve collaboration and productivity. A comprehensive range of security control options is available in MS 365; however, the dynamic and changing nature of the environment means that security gaps and vulnerabilities are very likely to exist.
Organisations of all sizes are highly dependent upon technology. Ensuring your people understand what is expected of them when using organisational technology, systems and data is key to minimising the threat of reputational damage and the potential loss of business.
The IT Policy System Lite is designed to help organisations of fewer than 200 users set the foundations for a safe computing environment. The system is cloud based and branded for each of our customers. A typical deployment covers 18 key policies in an easy-to-use system.
Our delivery process sees a Kaon Security consultant run a workshop for each new customer to ensure the system is customised to their business requirements. Thereafter Kaon Security ensure it is kept up to date in terms of policy wording, terminology, relevant best practice and standards information.
Writing policies, maintaining them and ensuring they align with best practice requires a significant investment of time and effort. In deploying the IT Policy System Lite our customers have commented that it is very cost effective, and has meant they can then focus on improving cyber security awareness and running their business.