Top 10 security recommendations we should consider while working from home

• Mobile working is a standard and it probably will last.
• Companies are no longer protected by their infrastructure in their corporate environment.
• Crucial data is moving away from centralized systems. We are taking document data out of our corporate environment to work on this data.
• Does it sound familiar?

Over the last years I've met a lot of customers that were not capable of managing their devices. It's more important than ever to have control on endpoints to empower remote-workers to be able to use modern and secure technology. I personally believe that right now is a massive opportunity to build decentral systems that are designed different than ever before.

The 10 security recommendations we should consider while working from home:

1. Identity protection

• Activate MFA. It's easy.
• Run a Microsoft Attack Simulator. It costs 2 hours and will show the potential risk.
• See which accounts have most likely been compromised through risky sign-ins.
• IMAP, POP3 disablement and implementation of MFA in 1 click? Enable Azure AD Security Defaults.

2. Patching & updates

• Take control of all devices in your organisation with Microsoft Endpoint Manager.
• Take control of Mobile Devices, or at least use Mobile Application Management and protect your corporate data. (iOS, Android, W10, macOS…)

3. Passwords and management of authentication

• Create a password policy. Check that 100% is compliant during renewals. Enable MFA for everyone. If you don't: set a policy — e.g. IF not with MFA then set password to 100+ characters (for applications, not users).
• Microsoft has advised to disable password renewals — this is possible IF you are doing multiple other steps of this article.
• Start using Windows Hello for Business.
• Start using Passwordless Authentication.
• Start using Self-Service Password Management.

4. Create real-time reporting of security vulnerabilities

• Identity risks are in every organisation. Don't think your chances are low — check the facts.
• It is very easy to use Risky Users, Risky Sign-ins and Risk Detections to find out real risks.
• Integrate with Microsoft Defender ATP and ATP Sensors to have all intelligence in the Microsoft cloud.

5. Create automated and intelligent alerts

• Create alerts when 100 files are deleted or copied to Dropbox, for example.

6. Install antivirus on ALL endpoints + go beyond antivirus

• Microsoft Defender ATP, Sentinel One, Norton, McAfee — it doesn't really matter. As long as you are able to protect all endpoints.
• Make sure your antivirus is enabled. Use a single console — or use MDATP. Set security alerts so you know when you are at risk.
• Use EDR monitors to detect and respond to advanced attacks in real time.

7. Secure private (personal) devices and corporate devices

• Workstations and portables (Windows 10) are in control in most companies. Mobile devices are left unmanaged because we don't know the options.
• With Intune (Endpoint Manager) you can isolate and segment applications without having to manage the device. Corporate applications are under control. The organisation's data is protected.
• Choose fingerprint, Face ID — worst case a PIN code — in app protection.
• Below you may find an example of the Outlook application which is protected by Mobile Application Management. In case organisations are not the owner of these devices this is a great option — and simple to implement.

8. Evaluate regularly which users have access to data, devices and physical network

• Cloud App Security shows you exactly whether data is passing on all endpoints.
• Document data, lateral movements, usage of applications, global traffic, count of applications in use in your organisation, risk levels, GDPR-proof applications…
• Bring network device logging into CASB to have more insights.

9. Track and block access for temporary projects or when employees leave

• Governance without enforcement is just good advice. Create simple written policies, enforce policies.
• Create retention policies — for example in a Microsoft Team that removes the team after 180 days.

10. Use information protection to protect your data everywhere

• Use Information Protection to protect document data — even if you lose the document physically. There are still options to block it from opening and keep it secure from distribution, opening, editing…
• Create document data insights from on-premises and cloud solutions with Microsoft Information Protection Policies.

Conclusions

• Security priorities are difficult. However, I would always start with MFA because this is fundamental identity security. Afterwards document and device security — because companies are moving to Teams during Covid-19, and you don't want data leakage during this time.
• If your identity is not secure and is compromised, there is no point in doing information protection — because a 'hacker' will use your accounts to access your corporate data.
• Use Microsoft Secure Score at securescore.microsoft.com as a guidance. Extract your priorities.

---