Risk Mitigation Strategies for Data Protection for Office 365

IT security is top of mind for businesses and technologists alike. From global ransomware attacks to email phishing scams, it’s clear that your data is under attack. For businesses migrating primary productivity and collaboration tools to the cloud, such as Microsoft Office 365, ensuring the safety of your data is a key priority.

In this Q&A between Andy Rouse, Senior Product Manager for Spanning Backup for Office 365, and Lori Witzel, Sr. Product Marketing Manager, they discuss risk mitigation strategies for data stored in Office 365 and the importance of being fully prepared to restore data after an attack. Here’s a snippet of their conversation.

Witzel: You can’t ignore the looming specter of ransomware and malware these days. What are you hearing from our customers?

Rouse: Over the last 18 months, malware, and more specifically, ransomware has become admins’ biggest concern related to data loss in Office 365.  In my role, I speak with many customers and prospects, and ransomware is a constant topic of our discussions.  This isn’t just a fear generated by recent reports in the media, ransomware attacks are happening to real customers and people in their network—and it is almost always crippling to the victim, which in turn makes it a real responsibility for Admins. When talking about ransomware, I often refer to a US-CERT report published in July of last year noted that 4,000 ransomware attacks were occurring daily in 2016, a 300% increase over 2015. That number has only grown, and the methods more devious and damaging. We’ve seen similar growth of attacks among our customer base.

Witzel: What are your recommendations for risk mitigation strategies?

Rouse: First off, prevention is key. Good prevention includes educating your users on ways to avoid getting infected in the first place, installing proper antivirus/malware software and keeping systems and applications up to date.

And don’t just educate your users on how to avoid infection—test them on it. Try using a service like Duo Security or KnowBe4 and see how your users perform in the real world. Test on multiple levels, email, USB, etc.

Our Security Engineer Brian Rutledge warns, “Once opened, fake PDF files, fabricated FedEx notices, and fraudulent financial institution correspondence that are infected with malware can quickly bypass an organization’s network security and spread beyond the local system through network drives and other endpoints tied to file sync and share tools such as Microsoft OneDrive and Google Drive.”

Secondly, you need to have a recent, complete backup of your data that is easily recoverable back to the state it was before the attack. Without a recoverable backup, your only option may be to pay the ransom, but, as we recently saw with NotPetya, a particularly malicious strain of ransomware, the perpetrators were unable to unlock and decrypt the victims’ data after they paid. The FBI also recommends not paying for this exact reason.

Lastly, conduct a mock attack scenario. Don’t wait until it happens to see if your prevention, education and recovery plans will work. Try them now.

Witzel: What are the main considerations when choosing a backup solution for Office 365?

Rouse: First ask yourself, is it easy to setup, maintain and scale? Your backup should be automated to run in the background with minimal oversight. A cloud-to-cloud solution delivers these capabilities. Here are the other key points to consider:

  • Evaluate its ability to meet your key restore scenarios. Reliable backup is a basic feature and should be tested, but how easy is it to restore the data? Are you testing that it works?
  • Is it secure?  Ask your vendor these three questions:
    1. What security certifications and accreditations does your service have? At a minimum, the vendor should have a SSAE SOC 2 Type II certification, but also ask relevant industry or region specific compliance like HIPAA, FERPA or APP (Australian Privacy Principles).
    2. Does your backup require you to store admin credentials? Backup solutions for any SaaS product should use OAuth, which requires the IT admin to grant the application the API permissions needed to function. You should never store admin credentials in a 3rd party backup.
    3. Is data always encrypted in transit and at rest?  What level of encryption, and who controls the encryption keys?

Witzel: What advice would you provide for business leaders concerned about security?

Rouse: Ask the right questions.

Ask your security and IT teams, for example, if they’ve taken an all-encompassing look at the risks and conducted scenario planning. Have they thought about the worst case scenarios and do they have a solution and response for each of them?

Witzel: What can we expect to see from Spanning Backup for Office 365 through the rest of 2017?

Rouse: The key themes you can expect to see from us in 2017 are:

  • Suite Expansion: providing backup and restore for additional services and features across Office 365
  • Monitoring and Administration: expand reporting, monitoring and trending capabilities
  • Enterprise features: continued focus on performance, scalability, customization and a close integration with Microsoft

It’s an exciting time to be part of Spanning. We are growing across the globe, expanding our product portfolio, and hiring new talent.

Get the Definitive Guide to Office 365 Backup