September 01, 2018

Hot Buttons

How Secure is Office 365? What Lawyers May Not Know

Sharon D. Nelson & John W. Simek

Can Office 365 “go down”? Oh, yes, it can. And it most certainly did on April 6, 2018. The outage was experienced in Europe, notably the U.K., as well as in Japan and other regions of the world. As one British technology website noted in typical fashion, “Microsoft’s Office 365 service is suffering widespread borkage across Europe, again.” We do love Brit-speak. Another online tech site said, “It would appear that Redmond has opted to secure user data by, er, removing access to it entirely. Clever.”

According to the Inquirer website, an unhappy customer wrote, “Get it sorted—not been able to access account at all and working from home. Losing business here!”

Pete Banham, a cyber resilience expert at Mimecast, commented: “Microsoft Office 365 was hit with major downtime on Friday, with customers around the world unable to access their services or admin portals. An operational dependency on the Microsoft environment creates business risks that need to be addressed.” He went on to say that entities need to consider a cyber resilience strategy to allow them to recover from such an outage.

To Microsoft’s credit, it announced later the same day that it had fixed the authentication problem. Certainly it didn’t solve the public relations problem emanating from all the users who couldn’t log in.

That made us wonder how long an American law firm would be able to tolerate an Office 365 outage. This is an unsettling thought to many law firms that never thought about Office 365 being unavailable to them.

Creating a Cyber Resilience Strategy

We could write an entire article on creating a resilience strategy, otherwise known as a business continuity plan. If Office 365 has a problem, how does a firm remain functional for email, preparing documents and so on? This is the point at which you plan for failure. Our recommendation is to use other services that integrate with Office 365. While there are many alternatives, we’ll give a few suggestions to keep you running during an Office 365 outage.

Email is now a required service for any law firm. Microsoft has a lot of redundancy for Office 365, but we’ve already seen some major failures. Consider routing your email flow through a service like Mimecast or Proofpoint. Should Office 365 (or hosted Exchange) go down, you can still receive and send email just as you normally would. Once Microsoft comes back up, the “offline” activity is synchronized with Office 365. You’ll need to work with your IT folks to get the configuration right, but it’s possible to still operate during an Office 365 failure.

File access is another concern for continuity. You can control which OneDrive files are available offline. Access to the Office software (Word, Excel, etc.) isn’t an issue since part of the Office 365 subscription is to have local installs of the software.

Other Office 365 services, such as SharePoint, may be more difficult to engineer offline access for. Most firms will be just fine with email and file access. The good news is that extended failures of Office 365 are very rare.

Your Responsibility for Securely Implementing Office 365

When we ask lawyers how secure their implementation of Office 365 is, they seem confused by the question. But it’s a question posed by Microsoft itself on its Office 365 Secure Score web page: “Ever wonder how secure your Office 365 organization really is? Time to stop wondering — the Office 365 Secure Score is here to help. Secure Score analyzes your Office 365 organization’s security based on your regular activities and security settings and assigns a score. Think of it as a credit score for security.”

Your IT person can install Office 365, and it will work. But it is not secure without taking further measures. Secure Score reviews the Office 365 services you use and then analyzes your settings and activities. It then presents a score that represents the quality of your security practices.

Whenever a new client using Office 365 retains us, we automatically run Secure Score. Typically, the results show that no additional security measures were taken when it was installed. While you don’t need to reach top-of-the-line security, you do need to “get to good.”

While we don’t know the exact percentage of law firms using Office 365, we do know that lawyers are flocking to it in ever-increasing numbers, at least in our experience. Our best guess is that 35 to 50 percent of law firms are now using Office 365, with many more planning a migration to it. So making sure Office 365 is secure is a very big problem in the legal sector.

Attacks Against Office 365

Microsoft is very much the victim of its own success. As soon as a large portion of the marketplace turned to Office 365, the bad guys went on the attack. There was the infamous KnockKnock botnet attack in October 2017 that was designed to target Office 365 system accounts, which tend to have elevated (i.e., more advanced) privileges.

Criminals employing ransomware attacks began to target Office 365 as well—and the attackers were both lone wolves and organized criminal gangs. Cerber ransomware targeted Office 365 and flooded users’ mailboxes with an Office document that released malware via macros.

Collaboration tools can also be a source of danger. Using Office 365 with SharePoint Online or OneDrive for Business, ransomware can spread across multiple users, systems and shared documents. One point of entry can cause a domino effect, giving attackers quick access to data, email and networks.

Microsoft has duly noted the threats and, in April, unveiled an Attack Simulator for Office 365 Threat Intelligence. This phishing attack simulator builds on the work of Office 365 Threat Intelligence, released in 2017, which allows IT pros to analyze threats in near real-time and to set up custom alerts. Just Google Office 365 Threat Intelligence and see what’s possible. The dark side of reading about it is realizing the full extent to which Office 365 is under attack.

More About Secure Score

In light of the torrent of attacks on Microsoft Office 365, Microsoft has provided, through Secure Score, recommendations that help its customers improve the security posture of their Office 365 environment and reduce risk at the same time. There is no silver bullet, nor does Secure Score give you an absolute measure of how likely you are to have a data breach. But it does help assess the extent to which you have adopted security controls that can help prevent data breaches. Rather than reacting or responding to security alerts, Secure Score lets you track and plan incremental improvements over a longer period of time.

While some of the changes to Office 365 for improving security occur behind the scenes, like auditing or reviewing reports weekly, others are more time-consuming and noticeable to users when implemented, like enabling multifactor authentication or implementing a mobile device manager.

Microsoft takes the guesswork out of achieving these security-minded goals by providing a checklist of tasks and instructions on how to complete them. Once a task is implemented, your Secure Score goes up. The default score after just implementing Office 365 is 27, and the highest score you can achieve is 450. Our recommendation is to shoot for a score of 250 or better, which will help to increase the security of your data stored within Office 365 and reduce the potential risk of a data breach occurring.
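To make the checklist concrete, here is the kind of check that one high-value Secure Score task corresponds to: reporting which Global Administrator accounts have no multifactor authentication requirement. This is an added example, not a script from the article or from Microsoft; it uses the MSOnline PowerShell module that was current when this column was written, and the role name “Company Administrator” (the directory’s name for Global Administrator) and the chosen output columns are our assumptions.

```powershell
# Added example: list Global Administrators without per-user MFA (MSOnline module).
# Assumes: Install-Module MSOnline has been run, and the signed-in account can read roles.
Connect-MsolService

# "Company Administrator" is the directory role name behind "Global Administrator".
$adminRole = Get-MsolRole -RoleName "Company Administrator"
$admins = Get-MsolRoleMember -RoleObjectId $adminRole.ObjectId |
    Where-Object { $_.RoleMemberType -eq "User" }

$report = foreach ($member in $admins) {
    $user = Get-MsolUser -ObjectId $member.ObjectId

    # StrongAuthenticationRequirements is empty when per-user MFA has never been enabled.
    $mfaState = if ($user.StrongAuthenticationRequirements.Count -gt 0) {
        $user.StrongAuthenticationRequirements[0].State   # "Enabled" or "Enforced"
    } else {
        "Disabled"
    }

    [pscustomobject]@{
        UserPrincipalName  = $user.UserPrincipalName
        MfaState           = $mfaState
        LastPasswordChange = $user.LastPasswordChangeTimestamp
    }
}

# Every account in this list is an elevated-privilege account protected by a password alone.
$report | Where-Object { $_.MfaState -eq "Disabled" } | Format-Table -AutoSize
```

The script reads only per-user MFA settings; a tenant that enforces MFA through Conditional Access policies will still show “Disabled” here, so treat the output as a starting list to verify, not a final verdict. Running it before and after the Secure Score task is a quick way to confirm that the elevated accounts the KnockKnock attack went after are the first ones you lock down.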

Microsoft charges $1.40 per user per month for multifactor authentication, $6 per user per month for the mobile device manager called Intune, and Advanced Threat Protection costs $2 per user per month.

These are not major costs for most law firms, and initial costs for configuring these security measures are not extreme, perhaps in the 10- to 15-hour time frame for a small firm.

General Data Protection Regulation

The European Union’s General Data Protection Regulation (GDPR) became effective on May 25, to the consternation of many entities, including law firms, which were not prepared for the very strict requirements of the GDPR. And be aware that violations of the GDPR carry hefty fines.

If you have European Union clients, or store or process data of European Union residents, it is past time to roll up your sleeves and make sure you are GDPR-compliant. New features in Office 365 can help you meet the strict GDPR privacy requirements. While this is a complex subject, Microsoft walks you through the key changes under GDPR and the implications for Office 365 users.

On the plus side, Office 365 meets requirements specified by ISO 27001 (i.e., an international cybersecurity standard), the Health Insurance Portability and Accountability Act, business associate agreements and the Federal Information Security Management Act. Users own and retain all rights to the hosted data, they can view a map of where the data resides, and Microsoft database administrators have only limited access to it. Microsoft has done a good job with compliance—though it’s much harder to fend off the bad guys who want your data.

Final Thoughts

Once again, we caution that there is a difference between IT and cybersecurity. A lot of perfectly good IT consultants can get you up and running on Office 365. But can they get you up and running securely? Most law firm managing partners seem unaware of the possible security dangers that come with Office 365. They want to “set it and forget it.” It’s clear that this worries Microsoft, which has really begun an extensive campaign to wake organizations up to the security risks—and increasing threats—that may come with Office 365.

One wonderful resource provided by Microsoft is an Office 365 Security Roadmap: Top Priorities for the First 30 days, 90 days, and Beyond. Again, just Google it. This is one of the best resources we’ve found, and a road map is exactly what law firms need.

Now that Office 365 has such a big bull’s-eye painted on its figurative back, we applaud Microsoft for taking a hard look at security concerns and trying to address them. But this is a dance that requires a dancing partner, and those who use Office 365, especially lawyers, have a duty to make sure they are aware of potential security problems and are doing their best to beef up their security posture.

Given the dangers that this article has identified, the time for investigation and action is now.

Sharon D. Nelson

President, Sensei Enterprises Inc.

Sharon D. Nelson is a practicing attorney, a past president of the Virginia State Bar and the co-author of 16 books published by the ABA.

John W. Simek

Vice President, Sensei Enterprises Inc.

John W. Simek is a Certified Information Systems Security Professional and a nationally known expert in the area of digital forensics. He and Sharon provide legal technology, information security and digital forensics from their Fairfax, Virginia, firm.