Securing Data in Microsoft Teams

With a large spotlight being shined on the technologies being used for working from home, we have taken this opportunity to talk about securing Microsoft Teams and best practice surrounding the data held within.

Teams is used as a platform for collaboration, communication and sharing of data. This means that it is possible for there to be multiple types of data stored, including chat logs, files with any kind of content (innocent or highly restricted) and user information. Also, because of the collaborative aspect of Teams, users who are not from your organisation can access this data if they have been invited into a Team.

Multi Factor Authentication

One of the most basic methods of securing Microsoft Teams, and by extension Office 365, is using Multi Factor Authentication, which you can read more about here: https://datcom.co.uk/en/news/tech/mfa-for-business-security

Multi Factor Authentication asks for a second method of authentication to log in, as well as a password. This helps to prevent unauthorised access to an account with just a password. A mobile phone is typically used as a second method of authentication.

Data Loss Prevention

Data Loss Prevention is the method for configuring policies that prevent people sharing sensitive data or information in Teams, particularly where there are guests present. This can be configured with definitions of sensitive information, such as bank or billing information, national insurance number or any other information that can be defined in a common pattern or terms. You can also specify to receive notification alerts when an attempt to share information is detected and stopped. This makes accounting and tracking of potential breaches easier. Policies can also be defined to prevent documents from being shared that contain the same sensitive information patterns or definitions.

Microsoft Azure Information Protection

Microsoft Information Protection can help to protect documents and files that may be shared outside your organisation. It does this by using things such as labels to classify documents for a certain level of user, such as HR documents for HR and Management users only, for example. You can also use new features with this product to apply the same type of labels to Teams and their Channels.

Turning Off Sharing

If you do not see a time when you will need to collaborate with external users, something as simple as turning off the ability to invite guests into your Team removes a feature that could result in a potential data breach. This also applies to users’ ability to add new apps into Teams, as these could be accessing data from your organisation about your users that they do not even know about.

End User Education

Educating your users on the dos and don’ts of interacting with data, and how to be responsible for the data and information they have access to, is a basic method of control for your information, but it can go a long way to ensuring data is not lost or leaked unthinkingly.