O365 User’s Guide: Information Security

Posted on Posted in Analytics, Enterprise Information Management, Uncategorized
Written by A. Sharif and J. McConnell

Today, the frequency of data breaches is so commonplace, that many organisations consider security risk as a question no longer “if”, but rather of “when”.  As a common aphorism pronounces:

There are two kinds of businesses: those who have been hacked, and those who do not know they have been hacked.

For the global enterprise, information security is not only a concern, it must also be a promise.  But where does one start in delivering this promise as an emerging small business?

Contradictory to most mainstream media depictions, recent studies indicate that most data/information security breaches are perpetrated knowingly by privileged users, and/or remote workers.  IBM’s 2016 survey on security showed that insiders are responsible for ~60% of all data breaches[1].  More recently, a 2017 survey from Haystax Technology showed that 56% of the sample perceive that insider threats have grown more frequent past year, and 75% of respondents estimate the costs of breach remediation to be ~$500,000[2].

If you are leading an organisation, then you are in need of a 365o view of user activity across collaboration platform applications, mailboxes, and document libraries. To support the awareness of both internal and external threat, Office 365 provides built-in security options that administrators and information officers can customize and organize to their needs.  The following article provides an overview of three approaches to using O365 to manage both internal and external security risks, from a small-business perspective.



As a business owner, it is vital that you are provided frequent overviews of the information-exchanges occurring throughout the organisation.  For information security throughout the enterprise, O365 provides an Admin Reporting centre.  Within this centre, a designated security operator can track all user and group activities across platform applications.  These reports are important for information management as well as for monitoring security risks. The reporting centre provides raw metadata, which may help to establish baseline patterns in user behaviours, over time.

Natively, document library alerts may be easily generated to provide delegated parties with daily, weekly, and monthly summaries of library activities, including the creation of new document and/or modifications to existing ones.  The only caveat to this alert is that delegates will not be able to see who syncs and subsequently disconnects a sync to a library – an essential signal of the occurrence of bulk information downloads. Fortunately, there are ways around this gap for this savvy O365 administrator.


Administrator Reports

When managing a business, a single report with all the information for risk management is vital. The ideal risk management report should monitor document, user, and group activity, and bring time-relevant attention to deviations in normal patterns of user and group behaviour.  For the global admin, the reporting tab in the Admin centre gives a helpful variety of views, i.e. user activity per app, e-mail activity per user, OneDrive activity per user, and activity per Group. The reports may be e-mailed automatically on a daily, weekly, and monthly bases, and their raw data exported in .csv format, reaching back as far as 180 days.  This export feature supports an automated alert database system, which may combine variety of reports into a single, executive-level view for monitoring an organisation’s security risk.


Active User Report

The Active User Report provides a summary of user activity per platform applications, as well as a total, daily active user snap-shot.  Using the data for past 180 days, a business owner can see if an employee is using in-built apps or using document library after working hours or late at night. This kind of behaviour can explain data breaching.  With this view, the delegated security officer will be able to recognize deviations from normal behaviour for targeted inquiry.


OneDrive Activity Report

As noted earlier, the need to monitor who is syncing file systems leaves a gaping hole in organization’s security-monitoring process.  The OneDrive Activity Report provides the security officer with a detailed summary that captures the viewing , syncing, and sharing (both internal and external) activities, per user.  While some users might be delegated to manage multiple libraries, deviations to baseline activities are immediately apparent with regular monitoring.  With the rise of Teams, a small business may soon be facing the problem of managing innumerable and fluctuating groups, rapidly emerging and disintegrating across the organisation.  Pulling this report daily is an invaluable step to mitigating the risk of insider threat.


Group Activity Report

Similarly, the Groups Activity Report measures a group’s active status, size, and velocity of information flow. This report presents a per-period snapshot of the total number of groups within the organization and the total number of daily active groups. Additionally, the Groups Activity Report provides essential information about each group, including the owner and it’s type (public or private), so that potential redundancies may be identified and that inactive groups may be properly archived.


 E-mail Usage Report

As with the previous reports, the E-mail Usage Report also generates an elaborate summary of activities including most active users and sent and received mail counts. To look for insider threat, the sent and received mail statistics are helpful.  Abnormal spikes in the summary may signal a threat.  However, reporting on user’s activity is half the battle.

Within Security and Compliance section of Admin Reporting (Admin App > Reporting > Security and Compliance), two additional summaries provide an expanded view of O365 e-mail health:  Spam Detection; and Top Malware for Mail.  Infected e-mails may include malicious software, which can cause a fallout of a server, and the loss of secure and/or proprietary information.  The data provided by these reports may provide vital information informing policy and procedures to reduce external threats to the organisation.


Administrator Controls

Securely managing the information on O365 also depends upon the vigilant management of user permissions. Traditionally, SharePoint administrators set up permission groups throughout an organisation’s platform.  However, for the small business, managing the permission groups can be a problem for two major reasons. First, SharePoint requires somewhat-specialized knowledge to structure permission groups. Second, permission groups might be left open for want of a dedicated administrator. If permission groups are not closed down at the end of a project’s life-cycle, then the information within a SharePoint site is not secure.

To mitigate this risk, we recommend the use of O365’s Groups. In Groups, permissions are easily accessible to the Group owner, and security details do not require expert knowledge of SharePoint. Groups gives a wide range of security options that SharePoint sites do not have. In Groups, the security can be put in place on every member of the group.

This said, the release of Teams – and the subsequent increase in the ease with which Groups may be created and destroyed – business leaders must guard against the inadvertent loss of information.

Remember: deleting a Team also deletes a Group.

Although a deleted group may be retrieved within 30 days, the retrieval process is, at best, cumbersome, requiring specialised knowledge of Azure’s PowerShell.  This potentially painful learning curve may be avoided with some general awareness training throughout the organisation, as well as delegated process ownership.



While studies indicate the role of users in information security breaches, we propose that the greatest threat to a growing business is a need for diligent awareness. Given the abundance of information about security and management, we offer some useful ways that a small business might apply an information security strategy using their Office 365 platform:


  1. Set up daily and weekly activity alerts for DocLib owners
  2. Run Administrator Reports weekly
  3. Run OneDrive Reports daily
  4. Use Groups to control SharePoint permissions

The DocLib alerts may be tailored to be more general or more specific, depending on the reporting period.  For instance, the daily alert might be more general, and the weekly alert more specific.  Both alerts provide the project and/or Group owner with an essential overview of their information’s activities.  Because they are most familiar with their project’s requirements, these information officers thus represent a first gateway, increasing awareness of their information’s security.

Admin Reports are a great route to take when trying to eliminate any sort of threat or concern. A small business my assign a dedicated security officer to monitor these reports.  Keeping an eye on Admin Reports helps to establish a baseline of normal user behaviours.  Further, the raw usage and activities data may be consumed by a dedicated risk-management database, that could provide a single view of an organisation’s risk.  Alerts to aberrant activities will keep the business leader informed on high-risk behaviours.  For the growing enterprise, OneDrive report should be pulled daily, and E-mail, User and Group Activity reports every week on the mark.

While a full SharePoint site provides more granular permission-ing of users, it also requires diligent management of these permission groups.  In a growing small business, forgotten permissions may leave information vulnerable to the wrong hands.  Both internal and external users require isolated access to information specific to their projects or person.  To create a partition between different projects and business activities, the use of Groups is very helpful. Unlike SharePoint, group Sites do not require a specialised platform knowledge to manage member access.  Instead, Groups themselves may represent different permission levels within the organisation.

Figure 1: Three Sentinels of Information Security

Thus, through daily and weekly monitoring of both platform and library activities, and through a conscientious partitioning of information into both projects and business areas, the small business proactively positions itself to take rapid action against both internal and external security threats.



[1] http://www.soluzioniedp.it/admin/public/downloads/f4f14a553d441ee7cf798c2e1a424e15/files/pt-state-of-ibmi-i-security-2016_wp.pdf

[2] http://haystax.com/wp-content/uploads/2017/03/Insider_Threat_Report_2017_Haystax_FINAL.pdf