Microsoft Corporation invests huge amounts of time and money into the security of its systems, including Microsoft Teams. Its engineering team constantly improves and adds new security features, making Teams one of the safest tools for collaboration. At the same time, there are always data security risks, no matter what platform you use for operating your business. And it is the responsibility of each organization to ensure the safest use of the tool and the protection of its data.
In this article we will outline the most common security risks in Microsoft Teams and best practices to help minimize them.
One of the greatest capabilities of Microsoft Teams is communicating and collaborating with external users by granting them guest access to your teams, channels and meetings. This is why Teams is so widely used for conducting remote negotiations, making sales pitches, and discussing projects with partners.
However, by granting guest access you’re also allowing your guests to get complete access to your team’s files and other data that is shared through channels. Therefore, you risk having your guests see sensitive content, which poses potential data security risks.
If External Sharing is turned on in Teams, then all the documents you store in SharePoint can potentially be shared with external users through chats. This can result in leaks of sensitive data and create serious security risks.
Screen sharing capability can also let you down if not used carefully. If you or your employees accidentally share the wrong page with outside users, it can cause irreversible damage.
Team owners can change a team’s privacy setting at any time, which is why it’s important to oversee who the owners of your teams are. Changing a team’s privacy can lead to security issues, so you may want to choose owners carefully and certainly not grant ownership to every member of the team.
If your team has only one owner and this person, for example, leaves the company, this can become a problem. A team cannot be without an owner, so potentially any user can become one. This may sabotage your team’s privacy since the owner can change settings of the team.
Private channels are a great way to discuss sensitive matters with a few members from the team (and even guest users) without having to create a whole new team. However, if the owner of the private channel is removed, any member can become a new owner. This can be risky as they could invite anyone to the private channel and, therefore, give access to confidential information to other users.
It’s against the law to share certain very sensitive data. That, for example, is true for social security numbers. Sharing this kind of data in Teams with external users is illegal. Enabling data loss prevention policies makes sure users do not accidentally let sensitive information slip.
When integrating a third-party app into Teams you may give it permission to access your team’s data. Some apps can transfer data among their services, which can cause data loss and GDPR compliance violations.
Microsoft Teams users receive email notifications about activities in their teams. Knowing that, cyber-attackers have started targeting Teams users to steal their credentials and gain access to companies’ intellectual property and strategies.
There are ways to increase your teams’ security and minimize security risks. Below we list some of Microsoft Teams security best practices.
One of the most reliable ways to enforce security in Teams is by setting up governance policies. Teams governance determines how the organization will function internally, how end-users can use the app, who can create teams, what information users can share, etc.
If you’d like to learn Teams governance best practices, we recommend checking out this article. There are many points to consider, and they revolve not only around security, but also the organizational structure.
When it comes to security, you may want to consider the following points:
The first thing you need to do is to decide who can create teams. This will allow you to minimize team sprawl and the security issues that arise from it.
There are a few ways to do that:
Setting up the right ownership and membership policies will allow you to better monitor teams and private channels and control what information is being shared. Team owners can remove members, add guests, change settings, and perform some administrative tasks. So, you may want to make sure you have a few owners in each team so that in case one of them is removed from the team, the ownership will not go to a random member.
Here are a few ways to do it:
Giving end-users open access to third-party apps puts the security of your sensitive content at risk. Managing third-party apps, therefore, is vital in ensuring effective collaboration while keeping confidential information safe.
You can oversee third-party apps by:
1. Managing app setup policies.
You can highlight and pin the most important apps in teams and install apps on behalf of users.
2. Managing app permission policies.
You can control which apps are available to users in the admin center.
There’s also a possibility to filter apps by restricting them to only those certified by Microsoft.
Office 365 provides additional features to secure your data.
The DLP feature identifies very sensitive data, such as Social Security and credit card numbers, and prevents it from being shared with external and guest users.
For example, if sensitive information is shared with an external user through a message, it will be automatically deleted.
If a document that contains such information is shared with external users, the document won’t open for those users.
You can learn more about DLP and how to enable it here.
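The pattern-matching idea behind this kind of rule can be sketched as follows. This is an added example, not code from this article or from Microsoft, and it is not how the Office 365 DLP engine is implemented; the function names, the simplified regular expressions, the constructed sample messages and the `contoso.example` domain are all assumptions made for illustration.

```python
import re

# Simplified patterns (assumption): US SSN in NNN-NN-NNNN form, and 13-19 digit
# card numbers with optional single spaces or hyphens between digits.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")

def luhn_ok(digits):
    """Luhn checksum: filters out digit runs that merely look like card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0

def find_sensitive(text):
    """Return (kind, matched_text) pairs for SSN-like and valid card-like values."""
    hits = [("ssn", m.group()) for m in SSN_RE.finditer(text)]
    for m in CARD_RE.finditer(text):
        if luhn_ok(re.sub(r"\D", "", m.group())):
            hits.append(("card", m.group()))
    return hits

def dlp_decision(text, recipients, internal_domain):
    """Block only when sensitive data is addressed to someone outside the domain."""
    external = [r for r in recipients
                if not r.lower().endswith("@" + internal_domain)]
    hits = find_sensitive(text)
    if hits and external:
        return "block", sorted({kind for kind, _ in hits})
    return "allow", []

if __name__ == "__main__":
    # Constructed message; 4111 1111 1111 1111 is a well-known test card number.
    msg = "Customer SSN is 123-45-6789, card 4111 1111 1111 1111."
    print(dlp_decision(msg, ["bob@partner.example"], "contoso.example"))
    print(dlp_decision(msg, ["li@contoso.example"], "contoso.example"))
```

The checksum step is what keeps order references and other long digit strings from triggering the rule, which matters when a match leads to a message being deleted.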
To get the job done, your staff collaborates both internally and externally, posing potential data security risks if a highly confidential document accidentally falls into the wrong hands.
Sensitivity labels let you classify and protect your company’s data, while making sure that user productivity and the ability to collaborate aren’t impeded.
With sensitivity labels you can encrypt emails and documents, mark the content when you use Office 365 apps, protect content in containers such as sites and groups, and apply a label automatically to files and emails or recommend one.
Learn more about sensitivity labels here.
With Microsoft Teams you can invite external guests to your teams, which might raise some data security concerns. This is why it’s essential to set up the right guest access rules.
You can configure guest access settings in the Teams admin center. You can disable it completely, although if you use Teams to communicate with clients and partners you might want to keep this capability. Instead, you can grant guests the least privileges, just enough to discuss matters of mutual interest.
If you’re concerned about accidental leaks of information during video meetings, you may choose to disable the screensharing capability.
You can create and configure sensitivity labels that, when applied during team creation, enable users to choose privacy settings for a new team.
Teams created with a highly confidential label won’t allow guest access and will only be available to your employees. People outside your organization can’t join the team.
There’s also a way to enable guest access only for select authorized teams by creating a new Azure AD App Registration that lets you use Microsoft Graph to create teams and set its priorities. You can find a step-by-step guide here.
To prevent external users from accessing your meetings in Microsoft Teams, you can leverage the Lobby capability. You can enable or disable it in the Microsoft Teams admin center.
Your external users will be redirected to a virtual lobby where they will need to wait for admission. This can be useful, for example, if you’re having a negotiation meeting with your team and a client and wish to have a talk with your team members before the official meeting starts.
Multi-factor authentication greatly increases the security of user logins. It’s definitely one of the Microsoft Teams security best practices if you want to protect your system from phishing attacks that steal your employees’ credentials.
Aside from entering a username and password to log in, users must verify their credentials with an additional authentication factor, by receiving a phone call, text message or a notification.
If you would like to enable privacy for certain teams, you can do that at the template level with SalesTim Collaboration templates.
You can decide if new teams created from the template will be Private or Public. Private teams will only allow team owners to add members, while in public teams anyone from the organization will be able to join without validation.
You can leverage the Office 365 Audit Log to monitor potential security issues. After creating an activity alert you will receive an email notification each time users perform specific activities in Office 365.
You may set activity alerts for external sharing, creation of sharing invitations, uploading/downloading files, site permissions modifications, and so on.
This way you’ll be able to oversee any potential security risks from user activity.
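The same activities can also be reviewed offline from an audit log export. The following is an added example, not part of the original article or of any Microsoft tooling: it assumes records exported one JSON object per line and sorted by time, with `Operation`, `UserId`, `CreationTime` and `TargetUserOrGroupName` fields, and the sample records, thresholds and `contoso.example` domain are constructed for illustration.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records (not real tenant data), one JSON object per line.
SAMPLE = "\n".join(json.dumps(r) for r in [
    {"CreationTime": "2024-03-04T09:00:05", "Operation": "SharingInvitationCreated",
     "UserId": "ana@contoso.example", "TargetUserOrGroupName": "bob@partner.example"},
    {"CreationTime": "2024-03-04T09:02:00", "Operation": "SharingInvitationCreated",
     "UserId": "ana@contoso.example", "TargetUserOrGroupName": "li@contoso.example"},
    {"CreationTime": "2024-03-04T09:05:00", "Operation": "SitePermissionsModified",
     "UserId": "raj@contoso.example"},
] + [
    {"CreationTime": f"2024-03-04T10:00:{s:02d}", "Operation": "FileDownloaded",
     "UserId": "guest@partner.example", "ObjectId": f"/sites/deal/doc{s}.docx"}
    for s in range(0, 50, 10)
])

ALWAYS_ALERT = {"AnonymousLinkCreated", "SitePermissionsModified"}

def triage(lines, internal_domain, bulk=5, window=timedelta(minutes=5)):
    """Return (time, user, reason) alerts; records must be in time order."""
    alerts, downloads = [], defaultdict(list)
    for line in lines.splitlines():
        rec = json.loads(line)
        op, user = rec["Operation"], rec["UserId"]
        when = datetime.fromisoformat(rec["CreationTime"])
        target = rec.get("TargetUserOrGroupName", "")
        if op in ALWAYS_ALERT:
            alerts.append((when, user, op))
        elif op == "SharingInvitationCreated":
            # Alert only when the invitee is outside the organization's domain.
            if not target.lower().endswith("@" + internal_domain):
                alerts.append((when, user, f"external invitation to {target}"))
        elif op == "FileDownloaded":
            times = downloads[user]
            times.append(when)
            # Keep only this user's downloads inside the sliding window.
            times[:] = [t for t in times if when - t <= window]
            if len(times) == bulk:  # fire once, when the threshold is reached
                alerts.append((when, user, f"{bulk} downloads within {window}"))
    return alerts

if __name__ == "__main__":
    for when, user, reason in triage(SAMPLE, "contoso.example"):
        print(when.isoformat(), user, reason)
```

Single downloads and internal invitations stay quiet here; the bulk-download threshold and window are tuning knobs that should reflect normal usage in your tenant.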
By following these Microsoft Teams security best practices you will ensure a high level of protection of your organization’s system and its data.