Office 365 Security Features that Nonprofits Should Know and Use

Speakers: Cameron Jones, TechSoup Global & Linda Widdop, Tech Impact

Facilitator: Sima Thakkar, TechSoup Global

Chat Assistants: Zerreen Kazi, TechSoup Global

Slide 1: Office 365 Security Features that Nonprofits Should Know and Use

Hi everyone. Thank you so much for joining us for our webinar today, Office 365 Security Features that Nonprofits Should Know and Use.

Slide 2: Using ReadyTalk

Before we get started, I just want to go over a few housekeeping items. So all callers will be muted. If you have questions, you should see a chat box on the left-hand side of your screen. If you lose your Internet connection, try reconnecting using the link that was emailed to you. If you have to drop off early, or if you want to watch the webinar again, we will be hosting the webinar on our website at community/events-webinars. We will also be sending an email with the presentation, the recording, and any relevant links.

If you are on social media feel free to Tweet at us @TechSoup using #tswebinars. But like I said earlier, we will be using the chat box that you see on the left-hand side of your screen.

Slide 3: A Global Network Bridging Tech Solutions and Services for Good

So just a little bit about TechSoup before we get started. We are located in 236 countries and territories. And we serve over a million nonprofits globally.

Slide 4: Corporate Partners

We work with several technology partners like Adobe, Intuit, Microsoft, Symantec to help make our mission possible.

Today's webinar is primarily focused on Microsoft Office 365.

Poll Question: Do you have an Office 365 account already?

So before we get started, I just wanted to get a sense of who is in the audience today and what your experience is with Office 365. So if you don't mind answering this poll question, I will give you guys a couple seconds to answer. Do you have an Office 365 account already?

So it looks like a majority of you guys do have Office 365 which is great. So I'm going to show the results so you guys know who is in the audience today.

Poll Question: Where did you get your Office 365 account(s)?

And then I would also like to know if you guys don't mind answering, where did you get your Office 365 account? Was it through TechSoup, Microsoft or elsewhere?

All right, so I will give you guys a few seconds to answer. Okay, so it looks like the majority of you got it through TechSoup. Okay, perfect.

Also, just before we get started, I just want to make sure you guys can hear me okay. So if you don't mind typing into the chat box where you're calling in from, and I will read a few of them out just so we know where you are calling in from, and that you can hear me.

So we have Indianapolis, Eugene, Oregon, Austin, Texas. Okay, cool so it looks like you guys can hear me okay.

Slide 5: Presenters

All right, so I'm going to go ahead and introduce today's speakers. My name is Sima Thakkar. I'm the Senior Manager of Content here at TechSoup. I also have my colleague Cameron Jones who is the Vice President of Solutions and Services here at TechSoup. Cameron oversees TechSoup's development of innovative services and solutions for the global nonprofit sector including IT consulting and management services, nonprofit validation services, and refurbished hardware. Cameron has a long successful track record of leading globally distributed cross-functional teams to implement complex programs across multiple geographies and languages.

I also have Linda Widdop who is the Director of Client Solutions and Education of IT Services at Tech Impact. Linda manages all aspects of client relations for Tech Impact including educating nonprofits about technology solutions. Linda works with local, regional, and national partners to provide the nonprofit community with increased knowledge of technologies through speaking engagements, individual consultations, and digital content delivery.

So I'm going to go ahead and pass it off to Linda.

Linda: Great, thanks, Sima.

Slide 6: Our mission

I work at a nonprofit organization called Tech Impact. We are a 501(c)(3) nonprofit whose mission is to empower communities and nonprofits to use technology to better serve our world. We are a TechSoup partner that delivers services to nonprofits.

Slide 7: Digital Transformation for Social Change

So all of our customers must be nonprofits. If your nonprofit needs IT services, everything from planning to implementation, support services we are the place to call, so feel free to do that.

Slide 8: Security Overview

Today we're going to be talking about Office 365 security features. I'm going to start today's session just with an overview and some things that all come together around security to kind of frame our discussion around Office 365.

Slide 9: Security Concerns

First, let's talk about our security concerns and who we should be worried about. And you see here on the slide that there are external hackers. These are the ones that we consider the bad guys. These are the ones that are sending us the phishing attempts, and they are trying to hack into our networks, and they're trying to get all kinds of not just cash, but also information from us. They may also be acting as an activist hacker, somebody who is not in line with our organization's mission, and seeks to cause us some public embarrassment, or harm to our organization. So they are the ones we know about and we hear the most about in the news.

But the other side of the slide are just as important for us to take a look at, and these are internal staff. These are people who work at our organization who could inadvertently, accidentally, or maliciously allow some of our sensitive information to get out. So we really need to use our technology solutions and our internal staff policies to make sure that we are securing ourselves against those external and internal hackers, or people.

Slide 10: Cyber Security Threat Vectors

At Tech Impact, we look at cybersecurity threat vectors in six general categories: device security, data loss controls, item level encryption, account security, malware controls, and network controls. For the purpose of today's discussion, we are really going to be looking at four of the six of these.

Slide 11: What Is Device Security

And the ones that we are going to be diving into are device security. How can Office 365 help you protect your devices? Those are the computers on your network, against threats, external threats, and internal threats. So we are going to look at limiting which devices are accessing our data, enforcing settings, managing updates through Office 365 features, and even going so far as allowing us to wipe sensitive data using mobile device management, and remote wipe services.

Slide 12: What Is Item-Level Encryption

In terms of item level encryption, we are going to be looking at how to protect sensitive data. If we do need to share data outside of our network, how can we do that in an encrypted way, so that we are ensuring the safety of that content from those people that we need to share with?

Slide 13: What Are Data Loss Controls

Data loss controls, how are we going to monitor for accidental or intentional sharing of sensitive information such as HIPAA information, Social Security numbers, PII, personal identification information? How can we make sure that we are limiting that? How can we monitor where that information lives in our Office 365 cloud, and make sure that we are analyzing patterns to see whether there is behavior that we should, as security-minded administrators, be aware of.

Slide 14: What Is Account Security

We are also going to look at account security. How can we ensure that your Office 365 accounts are being used properly, and accessed properly by one person, by the correct user? And again, looking at those logs for suspicious login activities.

Slide 15: How can we protect ourselves?

So if we look at those six areas, those threat vectors that we talked about that we looked at earlier. Two and a half of those, the ones on the left, should be dealt with by your IT professional. So looking at making sure that you have a firewall in your office, making sure that the operating systems that are on your computers are up-to-date. They are the current versions. They are Windows 10 Pro, or they are Mac OS whatever the latest one is; making sure that they are updated, and the security patches are done there; making sure that you have antivirus, and anti-malware installed. That should be done by your IT professional.

And then the other 3 ½ buttons here, we can deal with with the Office 365, and that's what we're going to dive into next.

Slide 16: What can Office 365 do?

So how can Office 365 help us with data security? Again, ensuring only secure devices can access our cloud-based data. I had to enroll my computer into our Office 365 environment, so that -- and I can't use my personal computer to actually get any information out of Office 365. Only my work, my company-owned laptop can be connected into that, so that is some of the things that we can do with device security.

Making sure that our devices have to, when they are enrolled, they have to meet certain minimum requirements. They have to have a certain minimum operating system. They must have antivirus installed and updated. They must have disk encryption on them. So we are using BitLocker to make sure that we are encrypting the disc at the local level. We have got passwords set to log into the computer, etc. All of these things can be set as minimum compliance standards through the device security.

Account security, enforcing things like multifactor authentication. When I log into my Office 365 account, I am sent a code to my mobile device which I have to put in. That's the second layer of authentication, multifactor authentication there. Making sure that we've got monitoring setup for unauthorized access, and this is something that our administrator looks at on a regular basis.

Data loss controls, detecting and mitigating any attempts to send sensitive information externally, meaning that we can set data loss controls to make sure that for instance, if I'm sending an email, if the email contains something that looks like a Social Security number, it's got three digits dash two digits dash four digits, I'm going to get an alert as that user that says, "Hey, that looks like sensitive information. Are you sure you want to send that?" And I have got to respond "yes" or "no," or it will, we can set it so that it just blocks that. It won't allow me. It just gives me an error message and says, "That looks like it has got a Social Security number in it. You are not allowed to send it." So that is data loss controls.

Item level encryption is a little different. Item level encryption means that we are using sensitivity controls on item levels, so files, folders, etc. to make sure that information that is contained within that email message, or that document is not allowed to be transferred outside of our organization.

So this is what Office 365 can do, and these are how we are going to deal with the licensing to make sure that if you need this, it can be done with Office 365.

Slide 17: Levels of Concern Vary

The levels of concern that your organization has in each of these four areas may vary. You may be working at a nonprofit that really doesn't have sensitive information, and you are not that concerned about setting up item level encryption, or data loss prevention.

But other organizations, maybe you do work with HIPAA. I can't believe HIPAA is spelled wrong on this by the way. You may be working with HIPAA related information or personal identification. You might want a little more compliance and security around your information. Maybe you are working with banking information that may require you to have a higher level of concern.

And then finally, if you are an organization that has a mission that can be viewed from two different points, and you might have "enemies" out there, you might want to have the highest level of concern.

Slide 18: Licensing Overview

So that was just the overview of how we are approaching this discussion. Now let's see how the licensing can work within that.

Slide 19: Enterprise Licensing and Microsoft Cloud

The Microsoft licensing that is available, what we will be talking about today are the Enterprise level licensing. So we will not be covering Business Essentials or Business Premium licensing.

We will be talking about the E1, Office 365 E1, E3, and E5. E stands for Enterprise. We will be talking about a different kind of licensing called the Enterprise Mobility and Security licensing. We call that EMS for short. EMS also comes with E3 and E5 levels. We will be talking about a quick overview of the Microsoft 365 which is a bundle license that contains Windows 10, Office 365, and EMS licensing at a bundled price. You also can have some of these with add-ons, Office Pro Plus, Azure Rights Management, Online Archiving, and Advanced Threat Protection, but we are not going to be discussing those in-depth today.

Slide 20: Office 365 Nonprofit Licenses

So let's look at the five licensings that are available to nonprofits. Again, the first two on the left we are not going to be talking about today. They are the business level.

The next three E1, E3, and E5 layer, you can review this slide when you get the recording. What I wanted to call out are those sections that are highlighted in yellow.

With your E3 licensing that's a $4.50 per user per month price, but it includes compliance solutions, data protection, DLP, data loss protection, and some other services. If you go to the E5 license which is $15 per user per month, you get that plus advanced E-discovery tools, analytics, and other services. I just wanted to call those two things out. I am going to show you details in the next slides.

Slide 21: Office 365 E3 Security Features

So here's some details about the Office 365 E3 security features. Advanced email, using archiving and legal hold capabilities. If you are in an organization where you need to hold all of the email correspondence from your staff members whether they work there or not, or they have gone, that's what legal hold capabilities can do. Also allows us to set up that data loss prevention policies to ensure that Social Security numbers and that kind of information cannot be shared externally.

Document and email access control, this is Rights Management Services. This is allowing us to encrypt the file level sensitivity information.

Message encryption, allowing us to send sensitive information outside of our organization if we do it in an encrypted way. Which means that when you send information and you encrypt it in an email, when I receive it will say, so and so sent you this message. Click on this link to go to a secure portal to read and respond to that information. Ensuring that the information doesn't really get to my local inbox or my local computer as the recipient, so therefore I can't do something dumb like share it accidentally with others.

Advanced compliance tools using the eDiscovery Center where you can search, "you" meaning the administrator, can search across all components, communication components, and file storing components for compliance level information.

So that's the E3 security features.

Slide 22: Office 365 E5 Advanced Security Features

The E5 security features have all of the things that we just saw on the previous slide plus these additional; advanced information protection, threat intelligence, allowing us to look at the whole threat landscape. Again this is for administrators to take a look at threats that are potentially involving your Office 365 realm.

Advanced security, helping us set up things like customer lockbox, two-factor authentication for administrator approvals. It's a higher level of that two-factor authentication that we can set up there.

And then finally, and again those analytic tools so that we can really get a sense of using dashboards to see where our compliance needs to be strengthened, where some attempts are coming from, and allow us to take even more action against that.

So those are your Office 365 licensing security feature overview.

Slide 23: Microsoft Enterprise Mobility Plus Security

Now, this slide is about Enterprise Mobility and Security, EMS. EMS or Enterprise Mobility and Security allows us to take even more compliance and security control of our cloud. And these are set up in two different licensings. There is the EMS E3 licensing and then there's that EMS E5 licensing.

EMS E3, Microsoft has made available, the first 50 of those licenses for free. After you go through the 50, you will be paying $2.50 per user per month.

EMS allows us to do more with overall identity management through Azure AD. And so that first bullet point there, Azure Active Directory, Azure AD allows us to set user identity across the enterprise with more control that we can set for all users. So that's my device security, my user security, the fact that I have to do multifactor authentication, and I have to comply with certain rules and regulations about my device being connected.

Managing mobile devices and apps, so that I can do things like, my administrator can do things like wipe my computer if I contact my administrator and say, I lost my cell phone. My administrator can just send a message. Next time that cell phone comes online all of my Office 365 information, my inbox, my calendar, any files that I might have saved, my team's messages can all be remotely wiped. Same thing if I had lost a laptop. So that's Enterprise, EMS E3 allows us to do Active Directory, and do some of those things. And you will see that Intune is part of that.

E5, EMS E5 does all of that plus a little bit heavier Active Directory. There is a P2, means plan two so there is some more in-depth things that we can do with the Azure AD. The same thing with Azure Information Protection. It has a P2. And then the most sought-after thing for most of the people that we talk to is the cloud app security which we will talk about in a minute.

Slide 24: Levels of Microsoft Licensing Required

So we are back to those four components, those four threat vectors. How can your licensing through Office 365 matchup with what you want to do in these categories?

So again, if you are any nonprofit, and you are just a little bit concerned about security, just a general security, making sure we are generally secure, some things that you are going to want to do.

In the device category, you are definitely going to want to have Windows 10 Pro loaded on as your operating system across all your Windows-based devices. That's just a no-brainer in today's world. The Windows 10 Pro is going to give you the most security functionality, and it's going to have the most current up-to-date security patches etc. It's also going to allow you to, if your computer has a TPM chip in it, it will allow you to use disk level encryption on your computer as well, great for laptops.

For item-level encryption, you may not be that concerned about it, so you can just go with your Office 365 E1 license, and be fine with that.

For account security, we are recommending that all nonprofits, because you get the first 50 for free, you might as well install the Enterprise Mobility and Security E3 license for at least those people within your organization that deal with some sensitive information, your finance department, maybe your executive director, maybe your human relations people. You would probably want to have the Enterprise Mobility and Security E3 license.

For data loss controls, again, maybe you are not that concerned with allowing your users to share content, and they know pretty much that they shouldn't be sending Social Security numbers out. You don't need that. Maybe you are fine with the E1.

And then again, you can see how as we get more and more security conscious, or compliance conscious we're going to add those licensings. So you are seeing here that if you are working with HIPAA, or FIRMA, or banking regulations, or you are concerned with GDPR, you should be bumping your licensing for Office 365 up to the E3 license. You should still be using the Enterprise Mobility and Security E3 license, and that's going to pro -- and of course, the Windows 10 Pro. That's going to be allowing you to set up data loss prevention rules, item level encryption. It's going to allow us to do that device security, and the user identity security with the multifactor authentication, and all those kinds of controls that are required, and will keep you in compliance. Many, many nonprofits are doing that. They are doing the E3 Office 365 and E3 for Enterprise Mobility and Security today.

If you are an organization that has that mission that could cause you to have political enemies, you are going to want to step up to Office 365 E3 maybe, but then definitely the Enterprise Mobility and Security E5. That E5 has that advanced threat intelligence, so that we can really hone in on who is trying to attack us and when. It also allows us to do things like set up the cloud apps security as well. And so at least at a minimum, Office 365 E3, you could go to Office 365 E5 as well, but definitely the Enterprise Mobility and Security E5.

So you can get a look at this. And you know if you want to err on the side of security, it's never a bad thing. You can always go up in levels. So if you are at a certain licensing now, you can always increase that licensing.

Remember this is also mix and match across your enterprise. You could set up the really super-duper E5 stuff for some of your most vulnerable users, like I said, your finance department, Executive Director, HR department. You might want to do that. And maybe for some of your front-line workers, you could back off a little bit and do E1 or E3 for Office 365, and then EMS E3 or E5.

Slide 25: Configuration & Support

For configuration and support, we are looking at -- this isn't easy to do. So I just want to throw that out there to say it's not easy to do.

Slide 26: How can we protect ourselves?

Remember that left side of the column? Those 2 ½ things that I said your IT administrator needed to do for you, that's absolutely true, and you should do that first. I've got a couple of bullet points here making sure that you are getting some of this stuff through TechSoup, and setting it up properly, etc.

Slide 27: Levels of Professional Support Needed

For the other four, we are looking at levels of support needed. And I've got basically three here. Those little green guys with the DIY, do-it-yourself, meaning do it yourself or have somebody that your IT person at the organization can configure that for you.

Those blue icons there, you definitely need an IT professional to help you configure those components. Some of those components like the device security, a lot of that has to do with your Windows, and your operating systems, and that kind of thing, user configuration, account configuration. Your IT pro can usually handle that.

But then you'll see those yellow guys, the security pro. And I'm sorry there's no women in that, in this but I couldn't find any icons.

Your security pro, you really should engage with a security pro if you are looking for real compliance help. You are working with those political enemies. You are working with those data loss prevention controls. IT professionals are still kind of coming up to speed in this area, some of them. So hiring someone, or finding somebody to help you that is really understanding the security landscape out there, and how to configure this properly, and monitor it ongoing is really important if this is what you want, definitely not do-it-yourself.

Slide 28: Recommended roadmap

We have a roadmap here that gives you -- I'm not going to go through all of this. What I want you to notice is the legend at the bottom.

There's the blue things are low user impact, moderate user impact is in yellow, and then black is high user impact. The little triangles are also colored in blue, yellow, or black indicating the implementation complexity low, medium, and high. Anything that is going to be high user impact, and/or high implementation capacity, you should take a look at, and talk to somebody professionally about that.

Slide 29: Professional Help is Available

I'm going to end real quick by saying at Tech Impact this is what we do. We have a whole team of people who help nonprofits get on board with Office 365. We have got security assessments and analysts on staff to help you with the compliance and security concern. We have IT pros that will help you with that device and user account configuration. If you don't have an IT professional that can help you with this, feel free to contact us.

I'm going to turn this back over to Cameron to talk about how to get in touch with TechSoup to ask questions about this, and ultimately get in touch with Tech Impact to do that.

Cameron: Thanks Linda, very much. So I want to move as quickly through the rest of the slides. I know that we are running a little bit behind here today.

Slide 30: TechSoup Courses on Office 365 and the Microsoft Cloud

So I just wanted to cover that as Linda mentioned, Tech Impact has a number of services available to help nonprofits with this. TechSoup also has multiple resources available to nonprofits to help learn about, adopt, and manage Microsoft cloud products and subscriptions.

To learn about our Microsoft cloud products, our TechSoup courses program currently has five courses available with lots more on the way.

Slide 31: TechSoup Services Offers That Support Office 365 Set up and Migration

And in addition to that, to help with the adoption of Office 365 and other cloud products, we have several services offered at different levels to help meet different nonprofit needs.

So we have a basic Office 365 set up which does not involve migrations. This is generally for small organizations that
