We’re receiving calls from our cybersecurity customers when the IT Team discovers that ordinary users have given third-party applications access to all their organization’s files, email messages, calendar events, Teams chats and channels, and other data.

How can ordinary users have that much power?

By default.

Situation: This configuration affects most companies. While the default settings for your Microsoft 365 system allow your users to approve third-party access, Microsoft recommends the following more restrictive settings to increase security.

The Risk: Without this setting, workers may override protections without oversight and allow any application to access your company data, create and delete files in SharePoint and OneDrive, read and send email messages, edit calendar events, access and modify Teams chats and channels, update user profile information, and perform other tasks. While some applications might need this level of access, it must be granted only after the appropriate authorities, including your IT Team, thoroughly consider it.

Reality Check: This setting catches many IT Teams by surprise. Microsoft is updating its security controls quickly, and it is nearly impossible for IT Teams to keep up with the changes. And when defaults promote ease-of-use over security, like this one, your systems can become at risk quickly without the team realizing it. Know that your IT Team’s level of expertise can be excellent, and situations like this sneak up on them anyway.

Urgent Quick Verification: Your IT Team can quickly access the Microsoft Entra admin center > Enterprise applications > Consent and permissions > User consent settings. There are three options:

• “Do not allow user consent.”
• “Allow user consent for apps from verified publishers, for selected permissions.”
• “Allow user consent for all apps” (the current risky default value)

Update If Necessary: Microsoft recommends you select “Allow user consent for apps from verified publishers, for selected permissions.” Different organizations have different data access needs. Your IT and compliance teams must determine the appropriate level for your situation. Smaller organizations might choose the first option if they don’t want users to expose data to third-party applications without checking with the IT team. Larger organizations with more complex needs often prefer the middle option with careful permission management to take some of the workload off busy IT professionals while providing protection.

Next Step: Your Administrators will also need to specify which permissions are low-impact, as detailed in Microsoft’s article “Overview of user and admin consent.”

Facilitate the Approval Process: Your team can optionally set up an admin consent workflow that users must follow when they want to provide permissions.

Forward this to your friends who are executives at other organizations so they can give their teams this heads-up, too.

The post Executives – Any User Can Accidentally Expose All Your Data Unless IT Changes This Default Setting appeared first on Foster Institute.

Microsoft presents the feature to users saying, “Download apps and OS updates from multiple sources to get them more quickly”.

Think about it and it sort of makes sense. Rather than every computer on the planet having to go to Microsoft’s servers to download patches and apps, Windows 10 computers can reach out to other Windows 10 computers and obtain the patch from them. This helps prevent Microsoft’s servers from becoming overloaded, and can allow your computer to receive patches and apps sooner. Ultimately, this can even reduce the amount of traffic flowing on the Internet in general.

Microsoft has built in strong security – though security can be broken.

Microsoft does their best not to use your computer to deliver patches if you are connected to the Internet using a mobile hotspot – helping you avoid unexpected data charges. You can also specify what Wi-Fi connections are charged as metered networks.

One concern is that, if your computer is being used to deliver updates, your Internet connection may slow down. Or, perhaps you don’t want your computer to be, what some users may feel is, a zombie for Microsoft to use as part of their patch delivery mechanism.

How to turn this feature off in Windows 10: Go to the Start button icon, choose Settings > Update & Security > Windows Update > Advanced Options. You can choose to not participate, or to select either PCs on your local network only, or PCs on your local network and PCs on the Internet”

Please help spread the word and forward this newsletter on to those you care about!

The post Microsoft Using Your Computer To Deliver Software appeared first on Foster Institute.