This post is part 2 of our security awareness series. If you’re just joining us, don’t miss the first post about the #1 most underrated security risk.

You take security seriously—we can tell. Why else would you be here, reading an article about security awareness training?

We both know that good security is more than firewalls and anti-malware software—and that people are the greatest cybersecurity risk. Because 95% of data breaches are caused by human error,¹ users need to be trained to guard against things like phishing and other social engineering attacks.

But if you’re not involving Microsoft 365 in your security awareness training, you’re shooting yourself in the foot.

Effective training is about helping users develop secure working habits, not just telling them what not to do. And integrating Microsoft 365 tools will help users work more productively and guard against security risks.

So—if you’re serious about protecting your data, your company, and your people, share these Microsoft 365 best practices with your users.




Even with the advent of Skype, Slack, Teams, et al., email is still a workplace staple—and a major security risk.

Think about it: leaking data is as easy as mistyping a name and sending a message to the wrong recipient. And don’t even get us started on phishing emails.

So many of these dangers can be averted just by being a little more aware, taking a second to double-check the button you clicked, the name you typed, or the link you’re about to open. But there are also a few best practices that can keep you—and your colleagues—safer.

Use the BCC field

If you’re sending a message to a large group of people (especially external contacts), don’t add their addresses to the “To” field. Use the BCC field instead—that prevents scammers from copying the list of addresses and protects the identity of everyone you’re emailing.

Plus, no one can accidentally “reply all” if everyone’s on the BCC list.

Manage your senders

Generally speaking, you can’t control who emails you. But if a spammer does access your email address, add them to your blocked senders list so their messages always head straight to your junk folder. Go a step further—mark phishing emails as such and report the sender to Microsoft.

On the other hand, if a colleague’s emails always end up in your junk folder, add them to your safe senders list so their messages go straight to your inbox.

Stop using attachments

Besides being inconvenient (file size limits, forgetting to attach a file, etc.), email attachments are a security risk. Corrupted or infected files can compromise your device—or your recipients’ devices. And attaching the wrong file qualifies as a data leak.

Instead, just upload and share files via OneDrive or SharePoint. Which brings us to . . .






Because leaked or corrupted files are such security threats, cloud storage really is a game-changer. For one thing, with your files in the cloud, a hard-drive failure or an unfortunate coffee spill isn’t as tragic. No matter what happens to your devices, your data is safe.

Beyond that, the following OneDrive best practices can also help ensure your files reach their intended recipients and no one else.

Eliminate duplicates

When information exists in multiple documents, the risk of a leak is that much greater. But with OneDrive, one version is all you really need.

When you save a file to the cloud, everyone who needs access can see the most updated version. If needed, the whole team can work on the file together and see each other’s changes in real time.

Specify permissions

One of the greatest things about OneDrive is how easy it is to share files with anyone—without sacrificing security. Whenever you share a file, you can give access to anyone with the link, to people in your organization, or to only the people you specify.

As a project runs its course, different people will need file access. With OneDrive, it’s a snap to adjust permissions, revoking access to those who’ve already done their part and granting access to newcomers.

Control file access

Once you decide who can access a file, you can further control how they can access it.

For example, if a recipient needs to edit a file, you can make that happen. Or you can revoke editing access and make the file view-only.

Additionally, you can prevent the recipient from downloading the file, require a password before opening the file, and specify an expiration date for the shared link.




Ah, SharePoint sites . . . They straddle that line between making information available to everyone who needs it and keeping it out of the wrong hands. And with the right settings in place, they do their job well.

But that’s the catch—SharePoint sites are only as secure as you make them. So, follow these guidelines to strike that secure/accessible balance.

Manage permissions

As a site owner, you get to decide who can visit the site: anyone (including external users), those in your organization, or only the people you specify. And among site users, you can also limit who has editing permissions.

Control library versioning

Sometimes it’s handy to review a file’s version history and restore an older and more accurate version—and sometimes it’s not. That’s why site owners can turn off versioning, require users to check out files, and require approval for changes to items (among other things).

Delete old sites

When you’re pulling a team together for a project, a SharePoint site is the perfect place to gather and collaborate. But when the project’s finished, leaving that site up is asking for trouble. Even if the site’s outdated, hackers could still get valuable information, like team members’ names and other details.

If you’re done with the project, you’re done with the site—so delete it and move forward.




Microsoft Teams is your one-stop collaboration hub—which means it’s full of your proprietary info that shouldn’t be shared freely. That’s why Teams includes so many built-in security features.

Like the other Microsoft 365 apps, Teams is protected by multi-factor authentication (MFA) and single sign-on (SSO). And because Teams integrates with OneDrive and SharePoint, anything you do to secure OneDrive and SharePoint also makes Teams safer.

All the same, here’s one pro tip to keep your information secure in Teams.




Create private teams and channels

Not everyone in your organization needs access to your team’s conversations, files, meetings, notes, and apps. That’s when private teams come in handy. Only the people you add can join the team and view its resources.

Some conversations should be limited to certain people—like managers—without involving the whole team. That’s when private channels come in handy. Again, only the people you specify can access that channel.



The Shortcut to Better Security Awareness Training


Maybe you’re looking at this list of Microsoft 365 best practices and thinking, “Ok . . . this is a lot of information.”

Yep, it is. And we’ve only scratched the surface of all the tools and features that can reinforce your company’s security from the inside out.

Designing a security awareness program is pretty time intensive. And let’s be real: you probably don’t have the time to revamp your security awareness training to include every Microsoft 365 best practice.

Good news! You don’t have to. That wheel’s already been invented—and it’s called BrainStorm Threat Defense. It’s a program designed to protect your users from their own unsafe behaviors through a combination of education and simulated phishing emails.

We know you take security seriously—now use Threat Defense to help your users take it seriously as well.


In part 3 of our cybersecurity series, discover the 6 habits of a secure user to up your defensive game.