How to Secure and Control the Use of Documents


Do you have a video doorbell for your home? Or an alarm system? How often do you lock your back door? Do you use double locks when staying at a hotel? Does your environment guide your security precautions? If the answer is yes, you can apply a similar mindset to securing and controlling documents.

Most organizations need to secure documents. Your organization likely requires advanced security measures if it:

  • houses financial information (e.g., a payroll company or an organization with an in-house certified public accountant)
  • houses personally identifiable information, such as social security numbers, birth dates, or bank information (e.g., an organization with in-house HR)
  • operates in the healthcare industry or allied health industry (e.g., pathology or workman’s compensation)
  • operates in e-commerce and houses credit card information
  • has customers that require CMMC (Cybersecurity Maturity Model Certification)

Take a moment and think about the sensitive information you need to secure.

To help you determine the level of security you have and need, here are three layers to consider: Microsoft 365’s built-in security features, additional security options that enhance what Microsoft offers out of the box, and advanced security options to address the needs of regulatory requirements like HIPAA (Health Insurance Portability and Accountability Act) and CMMC.

Secure Documents with Out of the Box Features of Microsoft 365 Basic and Standard Plans

There are some excellent security features available within Microsoft 365 default security settings. One basic MFA (Multi-Factor Authentication) feature increases password security by sending push notifications to your phone to confirm your identity. For our more technical readers, possible MFA configurations include requiring all users and admins to register for MFA using the Microsoft Authenticator app, challenging users with MFA, disabling authentication from legacy authentication clients that cannot do MFA, and protecting admins by requiring extra authentication every time they sign in.

A few shared links in SharePoint work great, but after a while, sharing out documents creates a complex web of permissions. When team members change, it isn’t easy to recreate those links. To solve this challenge, create security groups based on job roles. In Microsoft’s cloud, you can use Role-Based Access Control to define how documents can be accessed and which job roles can access them.

Secure documents you need to share with your customers can be made available using an ID and password. Security can be configured so that your customers can access the documents you want to share with them and cannot access documents they shouldn’t. You can even restrict their access so that they cannot download or print information but can only view it.

Raising the Standard with Endpoint Management, Anti-Phishing, and More

We recommend all our customers choose Microsoft 365 Business Premium to benefit from its additional security features such as endpoint management and anti-phishing. These solutions are available as add-ons for Basic and Standard users. Business Premium includes conditional access, an enhanced form of MFA which allows you to restrict access by location and other conditions—for example, preventing logins from countries where your team does not work.
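Before enforcing the legacy-authentication block and the country restriction described above, it helps to see which existing sign-ins they would stop. The following is an added example, not part of the original article or of any TechHouse or Microsoft tooling; field names follow the Microsoft Graph sign-in log format, while the allowed-country list, the emergency account, and all sample records are constructed assumptions.

```python
# Added example: audit sign-in records before enforcing location and legacy-auth blocks.
ALLOWED_COUNTRIES = {"US", "CA"}  # assumption: countries where the team works
# clientAppUsed values for protocols that cannot perform MFA
LEGACY_CLIENTS = {"Exchange ActiveSync", "IMAP4", "POP3",
                  "Authenticated SMTP", "Other clients"}
BREAK_GLASS = {"emergency-admin@example.com"}  # hypothetical excluded account

SAMPLE_SIGNINS = [  # constructed records; errorCode 0 means the sign-in succeeded
    {"userPrincipalName": "alice@example.com", "clientAppUsed": "Browser",
     "location": {"countryOrRegion": "US"}, "status": {"errorCode": 0}},
    {"userPrincipalName": "bob@example.com", "clientAppUsed": "IMAP4",
     "location": {"countryOrRegion": "US"}, "status": {"errorCode": 0}},
    {"userPrincipalName": "bob@example.com", "clientAppUsed": "Browser",
     "location": {"countryOrRegion": "RO"}, "status": {"errorCode": 50126}},
    {"userPrincipalName": "carol@example.com",
     "clientAppUsed": "Mobile Apps and Desktop clients",
     "location": {"countryOrRegion": "DE"}, "status": {"errorCode": 0}},
    {"userPrincipalName": "emergency-admin@example.com", "clientAppUsed": "Browser",
     "location": {}, "status": {"errorCode": 0}},
]

def classify(signin):
    """Return the reasons a sign-in would be blocked (empty list = allowed)."""
    reasons = []
    country = ((signin.get("location") or {}).get("countryOrRegion") or "").upper()
    if country not in ALLOWED_COUNTRIES:
        # A missing location is treated as untrusted, not silently allowed.
        reasons.append(f"country:{country}" if country else "unknown-country")
    if signin.get("clientAppUsed") in LEGACY_CLIENTS:
        reasons.append("legacy-auth")
    return reasons

def audit(signins):
    """Summarise, per user, the sign-ins that the new rules would block.

    Successful sign-ins that would be blocked deserve review first: they are
    either legitimate users who need an exception or accounts already in use
    from an unexpected place or protocol.
    """
    report = {}
    for s in signins:
        reasons = classify(s)
        if not reasons:
            continue
        upn = s["userPrincipalName"].lower()
        entry = report.setdefault(upn, {"reasons": set(), "succeeded": 0,
                                        "failed": 0, "excluded": upn in BREAK_GLASS})
        entry["reasons"].update(reasons)
        ok = (s.get("status") or {}).get("errorCode") == 0
        entry["succeeded" if ok else "failed"] += 1
    return report
```

Running `audit(SAMPLE_SIGNINS)` shows that one user still relies on IMAP, another signs in successfully from outside the allowed list, and the emergency account would be caught by the location rule unless it is excluded.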

For users with Microsoft 365 Basic or Standard, it may make sense to leverage a more cost-effective endpoint monitoring tool like TechHouse’s SafetyPlus solution that includes device monitoring as well as Endpoint Detection and Response (EDR).

Zero Trust is Critical

No matter how many protections we put in place, there is always the possibility that a hacker will break through. That is why it is important to consider all devices untrustworthy. This approach is called Zero Trust and is a critical part of any cybersecurity strategy. To learn more about Zero Trust, see this Microsoft resource:

Zero Trust Model – Modern Security Architecture | Microsoft Security

If you would like to assess where your organization is on the Zero Trust maturity model, you can take this assessment: Microsoft Zero Trust Maturity Assessment Quiz | Microsoft Security

To help enhance your Zero Trust security posture, ensure you have an AI solution constantly monitoring for unexpected behavior. Add a Security Operations Center (SOC) to capture event logs and provide more details should a breach occur.

Affordable Security for Special Requirements – CMMC GCC High Alternatives

In some instances, you may need a different platform or level of security from your Microsoft 365 environment, specifically, if you are working with Controlled Unclassified Information (CUI), a new category of unclassified information within the U.S. Federal government. As stated in our previous blog, CUI is sensitive information owned by the government and requires safeguarding and protection. Types of CUI include financial records, engineering drawings and lists, manuals, and contract information. In other words, any organization working with sensitive information for the U.S. government has standards to meet.

Read more: New DFARS & CMMC Requirements | TechHouse

Among our small to mid-market customers, we find that very few can afford the cost of maintaining that level of security across their entire organization when only a part of it, about 20% of their customers, requires CMMC.

If you want to operate your documents on Microsoft 365 with CMMC Level 3 or higher security, you have the option to get GCC High from Microsoft. Only a few limited sources can make that available, and Microsoft is not making it available to all customers. Those who can get it often do not want to bear the additional cost of managing it or work through the many restrictions associated with its limited features.

To get around this, it may be best to set up a separate, isolated environment to manage email and files related to CUI, and then continue to have your standard level of security in Microsoft 365 for all other emails and files. We offer a solution. We are always available to discuss the different options and alternatives available to you regarding your CMMC compliance.

Related reading: How to prepare for CMMC compliance as a defense industrial base supplier using the Microsoft cloud – Microsoft Security Blog

Next Steps for Layered Security

Your decision to move forward with securing and controlling appropriate documents may take steps you did not initially expect. We know you care for your organization and your customers, and their sensitive information matters to you. Imagine the ease you will feel knowing you have done all you can to ensure documents are secured and controlled as needed.

We are happy to guide you through any additional questions you may have about ways to secure and control the use of documents.