The security of your mail deserves the same attention. The built-in Exchange Online Protection (EOP) offers basic protection against spam and malware, but on its own it does little to stop someone spoofing your own domain in the From address. At a minimum, publish SPF, DKIM and DMARC records for every domain you send from, and spend some time evaluating third-party products to provide a solid email security foundation for your Office 365 environment.
You should also consider creating transport rules (mail flow rules) that match common financial and personal data types. You can do this from a Data Loss Prevention (DLP) template, which creates transport rules you can then tweak, or you can create a transport rule directly using the built-in sensitive information types. To create a rule that blocks the sending of unencrypted credit card numbers and Social Security numbers, open the Exchange admin center and navigate to Mail Flow > Rules. Click the + sign and choose "Generate an incident report when sensitive information is detected ...". Choose the types of sensitive information you want to detect, select a recipient to notify and the details to include in the notification, and (optionally) add a further action to block the message, either with a Non-Delivery Receipt (NDR) that tells the sender why it was stopped or silently without one. Start the rule in audit mode and review the incident reports before switching it to enforce, so false positives on order numbers or other digit strings do not block legitimate mail.
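The same rule built from Exchange Online PowerShell rather than the admin center wizard, as an added example that is not part of the original article. It assumes you have already run Connect-ExchangeOnline from the ExchangeOnlineManagement module; the rule name, the compliance@contoso.com report mailbox and the rejection text are placeholders. The two data classification names are the built-in sensitive information types that ship with Exchange Online.

```powershell
# Added example (not from the article): mail flow rule that blocks outbound,
# unencrypted credit card and SSN data and sends an incident report.
# Assumes Connect-ExchangeOnline has been run. Name, report mailbox and
# rejection text are placeholders to adapt.

$reportMailbox = "compliance@contoso.com"   # assumed incident-report recipient

$rule = @{
    Name     = "Block unencrypted card and SSN data to external recipients"
    Comments = "Blocks outbound credit card / SSN content; incident report to compliance."

    # Only fire on mail leaving the organisation
    SentToScope = "NotInOrganization"

    # Built-in sensitive information types; minCount 1 means a single match fires the rule
    MessageContainsDataClassifications = @(
        @{ Name = "Credit Card Number";               minCount = "1" },
        @{ Name = "U.S. Social Security Number (SSN)"; minCount = "1" }
    )

    # Do not block mail that is already S/MIME encrypted
    ExceptIfMessageTypeMatches = "Encrypted"

    # Incident report with enough detail to triage without opening the original mail
    GenerateIncidentReport = $reportMailbox
    IncidentReportContent  = @("Sender", "Recipients", "Subject", "Severity",
                               "RuleDetections", "DataClassifications", "IdMatch")
    SetAuditSeverity       = "High"

    # Reject with an NDR so the sender learns why the message was stopped.
    # To drop the message silently instead, replace these two keys with
    # DeleteMessage = $true
    RejectMessageReasonText         = "Blocked: this message appears to contain unencrypted credit card or Social Security numbers. Use the approved encryption option and resend."
    RejectMessageEnhancedStatusCode = "5.7.1"

    # Start in Audit (or AuditAndNotify) and review the reports before changing to Enforce
    Mode = "Audit"
}

New-TransportRule @rule

# Confirm the rule exists, is enabled and is in the mode you expect
Get-TransportRule -Identity $rule.Name |
    Format-List Name, State, Mode, SentToScope, MessageContainsDataClassifications
```

Once the incident reports show acceptable false-positive rates, switch the rule with `Set-TransportRule -Identity "<rule name>" -Mode Enforce`. Keep the `ExceptIfMessageTypeMatches` exception in mind: it recognises S/MIME-encrypted messages, so if your organisation relies on a different encryption option you will need to scope the exception to that mechanism instead.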
Mobile device settings
Most of your users will probably want to use their own mobile devices to access company email. This benefits the user, who only needs to carry one device, and it benefits the company, which does not have to purchase and manage devices and contracts for its users. Those devices, however, are now portable entry points into your mail system and, if you use line-of-business applications or a mobile VPN, into your entire network.
Once you have completed MDM setup, click "Manage device security policies and access rules." Click the + sign to create a new policy and give it a name and an optional description. A number of options are available here: you can require a PIN (or a more complex password), set a sign-in failure count that wipes the device, set an inactivity lock, require device encryption, and block "rooted" or "jailbroken" devices from connecting.
At a minimum, require a six-digit PIN, wipe the device after 10 failed sign-in attempts, set a short inactivity lock, require device encryption, and block rooted or jailbroken devices. This stops the largest number of basic attacks against lost or stolen devices without greatly inconveniencing your users. Remember that these policies only protect devices that enrol; decide what happens to devices that do not, and make sure unknown devices are quarantined or blocked rather than allowed by default.
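The same baseline applied at the Exchange layer with an Exchange ActiveSync mobile device mailbox policy, as an added example that is not part of the original article. This is a complement to, not a substitute for, the MDM device security policy described above: mailbox policies enforce the PIN, wipe, lock and encryption settings on any ActiveSync client, but they cannot detect rooted or jailbroken devices, which only the MDM policy can block. It assumes Connect-ExchangeOnline has been run; the policy name and the admin mailbox are placeholders.

```powershell
# Added example (not from the article): Exchange ActiveSync mailbox policy
# carrying the recommended baseline (6-digit PIN, wipe after 10 failures,
# inactivity lock, device encryption), plus a default of quarantining
# unknown devices. Assumes Connect-ExchangeOnline has been run.
# Rooted/jailbroken detection is NOT possible here; that stays in MDM.

$policy = @{
    Name                         = "Baseline-BYOD-Mail"   # assumed policy name
    PasswordEnabled              = $true
    AlphanumericPasswordRequired = $false    # a numeric PIN satisfies the baseline
    AllowSimplePassword          = $false    # reject 111111, 123456 and similar
    MinPasswordLength            = 6
    MaxPasswordFailedAttempts    = 10        # device wipes itself on the 10th failure
    MaxInactivityTimeLock        = "00:05:00"  # lock after five minutes idle
    RequireDeviceEncryption      = $true
    RequireStorageCardEncryption = $true     # cover removable storage where the OS has it
    AllowNonProvisionableDevices = $false    # block clients that cannot enforce the policy
    IsDefault                    = $true     # applies to mailboxes with no explicit policy
}

New-MobileDeviceMailboxPolicy @policy

# Devices that are not recognised by a rule or a personal exemption should be
# quarantined for review instead of being allowed in by default.
Set-ActiveSyncOrganizationSettings -DefaultAccessLevel Quarantine `
    -AdminMailRecipients "mobile-admins@contoso.com"   # assumed notification address

# Check: list every partnered device that is currently not allowed in, with the reason
Get-MobileDevice -ResultSize Unlimited |
    Where-Object { $_.DeviceAccessState -ne "Allowed" } |
    Select-Object UserDisplayName, DeviceType, DeviceOS, DeviceAccessState, DeviceAccessStateReason |
    Sort-Object UserDisplayName |
    Format-Table -AutoSize
```

Setting `IsDefault` replaces the tenant's default policy, so existing devices pick up the new requirements at their next sync and users will be prompted to set a PIN that meets them. Run the final `Get-MobileDevice` check a day or two after rollout to find devices stuck in quarantine or blocked for failing to provision, which is the usual sign of an old client that cannot honour the encryption or PIN requirement.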