The Microsoft 365 Secure Score is a numerical summary, or rating, of an organisation’s security posture within Microsoft 365, based on system configuration, user behaviour and other security-related measurements. The higher the score, the more of the security controls available in Microsoft 365 the tenant has adopted. The data can then be used to identify potential security and compliance risks, and the actions that can be taken to raise your tenant’s score.
Important: Secure Score is not an absolute measurement of how likely it is that a tenant or its data will be breached; rather, it represents the extent to which a company has adopted the security controls available in Microsoft 365 that help offset the risk of being breached. No online service is completely immune from security breaches; the Secure Score should not be interpreted as a guarantee against a security breach in any manner.
Benefits of Secure Score include the following:
- Provides guidance as to what you can do to mitigate risks while balancing productivity and security.
- Provides a slider you can move to a target score to see, at a glance, which actions would get you there.
- Offers a dashboard for Chief Information Security Officers (CISOs) and security managers to quickly understand, at a glance, the tenant’s security score and which security features are enabled or disabled.
- Exposes the Secure Score data through an API (part of Microsoft Graph), so organisations can build customised dashboards and monitoring solutions on top of it.
- Using Secure Score helps increase security by encouraging an organisation to use the built-in security features in Microsoft 365.
Using Secure Score to assess your security posture
It’s challenging for organisations and security administrators to keep pace with the growing number of threats in the workplace and the ever-evolving data governance and compliance regulations being introduced. It’s not unusual for security and compliance administrators to have trouble understanding what their current security posture looks like, which risks they are exposed to, and what their roadmap might be to mitigate those risks and become more secure and compliant.
Resource allocation to security should be proportional to the projected cost of the worst-case scenario that occurs if the organisation is compromised.
Common pain points that an organisation must overcome include the following:
- Understanding the breadth of threat vectors. Threats can arrive by email, as a malicious attachment or link, or through more traditional routes such as a compromised firewall or network.
- Solutions that don’t adequately protect against current security threats. Previous investments in security software or hardware may be out of date and fail to adequately protect against today’s advanced security threats.
- Changing data governance and compliance regulations. Challenges exist around new and emerging regulations and standards. A recent example is the General Data Protection Regulation, or GDPR, by which the European Union intends to strengthen and unify data protection for individuals within the EU and to regulate the export of personal data outside the EU.
Microsoft Secure Score gives you a different way of managing your risk. Rather than only reacting to security alerts, Secure Score lets you track and plan incremental improvements over a longer period of time.
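As an added example of the kind of monitoring the Secure Score API and the longer-term tracking described above make possible (this is not code from the original post or from Microsoft), the Python below pulls Secure Score snapshots and control profiles from Microsoft Graph, ranks controls by how many points are still available, and flags any control whose score has dropped between two snapshots, which is the case a monitor should alert on. The Graph endpoints and field names are the public v1.0 ones; obtaining the bearer token (an app registration with the SecurityEvents.Read.All permission) is assumed to happen elsewhere, and the snapshot and profile data embedded in the block are constructed samples, not real tenant data.

```python
"""Rank Secure Score gaps and track score movement between two snapshots.

Added example, not code from the original post or from Microsoft. Assumes a
Microsoft Graph bearer token obtained elsewhere (app registration with the
SecurityEvents.Read.All permission). The sample JSON below is constructed to
mirror the shape of the Graph v1.0 secureScore and secureScoreControlProfile
resources; the values are made up and do not describe any real tenant.
"""
import json
import urllib.request

GRAPH = "https://graph.microsoft.com/v1.0/security"


def fetch(token: str, path: str) -> list:
    """GET {GRAPH}/{path} with a bearer token and return the 'value' array.
    This is the only network call; the offline demo below never invokes it."""
    req = urllib.request.Request(f"{GRAPH}/{path}",
                                 headers={"Authorization": f"Bearer {token}"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)["value"]


# --- Constructed sample data (shape follows Graph; values are invented) -----
SAMPLE_PROFILES = [
    {"id": "AdminMFAV2", "title": "Require MFA for administrative roles",
     "maxScore": 10, "userImpact": "Low", "implementationCost": "Low"},
    {"id": "MFARegistrationV2", "title": "Ensure all users can complete MFA",
     "maxScore": 9, "userImpact": "Moderate", "implementationCost": "Low"},
    {"id": "BlockLegacyAuthentication", "title": "Block legacy authentication",
     "maxScore": 8, "userImpact": "Moderate", "implementationCost": "Moderate"},
    {"id": "SafeAttachments", "title": "Safe Attachments policy",
     "maxScore": 5, "userImpact": "Low", "implementationCost": "Low"},
]

SAMPLE_SNAPSHOTS = [
    {"createdDateTime": "2023-03-01T00:00:00Z", "currentScore": 18, "maxScore": 32,
     "controlScores": [
         {"controlName": "AdminMFAV2", "score": 10},
         {"controlName": "MFARegistrationV2", "score": 3},
         {"controlName": "BlockLegacyAuthentication", "score": 0},
         {"controlName": "SafeAttachments", "score": 5}]},
    {"createdDateTime": "2023-04-01T00:00:00Z", "currentScore": 29, "maxScore": 32,
     "controlScores": [
         {"controlName": "AdminMFAV2", "score": 10},
         {"controlName": "MFARegistrationV2", "score": 6},
         {"controlName": "BlockLegacyAuthentication", "score": 8},
         {"controlName": "SafeAttachments", "score": 5}]},
]


def percent(snapshot: dict) -> float:
    """Score as a percentage of the points available to this tenant."""
    return 100.0 * snapshot["currentScore"] / snapshot["maxScore"]


def rank_gaps(snapshot: dict, profiles: list) -> list:
    """Controls ordered by unrealised points (max - current), largest first.
    Ties are broken by user impact so low-impact quick wins surface first."""
    impact_rank = {"Low": 0, "Moderate": 1, "High": 2}
    by_id = {p["id"]: p for p in profiles}
    rows = []
    for cs in snapshot["controlScores"]:
        prof = by_id.get(cs["controlName"])
        if prof is None:  # control has no profile in the list we pulled; skip it
            continue
        rows.append({"control": cs["controlName"], "title": prof["title"],
                     "score": cs["score"], "max": prof["maxScore"],
                     "gap": prof["maxScore"] - cs["score"],
                     "userImpact": prof["userImpact"]})
    return sorted(rows, key=lambda r: (-r["gap"],
                                       impact_rank.get(r["userImpact"], 9),
                                       r["control"]))


def score_delta(older: dict, newer: dict) -> dict:
    """Per-control change between two snapshots. A negative value means the
    control regressed (for example, someone switched a policy off)."""
    old = {c["controlName"]: c["score"] for c in older["controlScores"]}
    new = {c["controlName"]: c["score"] for c in newer["controlScores"]}
    return {n: new.get(n, 0) - old.get(n, 0) for n in set(old) | set(new)}


def regressed_controls(older: dict, newer: dict) -> list:
    """Sorted names of controls whose score fell between the two snapshots."""
    return sorted(n for n, d in score_delta(older, newer).items() if d < 0)


def latest_two(snapshots: list) -> tuple:
    """(older, newer) by createdDateTime, whatever order Graph returned them in."""
    ordered = sorted(snapshots, key=lambda s: s["createdDateTime"])
    return ordered[-2], ordered[-1]


if __name__ == "__main__":
    # With a real token you would use:
    #   profiles = fetch(token, "secureScoreControlProfiles")
    #   snaps    = fetch(token, "secureScores?$top=2")
    older, newer = latest_two(SAMPLE_SNAPSHOTS)
    print(f"Score {newer['currentScore']}/{newer['maxScore']} ({percent(newer):.1f}%), "
          f"change {newer['currentScore'] - older['currentScore']:+} since {older['createdDateTime']}")
    for r in rank_gaps(newer, SAMPLE_PROFILES):
        if r["gap"]:
            print(f"  {r['control']:28} {r['score']}/{r['max']}  gap {r['gap']}  impact {r['userImpact']}")
    print("Regressed controls:", regressed_controls(older, newer) or "none")
```

The per-control maximum is not in the secureScore snapshot itself; it lives in the control profile, which is why the two resources are joined on the control name. Ranking by gap and then by user impact gives the same "low-hanging fruit first" ordering the roadmap phase below recommends, and the regression check is what turns a one-off assessment into ongoing monitoring.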
CloudSecure Assessment aims to help organisations in Office 365 and Microsoft 365 assess and understand their current state and identify the steps that are necessary to be more secure. Once you’ve identified your current score, getting from point A to B may best be realised through a phased approach such as the one below:
- Assessment. To be successful, it’s imperative that you involve all the key stakeholders during this phase. In addition to the CISO or IT security manager, you want engagement from your Active Directory team, networking, security, Exchange, and so on. Together, you should identify the gaps between where the organisation is today in terms of security and the actions needed to mitigate risk and make your environment more secure. This is also the time to fix the scope. For example, depending on what you expect in terms of growth, it might be practical to assess only the workloads you are currently using: if your tenant is only using Exchange Online, it may not make sense to include SharePoint Online or OneDrive in your initial assessment.
- Education. The next phase is to learn as much as possible about the actions you can take to mitigate your risks, why you should execute those actions, how to implement the actions, and how certain actions may impact your organisation. It’s during this phase that you might realise that a certain action would have too high an impact on user productivity to implement now.
- Roadmap. This is perhaps the most valuable phase of the assessment: developing a roadmap for how you intend to minimise risk in your organisation is the key to ensuring you meet your goals. For example, you might collectively decide to act on the low-hanging fruit first, such as enabling multi-factor authentication for global admins or for all users.
We at Becloudsmart need to make sure we have controls in place while allowing people to be productive. Our current SecureScore is just under 500 points. What is your SecureScore rating?