
Microsoft Secure Score: Are Security Defaults Enough to Protect Your IT Environment?

If your organisation uses the Microsoft 365 suite of collaboration and communication tools, and you’re an administrator of this organisation – also referred to as a ‘tenancy’ – you may have received an email in the last few months about Microsoft Secure Score (MSS) and all the new metrics being added.

What is the Microsoft Secure Score?

In 2018, Microsoft announced the general availability of an updated feature: Microsoft Secure Score. This was a combination of renaming the pre-existing Office 365 Secure Score feature, while also integrating the rest of the Microsoft services portfolio.

It was the first step in a series of measures designed to bring security to light for modern organisations, giving business decision makers a glimpse into this previously heavily technical area.

The Microsoft Secure Score dashboard has become a place to immediately grab actionable information on key aspects of an organisation’s cloud operations. 

Are Security Defaults Enough?

Security defaults, depending on your business, are likely not enough given current security considerations. With data security more important than ever in protecting your IP, reputation, and lawful operation, there is a need to provide greater fortification. Using security defaults, the Microsoft Secure Score sits at around 55/100.

A great example of this is Multi-Factor Authentication, or MFA, where you enter your password, then need a code from an SMS or app to finish logging in. It might surprise you to hear that MFA is not turned on by default for Microsoft work and school accounts, but it can protect against up to 99.9% of all account compromise attacks.

5 Steps to Improve Your Microsoft Secure Score

  1. Understanding the MSS

Log into the Microsoft Secure Score dashboard and look at where you currently stand. It should look like the following:

[Image: Microsoft Secure Score home]

Start digging into the metrics to see what they mean – read up, or ask us for a detailed explanation.

  2. Assessing

You then need to assess how the MSS reflects on your organisation’s operations. This can be used as an opportunity to improve not only the immediate cloud security posture, but also your Data Access Policy, and how your employees engage with these services.

The “Organizations like yours” metric can be a good gauge of how you’re performing against the competition. Unless it indicates 100/100, that means room to improve.

Lower scores could reflect a need for better management of an increasingly remote workforce and number of access points.

  3. Plan

It’s at the planning phase that you should consider getting in outside help, unless you have a Microsoft Certified Practitioner on the team.

While many of the actions recommended in the dashboard state that they have minimal or no user impact, there can be third-party integrations in place, users operating software requiring “legacy protocols”, and similar unforeseen hurdles that can impact your operations. 

A plan should be put together so you can identify stakeholders, risks, timeline, and who is responsible for different aspects. A plan may involve setting particular goals to obtain cyber security insurance that requires an MSS as standard.

  4. Execute

When you’ve planned correctly, the execution stage of implementing new security features goes off with minimal impact across your organisation. This step can involve outsourcing execution to the same professional services company, for greater peace of mind.

  5. Assess & Monitor

Now, how did you do? Did it go off without a hitch, or is it time to go back and gather more information? What is important is that you did something – you started on this process and have made a change. This is not the end of the journey though; there are always next steps. You’ll need to keep an eye on your Microsoft Secure Score regularly.

As new security metrics are added, or more products are released with defaults that you can improve on, your score will change. This is where ongoing monitoring and management come in, which is something an external managed support provider can excel at.
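
One way to act on this, as an added example that is not part of the original article: the script below compares Secure Score snapshots and separates a score that fell because new metrics raised the maximum from one that fell because an existing control regressed. It assumes snapshots exported in the shape of the Microsoft Graph secureScore resource (currentScore, maxScore, createdDateTime, controlScores); the sample data and control names are constructed.

```python
import json

# Constructed sample: two daily snapshots shaped like Microsoft Graph
# secureScore resources. Control names are made up for illustration.
SNAPSHOTS = json.loads("""
[
  {"createdDateTime": "2024-05-01T00:00:00Z", "currentScore": 110.0, "maxScore": 200.0,
   "controlScores": [{"controlName": "ExampleMfaControl", "score": 9.0},
                     {"controlName": "ExampleLegacyAuthControl", "score": 8.0}]},
  {"createdDateTime": "2024-05-02T00:00:00Z", "currentScore": 102.0, "maxScore": 220.0,
   "controlScores": [{"controlName": "ExampleMfaControl", "score": 9.0},
                     {"controlName": "ExampleLegacyAuthControl", "score": 0.0},
                     {"controlName": "ExampleNewControl", "score": 0.0}]}
]
""")


def percent(snapshot):
    """Score as a percentage of the maximum achievable for the tenant."""
    if not snapshot["maxScore"]:
        return 0.0
    return round(100.0 * snapshot["currentScore"] / snapshot["maxScore"], 1)


def compare(old, new):
    """Explain the change between two snapshots of the same tenant."""
    old_c = {c["controlName"]: c["score"] for c in old.get("controlScores", [])}
    new_c = {c["controlName"]: c["score"] for c in new.get("controlScores", [])}
    return {
        "old_percent": percent(old),
        "new_percent": percent(new),
        # A positive delta means new metrics were added to the maximum.
        "max_score_delta": new["maxScore"] - old["maxScore"],
        # Controls that existed before and now earn fewer points.
        "regressed_controls": sorted(n for n in old_c if n in new_c and new_c[n] < old_c[n]),
        # Controls that did not exist in the earlier snapshot.
        "new_controls": sorted(n for n in new_c if n not in old_c),
    }


def monitor(snapshots):
    """Compare each snapshot with the one before it, oldest first."""
    ordered = sorted(snapshots, key=lambda s: s["createdDateTime"])
    return [compare(a, b) for a, b in zip(ordered, ordered[1:])]


if __name__ == "__main__":
    for change in monitor(SNAPSHOTS):
        print(change)
```

A regressed control points to a configuration change worth investigating, while a new control with a score of zero is a fresh recommendation to feed back into the planning step.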

Speak to our team today about how we can minimise your business risk and the time taken in managing it – allowing you to focus on your business and what you do best. Security is an investment and with the right approach can be managed with confidence. We’re here to assess, inform and support you through any step of the process.
