Organizations choose the subscription-based Microsoft Office 365 over traditional MS Office not only for ongoing support, robust cloud productivity features, and multiple user/device access, but for regular updates to business applications and security features alike. The security features are of particular importance, given the impending threat of cyber crime.
However, with news breaking that new phishing attacks have allegedly been able to bypass Office 365’s stringent email filters, some current and prospective subscribers may be concerned. Discussion of MS Office 365 security increased further when, within the same week, the FBI named Office 365 users as the gateway for a recent global espionage campaign that has targeted the Five Eyes intelligence alliance comprising the U.S., Canada, the U.K., Australia and New Zealand. What these reports neglect to include is that the issue is not with MS Office 365, but with an organization's own activities and security settings in the subscription service. And this is where Microsoft Secure Score comes in.
Microsoft Secure Score is an enterprise-class dynamic report card for cyber-security. By using it, your organization will receive assessments and recommendations that can significantly reduce the risk of a breach. It will provide your security team with guidance on how to better secure admin and user accounts with Multi-Factor Authentication, turn off client-side email forwarding rules, and more. We discussed Secure Score in our recent article about how Microsoft offers one of the most secure cloud productivity solutions around, but today we are taking a more in-depth look at this useful security tool.
To leverage it, you’ve got to get it. That means your subscription needs to include Office 365 Enterprise, MS 365 Business, or Office 365 Business Premium, and in order to view and use your Secure Score dashboard you must have the necessary permissions:
There are essentially three key “to dos” involved in your Secure Score experience: review your score, take action, and track your progress over time.
Here’s a snapshot of what your Secure Score will look like:
The score is calculated based on the controls you can configure, versus what you have configured, and only calculates your score based on the services you’ve subscribed to. Your Office 365 score is taken on its own or added to your Windows score (if you have Windows Defender Advanced Threat Protection) to deliver the final tally. The numerator is the sum of the security controls that you fully or partially meet, while the denominator represents the number of points that you can possibly earn given the set of features that you have available. The difference between the numerator and the denominator denotes your room for improvement.
Not only does your Secure Score give you a clear accounting of what action needs to be taken, it allows you to benchmark your organization against other organizations of a similar size, across the entire service. In the future Microsoft will turn this into an industry view so that you can gain better competitive insight.
With your score target defined, you can then prepare to take action.
Within the Secure Score dashboard, your organization will receive a list of recommendations, steps that your IT team can take to improve your score along with complete transparency about what risk each step intends to mitigate. So that you can better account and budget for these actions, Secure Score provides several control dimensions, which include the ability to filter controls by user impact and implementation cost. This will help you balance your organization’s productivity against security.
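The calculation and filtering described above can be sketched in a few lines. This is an added example, not Microsoft's code or anything taken from the Secure Score dashboard; the record layout, control list, point values and impact/cost ratings are all constructed for illustration.

```python
# Constructed sample data: control names, point values and ratings are
# illustrative, not taken from a real tenant or from Microsoft's catalogue.
CONTROLS = [
    {"title": "Enable MFA for admin accounts", "service": "Office 365",
     "max": 50, "earned": 50, "user_impact": "Low", "cost": "Low"},
    {"title": "Enable MFA for all users", "service": "Office 365",
     "max": 30, "earned": 12, "user_impact": "Moderate", "cost": "Moderate"},
    {"title": "Turn off client-side email forwarding rules", "service": "Office 365",
     "max": 20, "earned": 0, "user_impact": "Moderate", "cost": "Low"},
    {"title": "Enable mailbox auditing", "service": "Office 365",
     "max": 10, "earned": 0, "user_impact": "Low", "cost": "Low"},
    {"title": "Turn on endpoint real-time protection", "service": "Windows",
     "max": 40, "earned": 40, "user_impact": "Low", "cost": "High"},
]
LEVELS = {"Low": 0, "Moderate": 1, "High": 2}


def secure_score(controls, subscribed):
    """Return (numerator, denominator) over controls of subscribed services only."""
    in_scope = [c for c in controls if c["service"] in subscribed]
    numerator = sum(min(c["earned"], c["max"]) for c in in_scope)  # partial credit counts
    denominator = sum(c["max"] for c in in_scope)
    return numerator, denominator


def next_actions(controls, subscribed, max_impact="High", max_cost="High"):
    """Open controls within the impact/cost limits, largest point gain first."""
    todo = []
    for c in controls:
        gain = c["max"] - min(c["earned"], c["max"])
        if (c["service"] in subscribed and gain > 0
                and LEVELS[c["user_impact"]] <= LEVELS[max_impact]
                and LEVELS[c["cost"]] <= LEVELS[max_cost]):
            todo.append((gain, c["title"]))
    return [title for gain, title in sorted(todo, key=lambda t: (-t[0], t[1]))]


if __name__ == "__main__":
    for services in ({"Office 365"}, {"Office 365", "Windows"}):
        num, den = secure_score(CONTROLS, services)
        print(sorted(services), f"{num}/{den}", "room for improvement:", den - num)
    print(next_actions(CONTROLS, {"Office 365"}, max_impact="Low", max_cost="Low"))
```

Adding the Windows controls raises both the numerator and the denominator, while the room for improvement stays the same because that control is already fully met.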
Need a relatable example of a recommendation? “Enable MFA” is a very important one. MFA (Multi-Factor Authentication) was headlined in our recent article about cyber security protocol for 2019, which brings us to the global espionage campaign addressed in the introduction. Hackers were able to expose vulnerabilities in the Australian Parliament’s use of Office 365 because it only employed Single-Factor Authentication. Had MFA been in use, the hack may have been avoided. Or in other words, had Secure Score been in use, this gap in Office 365 security would have been uncovered.
Once your IT team has made a recommended change, your score will update accordingly within 24 to 48 hours. You can leverage the Score Analyzer function in the dashboard to review the positive impact of your actions on your organization's security over time, as such:
The score over time (in orange) is shown in comparison to the average (in grey), which will give your organization a clear day-by-day accounting of where you stand against other companies of similar size and industry. The data is easily exportable (PDF, CSV) so that you can share the progress with your team and stakeholders.
While MS Office 365 subscribers should absolutely take advantage of Secure Score today, please note that your organization’s score does not express an absolute measure of how likely it is to get breached. Secure Score expresses the extent to which you have adopted features that can offset the risk of a cyber attack. Secure Score should not be interpreted as a guarantee in any way. Instead, it is a great complement to a more robust cyber security protocol.
If you want to leverage all that Microsoft Office 365 Secure Score offers, but don’t yet have a subscription, contact SIRKit today. To help you avoid the high cost of Enterprise products, we offer monthly subscriptions of Office 365, and because we are a Microsoft Certified Partner, you can use our in-house Canadian team for 365 support.