What's your Security Score?


What is Office 365 Secure Score?

Security is clearly a number one priority for businesses, but gaining visibility of security in a meaningful way has been, and remains, a challenge for many. Businesses using Office 365 are now able to evaluate how the security configurations of their Office 365 tenants measure up to the global Office 365 baseline. This information can then be used internally with your security/compliance teams and your Microsoft Partner to help understand and improve your organisation's security posture within Office 365.

My Security as a Number!

The Secure Score is made up of two numbers, a numerator (51 in my example below), and the denominator (in this case 344). The numerator is the sum of all the security capabilities that are enabled in your Office tenant. The denominator is the sum of all the "possible" security capabilities that could be enabled based on the options that are available to you through the Office 365 subscription that your business has purchased. 

This means that if you have an Office 365 E3 tenant, then you have access to services such as Data Loss Prevention and Multi-Factor Authentication, so the denominator will be higher than for an organisation that has E1 but lower than for an organisation that has E5!

Your organisation's "score" is recalculated and updated every night, and Secure Score also provides a relatively comprehensive list of recommended steps you can take to improve it. Your score is also compared to the general average across all Office 365 tenants at the same level. It's not currently relative to organisations of similar size or sector, but this is a highly requested feature, so that may change over time.

The final number that Secure Score provides is your organisation's "hypothetical" maximum score. This may actually be bigger than the denominator, and the action queue will typically include enabling features that your organisation may not have purchased.

The hypothetical score will therefore show what your score could be if you purchased and enabled "premium services" such as Advanced Threat Protection or Azure Privileged Identity Management. As you can see, in the example above, if you purchased and enabled all the other services, your score could be as high as 341.

Now what?

So now you know your number - Microsoft provides some suggestions to help you improve it. Below your organisation's score, you are presented with a table listing "Actions in the queue." This is a list of all the capabilities that your organisation has available (based on your current Office 365 subscription) that you can deploy, configure and enable but haven't yet.

In the example above, the top recommended action is to enable Multi-Factor Authentication (MFA) for Admins. This should be obvious because the risk of a breach on an admin account is massive due to the level of access admins have. Microsoft estimates that over 87% of breaches start with a phishing attack, and most attacks are aiming to gain access to admin or privileged accounts. That said, it's scary how many customers I talk to that don't have MFA enabled.

Of course, there is probably good reason as to why you haven't:

  • You may not have known about them (you do now)
  • Your environmental complexities may mean you need a partner to help you deploy
  • You may be using alternative products which you can either replace (to save money) or use instead.

Be careful what you click though

Each action taken is likely to have an impact on user experience, so Microsoft provides a "guide" that informs administrators of the impact that taking the recommended action may have. The guide also provides a guideline as to the cost of implementation and the difficulty and risk of applying the change.

Want to know more?

Cisilion offer a no-charge consultation with one of our security architects to discuss your security and compliance requirements, and for those that are interested in knowing more about Office 365 Security - get in touch with us.


More articles by Rob Quickenden
