Protecting Your Most Critical Asset

Microsoft 365 is the most critical asset for most small and medium-sized businesses. Why is this?

  • It stores your files
  • It stores your emails
  • It manages and processes your user logins or ‘identities.’
  • If it were breached, your business would be significantly affected.

Traditional security protection involves protecting the perimeter of your network with a firewall and your computers with antivirus software.

Many businesses still protect their IT estate this way, but a more modern approach is needed.

This is because hackers are targeting your identities, which are your user logins. A firewall and antivirus software do not protect against this.

If a hacker breaches your identity, they have access to everything you have access to.

For those of us who use Microsoft 365, this is where our identities are.

How do you protect something like Microsoft 365?

There are two broad ways:

  1. Continually monitor for suspicious activity: Typically done by a SOC (Security Operations Center).
  2. Continually harden your configuration: Typically, this is not done at all!

The purpose of this article and Microsoft Secure Score is to help you continually harden your Microsoft 365 tenancy.

What is Microsoft Secure Score?

Microsoft Secure Score measures your security posture and gives it a score out of 100. The higher, the better. The score is represented graphically, tracking your history and showing the improvements you can make that will have the most significant impact.

Microsoft does not make any proactive changes, so it’s up to you or your IT company to review your secure score and the recommendations and take action.

This approach is called the ‘shared responsibility’ model. Many assume Microsoft handle everything security-related in your Microsoft 365 tenant. Unfortunately, they do not.

One of the nice features of secure score is that you can compare your score against other similar organisations to see how you are doing.

What is a good score?

It’s difficult to give an accurate objective measure of a good score. This is partly because it depends on your licensing. However, when working with our customers, we aim to get your score above 80 and keep it there. If your score is below 30, you are at risk and have work to do.

Additionally, there are other secure scores across the Microsoft cloud. Azure has one, and there is also an ‘exposure score’ in Microsoft 365 that reflects a different set of metrics. This article focuses only on Microsoft 365 Secure Score.

Closing The Big Gaps

When we take on new clients, one of the first things we do is review their security configuration using Secure Score.

Almost every client we talk to has huge security gaps in their configuration. Things like:

  • Users without MFA
  • Legacy authentication allowed
  • No geographic blocking in place
  • Anyone can invite guests, including other guests!

People assume that when Microsoft provides a tenancy, they put all the right security in place. This isn’t the case. There is also an assumption that the IT provider is doing this either as part of onboarding or in an ongoing manner. Again, this is rarely the case.

As Microsoft Cloud specialists, we take great care to review this with customers when we onboard them. Ongoing hardening is also included as part of ManageOne Evolve, our managed IT offering that includes support, Microsoft 365 licensing, backups, and a range of other services.

Secure Score is really handy for highlighting these big gaps, allowing swift action to be taken. In many cases, it doesn’t take much to raise your score, but it is an ongoing effort.

Summary

If you’re interested in understanding your security posture, then go to https://security.microsoft.com/exposure-secure-score or ask your IT provider to produce a secure score report and compare it against similar organisations. Bear in mind that to access a secure score, you will need certain administrative rights to your tenancy. A safe way to get these rights is to have the ‘security reader’ role assigned to your account, which means you can view settings but make no changes.
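For ongoing tracking rather than a one-off look at the portal, the same history can be read from Microsoft Graph (GET /v1.0/security/secureScores) and checked automatically. The following is an added example, not code from this article: the sample response is constructed, the out-of-100 figure is assumed to be currentScore divided by maxScore, and drop_threshold is a hypothetical alerting value.

```python
import json

# Constructed sample shaped like a Microsoft Graph
# GET /v1.0/security/secureScores response (newest snapshot first).
SAMPLE = json.loads("""
{"value": [
  {"createdDateTime": "2024-05-03T00:00:00Z", "currentScore": 61.0, "maxScore": 250.0},
  {"createdDateTime": "2024-05-02T00:00:00Z", "currentScore": 70.0, "maxScore": 250.0},
  {"createdDateTime": "2024-05-01T00:00:00Z", "currentScore": 70.0, "maxScore": 250.0}
]}
""")

def percent(snapshot):
    """Score out of 100 (assumption: currentScore / maxScore).
    maxScore varies with licensing, so raw points are not comparable."""
    if not snapshot.get("maxScore"):
        return 0.0
    return round(100.0 * snapshot["currentScore"] / snapshot["maxScore"], 1)

def band(pct):
    """Bands from the article: above 80 is the target, below 30 is at risk."""
    if pct > 80:
        return "on target"
    if pct < 30:
        return "at risk"
    return "needs hardening"

def report(response, drop_threshold=2.0):
    """Summarise the latest score and flag drops between snapshots,
    which usually mean a setting was loosened or a new gap appeared."""
    snaps = sorted(response["value"], key=lambda s: s["createdDateTime"])
    if not snaps:
        raise ValueError("no secure score snapshots returned")
    pcts = [(s["createdDateTime"][:10], percent(s)) for s in snaps]
    drops = [
        (day, round(prev - cur, 1))
        for (_, prev), (day, cur) in zip(pcts, pcts[1:])
        if prev - cur >= drop_threshold
    ]
    latest_day, latest = pcts[-1]
    return {"date": latest_day, "percent": latest,
            "band": band(latest), "drops": drops}

if __name__ == "__main__":
    print(report(SAMPLE))
```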

As always, if you need help or advice, please reach out to us.

About David

As a seasoned Microsoft-certified expert, I have dedicated twenty years to helping businesses grow and streamline their operations through the strategic application of Microsoft technologies.
