At Professional Advantage, we have a bi-monthly internal team catch-up for each line of business called Business Time Out (BTO). It’s where we get together to talk about ongoing project updates, sales and marketing activities, what’s new and exciting in the IT industry, and our learning and experiences from the field. At our recent Cloud & Infrastructure (C&I) BTO, we discussed Microsoft Secure Score extensively after our project team shared their experience working with a client whose Secure Score was only 18%. This score was precariously low for their industry and user count, so a discussion ensued, and questions were raised:
- What is Microsoft Secure Score?
- Why use it?
- What is an acceptable Secure Score?
- How to improve my organisation’s Secure Score?
- How do Essential Eight and Microsoft Secure Score align? Can I use one or the other to get an accurate reading of my security posture?
The answers to these questions and the free advice from our security specialists were too good not to share, so let’s dive into what we discussed at our C&I BTO in this blog.
What is Microsoft Secure Score?
Microsoft Secure Score (previously known as Office 365 Secure Score) is a threat and vulnerability management tool within Microsoft 365 that measures and monitors your security posture. It lists improvement actions grouped into three buckets within Microsoft 365: identities, apps, and devices. A high score generally means you have an effective security posture, whereas a low score indicates higher susceptibility to a breach. It also reports the average scores for companies like yours, along with Microsoft’s recommendations and best practices for raising a low score.
To check your Secure Score, visit https://security.microsoft.com/securescore and log in with your Microsoft 365 administrator account to see the result.
Why use it?
Microsoft Secure Score shows the current state of your organisation’s security posture by listing your security flaws and what actions you can take to improve them. It allows you to prioritise tackling your security gaps and preventing existing vulnerabilities from being exploited by cyber attackers.
Using Secure Score also gives you a benchmark against companies of similar industry and size to yours, which is a good reference point for comparison and for establishing your own key performance indicators (KPIs).
Finally, using Secure Score means getting protection recommendations designed specifically for the Microsoft products you are already using, such as:
- Microsoft 365 (including Exchange Online).
- Azure Active Directory.
- Microsoft Defender for Endpoint.
- Microsoft Defender for Identity.
- Microsoft Defender for Cloud Apps.
- Microsoft Teams.
What is an acceptable Secure Score?
An average Secure Score of 44% is good for a small not-for-profit with fewer than a hundred users. But an organisation in a different industry, even with the same number of users, would have a different acceptable average Secure Score. That’s because the benchmark changes depending on your existing licences, industry, and number of users.
Secure Score can also report the maximum score available with your existing licensing and the ‘achievable score’, which takes into account the risks you have chosen to accept.
How to improve my organisation’s Secure Score?
We recommend following these tips if you fall short of your industry’s benchmark but aim to improve your Secure Score.
- Check the ‘Recommended Actions’ in Secure Score and sort by ‘Points Achieved’. It will tell you which actions will contribute most to a higher score. In the screenshot example, this organisation enabled multi-factor authentication (MFA) but only for select individuals. Turning it on for everyone else will give them a maximum of ten points.
- Check the History tab in Secure Score to see if your score is dropping. It shows your score over time and tells you exactly why it changed, so you can remediate the cause.
- Ensure you have configured your Microsoft 365 security correctly so you have full visibility of your servers and workstations. It is not hard to push up your Secure Score in a Microsoft 365 and Azure environment that contains only email and a few servers. But the moment you onboard your endpoints into Microsoft Defender for Endpoint, it will start picking up security issues on your workstations, which then pulls your score down.
So many times we see people being fooled by a high or good-enough number on their Secure Score when in reality they have not yet integrated it with one of the most important pieces of hardware they have: their users’ workstations. Workstations are one of the main entry points for attackers and can be easily compromised without the right protection.
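The three tips above (rank recommended actions by the points still available, watch the history for drops, and expect the score to fall when newly onboarded devices expose issues) can be checked outside the portal, because Secure Score is also exposed through Microsoft Graph. The example below is added here and is not code from Professional Advantage or Microsoft. It assumes the field shape of the Graph `secureScores` (currentScore, maxScore, controlScores[].controlName/score) and `secureScoreControlProfiles` (id, title, controlCategory, maxScore) resources; the control names, titles and numbers are constructed sample data, not values from a real tenant.

```python
"""Rank Secure Score improvement actions and explain score changes between
two snapshots.  Sample data below is constructed and mirrors the shape of
Microsoft Graph's /security/secureScoreControlProfiles and /security/secureScores
responses (assumption: field names as documented for those resources)."""

# Constructed stand-in for GET /security/secureScoreControlProfiles
SAMPLE_PROFILES = [
    {"id": "MFARegistrationV2", "title": "Ensure all users can complete MFA",
     "controlCategory": "Identity", "maxScore": 10.0},
    {"id": "AdminMFAV2", "title": "Require MFA for administrative roles",
     "controlCategory": "Identity", "maxScore": 10.0},
    {"id": "SafeAttachments", "title": "Enable Safe Attachments policies",
     "controlCategory": "Apps", "maxScore": 5.0},
    {"id": "DefenderOnboarding", "title": "Onboard devices to Defender for Endpoint",
     "controlCategory": "Device", "maxScore": 15.0},
]

# Constructed stand-in for GET /security/secureScores (Graph returns newest first).
# The newer snapshot was taken after endpoints were onboarded: maxScore grew
# because a Device control appeared, and a Safe Attachments policy regressed.
SAMPLE_SCORES = [
    {"createdDateTime": "2024-03-02T00:00:00Z", "currentScore": 20.0, "maxScore": 40.0,
     "controlScores": [
         {"controlName": "MFARegistrationV2", "score": 4.0},
         {"controlName": "AdminMFAV2", "score": 10.0},
         {"controlName": "SafeAttachments", "score": 1.0},
         {"controlName": "DefenderOnboarding", "score": 5.0},
     ]},
    {"createdDateTime": "2024-03-01T00:00:00Z", "currentScore": 19.0, "maxScore": 25.0,
     "controlScores": [
         {"controlName": "MFARegistrationV2", "score": 4.0},
         {"controlName": "AdminMFAV2", "score": 10.0},
         {"controlName": "SafeAttachments", "score": 5.0},
     ]},
]


def percent(snapshot):
    """Secure Score percentage as shown in the portal (current / max)."""
    return round(100.0 * snapshot["currentScore"] / snapshot["maxScore"], 1)


def rank_improvement_actions(snapshot, profiles):
    """Controls with unclaimed points, largest potential gain first
    (the 'sort by Points Achieved' view from the portal)."""
    by_id = {p["id"]: p for p in profiles}
    rows = []
    for cs in snapshot["controlScores"]:
        prof = by_id.get(cs["controlName"])
        if prof is None:
            continue  # control not in the profile list: nothing to rank it against
        gain = prof["maxScore"] - cs["score"]
        if gain > 0:
            rows.append({"control": cs["controlName"], "title": prof["title"],
                         "category": prof["controlCategory"],
                         "achieved": cs["score"], "max": prof["maxScore"], "gain": gain})
    rows.sort(key=lambda r: (-r["gain"], r["control"]))
    return rows


def explain_score_change(older, newer, profiles):
    """Per-control diff between two snapshots: what regressed, what improved,
    and which controls are new (e.g. Device controls after Defender onboarding)."""
    by_id = {p["id"]: p for p in profiles}
    old = {c["controlName"]: c["score"] for c in older["controlScores"]}
    new = {c["controlName"]: c["score"] for c in newer["controlScores"]}
    changes = []
    for name in sorted(set(old) | set(new)):
        if name not in old:
            unclaimed = by_id[name]["maxScore"] - new[name] if name in by_id else None
            changes.append({"control": name, "kind": "new_control",
                            "delta": new[name], "unclaimed": unclaimed})
        elif name not in new:
            changes.append({"control": name, "kind": "removed", "delta": -old[name]})
        elif new[name] != old[name]:
            kind = "regressed" if new[name] < old[name] else "improved"
            changes.append({"control": name, "kind": kind, "delta": new[name] - old[name]})
    return {"old_percent": percent(older), "new_percent": percent(newer),
            "max_score_delta": newer["maxScore"] - older["maxScore"], "changes": changes}


if __name__ == "__main__":
    newer, older = SAMPLE_SCORES[0], SAMPLE_SCORES[1]
    for row in rank_improvement_actions(newer, SAMPLE_PROFILES):
        print(f"{row['gain']:>5.1f} pts  [{row['category']}] {row['title']}")
    print(explain_score_change(older, newer, SAMPLE_PROFILES))
```

With real data, replace the two sample lists with the `value` arrays returned by `GET https://graph.microsoft.com/v1.0/security/secureScoreControlProfiles` and `GET https://graph.microsoft.com/v1.0/security/secureScores` (the app needs the `SecurityEvents.Read.All` permission). In the constructed data the percentage falls from 76% to 50% even though only one control actually regressed: the rest of the drop is the newly visible Device control, which is exactly the onboarding effect described above.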
How do Essential Eight and Microsoft Secure Score align?
Can an organisation just use one or the other to get an accurate reading of its security posture? Essential Eight is one security framework you can use to strengthen your security stance, whereas Secure Score is built right into your Microsoft 365 platform. The two overlap to some degree, but they are not a 100% match because they focus on slightly different things.
Secure Score focuses more on prevention, and many of the solutions in the Microsoft Defender suite help organisations reach a higher maturity level in Essential Eight. In contrast, Essential Eight also covers recovery, to ensure your business gets back on track when a cyber incident happens, which Secure Score doesn’t look at.
We highly recommend using both to reinforce your security, for example, by going through your Secure Score and using it as a reference to prevent lateral movement in your network. Lateral movement is where an attacker who has gained access to a compromised admin account moves deeper into your network in search of sensitive data or intellectual property. Applying least privilege and just-in-time domain admin access as much as possible would not only address the lateral movement problem but also satisfy Microsoft Defender recommendations and some of the items in the Essential Eight maturity levels. Without standing local admin credentials to harvest, the number of servers an attacker can go on to compromise drops significantly.
Microsoft Secure Score is a powerful tool to get an overview of your organisation’s current state of security posture along with the steps you can take to improve it. Combining it with an industry-recommended framework such as Essential Eight further fortifies your IT security strategy against evolving cyber threats.
Doing this can be tough for many organisations because not everyone has the expertise or time, but you don’t have to do it alone. Partnering with a proven and skilled Microsoft 365 and security partner like Professional Advantage can help you achieve the best combination of a secure IT environment and a great user experience.
Contact us today to learn how to get your Secure Score reviewed or if you have other questions about this blog post.