Secure Score analyzes and assigns a score to your Microsoft 365 security. Learn how.
Microsoft Secure Score is an analysis report, available for free with a Microsoft 365 subscription, that lives at https://security.microsoft.com/securescore. As Microsoft defines it, “Secure Score analyzes your organization’s security based on your regular activities, security settings and assigns a score.”
This tool benefits you by ensuring you know all the possible security settings available through your subscriptions. What exactly is analyzed, and how can your organization make the most of it?
What Is Microsoft Secure Score?
It aggregates your company’s user behavior, system settings, and other security-related configurations and vulnerabilities into one numerical value. The higher your score, the more secure your organization. Below, we break down everything that comes in the results, from the score itself to additional analyses that come along with it.
1. The Score
The score is broken down across different areas so you can determine where your maturity needs to improve. The score within each of those areas is based on all possible options in each particular setting and how those options are actually used within your organization. For example, the action “Enable MFA for all global admins” has a potential score of 50/50 points. If only half the available global admins have MFA activated, then the score will be 25/50. The total number of points available for your tenant depends on your licensing.
Each security setting has a category, impact, cost, and score assigned to it. Microsoft calculates the scores daily in the late hours.
2. Score History
As you continue to use Microsoft Secure Score, you’ll start to see your score history so you can learn if your security posture is improving (or not) over time. Like the score itself, you’ll see a breakdown based on each individual component so you know if some scores have gotten better or if any have gotten worse.
3. Recommendations and Top Improvement Actions
After you receive your score, the report shows what additional actions you could take to improve it. As you implement the listed actions, the score increases or decreases accordingly.
For example, one action might be to “Block Office Communication application from creating child processes.”
The Secure Score dashboard also provides “Top Improvement Actions”: actions you need to address as soon as possible, or ones that are quick to address and will raise your score quickly. It also shows, as a percentage, how much each action could improve your overall score.
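The partial-credit arithmetic from the MFA example and the per-action percentage gain described above, worked through as an added example (not Microsoft's code or export format). The field names, category labels and every figure other than the 50-point, half-covered MFA action are constructed, and proportional credit is assumed to apply to every action.

```python
from dataclasses import dataclass

@dataclass
class Action:
    title: str
    category: str
    max_points: float   # points available for this action
    covered: int        # accounts/devices where the setting is in place
    in_scope: int       # accounts/devices the setting applies to

    @property
    def points(self) -> float:
        # Partial credit is proportional to coverage (half covered = half the points).
        if self.in_scope == 0:
            return 0.0
        return self.max_points * self.covered / self.in_scope

# Constructed sample data. Only the MFA figures (50 points, half the admins) come
# from the article; every other number and all category labels are made up.
ACTIONS = [
    Action("Enable MFA for all global admins", "Identity", 50, 2, 4),
    Action("Block Office Communication application from creating child processes",
           "Device", 9, 0, 120),
    Action("Constructed sample action (fully implemented)", "Apps", 41, 30, 30),
]

def summarize(actions):
    total_max = sum(a.max_points for a in actions)
    total = sum(a.points for a in actions)
    by_category = {}
    for a in actions:
        got, possible = by_category.get(a.category, (0.0, 0.0))
        by_category[a.category] = (got + a.points, possible + a.max_points)
    # Rank unfinished actions by how many percentage points of the overall
    # score they would add if fully implemented.
    gains = [(a.title, round(100 * (a.max_points - a.points) / total_max, 1))
             for a in actions if a.points < a.max_points]
    gains.sort(key=lambda g: g[1], reverse=True)
    return {
        "score_pct": round(100 * total / total_max, 1),
        "category_pct": {c: round(100 * g / p, 1) for c, (g, p) in by_category.items()},
        "top_improvements": gains,
    }

if __name__ == "__main__":
    report = summarize(ACTIONS)
    print(report["score_pct"], report["category_pct"])
    for title, gain in report["top_improvements"]:
        print(f"+{gain}%  {title}")
```

With this sample, the tenant sits at 66 percent overall while the identity category is only at 50 percent, which is why the per-category breakdown matters more than the single aggregate number.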
4. Benchmarks
Microsoft also computes the average score across all Microsoft 365 tenants of similar industries and sizes so you can see how your score compares to other organizations. Even so, keep in mind that all organizations have their own security needs and requirements, so the comparison is only an interesting chart to note and should not be used to gauge your company’s security effectiveness.
How to Access and Use Your Score
To access Microsoft 365 Secure Score, you need Microsoft 365 with Exchange Online, SharePoint Online, or OneDrive for Business.
Once your admins are in a global or custom role, they will have access to Secure Score and will be able to share results with any non-admin users. The results are available graphically at the site and are downloadable for manipulation in Excel.
Your IT administrators and security teams can then use the Excel spreadsheet to:
- Mark off security improvement actions as they’re completed.
- Create team-wide key performance indicators based on the score’s additional recommendations.
- Help determine departmental strategies for the next month, quarter or year, especially when it comes to identifying vulnerabilities and determining ways to mitigate security risks.
Microsoft Secure Score: A Guide, not a North Star
Because of the breadth and depth of the Microsoft 365 platform, it is easy to overlook (and even forget) some key security settings. But this tool ensures you do not miss anything. That means your chief information security officer (CISO) will forget your name, which is a positive side effect!
This tool, however, is not designed to gauge the likelihood of a security breach in your organization’s tenant, nor should it be used as a single source of truth for your organization’s security practices.
Every organization is different and will have different cybersecurity needs – if you’re in an organization that requires a lot of collaboration, some security recommendations may prevent your team from working together seamlessly. Conversely, if you work for a financial services company in a heavily regulated industry, you’ll likely need a much higher score than the aforementioned organization.
What’s a Good Score?
As noted above, recommendations, and therefore the Secure Score itself, are all relative. While you can’t sacrifice security for the desires of the users, you also can’t sacrifice user satisfaction for the desires of the security team. In general, an aggregate score of less than 50 percent likely means you have some improvements to make.
The Initial Score Is Only Step One
Getting your Microsoft 365 Secure Score and reviewing a few of the actions based on your company’s overall needs is only step one. Cybersecurity and your own organization’s risk posture are ever-evolving, especially as data breaches become more rampant and as your team shifts focus. There’s a reason Secure Score tracks your progress over time – so that your team can continue to return to its recommendations and determine your next steps.
Security is not a one-and-done process. But you can ease some of the burden of ensuring your team members and customers are safe and secure with a little guidance and some organization.