Microsoft Office used to be just Word, Excel and PowerPoint to most people but now it is so much more and continues to grow and become an integral part of running any business today.
The Microsoft Office 365 Secure Score is another piece in the compliance and cybersecurity jigsaw that is going to help you achieve compliance and get the most out of your investment into Office 365.
What is this Secure Score?
Secure Score is part of the Security and Compliance Centre in Office 365. This includes links and dashboards for a variety of areas including Data Governance, Threat Management, Data Privacy and lots more which we can cover in other blog articles.
You can find a link to the Secure Score at the bottom of the centre.
This score is actually based on how Microsoft feel the current set-up and administration of your Office 365 account is currently being operated at. The default settings without changing anything at all will give you a score of 28 for a brand-new account and the maximum score that can be achieved is currently at the time of writing 807.
Why should you care about the Secure Score?
The Microsoft Office 365 Secure Score is a great way of understanding how your IT is setup to protect your business data. This provides peace of mind that you have put in the required security level and enables you to demonstrate this to others.
So how do I improve my Microsoft Office 365 Secure Score?
For example, moving the sliding scale for just one action will increase your secure score to 78.
As you move the sliding scale up the more tasks you are assigned to complete, with the current total of 79 actions to complete to achieve the maximum score of 807.
As you move from left to right you will find the tasks have more impact and complexity.
Each task you are assigned to complete is outlined below your score and will show lots of very valuable information to help you understand how the changes you are making will potentially impact your business.
You are shown the title of the task and then 3 areas of impact as per below.
As you can see from this image above there is a lot of very useful information including what the user impact is, what the implementation costs are as well as the threats this action will work towards solving and any compliance controls this action will also work towards.
How do I complete the tasks?
The tasks are completed in various ways. Under each task there are the following buttons
The Learn More button will open up another screen and give you some instructions about what you need to do. Sometimes it’s a simple as enabling something with a single click and other times it requires doing some further work to ensure your systems are more secure and compliant.
The Ignore button will do exactly that and ignore this request and will remove it from the list altogether.
The Third-Party Button operate like the ignore button and removes from the list and tags the task as being completed by a third party.
It is important to note that when you use the ignore or third-party buttons it will take up to twenty-four hours to reflect in the portal. You can also undo this if you need to.
What score should I be aiming for?
The size of your business and more importantly, the amount and type of data you are holding in Office 365 will help determine the score level you should aim for. Your target score can also be determined by any compliance requirements your business has. For example, if you are looking to achieve a certain ISO accreditation or even GDPR compliance then the score you will be aiming for could be much higher. The tasks do show which parts of compliance they achieve by enabling and implementing them.
Our advice would be to start off with some of the lower scores to first understand the process and see how you feel about the potential changes made to your Office 365 environment.
Does a high score mean I will not get breached?
Unfortunately, no, there are no guarantees even with the maximum score that you will not suffer from a security breach. These tasks and settings will certainly help but they do not offer any kind of guarantee.
Who can access the secure score?
Not everyone can access your company’s secure score, only the Office 365 administrators.
This is because only the people that can actually make the changes can see the score and the tasks.
The roles that can access secure score are the global admin or a custom admin. Admins care share results with other people in the business. Microsoft are looking at introducing non-admins being able to access the score but not complete or see any of the tasks.
How long does it take for my score to be updated?
Once you have completed an action it can take between 24-48 hours for the changes to be reflected in your secure score.
Do we need an IT Company to complete our tasks on our behalf?
This depends on a few things, to start with in many cases your IT provider will in fact, be your global administrator and therefore will either be able to complete these tasks for you or will be able to make you a custom administrator if you have the technical knowledge to do this.
In some cases, your IT provider may not wish to grant you access to do this and may prefer to provide you with reports as to what score you currently have and discuss a score you would like and what the implications or changes required to put this in place.
If you are an IT manager in the business, you will likely have access and the skill sets to complete this.
What to do next?
To start with it, find out who is the global administrator of your Office 365 account. Then you will need to understand if the company you work for is working towards or has in place in compliance certifications or regulations such as ISO or GDPR.
Once you understand these two things you will need to understand the potential implications for making changes to your Office 365 environment and discuss with the right people what kind of security score you would like to aim for and over what time-period.
Once you have this in place you can start making the required changes by simply working through the list of tasks that are generated from the secure score you have set.
We are a BCS Customer… what do we do?
If you are a BCS customer and you have our ‘Compliance, Security and Maintenance’ visits, then the good news is this is all included. Talk your account manager or primary engineer about your Microsoft Office 365 Secure Score.
If you are a customer and do not have our CSM visits, then again contact your account manager to discuss the benefits of these visits and how you would like to understand your secure score and how you can improve it. If you are not sure who your account manager is, give us a call on 01843 572600 and we can put you straight through to them to discuss this further.
What if you are not a BCS customer?
If you have an existing provider, then your first port of call will be them or if you have an In-house IT manager or engineer then again ask them first. Should you not have a current IT provider or are possibly thinking of changing then we would love to discuss with you how we ensure our clients are safe, secure, and trained to ensure their businesses have the best opportunity to grow. You can reach out to me directly at email@example.com or give me a call on 01843 57600.