About Microsoft Secure Score – Free Guide

A helpful guide to using Microsoft Secure Score to assess your cyber security posture. 

Business owners and IT administrators can use Microsoft Secure Score to assess and improve cyber security.  You can also work with a trusted IT consultant to help you understand and improve your cyber security. This guide will help you understand:

Need help with Techaches or IT challenges?

Book a discovery call for options & an estimate.

What is Microsoft Secure Score?

Microsoft Secure Score is a convenient and effective tool for you to assess your Microsoft 365 and overall security status.

It is a part of Microsoft's Threat and Vulnerability Management.

The Secure Score tool gives you insight in to your score. By reviewing your score, you can identify weak areas and plan improvements.

The calculation is partly automatic, partly based on the information you provide and is best assessed with an IT professional because you don't want or need to aim for a perfect score. In fact, this can impede you. In any event, when you run the tool, you will get not just a number, but explanations of security control available, see where you are doing well, and where you could improve the score. You then decide which controls to implement.

Who needs Microsoft Secure Score?

Many small businesses have turned to cloud services such as Microsoft 365 - perhaps you have too.

A good service provides many benefits, including predictable costs, reduced IT requirements, and a high level of security.

Reputable cloud services have physically controlled facilities as well as full-time experts to protect customer data. Even so, security depends on a partnership between the service provider (Microsoft) and the customer (you).

A business that uses cloud services has to stay on top of its responsibilities to ensure that its data stays safe. Your IT managers need to understand and apply the best practices to protect your cloud accounts.

Microsoft Secure Score is a convenient and effective tool for Microsoft 365 administrators to assess their security status. By reviewing their score and its associated information, they can identify the areas where there's room for improvement.

Secure Score Helps Business Owners Self Assess Cyber Security

Huge data breaches at major enterprises make the headlines, but no one is too small to be targeted. Attacks on computer networks are automated operations. They scan every IP address and domain, looking for weaknesses. They spam every email address they can find.

Every site has something of interest to criminals. It could have customer records with black market value. It might have private correspondence which aids in crafting personalized scams. Any server can be infiltrated and weaponized for attacking other servers. Small and medium businesses are often targeted because of the perception that they're less well protected than the biggest ones.

Every business in Canada that deals with personal information is subject to the requirements of PIPEDA. It requires safeguards on personal information which an organization stores. Failure to comply with PIPEDA and other applicable requirements can lead to fines or business penalties. Some organizations face more stringent requirements than others, but no one can ignore the issue.

Office 365 managers can use the Secure Score tool to build a quantified picture of how well protected their services are. It's a part of Microsoft's Threat and Vulnerability Management. It shows your score, based on the protections which you have implemented. This score is presented against a maximum based on all the available services. It gives specific recommendations for improving your score, explaining the risks, effects, and costs.

The calculation is partly automatic, partly based on the information you provide. What you get isn't just a number, but an explanation of each security control which is available. You see not just how well you're doing, but exactly where you could improve the score.

Understanding Controls In Secure Score

You may be looking for a "button" or an "on/off switch" to control a security setting in Microsoft Secure Score, but the word "control" has a specialized meaning in IT security.  It applies to a set of policies and practices to mitigate a risk category. Secure Score identifies controls, or policies and practices,  you can implement to improve your security. Each Microsoft Secure Score control is worth a certain number of points if you implement it.

An example of a security control is two-factor authentication. It's not a setting inside the Secure Tool, it is a best practice you apply to all your important accounts in the real world.

Like all controls, each provides a benefit and carries a cost.

In this case, the benefit of two factor authentication is that criminals won't be able to break into accounts just by stealing or guessing a password.

The cost is that employees will sometimes have trouble legitimately getting into their accounts. They'll need more assistance, and they might be unproductive till they get it.

How Your Secure Score Is Calculated

Each control that you implement gives you points. There are two ways to get them.

If you turn on the corresponding feature in Microsoft 365, you get them automatically.

You can also implement some controls through third-party services, and you can designate these manually. You're asked for a description of the service you're using.

This is strictly for your business's internal reference; no one at Microsoft will look at it or judge it.

How high should my Microsoft Secure Score be?

There is no right or wrong answer for how high your Microsoft Score needs to be.  The highest possible score isn't always the best.  Your score should be a realistic assessment of your business IT Security practices an needs.

The control panel gives you a slider to select the level of security you need, from "Basic" to "Aggressive." The setting you choose affects the recommendations which you get and the controls which are shown.

An aggressive setting gives you the most locked-down environment. It's very secure, but it will cost you in inconvenience and time. It could encourage your end users to skirt security rules (shadow IT), in which case your security might be worse than before.

The goal is a realistic assessment of your business's security situation.

Your score should strike the right balance between protection and ease of use, and will vary depending on what kinds of data you handle and what the consequences of compromising it might be.

Why is my Microsoft Secure Score not updating?

Microsoft Secure Score is not updated in real time. When you implement a new control, it will generally show up in the score after 24 hours.

Understanding Your Score In Context

Microsoft provides tools for putting your Secure Score into a context. You can view it against an overall average or the average for your industry. Averages tend to be low, since they include many accounts with minimal needs. If you're in a business with strong security needs, such as finance, the comparison against your industry is more meaningful.

You can view the history of your score as a line graph over time. By selecting a particular range, you can see what changes in your practices or settings have caused a change in your score. In addition, you can generate reports to deliver to managers or auditors.

When you view your score, you get specific recommendations for improvements, based upon the desired level of security you selected. Each recommendation shows the effect it will have on your score.

Improving Your Secure Score

A better score is generally good, but it's not an end in itself. Don't implement controls just for the sake of the points. As a manager, you're the ultimate judge of your security needs, regardless of what a Microsoft algorithm says. If some controls don't apply to your environment, you can remove them from the calculation.

Sometimes a control offers only a small advantage for a large amount of trouble. If you've evaluated the risk, it's fine to ignore or postpone it.

Deciding which actions to take and assigning them priorities takes experience and understanding of security issues. If like most small and medium businesses, you do not have an in house IT department, it may be wise to hire  Microsoft Secure Score IT consultant to help you assess your IT security.


TUCU Managed IT Services Inc offers IT support in Toronto including IT consulting and cyber security and IT support services. We'll perform a Secure Score analysis for you, review the results, and provide a remediation plan that makes the most sense for your business.

Need help with your IT challenges?

Our small business IT experts are here for you.

Book a discovery call for options & an estimate.

brandmark_white