IT Guide: Improve Your Business's IT Security with Microsoft Secure Score
An Introduction to Microsoft Secure Score
Many small businesses in the Toronto area have turned to cloud services such as Microsoft Office 365. A good service provides many benefits, including predictable costs, reduced IT requirements, and a high level of security.
Reputable cloud services have physically controlled facilities as well as full-time experts to protect customer data. Even so, security depends on a partnership between the service provider and the customer. A business that uses cloud services has to stay on top of its responsibilities to ensure that its data stays safe. Managers need to understand and apply the best practices to protect their cloud accounts.
Microsoft Secure Score is a convenient and effective tool for Office 365 administrators to assess their security status. By reviewing their score and its associated information, they can identify the areas where there's room for improvement.
Small Businesses Are At Risk
Huge data breaches at major enterprises make the headlines, but no one is too small to be targeted. Attacks on computer networks are automated operations. They scan every IP address and domain, looking for weaknesses. They spam every email address they can find.
Every site has something of interest to criminals. It could have customer records with black market value. It might have private correspondence which aids in crafting personalized scams. Any server can be infiltrated and weaponized for attacking other servers. Small and medium businesses are often targeted because of the perception that they're less well protected than the biggest ones.
Every business in Canada that deals with personal information is subject to the requirements of PIPEDA. It requires safeguards on personal information which an organization stores. Failure to comply with PIPEDA and other applicable requirements can lead to fines or business penalties. Some organizations face more stringent requirements than others, but no one can ignore the issue.
Secure Score Lets You Assess Your Security Status
Office 365 managers can use the Secure Score tool to build a quantified picture of how well protected their services are. It's a part of Microsoft's Threat and Vulnerability Management. It shows your score, based on the protections which you have implemented. This score is presented against a maximum based on all the available services. It gives specific recommendations for improving your score, explaining the risks, effects, and costs.
The calculation is partly automatic, partly based on the information you provide. What you get isn't just a number, but an explanation of each security control which is available. You see not just how well you're doing, but exactly where you could improve the score.
The word "control" has a specialized meaning in IT security. It's not a button to push, but a set of policies and practices to mitigate a risk category. Secure Score identifies controls you can implement and explains their effect. Each control is worth a certain number of points if you implement it.
An example of a security control is two-factor authentication. Like all controls, it provides a benefit and carries a cost. In this case, the benefit is that criminals won't be able to break into accounts just by stealing or guessing a password. The cost is that employees will sometimes have trouble legitimately getting into their accounts. They'll need more assistance, and they might be unproductive till they get it.
How Your Secure Score Is Calculated
Each control that you implement gives you points. There are two ways to get them. If you turn on the corresponding feature in Microsoft 365, you get them automatically. You can implement some controls through third-party services, and you can designate these manually. You're asked for a description of the service you're using. This is strictly for your business's internal reference; no one at Microsoft will look at it or judge it.
Your score isn't updated in real time. If you implement a control, it will generally show up in the score the next day.
The highest possible score isn't always the best. The control panel gives you a slider to select the level of security you need, from "Basic" to "Aggressive." The setting affects the recommendations which you get and the controls which are shown. An aggressive setting gives you the most locked-down environment. It's very secure, but it will cost you in inconvenience and time. It could encourage shadow IT by frustrated users, in which case your security might be worse than before.
The goal is a realistic assessment of your business's security situation. The right trade-off between protection and ease of use depends on what kinds of data you handle and what the consequences of compromising it might be.
Understanding Your Score In Context
Microsoft provides tools for putting your Secure Score into a context. You can view it against an overall average or the average for your industry. Averages tend to be low, since they include many accounts with minimal needs. If you're in a business with strong security needs, such as finance, the comparison against your industry is more meaningful.
You can view the history of your score as a line graph over time. By selecting a particular range, you can see what changes in your practices or settings have caused a change in your score. In addition, you can generate reports to deliver to managers or auditors.
When you view your score, you get specific recommendations for improvements, based upon the desired level of security you selected. Each recommendation shows the effect it will have on your score.
Improving Your Score
A better score is generally good, but it's not an end in itself. Don't implement controls just for the sake of the points. As a manager, you're the ultimate judge of your security needs, regardless of what a Microsoft algorithm says. If some controls don't apply to your environment, you can remove them from the calculation.
Sometimes a control offers only a small advantage for a large amount of trouble. If you've evaluated the risk, it's fine to ignore or postpone it.
Deciding which actions to take and assigning them priorities takes experience and understanding of security issues.
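The scoring and prioritisation described above can be modelled in a few lines. This is an added sketch, not Microsoft's algorithm or TUCU's code: the control names, point values, the 1 to 3 user-impact scale and the points-per-impact ranking are constructed assumptions for illustration.

```python
from dataclasses import dataclass

# Control states as the article describes them.
ENABLED = "enabled"          # feature turned on in Microsoft 365, points awarded automatically
THIRD_PARTY = "third_party"  # covered by another service and designated manually
IGNORED = "ignored"          # not applicable, removed from the calculation
OPEN = "open"                # not implemented yet


@dataclass(frozen=True)
class Control:
    name: str
    max_points: int
    state: str
    user_impact: int  # assumed scale: 1 = little disruption, 3 = a lot


def secure_score(controls):
    """Return (achieved, maximum); ignored controls count toward neither total."""
    counted = [c for c in controls if c.state != IGNORED]
    achieved = sum(c.max_points for c in counted if c.state in (ENABLED, THIRD_PARTY))
    maximum = sum(c.max_points for c in counted)
    return achieved, maximum


def rank_open_controls(controls):
    """List open controls, best points-per-impact first, with the projected score in %."""
    achieved, maximum = secure_score(controls)
    todo = sorted((c for c in controls if c.state == OPEN),
                  key=lambda c: (-c.max_points / c.user_impact, c.name))
    return [(c.name, c.max_points, round(100 * (achieved + c.max_points) / maximum, 1))
            for c in todo]


# Constructed sample tenant.
CONTROLS = [
    Control("Two-factor authentication for administrators", 50, ENABLED, 1),
    Control("Two-factor authentication for all users", 45, OPEN, 3),
    Control("Block legacy sign-in protocols", 25, OPEN, 2),
    Control("Mailbox auditing", 10, OPEN, 1),
    Control("Mobile device management", 20, THIRD_PARTY, 2),
    Control("Data loss prevention policies", 25, IGNORED, 2),
]

if __name__ == "__main__":
    achieved, maximum = secure_score(CONTROLS)
    print(f"Score: {achieved}/{maximum}")
    for name, points, projected in rank_open_controls(CONTROLS):
        print(f"+{points:>3} pts -> {projected}%  {name}")
```

The ignored control drops out of both totals, so excluding something that does not apply changes the maximum rather than leaving a permanent gap in the score.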
Understanding IT is easier with free IT Guides, and applying IT concepts is easier with professional help.
TUCU is a Toronto IT Services Provider offering managed services, assessments, consulting, and Microsoft Secure Score services. We'll perform a Secure Score analysis for you, review the results, and provide the remediation that makes the most sense for your business.
Contact TUCU for a free consultation. We'd love to talk with you.