This blog piece follows up on our last article introducing Microsoft Secure Score and why it matters. At Tier 3, we have been striving to educate our clients and audience about this tool so that they can improve their cyber security posture using specific measurements and best practices, with a range of resulting benefits. This piece offers a brief recap of how Microsoft Secure Score works and some ways to increase your score and your cybersecurity posture.
How Microsoft Secure Score Works
As outlined in our previous article, Microsoft Secure Score is a tool that helps organizations to assess and measure their cyber security posture and helps them to increase it by suggesting practical measures. The wide range of measures includes, but is not limited to, introducing multi-factor authentication, creating safe links policies for emailing, and enabling impersonated user protection, among many others.
A particular benefit of Microsoft Secure Score is that it is tailored for organizations using Microsoft tools in their workplace, making the suggestions particularly relevant and easy to implement across Microsoft products. Three sub-categories make up the overall score:
- Identity – all things revolving around identity, such as users, authentication, passwords and user roles amongst others.
- Device – all things revolving around device security, including operating system security, mobile device management practices and assessing how much devices are complying with organizational policies and standards, as well as industry best practices.
- Apps – all things revolving around the security of applications, including application security configurations, access controls within applications and the current alignment of your organizations’ applications with legislation such as GDPR.
Assessing these three core areas, Microsoft Secure Score offers specific sub-measurements for scoring each of these and allows you to compare your score with the average score of other organizations in your industry. In real time, it can also inform you of recent changes to the score, based on recent events and changes within your IT infrastructure. It thus provides an adaptive, insightful and applicable framework for achieving more cybersecurity and compliance.
6 options that will get your Microsoft Secure Score up and over 50%
- Enable & Enforce Multi-Factor Authentication (MFA)
Multi-factor authentication is a crucial security measure that adds an extra layer of protection to user accounts. In the end, much of cyber security comes down to having multiple layers of defences that prevent breaches. Microsoft Secure Score takes the usage of MFA across your organization into consideration, so you can boost your security and score by adopting MFA across your Microsoft platforms. By requiring users to provide an additional form of authentication, such as a verification code, even if an attacker manages to obtain a password, they will be blocked from being able to access the account.
- Create Safe Links policies for email messages
With email phishing one of the most common routes to a breach, Microsoft Secure Score rewards steps that better protect your users from potentially malicious links, preventing them from inadvertently sharing sensitive information or access credentials via a spoofed web link. Safe Links scans URLs to provide ‘time of click’ protection against phishing attacks, rewriting each URL so that a click goes to a real-time verification rather than directly to the malicious website.
- Ensure that intelligence for impersonation protection is enabled
The more sophisticated phishing attempts, known as ‘whaling’, are extremely well targeted at the most sensitive or important users on your network, such as the CEO or CFO. In such an attempt the cyberactor conducts the attack by assuming the identity of the important individual, giving an elevated sense of importance to their message and duping the recipient into accepting the email’s instructions at face value because of the person who has purportedly sent it.
- Move messages that are detected as impersonated users by mailbox intelligence
With further anti-phishing tactics in mind, Microsoft Secure Score looks for the activation of user impersonation protection: a filter that makes use of mailbox intelligence (a form of AI) to determine which emails are likely to be malicious, based on the pattern of a user’s typical email traffic with their frequent contacts. Mailbox intelligence automatically protects a user from inadvertently acting on a suspicious email by filtering it out before the user can read and act on it in their inbox.
- Enable impersonated domain protection
One of the reasons phishing has been such a popular method of attack is that traditionally it has been remarkably easy to spoof email domains; any cyberactor with moderately basic technical skills could send emails purporting to be from your domain. With improvements in domain security and the scaling-up of features such as DMARC, DKIM and SPF, spoofing has become more of a challenge. However, without the appropriate filters in place on your mailboxes, most users will never know the difference. Impersonated Domain Protection is given one of the highest Microsoft Secure Score weightings because it is one sure method of identifying any email masquerading as another domain without the appropriate authentication methods in place.
- Set the phishing email level threshold at 2 (aggressive) or higher
Microsoft Secure Score applies a score weighting to those 365 accounts that take a stepped-up approach to the baseline filtering of potential phishing emails. This may be a point of contention with your users, as false positives that are filtered out will soon become annoying and potentially disruptive, so any change needs to be properly considered in conjunction with user awareness training. The key point to consider is that with the phishing threshold set at 2 (Aggressive), any attempts marked as ‘high’ or ‘very high’ probability trigger the mail filter’s action, while ‘low’ and ‘medium’ can be assigned a different action.
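The four Defender for Office 365 settings above (Safe Links, impersonated user protection, mailbox intelligence and domain impersonation protection, and the level 2 phishing threshold) can be configured together from Exchange Online PowerShell. This is an added example, not code from the original post or from Microsoft; it assumes the ExchangeOnlineManagement module, an account with the Security Administrator role, a Defender for Office 365 licence, and placeholder values (contoso.com, partner.example, the executive names and policy names) that you replace with your own.

```powershell
# Added example (not from the original post). Placeholders: contoso.com, partner.example,
# the executive list and the policy names. Requires ExchangeOnlineManagement and a
# Defender for Office 365 licence.
Connect-ExchangeOnline

$Domain     = 'contoso.com'                       # placeholder: your accepted domain
$Executives = @('Jane Doe;jane.doe@contoso.com',  # placeholders, format "Display Name;address"
                'John Smith;john.smith@contoso.com')

# 1. Safe Links: rewrite URLs in mail, Teams and Office files and verify them at click time.
#    AllowClickThrough $false stops users bypassing the warning page for a flagged URL.
New-SafeLinksPolicy -Name 'Secure Score Safe Links' `
    -EnableSafeLinksForEmail $true -EnableSafeLinksForTeams $true -EnableSafeLinksForOffice $true `
    -ScanUrls $true -DeliverMessageAfterScan $true -EnableForInternalSenders $true `
    -TrackClicks $true -AllowClickThrough $false
New-SafeLinksRule -Name 'Secure Score Safe Links' -SafeLinksPolicy 'Secure Score Safe Links' `
    -RecipientDomainIs $Domain

# 2-4. One anti-phishing policy carries the impersonation and threshold settings:
#    - mailbox intelligence detects senders pretending to be a user's usual contacts
#    - targeted user protection covers the named executives (whaling targets)
#    - organization and targeted domain protection cover your domain and a partner's
#    - PhishThresholdLevel 2 is the "Aggressive" setting the article recommends
New-AntiPhishPolicy -Name 'Secure Score Anti-Phish' `
    -PhishThresholdLevel 2 `
    -EnableMailboxIntelligence $true -EnableMailboxIntelligenceProtection $true `
    -MailboxIntelligenceProtectionAction Quarantine `
    -EnableTargetedUserProtection $true -TargetedUsersToProtect $Executives `
    -TargetedUserProtectionAction Quarantine `
    -EnableOrganizationDomainsProtection $true `
    -EnableTargetedDomainsProtection $true -TargetedDomainsToProtect 'partner.example' `
    -TargetedDomainProtectionAction Quarantine `
    -EnableSpoofIntelligence $true -AuthenticationFailAction MoveToJmf `
    -EnableSimilarUsersSafetyTips $true -EnableSimilarDomainsSafetyTips $true
New-AntiPhishRule -Name 'Secure Score Anti-Phish' -AntiPhishPolicy 'Secure Score Anti-Phish' `
    -RecipientDomainIs $Domain

# Read back the values Secure Score evaluates, so the change can be confirmed before
# the score refreshes (the default policy has threshold 1 and no impersonation protection).
Get-AntiPhishPolicy -Identity 'Secure Score Anti-Phish' |
    Select-Object Name, PhishThresholdLevel, EnableMailboxIntelligenceProtection,
        EnableTargetedUserProtection, EnableOrganizationDomainsProtection, TargetedDomainProtectionAction
Get-SafeLinksPolicy -Identity 'Secure Score Safe Links' |
    Select-Object Name, EnableSafeLinksForEmail, ScanUrls, AllowClickThrough
```

The quarantine actions are the strict end of the scale; MoveToJmf (Junk Email folder) is the less disruptive alternative if false positives become the user-acceptance problem the article describes.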
Other best practices to secure your Microsoft 365 environment
- Keep Software Up to Date
- Enforce Strong Password Policies (Set to ‘Do not expire’ & permit self-service)
Weak or easily guessable passwords present a significant vulnerability to organizations. Microsoft Secure Score evaluates the way passwords are enforced within accounts: the setting to never expire (contrary to old-school advice on passwords) as well as the strength and complexity of the passwords. Implementing robust password policies will greatly enhance your security. Encourage staff to use passwords that are over 20 characters in length, are complex (with various character types) and are unique (random and not used for other systems). It is no longer considered necessary to change passwords regularly, unless you suspect or are alerted to those credentials having been compromised.
- Implement Data Loss Prevention (DLP) Policies
Protecting sensitive data from unauthorized access or accidental exposure is essential. Microsoft Secure Score assesses the implementation of Data Loss Prevention policies within your organization. Define and enforce policies that identify and prevent the transmission of sensitive information through various channels, such as email or file sharing services. By implementing robust DLP policies, you can minimize the risk of data breaches and improve your Secure Score.
- Regularly Review and Remove Unused Accounts
Dormant or unused accounts can be an open invitation for cyber attackers. Microsoft Secure Score also considers the number of inactive accounts in your organization. Conduct regular audits to find and remove accounts that are no longer needed or actively used. This practice helps with minimizing the range of attack points for malicious online actors and reduces the risk of unauthorized access to your systems and data.
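The audit described above can be scripted with the Microsoft Graph PowerShell SDK. This is an added example, not code from the original post; it assumes the Microsoft.Graph module, an administrator able to consent to User.ReadWrite.All and AuditLog.Read.All (the latter is required to read sign-in activity), and a 90-day inactivity threshold that you adjust to your own policy. It reports by default and only disables accounts when the -Disable switch is given, so deletion remains a separate, reviewed step.

```powershell
# Added example (not from the original post). Assumes the Microsoft.Graph module and
# consent to User.ReadWrite.All and AuditLog.Read.All.
function Get-StaleUser {
    param(
        [int]$InactiveDays = 90,   # inactivity threshold; adjust to your policy
        [switch]$Disable           # without this switch the function only reports
    )
    Connect-MgGraph -Scopes 'User.ReadWrite.All', 'AuditLog.Read.All' -NoWelcome
    $cutoff = (Get-Date).AddDays(-$InactiveDays)

    # SignInActivity is only returned when asked for explicitly via -Property.
    $users = Get-MgUser -All -Property Id, DisplayName, UserPrincipalName, AccountEnabled,
        CreatedDateTime, UserType, SignInActivity

    $stale = foreach ($u in $users) {
        if (-not $u.AccountEnabled) { continue }    # already disabled, nothing to do
        $interactive    = $u.SignInActivity.LastSignInDateTime
        $nonInteractive = $u.SignInActivity.LastNonInteractiveSignInDateTime
        # Use the most recent of both sign-in kinds: service and automation accounts often
        # only ever sign in non-interactively, and ignoring that field creates false positives.
        $last = @($interactive, $nonInteractive) | Where-Object { $_ } |
            Sort-Object -Descending | Select-Object -First 1
        # Accounts that have never signed in carry no activity at all; judge those by
        # creation date so a user provisioned yesterday is not flagged but one from months ago is.
        if (-not $last) { $last = $u.CreatedDateTime }
        if ($last -lt $cutoff) {
            [pscustomobject]@{
                Id                = $u.Id
                UserPrincipalName = $u.UserPrincipalName
                UserType          = $u.UserType          # Member or Guest
                LastActivity      = $last
                NeverSignedIn     = -not ($interactive -or $nonInteractive)
            }
        }
    }

    if ($Disable) {
        # Disable rather than delete: sign-in is blocked immediately, while mailbox and
        # files stay intact until the owner's manager confirms the account is not needed.
        foreach ($s in $stale) { Update-MgUser -UserId $s.Id -AccountEnabled:$false }
    }
    $stale
}

# Report first; re-run with -Disable once the list has been reviewed.
Get-StaleUser -InactiveDays 90 | Export-Csv -Path .\stale-accounts.csv -NoTypeInformation
```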
- Educate Employees on Security Best Practices
Your employees play a vital role in maintaining a secure digital environment. Microsoft Secure Score considers the behaviour of employees across the organization in its assessments. Provide regular training sessions and awareness programs to educate employees about common security threats, safe browsing habits, and best practices for handling sensitive information. By empowering your employees to be vigilant and security-conscious, you can significantly improve your Secure Score.
In all, leveraging your Microsoft Secure Score continuously by using its insights and implementing measures to action them, such as these examples, can serve as a very useful tool for ensuring an excellent security posture across your organization that sets your organization apart from your competition.
Want to Achieve an Excellent Microsoft Security Score? Contact Tier 3 IT!
At Tier 3, we have designed three dedicated Microsoft Security Score packages that help organizations to achieve a much higher Microsoft Security Score and, naturally, in turn vastly improve your array of defenses against the myriad of threats facing the privacy of your data. If you lack peace of mind where your cyber security, compliance, or data privacy are concerned, or have checked your own Microsoft Security Score and wish to improve your rating, please reach out to the experts at Tier 3 today.