Five Most Common Security Recommendations from Microsoft Secure Score
Microsoft Secure Score is a feature in Microsoft 365, which provides an overall measurement of an organization’s security posture. The higher the Secure Score, the better. The Secure Score is accessed from the administrator dashboard in Microsoft 365.
Secure Score can be used in a number of different ways to improve security in your company. First, Secure Score is a fantastic awareness tool for administrators, as the the various check lists and suggested security improvements from Microsoft help to raise the awareness on the literally thousands of different configurations available in Microsoft 365, Azure Active Directory, and various other Microsoft cloud products and services. Microsoft supplies context sensitive help on features and configuration best practices, along with step-by-step instructions. Next, Secure Score makes it easy to start tackling the lowest hanging fruit, the security gaps which have the biggest impact and are easiest to implement. In some ways, Microsoft has “gameified” the experience of implementing security best practices, as it is easy to track the score improvements as each change or configuration is implemented. Over time, it is rewarding to see your organization’s Secure Score grow and improve versus similarly situated companies.
Here are the most common and important security improvements highlighted by Microsoft Secure Score:
1. Require multi-factor authentication (MFA) for all users and admins
MFA is far and away the most important security improvement companies can implement. By default, MFA is turned off in most Microsoft products and services. Turning on MFA requires users to authenticate to cloud services or admin portals with something they know (their password) and something they have (like a one-time password sent to a previously registered mobile number). The key with MFA is to make it easy and convenient for users, while adding in a critical extra layer of authentication to defend against credential theft. There are other ways to leverage a second means of authentication, such as using mobile authentication apps like Microsoft Authenticator, Google Authenticator, or Duo.
2. Turn on audit data recording
By default, detailed logging is disabled for Microsoft 365 subscribers. By enabling logging, Microsoft 365 administrators get detailed log data on every admin and user interaction with the service, including Azure AD, Exchange Online, and SharePoint/OneDrive. This data makes it possible to investigate the scope and severity of any security incidents, should they occur. Log data is also useful for everyday supervision and data governance, as more and more sensitive corporate content, intellectual property, and data reside in cloud applications today. The log data is retained for a 90 day period.
3. Adjust password policies to current best practices
Password best practices have evolved over time. There was a day not long ago when it was believed password complexity was vital. Moreover, in the recent past, users were forced to change their passwords with a high degree of regularity. Both of these security steps backfired and caused users to resort to less secure behavior. Today, the best practice is to encourage longer passwords, not necessarily more complex passwords. For instance, long, easily remembered passphrases, such as lyrics to a song, are considered more secure. The longer the passphrase the better. When paired with MFA, long passwords are the state of the art. In addition, it is no longer wise to expire user passwords frequently. All of these new best practices can be implemented in the Microsoft 365 and Azure AD admin consoles to increase an organization’s Microsoft Secure Score.
4. Activate information rights management (IRM)
With more and more sensitive intellectual property and corporate data living in cloud based applications such as SharePoint, OneDrive, and Teams, it is vital that administrators implement safeguards against data leakage or data theft. By activating information rights management (IRM), admins can increase their Secure Score and implement data leakage prevention policies. For instance, data exfiltration – or the the large scale exporting or theft of data – can be prevented with IRM. Certain highly sensitive documents and data stores can be specially classified and restricted automatically, preventing the email or export of this content, even if an unauthorized user has gained access to the files. IRM is a vital layer for data governance in an organization.
5. Activate mobile device management
With today’s highly mobile workforce, users expect anytime, anywhere access to their data and applications. Users insist on being productive on the go, even from BYOD type devices. Admins want to enable employee productivity, while safeguarding sensitive corporate data and applications. With mobile device management and Microsoft Intune, admins can control application and data access across a range of devices, whether Windows PCs or MacOS, iOS, or Android devices. There is a broad range of use cases, from simple remote wipe actions on lost or stolen mobile devices, to password and application control. MDM is a core part of the Microsoft 365 solution, which adds security and device control to Microsoft 365 cloud subscriptions.