An Explanation of Microsoft 365 Secure Scores 

Gain invaluable insights into the current configurations and security posture of your organisation’s Microsoft 365 environment by establishing your ‘Secure Score’.

Microsoft Secure Scores help improve visibility of your IT security

The Microsoft 365 Secure Score, assessed by ARO’s Cloud experts, serves as a measurement of an organisation’s security posture. It provides a numerical score between 0 and 100%, indicating how far an organisation has implemented Microsoft’s recommended security actions, with a higher percentage representing a stronger security posture.

Through our own research, which we will explore in detail within this guide, we found that 63% of those surveyed had an overarching Secure Score that fell below 50%, signifying that their Microsoft 365 configurations and defences failed to meet even mediocre security standards.  

This is of course no fault of their own, with countless businesses struggling to keep pace with today’s heightened security expectations, and just as many facing limitations related to budget or staffing constraints. However, there is always action that can be taken – no matter the budget, employee count, or secure score – and that’s where we come in.

The Microsoft Secure Score assists organisations in several ways: 

  • It reports on the current state of the organisation’s security posture. 
  • It improves the security posture by providing discoverability, visibility, guidance and control. 
  • It allows organisations to compare their security posture with benchmarks and establish key performance indicators. 
  • It also reflects when third-party solutions have addressed recommended actions. 

The Need for a Microsoft 365 Security Audit

As we enter 2024, cyber-attacks across all sectors continue to rise, with the financial impacts only worsening.  

  • More than 70% of SMBs think that cyber threats are becoming an increasing risk. 
  • Nearly 25% of SMBs stated that they have had a security breach in the past year. 
  • Less than 50% of the SMBs surveyed have a dedicated IT security expert in house. 
  • The global average cost of a data breach in 2023 was £3.5 million, a 15% increase over 3 years. 

Moreover, with Microsoft 365 still reigning as the established standard for business email and collaboration, it is naturally a key area for consideration when conducting any security assessment.

By evaluating the current state of your Microsoft 365 environment and implementing a thorough security strategy that incorporates identity and access management, data protection, threat protection, security posture management and effective security operations, you can drastically reduce the risk of data breaches and cyberattacks.   

It’s important to clarify that the purpose of the security audit is not to simply produce a list of third-party security recommendations – in fact, it can help organisations to identify security features that are already included in their current Microsoft 365 licensing that are not being utilised. Additionally, it often outlines vulnerabilities that can be addressed without additional technology, and instead by changing processes, controls, policies, standards, and even education. 

How the Assessment Works

Completing your Microsoft 365 Security Assessment consists of a few steps, during which our team of Cloud Security experts will guide you through the current security posture of your Microsoft environment, any security elements that are not being properly utilised, and further recommendations on how you can improve your Secure Score for the future. 

The 5 Secure Score Categories

First, you will be presented with a Total Secure Score – this serves as the overarching number for your Microsoft 365 environment. Businesses should aim to achieve as close to 100% as possible and stay above 50% at a minimum.

This will be followed by a more detailed breakdown, with further Secure Scores assigned to 4 key areas of vulnerability: 

  • Identity Security 
  • Device Security 
  • Data Security 
  • Application Security 

You may find, for example, that your Total Secure Score is above average, but your Application Security Secure Score falls below the threshold of 50%, indicating that there are still vulnerabilities that need to be addressed. 

To display this more clearly, the example above shows how two organisations’ Secure Scores may differ. Although ‘Organisation B’ has a higher Total Secure Score, and more areas reaching higher numbers overall, it may be considered higher risk because one area falls below the 50% threshold. In this instance that risk would relate to data breaches, as the area falling short is the Data Security Secure Score.

Assessing Your Microsoft 365 Utilisation

Next, our team will summarise your current utilisation of Microsoft 365 elements, highlighting any areas that are not being leveraged to their full potential. These under-utilised elements can create gaps in your security posture, and even lead to wasted budget on third-party solutions that serve the same purpose.  

The Microsoft 365 elements that we consider during this stage are as follows: 

  • Tenant and Identity Security 
  • Device Management and Security 
  • Automatic Device Provisioning 
  • Email Collaboration and Security 
  • Defender for Business/Endpoint 
  • Teams, SharePoint & OneDrive adoption 

Additional Security Recommendations

Finally, if further improvements are needed for your Microsoft 365 environment, our team will discuss some additional recommendations that can help to bring your Secure Score even closer to 100%. This stage of the assessment is the most bespoke, as each organisation’s existing processes, security expectations, and compliance requirements are taken into consideration. 

However, to serve as an example, here are some recommendations that may be discussed: 

  • Implement Multi-Factor Authentication (MFA) 
  • Build technology processes based on a Zero-Trust policy 
  • Limit user access to sensitive data 
  • Utilise admin account protection measures 
  • Keep hardware and software up to date  
  • Introduce employee Security Awareness Training  

Assessment Research Summary

Recently, ARO conducted a survey with 500 companies, resulting in some concerning but unsurprising numbers. This survey comprised the initial phase of the Microsoft 365 Security Audit, establishing each company’s Total Secure Score as well as the additional 4 areas of concern.

Out of the 500 participating companies, these statistics display how many achieved a Secure Score lower than the 50% threshold in each category: 

  • 63% had a Total Secure Score below 50% (313/500)
  • 42% had an Identity Secure Score below 50% (212/500)
  • 93% had a Device Security Secure Score below 50% (466/500)
  • 90% had a Data Security Secure Score below 50% (448/500)
  • 90% had an Application Security Secure Score below 50% (449/500)

Considering businesses should aim to achieve 100% across all these areas, or as close as possible, it is incredibly alarming to see such high percentages unable to reach even 50%. This clearly displays the level of vulnerability organisations have grown accustomed to, as they believe improving their security posture any further than this will require too many employees, too much budget, or is simply impossible. This is of course not the case, and ARO are already assisting countless businesses to improve their Secure Score and save money at the same time. 

How is the Secure Score calculated?

During the Microsoft 365 Security Assessment you are given points for the following actions: 

  • Configuring recommended security features 
  • Performing security-related tasks 
  • Addressing the recommended action with a third-party application/software 


Some recommended actions will only grant points towards your Secure Score once they are fully completed. Others will award partial points if they are completed for some users or devices.  

All these points are combined to make up your overarching Secure Score.   

How are recommended actions scored?

Recommended actions are each valued at 10 points or less, with the majority being scored in a binary fashion. If you successfully resolve a recommendation that involves a single action (for example, turning on a specific setting), you will receive 100% of those points. For recommendations that involve a chain or group of actions (for example, applying security measures to all user devices), points are awarded as a percentage of the complete configuration.

To expand on that example, if a recommended action is valued at 10 points for applying Multi-Factor Authentication to all user accounts, and you only apply the action to 50 out of 100 total users, you would receive a partial score of 5 points (50 users / 100 total * 10 points = 5 points). 
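To make the scoring model above concrete, here is an added example (not ARO’s or Microsoft’s own code) that applies the binary and proportional rules to a constructed set of recommended actions, rolls them up into per-category and total percentages, and flags any category below the 50% threshold discussed earlier. The action names, point values and coverage figures are illustrative assumptions, not real Secure Score data.

```python
from dataclasses import dataclass

# Constructed model of the scoring rules described on this page; the
# action names, point values and coverage figures are illustrative only.

@dataclass(frozen=True)
class RecommendedAction:
    name: str
    category: str    # Identity, Device, Data or Application
    max_points: int  # each action is worth 10 points or fewer
    completed: int   # users/devices covered (1 or 0 for a single setting)
    total: int       # users/devices in scope (1 for a single setting)

    def earned_points(self) -> float:
        """Single-setting actions give all or nothing; scoped actions give a proportion."""
        if self.total < 1 or not 0 <= self.completed <= self.total:
            raise ValueError(f"invalid coverage for {self.name!r}")
        return self.max_points * self.completed / self.total


def secure_scores(actions) -> dict:
    """Return percentages for each category and the total (rounded to 2 dp)."""
    earned, maximum = {}, {}
    for a in actions:
        earned[a.category] = earned.get(a.category, 0.0) + a.earned_points()
        maximum[a.category] = maximum.get(a.category, 0) + a.max_points
    if not maximum:
        raise ValueError("no recommended actions to score")
    scores = {c: round(100 * earned[c] / maximum[c], 2) for c in maximum}
    scores["Total"] = round(100 * sum(earned.values()) / sum(maximum.values()), 2)
    return scores


def below_threshold(scores: dict, threshold: float = 50.0) -> list:
    """Categories (excluding the total) that fall strictly below the threshold."""
    return sorted(c for c, s in scores.items() if c != "Total" and s < threshold)


SAMPLE_ACTIONS = [  # constructed sample; 9 actions across the 4 categories
    RecommendedAction("Require MFA for all users", "Identity", 10, 50, 100),
    RecommendedAction("Require MFA for administrative roles", "Identity", 10, 1, 1),
    RecommendedAction("Block legacy authentication", "Identity", 8, 1, 1),
    RecommendedAction("Onboard devices to Defender for Endpoint", "Device", 10, 20, 80),
    RecommendedAction("Enable a device compliance policy", "Device", 5, 0, 1),
    RecommendedAction("Enable audit logging", "Data", 5, 1, 1),
    RecommendedAction("Create a DLP policy for sensitive data", "Data", 5, 0, 1),
    RecommendedAction("Apply sensitivity labels to documents", "Data", 5, 30, 100),
    RecommendedAction("Restrict user consent to applications", "Application", 10, 1, 1),
]

if __name__ == "__main__":
    result = secure_scores(SAMPLE_ACTIONS)
    for category, pct in result.items():
        print(f"{category:<12}{pct:6.2f}%")
    print("Below 50%:", below_threshold(result))
```

With this sample the Total Secure Score lands in the ‘good’ 60-80% range while Device and Data are still flagged below 50%, which is exactly the situation the two-organisation comparison above warns about.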

What is a good Microsoft Secure Score?

Businesses should of course aim to get their Secure Score as close to 100% as possible, but that level of excellence will involve thorough and meticulous work, especially in those final percentage points.  

As discussed earlier, 50% is typically considered the threshold of acceptable security, with organisations scoring below it being at high risk of damaging cyberattacks.

A Secure Score in the range of 60-80% is categorised as ‘good’ – this range is relatively straightforward to achieve and reflects a security posture that would offer reliability and peace-of-mind to the average organisation. However, certain businesses or industries with more stringent security requirements and regulations might still consider areas of their Microsoft 365 environment to be vulnerable at this level.  

What are the benefits of the Microsoft Secure Score?

Here are 5 compelling benefits of discovering your Secure Score and following the recommended actions to move your score closer to 100%: 

  • Risk Mitigation
    By regularly assessing your organisation’s security posture using Microsoft Secure Score, you can identify and address vulnerabilities and misconfigurations. This proactive approach helps in reducing the risk of security incidents and data breaches within the Microsoft 365 environment.

  • Compliance Assurance
    The Secure Score helps to align your organisation with industry-specific and regional regulatory requirements for data security and privacy by following recommended actions.

  • Optimised Security Investments
    Evaluate and optimise security investments by fully leveraging Microsoft 365 security features, as suggested by Microsoft Secure Score, potentially saving budget that was previously assigned to additional third-party security solutions.

  • User Awareness and Training
    Enhance your organisation’s overall cybersecurity awareness through Secure Score’s user behaviour recommendations, prompting secure practices and reducing the likelihood of human error within the Microsoft 365 ecosystem.

  • Continuous Improvement
    Measure and improve your organisation’s Microsoft 365 security posture over time using Microsoft Secure Score, fostering a culture of continuous improvement to adapt to evolving threats and technology changes.