As schools are required to document ever more sensitive information about students, it is no surprise that school IT Managers and senior leaders responsible for IT in schools continue to say that security and protection against hacking and data leaks remains one of their key concerns. Most schools store large amounts of Personally Identifiable Information (PII), often on behalf of students that are minors in age, and the requirement to protect this against external threats is greater than ever.
This week I have discovered a tool available to Office365 Administrators called Secure Score that provides direct guidance around the best actions to take to improve security in your tenant and reduce the risk of unauthorized hacking or data leaks. You can read more about this here and for a quick overview, the following video is quite helpful:
It’s important to note that if you have Windows Advanced Threat Protection (ATP) you can include this into your score as well. The great part about Secure Score is that it analyzes what services your Tenant is using (i.e. Exchange Online, OneDrive, Teams etc) as well as what services/products you’ve purchased for your Tenant and then customizes your possible overall score based on the above criteria. In other words, this is not a ‘one size fits all’ tool, but accurately reflects what you can do to secure your organisation and tenant against potential threats.
What Is Secure Score?
Ever wonder how secure your Office 365 organization really is? Time to stop wondering – the Office 365 Secure Score is here to help. Secure Score analyzes your Office 365 organization’s security based on your regular activities and security settings and assigns a score. Think of it as a credit score for security.
Just like we service our vehicles regularly and need to have an official Warrant of Fitness certificate to prove that it is safe and secure on the road, think of Secure Score as a check list of actions that you can take as an administrator to protect your organisation and users from both external and internal threats. I am going to share some screenshots below of how it looks and make some comments, but first some outlines from within the tool itself (If you want to jump straight to your Secure Score Dashboard then click here)
- Welcome to the Microsoft Secure Score
- Secure Score is a security analytics tool that will help you understand what you have done to reduce the risk to your data, and show you what you can do to further reduce that risk. We think of it as a credit score for security
- Your Secure Score
- Secure Score figures out what Office 365 services you are using, then looks at your configuration and behaviors and compares it to a baseline asserted by Microsoft. If your configuration and behaviors are in line with best practices, you will get points, which you can track over time. More importantly, you will be able to quick determine what things you can do to reduce their risk
- Take Action, Improve Your Score
- Secure Score helps you quickly figure out what actions you can take to improve your score. You can check your action queue and find the change you can make that most improves your security posture with the least amount of usability impact for your users
- Analyzing Your Score
- Secure Score gives you a different way of managing your risk. Rather than reacting or responding to security alerts, the Secure Score lets you track and plan incremental improvements over a longer period of time
- DISCLAIMER
- The Secure Score does not express an absolute measure of how likely you are to get breached. It expresses the extent to which you have adopted controls which can offset the risk of being breached. No service can guarantee that you will not be breached, and the Secure Score should not be interpreted as a guarantee in any way
What Does It Look Like?
To get started with your Secure Score Dashboard, or follow the guide below:











My Point of View:
I remember listening to a security expert present to Education IT Directors and IT Managers in Canberra in 2016 and he shared his opinion that the Education Sector was “one or two major security incidents away from having enforced security regulation similar to the banking and health sectors” – that certainly caused everyone to sit up and take notice!
This article from Ed Tech Magazine earlier this week further highlights the risks schools face:
Schools utilizing education technology may need to double down on cybersecurity as collections of student data become more common targets for cybercriminals, announces the Federal Bureau of Investigations in an alert, Tuesday.
According to the FBI, utilizing education technology offers a number of useful services, including “adaptive, personalized learning experiences, and unique opportunities for student collaboration,” as well help with administrative services. However, in exchange, education technology companies may have access to student information including biometrics, personal identifiable information and students’ geolocation.
The FBI warning went even further:
“Malicious use of this sensitive data could result in social engineering, bullying, tracking, identity theft, or other means for targeting children,” according to the alert. “Therefore, the FBI is providing awareness to schools and parents of the important role cybersecurity plays in the securing of student information and devices.”
The good news for those IT managers responsible for securely administrating an O365 Tenant is that Secure Score now provides an excellent check list of activities to undertake to ensure the balance between security and pragmatism can be achieved. Additionally, it also provides stronger justification when recommending to non IT leadership why they need to have MFA in place (particularly when you can use the comparison scores to other O365 tenants in your industry!).
In terms of free and easy tools to support administrators to be more security conscious, Secure Score is one of the best I’ve come across recently.
One reply on “Secure Your Office365 Tenant With Secure Score”
[…] Microsoft Secure Score for the first time when it was still primarily focused on Office365 – I wrote this blog about it. Revisiting it recently, it is awesome to see how far it has progressed with the integrated […]