As schools are required to document ever more sensitive information about students, it is no surprise that school IT Managers and senior leaders responsible for IT in schools continue to say that security and protection against hacking and data leaks remains one of their key concerns. Most schools store large amounts of Personally Identifiable Information (PII), often on behalf of students that are minors in age, and the requirement to protect this against external threats is greater than ever.
This week I have discovered a tool available to Office365 Administrators called Secure Score that provides direct guidance around the best actions to take to improve security in your tenant and reduce the risk of unauthorized hacking or data leaks. You can read more about this here and for a quick overview, the following video is quite helpful:
It’s important to note that if you have Windows Advanced Threat Protection (ATP) you can include this into your score as well. The great part about Secure Score is that it analyzes what services your Tenant is using (i.e. Exchange Online, OneDrive, Teams etc) as well as what services/products you’ve purchased for your Tenant and then customizes your possible overall score based on the above criteria. In other words, this is not a ‘one size fits all’ tool, but accurately reflects what you can do to secure your organisation and tenant against potential threats.
What Is Secure Score?
Ever wonder how secure your Office 365 organization really is? Time to stop wondering – the Office 365 Secure Score is here to help. Secure Score analyzes your Office 365 organization’s security based on your regular activities and security settings and assigns a score. Think of it as a credit score for security.
Just like we service our vehicles regularly and need to have an official Warrant of Fitness certificate to prove that it is safe and secure on the road, think of Secure Score as a check list of actions that you can take as an administrator to protect your organisation and users from both external and internal threats. I am going to share some screenshots below of how it looks and make some comments, but first some outlines from within the tool itself (If you want to jump straight to your Secure Score Dashboard then click here)
- Welcome to the Microsoft Secure Score
- Secure Score is a security analytics tool that will help you understand what you have done to reduce the risk to your data, and show you what you can do to further reduce that risk. We think of it as a credit score for security
- Your Secure Score
- Secure Score figures out what Office 365 services you are using, then looks at your configuration and behaviors and compares it to a baseline asserted by Microsoft. If your configuration and behaviors are in line with best practices, you will get points, which you can track over time. More importantly, you will be able to quick determine what things you can do to reduce their risk
- Take Action, Improve Your Score
- Secure Score helps you quickly figure out what actions you can take to improve your score. You can check your action queue and find the change you can make that most improves your security posture with the least amount of usability impact for your users
- Analyzing Your Score
- Secure Score gives you a different way of managing your risk. Rather than reacting or responding to security alerts, the Secure Score lets you track and plan incremental improvements over a longer period of time
- DISCLAIMER
- The Secure Score does not express an absolute measure of how likely you are to get breached. It expresses the extent to which you have adopted controls which can offset the risk of being breached. No service can guarantee that you will not be breached, and the Secure Score should not be interpreted as a guarantee in any way
What Does It Look Like?
To get started with your Secure Score Dashboard, or follow the guide below:
Sign into your Office365 Admin Portal and then click on the “Admin Centres” on the left and select “Security and Compliance”
You should see the “Microsoft Secure Score” tile in the dashboard with a direct link to the Microsoft Secure Score you can click on – or go directly here,
You will immediately be displayed your current score, along with a possible maximum secure score. In the above screenshot you can see my demonstration tenant has a score of 95 out of a possible 566. If I had Advanced Threat Protection available I could also add scores from my Windows10 devices.
This is a a particularly interesting use of AI showing how your tenant compares to other tenants in your Industry Sector. My demo tenant is an Education Tenant so I have a direct comparison point of anonymized data from other education institutes and what their average Secure Score is (74). I can also see what the overall Secure Score is on the far right (31)
This slider bar is very helpful – it allows me to take a pragmatic approach to security. The reality is most school IT managers are very busy and do not have endless hours to be implementing additional security features, no matter how ‘best practice’ they may be. Similarly, they need to consider the impact on the end users and their daily work flows. By shifting the slider to the left, only the least intrusive actions are suggested (your overall possible Secure Score is also reduced). Similarly, sliding right creates more recommended actions and boosts your overall possible Secure Score.
Here you can see the first four actions recommended for my tenant, along with the expanded view of the first recommended action – enabling Multi Factor Authentication for users with elevated privileges (e.g. admins).You will note that it shows the impact on the users, the cost to implement as well as links explaining what the threats this action is designed to combat or mitigate (this is super helpful in terms of assisting an IT manager in justifying these sorts of actions).
By clicking on one of the threats there is an expanded dialogue box explaining the impact / risk of this threat.
One of the features I best like about Secure Score is that you can take action directly from this dashboard. By clicking on “Learn More” you can get an action that will start to action this feature. In this screenshot, it even points out the users with elevated privileges who would be impacted my implementing MFA, as well as providing an option to notify them – super handy!
This was the top 20 action items recommended for my demonstration Education Tenant – those with [Not Scored] means there is currently no assessment (yet!) of this in the tool but expect it to come. You can also choose to “Ignore” an action which means it won’t count towards your overall score, or you can indicate if you’re using a third party tool for this action (Which will again reduce the overall score).
Secure Score provides the ability to filter actions based on what your priorities are e.g. low cost, or low impact on end users vs perhaps protecting data or securing the identity of users. This allows IT Admins to take a very granular and targeted approach to securing their O365 tenant.
Finally, you can select “Score Analyzer” which gives you a view of the security of your tenant over time. This allows you to track progress and identify whether you’re trending in the right direction or not in terms of securing your tenant and users.
My Point of View:
I remember listening to a security expert present to Education IT Directors and IT Managers in Canberra in 2016 and he shared his opinion that the Education Sector was “one or two major security incidents away from having enforced security regulation similar to the banking and health sectors” – that certainly caused everyone to sit up and take notice!
This article from Ed Tech Magazine earlier this week further highlights the risks schools face:
Schools utilizing education technology may need to double down on cybersecurity as collections of student data become more common targets for cybercriminals, announces the Federal Bureau of Investigations in an alert, Tuesday.
According to the FBI, utilizing education technology offers a number of useful services, including “adaptive, personalized learning experiences, and unique opportunities for student collaboration,” as well help with administrative services. However, in exchange, education technology companies may have access to student information including biometrics, personal identifiable information and students’ geolocation.
The FBI warning went even further:
“Malicious use of this sensitive data could result in social engineering, bullying, tracking, identity theft, or other means for targeting children,” according to the alert. “Therefore, the FBI is providing awareness to schools and parents of the important role cybersecurity plays in the securing of student information and devices.”
The good news for those IT managers responsible for securely administrating an O365 Tenant is that Secure Score now provides an excellent check list of activities to undertake to ensure the balance between security and pragmatism can be achieved. Additionally, it also provides stronger justification when recommending to non IT leadership why they need to have MFA in place (particularly when you can use the comparison scores to other O365 tenants in your industry!).
In terms of free and easy tools to support administrators to be more security conscious, Secure Score is one of the best I’ve come across recently.
No Responses