Microsoft Secure Score awards points for good security practices, such as adopting multi-factor authentication (MFA), using third party solutions to improve security, regularly producing and viewing security related reports, and using and configuring recommended Office 365 security features. It also shows how your level of security compares with other companies, and serves as a basis for improvement.
Here are 10 ways to dramatically boost your O365 Secure Score, now formally called Microsoft Secure Score. Get more detail in our Guide: Boost Your Microsoft Secure Score eBook.
Step One – Check Your Office 365 Security Health
One way to improve your Secure Score is to start with a baseline. That can be done by getting your Secure Score results from Microsoft. You can take an alternative, and in many ways deeper, look with the CoreView Office 365 Health Check (a complete scan of your O365 tenant to determine security posture, application usage and license state), which outlines many ways you can boost your O365 security. Better security equals a better score.
Below is a CoreView Security Compliance Check that dives into passwords, MFA status, malware exposure, state of admin privileges (excess rights are a huge security issue), email safety, and data leakage exposure level.
Step Two – Smarter Password Management
Passwords are a big deal for any application, service, or environment. They are even more critical for an Office 365 tenant. Once an O365 password is cracked, the hacker has access to everything that end user does.
The Center for Internet Security (CIS) has released extensive benchmarks for M365 security, the CIS Office 365 Security Benchmarks, which advise IT to ensure through policies and processes that passwords are never set to expire.
CIS advises IT to “Review the password expiration policy, to ensure that user passwords in Office 365 are not set to expire.” The rationale? “NIST has updated their password policy recommendations to not arbitrarily require users to change their passwords after a specific amount of time, unless there is evidence that the password is compromised, or the user forgot it. They suggest this even for single factor (Password Only) use cases, with a reasoning that forcing arbitrary password changes on users actually make the passwords less secure.”
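One way to audit that recommendation yourself, as an added example that is not CoreView's or Microsoft's code: the script reads each domain's cloud password policy with the Microsoft Graph PowerShell SDK and, when `$Remediate` is set, applies the CIS "never expire" value. It assumes the Microsoft.Graph module is installed and the signed-in account can consent to Domain.ReadWrite.All.

```powershell
# Added example (not CoreView's or Microsoft's code): audit the password expiration
# policy of every domain in the tenant and optionally apply the CIS "never expire"
# setting. Assumes the Microsoft Graph PowerShell SDK and Domain.ReadWrite.All rights.
$NeverExpire = 2147483647   # the value CIS uses for "passwords never expire"
$Remediate   = $false       # $true applies the fix; $false only reports

Connect-MgGraph -Scopes 'Domain.ReadWrite.All'

foreach ($domain in Get-MgDomain) {
    $validity = $domain.PasswordValidityPeriodInDays
    # A missing value means no cloud-managed expiry applies (for example a federated
    # domain whose password policy lives with the on-premises identity provider)
    if (-not $validity) {
        Write-Host ("{0}: no cloud password expiry policy" -f $domain.Id)
        continue
    }
    if ($validity -ge $NeverExpire) {
        Write-Host ("{0}: OK, passwords never expire" -f $domain.Id)
        continue
    }
    Write-Warning ("{0}: passwords expire every {1} days" -f $domain.Id, $validity)
    if ($Remediate) {
        # Keep the 30-day notification window CIS pairs with this setting
        Update-MgDomain -DomainId $domain.Id `
            -PasswordValidityPeriodInDays $NeverExpire `
            -PasswordNotificationWindowInDays 30
    }
}
```

Run it once with `$Remediate = $false` to see which domains still rotate passwords; `Update-MgDomain` also accepts `-WhatIf` for a dry run.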
CoreView protects passwords by identifying risk events, both across the tenant and for specific end users, and notifying IT so it can alert users to reset their passwords. Best of all, an automated workflow can pause the account and force a password reset.
Step Three – Maximize Multi-Factor Authentication
Complex passwords are all well and good, but are not nearly as effective as strong authentication, CIS argues. “Other recommendations within this Benchmark suggest the use of MFA authentication for critical accounts (at minimum), which makes password expiration even less useful as well as password protection for Azure AD,” CIS outlined. Mobile devices should likewise be set so passwords never expire, CIS adds.
In fact, multi-factor authentication (MFA) is one of the most important security practices you can employ. Microsoft Office 365 has a robust and proven MFA solution built-in. Forward-thinking organizations are implementing MFA to improve user identity security. MFA has become so recognized that the National Institute of Standards and Technology (NIST) guidelines on password security now specifically recommend the implementation of MFA. Also, the United States Department of Homeland security now recommends that all Office 365 users implement MFA.
Microsoft agrees. “Based on our studies, your account is more than 99.9% less likely to be compromised if you use MFA,” said Alex Weinert, Group Program Manager for Identity Security and Protection at Microsoft.
CoreView shows how many users have MFA activated, have MFA disabled, and how many users with MFA disabled have administrative roles, which presents a substantial security risk.
In the case of a risk event, CoreView strengthens authentication by enforcing MFA measures.
Step Four – Don’t Forget to Turn on MFA
MFA only works if it is activated. “Multi-factor authentication for administrator accounts not enabled by default: Azure Active Directory (AD) Global Administrators in an O365 environment have the highest level of administrator privileges at the tenant level. Multi-factor authentication (MFA) is not enabled by default for these accounts,” the NIST guidelines stated.
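The check behind Steps Three and Four, as an added example that is not CoreView's code: list every Global Administrator whose only registered authentication method is a password. It assumes the Microsoft Graph PowerShell SDK and an account that can consent to RoleManagement.Read.Directory and UserAuthenticationMethod.Read.All.

```powershell
# Added example (not CoreView's code): report Global Administrators who have nothing
# but a password registered. Assumes the Microsoft Graph PowerShell SDK is installed.
Connect-MgGraph -Scopes 'RoleManagement.Read.Directory', 'UserAuthenticationMethod.Read.All'

# Look the role up by display name rather than hard-coding its template ID
$role = Get-MgDirectoryRole -Filter "displayName eq 'Global Administrator'"
if (-not $role) { throw 'Global Administrator role is not activated in this tenant' }

$members = Get-MgDirectoryRoleMember -DirectoryRoleId $role.Id -All

$report = foreach ($m in $members) {
    # Groups and service principals hold no authentication methods; users do
    if ($m.AdditionalProperties['@odata.type'] -ne '#microsoft.graph.user') { continue }

    $methods = Get-MgUserAuthenticationMethod -UserId $m.Id
    $types   = $methods | ForEach-Object { $_.AdditionalProperties['@odata.type'] }
    # Anything other than the password method counts as a second factor being registered
    $strong  = $types | Where-Object { $_ -ne '#microsoft.graph.passwordAuthenticationMethod' }

    [pscustomobject]@{
        UserPrincipalName = $m.AdditionalProperties['userPrincipalName']
        MfaMethods        = ($strong -replace '#microsoft.graph.', '') -join ', '
        PasswordOnly      = -not $strong   # $true when no second factor is registered
    }
}

# PasswordOnly = True rows are the accounts Secure Score and CIS flag first
$report | Sort-Object PasswordOnly -Descending | Format-Table -AutoSize
```

Registered methods only show who could answer an MFA prompt; whether a prompt is actually required comes from Conditional Access or security defaults, so pair this report with a policy review.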
Step Five – Beef Up Email Security
94% of all security threats start with email. Mailboxes are the number one way hackers breach systems, steal identities and credentials, and launch phishing and ransomware attacks. One step to take is to set access rights to mailboxes to protect data, mail content and mailbox owner identities. This can include items such as access to more than five mailboxes, autoforwarding, and accessing mailboxes of others.
Fortunately, CoreView can apply key rules for mailbox security related to access rights. CoreView, for instance, flags user accounts that have been provided with access rights to more than 5 other user mailboxes. These are not for Room, Shared, or Team mailboxes, but rather actual User Mailbox accounts. Such cases should be investigated to ensure they are being used for acceptable business purposes.
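The same five-mailbox rule expressed in Exchange Online PowerShell, as an added example that is not CoreView's code: it collects explicit FullAccess grants on user mailboxes and lists delegates holding more than the threshold. It assumes the ExchangeOnlineManagement module is installed and the account can read mailbox permissions.

```powershell
# Added example (not CoreView's code): find accounts granted FullAccess on more than
# five other user mailboxes. Assumes the ExchangeOnlineManagement module is installed.
$Threshold = 5
Connect-ExchangeOnline

# Only user mailboxes count; shared, room and team mailboxes are delegated by design
$userMailboxes = Get-Mailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox

$grants = foreach ($mbx in $userMailboxes) {
    Get-MailboxPermission -Identity $mbx.Identity |
        Where-Object {
            $_.AccessRights -contains 'FullAccess' -and
            -not $_.Deny -and
            -not $_.IsInherited -and                 # skip system-inherited entries
            $_.User -notlike 'NT AUTHORITY\*' -and   # skip SELF
            $_.User -notlike 'S-1-5-*'               # skip orphaned SIDs
        } |
        Select-Object @{n = 'Delegate'; e = { $_.User } },
                      @{n = 'Mailbox';  e = { $mbx.PrimarySmtpAddress } }
}

$grants | Group-Object Delegate |
    Where-Object { $_.Count -gt $Threshold } |
    ForEach-Object {
        [pscustomobject]@{
            Delegate  = $_.Name
            Mailboxes = $_.Count
            Sample    = ($_.Group.Mailbox | Select-Object -First 3) -join ', '
        }
    } | Sort-Object Mailboxes -Descending | Format-Table -AutoSize
```

Each delegate listed is a case to confirm with the business owner, as the post says; the script reports and changes nothing.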
Often, mailbox security can be compromised by spam and malware. CoreView can discover the exact number of instances of malware sent from your organization.
Knowing the internal sources of malware is critical to stopping the spread. CoreView keeps IT informed of unusual patterns or targeting, which may be attempts to compromise mailboxes in your organization. CoreView also provides details on potentially compromised accounts and the malware which may have been sent from your organization, enabling your shop to take action to support investigations and remedy issues.
Malware often spreads from mailbox to mailbox – right under IT’s nose. The answer is tracking all actions and file movement from mailbox owners hit by malware, along with other unusual activity.
Finally, monitoring employee activities such as their mailbox practices can identify risky behavior and proactively secure business-critical data. Preventing risky activities such as auto-forwarding to external email addresses and limiting access rights to other users’ mailboxes can prevent the spread of malware and the leakage of data through emails. In addition, being aware of unusual email activity prevents targeted spam or social engineering tactics common among today’s cybersecurity threats.
Step Six – Get a Handle on Out of Control Administrative Roles
Ensuring that administrative privileges are limited to those that absolutely need them is critical to a safe Office 365 environment. An internal threat, such as a disgruntled employee, with access to global admin privileges, is a major risk that can be prevented simply by limiting the number of users with admin privileges — and restricting the scope of those permissions.
Unfortunately, Microsoft Office 365 Admin roles have limited flexibility. Microsoft offers some roles that limit administration rights on a specific workload, but these are not available across all workloads.
Meanwhile, CoreView shows how many admins your shop has, and their roles. Even better, by using CoreView, your organization can implement a granular Role-Based Access Control (RBAC) policy. This will enable your organization to assign administrative privileges to operators that appropriately match their responsibilities.
Step Seven – Reduce the Danger of External AutoForwarding
To the average end user, setting up automatic email forwarding rules is a harmless exercise. But for those whose job it is to prevent data breaches and ensure compliance, email forwarding rules can quickly turn into a nightmare scenario. The indiscriminate forwarding of emails outside of your organizational control is a common vector for information theft, as well as GDPR and similar data protection regulation violations.
CoreView can identify mailboxes that have auto-forwarding to external addresses such as “Gmail.com”. This is a major data leakage concern. These should all be reset to internal e-mail addresses or have the auto-forwarding removed completely.
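The external-forwarding check in Exchange Online PowerShell, as an added example that is not CoreView's code: it treats any domain not in the tenant's accepted domains as external (the post's gmail.com case) and inspects both mailbox-level forwarding and user-created inbox rules. It assumes the ExchangeOnlineManagement module is installed.

```powershell
# Added example (not CoreView's code): report mailboxes forwarding to addresses outside
# the tenant's accepted domains, via mailbox settings or inbox rules.
Connect-ExchangeOnline

# Anything not in an accepted domain is external
$internal = (Get-AcceptedDomain).DomainName | ForEach-Object { "$_".ToLower() }
function Test-External([string]$addr) {
    if (-not $addr) { return $false }
    $domain = (($addr -replace '^smtp:', '') -split '@')[-1].ToLower()
    return $internal -notcontains $domain
}

$mailboxes = Get-Mailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox
$findings = foreach ($mbx in $mailboxes) {
    # 1. Mailbox-level forwarding to an SMTP address (ForwardingAddress points at a
    #    directory recipient; a mail contact there would need a separate check)
    if (Test-External $mbx.ForwardingSmtpAddress) {
        [pscustomobject]@{ Mailbox = $mbx.PrimarySmtpAddress; Source = 'Mailbox setting'
                           Target  = $mbx.ForwardingSmtpAddress
                           KeepsCopy = $mbx.DeliverToMailboxAndForward }
    }
    # 2. Inbox rules that forward, forward as attachment, or redirect
    Get-InboxRule -Mailbox $mbx.Identity | ForEach-Object {
        $rule = $_
        $targets = @($rule.ForwardTo) + @($rule.ForwardAsAttachmentTo) + @($rule.RedirectTo)
        foreach ($t in $targets) {
            # Rule recipients render as "Display Name [SMTP:user@domain]"; internal
            # legacy-DN entries do not match and are therefore skipped
            $smtp = [regex]::Match([string]$t, 'SMTP:([^\]]+)', 'IgnoreCase').Groups[1].Value
            if (Test-External $smtp) {
                [pscustomobject]@{ Mailbox = $mbx.PrimarySmtpAddress; Source = "Rule: $($rule.Name)"
                                   Target  = $smtp; KeepsCopy = -not $rule.DeleteMessage }
            }
        }
    }
}
$findings | Format-Table -AutoSize
```

The per-mailbox rule loop is slow on large tenants; the tenant-wide control is the outbound spam filter policy's AutoForwardingMode setting, which this report does not change.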
Step Eight – Plug Data Leakage Through OneDrive and SharePoint Sharing
Whether your organization is large or small, sharing content with users is a powerful capability provided by Office 365 collaboration features. This is especially true when working with clients, vendors, and partners.
CoreView can detect OneDrive sharing activities, SharePoint sharing activities, as well as creation and use of anonymous links. Also, with CoreView admins can be alerted when new anonymous links are created or used. You can then immediately address any problems.
Step Nine – Eliminate Misconfiguration Danger
Gartner argues that “Nearly all successful attacks on cloud services are the result of customer misconfiguration, mismanagement and mistakes.” Monitoring and enforcing policies is the responsibility of Office 365 IT professionals, and is a must-do best practice to reduce your breach perimeter.
CoreView shows all misconfigurations, so IT can immediately correct the problems, and improve the tenant security level.
To reduce mismanagement issues, CoreView implements segregation of your tenants in many critical ways. You can separate your tenant into sub-tenants or virtual tenants. This way you can have local administrators that keep an eye on a smaller, more defined set of users. Specific policies can apply to just these user sets. Moreover, because fewer admins have global rights, end users in these sub-tenants are protected from global admin mistakes or malfeasance.
Step Ten – Get the Complete Secure Score Guide
For more advice, download our Guide: Boost Your Microsoft Secure Score.
Or sign up for a personalized CoreView demo.