Just two months ago we started building our new company. As part of this journey, we set up a brand new Microsoft 365 tenant with E5 licensing. Most new tenants are fairly secure by default, but once you start enabling new features, and once users start leveraging those capabilities, it’s imperative to maintain a secure stance in the long run.
Microsoft Secure Score is a built-in service in Microsoft 365 for quickly revealing the big picture of any Microsoft 365 tenant. It’s an incorruptible measure, ranging from a theoretical 0% to 100% security. You can review your score via https://security.microsoft.com/securescore.
For us, we started at just a tad over 50% as our baseline score:
Similar organizations – meaning small cloud-based organizations in this context – were trailing us at roughly 46%. In theory, it’s pretty good, but admittedly, at that point we hadn’t spent much time optimizing our secure stance. And as a company offering services and skills on security, it’s crucial to be above average!
So, together with my co-founder Antti, we got to work. I’ve often casually mentioned to customers that anything above 70% is already a great security stance.
Today, we are at 90.99%.
What was needed to go from 50% to closer to 100%? About 212 configuration changes, settings, modifications and tests. It’s practical hands-on work, but even more it’s about designing and thinking through what to resolve, and how, for certain security capabilities. Beyond just enabling two-factor authentication for users – 1 task out of the 212 – it’s more about considering a fine balance between productivity and security in the cloud.
As we are not at 100% just yet, there is more work to be done. Perhaps less urgent, but something to work on in the coming weeks. While the specific score is useful, it’s more crucial to look behind the raw numbers and monitor for possible regressions over time.
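One way to watch for regressions behind the raw number, as an added example that is not part of the original post: compare the two most recent Secure Score snapshots per control. It assumes the snapshots were already fetched from the Microsoft Graph `/security/secureScores` endpoint; the control names and all numbers below are constructed sample values.

```python
import json

# Constructed sample shaped like the Graph secureScore resource (newest first).
# Control names and numbers are made up; only a few controls are shown.
SAMPLE = json.loads("""
{"value": [
 {"createdDateTime": "2024-01-02T00:00:00Z", "currentScore": 19.0, "maxScore": 40.0,
  "controlScores": [
   {"controlName": "ExampleMfaForAdmins", "score": 10.0},
   {"controlName": "ExampleBlockLegacyAuth", "score": 0.0},
   {"controlName": "ExampleSafeLinks", "score": 9.0}]},
 {"createdDateTime": "2024-01-01T00:00:00Z", "currentScore": 30.0, "maxScore": 40.0,
  "controlScores": [
   {"controlName": "ExampleMfaForAdmins", "score": 10.0},
   {"controlName": "ExampleBlockLegacyAuth", "score": 8.0},
   {"controlName": "ExampleSafeLinks", "score": 9.0},
   {"controlName": "ExampleAuditLog", "score": 3.0}]}
]}
""")

def percent(snap):
    """Score as a percentage of the maximum achievable points."""
    return round(100.0 * snap["currentScore"] / snap["maxScore"], 2)

def by_control(snap):
    return {c["controlName"]: c.get("score", 0.0) for c in snap["controlScores"]}

def find_regressions(snapshots):
    """Compare the two newest snapshots; list controls that lost points."""
    # ISO 8601 UTC timestamps in one format sort correctly as strings.
    ordered = sorted(snapshots, key=lambda s: s["createdDateTime"])
    if len(ordered) < 2:
        return {"delta": 0.0, "controls": []}
    old, new = ordered[-2], ordered[-1]
    old_c, new_c = by_control(old), by_control(new)
    # Assumption: a control missing from the newer snapshot counts as 0,
    # so a control that vanished is reported instead of silently ignored.
    dropped = [(name, score, new_c.get(name, 0.0))
               for name, score in old_c.items() if new_c.get(name, 0.0) < score]
    dropped.sort(key=lambda d: d[1] - d[2], reverse=True)  # biggest loss first
    return {"delta": round(percent(new) - percent(old), 2), "controls": dropped}

if __name__ == "__main__":
    report = find_regressions(SAMPLE["value"])
    print(f"score change: {report['delta']:+.2f} percentage points")
    for name, before, after in report["controls"]:
        print(f"  {name}: {before} -> {after}")
```

Running this on a schedule and alerting on any non-empty `controls` list catches a single control being switched off even when other improvements keep the headline percentage flat.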