Do you know your Microsoft Security Score? The low-effort, high-reward cyber security measure you should be utilising.
24 September 2024 | By Align Me | Cyber Security
There’s a good chance your business relies on at least one Microsoft product for daily operations. Whether it’s Outlook, Teams, SharePoint, or good old Word and Excel, it’s estimated that the majority of organisations across Australia are using Microsoft 365 as a core part of their digital infrastructure (1).
It’s an incredible tool that has enabled tens of thousands of businesses to digitally transform their operations and innovate at speed over the last few years. However, Microsoft 365 is also a significant target for cyber attackers due to its extensive user base and the critical nature of the data it holds (2).
The frequency of attempted attacks remains extremely high (67% of attacks in the first half of 2024 happened through malicious or criminal attack (3)), underscoring the need for continuous vigilance and advanced security measures.
Luckily, Microsoft is well aware of the threats and the need to keep users secure. Enter: Microsoft Security Score (MSS). The score acts as a live marker of your Microsoft security posture, helping you understand, identify and rectify security gaps.
While it is one of the best tools you can have in your cyber security arsenal, it can also be complex and highly technical. So, we’re breaking down everything you need to know about MSS and how you can use it to protect your business.
What is the MSS and how does it work?
The Microsoft Security Score is an aggregated score that visualises how secure your Microsoft devices and applications are. It’s broken up into four key areas, and scores you on the actions, licenses or rules you’ve implemented and enabled across:
- Identity management
- Devices
- Data
- Applications
Your security score is fluid, just like the cyber landscape. As new threats develop, standards change, and Microsoft evolves its security measures, your score will fluctuate. This is part of the magic of MSS – it provides a real-time snapshot of your security posture at any moment in time, enabling your business security to be constantly up to date.
The security score dashboard also shows your score history and how it has varied over time, and provides recommended actions and comparisons with businesses of similar sizes.
Using MSS as part of your wider cyber security approach
Security models like Essential 8 are incredibly important and provide a more holistic approach and visibility across your whole environment. But the MSS, which looks specifically at Microsoft devices and applications, can be an equally valuable tool.
Up to 25% of data breaches are caused by human error while 59%+ are due to compromised credentials (including phishing & brute-force attacks (4, 5, 6)).
Yet, relatively simple measures can be enforced to significantly reduce the chances of these occurring. Without these measures, your security score will drop.
While there is no ‘perfect’ MSS (it will depend on your business, how you operate and where your biggest risks lie), a score below 40% indicates that there are several simple fixes that can and should be made quickly.
By implementing and enforcing basic measures (like MFA, password strengthening, and incoming document scanning) you can significantly uplift your security posture with minimal investment.
Even something as simple as blocking executable files from running can increase your security score by 7.7%.
Some of the measures you implement to lift your security score will also help achieve some wider security goals. MSS is a tool that can help you focus efforts on the most important, relevant areas to ensure time and cost efficiency.
Making cyber security second nature
Cyber security can be a complex task, especially for SMEs who have limited time and resources to commit to the upkeep of security in an ever-evolving risk landscape.
The Microsoft Security Score gives you the visibility and power to keep across some of the most important elements of cyber security and realise the business benefits of completely secure operating systems.
Enforce security standards organisation-wide
Many organisations have standards in place around certain security measures (MFA, sharing confidential data via chat or email, etc.). Yet not all businesses enforce these standards – they simply expect staff to follow them. To improve your MSS, these measures need to be (and can be) enforced across the organisation, leaving nothing up to chance.
Continuously monitor and update your security posture
Constant changes in threats and security standards make it increasingly difficult to maintain strong cyber security, with organisations constantly playing catch-up. MSS provides a live picture that takes into account all changes as they happen. With continuous monitoring, you can always be aware of any vulnerabilities and rectify them immediately.
Help protect from some of the most common threats
As mentioned earlier, some of the most common threats are highly preventable with the implementation of certain actions or security rules. MSS can help you understand where these gaps lie and easily apply new processes to capture the low-hanging security fruit.
Customise security to your business
Risks and security priorities are different for every business. MSS enables you to focus on the areas that are most important for your specific business, so you can focus time and energy on the actions that will have the biggest impact. It enables you to be more cost and time-efficient without risking security.
How do I get my score?
The MSS provides ongoing fit-for-purpose cyber security measures for your Microsoft devices and applications. If you don’t know your score, you don’t know how secure the applications you use every day to share and store some of your most important data are.
Your Microsoft 365 security score would be around 30% straight out of the box. While Microsoft offers extensive security, it needs to be switched on and configured for your environment.
This is not something just anyone in the business can do or access. For security purposes, only the global administrator of your Office 365 tenancy can access it. Managing and implementing MSS elements can be highly technical and complex, so it needs to be done by a trusted and experienced IT administrator or provider.
MSS is part of Bigfish’s security offering and recommendations. We offer MSS set-up and basic uplift as a one-off service, but we also provide (and recommend) ongoing monitoring and maintenance to ensure you’re constantly improving your security response. After all, cyber security should be a constant conversation, not a set-and-forget.
We’ll help to:
- Implement basic measures to improve your security score
- Recommend and implement additional or more complex measures based on business needs
- Monitor and update your score on an ongoing basis
- Report on cyber security posture and potential threats
- Ensure security changes don’t impact daily operations or processes
If you’re keen to learn more about your Microsoft Security Score, we can access and share it and discuss whether and how you can start improving your cyber security posture.
To learn your security score and get started, get in touch with the Bigfish team.
Sources:
1. https://www.ibtimes.com.au/press-release/20230504/hybrid-work-lifts-microsoft-cloud-use-in-australia
2. https://www.microsoft.com/en-us/security/blog/2024/08/28/the-art-and-science-behind-microsoft-threat-hunting-part-3/
3. https://www.oaic.gov.au/privacy/notifiable-data-breaches/notifiable-data-breaches-publications/notifiable-data-breaches-report-january-to-june-2024
4. https://securis.com/news/25-of-data-breaches-are-caused-by-human-error/
5. https://contentsecurity.com.au/notifiable-data-breach-report-july-to-december-2021/
6. https://www.tenable.com/blog/verizons-2022-data-breach-report-insights-for-cloud-security-professionals