
CPA Now Blog Archive

This is the archive of CPA Now blogs posted on the PICPA website through April 30, 2025.

Secure Score: Tips to Improve Your Office 365 Security

If you run Office 365, do you know what Secure Score is? If not, you're missing out. Here, learn about Secure Score and how you can use it to improve your network security.

May 13, 2020, 05:22 AM

Thomas G. Stephens Jr., CPA, CITP, CGMA


If you run Office 365, do you know how to use Secure Score to improve its security? Maybe the better question is: did you even know that Secure Score exists? These are important questions. Office 365 currently has over 200 million subscribers, so when Office 365 implementations are left unsecured, the data belonging to each subscriber is potentially at risk.

In this blog, you will learn about Secure Score and how you can implement it to improve security.

Secure Score

Microsoft Secure Score is a feature of Office 365. You can use it to evaluate the security of your Office 365 implementation and to get recommendations on how you can improve your Office 365 security regime.

Secure Score can help you and your organization in the following three areas:

  • Help understand the current state of the security of your Office 365 implementation.
  • Help discover issues with security, make those issues visible to management, guide corrective actions, and increase internal control.
  • Compare your organization’s results to benchmarks and key performance indicators.

Additionally, Secure Score can assess several components of the Microsoft stack. For example, the tool checks and provides recommendations for SharePoint Online, Exchange Online, and OneDrive for Business. Outside the Office 365 environment, Secure Score also works with Azure AD and Cloud App Security.

Enabling Secure Score

To enable this feature in Office 365, you must have administrative rights. Assuming you do, log in to the Microsoft 365 security center where you will have access to Secure Score.

As shown in Figure 1 (below), when you use the tool in Office 365 it produces a detailed report with metrics on your current level of security relative to your total possible security score. One recent study indicated that the average Office 365 score was a paltry 37 out of a possible 416! The report also shows which corrective actions would provide the biggest improvements to your score and lets you know how your organization compares to similar organizations. Armed with this information, you and your team can begin to make quick and effective changes to improve security.

Figure 1 - Sample Office 365 Secure Score Report


Improving Security

Most admins will be shocked by their organization’s Secure Score the first time they see it. However, it’s important not to overreact to a low score. It is better to take a careful and considered approach to the security of all the data in your organization – not just that in Office 365. Begin by considering – on an item-by-item basis – the recommendations in the Actions to Review section of the Secure Score dashboard. Figure 2 (below) provides a sample of typical recommendations. Carefully weigh each of these recommendations relative to other security measures you have implemented outside your Office 365 environment.

Figure 2 - Sample Recommendations from Secure Score for Improving Office 365 Security


To learn more about any single recommendation, click on it to open a details window. As shown in Figure 3 (below), the details window provides more information on that recommendation, including the expected benefits, the impact on end users, and how to implement it. By clicking the Manage button, you are taken directly to the page to activate the recommendation. As shown, the tool provides a “road map” of how you can improve security in Office 365.

Figure 3 - Details of a Specific Secure Score Recommendation
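
The item-by-item weighing described in this section can also be done on exported data. The following is an added example, not part of the original post and not Microsoft's code: it ranks improvement actions by the points still available. The JSON is a constructed sample whose field names are modelled on the Microsoft Graph secureScore and secureScoreControlProfile resources; the control names, titles, and the function name `rank_actions` are assumptions.

```python
import json

# Constructed sample data (not from a real tenant). The overall score reuses
# the 37-of-416 average quoted above; the per-control values are illustrative.
SCORE = json.loads("""
{"currentScore": 37.0, "maxScore": 416.0,
 "controlScores": [
   {"controlName": "SampleAdminMfa", "score": 0.0},
   {"controlName": "SampleLegacyAuthBlock", "score": 8.0},
   {"controlName": "SampleUserMfa", "score": 3.0}]}
""")
PROFILES = json.loads("""
[{"id": "SampleAdminMfa", "title": "Require MFA for admins", "maxScore": 10.0, "userImpact": "Low"},
 {"id": "SampleLegacyAuthBlock", "title": "Block legacy authentication", "maxScore": 8.0, "userImpact": "Moderate"},
 {"id": "SampleUserMfa", "title": "Require MFA for all users", "maxScore": 9.0, "userImpact": "Moderate"},
 {"id": "SampleMailboxAudit", "title": "Turn on mailbox auditing", "maxScore": 10.0, "userImpact": "Moderate"}]
""")

# Assumed ordering of the userImpact values; unknown values sort last.
IMPACT_ORDER = {"Low": 0, "Moderate": 1, "High": 2}

def rank_actions(score, profiles):
    """Return (percent_of_max, actions), with actions sorted by remaining points."""
    achieved = {c["controlName"]: c["score"] for c in score["controlScores"]}
    actions = []
    for profile in profiles:
        # A control absent from controlScores has earned no points yet.
        gap = profile["maxScore"] - achieved.get(profile["id"], 0.0)
        if gap > 0:  # fully implemented controls need no action
            actions.append({"id": profile["id"], "title": profile["title"],
                            "gap": gap, "userImpact": profile["userImpact"]})
    # Biggest gain first; for equal gains, the least disruptive action first.
    actions.sort(key=lambda a: (-a["gap"], IMPACT_ORDER.get(a["userImpact"], 3)))
    percent = round(100 * score["currentScore"] / score["maxScore"], 1)
    return percent, actions

if __name__ == "__main__":
    percent, actions = rank_actions(SCORE, PROFILES)
    print(f"Secure Score: {percent}% of maximum")
    for a in actions:
        print(f"+{a['gap']:>4} pts  impact={a['userImpact']:<8}  {a['title']}")
```

Points alone should not set the order of work; the ranking is a starting list to weigh against the controls you already have outside Office 365.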


Other Security Considerations

Secure Score can be a highly effective tool to improve Office 365 security, but it shouldn’t be your only tool. All traditional “blocking-and-tackling” security tools are still required to minimize risk. Here are a few examples of some of the standards:

  • Each user should establish separate, long-and-strong passwords for every application. These passwords should never be shared.
  • Ensure that properly configured firewalls are in place to reduce the risk of outside attacks.
  • Continually train users on emerging security pitfalls, including the continuing risk of phishing emails.
  • Enable encryption at every opportunity.
  • Implement a sound backup strategy. Additionally, store backups of critical data off-site and disconnected from your network.
  • Consider “whitelisting” approaches to protecting against malware.
  • Remain vigilant and actively look for new threats. As these appear, create an effective strategy to mitigate them.

Conclusion

Security is a top concern at all organizations. Those running Office 365 may not even know about some of the tools they already have in hand to help achieve their security objectives. Secure Score is one such tool. If you are running Office 365, Secure Score can be a terrific way to identify and address security gaps. It is easy to access and work with, and helps you understand where the gaps are in your Office 365 implementation. Equally important – if not more so – Secure Score can guide you through the process of addressing the security gaps. If you are running Office 365, investigate how Secure Score can improve your security.


Thomas G. Stephens Jr., CPA, CGMA, CITP, is one of the shareholders in K2 Enterprises, affiliating with the firm in 2003 and joining as a shareholder in 2007. At K2, Stephens focuses on creating and delivering content, and is responsible for many of the firm's management and marketing functions. You may reach him at tommy@k2e.com. Learn more about K2 Enterprises.


For more Office 365 features, consider one of these PICPA programs. More information on Secure Score can be found at Microsoft's website


