O365 Non-Security – again


The US Cybersecurity and Infrastructure Security Agency (CISA) has become the latest government body to plead with admins to implement security best practices on Microsoft’s Office 365 platform.

The UK’s National Cyber Security Centre (NCSC) made a similar appeal in December 2018. The evidence, though, is that most users are not taking their tablets.

How many, for example, enable multi-factor authentication (MFA) on Office 365? With MFA a password alone is not enough: a second factor is also required, such as a text message sent to a mobile phone (frowned upon as vulnerable to interception) or a code from an authenticator app. MFA is top of the list when it comes to basic security advice for Office 365.

Exact figures are hard to come by, but it turns out that Microsoft publishes information about the security practices of its users, via a security dashboard available to Office 365 administrators.

The maximum “security score” is currently 707, though this should not be taken too seriously since it assumes the use of other Microsoft services like Intune. The average Office 365 score is just 37, though, and that is a concern.

Looking at the Secure Score table, you would get 100 points simply by enabling all the MFA options. In fact, even by flinging a document or two into OneDrive, Microsoft will reward you with 10 points. You also get 10 points for non-expiring passwords, a reversal of former advice. Conclusion: the typical Office 365 account is miles behind in terms of security best practice.
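The quickest way to see whether your own tenant is one of those lagging accounts is to count the users who have no MFA requirement and no registered MFA method. The script below is an added example written for this page, not something from Microsoft or from the article's author; it assumes the legacy MSOnline PowerShell module is installed, that the account running it holds a Global Reader or Global Admin role, and that the output file name `users-without-mfa.csv` is acceptable.

```powershell
# Added example: audit which Office 365 users lack per-user MFA.
# Assumes the legacy MSOnline module is installed and that the signed-in
# account has read access to user objects (Global Reader or Global Admin).
Import-Module MSOnline
Connect-MsolService   # prompts for admin credentials

# Only look at accounts that can actually sign in.
$users = Get-MsolUser -All | Where-Object { -not $_.BlockCredential }

# StrongAuthenticationRequirements is empty when per-user MFA is not enforced;
# StrongAuthenticationMethods is empty when the user has registered no method.
$notRequired   = $users | Where-Object { $_.StrongAuthenticationRequirements.Count -eq 0 }
$notRegistered = $users | Where-Object { $_.StrongAuthenticationMethods.Count -eq 0 }

"{0} enabled users: {1} with no per-user MFA requirement, {2} with no MFA method registered" -f `
    $users.Count, $notRequired.Count, $notRegistered.Count

# Write the at-risk accounts out for follow-up (hypothetical file name).
$notRegistered |
    Select-Object UserPrincipalName, IsLicensed, LastPasswordChangeTimestamp |
    Sort-Object UserPrincipalName |
    Export-Csv -Path .\users-without-mfa.csv -NoTypeInformation
```

One caveat when reading the numbers: the `StrongAuthenticationRequirements` property reflects only the older per-user MFA setting. A tenant that enforces MFA through Conditional Access policies or Security Defaults will show an empty requirement for every user even though MFA is applied at sign-in, so the "no MFA method registered" count is the more reliable indicator of accounts that can still be reached with a password alone.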