Introduction

Over the last few years, we have seen the pattern of law firms outsourcing their IT to Managed Service Providers (MSPs) and implementing Microsoft 365 for online services.

There seems to be a comfortable assumption that if you outsource IT and use Microsoft 365 (MS365), you don’t need to worry about security.

Think again – recent experience shows that MSPs are simply not looking after the Microsoft 365 platform as Microsoft would expect them to. This exposes you to significant business risks.

To some extent many MSPs still see MS365 as a new way to license Microsoft software or host email, rather than seeing it as the platform it is. Like all platforms it needs time and attention to configure and maintain as it evolves.

Background

Even though you’ve outsourced the operational elements of IT and security, you cannot pass responsibility to a third party; the buck, as they say, remains firmly at your door.

Firms remain responsible for determining their security stance, developing policies and procedures, ensuring relevant systems are deployed and confirming that they are implemented correctly. It goes without saying that the biggest risk is the business impact in terms of downside and reputational damage should your security stance not stand up to the challenges.

Microsoft 365 Security Approach

Microsoft 365 takes the form of a “tool kit”, and whilst Microsoft do a lot of perimeter security prevention for their clients, it is up to each “tenant” (Microsoft’s term for each unique client’s “instance” of the 365 platform) to enact the security protocols which are relevant for their business.

To support this approach, Microsoft provide a tool to assess the security of the tenancy and provide a “security score” and advice on what changes could be made to improve that score.

This score is an indicator of how secure your environment is, with a higher score being better.  It can be evaluated against the following scale:

  • Less than 30% – Highly vulnerable
  • Less than 50% – Best practices have not been applied
  • 67% – Expected score with best practices applied
  • 80% or above – Highly secure with additional and advanced security features configured

According to AttorneyAtWork, an acceptable score for a legal practice is 60 – 80%.

We have recently undertaken three assessments of law firms using an MSP and Microsoft 365 and found that in each case the security score was in the low 30%s. This indicates a significant business risk given it is only just above the “Highly vulnerable” status.

Sometimes this score can be mitigated because the firm has different solutions in place (e.g. Mimecast for email), but we would argue it is good practice to complete the Microsoft assessment and identify such third-party solutions in it, as this hones the advice you get from Microsoft about securing your unique tenancy.

Frankly put, a score this low shows that the MSP are not following best practice or monitoring / implementing the advice which Microsoft clearly provide on the weaknesses within your environment and therefore are simply not managing the MS365 environment proactively.

Rather than the Microsoft Cloud being a trusted secure environment it is currently being seen as a significant business risk.

Recommendations

1. Benchmark where you are

We would recommend you ask your IT team or MSP for a report on your MS365 security standing. This can be done simply via the following steps:

  • Log on to your 365 Admin Portal
  • Click “Admin Centres”
  • Click on “Security”
  • Click on “Security Score”
  • Click on “History”

2. Regularly review

Ensure that your Microsoft Security score is reviewed as part of your monthly / quarterly service review meetings and the Microsoft “security hardening” recommendations are considered as part of this review.
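For a review meeting, the same history can be checked from an export rather than by eye. The sketch below is an added example, not part of the original article or any Microsoft tooling: it reads snapshots in the shape of the Microsoft Graph `secureScores` resource, rates the latest one against the scale above, and flags large drops between snapshots. The sample data is constructed, and the labels for the 50–80% range and the 5-point drop threshold are assumptions.

```python
import json

# Constructed sample, shaped like a Microsoft Graph
# GET /v1.0/security/secureScores response (values invented for illustration).
SAMPLE = json.loads("""
{"value": [
  {"createdDateTime": "2024-03-01T00:00:00Z", "currentScore": 205.0, "maxScore": 640.0},
  {"createdDateTime": "2024-01-01T00:00:00Z", "currentScore": 262.4, "maxScore": 640.0},
  {"createdDateTime": "2024-02-01T00:00:00Z", "currentScore": 256.0, "maxScore": 640.0}
]}
""")

# Upper bounds from the article's scale. The article names no band for
# 50-67% or 67-80%, so those two labels are assumptions made here.
BANDS = [
    (30, "Highly vulnerable"),
    (50, "Best practices have not been applied"),
    (67, "Below the expected best-practice score (assumed label)"),
    (80, "Best practices applied (assumed label)"),
]

def band(pct):
    """Map a percentage onto the article's scale."""
    for upper, label in BANDS:
        if pct < upper:
            return label
    return "Highly secure with additional and advanced security features configured"

def history(response):
    """Return [(date, percent)] oldest first, skipping snapshots with no maxScore."""
    rows = []
    for snap in response.get("value", []):
        if not snap.get("maxScore"):
            continue  # avoid dividing by zero on an empty snapshot
        pct = round(100 * snap["currentScore"] / snap["maxScore"], 1)
        rows.append((snap["createdDateTime"][:10], pct))
    return sorted(rows)  # ISO dates sort chronologically as strings

def review(response, max_drop=5.0):
    """Summarise the latest score and flag drops larger than max_drop points."""
    rows = history(response)
    if not rows:
        raise ValueError("no usable Secure Score snapshots")
    drops = [(d2, round(p2 - p1, 1))
             for (_, p1), (d2, p2) in zip(rows, rows[1:]) if p1 - p2 > max_drop]
    date, pct = rows[-1]
    return {"date": date, "percent": pct, "band": band(pct), "drops": drops}

if __name__ == "__main__":
    print(review(SAMPLE))
```

A flagged drop is a prompt to ask the MSP what changed in the tenancy between the two snapshots.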

3. Regularly Update

Microsoft are changing their cloud platform at a dizzying speed. Your MSP should be regularly updating you on the changes and their impact or advantages to you.

In the same vein there are some great tools within MS365 such as MS booking, which allows people to view your available time and book a meeting with you, which could be extremely helpful and which many firms are blissfully unaware of. Ideally your MSP should be showcasing the MS365 platform and ensuring you have all the opportunity for receiving a good return on investment.

Baskerville Drummond offer a comprehensive MS 365 audit which would consider your unique requirements and your current configuration and provide you with confidence that your MS 365 security posture is where it should be.

David Baskerville
