Office 365 user security practices are woeful, yet it's still 'Microsoft's fault' when an org is breached

As soon as defences are sold as a product, hygiene suffers


The US Cybersecurity and Infrastructure Security Agency (CISA) has become the latest government body to plead with admins to implement security best practices on Microsoft's Office 365 platform.


The UK's National Cyber Security Centre (NCSC) made a similar appeal in December 2018. The evidence, though, is that most users are not taking their tablets.


How many, for example, enable multi-factor authentication (MFA) on Office 365? MFA is where not only a password is required, but also a second factor, such as a text message sent to a mobile phone (frowned upon as vulnerable to interception) or a code from an authenticator app. MFA is top of the list when it comes to basic security advice for Office 365.
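A quick way for an administrator to answer that question for their own tenant is shown below. This is an added example, not code from the article: it uses the legacy MSOnline PowerShell module, assumes an account with rights to read user objects, and reports per-user MFA state and registered second factors. It only sees per-user MFA; tenants that apply MFA through Conditional Access policies need to check those policies separately.

```powershell
# Added example (not from the article): audit which Office 365 users have
# per-user MFA enforced and which have registered no second factor at all.
# Assumes the legacy MSOnline module and an account that can read user objects.
# Caveat: MFA applied via Conditional Access policies does not show up in these
# per-user properties, so a tenant using that model needs a separate check.

Connect-MsolService   # interactive sign-in to the tenant (assumed admin account)

$report = Get-MsolUser -All | ForEach-Object {
    [PSCustomObject]@{
        UserPrincipalName = $_.UserPrincipalName
        # An empty StrongAuthenticationRequirements means per-user MFA is
        # neither Enabled nor Enforced for this account
        PerUserMfaState   = if ($_.StrongAuthenticationRequirements.Count -gt 0) {
                                $_.StrongAuthenticationRequirements[0].State
                            } else { 'Disabled' }
        # Second factors the user has registered (authenticator app, phone, ...)
        RegisteredMethods = ($_.StrongAuthenticationMethods |
                                ForEach-Object { $_.MethodType }) -join ','
        IsLicensed        = $_.IsLicensed
    }
}

# Licensed users with no per-user MFA and no registered method are exactly the
# accounts the CISA and NCSC advice is aimed at
$licensed = $report | Where-Object { $_.IsLicensed }
$exposed  = $licensed | Where-Object {
    $_.PerUserMfaState -eq 'Disabled' -and -not $_.RegisteredMethods
}

$exposed | Format-Table -AutoSize
$exposed | Export-Csv -Path .\users-without-mfa.csv -NoTypeInformation

"{0} of {1} licensed users have neither per-user MFA nor a registered second factor" -f `
    $exposed.Count, $licensed.Count
```

Run it from a workstation with the MSOnline module installed; the CSV gives a list to work through, and the final line gives the tenant's own version of the figure the article says is so hard to come by.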


Exact figures are hard to come by, but it turns out that Microsoft publishes information about the security practices of its users, via a security dashboard available to Office 365 administrators.


The maximum "security score" is currently 707, though this should not be taken too seriously since it assumes use of other Microsoft services like Intune. The average Office 365 score is just 37, though, and that is a concern.


Looking at the Secure Score table, you would ..