We always recommend Secure Score as a starting point within Microsoft 365: it can quickly bolster your security posture and help ensure that you are getting more value out of your licenses. The historical score changes report can be used as a tool to demonstrate value to the business based on progress made by the relevant teams.
Secure Score, however, just like MFA, is not enough to cover every scenario. A well-architected identity policy will be far more in-depth than just enforcing MFA for access, which is one of the main score points within Secure Score. When working with customers who have rolled out MFA as an identity security policy, we like to dig deeper into individual scenarios:
- What is stopping an employee on a home computer that isn’t protected by your controls from downloading all your data?
- What is stopping an infected machine from accessing your corporate apps and data?
- What happens if the user just accepts every MFA prompt they get because they are so used to them?
These are just a few of the scenarios we go through when speaking with customers about their security strategy, reflecting on each one. In short, MFA alone is not sufficient to prevent a compromise.
Organizations should now be working towards a Zero-Trust architecture, taking into account all the different ways employees should be interacting with corporate systems and the controls needed to make sure this happens securely without affecting productivity.