Making a business case for signing up to Microsoft 365 is easy. The cloud software gives you an integrated suite of office tools that can be accessed from anywhere and is updated seamlessly in the background by Microsoft. Included with the package are layers of cybersecurity protection and tools for monitoring your risk levels, but bundling so much in one subscription service has its downsides.
First, the upside. Microsoft recognises that smaller businesses are exposed to increasingly sophisticated security threats. It has invested heavily in building cyber defences into its services and provides subscribers with lots of advice on the security.microsoft.com website and through security centres that cover different topics, like cloud and identity management.
You are actively encouraged not just to analyse the performance of your security layers, but to continuously improve them, reducing the risk of having your data stolen or services compromised by an attack. A downside is that small firms with limited technical resources will find this far from straightforward.
Lack of clarity around too many controls
Because Microsoft 365 offers a one-size-fits-all approach, it’s hard to match complex security layers to a small firm’s unique risk profile. Depending on the license you have, there may be over 180 security controls that a business could implement. At the same time, you are encouraged to take surveys of your threat readiness and chase down incremental improvements in security ratings.
What’s absolutely appropriate is the emphasis on constantly revisiting your cyber protection, not just because the threats evolve and Microsoft tweaks its licensing propositions — which it frequently does — but because your business will change. Launching a new product/service or implementing new business applications might expose you to vulnerabilities that weren’t there before, so it’s imperative that you constantly test and evaluate your security posture.
The problem is that guidance from Microsoft on what’s right for your business is hard to follow, with overly technical language making it difficult to understand precisely what’s relevant, let alone how to configure it. You can try and do all the checks yourself, but you’ll realise very quickly that the parameters are enormous and the fixes complicated. Get the configuration wrong and you could make things worse and end up with an environment that’s less secure.
Even if you get the changes right, the reality for many small firms is that there will be diminishing returns in trying to constantly score higher. The time and effort it takes to get over 80%, for example, could be disproportionate to your levels of risk. We’ve seen companies spending money on locking down elements of their business unnecessarily. And if your firm relies on applications and tools outside of the Microsoft ecosystem, the advice you are given will be even less relevant.
Matching security levels to risk profile
Our message at Leacam is to focus on security features that make the most sense for your business, thereby saving money on security without increasing your risk level. What matters is where your business intersects with the threat landscape, and what it will take to make you secure at those points. It’s not about implementing a raft of security features because they happen to come with a license.
We provide gap analysis as part of our support offering, identifying where your business is and where it needs to be in terms of cybersecurity. For Microsoft 365 users specifically, we can carry out a score remediation service over a few days, depending on the size of the company, and identify areas that need improvement.
We layer a service on top of what Microsoft provides: 24/7 monitoring via a separate security detection platform, which enables us to instantly shut down a device or a service that has been breached. Essentially what we’re providing is a type of SOC (Security Operations Centre) — common in large enterprises but not a capability that comes with Microsoft 365. Working with a partner with a background in military-grade security, we put small firms on the front foot in the war against cybercrime.
Have no doubt, cybersecurity threats are only going to accelerate in the coming years as criminal gangs harness the power of AI. The good news is that managing your level of exposure is something we can measure and control, mitigating the risks without spending a fortune.
Reach out to us to explore how Leacam can support your cybersecurity needs.