MSPs: The Heroes of Security Compliance in M365

The Evolving Industry of Managing Cybersecurity Standards

Scaling strategies for Microsoft 365 Data Protection

In today’s interconnected world, cybersecurity compliance is no longer a responsibility for only certain businesses; it is a shield every company needs against the escalating threat of cyber-attacks.

To help companies achieve compliance, and to help them maintain it, an estimated 75% of businesses today are willing to invest in assistance from an MSP. For Microsoft Partners, managing M365 security is core to meeting these security compliance standards.

The world of cyber security compliance is still young. Compliance frameworks and the bodies behind them take many forms around the world, including the CIS Controls, the UK NCSC’s Cyber Essentials, Australia’s Essential 8, GDPR, NIST, Germany’s BSI standards, and ISO 27001, to name just a few.

In this blog, we explore the demand, challenges, and opportunities for MSPs in attaining and maintaining security compliance for M365 customers.

The Demand for Cyber Security Compliance

In 2023, the world saw a 400% rise in cyber-attacks, which are increasing in both number and sophistication. It is no surprise that businesses now expect one another to be compliant with security standards.

To date, however, it is estimated that only 20% of businesses have attained any formal compliance standing, although the majority intend to become compliant. This is not just a gap the world must close, but a huge opportunity for MSPs.

This demand is not limited to organizations that handle large amounts of sensitive personal information, such as hospitals, banks, and law firms. In nearly every industry, companies now require their customers, vendors, and partners to be compliant as well.

By now, many of us have received a security questionnaire from a vendor or client, and this trend is only growing. Many companies leading their industries are doing so in part by becoming early achievers of security compliance standards.

But at what cost?

Attaining and Maintaining Compliance: Costs and Challenges

The international security compliance standards provide some structure through frameworks and other resources. But the sheer variety of these frameworks poses significant challenges for businesses, and for the MSPs helping them achieve one or more of them.

Attaining compliance for a business’s unique usage and clientele profile is a project that can take many businesses years to complete.

Furthermore, once compliance has been attained, new work begins. A business must be able to produce an accurate report of its compliance status at any moment. IT administrators must also prevent the business from falling out of compliance unintentionally, a problem known as compliance drift: the gradual divergence of a tenant’s configuration from the approved baseline as day-to-day changes accumulate.

The cost of preventing compliance drift can be reduced by having systems that compare the current configuration against that approved baseline and proactively notify the responsible parties when a setting has changed or regular maintenance is due.

Additionally, the multitude of compliance standards globally can seem daunting. Within your customer base, it is highly likely that some customers will require different compliance standards than others.

The good news is that there is some overlap between these different standards. According to Microsoft, “CIS controls map to many established standards and regulatory frameworks, including the NIST Cybersecurity Framework (CSF) and NIST SP 800-53, the ISO 27000 series of standards, PCI DSS, HIPAA, and others.” Read more from Microsoft.

Here are some estimates of the budget required of companies seeking to attain and maintain compliance. Note that these are averages; the actual cost for a specific business could be higher or lower depending on factors such as the size of the business and the current state of its cybersecurity infrastructure.

  1. CIS: The cost varies widely based on the size of your environment and level of service, but it may cost $50,000 or more per year to achieve and maintain compliance.
  2. GDPR: In the United States, it averages $10,000, fluctuating based on industry, state, and specific legal factors. The average cost of GDPR compliance for a mid-sized company with 500 employees is around €1.3 million.
  3. Essential 8: The cost of Essential 8 compliance is not readily available in the public domain. However, achieving Essential 8 compliance involves continuous auditing, monitoring, and reviewing of the effectiveness of security controls.
  4. NIST: The cost of this approach varies widely based on the size of your environment and level of service, but it may cost $50,000 or more per year to achieve and maintain compliance.

The averages above are intended only for comparison, since this information is rarely disclosed by companies. Even so, it is clear that most companies carry considerable budget simply to maintain compliance.

While most businesses are willing to spend around 10% of their budget on IT, the project of attaining compliance understandably calls for more than routine IT spend. With compliance frameworks and SkyKick to show customers the work required to attain compliance, MSPs have a considerable revenue opportunity.

Are Compliance Frameworks Competitors to MSPs?

Most compliance frameworks are resources intended for customers to work through themselves, during both the attainment and the maintenance of compliance. Many provide long checklists. Some provide instructions. But few are simple enough for a company’s internal IT team to use independently.

These frameworks often lack a link to action: they are not integrated with the controls or the visibility required to complete the initial project of attaining compliance. This is good news for MSPs.

Most compliance frameworks were built in the spirit of helping companies through the project. But it is commonly reported that they require highly skilled internal resources with dedicated time to manage the project to completion. Thus, MSPs are brought into the project the majority of the time.

For MSPs, these frameworks only go so far, which is why your expertise is valuable. Achieving any compliance is a difficult project because no framework can account for all of a business’s unique needs, and those needs shape the project.

For instance, the compliance project itself can introduce new security risks, simply because of how long it runs and how it is managed. It is common for informal checklists, spreadsheets and other tracking documents to spring up outside the organization’s controlled systems during the project, and to be relied on until the company is ready to submit for approval or be audited.

A common concern voiced on social media is that, during the project, the frameworks require a large amount of detail about the environment to be disclosed to an MSP or provided in a compliance assessment. Doing this securely is difficult, because there is commonly no proper interface for managing the project, and some of the details that must be tracked, such as which security controls are not yet in place, are themselves highly sensitive.

The duration of the project also poses logistical challenges. Keeping project assets up to date over a potentially year-long effort risks an endless loop of assessing and updating.

And for an MSP managing many customers, keeping track of the separate frameworks for different customers can be difficult, because naming conventions and other details differ across frameworks and platforms. For instance, as mentioned above, CIS does not necessarily map to GDPR, although there is considerable overlap in the recommended security measures.

Credit to Microsoft for establishing Microsoft Secure Score in M365. When managing multiple customers against different compliance frameworks, Secure Score serves as a good status check for the M365-related components of compliance. A customer with a high Secure Score is likely to satisfy the M365 technical controls that most standards share; bear in mind that Secure Score measures tenant configuration only, not the organizational, process and non-Microsoft requirements an audit also examines.
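The drift check described earlier (compare the tenant against the signed-off baseline and notify the right owners) and the use of Secure Score as a status check, as an added example that is not SkyKick or Microsoft code. The two snapshots are constructed for illustration: they follow the field names of the Microsoft Graph /security/secureScores resource, but the control names, scores, dates and mailbox addresses are hypothetical. A real check would pull the current snapshot from Graph on a schedule and keep the baseline with the customer’s compliance records.

```python
"""Secure Score drift check for one M365 tenant.

Added example for this post, not SkyKick or Microsoft code. BASELINE and
CURRENT are constructed snapshots that follow the field names of the Microsoft
Graph /security/secureScores resource; control names, scores, dates and the
mailbox routing are hypothetical.
"""
from dataclasses import dataclass

# Constructed: snapshot saved when the customer was signed off as compliant.
BASELINE = {
    "createdDateTime": "2024-03-01T00:00:00Z",
    "currentScore": 58.0,
    "maxScore": 100.0,
    "controlScores": [
        {"controlName": "AdminMFAV2", "controlCategory": "Identity",
         "score": 10.0, "implementationStatus": "Implemented"},
        {"controlName": "BlockLegacyAuthentication", "controlCategory": "Identity",
         "score": 8.0, "implementationStatus": "Implemented"},
        {"controlName": "MailboxAuditingEnabled", "controlCategory": "Data",
         "score": 10.0, "implementationStatus": "Implemented"},
        {"controlName": "SafeLinksEnabled", "controlCategory": "Apps",
         "score": 5.0, "implementationStatus": "Implemented"},
    ],
}

# Constructed: two weeks later. Someone re-enabled legacy auth, the mailbox
# auditing control is no longer reported, and a new control has appeared.
CURRENT = {
    "createdDateTime": "2024-03-15T00:00:00Z",
    "currentScore": 45.0,
    "maxScore": 100.0,
    "controlScores": [
        {"controlName": "AdminMFAV2", "controlCategory": "Identity",
         "score": 10.0, "implementationStatus": "Implemented"},
        {"controlName": "BlockLegacyAuthentication", "controlCategory": "Identity",
         "score": 0.0, "implementationStatus": "NotImplemented"},
        {"controlName": "SafeLinksEnabled", "controlCategory": "Apps",
         "score": 5.0, "implementationStatus": "Implemented"},
        {"controlName": "DLPEnabled", "controlCategory": "Data",
         "score": 0.0, "implementationStatus": "NotImplemented"},
    ],
}

# Hypothetical owners per control category; unmapped categories go to the helpdesk.
ROUTING = {"Identity": "identity-team@msp.example", "Data": "compliance@msp.example"}
DEFAULT_RECIPIENT = "helpdesk@msp.example"


@dataclass
class Drift:
    control: str
    category: str
    baseline_score: float
    current_score: float
    kind: str  # "regressed": score fell; "missing": control no longer reported

    @property
    def loss(self) -> float:
        return self.baseline_score - self.current_score


def index_controls(snapshot: dict) -> dict:
    """Map controlName -> control entry for one snapshot."""
    return {c["controlName"]: c for c in snapshot["controlScores"]}


def detect_drift(baseline: dict, current: dict) -> list:
    """Controls whose score fell, or that vanished, since the baseline.

    A vanished control is reported rather than ignored: Microsoft does retire
    controls, but a person should confirm that before the baseline is changed.
    Improvements are not drift and are not reported.
    """
    base, now = index_controls(baseline), index_controls(current)
    drifts = []
    for name, ctl in base.items():
        if name not in now:
            drifts.append(Drift(name, ctl["controlCategory"], ctl["score"], 0.0, "missing"))
        elif now[name]["score"] < ctl["score"]:
            drifts.append(Drift(name, ctl["controlCategory"], ctl["score"],
                                now[name]["score"], "regressed"))
    # Largest point loss first, so the report leads with what hurts most.
    return sorted(drifts, key=lambda d: d.loss, reverse=True)


def new_controls(baseline: dict, current: dict) -> list:
    """Controls that appeared since the baseline: not drift, but the baseline
    and the customer's scope need revisiting for them."""
    base = index_controls(baseline)
    return [c["controlName"] for c in current["controlScores"] if c["controlName"] not in base]


def route_alerts(drifts: list, routing: dict = ROUTING,
                 default: str = DEFAULT_RECIPIENT) -> dict:
    """Group drift findings by the party that owns each control category."""
    alerts = {}
    for d in drifts:
        line = f"[{d.kind}] {d.control}: {d.baseline_score:g} -> {d.current_score:g} ({d.category})"
        alerts.setdefault(routing.get(d.category, default), []).append(line)
    return alerts


def score_delta(baseline: dict, current: dict) -> float:
    """Change in the tenant's overall Secure Score since the baseline."""
    return current["currentScore"] - baseline["currentScore"]


if __name__ == "__main__":
    found = detect_drift(BASELINE, CURRENT)
    print(f"Secure Score change: {score_delta(BASELINE, CURRENT):+g} points")
    for recipient, lines in route_alerts(found).items():
        print(f"notify {recipient}:")
        for line in lines:
            print("  " + line)
    print("new controls to review:", new_controls(BASELINE, CURRENT))
```

Two design choices matter in practice. A control that disappears from the current snapshot is flagged as drift rather than silently dropped, because it may be a retired control, a reporting gap, or a genuine loss; a person decides whether to re-baseline. Controls that appear for the first time are listed separately, since they are not drift against the signed-off state but do widen the gap a future audit will measure.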

SkyKick therefore integrated Microsoft Partner Center with Security Manager, which takes managing Secure Score across customers to the next level.

Centralized Tooling through SkyKick’s Security Manager

You guessed it, SkyKick has the solution for MSPs with customers on M365: Security Manager.

While compliance standards vary in scope internationally, there is a great deal of commonality in their requirements for M365 security. These requirements come down to settings and policies, and configuring them, managing them, and preventing compliance drift typically takes the bulk of an MSP’s effort.

Generally speaking, we find that the security compliance standards all demand the following four core activities:

  • Configuring a customer’s tenant to be compliant
  • Maintaining compliance and preventing compliance drift
  • Reporting on status of all compliance requirements at any time
  • Documenting and implementing a swift and actionable incident response plan

Security Manager was built specifically to accomplish these four activities. To simplify the management of your entire M365 customer base, SkyKick leverages Microsoft Secure Score.

Microsoft developed Secure Score as a way to monitor a tenant’s security posture. SkyKick Security Manager takes this further by providing:

  • Multiple dashboards, including Secure Score, At-Risk Users, Activity Logs, and more
  • Workflows to execute changes, against one customer or many at a time
  • Robust and fast reporting: one-click reports that can be set on a recurring schedule with multiple export formats, designed for MSPs managing their customers during and after the compliance project
  • Workflow customization, so you can build solutions of your own to run against your customer base, all in one place; valuable for the compliance attainment project as well as for ongoing maintenance and swift incident response

The reporting and dashboards mentioned above give you and your customers a granular view of compliance on demand, and can be sent to you automatically on a schedule. They can serve as a project plan on the road to achieving a compliance standard, and afterwards keep you aware of changes that may need to be addressed to avoid compliance drift.

The workflows and collections of workflows within Security Manager form an excellent action plan. There are dozens of comprehensive out-of-the-box workflows to configure compliance, as well as to respond to security breaches.

These are supplemented by over 16,000 other commands that can be added to a new or existing workflow, letting you search for a solution and respond swiftly to an incident for one or all of your customers at once.

Set the Foundation

One popular SkyKick workflow for MSPs starting a customer on the road to compliance is:

Assess and Apply Microsoft 365 Security Baselines.

This was built so that an MSP can bring a tenant into line with over 150 Microsoft-recommended security settings in a single workflow. MSPs often inherit a tenant after many admins have made their own configuration changes, which adds to the challenge of achieving a compliance standard.

Each Security Manager workflow carries the details an MSP should know before running it against a customer. This workflow may overwrite many user-impacting settings, so it begins by running a report on those settings, allowing you to set customer expectations appropriately before anything is changed.

This is one of many ways Security Manager was designed specifically for MSPs. SkyKick enables you to manage projects for your customers, such as attaining and maintaining security compliance.

Conclusion

The cyber security industry holds great opportunity for MSPs. Security Manager was built specifically for MSPs to run a comprehensive, efficient, world-class cybersecurity management practice for their M365 customer base, a practice that today’s security compliance standards have put in the spotlight.

The purpose of Security Manager is to quickly assess a tenant, make swift changes to its security, and share the results. These abilities are core to attaining and maintaining security compliance, and Security Manager makes them easy for MSPs.


Footnote
As of 2024, SkyKick has attained global ISO 27001 certification, HIPAA compliance, and GDPR compliance. SkyKick is trusted by thousands of Microsoft Partners who use Security Manager to manage millions of users around the world.