Jul 17, 2024

The Trusted Advisor: How CIS Controls and Microsoft 365 Can Elevate Your Managed Services

Organizations are incorporating technology into the very foundations of their business, creating dynamic integrations between systems and with external organizations that provide new levels of efficiency and opportunity. These opportunities, and the reliance on technology that comes with them, also increase their vulnerability.

A break in the chain can often halt operations not just for the organization but for any other organization or person reliant on its services or systems. In a recent high-profile news story, many London hospitals were forced to halt surgeries and blood transfusions after an upstream provider came under a cyberattack from a Russian group.

Long gone are the days of simple break/fix type solutions. Today, Managed Service Providers (MSPs) have a unique opportunity to grow their traditional role and emerge as trusted advisors for organizations of all sizes. This evolution is not just about staying relevant; it's about evolving protection mechanisms against a growing rate of cyberattacks.

While advanced technology such as modern firewalls and endpoint detection plays a vital role in protecting systems, a truly secure environment requires a multi-layered approach that also includes regular employee training and well-defined internal policies to establish clear expectations for data handling and access. By combining these elements, you can combat the wide range of cyberattacks.

This article explores one transformation you can make to your clients' Microsoft 365 environment by implementing CIS benchmarks to assist with hardening one common platform organizations use globally.

What are CIS Benchmarks for Microsoft 365?

The Center for Internet Security (CIS) Benchmarks for Microsoft 365 provide prescriptive guidance for establishing a secure baseline configuration for Microsoft 365 environments.

Key points about the CIS Microsoft 365 Benchmarks:

Purpose

These benchmarks act as a guide for organizations to establish essential security measures when adopting Microsoft 365. They provide a baseline configuration, ensuring a minimum level of protection is in place right from the start.

Collaborative Creation by Experts

The development process benefits from the combined knowledge of a diverse group of global professionals. This collaborative approach ensures the benchmarks are practical, effective, and up-to-date.

Comprehensive Coverage

The Microsoft 365 Foundations Benchmark goes beyond basic security settings. It digs into critical areas like:

  • Account and Authentication: This covers measures to strengthen login credentials, such as enforcing multi-factor authentication (MFA) and managing privileged accounts.
  • Data Management: This ensures proper data classification, encryption, and access controls to safeguard sensitive information.
  • Application Permissions: It addresses how applications within Microsoft 365 interact with user data and system resources, minimizing potential risks.
  • Storage Security: This focuses on securing access to data to prevent unauthorized data breaches.
  • Other Security Policies: The benchmark covers additional areas like threat protection, malware defense, and incident response procedures.

Starting Point, Not a One-Size-Fits-All Solution

While the benchmarks are thorough, they shouldn't be viewed as an exhaustive list. Every organization has unique security needs based on its industry, data sensitivity, and compliance requirements.

The CIS Benchmarks provide a solid foundation, but organizations should customize them to fit their specific situation. As a simple example, a control may state 'Set passwords to never expire', but if your organization is mandated by company policy to expire them after 18- days, you can do so.

Implementation and Assessment Tools

Microsoft offers tools like Purview Compliance Manager that streamline the implementation process. These tools can help organizations assess their current security posture against the CIS Benchmarks and identify areas for improvement. This allows for a targeted approach to security hardening, focusing on the most critical areas first.

Regular Updates

CIS Benchmarks are not static documents. They are updated periodically to reflect changes in Microsoft 365, emerging security threats, and evolving best practices. The frequency of updates depends on the community responsible for maintaining the benchmark and the release cycle of the underlying technology.

Free and Accessible Resources

The CIS Benchmarks are freely available in PDF format. This makes them a cost-effective way for MSPs of all sizes to improve their clients' Microsoft 365 security posture.

How can MSPs leverage the CIS Benchmarks?

MSPs can leverage the CIS benchmark for Microsoft 365 to elevate themselves as trusted providers in several ways. Over and above the security hygiene benefits for their clients, here are some key ways MSPs could utilize these benchmarks and talk to their clients about them.

Criteria Details
🔒 Compliance adherence

Many industries require compliance with specific security regulations. MSPs can use CIS controls to ensure their clients' systems comply with relevant regulations, helping them meet industry standards.

🏆 Competitive advantage

Implementing CIS controls showcases an MSP's commitment to security and compliance, which can be a significant selling point to potential clients. It differentiates the MSP from competitors who may not follow such standards.

💰 Cost-effective security

By following CIS benchmarks, MSPs can help clients reduce the risk of security breaches, potentially saving money on costly remediation efforts in the long run.

🗂️ Structured approach

The CIS framework provides a clear, structured approach to security that MSPs can follow and communicate to clients. It offers several high-priority best practice categories that help enhance cyber hygiene.

🤖 Automation and efficiency

MSPs can leverage tools that incorporate security automation to implement CIS controls efficiently, handling the security burden without becoming overwhelmed.

🔄 Continuous improvement

By aligning with CIS controls, MSPs can demonstrate a commitment to ongoing security improvements, as these benchmarks are regularly updated.

🎓 Client education

MSPs can use the CIS framework to educate clients about cybersecurity best practices, fostering trust and demonstrating expertise.

🎚️ Tiered implementation

CIS benchmarks include different levels of controls (e.g., Level 1 and Level 2). MSPs can use this to offer tiered security services, starting with essential protections and progressing to more advanced security measures.

Wrapping up

We explored how MSPs can leverage CIS Benchmarks for Microsoft 365 to become trusted advisors for their clients.

CIS Controls for Microsoft 365 provide a comprehensive set of best practices to secure Microsoft 365 environments. These benchmarks cover essential areas like authentication, data management, application permissions, and storage.

Benefits for MSPs:

  • Elevate client security: Implementing CIS controls significantly improves a client's security posture.
  • Compliance: CIS controls can help ensure adherence to industry regulations.
  • Competitive advantage: Commitment to CIS benchmarks showcases an MSP's security expertise.
  • Cost-effective security: Proactive security measures help reduce the risk of costly data breaches.
  • Structured approach: CIS benchmarks provide a clear framework for security improvement.
  • Automation and efficiency: Tools exist to automate CIS control implementation.
  • Client education: CIS benchmarks can be used to educate clients about cybersecurity.
  • Tiered service offerings: CIS controls allow for tiered security service packages.

By leveraging CIS benchmarks, MSPs can demonstrate their commitment to client security, compliance, and staying ahead of cyber threats. This positions them as trusted advisors, a valuable role in today's growing threat landscape.

Are you an MSP looking for a better way to protect your clients' Microsoft 365 data? Contact us for more information or get started by registering on our partner portal and taking advantage of our 14-day free trial.

Ben Young
Author
Technology Evangelist

Ben Young is a Technology Evangelist at Alcion with over ten years of experience in the Managed Service Provider (MSP) and Cloud Service Provider (CSP) markets. He's an expert in using APIs to automate complex tasks and integrate different technologies. His skills are recognized internationally, and he shares his knowledge through writing and speaking engagements. His passion is showcasing the art of the possible and being a product champion.