Organizations tend to think that if they deploy EDR (Endpoint Detection and Response) solutions on their workstations, they are “safe” from malware. While EDR is a powerful tool in detecting and responding to threats, it’s only one piece of a much larger cybersecurity puzzle.
True Cybersecurity isn’t just about technology; it’s about governance, process, and accountability. Compliance frameworks like NIST, HIPAA, PCI and GDPR aren’t just bureaucratic checkboxes; they provide structured approaches to managing risk, protecting data, and ensuring resilience. Even a basic Cyber Insurance policy requires thoughtful responses to its Self-Assessment Application and proof of compliance. Risk management, meanwhile, helps organizations identify vulnerabilities beyond the technical layer, such as third-party risks, insider threats, and operational weaknesses.
Without a strong compliance and risk management foundation, even the best technical defenses can fall short. Cybersecurity must be holistic, integrating people, processes, and technology. Organizations that treat compliance and risk management as core components of their security strategy are better positioned to prevent breaches, respond effectively, and maintain trust.
Why are we so concerned about Cybersecurity?
We all hear the headlines about data breaches and the pain they cause in terms of lost privacy, lost revenue while systems are recovered, and expensive recovery costs. Look at these recent statistics, and just think of the recent major breach in our own backyard with Kettering Health Network:
The reality in today’s environment is that email-based “Business Email Compromise” (BEC), or “Phishing,” now causes 36% of Cybersecurity breaches (Spys). These compromises aim to get a user to divulge the username and password for a critical resource such as their email. In environments that depend on a cloud-based infrastructure like Microsoft 365 (or Google Workspace, among others), gaining access to a user’s email also gives access to whatever OneDrive and SharePoint data that user can reach. Premises-based systems with on-site servers are not immune to compromise either. Attackers target these systems with downloaded documents or programs designed to deceive users into opening or executing them.
Note above that “74% of data breaches involve the human element.” Thus, we need to protect the resources that users have access to and train them how to detect and respond to these compromise attempts.
So what’s the right path?
As an MSP, we recommend a layered approach to security and compliance for overall risk management. Even the way cloud resources such as Microsoft 365 are implemented is important to the overall security of an organization.
Before moving into advanced Compliance and Risk-Management solutions, it’s important to first review the workstation and server basics that serve as the foundation for enhanced security, compliance, and risk management.
Workstation (Endpoint) Basics:
Microsoft 365 Premium or equivalent accounts for advanced security and compliance features such as Microsoft Defender, Purview, Azure Active Directory and Intune.
Patch Management – MSP management adds oversight to the patch process, allowing better control and an additional approval step for those occasional times when Microsoft releases patches with unexpected side effects.
Endpoint Detection and Response (EDR) -- continuously monitors endpoints for evidence of threats and performs automatic actions to help mitigate them. Do note that EDR is only monitoring the endpoints themselves.
Backup for Microsoft 365 Email, OneDrive and SharePoint. By default, Microsoft provides no “backup” of your Microsoft 365 data (email, SharePoint and OneDrive), only a guaranteed level of service. Thus, a separate backup solution is needed to protect your data.
Server Basics
For clients still using servers, those resources need to be protected as well, to at least the same degree as the workstations. Servers need to be deployed with similar Patch Management, EDR and backup solutions. Servers should have complete, immutable and secure backups that enable granular file restores as well as “bare-metal” restores for disaster recovery.
Better Security
Protecting the “network”
Building on the basic protections at the workstation and server level, additional protections need to be deployed to further protect your resources. While EDR-based solutions will detect and respond to the great majority of “downloaded” compromises, EDR won’t detect those cases where an attacker gains access to your cloud-based data or to other important external websites, because EDR only sees the endpoints themselves.
MDR/XDR solutions add to the “endpoint” EDR. MDR is “Managed Detection and Recovery” and adds real-time analysis of cloud-based environments as well as integration with EDR and other devices such as firewalls and other network devices. MDR digests data from all these platforms in real-time, analyzes and provides automated and human response as necessary. Thus, MDR solutions provide a much more proactive, real-time solution for a much broader view of the entire network.
Web Filtering
Web Filtering solutions provide the ability to “categorize” web activities and allow or deny access to categories of websites based on an organization's needs. Most solutions also have the built-in capability to automatically deny access to known “command and control” servers or known infected systems, which are a primary source of actual malware. Web filtering thus provides an additional level of protection: when a user inadvertently follows an email link, or opens a document that references an external site set up to deliver malware, access to that malicious website is blocked before anything is downloaded.
Protecting the Human Resources
Since the Human Element is still a primary weak point in Cybersecurity defense, we suggest training and testing the users, to provide them the knowledge and tools they need to combat breach attempts. Regular Cybersecurity awareness training generally leads to a 70% reduction in security-related risks (Keepnet). A regular regimen of monthly, targeted, short training videos, slide decks or other web-based materials on pertinent topics such as how to spot phishing attempts, social engineering, safe surfing and password management helps keep people more aware and less apt to fall for a phishing or other breach attempt. Furthermore, regular simulated phishing messages, configured to bypass filtering, can test the users to see how they actually perform against phishing attempts.
So where does Compliance and Risk Management come into play?
All the above topics relate primarily to prevention. That is all well and good until the prevention measures fall short. At some point, no matter how many blocks are put in place against malware, something will slip by, and a breach can prove catastrophic to almost any organization.
Cyber Insurance is becoming almost mandatory for any business that wants to protect its assets in the event of a breach. The challenge is that many organizations complete the Cyber Insurance questionnaire by checking boxes, without confirming that proper procedures or evidence are actually in place. For example, a common question is: “Have you implemented strong password policies?” Simply telling employees to use strong passwords isn’t enough to qualify as a valid “yes.”
If a breach occurs, your insurance provider will expect proof that all conditions were met. Without it, your claim will likely be denied.
Recent studies show that more than 40% of Cyber Insurance claims go unpaid, most often because of incomplete, inaccurate, or misleading information provided on the application (Asaff).
The Cyber Insurance questionnaires are treated as factual statements. If discrepancies are discovered during a claim review, they can become grounds for denial of coverage.
Beyond Cyber Insurance, many organizations are subject to federal, state, and industry regulations that impose further compliance requirements. For instance, any organization dealing with medical data is subject to stringent HIPAA regulations. Any financial-related organization is subject to FTC Safeguards regulations. Any organization that handles credit cards is subject to PCI requirements. Many of these regulations carry very stiff penalties for non-compliance, and in the event of a breach the consequences can be disastrous for organizations that have not been diligent in their policies, procedures, controls and evidence.
So how do you ensure compliance?
To fully protect your organization, any Cyber Insurance policy requirements as well as further federal, state and industry regulations must be strictly met. The various protections mentioned earlier for endpoints, servers and network are only a starting point. Compliance is more than just completing a checklist saying you are doing everything needed. Organizations must have clear policies in place, acknowledged by all relevant employees, along with procedures and controls that put those policies into action. Equally important is maintaining ongoing evidence to demonstrate that these measures are effective.
Compliance isn’t a one-time task; it’s an ongoing process that requires continuous testing, monitoring, and review to ensure lasting protection and effectiveness.
Regular network scans (quarterly is best, or at minimum annually) that automatically analyze the environment for Patch Management status, stored personally identifiable information (PII), weak passwords or poor password management, and out-of-date software provide excellent data on a regular basis. Automated analysis of a cloud-based environment likewise provides valuable information for further review or action.
Additionally, maintaining a regular cadence of policy creation, review, and employee acknowledgment ensures that the entire organization has clear documentation and procedures in place. Recommended or required policies may include: