How MSPs in New Zealand can help their clients navigate Microsoft 365 security compliance


Microsoft 365 has become an essential service for organisations across New Zealand, as it has for more than two million companies all over the world. But while it offers many great features, Microsoft 365 needs some help from third parties to meet most organisations’ security needs. In fact, running Microsoft 365 without third-party data protection can cause compliance problems for businesses in regulated industries.

Fortunately for MSPs, the gaps in Microsoft 365’s data protection create opportunities to provide services to clients. But MSPs need to know how to sell data protection to companies that use Microsoft 365, and they need tools to enable them to keep clients in compliance. In Aotearoa, helping clients maintain country-specific compliance standards can be a challenge.

MSPs in New Zealand need to know what Microsoft 365 offers for data protection and what it’s missing. Then, they need to know how they’re going to fill the gaps in Microsoft 365 security. Solutions designed specifically for MSPs can help.   

Core compliance features in Microsoft 365: What’s built in?

Microsoft 365 does offer some level of data protection depending on subscription cost. It includes several built-in compliance features designed to help organisations manage data and meet regulatory requirements. However, those features are not universally available in Microsoft 365.  

The availability of data-protection features varies across different Microsoft 365 plans, which increase incrementally in cost:

Microsoft 365 Business Standard includes basic compliance features with limited capabilities.

Microsoft 365 Business Premium offers more advanced compliance features, including enhanced eDiscovery capabilities.

Microsoft 365 E3/E5 provides the most comprehensive set of compliance tools available in the suite, including e-discovery features as well as enhanced data loss prevention and information protection.

Built-in Microsoft 365 data-protection features, dependent upon subscription level, include:

E-discovery: This feature enables organisations to search, collect and export data for legal or regulatory purposes. It supports advanced search capabilities and helps manage legal holds and data preservation. E-discovery is available in some form at all three levels for business subscribers.

Audit tools: Audit logs, also available at all business levels, provide a detailed record of user activities and system events, helping organisations track and investigate compliance issues.

Microsoft Purview (formerly Compliance Center): Purview is available only in Microsoft 365 Business Premium plans and above. It is not included at the Business Standard level. This central hub provides tools for data governance, information protection and compliance management. It helps organisations manage data across various Microsoft 365 services.

Data loss prevention (DLP): Also available only in Premium plans and above, DLP policies help prevent sensitive data from being shared or leaked. These policies can be configured to monitor and control data across email, documents and other collaboration tools.

Cost isn’t the only factor that can cause problems for Microsoft 365 customers. Default configurations and licensing gaps can pose challenges for small and medium-sized businesses (SMBs). For instance, default DLP policies may not cover all necessary data types, and some advanced features may require additional licensing.

Key compliance frameworks for organisations in New Zealand

New Zealand has its own set of compliance standards, and organisations there also need to comply with international frameworks. Critical regulatory and compliance standards in Aotearoa include:

Privacy Act 2020: New Zealand’s principal data protection law outlines the principles for handling personal information. Organisations must ensure that data is collected, used and stored in compliance with these principles.

CERT NZ reporting obligations: CERT NZ (Computer Emergency Response Team New Zealand) is an organisation to which businesses and other entities report notifiable cybersecurity incidents. Those include breaches that pose a significant risk to individuals or an organisation.

ISO/IEC 27001: This international standard provides a benchmark for information security management. Many New Zealand businesses, especially those in regulated industries, adopt ISO/IEC 27001 to ensure robust data handling practices.

Aligning Microsoft 365 data management with local privacy and breach notification laws can be challenging. Organisations must ensure that their data governance policies and practices are in line with these frameworks.

What’s more, Microsoft doesn’t claim to provide comprehensive data protection. In fact, the company specifies in its shared responsibility model that it is not responsible for protecting data; that responsibility falls on the businesses using Microsoft 365.

New Zealand MSP clients need help with Microsoft 365 compliance

The known gaps in Microsoft 365’s data protection can make compliance difficult for organisations in New Zealand. Several common pitfalls can undermine compliance and data-protection efforts:

Incomplete DLP configurations: Default DLP policies may not cover all sensitive data types, leading to potential data leaks.

Incorrect retention policies: Misconfigured retention policies can result in premature deletion of data or in retention beyond the time period necessary.

Lack of immutable backup: Microsoft 365 does not provide immutable backup for services like Exchange, OneDrive, SharePoint and Teams, which can create significant risks in case of data loss or ransomware attacks.

Misconfigured access controls: Incorrectly set access controls can lead to unauthorised users, including cyberattackers, gaining access to sensitive data.

Shared mailboxes and external sharing: Mismanagement of shared mailboxes and external sharing settings can also expose data to unauthorised users.

Relying solely on Microsoft: While Microsoft provides compliance tools, organisations should not rely solely on these tools for data security and compliance reporting. They should instead add further measures and adopt third-party solutions that fill the gaps in Microsoft 365 data protection.

How MSPs can help clients close the gaps

Organisations need MSPs to help them close compliance gaps in Microsoft 365. MSPs can provide some key services to help clients maintain compliance:

  • Proactive compliance assessments: Conduct regular assessments of Microsoft 365 environments to identify and address compliance issues.
  • Backup and recovery solutions: Implement backup and recovery solutions beyond Microsoft’s native retention to ensure data is protected and recoverable.
  • Policy configuration: Configure DLP, conditional access, encryption and multifactor authentication (MFA) policies to enhance data security and compliance.
  • Compliance reporting and audit-readiness: Ensure that clients in regulated industries — for example, finance, health care and education — are audit ready by providing comprehensive compliance reporting and documentation.

MSPs need a unified solution to administer services for clients

Lucrative and numerous opportunities exist for MSPs to provide services that enable clients to achieve compliance. But MSPs need the right tools to deliver critical capabilities to the organisations they serve.

Trying to manage multiple, disparate tools to provide different services is complex and prohibitively expensive. Tool sprawl can stop MSPs from offering essential new services to clients before they can even start.

MSPs need a natively integrated solution for Microsoft 365 that combines multiple tools into one solution and delivers them in a single interface. Native integration simplifies management, ensures better performance and reliability, and enhances security. It enables MSPs to expand services without incurring prohibitive new costs or needing to hire experts to manage disparate tools.

Plus, a natively integrated solution enables MSPs to more accurately predict the cost of administering Microsoft 365. They can then develop accurate pricing and revenue models that help them avoid surprises and increase profitability.

Acronis Ultimate 365 delivers natively integrated tools in one solution

Acronis Ultimate 365 brings together everything MSPs need to administer services for clients and help them achieve compliance, delivering seven critical tools in a single package:

  1. Backup and recovery: Ensures all data within Microsoft 365 is protected and can be quickly restored in the event of a disaster.
  2. Email security: Provides comprehensive email security to protect against phishing, malware and spam.
  3. Collaboration app security: Protects sensitive data from cyberthreats with real-time threat detection, data loss prevention and secure file-sharing capabilities.
  4. Email archiving: Ensures that all emails are securely stored and easily accessible, meeting regulatory standards and providing a reliable record of communication.
  5. Security posture management: Provides tools to identify and address security gaps, ensuring that the environment is always up to date and secure.
  6. Security awareness training: Educates employees on security best practices and reduces the risk of human error.
  7. Endpoint security: Protects against a wide range of threats with AI-driven threat detection, real-time monitoring and automated response capabilities.

Microsoft 365 compliance is a shared responsibility

Microsoft 365 provides a robust set of compliance tools, but ensuring compliance is a responsibility organisations share with Microsoft. MSPs need to help their clients tailor and implement these tools correctly so that clients can meet New Zealand’s regulatory requirements.

By offering proactive assessments, comprehensive backup solutions and robust policy configurations, MSPs can become trusted compliance partners. And with Acronis Ultimate 365, they can add critical new services without increasing costs or complexity.

 

About Acronis

A Swiss company founded in Singapore in 2003, Acronis has 15 offices worldwide and employees in 50+ countries. Acronis Cyber Protect Cloud is available in 26 languages in 150 countries and is used by over 21,000 service providers to protect over 750,000 businesses.
