NeoDefender
Compliance & Risk

How a 180-user accounting firm closed its biggest Microsoft 365 compliance gaps without buying E5

A composite case study of the financial services and accounting SMBs we work with. The compliance gaps we find most often (GLBA, FFIEC, SEC, PCI-DSS) and the Microsoft 365 controls that close them without an E5 upgrade.

April 23, 2026 · 9 min read

The conversation usually starts the same way. A managing partner at an accounting firm, a CPA practice, a small RIA, or a regional financial services SMB sends a message that goes something like: "Our cyber insurance renewal came back with new requirements. Our biggest client just sent us a vendor security questionnaire we cannot answer. We are not sure where our Microsoft 365 tenant actually stands. Can you take a look?"

This post is a composite of those engagements. The numbers and details below describe a pattern we see consistently across financial services and accounting SMBs in the 50-300 user range, not a single specific client. Everything described here reflects work we have done multiple times, across multiple firms, with consistent outcomes. We have deliberately removed anything that would identify a real organization.

The starting point

The firm we will call "the practice" had 180 employees across three offices, a managing partner who treated technology as a necessary expense rather than a strategic asset, an outsourced IT vendor handling endpoints and helpdesk, and a Microsoft 365 Business Premium tenant that had grown organically over five years.

When we ran a tenant audit, the patterns matched what we covered in our post on what we found auditing Microsoft 365 tenants. Specifically:

  • MFA was enabled for most users but Conditional Access beyond Security Defaults was absent.
  • Twelve guest accounts dated from engagements that had ended over a year ago.
  • SharePoint default sharing was set to "Anyone with the link."
  • DLP policies existed in test mode covering credit card numbers, but the policies were not enforced and nobody had reviewed the test reports in six months.
  • Audit Standard was enabled at 90 days retention; the firm needed at least 365 days to satisfy its own compliance posture, never mind regulatory inquiry.
  • The Defender for Office 365 Plan 1 included in Business Premium was deployed but its advanced features (Safe Attachments, Safe Links) had been left at default policies that did not match the firm's risk profile.
  • Three service accounts had Global Administrator rights, no MFA, and passwords that had not rotated since 2022.
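The findings above are the kind an auditor can confirm with read-only queries rather than by clicking through the admin portals. The script below is an added example, not NeoDefender's tooling, and checks four of them: whether Conditional Access is enforced beyond Security Defaults, which guests have not signed in for a year, which Global Administrators have no authentication method registered other than a password, and whether the SharePoint default sharing link is still "Anyone". The tenant short name `contoso`, the 365-day staleness threshold and the scopes requested are assumptions; the Microsoft Graph PowerShell SDK and the SharePoint Online module are required.

```powershell
# Added example (not NeoDefender's tooling): read-only checks for the audit findings.
# Assumptions: tenant short name "contoso", 365-day staleness threshold.
# Requires modules: Microsoft.Graph.Users, Microsoft.Graph.Identity.DirectoryManagement,
#                   Microsoft.Graph.Identity.SignIns, Microsoft.Online.SharePoint.PowerShell
$TenantName = "contoso"   # placeholder; replace with the tenant's short name
$StaleDays  = 365         # guests with no sign-in for this long are flagged

Connect-MgGraph -Scopes "User.Read.All","AuditLog.Read.All","Directory.Read.All",
                        "Policy.Read.All","UserAuthenticationMethod.Read.All" -NoWelcome

# 1. Conditional Access: is anything beyond Security Defaults actually enforced?
$secDefaults = Get-MgPolicyIdentitySecurityDefaultEnforcementPolicy
$caPolicies  = Get-MgIdentityConditionalAccessPolicy -All
$enforced    = @($caPolicies | Where-Object State -eq 'enabled')
$reportOnly  = @($caPolicies | Where-Object State -eq 'enabledForReportingButNotEnforced')
"Security Defaults enabled : $($secDefaults.IsEnabled)"
"CA policies enforced      : $($enforced.Count)  (report-only: $($reportOnly.Count))"

# 2. Stale guests: no sign-in within $StaleDays, or never signed in and created before the cutoff.
#    signInActivity needs AuditLog.Read.All and Entra ID P1 (included in Business Premium).
$cutoff = (Get-Date).AddDays(-$StaleDays)
$guests = Get-MgUser -All -Property "id,displayName,userPrincipalName,userType,createdDateTime,signInActivity" |
          Where-Object UserType -eq 'Guest'
$staleGuests = @($guests | Where-Object {
    $last = $_.SignInActivity.LastSignInDateTime
    (-not $last -and $_.CreatedDateTime -lt $cutoff) -or ($last -and $last -lt $cutoff)
})
"Stale guests ($StaleDays+ days): $($staleGuests.Count) of $(@($guests).Count)"
$staleGuests | Select-Object UserPrincipalName, CreatedDateTime,
    @{ n = 'LastSignIn'; e = { $_.SignInActivity.LastSignInDateTime } } | Format-Table -AutoSize

# 3. Global Administrators with nothing registered except a password.
$gaRole = Get-MgDirectoryRole -Filter "displayName eq 'Global Administrator'"
if (-not $gaRole) { "Global Administrator role not activated in this tenant." }
else {
    $gaMembers = Get-MgDirectoryRoleMember -DirectoryRoleId $gaRole.Id -All |
                 Where-Object { $_.AdditionalProperties['@odata.type'] -eq '#microsoft.graph.user' }
    foreach ($m in $gaMembers) {
        $methods = Get-MgUserAuthenticationMethod -UserId $m.Id
        $strong  = @($methods | Where-Object {
            $_.AdditionalProperties['@odata.type'] -ne '#microsoft.graph.passwordAuthenticationMethod'
        })
        $upn  = $m.AdditionalProperties['userPrincipalName']
        $flag = if ($strong.Count -eq 0) { 'NO MFA METHOD REGISTERED' } else { "$($strong.Count) strong method(s)" }
        "Global Admin $upn : $flag"
    }
}

# 4. SharePoint default sharing. "Anyone with the link" appears as
#    DefaultSharingLinkType = AnonymousAccess (with SharingCapability = ExternalUserAndGuestSharing).
Connect-SPOService -Url "https://$TenantName-admin.sharepoint.com"
$spo = Get-SPOTenant
"SharePoint SharingCapability     : $($spo.SharingCapability)"
"SharePoint DefaultSharingLinkType: $($spo.DefaultSharingLinkType)"
if ($spo.DefaultSharingLinkType -eq 'AnonymousAccess') {
    "  FINDING: default links are 'Anyone' links; recipients are not authenticated or attributable in audit logs."
}
```

The script only reads; nothing it prints is a verdict on its own. A Global Administrator with a single registered method may still be a service account that never interactively signs in, and a guest with no sign-in activity may hold a standing SharePoint link, which is why the findings list pairs each query with a review of what the account is actually used for.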

A Secure Score reading of 58% reflected this picture, but as we noted in our post on what Secure Score does not tell you, the number was the start of the conversation, not the conclusion.

The compliance frame

For financial services and accounting SMBs, the relevant regulatory and contractual frameworks usually include some combination of:

  • GLBA Safeguards Rule (Federal Trade Commission; applies to non-bank financial institutions, including accounting firms that prepare returns for individuals). Requires a written information security program, access controls, encryption of customer information at rest and in transit, multi-factor authentication, monitoring and logging, and incident response procedures.
  • FTC Safeguards Rule (revised 2022, full enforcement 2023), which added specific technical controls: MFA on all customer information systems, encryption, periodic penetration testing or continuous monitoring, vulnerability assessments, and a qualified individual responsible for the program.
  • SEC and FINRA rules for any client-facing investment advice (Regulation S-P, the new Cybersecurity Risk Management rules).
  • PCI-DSS if any payment card data flows through the environment, even tangentially.
  • State-level requirements including New York DFS Part 500, Massachusetts 201 CMR 17, California CCPA/CPRA, and increasingly stricter regimes in Illinois, Connecticut, and others.

The practice's largest enterprise client had also sent a vendor security questionnaire with 90 questions, of which the practice could answer about 40 truthfully and another 20 by interpreting questions favorably. Thirty answers were either "in progress" or could not be honestly checked off.

The leadership question was not "how do we improve Secure Score." It was "how do we honestly answer this questionnaire by the end of the quarter."

Why E5 was not the answer

The first reflex from many MSPs would be to recommend a Business Premium to E5 upgrade. For 180 users, that is a difference of roughly $32 per user per month, or $69,000 per year recurring. The E5 license would include Defender for Cloud Apps, Defender for Identity, Defender for Endpoint Plan 2, Microsoft Purview Information Protection, and Audit Premium with one year of retention by default.

We did not recommend the upgrade. The reasons:

Business Premium already includes what is needed to close most of the gaps. Conditional Access via Entra ID P1, Intune device management, Defender for Office 365 Plan 1, Defender for Business (the SMB-focused EDR), Microsoft Purview DLP for Exchange and SharePoint, and Audit Standard up to 180 days. The features the practice was failing on were almost entirely in licenses already paid for.

The E5 features that the practice did need (longer audit retention, Defender for Cloud Apps for shadow IT) were available as add-on SKUs. Specifically, longer audit retention through the Purview Audit (Premium) add-on (or by forwarding Entra ID audit logs to Microsoft Sentinel), and Microsoft Defender for Cloud Apps as a standalone SKU, at a fraction of the cost of a full E5 jump.

An E5 upgrade without first activating what Business Premium already includes creates a different problem. It moves the firm into a tier where the gap between licensed and configured features gets larger, not smaller. We have audited too many tenants that upgraded to E5 because someone said it was "more secure" and then never configured the features that justified the upgrade. We wrote about this exact dynamic in the E5 all-in-one security trap.

The pitch to leadership was: activate what you have first. Add specific add-ons only where Business Premium genuinely cannot cover the requirement. Revisit E5 in 12-18 months if the firm's data sensitivity or scale changes.

The work, in sequence

The remediation took roughly 10 weeks of MSP-side work, sequenced so that no single change risked breaking production:

Weeks 1-2: Identity foundation. Break-glass accounts created and tested. Conditional Access baseline deployed: universal MFA, legacy auth blocked, admin role hardening, risk-based policies for users flagged by Identity Protection. Service accounts migrated off Global Administrator to least-privilege custom roles where they could not be moved to managed identities. Many of the patterns we discussed in Conditional Access mistakes that leave your tenant exposed were corrected at this stage.

Weeks 3-4: Device posture. Intune compliance policies authored for Windows and macOS, baseline configurations enforced, BYOD restricted via MAM for unmanaged devices accessing email. Defender for Business deployed across the endpoint fleet, including Attack Surface Reduction rules and Tamper Protection. We covered the broader rationale in our post on from patching to risk management.

Weeks 5-6: Data protection. SharePoint and OneDrive default sharing reset to "specific people" with link expiration. Sensitivity labels designed around the firm's actual data classes (client tax returns, audit working papers, internal HR, public marketing) with auto-labeling for known patterns including SSN, ITIN, EIN, and bank routing numbers. Purview DLP policies promoted out of test mode for the highest-sensitivity categories first, with a four-week calibration window before broader enforcement.

Weeks 7-8: Email defense. Defender for Office 365 Plan 1 policies tuned for the firm's actual threat landscape: Safe Attachments dynamic delivery, Safe Links rewriting for all internal and external mail, anti-phishing policies with impersonation protection for partners and tax authorities, anti-spoofing hardened, attachment scanning for nested archives. The default Microsoft policies catch the broad case; the firm's specific phishing exposure required tuning.

Weeks 9-10: Visibility and operations. Audit log retention extended via Microsoft Purview Audit Premium add-on (not full E5). Microsoft Defender for Cloud Apps standalone deployed for shadow IT discovery and the AI security dashboard, which surfaced three unauthorized GenAI tools being used regularly by staff. Sign-in Logs, Conditional Access reports, and Defender alerts wired into a weekly review process with the firm's qualified individual (designated under the FTC Safeguards Rule).
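The identity and data-protection steps above translate into a small number of tenant settings, and the order matters: break-glass accounts exist before any Conditional Access policy is created, policies start in report-only mode, and DLP is enforced for the highest-sensitivity categories before the rest. The script below is an added example, not NeoDefender's tooling, covering the week 1-2 Conditional Access baseline and the week 5-6 sharing and DLP changes. It assumes a break-glass group named `SEC-BreakGlass` has already been created and tested, a tenant short name of `contoso`, and that the two high-sensitivity DLP policies carry the placeholder names in `$promoteFirst`.

```powershell
# Added example (not NeoDefender's tooling): identity baseline and data-protection changes.
# Assumptions: break-glass group "SEC-BreakGlass" exists, tenant short name "contoso",
# and the DLP policies to enforce first are named as in $promoteFirst.
# Requires modules: Microsoft.Graph.Groups, Microsoft.Graph.Identity.SignIns,
#                   Microsoft.Online.SharePoint.PowerShell, ExchangeOnlineManagement
$TenantName   = "contoso"                                     # placeholder
$BreakGlass   = "SEC-BreakGlass"                              # placeholder group name
$promoteFirst = @("DLP-ClientTaxReturns", "DLP-BankRouting")  # placeholder policy names

Connect-MgGraph -Scopes "Group.Read.All","Policy.Read.All",
                        "Policy.ReadWrite.ConditionalAccess","Application.Read.All" -NoWelcome

# Every policy excludes the break-glass group so a mis-scoped rule cannot lock out all admins.
$bg = Get-MgGroup -Filter "displayName eq '$BreakGlass'"
if (-not $bg) { throw "Create and test the break-glass group before deploying Conditional Access." }

# Policies are created in report-only mode. Flip state to 'enabled' only after the
# sign-in log shows the expected impact and no unexpected blocks.
$policies = @(
    @{
        displayName   = "CA-001 Block legacy authentication"
        state         = "enabledForReportingButNotEnforced"
        conditions    = @{
            users          = @{ includeUsers = @("All"); excludeGroups = @($bg.Id) }
            applications   = @{ includeApplications = @("All") }
            clientAppTypes = @("exchangeActiveSync", "other")   # the legacy protocols
        }
        grantControls = @{ operator = "OR"; builtInControls = @("block") }
    },
    @{
        displayName   = "CA-002 Require MFA for all users"
        state         = "enabledForReportingButNotEnforced"
        conditions    = @{
            users          = @{ includeUsers = @("All"); excludeGroups = @($bg.Id) }
            applications   = @{ includeApplications = @("All") }
            clientAppTypes = @("all")
        }
        grantControls = @{ operator = "OR"; builtInControls = @("mfa") }
    }
)
$existing = (Get-MgIdentityConditionalAccessPolicy -All).DisplayName
foreach ($p in $policies) {
    if ($existing -contains $p.displayName) { "Skipping existing policy $($p.displayName)"; continue }
    $new = New-MgIdentityConditionalAccessPolicy -BodyParameter $p
    "Created $($new.DisplayName) in state $($new.State)"
}

# SharePoint/OneDrive: default link becomes 'specific people' (Direct), 'Anyone' links
# are turned off tenant-wide, and external guest access expires after 60 days.
Connect-SPOService -Url "https://$TenantName-admin.sharepoint.com"
Set-SPOTenant -SharingCapability ExternalUserSharingOnly `
              -DefaultSharingLinkType Direct `
              -DefaultLinkPermission View `
              -ExternalUserExpirationRequired $true `
              -ExternalUserExpireInDays 60

# Purview DLP: enforce only the named high-sensitivity policies; everything else stays
# in test mode until the calibration window's reports have been reviewed.
Connect-IPPSSession
foreach ($pol in Get-DlpCompliancePolicy) {
    if ($pol.Mode -notlike 'Test*') { continue }
    if ($promoteFirst -contains $pol.Name) {
        Set-DlpCompliancePolicy -Identity $pol.Name -Mode Enable
        "Enforced DLP policy: $($pol.Name)"
    } else {
        "Still in test mode (review reports before enforcing): $($pol.Name) [$($pol.Mode)]"
    }
}
```

Two design choices carry the risk-management weight here. Creating the Conditional Access policies with `state = enabledForReportingButNotEnforced` means the first week of data comes from the sign-in log rather than from helpdesk tickets, and the `throw` on a missing break-glass group makes the sequencing in weeks 1-2 a precondition of the script rather than a reminder in a runbook.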

The compliance outcome

By the end of week 10, the vendor security questionnaire could be answered honestly across 86 of 90 questions, with the remaining four covered by documented in-progress remediation. The FTC Safeguards Rule technical controls were all materially in place. The cyber insurance underwriter requirements were satisfied without exceptions. Secure Score moved from 58% to 81%, but as we have written before, the number was a side effect rather than the goal.

The total cost was roughly $14,000 in add-on licensing (Purview Audit Premium and Defender for Cloud Apps standalone) plus the engagement fee for the work. The avoided E5 upgrade saved the firm $69,000 per year recurring. Net first-year position: significantly better security posture and significantly lower license cost than the alternative.

What this pattern means for similar firms

If you are running a CPA practice, accounting firm, RIA, or financial services SMB in the 50-300 user range on Microsoft 365 Business Premium, the most expensive mistake we see is upgrading licenses before activating what is already paid for. The second most expensive mistake is treating compliance as a checkbox separate from real security, when in practice the work overlaps significantly.

For accounting firms specifically, the FTC Safeguards Rule has shifted the conversation. "We are a small firm and not a target" is no longer a defensible position, and the new technical controls (MFA, encryption, monitoring, qualified individual, written program) are enforceable. Most of these controls are achievable within Business Premium with focused activation work.

If your firm has a Microsoft 365 tenant and you are not certain whether it is meeting the controls your regulatory environment requires, the NeoDefender Reality Check is essentially a structured version of the work described above. We benchmark your current configuration against the controls your industry requires, identify the highest-leverage gaps, and quantify which features your existing licenses already cover.

If a vendor security questionnaire, insurance renewal, or compliance audit has surfaced gaps you cannot easily answer, schedule a call with the NeoDefender team. The work usually takes less time and costs less than leadership initially expects, especially when the answer does not require new licenses.

Tags: compliance, glba, financial-services, accounting, business-premium
