Rebuilding Success Magazine, Features, Spring/Summer 2026
Beyond the Defaults: A Trustee’s Guide to Hardening Microsoft 365
By Michael Turcsanyi, CEO, TruPoint
Sponsored Content

For many Licensed Insolvency Trustees and restructuring professionals, Microsoft 365 has quietly become the modern “office.” It houses terabytes of the most sensitive information a firm will ever handle—creditor statements, debtor financial records, estate banking details, and privileged communications with lawyers, lenders, and stakeholders. As firms digitize more of their work, the security of this environment becomes directly tied to the security of the practice itself.
Yet a widespread and dangerous misconception persists across the industry: that having Microsoft 365 means you are secure. It does not. The default configuration of a new Microsoft 365 tenant is intentionally open and flexible — designed for ease of use, not for the regulatory responsibilities of insolvency professionals.
If you would never leave your physical office unlocked overnight, you should not run Microsoft 365 with out-of-the-box settings. And yet, many firms unknowingly do just that.
The Shared Responsibility Model: What Microsoft Secures — and What You Must Secure
Microsoft provides a world-class cloud infrastructure, complete with physical security, redundancy, and service uptime guarantees. But the security of your tenant—your identities, devices, access rules, and data governance—is explicitly your responsibility.
This is the foundation of the Shared Responsibility Model, a principle often misunderstood in professional services. Microsoft ensures the cloud is secure. You must ensure you are using it securely.
This includes:
- Who can log in
- From where
- On what device
- With what authentication
- And with what level of access to your data
In practice, this means a surprising truth: a poorly configured tenant is just as vulnerable in the cloud as a poorly secured server sitting in a boardroom closet.
Identity Attacks Are Today’s Battleground
According to Microsoft’s 2024 Digital Defense Report, over 97% of all cyberattacks now target identities, not firewalls. Attackers no longer “hack in” — they simply log in using compromised passwords, phishing scams, or legacy email apps that bypass MFA.
For insolvency firms, the threat is amplified. Estate information is extremely valuable on the black market, and professional service firms are high‑value targets for:
- Business Email Compromise (BEC)
- Ransomware
- Wire fraud attempts
- Credential harvesting
- Data extortion
If your firm is relying on passwords alone, or if older protocols are still enabled, an attacker can often enter your tenant with no alerts at all.
Why Microsoft Secure Score Is Now a Business Metric — Not an IT Metric
Microsoft Secure Score is a built-in measurement of how well your tenant is configured compared to Microsoft’s recommended baseline. Think of it as a credit score for cybersecurity hygiene.
- Low scores (<30%) typically signal default or near-default environments with optional MFA, excessive admin rights, and minimal logging.
- Strong scores (>65%) indicate hardened tenants with proactive controls that block automated attacks before they begin.
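One way to pull the score described above and rank the controls with the most unearned points, as an added example that is not TruPoint's or the magazine's code. It assumes the Microsoft Graph PowerShell SDK is installed, that the caller holds the SecurityEvents.Read.All permission, and that the Secure Score list is returned newest first.

```powershell
# Added example: read the tenant's latest Secure Score and list the biggest gaps.
# Assumes the Microsoft.Graph module and SecurityEvents.Read.All consent.
Connect-MgGraph -Scopes "SecurityEvents.Read.All"

# Snapshots are assumed to come back newest first; keep the latest one.
$latest = Get-MgSecuritySecureScore -Top 1
$pct = [math]::Round(100 * $latest.CurrentScore / $latest.MaxScore, 1)
"Secure Score: $($latest.CurrentScore) / $($latest.MaxScore) ($pct%) as of $($latest.CreatedDateTime)"

# The article's bands: below 30% looks like a default tenant, above 65% like a hardened one.
if ($pct -lt 30)     { "Band: default or near-default configuration" }
elseif ($pct -gt 65) { "Band: hardened tenant" }
else                 { "Band: partially hardened" }

# Control profiles carry the maximum points per control; the snapshot carries
# what is currently earned per control. Join the two on the control name.
$profiles = @{}
Get-MgSecuritySecureScoreControlProfile -All | ForEach-Object { $profiles[$_.Id] = $_ }

$gaps = foreach ($c in $latest.ControlScores) {
    $p = $profiles[$c.ControlName]
    if ($null -eq $p) { continue }   # control retired or not licensed in this tenant
    [pscustomobject]@{
        Control   = $p.Title
        Category  = $c.ControlCategory
        Earned    = $c.Score
        Available = $p.MaxScore
        Gap       = $p.MaxScore - $c.Score
    }
}

# Largest gaps first: the quickest way to raise the score an insurer will ask for.
$gaps | Sort-Object Gap -Descending | Select-Object -First 10 | Format-Table -AutoSize
```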
Why Trustees Should Care: Cyber Insurance Now Does
The cyber insurance market has transformed dramatically. Insurers are paying record claims for ransomware and email compromise, and they have responded by tightening their underwriting standards.
Today, many carriers:
- Request evidence of Microsoft 365 controls
- Ask for your Secure Score
- Require MFA and Conditional Access for eligibility
- Reduce coverage or deny applicants with weak security
A low Secure Score doesn’t just increase risk — it can increase premiums, reduce coverage, or stop renewals outright. Improving your score is no longer optional. It is a direct business requirement.
Three High‑Impact Steps Trustees Can Take to Harden Their Tenant
You don’t need to be a cybersecurity specialist to make meaningful improvements. The following three steps immediately increase your Secure Score and drastically reduce the attack surface of your firm.
1. Enforce Phishing‑Resistant Multi‑Factor Authentication (MFA)
Most firms have some form of MFA turned on, but few have it properly enforced. There are two common pitfalls:
a) Legacy Authentication Still Enabled
Older email protocols such as IMAP, POP3, and SMTP, when used with legacy (basic) authentication, cannot prompt for MFA. Attackers aggressively target these specifically because they allow password‑only logins. If legacy authentication is enabled, your environment is not secure, regardless of your MFA policy.
b) Weak MFA Methods in Use
SMS codes can be intercepted through SIM swapping or social engineering. Modern, phishing-resistant MFA includes:
- Microsoft Authenticator app
- Number matching
- FIDO2 hardware security keys
- Windows Hello for Business
Microsoft data shows that strong MFA blocks over 99% of account takeover attempts.
2. Conditional Access: Your Firm’s Digital Bouncer
Conditional Access (CA) is arguably the most important security feature in Microsoft 365. It evaluates the risk of every sign-in and automatically enforces rules based on your policies.
Examples:
- Only allow logins from Canada
- Block access from unknown or high-risk countries
- Require MFA if the login risk is high
- Restrict access to approved devices only
If a login attempt comes from a suspicious location or an unmanaged device, CA stops it before the attacker even sees a mailbox or SharePoint site. For Trustees handling sensitive debtor and creditor data, Conditional Access is not optional — it is essential.
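The controls from steps 1 and 2 (blocking legacy authentication, requiring MFA, and allowing sign-ins only from Canada) expressed as Conditional Access policies, as an added example that is not TruPoint's or the magazine's code. It assumes the Microsoft Graph PowerShell SDK, a Conditional Access administrator, and an emergency-access (break-glass) account whose object ID is a placeholder here. Every policy is created in report-only mode so its effect can be reviewed in the sign-in logs before it blocks anyone.

```powershell
# Added example: three Conditional Access policies via Microsoft Graph PowerShell.
# Assumes the Microsoft.Graph module; the break-glass account ID is a placeholder.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess"

$breakGlass = "00000000-0000-0000-0000-000000000000"  # placeholder: emergency-access account object ID

# Helper (hypothetical): every policy targets all users except break-glass and all apps,
# and starts in report-only mode so nothing is enforced until the results are reviewed.
function New-ReportOnlyCaPolicy {
    param([string]$Name, [hashtable]$ExtraConditions, [string]$Control)
    $conditions = @{
        clientAppTypes = @("all")
        applications   = @{ includeApplications = @("All") }
        users          = @{ includeUsers = @("All"); excludeUsers = @($breakGlass) }
    }
    foreach ($k in $ExtraConditions.Keys) { $conditions[$k] = $ExtraConditions[$k] }
    New-MgIdentityConditionalAccessPolicy -BodyParameter @{
        displayName   = $Name
        state         = "enabledForReportingButNotEnforced"
        conditions    = $conditions
        grantControls = @{ operator = "OR"; builtInControls = @($Control) }
    }
}

# 1. Block legacy authentication: basic-auth IMAP/POP3/SMTP ("other") and Exchange ActiveSync.
New-ReportOnlyCaPolicy -Name "CA01 - Block legacy authentication" -Control "block" `
    -ExtraConditions @{ clientAppTypes = @("exchangeActiveSync", "other") }

# 2. Require MFA on every sign-in. A built-in authentication strength can replace the
#    "mfa" control to insist on phishing-resistant methods such as FIDO2 keys.
New-ReportOnlyCaPolicy -Name "CA02 - Require MFA for all users" -Control "mfa" -ExtraConditions @{}

# 3. Define Canada as a named location, then block every sign-in from anywhere else.
$canada = New-MgIdentityConditionalAccessNamedLocation -BodyParameter @{
    "@odata.type"                     = "#microsoft.graph.countryNamedLocation"
    displayName                       = "Canada"
    countriesAndRegions               = @("CA")
    includeUnknownCountriesAndRegions = $false
}
New-ReportOnlyCaPolicy -Name "CA03 - Block sign-ins outside Canada" -Control "block" `
    -ExtraConditions @{ locations = @{ includeLocations = @("All"); excludeLocations = @($canada.Id) } }

# Review the report-only results in the Entra sign-in logs (for example, the estate
# banking platform or mobile mail clients) before changing state to "enabled".
```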
3. Audit Logging and Proper Retention Policies
In the aftermath of a suspected breach, the first question is always the same: “What did they access?” Without proper logging and retention, you may never know. Many firms mistakenly rely on Microsoft’s default retention settings, which may not meet OSB, insurer, or internal compliance requirements.
Every insolvency firm should ensure:
- Unified Audit Logging is fully enabled
- Logs are retained for an appropriate regulatory period
- SharePoint, OneDrive, Teams, and Exchange are governed by retention policies
- Deleted items cannot be silently purged by attackers
Audit logs are your evidence trail — crucial for investigations, regulatory review, and client transparency.
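The checks from step 3 (is unified audit logging on, what did a given account touch, and a retention policy that stops silent purging) as an added example that is not TruPoint's or the magazine's code. It assumes the ExchangeOnlineManagement module, an account holding the audit and compliance administrator roles, a constructed user address, and a seven-year retention period; some operations (MailItemsAccessed) and audit retention beyond the default period depend on licensing.

```powershell
# Added example: audit-log and retention checks with Exchange Online and
# Security & Compliance PowerShell. User address and 7-year period are assumptions.
Connect-ExchangeOnline
Connect-IPPSSession   # Security & Compliance PowerShell, used by the retention cmdlets

# 1. Confirm the unified audit log is ingesting events; switch it on if it is not.
$cfg = Get-AdminAuditLogConfig
if (-not $cfg.UnifiedAuditLogIngestionEnabled) {
    Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $true
}

# 2. Answer "what did they access?" for one account over the last 7 days.
$user = "trustee@example.com"   # constructed: the account under investigation
$events = Search-UnifiedAuditLog -StartDate (Get-Date).AddDays(-7) -EndDate (Get-Date) `
    -UserIds $user -ResultSize 5000 `
    -Operations "UserLoggedIn", "MailItemsAccessed", "FileAccessed", "FileDownloaded"
# AuditData is a JSON string; expand it into a timeline of operation, source IP and object.
$events | ForEach-Object { $_.AuditData | ConvertFrom-Json } |
    Select-Object CreationTime, Operation, ClientIP, ObjectId |
    Sort-Object CreationTime | Format-Table -AutoSize

# 3. Keep audit records for the regulatory period (licensing permitting) rather than the default.
New-UnifiedAuditLogRetentionPolicy -Name "Estate audit records - 12 months" -Priority 100 `
    -RecordTypes ExchangeItem, SharePointFileOperation, AzureActiveDirectoryStsLogon `
    -RetentionDuration TwelveMonths

# 4. Retain estate content for 7 years across Exchange, SharePoint, OneDrive and Teams.
#    'Keep' preserves items even if a user, or an attacker in their session, deletes them.
New-RetentionCompliancePolicy -Name "Estate records - 7 year hold" `
    -ExchangeLocation All -SharePointLocation All -OneDriveLocation All -ModernGroupLocation All
New-RetentionComplianceRule -Name "Keep 7 years" -Policy "Estate records - 7 year hold" `
    -RetentionDuration 2555 -RetentionComplianceAction Keep -ExpirationDateOption ModificationAgeInDays
```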
Where Firms Struggle: Configuration Risk
Configuring Microsoft 365 securely is not straightforward. Misconfigured policies can:
- Lock users out
- Break integrations with insolvency software
- Block mobile email
- Disrupt Teams or OneDrive sync
- Disable access for estate banking platforms
This is often why firms avoid making changes despite knowing the risks.
The TruPoint Advantage: Hardening by Default
TruPoint specializes in the regulatory and operational realities of insolvency practices. We don’t simply provide Microsoft licensing — we engineer secure, compliant, high‑performance environments designed for Trustees.
Our Approach Includes:
✓ Hardened Deployments: Our TruOffice™ and TruWorkspace™ environments start with best-practice security configurations baked in from day one.
✓ Active Secure Score Monitoring: We treat your Secure Score like a financial KPI. Our team continuously monitors it and adjusts policies as threats evolve.
✓ Insurance-Aligned Controls: Because we work closely with insurers, we understand exactly what underwriters expect. We help clients generate the reports and evidence required for smooth renewals.
✓ Operational Sensitivity: We ensure security changes never disrupt estate workflows, system integrations, or day-to-day operations. Your team focuses on administering estates. We focus on keeping your digital doors locked.
Are You Secure — or Just “Default”?
Most firms don’t discover a problem until:
- A renewal questionnaire arrives
- An insurer requests evidence
- An employee account is compromised
- Or a suspicious login appears in the audit log
By then, it is either stressful — or costly.
Book a Free Microsoft 365 Security Assessment
TruPoint offers a complimentary assessment tailored for Insolvency firms. You will receive:
- Your current Secure Score
- A clear explanation of the risks
- A prioritized roadmap to remediation
- A plain-language briefing suitable for partners or insurers
- Visit www.trupoint.com/M365
Don’t wait for a breach — or a denied insurance renewal — to find out your exposure.

