Most firms inherited their Microsoft 365 setup from whoever first stood it up — an outsourced IT contractor, a previous provider, a member of staff. It was configured to get people working quickly. That is not the same as configured to withstand a sector that financially motivated actors target deliberately.
Microsoft's defaults optimise for adoption, not for a regulated firm. Multi-factor authentication left optional. Legacy sign-in methods still open. Administrator rights handed out and never reclaimed. Mailbox rules quietly forwarding mail out of the building.
None of it is visible until someone goes looking. We go looking.
Your Microsoft 365 and Entra configuration, benchmarked against the CIS Benchmarks and the baseline we hold our own managed clients to:
A short written findings report — not a raw export from a scanning tool. Each finding is scored against the CIS Benchmark, ranked by risk, and written in language a compliance officer can hand to a board or an auditor without translation.
Where something needs fixing, we say what, why it matters, and what good looks like. There is no obligation to have us fix it — the review stands on its own.
We believe the safer we are as a wealth-management community, the safer each of us is individually.
An attacker who learns to breach one family office tries the same playbook on the next. So we treat the review as a way to raise the whole sector's floor, not just one firm's — which is why it is complimentary for wealth managers, family offices, trust companies, and law firms.
If that is you, the only cost is an hour of your administrator's time and read-only access to your tenant — no agent to install, nothing to deploy. A stronger baseline across the community is worth more to all of us than the hour it takes.
Most firms come to us introduced by someone we already look after — and a review referred by an existing client is on us, sector or not. Tell us who connected you, or simply reach out directly.
