Imagine you leave the house for a long vacation. Are the locks really locked?
You live in a shady neighbourhood. You feel confident your locks are secure, but you don’t check them daily. A small crack or hidden weakness could have appeared. You leave for a long vacation. You feel reasonably confident. But you are not certain.
Cybersecurity, properly run, is the daily check. Not the assumption.
The assumption problem
Most small firms in wealth management, trust, and family office work have made an assumption at some point. Usually it is one of the following:
We use Microsoft 365, so we are covered. Microsoft 365 is a platform. Out of the box, it is configured for convenience, not security. The secure configurations — Conditional Access policies, device compliance requirements, phishing-resistant MFA, privileged identity management — are available but not enabled by default. They require deliberate configuration and ongoing governance.
We have never had a problem. This is the most dangerous assumption. Attackers operating against financial services targets are patient. Dwell times — the period between initial access and detection — average 204 days across industries. A problem may exist long before it becomes visible.
We are too small to be a target. The inverse is often true. Small firms with high-value clients and informal internal controls are attractive precisely because the defences are proportionately weaker. Business email compromise (BEC) attacks, in particular, scale down extremely well.
What the daily check looks like
A properly governed Microsoft 365 environment generates signals continuously: login events, device compliance status, email threat detections, and file access anomalies. The question is whether anyone is reading them.
At Astris CSP, continuous monitoring means that the signals are not just generated — they are actioned. A login from an unusual geography triggers an investigation. A device that falls out of compliance is quarantined from corporate resources until it is remediated. A user who clicks a phishing simulation receives immediate training.
None of this is exotic. It is disciplined operational practice applied consistently.
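The two responses described above, investigating a sign-in from an unusual geography and quarantining a device that has fallen out of compliance, come down to a small amount of triage logic applied to every event. The following is an added example and is not Astris CSP's tooling or anything from Microsoft; the event fields are a simplified stand-in for Entra ID sign-in log attributes, and both the historical baseline and the day's events are constructed for illustration.

```python
"""Triage Microsoft 365-style sign-in signals into monitoring actions.

Added example; not code from Astris CSP or Microsoft. The SignIn shape
is a simplified stand-in for Entra ID sign-in log fields, and all events
below are constructed sample data.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class SignIn:
    user: str
    country: str            # geolocation of the source IP (ISO country code)
    device_compliant: bool  # device compliance state at the time of sign-in
    succeeded: bool         # whether authentication completed


# Constructed history: what "normal" looked like for each user last month.
HISTORY = [
    SignIn("alice@example.invalid", "CH", True, True),
    SignIn("alice@example.invalid", "CH", True, True),
    SignIn("alice@example.invalid", "GB", True, True),
    SignIn("bob@example.invalid", "CH", True, True),
    SignIn("bob@example.invalid", "CH", True, True),
]

# Constructed events from "today": the ones the daily check actually reads.
TODAY = [
    SignIn("alice@example.invalid", "CH", True, True),    # routine
    SignIn("alice@example.invalid", "NG", True, True),    # unusual geography
    SignIn("bob@example.invalid", "CH", False, True),     # device out of compliance
    SignIn("bob@example.invalid", "RU", False, False),    # unusual geography, failed
]


def build_baseline(history):
    """Map each user to the set of countries they have successfully signed in from."""
    seen = defaultdict(set)
    for ev in history:
        if ev.succeeded:
            seen[ev.user].add(ev.country)
    return dict(seen)


def triage(events, baseline):
    """Turn raw sign-in events into the actions a monitoring team would take.

    Returns a list of (user, action, reason) tuples. Actions raised:
      investigate - successful sign-in from a country not in the user's baseline
      quarantine  - successful sign-in from a non-compliant device
      note        - failed sign-in from an unusual country (lower urgency)
    A single event can raise more than one action.
    """
    findings = []
    for ev in events:
        known = baseline.get(ev.user, set())
        unusual_geo = ev.country not in known
        if ev.succeeded and unusual_geo:
            findings.append((ev.user, "investigate",
                             f"successful sign-in from unusual country {ev.country}"))
        if ev.succeeded and not ev.device_compliant:
            findings.append((ev.user, "quarantine",
                             "non-compliant device reached corporate resources"))
        if not ev.succeeded and unusual_geo:
            findings.append((ev.user, "note",
                             f"failed sign-in from unusual country {ev.country}"))
    return findings


def actions_for(user, findings):
    """Actions raised for one user, in the order they were raised."""
    return [action for u, action, _ in findings if u == user]


if __name__ == "__main__":
    for user, action, reason in triage(TODAY, build_baseline(HISTORY)):
        print(f"{action:12} {user:24} {reason}")
```

The baseline is deliberately per user rather than per tenant: a country that is routine for one partner who travels is still unusual for a back-office user who never does, which is the distinction that makes the "unusual geography" signal worth investigating instead of noise.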
The vacation analogy holds
When you leave for a long time, you do not rely on your memory of the last time you checked the locks. You check them again. You may ask a neighbour to check them while you are away. You do not simply assume.
The firms we work with operate in a sector where a single successful attack can result in client data exposure, regulatory action, and reputational damage that takes years to recover from. The cost of not checking is asymmetric with the cost of checking.
The daily check is not optional. It is the work.