The 90-Day Blind Spot Problem
Quarterly audits made sense when networks were static. You’d count computers, check configurations, and document findings. Things stayed stable until next quarter.
That assumption no longer holds.
Between quarterly audits, employees connect personal tablets. Contractors add temporary laptops for projects. Department heads adopt cloud services without IT approval. Staff leave but their devices remain on the network. Each change creates security exposure. You won’t discover it for 30, 60, or 90 days.
Small municipal IT teams spend 8-20 days annually on quarterly audits. That’s two to four full work weeks. The effort is substantial. The results are outdated by the time you finish.
Threat actors operate on different timelines. Automated scanning tools probe your network in minutes. They find vulnerabilities and test credentials. They establish persistence while your last audit collects dust. By the time your next check rolls around, they’ve been inside for weeks.
FOIPPA creates another timing problem. Imagine a breach occurs on Day 45 between audits. You discover it on Day 92 during your next check. FOIPPA Section 36.3 requires notification “without unreasonable delay.” Can you explain why detection took 47 days? Quarterly intervals create compliance gaps. Continuous monitoring closes them.
Continuous Monitoring - Already in Your License
Most BC municipalities already pay for Microsoft 365 Business Premium. That license includes two tools for continuous device monitoring. Those tools are Microsoft Intune Plan 1 and Microsoft Defender for Business.
Intune (Microsoft’s device management system) provides real-time device inventory. New devices appear on dashboards immediately. No manual scanning required.
Compliance policies (rules that enforce security requirements) work automatically. You define what’s required. Encryption must be enabled. Operating systems must be updated. Firewalls must be active. Intune marks non-compliant devices immediately, not 90 days later.
Inactive device cleanup runs automatically. Devices that haven’t connected in 30 days get flagged. This prevents the forgotten-device problem. Contractor laptops from last year’s project won’t stay on your “managed” list.
Built-in security baselines (pre-configured security settings) reduce complexity. Microsoft provides tested settings for Windows, iOS, and Android. You can deploy these instead of researching individual settings.
The shift toward continuous monitoring reflects industry trends. A 2025 Institute of Internal Auditors survey found important results. 92% of Chief Audit Executives identified data analytics as essential. 74% named continuous monitoring as a critical technology skill. The market for security posture management is growing, from $26.64 billion in 2025 to $53.31 billion by 2030.
Municipal context makes this urgent. According to industry reports, over 70% of local government agencies experienced cyberattacks in 2024. Average recovery costs reached $2.83 million. That’s more than double the $1.21 million reported in 2023. Organizations using continuous monitoring experience 50% faster incident response times.
You’re already paying for these tools. The question isn’t budget. It’s implementation.
The Implementation Reality Check
Here’s what vendors rarely tell you upfront. This is NOT “set and forget.”
Microsoft security experts are clear about this. “Microsoft Defender for Endpoint is not a product you roll out and forget.” Another source puts it bluntly. “To get the most out of Defender you need to maintain it daily.”
Daily monitoring requires at least one dedicated staff member. Someone needs to review compliance dashboards. Check failed policy deployments. Monitor new device enrollments. Validate critical security policies. Respond to alerts.
Initial setup takes 2-4 weeks of tuning (adjusting settings to fit your environment). You’ll configure policies. Test them with pilot groups. Review audit mode results. Create necessary exclusions. Gradually roll out to full deployment. Most configurations have “medium” user impact. Expect some disruption to normal workflows during implementation.
Ongoing management demands continuous attention. Email notifications arrive daily. Alerts require investigation. Industry averages show 30 minutes per false positive. Compliance reports need weekly review. Exception requests need evaluation and documentation.
Hardware requirements create budget implications. Windows 11 requires TPM 2.0 (Trusted Platform Module version 2.0). It also needs UEFI firmware (modern startup system) and Secure Boot (security feature preventing unauthorized software). Devices older than five years likely lack TPM 2.0. They cannot meet compliance policies. Those devices need replacement, not just software updates. Windows 10 ended support on October 14, 2025. Aging hardware no longer receives security patches.
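The three hardware requirements above can be checked on a device before it is enrolled. This is an added example, not code from the original post, and it assumes an elevated PowerShell session on the Windows device being assessed; the function name Test-Win11Readiness is an assumption.

```powershell
# Added example (not from the original post): local readiness check for the three
# Windows 11 hardware requirements named above: TPM 2.0, UEFI firmware and Secure Boot.
# Assumes an elevated PowerShell session on the device being assessed.
function Test-Win11Readiness {
    $result = [ordered]@{
        ComputerName = $env:COMPUTERNAME
        Firmware     = $env:firmware_type     # "UEFI" or "Legacy", set by Windows itself
        TpmPresent   = $false
        TpmSpec      = $null
        Tpm2         = $false
        SecureBoot   = $false
        Ready        = $false
    }

    # Win32_Tpm.SpecVersion reads like "2.0, 0, 1.38"; the first field is the spec version.
    $tpm = Get-CimInstance -Namespace 'root\cimv2\security\microsofttpm' `
                           -ClassName Win32_Tpm -ErrorAction SilentlyContinue
    if ($tpm) {
        $result.TpmPresent = $true
        $result.TpmSpec    = ($tpm.SpecVersion -split ',')[0].Trim()
        if ($result.TpmSpec -match '^\d+\.\d+$') {
            $result.Tpm2 = [version]$result.TpmSpec -ge [version]'2.0'
        }
    }

    # Confirm-SecureBootUEFI throws on legacy BIOS systems, so a failure here
    # means either no Secure Boot or no UEFI; both block the compliance policy.
    try   { $result.SecureBoot = [bool](Confirm-SecureBootUEFI -ErrorAction Stop) }
    catch { $result.SecureBoot = $false }

    $result.Ready = $result.Tpm2 -and ($result.Firmware -eq 'UEFI') -and $result.SecureBoot
    [pscustomobject]$result
}

Test-Win11Readiness | Format-List
```

A device reporting Ready = False belongs on the replacement timeline rather than in a compliance policy pilot, since no software update will make it pass.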
Small team reality deserves honest assessment. Municipal IT teams with 1-3 staff face capacity constraints. They manage 150-850 devices. Even with automation, daily work is required. Determining which security alerts are real threats versus false alarms takes time. Dashboard interpretation requires skills. Incident response demands dedicated attention.
External managed services become strategic choices, not failure states. Regional IT cooperation works too. Shared security operations centers across multiple municipalities offer practical solutions. So do managed security service providers. Hybrid approaches work where external teams handle alert triage. Internal staff manage policy decisions.
Training resources exist but require time investment. T-minus365 offers Intune-specific courses. Udemy provides Microsoft security training. Microsoft documentation covers detailed scenarios. Learning these systems while maintaining daily operations stretches small teams.
This honest assessment matters. Continuous monitoring delivers significant security improvements. But only if you have resources to implement it properly.
The FOIPPA Compliance Advantage
FOIPPA Section 30 requires “reasonable security arrangements” to protect personal information. The standard uses a “fair, rational person” test. What would a reasonable person consider appropriate security?
When explaining your security posture to the Office of the Information and Privacy Commissioner for BC (OIPC), continuous monitoring demonstrates due diligence. It works better than quarterly checks.
Breach notification timing illustrates the difference. Section 36.3 requires notification “without unreasonable delay.” Continuous monitoring detects unauthorized access within hours or days. Quarterly audits may not discover breaches for weeks or months. That detection delay is difficult to defend. Especially when tools for immediate detection exist in your licensed software.
This challenge isn’t theoretical. As explored in our analysis of [[Published/Blog/2025-09-22 FOIPPA Compliance Gap in M365 - Blog|FOIPPA compliance gaps in M365]], default configurations often create exposure. Periodic audits fail to catch these problems. Continuous monitoring addresses these gaps systematically.
Access logging requirements gain new dimensions. FOIPPA mandates logging who accessed personal information, why, and when. Continuous monitoring provides complete audit trails automatically. Quarterly approaches create gaps. Compliance issues go undetected between review periods.
One-year retention requirements become simpler. Personal information used in certain ways must be kept one year. That includes access logs. Continuous monitoring systems maintain these logs automatically. Quarterly approaches require manual retention management.
Municipal context intensifies compliance pressure. All 161 BC municipalities fall under OIPC jurisdiction. A 2025 OIPC investigation examined 160 municipalities. The focus was disclosure and access request handling. Privacy breach reporting became mandatory in February 2023. The regulatory environment favors proactive monitoring.
Risk mitigation shifts from reactive to proactive. Quarterly audits discover violations too late. 30-90 days of exposure already occurred. Real-time detection enables immediate remediation. That difference matters when explaining your security program. Whether to OIPC investigators or municipal council.
Continuous monitoring doesn’t guarantee FOIPPA compliance. But it strengthens your demonstration significantly more than periodic checking does.
Your Practical Path Forward
Moving to continuous monitoring requires systematic assessment. Not impulsive implementation.
Step 1: Hardware Assessment - Use Intune’s hardware inventory. Identify which devices meet TPM 2.0 requirements. Create a replacement timeline for devices that cannot meet Windows 11 policies. Budget for hardware upgrades over 2-3 years. This beats emergency spending when quarterly audits find problems.
Step 2: Capacity Assessment - Honestly evaluate your team’s bandwidth. Calculate current quarterly audit time. Typically 2-5 days per quarter. Compare against continuous monitoring requirements. Initial 2-4 week setup. Then 1-2 hours monthly review. Plus immediate alert response. If your team already operates at capacity, you need additional resources.
Step 3: Training Evaluation - Identify skills gaps. You need skills for dashboard interpretation. Compliance policy configuration. Incident response. Review T-minus365 courses and Udemy Microsoft security training. Check Microsoft documentation. Estimate realistic skill development timelines. Factor training time into capacity assessment.
Step 4: Phased Rollout - Start with pilot groups of 10-20 devices. Test compliance policies in audit mode. Run for 2-4 weeks before switching to enforcement. Review events and configure necessary exclusions. Document user impact. Use pilot experience to refine policies.
Step 5: External Support Decision - Evaluate managed security service providers. Consider regional shared security operations centers. Look at hybrid approaches. External teams can handle alert triage. Internal staff manage policy decisions. Calculate costs against current quarterly audit effort. Add security incident risk to the calculation. Position external support as strategic capacity addition.
Step 6: Security Baseline Implementation - Leverage Microsoft’s pre-built security baselines. Don’t configure individual settings manually. These tested configurations cover Windows, iOS, and Android. Start with baseline defaults. Document customizations for municipal requirements. Implement gradually with pilot groups.
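Steps 1 and 4 both start from the Intune device inventory. The script below pulls that inventory through Microsoft Graph and builds one work list flagging stale devices (no check-in for 30 days, the threshold discussed earlier), devices Intune reports as non-compliant, and Windows devices still below the Windows 11 build number. This is an added example, not the post’s or Microsoft’s own code; it assumes the Microsoft.Graph PowerShell SDK is installed and the signed-in account can read managed devices, and the output file name is an assumption.

```powershell
# Added example (not from the original post). Assumes the Microsoft.Graph SDK and a
# role permitted to read managed devices (DeviceManagementManagedDevices.Read.All).
Connect-MgGraph -Scopes 'DeviceManagementManagedDevices.Read.All' | Out-Null

$staleAfterDays = 30                                # inactive-device threshold from the text
$cutoff  = (Get-Date).AddDays(-$staleAfterDays)
$devices = Get-MgDeviceManagementManagedDevice -All

$report = foreach ($d in $devices) {
    $isWin10 = $false
    # Windows 11 builds start at 10.0.22000; anything lower is still Windows 10.
    if ($d.OperatingSystem -eq 'Windows' -and $d.OSVersion -match '^10\.0\.(\d+)') {
        $isWin10 = [int]$matches[1] -lt 22000
    }
    [pscustomobject]@{
        DeviceName    = $d.DeviceName
        User          = $d.UserPrincipalName
        OS            = "$($d.OperatingSystem) $($d.OSVersion)"
        LastSync      = $d.LastSyncDateTime
        DaysSinceSync = [int]((Get-Date) - $d.LastSyncDateTime).TotalDays
        Compliance    = $d.ComplianceState
        Stale         = $d.LastSyncDateTime -lt $cutoff
        NonCompliant  = $d.ComplianceState -ne 'compliant'   # includes 'unknown' and grace period
        Win10Replace  = $isWin10
    }
}

# Anything carrying at least one flag is the work list: stale devices to remove,
# non-compliant devices to investigate, Windows 10 hardware for the replacement budget.
$report |
    Where-Object { $_.Stale -or $_.NonCompliant -or $_.Win10Replace } |
    Sort-Object DaysSinceSync -Descending |
    Export-Csv -Path '.\intune-device-worklist.csv' -NoTypeInformation   # assumed file name
```

Running this weekly, and comparing the row count against the last export, gives the compliance-report review mentioned above a concrete artifact to file.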
This path acknowledges reality. Continuous monitoring delivers significant advantages. But successful implementation requires honest capacity assessment. Realistic timelines matter. Strategic decisions about external support are critical.
Moving Forward
The 90-day blind spots create real risks. Both security and compliance risks. The 565% device discrepancy from our opening isn’t theoretical. It represents genuine security exposure. Quarterly checks cannot adequately address this.
You’re already paying for continuous monitoring tools. Through Microsoft 365 Business Premium. The question isn’t whether these capabilities exist. Or whether they’re budgeted. The question is implementation capacity.
Can your team realistically add daily monitoring? Alert triage? Ongoing policy management? Or does external support make strategic sense? Consider your municipality’s size and resource constraints.
That capacity question deserves honest evaluation. Implementing continuous monitoring without adequate resources creates new problems. It fails to solve existing ones. But maintaining quarterly audits when continuous tools exist creates gaps. Defendable security and compliance gaps.
What’s your take? Are quarterly audits sufficient? Or is continuous monitoring the new baseline for municipal IT? Let’s discuss.