We were speaking with an organization that needed to pass their Microsoft SSPA compliance audit. SSPA (Supplier Security and Privacy Assurance) is a security assessment that a supplier must pass in order to do business with a specific company.
They were confident their approach was solid: contractors signed annual agreements confirming they had antivirus installed, completed security training, and promised to delete company documents after each use.
“We make them sign a document,” they explained.
“Plus they do annual training. Isn’t that enough?”
We’ve heard variations of this story dozens of times from Toronto businesses trying to manage their own compliance. It’s an understandable approach. After all, if people sign something promising to be secure, that should count for something, right?
Here’s the uncomfortable truth: It counts for almost nothing in a real compliance audit.
The critical distinction is:
- Administrative controls (training, policies, signed documents) = honor system
- Technical controls (device management, conditional access, remote wipe) = enforceable, verifiable security
Here’s the pattern we see repeatedly: businesses research compliance requirements, implement what seems reasonable, and feel confident they’re protected.
Then they face their first serious vendor screening and discover their controls don’t actually meet the requirements. Or, worse, they discover they unknowingly lied on their self-attestation.
At best, this delays business opportunities. At worst, it costs them contracts they were counting on – because when SSPA says “device management,” they don’t mean “we asked people to manage their devices.” They mean centralized technical controls that enforce security automatically.
In addition to losing the client and trust, you are also left with significant exposure to data breaches that your insurance may not cover.
The Honor System Doesn't Scale in Cybersecurity
Let’s talk about how humans actually behave with technology, because that’s at the heart of why administrative controls fail where technical controls succeed.
We’re all guilty of taking shortcuts. Maybe you’ve answered “yes” to an agreement you didn’t fully read. Perhaps you’ve clicked through a security training module while thinking about your next meeting. We’ve all promised ourselves we’d delete a file later, then forgotten about it entirely.
This isn’t a character flaw. It’s human nature. We’re flawed creatures who are exceptionally prone to optimism bias, present bias, and the planning fallacy. We genuinely believe we’ll follow through on security practices, even when our track record suggests otherwise.
Security frameworks like Microsoft SSPA are designed by people who understand this reality. That’s why they require technical controls that don’t rely on human perfection.
What Microsoft SSPA Actually Requires (And Why)
Microsoft’s SSPA framework exists to protect sensitive data flowing through their ecosystem. When you’re handling Microsoft data or serving Microsoft customers, they need verifiable proof that your security controls work, not just promises that they should work.
The Non-Negotiables
SSPA mandates several technical capabilities that cannot be satisfied through training or signed agreements:
Centralized Device Management: The ability to monitor, configure, and control all devices accessing company data. This means knowing what’s installed, what’s outdated, and what’s misconfigured – in real time, not based on what someone attested to six months ago.
Conditional Access Enforcement: Automatically blocking access from devices that don’t meet security requirements, are in unusual locations, or show signs of compromise. A signed document can’t prevent a compromised device from accessing your systems.
Remote Data Protection: The ability to remotely wipe company data if a device is lost, stolen, or an employee becomes a threat. Once data is downloaded to a personal device, hoping someone will delete it isn’t a security control.
Comprehensive Audit Logging: Detailed records of who accessed what data, when, from which device, and what actions they took. This becomes critical during incident response or forensic investigation.
Data Loss Prevention: Technical controls preventing unauthorized downloading, sharing, or copying of sensitive information. A promise to delete files later doesn’t prevent them from being emailed to personal accounts or saved to USB drives first.
For organizations with contractors or remote workers, meeting these requirements means either:
- Providing company-owned devices with full security controls, or implementing comprehensive IT policies and technical controls.
- Implementing approved BYOD programs with containerization and mobile device management.
- Using virtual desktop infrastructure where no company data touches personal devices.
- Restructuring operations to eliminate personal device access entirely.
Why Personal Devices Are Explicitly Prohibited
Many businesses assume that because contractors use their personal devices “rarely” or have “limited access,” the risk is minimal. This fundamentally misunderstands how data breaches occur.
It only takes one compromised device accessing your environment once to create a catastrophic breach. The frequency of access is irrelevant – what matters is whether you can enforce security controls when that access occurs.
Personal devices, by definition, are outside your control. You cannot:
- Verify what software is actually installed (regardless of what someone attests)
- Confirm that antivirus definitions are current
- Detect if the device is already compromised
- Prevent malware from accessing your company data
- Remove your data if the device is sold, stolen, or repurposed
- Audit what data was accessed or downloaded
- Control how that data is subsequently used or shared
Learn more in our BYOD Security Guide. →
The Three Most Dangerous Misconceptions
Misconception #1: "We Make Them Complete Annual Training"
Annual training is valuable for creating security awareness, but it doesn’t create security capability.
Training teaches someone what they should do. Technical controls ensure they actually do it, and more importantly, prevent them from doing what they shouldn’t, even accidentally.
Consider this scenario: Your contractor completes their annual security training in January. In March, their teenage daughter downloads a pirated game on the family laptop that the contractor uses for work. That game includes sophisticated malware designed to steal business credentials.
The contractor legitimately doesn’t know their device is compromised. They log into your Google Workspace or Microsoft 365 environment. The malware captures their credentials and begins systematically downloading your client data.
No amount of training prevents this. Technical controls that verify device health before allowing access are what prevent this.
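What “verify device health before allowing access” looks like in practice for the Conditional Access requirement above and this scenario, as an added example that is not from the original post: a Microsoft Entra Conditional Access policy, created with the Microsoft Graph PowerShell SDK, that only lets Intune-compliant devices sign in to Microsoft 365. It assumes the Microsoft.Graph module is installed, the signed-in admin has the Policy.ReadWrite.ConditionalAccess permission, and devices are already enrolled in Intune; the break-glass account id is a placeholder.

```powershell
# Added example, not the original post's code. Requires the Microsoft.Graph
# PowerShell SDK and an admin with Policy.ReadWrite.ConditionalAccess.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess"

$policy = @{
    displayName = "Require compliant device for all cloud apps"
    # Start in report-only mode: sign-ins are evaluated and written to the
    # sign-in log but not blocked, so you can see which contractors' devices
    # would be refused before the policy is enforced.
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users          = @{
            includeUsers = @("All")
            # Exclude a break-glass admin account so a mistake here cannot
            # lock every administrator out of the tenant (placeholder id).
            excludeUsers = @("<break-glass-account-object-id>")
        }
        applications   = @{ includeApplications = @("All") }
        clientAppTypes = @("all")
    }
    grantControls = @{
        # AND: the device must be marked compliant by Intune AND the user
        # must complete MFA. A personal laptop that was never enrolled has no
        # compliance state and is therefore denied, regardless of any signed
        # attestation about its antivirus.
        operator        = "AND"
        builtInControls = @("compliantDevice", "mfa")
    }
}

New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
```

Once the report-only sign-in logs show only the denials you expect, change `state` to `"enabled"` to start enforcing.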
Misconception #2: "They Sign Documents Confirming Security Measures"
Signed attestations create legal accountability, not technical security. They’re important for compliance documentation, but they don’t prevent breaches.
When someone signs a document confirming they have antivirus installed, what does that actually verify? Did they check? Is it active? Is it updated? Does it actually work? Are there other security vulnerabilities present?
More importantly: What happens between annual attestations? Software becomes outdated. Subscriptions expire. Devices get infected. Operating systems become unsupported.
A document signed in January provides zero protection in December when that antivirus subscription lapsed in March.
Misconception #3: "They Promise to Delete Documents After Use"
This is perhaps the most dangerous misconception because it seems so reasonable. If contractors delete files after use, the data isn’t at risk, right?
Except:
- Did they actually delete the file?
- Did they delete the file from their downloads folder, recycle bin, and any backup systems?
- Did they delete it from their email if they emailed it to themselves?
- Was it cached by their browser or stored in application temp files?
- Did they copy it to a USB drive or personal cloud storage first?
- Did they screenshot sensitive information for reference?
Even well-intentioned people cannot reliably sanitize data from personal devices. And that assumes they remember to delete it at all, which research consistently shows people don’t.
How Shortcuts Can Short-Change You
We’ve written extensively about why compliance shortcuts end up costing more, including the real ROI calculations and long-term business impacts. The short version: most businesses find that proper compliance pays for itself with a single enterprise client contract that requires vendor security screening.
Working with experienced IT compliance consultants is a wiser strategy.
The Partnership Approach to Compliance
We recently worked with a research firm in a similar situation. They had contractors accessing sensitive healthcare research data from personal devices, armed only with signed security agreements. They were confident this was adequate until a potential pharmaceutical client required a full security audit.
The audit revealed what they feared: their administrative controls didn’t satisfy technical requirements. They faced losing a major contract opportunity and potentially others under similar scrutiny.
Rather than rushing to implement the cheapest possible solution, we worked together to understand their actual requirements, operational constraints, and budget realities. We implemented a phased approach to get aligned.
The result wasn’t just compliance – it was confidence.
When they complete vendor security questionnaires now, they can answer accurately. When clients ask for evidence of security controls, they have it. When their insurance requires specific protections, they’re implemented. Their marketing team has even rewritten their website copy to showcase that security posture to prospective clients who require this level of data protection. The solutions we implemented will keep paying for themselves for years to come.
Need Help With Microsoft SSPA or Vendor Security Screenings?
Microsoft SSPA and similar vendor security frameworks require verifiable technical controls, not just policies and training. If you’re facing vendor security requirements and need to understand what’s actually required versus what feels like it should be enough, we help businesses implement the technical controls enterprise clients verify.
Common scenarios we address:
- Contractors accessing company data from personal devices.
- Self-attestation requirements you can’t actually verify.
- Technical control gaps discovered during vendor audits.
- Moving from administrative controls to enforceable security.
Learn about Vendor Security Screening services →