Microsoft 365 runs most Australian businesses - email, files, Teams, the lot. But out of the box, it's built for convenience, not safety. Here are five gaps worth closing today.
There’s a comfortable assumption that because Microsoft is enormous, your 365 tenant must be secure by default. It isn’t. Microsoft secures their platform; securing your use of it is your responsibility. That line in the contract is called the “shared responsibility model”, and most small businesses have never been told about it.
1. Multi-factor authentication probably isn’t on for everyone
A stolen or reused password is the number-one way businesses get breached. Multi-factor authentication (MFA) - that second tap on your phone - blocks the overwhelming majority of these attacks. Yet plenty of tenants still have it switched off, or on for only a few people. It should be on for every user, on email and remote access. This is also Essential Eight control number seven.
2. Microsoft does not back up your data the way you think
This is the big one. Microsoft keeps your service running and protects against their hardware failing. They do not protect you from you - an employee deleting the wrong folder, a mailbox wiped by ransomware, or an account deleted 90 days ago. Their retention windows are short and easy to miss.
The myth that costs businesses dearly
“It’s in the cloud, so it’s backed up.” No. If a staff member deletes a shared drive and nobody notices for a few months, that data can be gone for good. A proper third-party 365 backup is cheap insurance against an expensive, unrecoverable mistake.
3. Old-style logins leave a side door open
Microsoft 365 still supports legacy sign-in methods that pre-date MFA. Attackers love them because they sidestep your modern protections entirely. Unless someone has explicitly turned “legacy authentication” off, that side door may still be propped open in your tenant.
4. Email spoofing makes scams look real
Ever had a supplier’s invoice quietly redirected to a scammer’s bank account? Often it starts with a convincing fake email. Three technical settings - SPF, DKIM and DMARC - make it far harder for criminals to impersonate your domain. Many businesses have never had them configured, or set up only one of the three.
5. Nobody is watching the logs
Microsoft 365 records a huge amount about who logs in, from where, and what they do. Unattended, it’s just noise. Monitored, it’s an early-warning system - a login from overseas at 3am, a sudden rule forwarding all mail elsewhere. The difference between a scare and a disaster is often whether anyone was watching.
The good news
None of these are expensive or disruptive to fix. They’re configuration and good habits, not new hardware. The catch is that they’re easy to miss when you’re busy running a business - which is exactly why they get missed. When we take on a new client, hardening Microsoft 365 against the Essential Eight is one of the first things we do, and it’s included in every plan.
See where you stand in 2 minutes
Take our free Essential Eight self-assessment - eight questions, instant scorecard, no email required.
Take the free assessment →