Microsoft 365 is the backbone of most Australian small businesses. But here is the hard truth: out of the box, its default security settings are nowhere near enough to protect you from modern cyber threats.
If you just activated your licenses and started working without reviewing the security center, your email and data are essentially sitting in front of an unlocked door. Here are the 5 settings you, or your IT provider, need to change right now.
1. Enforce Multi-Factor Authentication (MFA) Globally
This is non-negotiable. If you rely on passwords alone, it is only a matter of time before an account is compromised. Ensure that MFA is enforced for every single user in the organisation, especially administrators, and give admins a phishing-resistant method (Microsoft Authenticator with number matching, or a FIDO2 security key) rather than SMS codes. Microsoft's free "Security Defaults" switch turns MFA on for everyone and blocks legacy authentication at the same time; if your licence includes Entra ID P1 (Business Premium does), Conditional Access policies give you far more control. Whichever route you take, exclude one break-glass emergency account with a long random password stored offline, and run new policies in report-only mode before enforcing them so you can see who would be blocked.
2. Disable Legacy Authentication Protocols
The problem is less the protocol than the sign-in method. "Legacy" (basic) authentication sends only a username and password, so the client never gets the chance to complete MFA; older POP3, IMAP, SMTP AUTH and ActiveSync clients, and pre-2013 versions of Office, all use it. Hackers deliberately target these endpoints with password spraying because a guessed or leaked password is enough to get in: your MFA policy is never consulted. Microsoft has switched basic authentication off for most Exchange Online protocols since late 2022, but SMTP AUTH is still commonly left on for scanners and line-of-business apps, and a tenant that opted out earlier may still have the others enabled. Check the Entra sign-in logs for anything still using legacy authentication, fix or replace those devices, then block it tenant-wide with Security Defaults or a Conditional Access policy, and turn basic authentication off per protocol in the Microsoft 365 admin center (Settings > Org settings > Modern authentication).
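As an added example covering both settings above (this is not Cubit's script, and the break-glass account name and policy names are placeholders), here is how an administrator with the Microsoft Graph PowerShell SDK can check Security Defaults, stage an MFA policy and a legacy-authentication block in report-only mode, and see who is still signing in with legacy clients before enforcing:

```powershell
# Added example, not the page's own script. Requires the Microsoft.Graph SDK
# and Entra ID P1 (included in Microsoft 365 Business Premium).
# "breakglass@contoso.example" and the policy names are placeholders.
Connect-MgGraph -Scopes "Policy.Read.All", "Policy.ReadWrite.ConditionalAccess",
                        "User.Read.All", "AuditLog.Read.All", "Directory.Read.All"

# 1. Is the free Security Defaults switch on? It already enforces MFA and blocks legacy auth.
#    Conditional Access policies cannot be used while it is on: build them in report-only
#    mode first, review, then turn Security Defaults off and set the policies to "enabled".
$sd = Get-MgPolicyIdentitySecurityDefaultEnforcementPolicy
"Security Defaults enabled: $($sd.IsEnabled)"

# Break-glass account (assumed to exist). Always exclude it so a bad policy cannot lock out every admin.
$breakGlass = Get-MgUser -Filter "userPrincipalName eq 'breakglass@contoso.example'"

# 2. Require MFA for every user, in every application.
$requireMfa = @{
    displayName   = "CA01 - Require MFA for all users"
    state         = "enabledForReportingButNotEnforced"   # change to "enabled" after review
    conditions    = @{
        users          = @{ includeUsers = @("All"); excludeUsers = @($breakGlass.Id) }
        applications   = @{ includeApplications = @("All") }
        clientAppTypes = @("all")
    }
    grantControls = @{ operator = "OR"; builtInControls = @("mfa") }
}
New-MgIdentityConditionalAccessPolicy -BodyParameter $requireMfa

# 3. Block legacy authentication. "exchangeActiveSync" (basic auth) and "other"
#    (IMAP, POP, SMTP AUTH, old Office) cannot satisfy MFA, so they are blocked outright.
$blockLegacy = @{
    displayName   = "CA02 - Block legacy authentication"
    state         = "enabledForReportingButNotEnforced"
    conditions    = @{
        users          = @{ includeUsers = @("All"); excludeUsers = @($breakGlass.Id) }
        applications   = @{ includeApplications = @("All") }
        clientAppTypes = @("exchangeActiveSync", "other")
    }
    grantControls = @{ operator = "OR"; builtInControls = @("block") }
}
New-MgIdentityConditionalAccessPolicy -BodyParameter $blockLegacy

# 4. Before enforcing CA02: who signed in with a legacy client in the last 7 days?
#    Anything that is not a browser or a modern desktop/mobile app is a legacy client.
#    (-All pages through every sign-in; on a large tenant narrow the window.)
$since = (Get-Date).AddDays(-7).ToUniversalTime().ToString("yyyy-MM-ddTHH:mm:ssZ")
Get-MgAuditLogSignIn -Filter "createdDateTime ge $since" -All |
    Where-Object { $_.ClientAppUsed -notin @("Browser", "Mobile Apps and Desktop clients") } |
    Group-Object UserPrincipalName, ClientAppUsed |
    Select-Object Count, Name |
    Sort-Object Count -Descending
```

Step 4 is the one people skip: a multifunction printer that scans to email over SMTP AUTH will stop working the day CA02 is enforced, so find it first and move it to a supported method (or a mail relay) rather than leaving the policy off.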
3. Block Auto-Forwarding Rules to External Addresses
When hackers get into a staff member's email, one of the first things they do is set up a silent forwarding rule, often named something like "." so it is easy to miss, sometimes paired with a rule that deletes the original so the victim never sees it. Every email the staff member receives is copied to the hacker, who reads the invoices and waits for the right moment to send altered bank details. Turn off automatic forwarding to external domains tenant-wide in the outbound spam filter policy, and then check for forwarding that is already in place: inbox rules with forward or redirect actions, and mailbox-level forwarding addresses set by an admin.
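As an added example (not Cubit's script; the mailbox and rule name in the last step are placeholders), here is how to apply the tenant-wide block in Exchange Online PowerShell and then hunt for forwarding that is already configured, which is what you actually need to do on a tenant that has been running for a while:

```powershell
# Added example, not the page's own script. Requires the ExchangeOnlineManagement
# module and an Exchange administrator role.
Connect-ExchangeOnline

# 1. Tenant-wide switch. The outbound spam filter policy decides whether automatic
#    forwarding to external recipients (inbox rules, mailbox forwarding, Outlook
#    "forward") is allowed. "Automatic" (the default) now behaves as Off, but set it
#    explicitly so the tenant does not depend on Microsoft's default.
Set-HostedOutboundSpamFilterPolicy -Identity Default -AutoForwardingMode Off

# 2. Belt and braces: the default remote domain has its own forwarding switch.
Set-RemoteDomain -Identity Default -AutoForwardEnabled $false

# 3. Hunt. First, mailbox-level forwarding (set by an admin or a compromised admin).
$mailboxes = Get-EXOMailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox `
    -Properties ForwardingSmtpAddress, ForwardingAddress, DeliverToMailboxAndForward

$mailboxes | Where-Object { $_.ForwardingSmtpAddress -or $_.ForwardingAddress } |
    Select-Object UserPrincipalName, ForwardingSmtpAddress, ForwardingAddress, DeliverToMailboxAndForward

# Then inbox rules with a forward or redirect action in every mailbox.
# Forward + delete is the classic "hide the trail" combination.
$findings = foreach ($mbx in $mailboxes) {
    Get-InboxRule -Mailbox $mbx.UserPrincipalName |
        Where-Object { $_.ForwardTo -or $_.ForwardAsAttachmentTo -or $_.RedirectTo } |
        ForEach-Object {
            [pscustomobject]@{
                Mailbox   = $mbx.UserPrincipalName
                RuleName  = $_.Name
                Enabled   = $_.Enabled
                Targets   = (@($_.ForwardTo) + @($_.ForwardAsAttachmentTo) + @($_.RedirectTo) |
                             Where-Object { $_ }) -join "; "
                Deletes   = $_.DeleteMessage
            }
        }
}
$findings | Format-Table -AutoSize

# 4. Once a rule is confirmed malicious, remove it (placeholder mailbox and rule name):
# Remove-InboxRule -Mailbox "jane@contoso.example" -Identity "."
```

Treat any hit in step 3 as an incident, not a cleanup task: reset the password, revoke sessions, and check the audit log for what else the account did, because the rule is evidence that someone was already inside.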
4. Turn on Unified Audit Logging
If you suffer a breach, you need to know exactly what the hacker touched and when. Auditing is switched on by default for most tenants created since 2019, but confirm it rather than assume: check in the Microsoft Purview compliance portal (the old compliance center), or with the Exchange Online cmdlet Get-AdminAuditLogConfig, that unified audit logging is enabled. Be aware that the standard tier only retains events for a limited period (180 days at the time of writing), so after an incident export what you need promptly, and consider a longer-retention add-on or forwarding the log to a SIEM.
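As an added example (not Cubit's script), here is how to verify and enable unified auditing from Exchange Online PowerShell, and then use the log the way an investigator does: pulling every inbox-rule creation or change in the last 30 days, which is exactly the paper trail you want when you suspect business email compromise:

```powershell
# Added example, not the page's own script. Requires the ExchangeOnlineManagement module.
Connect-ExchangeOnline

# 1. Verify, and enable if needed. Do not assume the default.
$cfg = Get-AdminAuditLogConfig
if (-not $cfg.UnifiedAuditLogIngestionEnabled) {
    Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $true
    "Unified audit logging enabled; new events appear within about an hour."
} else {
    "Unified audit logging is already enabled."
}

# 2. Hunt for the BEC tell-tale: inbox rules being created or modified.
#    New-InboxRule / Set-InboxRule come from PowerShell and Outlook on the web,
#    UpdateInboxRules from the Outlook desktop client.
$end   = Get-Date
$start = $end.AddDays(-30)
$ruleEvents = Search-UnifiedAuditLog -StartDate $start -EndDate $end `
    -Operations New-InboxRule, Set-InboxRule, UpdateInboxRules -ResultSize 5000

# Each record carries a JSON blob in AuditData; the rule's actions (ForwardTo,
# DeleteMessage, ...) are in its Parameters array.
$rows = foreach ($e in $ruleEvents) {
    $d = $e.AuditData | ConvertFrom-Json
    [pscustomobject]@{
        When      = $d.CreationTime
        User      = $d.UserId
        Operation = $d.Operation
        ClientIP  = $d.ClientIP
        Params    = ($d.Parameters | ForEach-Object { "$($_.Name)=$($_.Value)" }) -join " "
    }
}
$rows | Sort-Object When | Format-Table -AutoSize

# 3. Keep a copy: the standard tier's retention is finite.
$rows | Export-Csv -Path ".\inbox-rule-events.csv" -NoTypeInformation
```

If the tenant is busy, 5000 results may not be enough for 30 days; narrow the window or use the cmdlet's -SessionCommand ReturnLargeSet paging. A ClientIP in a country your business has no staff in, next to a ForwardTo parameter, is the thing to look for.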
5. Enable Defender for Office 365 (Safe Links & Safe Attachments)
Basic spam filtering won't catch sophisticated phishing. Advanced Threat Protection is now called Microsoft Defender for Office 365, and Plan 1 is included in Business Premium. Make sure Safe Links (which rewrites URLs and re-checks them at the time of click, long after the email was delivered) and Safe Attachments (which detonates attachments in a sandbox before delivery) are not just licensed but actually applied: a policy only protects the recipients its rule is scoped to, and a new tenant may have no rule at all. The quickest route is to turn on the "Standard" preset security policy for all users; otherwise create policies that cover every domain you own, with Safe Links set to stop users clicking through a warning and Safe Attachments set to Block.
Don't Leave Your Cloud Unlocked
Checking these five settings takes very little time but significantly reduces your risk of a devastating business email compromise.
Not sure if your IT provider has actually configured this properly? Book a Cubit cyber security assessment today. We will audit your M365 tenant and provide a clear, jargon-free roadmap to securing your business.
To understand where your business stands, we offer a free initial consultation - get in touch.
