Skip to main content
Lake CumberlandComputers
All articles

The Microsoft 365 Security Basics Every Small Business Gets Wrong

Most small-office Microsoft 365 setups share the same five gaps — and none of them take a big budget to close. Here's what to check this week.

Microsoft 365 runs most of the offices in south-central Kentucky now — email, calendars, files, Teams. And nearly every 365 setup we're asked to look at, from Somerset law offices to Columbia clinics, shares the same handful of gaps. Not because anyone was careless, but because 365 works well enough out of the box that nobody goes back to finish the job.

Here are the five we find most often, in the order we'd fix them.

1. MFA that's "available" but not required

Microsoft makes multi-factor authentication available on every account, but available isn't enforced. In many small offices, the owner has MFA and half the staff quietly don't — often whoever set up their phone last found it annoying and skipped it.

One account without MFA is one phished password away from an attacker reading that mailbox — and email is where everything else resets its passwords. Make it mandatory for everyone, including (especially) the accounts that forward to the boss's phone.

2. The departed employee who still has a mailbox

Someone left eight months ago. Their account still works because "we might need their email." Their password hasn't changed, they know it, and so does anyone who ever stole it.

There's a right way to keep a former employee's mail — convert it to a shared mailbox, block sign-in — and it doesn't leave a live login lying around. If you can name a former employee whose account might still work, that's this week's task.

3. Nobody actually backs up 365

Microsoft keeps the service running. It does not promise to recover the folder someone emptied in March, the mailbox of an employee you removed, or files encrypted by malware that synced through OneDrive. Retention settings help, but they're not a backup — and most offices have never tested what they could actually get back.

A proper 365 backup is inexpensive and quiet. It's on our standard checklist in every Microsoft 365 engagement for a reason: the day you need it, nothing else will do.

4. Email records that let anyone impersonate you

Three public DNS records — SPF, DKIM, and DMARC — decide whether the world's mail systems can tell real email from your domain apart from forgeries. Most small businesses have SPF (their provider set it up), half-configured DKIM, and no DMARC at all. That combination means forged mail "from" your business gets delivered, and you'll never know.

We wrote a plain-English guide to SPF, DKIM, and DMARC if you want the full picture — or run the free health check, which grades your domain's records in about fifteen seconds.

5. Everyone's an admin

Small offices trend toward "just make everyone an admin so nothing's ever blocked." Every admin account is a master key; a phished admin doesn't lose one mailbox, they lose the building. Most people need none of those permissions for daily work. Two admin accounts — used only when actually administering, protected with the strongest MFA you have — covers nearly every small office.

The pattern

None of these five require new hardware, new licenses, or a security budget. They're configuration — an afternoon or two of deliberate work by someone who knows where the switches are. That's the frustrating part and the good news at once: the gap between a typical setup and a solid one is mostly attention.

Want to know where yours stands? Start with the free M365 Security Health Check — it reads your domain's public records, grades them, and emails you a report a non-technical office manager can act on. If you'd rather have the whole setup reviewed properly, book a free consultation — we've been doing this for local offices since 2001.

Got a question this didn't answer?

Call the shop, use the chat, or book time with a technician — plain answers are the whole business model.