1. Turn on Security Defaults — or properly configure Conditional Access

If you've never opened the Entra ID admin centre, the single highest-leverage thing you can do today is flip Security Defaults to On. It enforces multi-factor authentication for every user, blocks legacy authentication, and requires admins to MFA every session. Microsoft's own data puts the resulting account-compromise reduction north of 99%.

If you're on Microsoft 365 Business Premium (or any Entra ID P1 SKU), do the slightly more grown-up version: switch Security Defaults off and build Conditional Access policies that require MFA for all users, block legacy auth, and require compliant or hybrid-joined devices for admin roles. Same outcome, more flexibility.

"We're too small to be a target" is the most expensive sentence in Australian small business IT. Attackers don't pick targets — they pick passwords.
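The "grown-up version" from the paragraph above, as an added example that is not part of the original post: the three Conditional Access policies (MFA for everyone, block legacy auth, compliant or hybrid-joined devices for admins) created with the Microsoft Graph PowerShell SDK. It assumes the Microsoft.Graph module, an account that can write Conditional Access policies, and a break-glass account whose object ID you substitute for the placeholder; the policy names are made up.

```powershell
# Added example, not the post's own script. Assumes the Microsoft.Graph module is installed and
# the signed-in account holds Policy.ReadWrite.ConditionalAccess.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All"

# Placeholder: object ID of your emergency-access ("break-glass") account. Every policy excludes it.
$BreakGlass = "00000000-0000-0000-0000-000000000000"

# Security Defaults and Conditional Access are mutually exclusive, so the post's order is:
# switch Security Defaults off, then bring the policies in.
Update-MgPolicyIdentitySecurityDefaultEnforcementPolicy -IsEnabled:$false

# Policy 1: MFA for all users on all cloud apps.
$mfaAll = @{
    displayName   = "CA01 - Require MFA for all users"
    state         = "enabledForReportingButNotEnforced"   # report-only while you check the sign-in log, then "enabled"
    conditions    = @{
        users        = @{ includeUsers = @("All"); excludeUsers = @($BreakGlass) }
        applications = @{ includeApplications = @("All") }
    }
    grantControls = @{ operator = "OR"; builtInControls = @("mfa") }
}

# Policy 2: block legacy authentication. "exchangeActiveSync" and "other" are the client app types
# that cover basic-auth clients (IMAP, POP3, SMTP AUTH, older Outlook and EWS).
$blockLegacy = @{
    displayName   = "CA02 - Block legacy authentication"
    state         = "enabledForReportingButNotEnforced"
    conditions    = @{
        users          = @{ includeUsers = @("All"); excludeUsers = @($BreakGlass) }
        applications   = @{ includeApplications = @("All") }
        clientAppTypes = @("exchangeActiveSync", "other")
    }
    grantControls = @{ operator = "OR"; builtInControls = @("block") }
}

# Policy 3: directory roles need a compliant (Intune) or hybrid Entra-joined device.
# 62e90394-69f5-4237-9190-012177145e10 is the Global Administrator role template ID; add the other
# admin roles you actually use to the includeRoles list.
$adminDevice = @{
    displayName   = "CA03 - Admins require compliant or hybrid-joined device"
    state         = "enabledForReportingButNotEnforced"
    conditions    = @{
        users        = @{ includeRoles = @("62e90394-69f5-4237-9190-012177145e10"); excludeUsers = @($BreakGlass) }
        applications = @{ includeApplications = @("All") }
    }
    grantControls = @{ operator = "OR"; builtInControls = @("compliantDevice", "domainJoinedDevice") }
}

foreach ($policy in @($mfaAll, $blockLegacy, $adminDevice)) {
    New-MgIdentityConditionalAccessPolicy -BodyParameter $policy | Select-Object DisplayName, State
}
```

Once Security Defaults are off nothing enforces MFA until CA01 is switched from report-only to `enabled`, so do that review the same day rather than leaving the policies in report-only for a week. The break-glass exclusion is what stops a mis-scoped device policy from locking every admin out of the tenant.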

2. Block legacy authentication, properly

Legacy (basic) authentication over IMAP, POP3, SMTP AUTH and older Exchange Web Services clients sends a plain username and password and has no way to complete an MFA prompt, which makes it the side door every credential-stuffing bot tries first. Security Defaults block it at sign-in, but double-check the Exchange Online Authentication Policies as well and explicitly disable basic auth on every mailbox.

  • Audit which mailboxes still allow SMTP AUTH (it's used by some scan-to-email setups and old line-of-business apps)
  • Move those workloads to OAuth-based SMTP or a dedicated, locked-down mail relay
  • Then disable SMTP AUTH at the org level
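The three bullets above as one Exchange Online PowerShell run, added here as an example rather than taken from the original post. It assumes the ExchangeOnlineManagement module with an Exchange Administrator account, the Microsoft.Graph module for the sign-in log query, and a placeholder relay mailbox address for the one workload that cannot move to OAuth yet.

```powershell
# Added example, not the post's own script. Assumes ExchangeOnlineManagement and Microsoft.Graph are installed.
Connect-ExchangeOnline

# 1. Org-level state. $true means SMTP AUTH is off tenant-wide unless a mailbox re-enables it.
Get-TransportConfig | Select-Object SmtpClientAuthenticationDisabled

# 2. Audit: which mailboxes still allow SMTP AUTH. The per-mailbox value is $null when the mailbox
#    inherits the org setting, so test "not explicitly disabled" rather than "-eq $false".
Get-CasMailbox -ResultSize Unlimited |
    Where-Object { $_.SmtpClientAuthenticationDisabled -ne $true } |
    Select-Object DisplayName, PrimarySmtpAddress, SmtpClientAuthenticationDisabled |
    Format-Table -AutoSize

# 3. Who has actually used it in the last 30 days. Each account listed is a scanner, a line-of-business
#    app, or someone else's credential-stuffing success; identify which before cutting it off.
Connect-MgGraph -Scopes "AuditLog.Read.All"
$since = (Get-Date).ToUniversalTime().AddDays(-30).ToString("yyyy-MM-ddTHH:mm:ssZ")
Get-MgAuditLogSignIn -All -Filter "createdDateTime ge $since and clientAppUsed eq 'Authenticated SMTP'" |
    Group-Object UserPrincipalName |
    Select-Object Name, Count |
    Sort-Object Count -Descending

# 4. Migration step: the one device that cannot do OAuth yet gets a single dedicated relay mailbox that is
#    explicitly allowed; everything else keeps inheriting the org setting. Placeholder address.
Set-CasMailbox -Identity "scanner-relay@example.com" -SmtpClientAuthenticationDisabled $false

# 5. Disable SMTP AUTH at the org level, then make "no basic auth" the default authentication policy.
#    A freshly created authentication policy blocks every basic-auth protocol unless you switch one on.
Set-TransportConfig -SmtpClientAuthenticationDisabled $true
New-AuthenticationPolicy -Name "Block Basic Auth"
Set-OrganizationConfig -DefaultAuthenticationPolicy "Block Basic Auth"

# 6. Verify: only the deliberate exception should remain explicitly enabled.
Get-TransportConfig | Select-Object SmtpClientAuthenticationDisabled
Get-CasMailbox -ResultSize Unlimited |
    Where-Object { $_.SmtpClientAuthenticationDisabled -eq $false } |
    Select-Object DisplayName, PrimarySmtpAddress
```

Step 3 is the part people skip: the mailbox audit tells you what is allowed, the sign-in log tells you what is in use, and the difference between the two lists is what you can disable today without anyone noticing.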

3. Get serious about external email warnings and anti-impersonation

The fanciest endpoint protection on earth won't help when your bookkeeper gets an invoice "from the director" asking to redirect a payment. In Defender for Office 365, raise the anti-phishing policy to enable impersonation protection for your top 5-10 internal recipients (directors, finance, ops manager) and your top external domains (your bank, your accountant, your top suppliers).

Then turn on the native external email banner with Set-ExternalInOutlook in Exchange Online PowerShell (it's a tenant-wide switch, not a per-mailbox setting). It puts a yellow "External" tag in front of every message from outside your tenant, a one-second visual cue that catches an enormous amount of impersonation.
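The anti-phishing and External-tag changes from this section in one Exchange Online PowerShell run, added as an example and not taken from the original post. It assumes the ExchangeOnlineManagement module with Security Administrator rights and edits the tenant's default anti-phishing policy; the names, addresses and domains are placeholders.

```powershell
# Added example, not the post's own script. Assumes ExchangeOnlineManagement is installed.
Connect-ExchangeOnline

# Protected users are "DisplayName;EmailAddress" pairs. Keep it to the 5-10 people whose name on an
# email would move money or data. Placeholders below.
$protectedUsers = @(
    "Jane Director;jane.director@example.com",
    "Sam Finance;sam.finance@example.com"
)
# Your own domains are covered by EnableOrganizationDomainsProtection; list the external ones here.
$protectedDomains = @("examplebank.com.au", "exampleaccountants.com.au")

$antiPhish = @{
    Identity                             = "Office365 AntiPhish Default"
    EnableTargetedUserProtection         = $true
    TargetedUsersToProtect               = $protectedUsers
    TargetedUserProtectionAction         = "Quarantine"
    EnableTargetedDomainsProtection      = $true
    TargetedDomainsToProtect             = $protectedDomains
    TargetedDomainProtectionAction       = "Quarantine"
    EnableOrganizationDomainsProtection  = $true
    EnableMailboxIntelligence            = $true          # learns who each user normally corresponds with
    EnableMailboxIntelligenceProtection  = $true
    MailboxIntelligenceProtectionAction  = "MoveToJmf"    # Junk folder, so a false positive is recoverable
    EnableFirstContactSafetyTips         = $true
    EnableSimilarUsersSafetyTips         = $true
    EnableSimilarDomainsSafetyTips       = $true
    EnableUnusualCharactersSafetyTips    = $true
    PhishThresholdLevel                  = 2              # "Aggressive"; 1 is the default
}
Set-AntiPhishPolicy @antiPhish

# The External tag is one switch for the whole tenant. AllowList exempts partner domains from the tag;
# leave it empty until someone can justify an exception.
Set-ExternalInOutlook -Enabled $true -AllowList @()

# Verify. The tag can take a day or two to appear in Outlook clients.
Get-ExternalInOutlook | Select-Object Enabled, AllowList
Get-AntiPhishPolicy -Identity "Office365 AntiPhish Default" |
    Select-Object EnableTargetedUserProtection, TargetedUsersToProtect,
                  EnableTargetedDomainsProtection, TargetedDomainsToProtect
```

Quarantine for impersonation hits means finance sees nothing until an admin releases the message, which is the behaviour you want for "the director asked me to change the bank details"; Junk for mailbox-intelligence hits keeps the softer, learned signal from eating legitimate first-time contacts.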

4. Set up a real backup of Microsoft 365 data

Microsoft replicates your data. Microsoft does not back it up. Their retention policies will not save you from a deleted SharePoint site, a compromised mailbox, or an angry departing employee. Run a third-party backup of Exchange, OneDrive, SharePoint and Teams to immutable cloud storage. We use AWS S3 with Object Lock for our clients — restore-tested quarterly.

This is the single recommendation that has paid for itself the most times in our 25 years.
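An immutable S3 target for the backup copies, added here as an example rather than taken from the original post; it shows the Object Lock setup the paragraph refers to, not any particular backup product. It calls the AWS CLI from PowerShell and assumes the CLI is installed and credentialed; the bucket name, region and retention period are placeholders.

```powershell
# Added example, not the post's own script. Assumes the AWS CLI is installed and has credentials.
$Bucket        = "example-m365-backup-immutable"   # placeholder, must be globally unique
$Region        = "ap-southeast-2"
$RetentionDays = 90

# Object Lock is switched on at creation time; doing so also enables versioning, which it requires.
aws s3api create-bucket --bucket $Bucket --region $Region `
    --create-bucket-configuration LocationConstraint=$Region `
    --object-lock-enabled-for-bucket

# COMPLIANCE mode: no principal, root included, can delete or shorten a locked version before the
# retention period ends. GOVERNANCE mode can be bypassed by a privileged user, which is exactly what
# a stolen admin credential would do, so it is the wrong choice for a backup of last resort.
$lockConfig = @{
    ObjectLockEnabled = "Enabled"
    Rule = @{ DefaultRetention = @{ Mode = "COMPLIANCE"; Days = $RetentionDays } }
} | ConvertTo-Json -Depth 5
$lockFile = Join-Path $env:TEMP "object-lock.json"
Set-Content -Path $lockFile -Value $lockConfig
aws s3api put-object-lock-configuration --bucket $Bucket --object-lock-configuration "file://$lockFile"

# Keep the bucket private regardless of any ACL or policy someone adds later.
aws s3api put-public-access-block --bucket $Bucket --public-access-block-configuration `
    BlockPublicAcls=true,IgnorePublicAcls=true,BlockPublicPolicy=true,RestrictPublicBuckets=true

# Verify what the backup product will be writing into.
aws s3api get-object-lock-configuration --bucket $Bucket
aws s3api get-bucket-versioning --bucket $Bucket

# Prove immutability actually bites: write a test object, then try to delete that version.
# The delete is refused while the retention period is in force, which is the behaviour you are paying for.
$testFile = Join-Path $env:TEMP "locktest.txt"
Set-Content -Path $testFile -Value "lock test $(Get-Date -Format s)"
$put = aws s3api put-object --bucket $Bucket --key locktest.txt --body $testFile | ConvertFrom-Json
aws s3api delete-object --bucket $Bucket --key locktest.txt --version-id $put.VersionId
```

Two consequences worth knowing before you set the retention period: a COMPLIANCE-locked object cannot be removed by anyone until the period lapses, so storage for mistakes is paid for in full, and the backup software's own retention must be at least as long as the lock or it will spend its life failing to delete expired copies.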

5. Tighten Teams & SharePoint external sharing

Out of the box, SharePoint and OneDrive allow "Anyone" links, meaning anyone with the URL can open the document with no sign-in required. For most Australian SMBs that's wildly more permissive than they realise. In the SharePoint admin centre, switch the external sharing default to New and existing guests. Users still get to share with whoever they need to, but every share is authenticated and audit-logged.

While you're there, set link expiry to 30 days for guest links. Most "I just need to send this once" links are still discoverable by Google twelve months later.
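The tenant-level changes from this section, plus the per-site audit that usually turns up a few sites still at "Anyone", as an added example that is not from the original post. It assumes the Microsoft.Online.SharePoint.PowerShell module and a SharePoint Administrator; the tenant name in the admin URL is a placeholder.

```powershell
# Added example, not the post's own script. Assumes the Microsoft.Online.SharePoint.PowerShell module.
Connect-SPOService -Url "https://example-admin.sharepoint.com"   # placeholder tenant

# Before: what the tenant currently allows. ExternalUserAndGuestSharing is the "Anyone" setting.
Get-SPOTenant | Select-Object SharingCapability, DefaultSharingLinkType,
    ExternalUserExpirationRequired, ExternalUserExpireInDays, RequireAnonymousLinksExpireInDays

$sharing = @{
    SharingCapability                 = "ExternalUserSharingOnly"   # "New and existing guests": every external share is authenticated
    DefaultSharingLinkType            = "Internal"                  # the Share dialog defaults to people inside the organisation
    ExternalUserExpirationRequired    = $true                       # guest access lapses unless an owner renews it
    ExternalUserExpireInDays          = 30
    RequireAnonymousLinksExpireInDays = 30                          # belt and braces in case Anyone links are ever re-enabled
}
Set-SPOTenant @sharing

# Sites cannot be more open than the tenant, but the setting is stored per site, so list every site
# that still permits external sharing and review whether it has a business reason to.
Get-SPOSite -Limit All |
    Where-Object { $_.SharingCapability -ne "Disabled" } |
    Select-Object Url, SharingCapability, Owner |
    Sort-Object SharingCapability, Url |
    Format-Table -AutoSize

# Close external sharing entirely on sites that never needed it (placeholder URL).
Set-SPOSite -Identity "https://example.sharepoint.com/sites/Finance" -SharingCapability Disabled

# After: confirm the tenant default took.
Get-SPOTenant | Select-Object SharingCapability, ExternalUserExpirationRequired, ExternalUserExpireInDays
```

Existing "Anyone" links that users created before the change stop working once the tenant no longer permits them, so expect a handful of "my link broke" tickets in the first week; each one is a share that was never meant to be public.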

One bonus: actually look at the Secure Score

The Microsoft 365 Secure Score is hiding in the Defender portal. It scores your tenant against a baseline of best practice and gives you a prioritised, plain-English list of what to fix next. Get yourself to 60% and you're already ahead of most small businesses in the country.
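Pulling the same Secure Score out of Microsoft Graph so you can track the 60% target and see which controls have the most points left, as an added example that is not from the original post. It assumes the Microsoft.Graph module with SecurityEvents.Read.All, and that each control profile's Id matches the ControlName in the score snapshot (an assumption about the API, labelled in the code).

```powershell
# Added example, not the post's own script. Assumes the Microsoft.Graph module is installed.
Connect-MgGraph -Scopes "SecurityEvents.Read.All"

# Most recent daily snapshot.
$score   = Get-MgSecuritySecureScore -Top 1
$percent = [math]::Round(100 * $score.CurrentScore / $score.MaxScore, 1)
"Secure Score: {0} of {1} ({2}%) as at {3:yyyy-MM-dd}" -f $score.CurrentScore, $score.MaxScore, $percent, $score.CreatedDateTime
if ($percent -lt 60) { "Below the 60% target by {0} points" -f [math]::Round($score.MaxScore * 0.6 - $score.CurrentScore, 1) }

# Control profiles carry the maximum points, effort and remediation text for each control.
$profiles = Get-MgSecuritySecureScoreControlProfile -All

# Join the snapshot's per-control scores to the profiles and rank by points still on the table.
# Assumption: a profile's Id equals the snapshot's ControlName.
$headroom = foreach ($control in $score.ControlScores) {
    $profile = $profiles | Where-Object { $_.Id -eq $control.ControlName }
    if (-not $profile) { continue }
    [pscustomobject]@{
        Control  = $control.ControlName
        Category = $control.ControlCategory
        Scored   = $control.Score
        Max      = $profile.MaxScore
        Gap      = $profile.MaxScore - $control.Score
        Effort   = $profile.ImplementationCost
        Impact   = $profile.UserImpact
    }
}
$headroom | Where-Object Gap -gt 0 | Sort-Object Gap -Descending | Select-Object -First 10 | Format-Table -AutoSize
```

Sorting by gap rather than by Microsoft's own ordering makes the low-effort, high-point items (MFA for admins, blocking legacy auth, the anti-phishing settings above) float to the top, which is the same order this post walks through them in.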

Need a hand?

If you'd rather not do this on a Sunday night, this is exactly what we do. Book a free 30-minute review and we'll walk through your tenant with you, screen-share, and tell you what's worth fixing first — no obligation.