Microsoft 365 is already at the centre of how your organisation works. The real question is whether it is also at the centre of how you protect your data.
Too often, security is something that "got added later." It looks like a few settings turned on. A policy or two. Maybe multi-factor authentication (MFA) for admins if someone is feeling adventurous. (And a quiet hope that it's enough.) It rarely is.
It's time to bring Microsoft 365 back to basics!
Security boils down to this: data protection comes first. Not more tools. Not more noise. Just a clear, practical way to harden what you already have without slowing people down.
Most environments we review look pretty similar. Microsoft 365 is broadly adopted and staff rely on Teams, SharePoint, OneDrive and email every day. Access has grown organically, and security remains inconsistent across users and devices. This is where the uncomfortable questions start to pop up. Things like:
If those answers don't come immediately, you're not alone, but you are at risk. Attackers are not looking for complex weaknesses. They look for gaps in identity, devices, and data controls. Microsoft 365 can close those gaps, but only if it is configured deliberately.
Before ANYTHING is changed, get some visibility! This is not just an internal mantra for our team; it is best practice (and common sense, in a world where that is often in short supply).
You need a simple, honest, complete snapshot of your environment:
When I say it needs to be simple, I mean it. Don't waste your time writing a 40-something-page document. It just needs to be accurate, not a literary endeavour.
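As an added example (this is not code from the original article), here is the kind of snapshot I would pull before touching anything: a read-only script using the Microsoft Graph PowerShell SDK that counts members, guests, Global Administrators, MFA registration coverage and the state of security defaults and Conditional Access. It assumes the Microsoft.Graph module is installed and that the account you sign in with can consent to the read-only scopes listed; `Get-M365Snapshot` is our own helper name, and the Global Administrator role template ID is the fixed value Microsoft publishes for every tenant.

```powershell
# Added example, not from the original article: a read-only posture snapshot
# using the Microsoft Graph PowerShell SDK (Install-Module Microsoft.Graph).
# Get-M365Snapshot is our own helper name; nothing here changes the tenant.
Connect-MgGraph -Scopes 'User.Read.All','Directory.Read.All','Policy.Read.All','AuditLog.Read.All' -NoWelcome

function Get-M365Snapshot {
    # Accounts: members, guests, disabled
    $users   = Get-MgUser -All -Property Id,UserPrincipalName,UserType,AccountEnabled
    $members = @($users | Where-Object UserType -eq 'Member')
    $guests  = @($users | Where-Object UserType -eq 'Guest')

    # Global Administrators. The role template ID is fixed across all tenants.
    $gaTemplateId = '62e90394-69f5-4237-9190-012177145e10'
    $gaRole       = Get-MgDirectoryRole -Filter "roleTemplateId eq '$gaTemplateId'"
    $globalAdmins = @(if ($gaRole) { Get-MgDirectoryRoleMember -DirectoryRoleId $gaRole.Id -All })

    # MFA registration coverage from the authentication methods registration report
    $reg           = @(Get-MgReportAuthenticationMethodUserRegistrationDetail -All)
    $mfaRegistered = @($reg | Where-Object IsMfaRegistered).Count

    # Security defaults and Conditional Access policies by state
    $secDefaults = Get-MgPolicyIdentitySecurityDefaultEnforcementPolicy
    $ca          = @(Get-MgIdentityConditionalAccessPolicy -All)

    [pscustomobject]@{
        Members              = $members.Count
        Guests               = $guests.Count
        DisabledAccounts     = @($users | Where-Object { -not $_.AccountEnabled }).Count
        GlobalAdmins         = $globalAdmins.Count
        MfaRegisteredPercent = [math]::Round(100 * $mfaRegistered / [math]::Max($reg.Count, 1), 1)
        SecurityDefaultsOn   = [bool]$secDefaults.IsEnabled
        CAPoliciesEnabled    = @($ca | Where-Object State -eq 'enabled').Count
        CAPoliciesReportOnly = @($ca | Where-Object State -eq 'enabledForReportingButNotEnforced').Count
    }
}

$snapshot = Get-M365Snapshot
$snapshot | Format-List

# Keep a dated copy; the same counts become your ongoing metrics later.
$snapshot | Export-Csv -Path ".\m365-snapshot-$(Get-Date -Format yyyy-MM-dd).csv" -NoTypeInformation
```

One page of numbers like this is the whole "snapshot". If GlobalAdmins is in double figures, MfaRegisteredPercent is well under 100, or both SecurityDefaultsOn and CAPoliciesEnabled are zero, you already know where the baseline work starts.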
From there, define a minimum baseline. Think of this as your "non-negotiables".
Yes, backups.
I cannot overstate this: retention policies are not backups. Retention keeps copies inside the same tenant, under the same admin accounts, and subject to the same policy changes and licence lapses; a backup is a separate copy you can restore from when the tenant itself is the problem.
If you are using Microsoft 365 Business Premium, you already have most of what you need. The issue is rarely licensing. It's configuration, or the lack of it, that causes the most problems.
You don't need dozens of controls. You need three done well.
This is your front door. You wouldn't leave the house unlocked for anybody walking past to waltz in and take whatever they wanted, so why would you leave your organisation exposed?
For example, a finance user logging in from an unknown overseas location on a personal device should be required to pass stronger authentication or be blocked entirely. If that's not what happens today, your identity layer is far too open and needs to change as soon as possible.
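To make the finance scenario concrete, here is an added example (not the article's own code) that creates two Conditional Access policies with the Microsoft Graph PowerShell SDK: one that blocks the Finance group outright from outside the countries you operate in, and one that requires both MFA and a compliant, Intune-managed device whenever they are off a trusted network. It goes slightly beyond the sentence above by adding a named location for the country rule. The group IDs, the country list and the policy names are placeholders; both policies are created in report-only mode so nothing is enforced until you have checked the sign-in logs.

```powershell
# Added example, not from the original article. Two Conditional Access policies for
# the finance scenario, created through the Microsoft Graph PowerShell SDK.
# Placeholders you must replace: $financeGroupId, $breakGlassGroupId, the country list.
Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess','Policy.Read.All' -NoWelcome

$financeGroupId    = '00000000-0000-0000-0000-000000000001'   # placeholder: Finance security group
$breakGlassGroupId = '00000000-0000-0000-0000-000000000002'   # placeholder: emergency-access accounts

# Named location listing the countries you actually operate in (placeholder list).
$allowedCountries = New-MgIdentityConditionalAccessNamedLocation -BodyParameter @{
    '@odata.type'                     = '#microsoft.graph.countryNamedLocation'
    displayName                       = 'Allowed countries'
    countriesAndRegions               = @('AU', 'NZ')
    includeUnknownCountriesAndRegions = $false   # unknown counts as outside, so "unknown overseas" is caught
}

# Policy 1: block Finance outright from outside the allowed countries.
$block = @{
    displayName   = 'CA-Finance-Block-OutsideAllowedCountries'
    state         = 'enabledForReportingButNotEnforced'   # report-only first; set to 'enabled' after review
    conditions    = @{
        users          = @{ includeGroups = @($financeGroupId); excludeGroups = @($breakGlassGroupId) }
        applications   = @{ includeApplications = @('All') }
        locations      = @{ includeLocations = @('All'); excludeLocations = @($allowedCountries.Id) }
        clientAppTypes = @('all')
    }
    grantControls = @{ operator = 'OR'; builtInControls = @('block') }
}

# Policy 2: inside allowed countries but off the trusted office network, require MFA AND a
# compliant (Intune-managed) device. A personal laptop fails the second control and is denied.
$harden = @{
    displayName   = 'CA-Finance-MFA-and-CompliantDevice-OffTrustedNetwork'
    state         = 'enabledForReportingButNotEnforced'
    conditions    = @{
        users          = @{ includeGroups = @($financeGroupId); excludeGroups = @($breakGlassGroupId) }
        applications   = @{ includeApplications = @('All') }
        locations      = @{ includeLocations = @('All'); excludeLocations = @('AllTrusted') }
        clientAppTypes = @('all')
    }
    grantControls = @{ operator = 'AND'; builtInControls = @('mfa', 'compliantDevice') }
}

foreach ($p in @($block, $harden)) {
    New-MgIdentityConditionalAccessPolicy -BodyParameter $p | Select-Object DisplayName, State, Id
}
```

Two practitioner habits are baked in here. The break-glass group is excluded from every policy so a mistake cannot lock the last admin out, and the state is report-only so you can watch the "Report-only" results in the sign-in logs for a week before switching to `enabled`. The `AllTrusted` exclusion only means something once you have marked your office IP ranges as trusted named locations.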
Devices are typically where consistency breaks down. Each staff member may prefer a different kind of device, which means a myriad of builds, patch levels and policies that make it very difficult to secure each one with confidence.
Standardising devices through Intune changes that through:
For shared environments, you need to set clear patterns:
This reduces both risk and support overhead. (Believe me, your IT team will thank you for it.)
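An added example of what "standardising through Intune" looks like in practice (this is our illustration, not code from the article): a Windows compliance policy created through Microsoft Graph that sets the minimum bar any Windows device must meet before Conditional Access treats it as compliant, then assigns it to a device group. The minimum OS build, the policy name and the group ID are placeholders you would set for your own fleet; the property names are those of the Graph `windows10CompliancePolicy` resource.

```powershell
# Added example, not from the original article: a baseline Windows compliance policy
# via Microsoft Graph (v1.0 deviceManagement). Placeholders: osMinimumVersion, $groupId.
Connect-MgGraph -Scopes 'DeviceManagementConfiguration.ReadWrite.All' -NoWelcome

$body = @{
    '@odata.type'            = '#microsoft.graph.windows10CompliancePolicy'
    displayName              = 'Baseline - Windows devices'
    description              = 'Minimum bar for any Windows device that touches company data'
    osMinimumVersion         = '10.0.19045'    # placeholder: the oldest build you still accept
    bitLockerEnabled         = $true            # disk encryption
    secureBootEnabled        = $true
    codeIntegrityEnabled     = $true
    storageRequireEncryption = $true
    activeFirewallRequired   = $true
    defenderEnabled          = $true
    rtpEnabled               = $true            # real-time protection on
    antivirusRequired        = $true
    passwordRequired         = $true
    passwordMinimumLength    = 8
    # Graph requires at least one scheduled action; block immediately (no grace period),
    # so a non-compliant device is refused by the Conditional Access "compliantDevice" control.
    scheduledActionsForRule  = @(
        @{
            ruleName                      = 'PasswordRequired'
            scheduledActionConfigurations = @(
                @{ actionType = 'block'; gracePeriodHours = 0; notificationTemplateId = ''; notificationMessageCCList = @() }
            )
        }
    )
}
$policy = New-MgDeviceManagementDeviceCompliancePolicy -BodyParameter $body
"Created compliance policy $($policy.DisplayName) ($($policy.Id))"

# Assign it to the device group, otherwise it applies to nothing.
$groupId = '00000000-0000-0000-0000-000000000003'   # placeholder: "All corporate Windows" group
$assign = @{
    assignments = @(
        @{ target = @{ '@odata.type' = '#microsoft.graph.groupAssignmentTarget'; groupId = $groupId } }
    )
}
Invoke-MgGraphRequest -Method POST `
    -Uri "https://graph.microsoft.com/v1.0/deviceManagement/deviceCompliancePolicies/$($policy.Id)/assign" `
    -Body $assign
```

The point of the policy is less the individual settings than the fact that there is one list, applied the same way to every device, that Conditional Access can rely on. A device that is not enrolled or that fails the bar simply never becomes "compliant", and the identity layer does the rest.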
This is where most organisations struggle. Data is everywhere. It's often duplicated, mislabelled, misplaced and misclassified. A good starting point is just making it visible and structured. We recommend:
Once you've done that, it's time to layer in protections like:
This means that a confidential document, for example, shouldn't be downloadable to a personal device or shared externally without approval. Once again, backups matter. Whether your data is in Exchange, SharePoint, OneDrive or Teams, everything should be recoverable independently of Microsoft's retention settings.
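As an added example of the two controls just described (this is our code, not the article's), the script below does two things: it creates a data loss prevention policy, in test mode, whose rule blocks files containing Australian tax file numbers or bank account numbers from being shared with anyone outside the organisation, and it sets the SharePoint and OneDrive sharing defaults so that unmanaged devices get browser-only access with no download. It assumes the ExchangeOnlineManagement module (for `Connect-IPPSSession`) and the SharePoint Online Management Shell are installed; the tenant admin URL, policy names and the choice of sensitive information types are placeholders.

```powershell
# Added example, not from the original article. Requires ExchangeOnlineManagement and
# Microsoft.Online.SharePoint.PowerShell. Placeholders: policy/rule names, tenant admin URL.
Connect-IPPSSession

# DLP policy across all four workloads. Start in test mode so you see the hit rate
# (and the false positives) before anything is actually blocked.
New-DlpCompliancePolicy -Name 'Protect confidential data' `
    -ExchangeLocation All -SharePointLocation All -OneDriveLocation All -TeamsLocation All `
    -Mode TestWithNotifications

# Rule: content with a TFN or bank account number may not be shared outside the org.
New-DlpComplianceRule -Name 'Block external sharing of TFN or bank details' `
    -Policy 'Protect confidential data' `
    -ContentContainsSensitiveInformation @(
        @{ Name = 'Australia Tax File Number';     minCount = '1' },
        @{ Name = 'Australia Bank Account Number'; minCount = '1' }
    ) `
    -AccessScope NotInOrganization `
    -BlockAccess $true -BlockAccessScope All `
    -NotifyUser Owner,LastModifier `
    -NotifyPolicyTipCustomText 'This file contains confidential data and cannot be shared outside the organisation.' `
    -GenerateIncidentReport SiteAdmin -IncidentReportContent All

# SharePoint / OneDrive sharing posture:
#  - external sharing only with authenticated guests, never anonymous "anyone" links
#  - new links default to people inside the organisation, view-only
#  - unmanaged (personal) devices get web-only access, with download disabled
Connect-SPOService -Url 'https://contoso-admin.sharepoint.com'   # placeholder tenant admin URL
Set-SPOTenant -SharingCapability ExternalUserSharingOnly `
              -DefaultSharingLinkType Internal `
              -DefaultLinkPermission View `
              -ConditionalAccessPolicy AllowLimitedAccess
```

Two caveats a practitioner would want. `AllowLimitedAccess` only takes effect for users who hit a Conditional Access policy with the "Use app enforced restrictions" session control, so pair it with one. And once the DLP policy has run in test mode for a couple of weeks and the incident reports look sane, switch it to `-Mode Enable` with `Set-DlpCompliancePolicy`; a policy left in test mode forever is a report, not a control.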
Governance fails when it becomes too complex to understand or practically implement. Simple, consistent rules across the organisation are the key to successful data protection. Start with a few areas:
A handful of policies like those are enough to prevent a spiral into chaos. You can refine and alter them later as things change and the organisation grows or shrinks. You just need a solid starting point. Once you've done that, we recommend introducing a light rhythm. This can look like quarterly reviews, regular access clean-ups (especially when there's staff turnover) and ongoing policy tuning. It's also good to track a handful of metrics to show how well these policies are working. These can be:
If you cannot measure it, how do you expect to be able to improve it? (Here's a hint: You can't!)
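For the "regular access clean-ups" part of that rhythm, here is an added example (ours, not the article's) of the one script we would run before every quarterly review: it lists enabled accounts, members and guests alike, with no sign-in in the last 90 days (or never, judged from the creation date), and then disables rather than deletes them, prompting on each one. It uses the Microsoft Graph PowerShell SDK; `Get-StaleAccount` is our own helper name, and reading `signInActivity` needs the Entra ID P1 licence that Business Premium includes.

```powershell
# Added example, not from the original article: find and disable stale accounts.
# Get-StaleAccount is our helper name. signInActivity requires Entra ID P1 (in Business Premium).
Connect-MgGraph -Scopes 'User.ReadWrite.All','AuditLog.Read.All' -NoWelcome

function Get-StaleAccount {
    param([int]$InactiveDays = 90)
    $cutoff = (Get-Date).AddDays(-$InactiveDays)

    Get-MgUser -All -Property Id,UserPrincipalName,UserType,AccountEnabled,CreatedDateTime,SignInActivity |
        Where-Object AccountEnabled |
        ForEach-Object {
            $last = $_.SignInActivity.LastSignInDateTime
            # Accounts that have never signed in have no LastSignInDateTime;
            # judge those by when they were created instead.
            $reference = if ($last) { $last } else { $_.CreatedDateTime }
            if ($reference -lt $cutoff) {
                [pscustomobject]@{
                    UserPrincipalName = $_.UserPrincipalName
                    UserType          = $_.UserType      # Member or Guest
                    LastSignIn        = $last
                    Created           = $_.CreatedDateTime
                    Id                = $_.Id
                }
            }
        }
}

$stale = @(Get-StaleAccount -InactiveDays 90)
"$($stale.Count) enabled accounts with no sign-in in 90 days:"
$stale | Sort-Object UserType, LastSignIn | Format-Table -AutoSize

# Disable, don't delete: a disabled account can be re-enabled in seconds if the
# person turns out to be on leave, and nothing is lost while you confirm with their manager.
foreach ($u in $stale) {
    Update-MgUser -UserId $u.Id -AccountEnabled:$false -Confirm
}
```

The count printed at the top is itself one of the metrics worth tracking: if it is the same list every quarter, leavers are not being offboarded, and that is a process problem, not a tooling one.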
Security that slows people down and hinders their day-to-day ends up being bypassed. The reality is that if there's no flexibility and it can't keep up with the pressures of a fast-paced or unpredictable industry like aged care, healthcare or professional services, it will be sidelined in favour of speed and convenience.
The goal isn't maximum restriction. It's controlled flexibility.
This is where training comes in. No one wants to sit through hours of cheesy, hypothetical scenario videos or role-playing. Training should be short, role-based, practical and to the point. It shouldn't detract from critical work, and it should focus on real risks, not hypotheticals. This includes:
Annual training sessions with everyone in a big group do not change behaviour. Regular, short reminders do.
When Microsoft 365 is configured well:
When it is not:
The difference is not technology. It's intent and follow-through.