
The Only DIY Cyber Security Guide Your Small Business Using Microsoft 365 Will Ever Need

If you prefer to watch rather than read, check out the YouTube video below.
If you run a small professional services firm, you probably rely heavily on Microsoft 365.
Emails
Client files
Teams calls
Contracts
Finance software
Day-to-day communication.
Your whole business runs through it.
And here’s the simple truth.
Most small businesses are nowhere near as secure as they think they are.
Not because anyone has done anything wrong.
But because Microsoft 365 does not come secure out of the box.
The tools are there.
They just aren’t switched on.
This guide shows you exactly what to turn on, what to configure, and how to protect your business using plain English.
No jargon.
No technical waffle.
Just clear steps that work.
And if you ever get halfway through and think, “I’d rather have someone do this for me,” you’re always welcome to take a look at our Managed Cyber Security services or our Managed IT Support.
But let’s begin with what you can do yourself.
1. Start With Microsoft 365 - The Heart of Your Business

Your Microsoft 365 tenant controls everything.
If someone gets into one account, they can get:
Emails
OneDrive files
SharePoint data
Teams messages
Contacts
Calendars
Client information
Confidential documents
Financial records
So we secure this first.
If you want deeper help with Microsoft 365, you can always look at our Microsoft 365 services.
Let’s get the foundations right.
1.1 Turn on MFA for every account

Multi-Factor Authentication (MFA) is the strongest and simplest protection you can enable.
If someone steals your password, MFA still stops them.
It should be on for:
Staff
Directors
Admins
Shared accounts
Temporary users
If an account exists, it needs MFA.
1.2 Turn on number matching to stop accidental approvals
Attackers try “MFA fatigue” attacks by sending endless approval prompts.
Number matching fixes this.
The user must type a number from the screen into their phone.
You cannot approve by accident.
1.3 Block legacy authentication

Legacy authentication includes old login methods like:
POP
IMAP
Basic Authentication
SMTP AUTH (unless needed)
These don’t support MFA.
Leaving them on is like having a brand-new lock on your front door but leaving a side door open.
Turn them off.
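The Exchange Online side of this step, as an added example rather than code from the original post: it sets a tenant-wide authentication policy that blocks Basic Auth, turns off SMTP AUTH, and disables POP and IMAP on every mailbox that still has them. It assumes the ExchangeOnlineManagement module is installed and you hold the Exchange Administrator role; the admin address is a placeholder.

```powershell
# Added example, not code from the original post: turn off legacy protocols in Exchange Online.
# Assumes the ExchangeOnlineManagement module is installed and you hold the Exchange Administrator role.
# Microsoft has already switched Basic Authentication off for Exchange Online (SMTP AUTH being the
# exception); the policy below keeps it off, and the per-mailbox changes remove POP and IMAP entirely.
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline -UserPrincipalName 'admin@contoso.example'   # placeholder: your admin account

# 1. A new authentication policy blocks Basic Auth for every protocol by default.
#    Making it the tenant default means every mailbox without an explicit policy gets it.
$policyName = 'Block Basic Authentication'
if (-not (Get-AuthenticationPolicy -Identity $policyName -ErrorAction SilentlyContinue)) {
    New-AuthenticationPolicy -Name $policyName | Out-Null
}
Set-OrganizationConfig -DefaultAuthenticationPolicy $policyName

# 2. Turn off SMTP AUTH for the whole tenant. A scanner or line-of-business app that genuinely
#    needs it can be re-enabled on its own mailbox with Set-CASMailbox -SmtpClientAuthenticationDisabled $false
Set-TransportConfig -SmtpClientAuthenticationDisabled $true

# 3. Turn off POP and IMAP on every mailbox that still has them, keeping a record of what changed.
$legacyFilter = 'PopEnabled -eq $true -or ImapEnabled -eq $true'
$changed = foreach ($mbx in Get-CASMailbox -ResultSize Unlimited -Filter $legacyFilter) {
    Set-CASMailbox -Identity $mbx.Identity -PopEnabled $false -ImapEnabled $false
    [pscustomobject]@{ Mailbox = $mbx.PrimarySmtpAddress; PopWas = $mbx.PopEnabled; ImapWas = $mbx.ImapEnabled }
}
$changed | Format-Table -AutoSize

# 4. Verify: this should now return nothing.
Get-CASMailbox -ResultSize Unlimited -Filter $legacyFilter |
    Select-Object PrimarySmtpAddress, PopEnabled, ImapEnabled
Disconnect-ExchangeOnline -Confirm:$false
```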
1.4 Remove old accounts and shared mailboxes
Every small business has “ghost accounts”:
Staff who left years ago
Temporary accounts
Old shared mailboxes
Test users
These accounts can be used to break in.
Review your user list quarterly
Remove what you don’t need
Block and archive accounts properly.
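One way to run the quarterly review, as an added example that is not part of the original post: it lists every account (guests included) with no sign-in for 90 days and, after you have reviewed the list, blocks sign-in rather than deleting. It assumes the Microsoft.Graph PowerShell SDK and an Entra ID P1 licence, which the SignInActivity property requires.

```powershell
# Added example, not code from the original post: list "ghost accounts" with no sign-in for 90 days.
# Assumes the Microsoft.Graph PowerShell SDK and a Microsoft Entra ID P1 licence (the SignInActivity
# property is only returned on P1/P2 tenants), plus the User Administrator role to block sign-in.
Import-Module Microsoft.Graph.Users
Connect-MgGraph -Scopes 'User.Read.All', 'AuditLog.Read.All' -NoWelcome

function Get-StaleAccount {
    param([int]$Days = 90)
    $now    = Get-Date
    $cutoff = $now.AddDays(-$Days)
    $users  = Get-MgUser -All -PageSize 100 -Property Id, DisplayName, UserPrincipalName,
                  AccountEnabled, UserType, CreatedDateTime, SignInActivity
    foreach ($u in $users) {
        # Take the most recent of interactive and non-interactive sign-in; a mailbox that only
        # syncs from a phone still shows up as a non-interactive sign-in.
        $last = @($u.SignInActivity.LastSignInDateTime,
                  $u.SignInActivity.LastNonInteractiveSignInDateTime) |
                Where-Object { $_ } | Sort-Object -Descending | Select-Object -First 1
        # An account that has never signed in is judged by its creation date instead.
        $reference = if ($last) { $last } else { $u.CreatedDateTime }
        if ($reference -lt $cutoff) {
            [pscustomobject]@{
                User       = $u.UserPrincipalName
                Type       = $u.UserType          # guest accounts show up here too
                Enabled    = $u.AccountEnabled
                LastSignIn = if ($last) { $last.ToString('yyyy-MM-dd') } else { 'never' }
                DaysIdle   = [int]($now - $reference).TotalDays
                Id         = $u.Id
            }
        }
    }
}

$stale = Get-StaleAccount -Days 90 | Sort-Object DaysIdle -Descending
$stale | Format-Table User, Type, Enabled, LastSignIn, DaysIdle -AutoSize

# Review the list first. Block sign-in rather than delete, so mail and files can still be archived.
# -WhatIf only shows what would change; remove it once you are happy with the list.
$stale | Where-Object Enabled | ForEach-Object {
    Update-MgUser -UserId $_.Id -AccountEnabled:$false -WhatIf
}
Disconnect-MgGraph | Out-Null
```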
1.5 Use Conditional Access to enforce sensible rules
Conditional Access is one of the most important tools inside Microsoft 365.
It lets you set simple rules like:
Only allow logins from the UK
Only allow access from devices you trust
Block outdated or risky operating systems
Require MFA for risky situations
Block access from outside your business network
A few basic rules make a huge difference.
If you want help with Conditional Access or Intune, you can read more here: 👉 Microsoft Intune & Conditional Access
1.6 Turn off insecure protocols and apps
Disable anything that:
Uses old authentication
Does not support MFA
Isn’t needed for your business
It removes unnecessary entry points.
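The two Conditional Access rules that do most of the work in this section, as an added example and not code from the original post: one blocks the legacy client types from 1.3, the other requires MFA for everyone (1.1). Both are created in report-only mode so you can watch the sign-in log before enforcing. Conditional Access needs an Entra ID P1 licence (included in Microsoft 365 Business Premium); the script assumes the Microsoft.Graph SDK, the Conditional Access Administrator role, and a break-glass group whose object ID you paste in.

```powershell
# Added example, not code from the original post: two Conditional Access policies, created in
# report-only mode so you can watch the sign-in log before enforcing. Assumes the Microsoft.Graph
# SDK, the Conditional Access Administrator role, and a break-glass group whose object ID you paste in.
Import-Module Microsoft.Graph.Identity.SignIns
Connect-MgGraph -Scopes 'Policy.Read.All', 'Policy.ReadWrite.ConditionalAccess' -NoWelcome

$breakGlassGroupId = '00000000-0000-0000-0000-000000000000'   # placeholder: your emergency-access group

# Policy 1: block the client types that cannot do MFA (the "legacy authentication" of section 1.3).
$blockLegacy = @{
    displayName   = 'Block legacy authentication'
    state         = 'enabledForReportingButNotEnforced'     # change to 'enabled' after review
    conditions    = @{
        users          = @{ includeUsers = @('All'); excludeGroups = @($breakGlassGroupId) }
        applications   = @{ includeApplications = @('All') }
        clientAppTypes = @('exchangeActiveSync', 'other')
    }
    grantControls = @{ operator = 'OR'; builtInControls = @('block') }
}

# Policy 2: MFA for everyone, on every app (section 1.1), with the same break-glass exclusion.
$requireMfa = @{
    displayName   = 'Require MFA for all users'
    state         = 'enabledForReportingButNotEnforced'
    conditions    = @{
        users          = @{ includeUsers = @('All'); excludeGroups = @($breakGlassGroupId) }
        applications   = @{ includeApplications = @('All') }
        clientAppTypes = @('all')
    }
    grantControls = @{ operator = 'OR'; builtInControls = @('mfa') }
}

foreach ($policy in @($blockLegacy, $requireMfa)) {
    $existing = Get-MgIdentityConditionalAccessPolicy -Filter "displayName eq '$($policy.displayName)'"
    if ($existing) {
        Write-Host "Already exists, skipping: $($policy.displayName)"
        continue
    }
    $created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
    Write-Host "Created '$($created.DisplayName)' in state $($created.State)"
}
Disconnect-MgGraph | Out-Null
```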
2. Protect Every Laptop - Your Most Common Entry Point

Most cyber-attacks start with a device.
Someone clicks a link.
Downloads a file.
Uses an out-of-date machine.
Runs software they shouldn’t.
Or logs into email on an unprotected laptop.
Here’s how to fix that.
2.1 Use modern endpoint protection (not old antivirus)
Old antivirus tools rely on recognising known viruses.
Modern attacks don’t work that way.
You need endpoint protection that:
Detects unusual behaviour
Blocks attacks instantaneously
Rolls back damage
Monitors continuously
Uses cloud intelligence
Protects against ransomware
It’s like having a guard dog on every laptop.
2.2 Automate Windows and third-party updates
Updates fix security holes.
If devices aren’t updated automatically, attackers will eventually find a way in.
Make sure:
Windows updates automatically
Office updates automatically
Browsers update automatically
Tools like Adobe update automatically
Do not rely on staff
Automate it.
2.3 Turn on device encryption (BitLocker)
If a device is lost or stolen, encryption keeps the data safe.
Without BitLocker:
Anyone can remove the laptop’s drive and read the data.
With BitLocker:
Everything is protected.
Turn this on for every device.
2.4 Remove local admin rights
Local admin rights allow staff to:
Install risky software
Disable security
Change protected settings
Bypass controls
Remove local admin rights from everyone.
Grant temporary admin access only when needed, then remove it.
3. Manage Everything Centrally With Microsoft Intune

Intune lets you manage laptops, desktops, and mobile devices from one place.
No guessing.
No hoping everything is configured correctly.
No relying on staff to follow instructions.
Intune enforces your rules for you.
If you want more help with Intune, here’s a full guide: 👉 Microsoft Intune & Conditional Access
3.1 Enforce security policies automatically
Intune can enforce:
Encryption
Antivirus
Password rules
Screen lock timers
Device compliance rules
Once you set it, every device follows it.
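A way to confirm that every device really does follow the rules, as an added example that is not code from the original post: it pulls every Intune-managed device and flags those that are non-compliant, not encrypted, or have not checked in for a week. It assumes the Microsoft.Graph SDK and the Intune Administrator (or Global Reader) role.

```powershell
# Added example, not code from the original post: confirm Intune is actually enforcing what you set.
# Flags devices that are non-compliant, not encrypted, or have not checked in for 7 days.
# Assumes the Microsoft.Graph SDK and the Intune Administrator (or Global Reader) role.
Import-Module Microsoft.Graph.DeviceManagement
Connect-MgGraph -Scopes 'DeviceManagementManagedDevices.Read.All' -NoWelcome

function Get-DeviceHealthReport {
    param([int]$StaleDays = 7)
    $cutoff  = (Get-Date).AddDays(-$StaleDays)
    $devices = Get-MgDeviceManagementManagedDevice -All -Property DeviceName, UserPrincipalName,
                   OperatingSystem, OSVersion, ComplianceState, IsEncrypted, LastSyncDateTime
    foreach ($d in $devices) {
        $problems = @()
        if ($d.ComplianceState -ne 'compliant') { $problems += "compliance: $($d.ComplianceState)" }
        if (-not $d.IsEncrypted)                { $problems += 'not encrypted' }
        if ($d.LastSyncDateTime -lt $cutoff)    { $problems += "last check-in $($d.LastSyncDateTime.ToString('yyyy-MM-dd'))" }
        [pscustomobject]@{
            Device   = $d.DeviceName
            User     = $d.UserPrincipalName
            OS       = "$($d.OperatingSystem) $($d.OSVersion)"
            Problems = $problems -join '; '
        }
    }
}

$report = Get-DeviceHealthReport -StaleDays 7
$report | Where-Object Problems | Sort-Object Device | Format-Table -AutoSize
'{0} of {1} devices need attention' -f @($report | Where-Object Problems).Count, @($report).Count
Disconnect-MgGraph | Out-Null
```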
3.2 Stop risky or unknown apps
If you don’t allow it, staff can’t install it.
This stops:
Malware
Games
Consumer apps
High-risk tools
Unapproved software
Your devices stay clean and secure.
3.3 Wipe company data from lost or stolen devices
Staff lose phones.
Laptops get stolen.
It happens.
Intune lets you wipe just the business data remotely.
Not their photos.
Not their personal apps.
Just your confidential information.
3.4 Deploy apps and settings automatically
New staff get:
All the right apps
All your settings
All your security controls
No manual setup needed.
4. Use Autopilot for Clean, Consistent Laptop Deployment

Autopilot makes onboarding simple.
A brand-new laptop arrives.
The user logs in.
Everything configures itself.
Your security.
Your apps.
Your policies.
Your compliance rules.
It’s quick, clean, and consistent.
And if you ever need them, there’s a full explanation of Intune reset methods here: 👉 Autopilot Reset & Fresh Start
5. Back Up Your Microsoft 365 Data Properly

This part is crucial.
Microsoft does not back up your data in the way most people think.
You need a proper backup system that protects:
Emails
OneDrive files
SharePoint sites
Teams chats
Deleted items
Long-term versions
Ransomware recovery
And you need backups that are immutable, meaning they can’t be changed or deleted by attackers.
Test your backups monthly.
If you haven’t tested a backup, it isn’t a backup.
I always advise clients that backups are worthless, but restores are priceless.
You must be willing to invest the time and money into protecting your data.
6. Block Dangerous Websites With DNS Filtering

DNS filtering stops staff reaching dangerous websites: the request is blocked before the browser ever gets to the site, keeping that danger well away from your business.
DNS filtering protects staff from:
Fake login pages
Phishing websites
Malware downloads
Dangerous redirects
High-risk domains
It works silently in the background.
You won’t even notice it.
But it will protect you from a lot of trouble.
7. Secure Your Internet Connection

Even the best internal security won’t help if your internet connection is weak.
Check your router:
Update the firmware
Change the default password
Disable features you don’t use
Remove old port-forwarding rules
Enable WPA3 if available
Use a business-grade router where possible
If staff work from home, ask them to do the same.
8. Protect Mobile Devices

Phones hold a surprising amount of sensitive data.
Emails
Files
Teams chats
Contacts
Client information.
Use Intune to:
Enforce PIN or biometric login
Encrypt the phone
Block copying data into personal apps
Wipe business data if the phone is lost
A lost phone shouldn’t mean a data breach.
9. Train Your Team to Spot Threats

Your people are your biggest vulnerability.
But also your strongest defence.
Short, regular training is best.
Teach them to spot:
Phishing attempts
Fake Microsoft pages
Dodgy links
Invoice scams
Impersonation attempts
Suspicious attachment types
You don’t need long sessions.
You just need to build awareness over time.
Our Cyber Security services page explains more about the risks businesses face.
10. Stop Accidental File Sharing and Guest Access Leaks

One of the easiest mistakes in Microsoft 365 is sharing something publicly without realising.
Check:
OneDrive sharing settings
SharePoint permissions
Teams guest access
Old “anyone with the link” shares
Shared folders that should be private
Review external sharing quarterly.
Remove anything unnecessary.
11. Reduce Shadow IT

Shadow IT happens when staff use:
Personal Dropbox
Personal Google Drive
WhatsApp
Personal emails
Unapproved apps
They are trying to make life easier, but it creates risk.
Give them approved tools and explain why it matters.
A lot of Shadow IT disappears once people understand the risks.
12. Enable DMARC, SPF, and DKIM

These stop criminals sending emails pretending to be you.
If you’ve ever had a client say:
“I got an email from you, but it didn’t look right.”
This is why.
You can read more here: 👉 DMARC, SPF & DKIM Explained
Turn all three on.
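A quick way to check that all three are actually published for your domain, as an added example and not code from the original post: it uses Resolve-DnsName, which is built into Windows PowerShell, and assumes the two DKIM selectors Microsoft 365 publishes as CNAME records (selector1 and selector2). The domain example.com is a placeholder for your own.

```powershell
# Added example, not code from the original post: check a domain's SPF, DKIM and DMARC records with
# Resolve-DnsName. Assumes the two DKIM selectors Microsoft 365 publishes as CNAMEs (selector1,
# selector2); example.com is a placeholder for your own domain.
function Test-EmailAuthRecords {
    param(
        [Parameter(Mandatory)][string]$Domain,
        [string[]]$DkimSelectors = @('selector1', 'selector2')
    )
    function Get-TxtRecord([string]$Name) {
        Resolve-DnsName -Name $Name -Type TXT -ErrorAction SilentlyContinue |
            Where-Object Type -eq 'TXT' | ForEach-Object { $_.Strings -join '' }
    }

    $issues = @()
    $spfAll = @(Get-TxtRecord $Domain | Where-Object { $_ -like 'v=spf1*' })
    $spf    = $spfAll | Select-Object -First 1
    if ($spfAll.Count -eq 0)          { $issues += 'No SPF record' }
    elseif ($spfAll.Count -gt 1)      { $issues += 'More than one SPF record (receivers treat this as a permanent error)' }
    elseif ($spf -notmatch '\s-all$') { $issues += "SPF does not end in -all (hard fail); found '$spf'" }

    $dmarc = @(Get-TxtRecord "_dmarc.$Domain" | Where-Object { $_ -like 'v=DMARC1*' }) | Select-Object -First 1
    if (-not $dmarc)                        { $issues += 'No DMARC record' }
    elseif ($dmarc -match '(^|;)\s*p=none') { $issues += 'DMARC policy is p=none: spoofed mail is only reported, not rejected' }
    elseif ($dmarc -notmatch '(^|;)\s*p=(quarantine|reject)') { $issues += 'DMARC record has no usable policy tag' }

    # Microsoft 365 DKIM: selectorN._domainkey.<domain> is a CNAME to the tenant's onmicrosoft.com key.
    $dkim = foreach ($s in $DkimSelectors) {
        $cname = Resolve-DnsName -Name "$s._domainkey.$Domain" -Type CNAME -ErrorAction SilentlyContinue
        [pscustomobject]@{ Selector = $s; Published = [bool]$cname; Target = ($cname.NameHost -join ',') }
    }
    if (-not ($dkim | Where-Object Published)) { $issues += 'No DKIM CNAME found for the Microsoft 365 selectors' }

    [pscustomobject]@{ Domain = $Domain; SPF = $spf; DMARC = $dmarc; DKIM = $dkim; Issues = $issues }
}

$result = Test-EmailAuthRecords -Domain 'example.com'
$result | Format-List Domain, SPF, DMARC
$result.DKIM | Format-Table -AutoSize
if ($result.Issues) { $result.Issues | ForEach-Object { "WARNING: $_" } } else { 'SPF, DKIM and DMARC all look good.' }
```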
13. Have a Simple Incident Response Plan

You don’t need a thick binder.
Just a clear, calm, simple plan.
If something looks wrong:
1. Stay calm
Panic makes the damage worse.
2. Disconnect the device
Turn off Wi-Fi. Unplug the cable.
3. Change the affected password
Start with Microsoft 365.
4. Alert whoever manages your IT
5. Check other devices
Look for unusual activity.
6. Restore what you need from backup
7. Fix the gap so it doesn’t happen again
Simple.
Effective.
Clear.
14. Do Weekly and Monthly Checks

Nothing too heavy.
Just simple checks.
Weekly (5 minutes)
Any odd login attempts
Any strange inbox rules
Any failed backups
Any unexpected file sharing
Any devices not reporting in
Monthly
Review admin accounts
Check external file sharing
Confirm Conditional Access rules
Confirm BitLocker is enabled
Review guest users
Check backup restore tests
Review Intune compliance
Check security alerts
These small checks prevent big disasters.
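The "strange inbox rules" item from the weekly list, as an added example that is not code from the original post: it lists every mailbox rule that forwards or redirects mail outside the business, deletes it, or moves it somewhere it will not be read. It assumes the ExchangeOnlineManagement module and the Exchange Administrator role; the admin address is a placeholder.

```powershell
# Added example, not code from the original post: the weekly check for suspicious inbox rules.
# A rule that quietly forwards, deletes or buries mail is the usual sign of a hijacked mailbox.
# Assumes the ExchangeOnlineManagement module and the Exchange Administrator role.
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline -UserPrincipalName 'admin@contoso.example'   # placeholder: your admin account

# Every domain the tenant owns; a forwarding target anywhere else counts as external.
$internalDomains = @(Get-AcceptedDomain | ForEach-Object { "$($_.DomainName)".ToLower() })

function Test-ExternalTarget([string[]]$Targets) {
    foreach ($t in $Targets) {
        # Targets look like '"Bob" [SMTP:bob@example.net]'; pull the domain after the first '@'.
        if ($t -match '@([\w.-]+)' -and $internalDomains -notcontains $Matches[1].ToLower()) { return $true }
    }
    return $false
}

$findings = foreach ($mbx in Get-Mailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox) {
    foreach ($rule in Get-InboxRule -Mailbox $mbx.PrimarySmtpAddress) {
        $targets = @(@($rule.ForwardTo) + @($rule.ForwardAsAttachmentTo) + @($rule.RedirectTo) |
                     Where-Object { $_ } | ForEach-Object { "$_" })
        $why = @()
        if ($targets -and (Test-ExternalTarget $targets)) { $why += 'forwards outside the business' }
        if ($rule.DeleteMessage)                           { $why += 'deletes messages' }
        if ("$($rule.MoveToFolder)" -match 'RSS|Archive|Junk|Deleted') { $why += "moves to $($rule.MoveToFolder)" }
        if ($why) {
            [pscustomobject]@{
                Mailbox = $mbx.PrimarySmtpAddress
                Rule    = $rule.Name
                Enabled = $rule.Enabled
                Why     = $why -join '; '
                Targets = $targets -join ', '
            }
        }
    }
}
if ($findings) { $findings | Format-Table -AutoSize } else { 'No suspicious inbox rules found.' }
Disconnect-ExchangeOnline -Confirm:$false
```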
15. Align Everything With Cyber Essentials

Cyber Essentials focuses on the basics:
Firewalls
Secure configuration
Access control
Patch management
Malware protection
Most of this guide directly supports Cyber Essentials certification.
If you plan to certify later, you’ll already be most of the way there.
Bringing It All Together

Cyber security does not need to be complicated.
You just need the right protections, in the right order, kept simple and clear.
Secure Microsoft 365.
Protect your devices.
Use Intune.
Use Autopilot.
Back up your data.
Train your team.
Check things regularly.
And have a simple plan for when something goes wrong.
Do that, and your business becomes far harder to attack.
If you ever want someone to take this off your hands, our Managed Cyber Security services and Managed IT Support are designed specifically for small professional services firms that want simple, secure, personal support.
Simplifying IT, Securing Your Business.