We Ran a Microsoft 365 Security Audit for 10 Singapore Companies — Here’s What We Found

Anonymized findings from 10 Microsoft 365 security audits across Singapore SMEs. Every company had critical gaps — here's how to check yours.

Over the past quarter, we helped 10 Singapore SMEs audit their Microsoft 365 security configurations. The results were… sobering. Every single company had at least 3 critical gaps, and most didn’t know it.

I’m sharing the anonymized findings here because these patterns repeat so consistently that they’re practically universal among businesses running M365 without dedicated security oversight.

Finding #1: MFA Not Enforced for All Users (9 out of 10)

Nine companies had MFA enabled for “most” users but not enforced for everyone. The gaps were usually service accounts, the CEO’s account (“it’s annoying”), or newly onboarded employees who hadn’t completed setup. One unprotected admin account is all it takes.

Finding #2: No Conditional Access Policies (7 out of 10)

Seven companies had zero Conditional Access policies. That means any device, from any location, could access company data with just a username and password. No geo-restrictions, no device compliance checks, no risk-based authentication.

Finding #3: External Sharing Wide Open in SharePoint (8 out of 10)

Eight companies had SharePoint external sharing set to “Anyone with the link.” Files shared externally stayed shared forever — no expiration, no password, no audit trail of who accessed what.

Finding #4: No Email Backup (10 out of 10)

Every single company assumed Microsoft backs up their email. Microsoft doesn’t. Their retention policies protect against infrastructure failure, not against accidental deletion, ransomware encryption, or a disgruntled employee wiping their mailbox. Cloud backup solutions like Acronis exist specifically for this gap.

Finding #5: Audit Logging Disabled (6 out of 10)

Six companies had unified audit logging turned off. When something goes wrong — and it eventually will — you need logs to understand what happened. Without them, incident response is guesswork.

What You Can Do Today

If you’re running Microsoft 365 for your team, these five checks take less than an hour:

  1. Verify MFA is enforced (not just enabled) for every account, including service accounts
  2. Set up at least one Conditional Access policy blocking sign-ins from impossible travel locations
  3. Restrict SharePoint external sharing to “Only people in your organization” as the default
  4. Deploy a third-party backup solution for Exchange, OneDrive, and SharePoint
  5. Enable unified audit logging in the Microsoft 365 compliance center
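The four checks that can be read from tenant settings (1, 2, 3 and 5), as an added read-only PowerShell script that is not part of the original post. It assumes the Microsoft.Graph, ExchangeOnlineManagement and Microsoft.Online.SharePoint.PowerShell modules are installed, that the signed-in account has read permissions, and that "contoso" is a placeholder tenant name; check 4 (backup) has no tenant setting to query, so it is noted rather than tested.

```powershell
# Added example (not from the original post): read-only checks for findings 1, 2, 3 and 5.
# Assumes the Graph, Exchange Online and SharePoint Online admin modules are installed;
# 'contoso' is a placeholder for your tenant name.
Connect-MgGraph -Scopes 'Policy.Read.All','AuditLog.Read.All' -NoWelcome
Connect-ExchangeOnline -ShowBanner:$false
Connect-SPOService -Url 'https://contoso-admin.sharepoint.com'

$findings = [System.Collections.Generic.List[string]]::new()

# 1. MFA: the registration report lists users with no MFA method at all. Registration is not
#    enforcement, so Security Defaults (below) or an enforced CA policy is also checked.
$noMfa = Get-MgReportAuthenticationMethodUserRegistrationDetail -All |
    Where-Object { -not $_.IsMfaRegistered }
foreach ($u in $noMfa) {
    $tag = if ($u.IsAdmin) { 'ADMIN ' } else { '' }
    $findings.Add("MFA not registered: $tag$($u.UserPrincipalName)")
}
$secDefaults = Get-MgPolicyIdentitySecurityDefaultEnforcementPolicy

# 2. Conditional Access: count only policies in the 'enabled' state; report-only ones enforce nothing.
$enforced = Get-MgIdentityConditionalAccessPolicy | Where-Object { $_.State -eq 'enabled' }
if (-not $enforced -and -not $secDefaults.IsEnabled) {
    $findings.Add('No enforced Conditional Access policy and Security Defaults are off')
}

# 3. SharePoint: 'ExternalUserAndGuestSharing' is the "Anyone with the link" setting;
#    an expiry of 0 (or unset, -1) means anonymous links never expire.
$spo = Get-SPOTenant
if ($spo.SharingCapability -eq 'ExternalUserAndGuestSharing') {
    $findings.Add('SharePoint external sharing allows anonymous links')
    if ($spo.RequireAnonymousLinksExpireInDays -le 0) {
        $findings.Add('Anonymous links have no expiration')
    }
}

# 5. Unified audit log ingestion is an Exchange Online setting.
if (-not (Get-AdminAuditLogConfig).UnifiedAuditLogIngestionEnabled) {
    $findings.Add('Unified audit logging is disabled')
}

# 4. Backup: no tenant setting exposes this; verify the last successful job in your backup product.
if ($findings.Count -eq 0) { 'No gaps found in the four automated checks' } else { $findings }
```

Run it from an admin workstation with a Global Reader or equivalent role; every cmdlet used is a Get-* call, so nothing in the tenant is changed.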

If you’d rather have someone else handle this, managed cybersecurity services exist for exactly this reason. A good provider will set up Conditional Access, DLP policies, and continuous monitoring so you can focus on your actual business.

If your company is already on Microsoft 365 Business Premium or E5, you’re sitting on powerful security tools (Defender, Intune, Information Protection) that are included in your license but probably not configured. That’s like buying a car with airbags and never connecting them.
