Brisbane IT & cybersecurity support · 15+ years · no outsourcing · 0491 054 503
Ewan Me ITFree scan →
← All articles

24 October 2025 · 4 min read

Top security settings every small business should enable today

There's an afternoon of free security work sitting in your Microsoft 365 admin centre right now - protections you're already paying for, switched off by default.

Attackers don't pick locks; they try doors until one opens. These eight settings shut the doors small businesses most often leave open, and none of them cost anything extra.

The checklist

1. Turn on multi-factor authentication (MFA) for everyone. MFA means a password alone isn't enough to log in - you also approve a prompt on your phone. It's the single biggest win here, and it stops the overwhelming majority of account takeovers. Do this one first, even if you do nothing else.

2. Block legacy authentication. Legacy auth is old sign-in methods that can't do MFA - the exact door attackers use to skip the prompt you just set up. Blocking it in Microsoft 365 closes that gap. A handful of very old apps may need updating, but for most small businesses nothing breaks.

3. Set up the conditional access basics. Conditional access is a set of simple rules for when and where sign-ins are allowed - for example, require MFA on every login, or flag sign-ins from countries you never work in. You don't need anything fancy. A couple of sensible rules quietly stop a lot of nonsense.

4. Review your admin accounts and cut back the access. Admin accounts can change anything, so they're the prize attackers want. Check who actually has admin rights, remove anyone who doesn't need it, and give people only the access their job requires. Fewer admins means fewer keys to the kingdom.

5. Turn on audit logging. Audit logging records who did what and when across your Microsoft 365 environment. If something ever goes wrong, this is the difference between knowing exactly what happened and guessing. It's off or under-used in a lot of tenants - switch it on now so the history is there when you need it.

6. Sort out your email authentication - SPF, DKIM and DMARC. These are three DNS records that prove your emails genuinely came from you. Without them, scammers can send messages that look like they're from your business, and your real emails are more likely to land in spam. Getting all three in place protects your name and your customers.

7. Turn on device encryption and check your backups. Encryption (BitLocker on Windows, FileVault on Mac) scrambles the data on a laptop so a stolen device doesn't hand over your files. Backups mean that if a device dies or gets hit by ransomware, you can restore and carry on. Confirm both are actually on - don't assume.

8. Set a sensible password and passkey policy. Long passwords beat complicated ones, so encourage passphrases and stop forcing constant resets that just push people to write them on a sticky note. Better still, enable passkeys or the Microsoft Authenticator app for passwordless sign-in - it's harder to steal and easier to use.

Why these are the cheap wins

None of the above needs new software or a big budget. It's mostly toggling on protections you're already paying for inside Microsoft 365, plus a few DNS records.

Attackers go for the easy targets - the accounts with no MFA, the admin logins nobody's checked, the domain anyone can spoof. Close those and you've dealt with the bulk of the real-world risk. The expensive, complicated security work matters far less if the basics aren't done first.

A quick note on order: MFA and blocking legacy auth are the two to prioritise. Everything else strengthens the walls, but those two lock the front door.

A realistic way to tackle it

You don't have to do all eight in one sitting. A reasonable run:

  • This week: MFA for everyone, block legacy auth.
  • Next: review admin accounts, turn on audit logging.
  • After that: SPF/DKIM/DMARC, conditional access rules.
  • Ongoing: device encryption, backups and password/passkey policy as part of normal setup.

Tick them off one at a time and you'll be in far better shape than most small businesses in Brisbane.

Take the list and run

Genuinely - screenshot the checklist, hand it to whoever looks after your IT, and ask which ones are done. If the answer comes back fuzzy, the free scan will give you the honest version.

Want me to check your domain?

Free health check, plain-English action list, yours to keep.