Microsoft 365 is powerful — but out of the box, it is not fully secure. Here are the essential steps every Toronto small business should take to protect their accounts, data, and email from today's most common threats.
Microsoft 365 Is Not Secure by Default
Microsoft 365 is the backbone of most small business operations in Toronto. Email, file storage, Teams meetings, shared calendars — it handles all of it. But there is a common and dangerous misconception: that because Microsoft is a global enterprise company, their product is automatically secure.
It is not. Out of the box, Microsoft 365 ships with settings optimized for ease of use, not security. Many of the most important protections are turned off by default and require deliberate configuration. Phishing attacks, business email compromise, and ransomware incidents increasingly exploit exactly these gaps — and small businesses are frequent targets because attackers know that setup is often rushed.
This guide walks through the most important security steps for Microsoft 365, roughly in order of priority. You do not need to do all of this in a single afternoon — but every item on this list meaningfully reduces your risk.
1. Enable Multi-Factor Authentication for Every Account
This is the single most impactful thing you can do. Multi-factor authentication (MFA) requires users to verify their identity with a second method — typically a phone app — in addition to their password. Microsoft's own data shows that MFA blocks over 99% of automated account compromise attacks.
Microsoft provides detailed setup instructions in their Microsoft 365 MFA setup guide. For most small businesses, the Microsoft Authenticator app is the simplest and most secure option.
Do not rely on SMS text message codes as your only MFA method: SIM-swapping attacks can intercept them. Use the Microsoft Authenticator app with number matching whenever possible, and keep in mind that push approvals can still be phished by adversary-in-the-middle kits or worn down by repeated prompts (MFA fatigue). For administrators, a phishing-resistant method such as a FIDO2 security key or a passkey is the stronger choice.
Require MFA for every user — including administrators, who are higher-value targets. Admin accounts with only a password are an open door.
2. Set Up Conditional Access Policies
Conditional Access lets you define rules for when and how users can access Microsoft 365. For example: block sign-ins from countries you do not operate in, require MFA when logging in from a new device, or restrict access to company-managed devices only.
Conditional Access requires a Microsoft Entra ID P1 licence, which is included in Microsoft 365 Business Premium and the Enterprise E3/E5 plans. Microsoft's documentation on Conditional Access policies is comprehensive, but configuration requires care: a misconfigured policy can lock every user out, including you. Create new policies in report-only mode first, exclude a dedicated, monitored break-glass account from every policy, and test sign-ins before you enforce. If you are unsure, have a professional set this up. Tenants without a P1 licence should at least turn on Microsoft's free Security Defaults, which enforce MFA for all users and block legacy authentication, though without any per-policy control.
At minimum, configure a policy that blocks legacy authentication protocols (basic-auth IMAP, POP, SMTP AUTH, ActiveSync and older Office clients). These protocols cannot perform MFA, so an attacker holding a leaked password bypasses it entirely by choosing a legacy client. Microsoft disabled basic authentication for most Exchange Online protocols in late 2022, but SMTP AUTH was exempted and can still be enabled per mailbox, so the policy remains worth having, and the sign-in log's "Client app" column will show you anything that still depends on it.
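The two policies that sections 1 and 2 ask for, MFA for every user and a block on legacy authentication, as an added example using the Microsoft Graph PowerShell SDK. This is illustration code written for this article, not Microsoft's own script; the policy names, the break-glass account object ID and the choice to start both policies in report-only mode are assumptions you should adapt.

```powershell
# Added example (not from the original article): create two baseline Conditional Access
# policies with the Microsoft Graph PowerShell SDK (Install-Module Microsoft.Graph).
# Requires Microsoft Entra ID P1 (included in Microsoft 365 Business Premium).
# ASSUMPTIONS: a dedicated break-glass account already exists and its object ID is
# pasted below; both policies start in report-only mode so nobody is locked out.

Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All", "Application.Read.All"

$breakGlassId = "00000000-0000-0000-0000-000000000000"   # hypothetical object ID; replace it

# Policy 1: require MFA for every user on every cloud app, for modern clients.
$requireMfa = @{
    displayName   = "CA001 - Require MFA for all users"
    state         = "enabledForReportingButNotEnforced"   # report-only; set "enabled" after review
    conditions    = @{
        users          = @{
            includeUsers = @("All")
            excludeUsers = @($breakGlassId)
        }
        applications   = @{ includeApplications = @("All") }
        clientAppTypes = @("browser", "mobileAppsAndDesktopClients")
    }
    grantControls = @{
        operator        = "OR"
        builtInControls = @("mfa")
    }
}

# Policy 2: block legacy authentication clients (basic-auth IMAP/POP/SMTP AUTH, ActiveSync,
# older Office builds). They cannot perform MFA, so the only safe grant is "block".
$blockLegacy = @{
    displayName   = "CA002 - Block legacy authentication"
    state         = "enabledForReportingButNotEnforced"
    conditions    = @{
        users          = @{
            includeUsers = @("All")
            excludeUsers = @($breakGlassId)
        }
        applications   = @{ includeApplications = @("All") }
        clientAppTypes = @("exchangeActiveSync", "other")
    }
    grantControls = @{
        operator        = "OR"
        builtInControls = @("block")
    }
}

foreach ($policy in @($requireMfa, $blockLegacy)) {
    $created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
    Write-Host ("Created '{0}' [{1}] state={2}" -f $created.DisplayName, $created.Id, $created.State)
}

# Watch the sign-in log (Entra admin centre > Sign-in logs > Report-only tab) for a week,
# then enforce each policy:
# Update-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId <policy id> -State "enabled"
```

The report-only state is deliberate: the sign-in log will show which users and which clients each policy would have blocked, which is how you find the forgotten scanner that still sends mail over SMTP AUTH before it stops working on a Monday morning.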
3. Configure Microsoft Secure Score
Microsoft provides a built-in security measurement tool called Microsoft Secure Score, available directly in the Microsoft Defender portal (security.microsoft.com). It audits your configuration across identity, devices, apps, and data, and gives you a scored list of recommended actions ranked by impact.
A newly configured Microsoft 365 tenant typically scores between 20 and 40 percent of the available points. Working through the high-impact recommendations, most of which are configuration changes rather than additional purchases, can push that score significantly higher within a few hours.
Review your Secure Score regularly. It updates as your environment changes and as new recommendations are added.
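An added example, not from the article, of pulling the same Secure Score data through the Microsoft Graph PowerShell SDK and listing the controls with the largest gap between earned and available points, which is the order to work through them in. The function name is mine, and the example assumes you hold a role such as Security Reader that can read Secure Score.

```powershell
# Added example (not from the original article): read the latest Secure Score snapshot via
# the Microsoft Graph PowerShell SDK and rank the unimplemented controls by points available.
# ASSUMPTION: the signed-in account can read Secure Score (Security Reader or above).

Connect-MgGraph -Scopes "SecurityEvents.Read.All"

function Get-SecureScoreGaps {
    param([int]$Top = 10)

    # Snapshots are returned newest first, so -Top 1 is today's score
    $latest = Get-MgSecuritySecureScore -Top 1
    $pct = [math]::Round(100 * $latest.CurrentScore / $latest.MaxScore, 1)
    Write-Host ("Secure Score: {0}/{1} ({2}%) as of {3}" -f `
        $latest.CurrentScore, $latest.MaxScore, $pct, $latest.CreatedDateTime)

    # Control profiles carry the maximum points, implementation cost and user impact per control;
    # their Id matches ControlName in the score snapshot
    $profiles = @{}
    Get-MgSecuritySecureScoreControlProfile -All | ForEach-Object { $profiles[$_.Id] = $_ }

    $gaps = foreach ($c in $latest.ControlScores) {
        $p = $profiles[$c.ControlName]
        if (-not $p) { continue }
        $gap = [double]$p.MaxScore - [double]$c.Score
        if ($gap -le 0) { continue }          # already fully implemented
        [pscustomobject]@{
            Control    = $p.Title
            Points     = "$($c.Score)/$($p.MaxScore)"
            Gap        = $gap
            Cost       = $p.ImplementationCost   # Low / Moderate / High
            UserImpact = $p.UserImpact
            Category   = $p.ControlCategory
        }
    }
    $gaps | Sort-Object Gap -Descending | Select-Object -First $Top
}

Get-SecureScoreGaps -Top 10 | Format-Table -AutoSize
```

Sorting by gap rather than by the portal's default ordering surfaces the few identity controls (MFA registration, legacy authentication, admin role counts) that usually account for most of the missing points.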
4. Enable Microsoft Defender for Office 365
Standard Microsoft 365 plans include basic spam filtering, but they do not include the full suite of email threat protection. Microsoft Defender for Office 365 adds:
Safe Links: Rewrites URLs in email, Teams messages and Office documents and re-checks each one at the moment it is clicked, so a link that was clean at delivery time is still blocked if it turns malicious later.
Safe Attachments: Opens email attachments in a sandboxed environment before delivering them, catching malware that signature-based antivirus misses.
Anti-phishing policies: Detects impersonation attempts — emails that appear to come from your CEO, your bank, or a trusted vendor but are actually fraudulent.
Defender for Office 365 Plan 1 is included in Microsoft 365 Business Premium; Plan 2 adds Threat Explorer, automated investigation and response, and attack simulation training. If you are on a lower-tier plan, Plan 1 is available as an add-on. The Canadian Centre for Cyber Security specifically recommends layered email security controls as a baseline for Canadian organizations.
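The three controls above, switched on with Exchange Online PowerShell, as an added example that is not part of the article or of Microsoft's documentation. The domain, the policy names and the executive addresses protected against impersonation are placeholders; everything else uses the cmdlets and parameters Defender for Office 365 Plan 1 exposes.

```powershell
# Added example (not from the original article): enable Safe Links, Safe Attachments and
# impersonation protection with the ExchangeOnlineManagement module.
# Requires Defender for Office 365 Plan 1 (included in Microsoft 365 Business Premium).
# ASSUMPTIONS: "contoso.ca" and the CEO/CFO addresses are placeholders; replace them.

Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline

$domain = "contoso.ca"

# Safe Links: rewrite URLs and re-check them at click time in mail, Teams and Office apps.
# AllowClickThrough $false stops users from bypassing the warning page.
New-SafeLinksPolicy -Name "Safe Links - All users" `
    -EnableSafeLinksForEmail $true -EnableSafeLinksForTeams $true -EnableSafeLinksForOffice $true `
    -ScanUrls $true -DeliverMessageAfterScan $true -EnableForInternalSenders $true `
    -TrackClicks $true -AllowClickThrough $false
New-SafeLinksRule -Name "Safe Links - All users" -SafeLinksPolicy "Safe Links - All users" `
    -RecipientDomainIs $domain

# Safe Attachments: detonate attachments in a sandbox and block the message if malicious.
New-SafeAttachmentPolicy -Name "Safe Attachments - All users" -Enable $true -Action Block
New-SafeAttachmentRule -Name "Safe Attachments - All users" `
    -SafeAttachmentPolicy "Safe Attachments - All users" -RecipientDomainIs $domain

# Anti-phishing: impersonation protection for named executives and for your own domains,
# plus mailbox intelligence, applied to the default policy that covers everyone.
Set-AntiPhishPolicy -Identity "Office365 AntiPhish Default" `
    -EnableTargetedUserProtection $true `
    -TargetedUsersToProtect @("CEO;ceo@$domain", "CFO;cfo@$domain") `
    -TargetedUserProtectionAction Quarantine `
    -EnableOrganizationDomainsProtection $true `
    -TargetedDomainProtectionAction Quarantine `
    -EnableMailboxIntelligence $true -EnableMailboxIntelligenceProtection $true `
    -MailboxIntelligenceProtectionAction MoveToJmf `
    -EnableFirstContactSafetyTips $true -EnableSimilarUsersSafetyTips $true `
    -PhishThresholdLevel 2

# Verify what is now in force
Get-SafeLinksPolicy | Format-Table Name, EnableSafeLinksForEmail, ScanUrls, AllowClickThrough
Get-SafeAttachmentPolicy | Format-Table Name, Enable, Action
Get-AntiPhishPolicy -Identity "Office365 AntiPhish Default" |
    Format-List EnableTargetedUserProtection, TargetedUsersToProtect, PhishThresholdLevel
```

Quarantine rather than delete for impersonation hits: a false positive on a genuine message from your accountant is then a release, not a loss.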
5. Audit and Restrict Admin Accounts
Most small businesses set up their Microsoft 365 tenant with a single global admin account, often the owner's day-to-day mailbox, and never revisit it. This is a significant risk. Global admin accounts have unrestricted access to everything: email, files, billing, security settings. A compromised global admin account is a catastrophic event, because the attacker can also disable the very protections described in this guide.
Best practices for admin accounts:
Use dedicated admin accounts. Create separate accounts used only for administration, not for daily email. Your day-to-day account should not be a global admin.
Apply the principle of least privilege. Give users and admins only the permissions they need. Most tasks do not require Global Administrator; use scoped roles such as Exchange Administrator, SharePoint Administrator or User Administrator instead, and keep the number of global admins small (Microsoft recommends fewer than five).
Enable Privileged Identity Management (PIM). PIM requires Microsoft Entra ID P2 (included in Microsoft 365 E5 or available as an add-on). It makes admin roles eligible rather than permanently active: an admin activates the role for a limited time window, with MFA and optionally an approval, and every activation is logged.
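An added example, written for this article rather than taken from it, that audits the global admins the way a reviewer would: who they are, whether each has MFA registered, and whether the account also carries a licence, which is treated here as a sign it is a daily-use mailbox rather than a dedicated admin account. That licence heuristic and the function name are assumptions; the cmdlets are from the Microsoft Graph PowerShell SDK.

```powershell
# Added example (not from the original article): report every Global Administrator and flag
# the two risks the text describes, using the Microsoft Graph PowerShell SDK.
# ASSUMPTION: a Global Admin holding a Microsoft 365 licence is treated as a daily-use
# account. That is a heuristic for this example, not a Microsoft rule.

Connect-MgGraph -Scopes "RoleManagement.Read.Directory", "User.Read.All", "AuditLog.Read.All"

function Get-GlobalAdminReport {
    $role = Get-MgDirectoryRole -Filter "displayName eq 'Global Administrator'"
    if (-not $role) { throw "Global Administrator role is not activated in this tenant" }

    # MFA registration state for every account that holds an admin role, keyed by UPN
    $mfaState = @{}
    Get-MgReportAuthenticationMethodUserRegistrationDetail -Filter "isAdmin eq true" -All |
        ForEach-Object { $mfaState[$_.UserPrincipalName] = $_.IsMfaRegistered }

    foreach ($member in Get-MgDirectoryRoleMember -DirectoryRoleId $role.Id -All) {
        $user = Get-MgUser -UserId $member.Id `
            -Property Id, DisplayName, UserPrincipalName, AssignedLicenses, AccountEnabled `
            -ErrorAction SilentlyContinue
        if (-not $user) { continue }   # groups or service principals in the role are skipped here

        $upn      = $user.UserPrincipalName
        $hasMfa   = [bool]$mfaState[$upn]
        $licensed = $user.AssignedLicenses.Count -gt 0

        [pscustomobject]@{
            UserPrincipalName = $upn
            Enabled           = $user.AccountEnabled
            MfaRegistered     = $hasMfa
            Licensed          = $licensed
            Finding           = (@(
                if (-not $hasMfa) { "NO MFA REGISTERED" }
                if ($licensed)    { "licensed: probably a daily-use account" }
            ) -join "; ")
        }
    }
}

$report = @(Get-GlobalAdminReport)
$report | Format-Table -AutoSize
if ($report.Count -gt 4) {
    Write-Warning "Microsoft recommends fewer than five Global Administrators; this tenant has $($report.Count)."
}
```

Run it again after any change: the role membership list is also the first thing to check during an incident, since attackers who gain admin add a second account to keep access.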
6. Configure Data Loss Prevention (DLP) Policies
Data Loss Prevention policies automatically detect and block the sharing of sensitive information — credit card numbers, Social Insurance Numbers, health record identifiers — via email or file sharing. For Toronto businesses in healthcare, legal, and finance, DLP is often a compliance requirement, not just a best practice.
Microsoft's DLP policy documentation covers how to create policies from templates — including pre-built templates for Canadian privacy regulations — and how to run DLP in audit-only mode before enforcing it, so you can see what would be blocked without disrupting workflows.
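The audit-then-enforce approach described above, as an added example in Security & Compliance PowerShell; it is illustration code for this article, not Microsoft's own template. The policy and rule names are placeholders, and the built-in sensitive information type "Canada Social Insurance Number" is used as the trigger.

```powershell
# Added example (not from the original article): a DLP policy for Canadian Social Insurance
# Numbers, created in audit-only mode and enforced later, via Security & Compliance PowerShell.
# ASSUMPTIONS: policy and rule names are placeholders; "Canada Social Insurance Number" is
# the name of Microsoft's built-in sensitive information type.

Import-Module ExchangeOnlineManagement
Connect-IPPSSession

$policyName = "Protect Canadian SINs"

# TestWithNotifications = audit only: matches are logged and users see policy tips,
# but nothing is blocked. Review Activity explorer for a few weeks before enforcing.
New-DlpCompliancePolicy -Name $policyName `
    -ExchangeLocation All -SharePointLocation All -OneDriveLocation All -TeamsLocation All `
    -Mode TestWithNotifications

# The rule: one or more SINs shared with someone outside the organization is blocked,
# the owner gets a policy tip, and an incident report goes to the site admin.
New-DlpComplianceRule -Name "$policyName - block external sharing" -Policy $policyName `
    -ContentContainsSensitiveInformation @{ Name = "Canada Social Insurance Number"; minCount = "1" } `
    -AccessScope NotInOrganization `
    -BlockAccess $true -BlockAccessScope All `
    -NotifyUser Owner `
    -NotifyPolicyTipCustomText "This content contains a Social Insurance Number and cannot be shared outside the company." `
    -GenerateIncidentReport SiteAdmin -IncidentReportContent All

# After the audit period, flip the policy to enforced without recreating the rule:
# Set-DlpCompliancePolicy -Identity $policyName -Mode Enable

Get-DlpCompliancePolicy -Identity $policyName |
    Format-List Name, Mode, ExchangeLocation, SharePointLocation, OneDriveLocation, TeamsLocation
```

Scoping the block to NotInOrganization keeps internal workflows (payroll sending a SIN to HR) working while the external leak path is closed; tighten to InOrganization as well only after the audit data shows it will not break a legitimate process.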
7. Back Up Your Microsoft 365 Data
This surprises many business owners: Microsoft does not back up your data as part of the standard subscription. Its own Services Agreement recommends that customers keep their own copies, and the built-in safety nets (the Recycle Bin, Deleted Items and version history) cover only a retention window measured in days or weeks. Microsoft maintains infrastructure availability; it does not provide point-in-time restore of individual mailboxes, SharePoint libraries or Teams conversations once that window has passed, and ransomware that encrypts synced files or an insider who empties the recycle bin defeats those safety nets.
The Microsoft shared responsibility model explicitly places responsibility for data protection on the customer. A third-party backup solution — Veeam, Acronis, or a solution provided by your managed IT provider — is essential for true recoverability.
At minimum, ensure you have a backup that covers Exchange Online (email), SharePoint Online (files), and OneDrive for Business, with a retention period that matches your business needs.
8. Review External Sharing Settings in SharePoint and OneDrive
By default, the tenant-level sharing setting permits "Anyone" links: a URL that opens the file to whoever holds it, with no sign-in and no record of who opened it. This is convenient, but it means a single misclick, or a link pasted into the wrong chat, can expose confidential client documents to the entire internet.
Audit your sharing settings in the SharePoint admin centre; they apply to OneDrive as well unless you set OneDrive separately. For most professional services firms, the right setting is "Only people in your organization" or "Existing guests only". If you need to share externally, require recipients to sign in, set an expiry on guest access, and reserve anonymous links, if you keep them at all, for view-only access with a short expiry.
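The weak default beside the tightened configuration, as an added example using the SharePoint Online Management Shell; this is illustration code for this article, not Microsoft's. The tenant name "contoso" and the 60-day guest expiry are assumptions.

```powershell
# Added example (not from the original article): read the current tenant-wide sharing posture,
# then tighten it with the SharePoint Online Management Shell.
# ASSUMPTIONS: "contoso" is your tenant name and you hold the SharePoint Administrator role.

Import-Module Microsoft.Online.SharePoint.PowerShell
Connect-SPOService -Url "https://contoso-admin.sharepoint.com"

# Before: what the tenant allows today.
# SharingCapability = ExternalUserAndGuestSharing means "Anyone" links are permitted.
Get-SPOTenant | Format-List SharingCapability, OneDriveSharingCapability, DefaultSharingLinkType, `
    DefaultLinkPermission, RequireAnonymousLinksExpireInDays, ExternalUserExpirationRequired, ExternalUserExpireInDays

# After: no anonymous links anywhere; external sharing only with guests who already exist in the
# directory (the "Existing guests only" option in the admin centre); new links default to
# internal, read-only; guest access expires automatically unless renewed.
Set-SPOTenant `
    -SharingCapability ExistingExternalUserSharingOnly `
    -OneDriveSharingCapability ExistingExternalUserSharingOnly `
    -DefaultSharingLinkType Internal `
    -DefaultLinkPermission View `
    -ExternalUserExpirationRequired $true `
    -ExternalUserExpireInDays 60

# Use -SharingCapability Disabled instead if you never share outside the organization.
# If one business process truly needs "Anyone" links, at least make them expire and view-only:
# Set-SPOTenant -SharingCapability ExternalUserAndGuestSharing -RequireAnonymousLinksExpireInDays 14 `
#     -FileAnonymousLinkType View -FolderAnonymousLinkType View

# Confirm
Get-SPOTenant | Format-List SharingCapability, OneDriveSharingCapability, DefaultSharingLinkType, DefaultLinkPermission
```

Tightening the tenant setting does not revoke links that were already created; review existing "Anyone" links through the SharePoint admin centre's sharing reports or per site before assuming the exposure is closed.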
9. Enable Unified Audit Logging
Microsoft 365 keeps a detailed log of user and admin activity (sign-ins, file access, mailbox rule changes, configuration changes), but unified audit log ingestion is not always enabled on older tenants. Without it, you have no forensic trail if something goes wrong: you cannot tell what a compromised account read, forwarded or changed.
Check and enable it in the Microsoft Purview compliance portal (formerly the Microsoft 365 Compliance Centre), under Audit. Audit (Standard), included with Business Premium, retains records for 180 days (it was 90 days before late 2023); Audit (Premium) extends that to one year, and longer audit retention policies are available for regulated industries. Audit logs are essential for incident response and, in some industries, for demonstrating compliance.
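An added example, not from the article, that first confirms unified audit log ingestion is on and then uses the log for the investigation the text alludes to: finding inbox rules that forward or redirect mail, the classic persistence step in business email compromise. The function name and the 30-day window are my choices; the cmdlets are from the ExchangeOnlineManagement module.

```powershell
# Added example (not from the original article): confirm unified audit logging is enabled, then
# search the log for inbox rules that forward or redirect mail, using Exchange Online PowerShell.
# ASSUMPTION: the signed-in admin holds the View-Only Audit Logs or Audit Logs role.

Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline

# 1. Enable ingestion if an older tenant still has it off (collection starts within about an hour).
if (-not (Get-AdminAuditLogConfig).UnifiedAuditLogIngestionEnabled) {
    Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $true
}

# 2. Hunt for forwarding/redirect rules created or changed in the last N days.
function Find-ForwardingRules {
    param([int]$Days = 30)
    $forwardKeys = @("ForwardTo", "ForwardAsAttachmentTo", "RedirectTo")

    # Rules set from PowerShell or the Outlook desktop client are logged as ExchangeAdmin records;
    # the -ResultSize ceiling is 5000 per call, so narrow the window on a busy tenant.
    $records = Search-UnifiedAuditLog -StartDate (Get-Date).AddDays(-$Days) -EndDate (Get-Date) `
        -RecordType ExchangeAdmin -Operations New-InboxRule, Set-InboxRule -ResultSize 5000

    foreach ($r in $records) {
        $data = $r.AuditData | ConvertFrom-Json          # AuditData is a JSON string
        # Parameters is an array of {Name, Value}; keep only rules that send mail somewhere else
        $fwd = $data.Parameters | Where-Object { $_.Name -in $forwardKeys -and $_.Value }
        if (-not $fwd) { continue }
        [pscustomobject]@{
            When      = $r.CreationDate
            Mailbox   = $data.UserId
            Operation = $data.Operation
            Rule      = ($data.Parameters | Where-Object { $_.Name -in @("Name", "Identity") } |
                         Select-Object -First 1).Value
            Targets   = ($fwd | ForEach-Object { "$($_.Name)=$($_.Value)" }) -join "; "
            ClientIP  = $data.ClientIP
        }
    }
}

Find-ForwardingRules -Days 30 | Sort-Object When -Descending | Format-Table -AutoSize

# Rules created in Outlook on the web are logged as UpdateInboxRules under RecordType ExchangeItem;
# run a second search with -RecordType ExchangeItem -Operations UpdateInboxRules to cover them.
```

A forwarding target outside your domains, a rule created from an IP address in a country you do not operate in, or a rule named with a single space or period (attackers hide them that way) are the findings worth escalating.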
10. Train Your Staff — Technology Alone Is Not Enough
The majority of successful cyberattacks on small businesses begin with a human mistake — a clicked phishing link, a reused password, a wire transfer approved based on a spoofed email. The CIRA Canadian Internet Security Survey consistently identifies employee error as the leading cause of security incidents among Canadian SMBs.
Security awareness training does not need to be a full-day course. Short, regular sessions covering phishing recognition, password hygiene, and safe file sharing habits make a measurable difference. Simulated phishing campaigns — sending fake phishing emails to your own staff to see who clicks — are one of the most effective ways to identify and address gaps before an attacker does.
The Office of the Privacy Commissioner of Canada publishes guidance on employee privacy and security training obligations under PIPEDA that is directly applicable to most Toronto SMBs.
Need Help Securing Your Microsoft 365 Environment?
Properly configuring Microsoft 365 security takes time and expertise. Many of the settings described above interact with each other, and a misconfiguration can disrupt access or create gaps rather than closing them. Our cybersecurity team and cloud services specialists work with Toronto SMBs to audit, configure, and maintain Microsoft 365 environments — so you get the security benefits without the risk of getting the setup wrong.
Contact us for a free Microsoft 365 security assessment. We will review your current configuration against best practices and give you a clear, prioritized list of what to fix — with no obligation to engage us further.
