Enhancing security in Microsoft 365: 5 strategies for SMBs in 2025
Written by Lancom Technology, May 2025
With most Small to Medium businesses running Microsoft 365 amid the ever-present threat of cybercrime, Lancom Technology’s Chief Customer Officer Ben Walton has shared the top priorities every company should have to secure their environment.
Previously known as Office 365, the renamed Microsoft 365 is the world’s most popular productivity suite, with 86.3 million Microsoft 365 Consumer subscribers as of Q2 FY25. It enjoys significant adoption among small businesses, with nearly three quarters of users worldwide falling into this category.
Part of the appeal is that Microsoft 365 offers robust tools to bolster your security posture, many of which are about configuration rather than cost, says Walton. “You’ve already paid for Microsoft 365, so making use of the embedded security services is both good practice and delivers full value,” he notes.
Why improve your security? Microsoft detected and investigated 35 million business email compromise attempts between April 2022 and April 2023. And Microsoft customers face 600 million cyberattacks per day.
Walton recommends these top five actionable tips to safeguard your Microsoft 365 environment in 2025.
- Enable Multi-Factor Authentication (MFA)
Seems shocking, but many haven’t done this. Passwords alone are no match for today’s threats, and a single breach can expose emails, files, and sensitive data. MFA adds a further layer of protection by requiring a second verification step, like a mobile code or biometric check. MFA is already enforced for your Admin accounts, and most users are well versed in the MFA authenticators from Microsoft, Google and others. This simple step blocks most unauthorized login attempts, especially for remote workers.
- Leverage Conditional Access Policies
Conditional Access in Azure Active Directory lets you control access based on context, such as device type or location. For instance, you can block any attempt to log in from an unknown country, force travelling users to re-authenticate and confirm their identity, or allow access to company resources only from approved devices. Most policies can be enabled without any impact on your team’s day-to-day work, yet they quietly protect resources from malicious actors in the background.
- Deploy Microsoft Defender Suite
Elevate your security with unified visibility, investigation, and response across the cyberattack chain with Microsoft Defender XDR (extended detection and response) and Defender for 365 solutions. Regardless of where the attack starts, whether phishing, ransomware or device malware, Microsoft Defender XDR covers email, Teams, SharePoint, desktops and laptops, as well as user identities, to provide a seamless, fully integrated system to stop threats before they reach your people and information.
- Use Data Loss Prevention (DLP)
Sensitive data, like credit card numbers or IDs, can accidentally leak via email or file sharing. Microsoft 365’s Data Loss Prevention (DLP) feature scans content and applies rules to block or warn users about sharing confidential information. DLP can ensure compliance with standards such as GDPR and keep sensitive data secure without hindering collaboration.
- Encrypt and Classify Documents
Microsoft Information Protection lets you label documents as ‘Confidential’ or ‘Internal Use Only,’ tying them to encryption and access restrictions. This prevents unauthorized access, even if files are shared externally. Align labeling policies with your business needs and train employees on their importance. Automated classification streamlines compliance audits by logging file access and protection details, enhancing both security and accountability.
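To make the Conditional Access tip concrete, here is an added example (not Lancom's or Microsoft's own script) of a "block sign-ins from unexpected countries" policy created with the Microsoft Graph PowerShell SDK. The country list and the emergency-access account ID are placeholders and assumptions; the policy is created in report-only mode so its effect can be reviewed in the sign-in logs before it is enforced.

```powershell
# Added example: requires the Microsoft.Graph.Identity.SignIns module and an
# account permitted to manage Conditional Access in the tenant.
Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess', 'Policy.Read.All'

# Placeholders (assumptions): replace with values from your own tenant.
$breakGlassAccountId = '<emergency-access-account-object-id>'
$allowedCountries    = @('NZ', 'AU')   # constructed sample, ISO 3166-1 alpha-2 codes

# 1. Named location listing the countries staff normally sign in from.
#    Sign-ins whose country cannot be resolved are NOT treated as allowed.
$location = New-MgIdentityConditionalAccessNamedLocation -BodyParameter @{
    '@odata.type'                     = '#microsoft.graph.countryNamedLocation'
    displayName                       = 'Expected sign-in countries'
    countriesAndRegions               = $allowedCountries
    includeUnknownCountriesAndRegions = $false
}

# 2. Policy: every user, every app, any location except the named one => block.
$policy = @{
    displayName = 'Block sign-ins outside expected countries'
    # Report-only: the result is logged for each sign-in but nothing is blocked.
    # Change to 'enabled' once the sign-in logs show no legitimate users affected.
    state       = 'enabledForReportingButNotEnforced'
    conditions  = @{
        users = @{
            includeUsers = @('All')
            # Keep one emergency-access account outside the policy so a
            # misconfiguration cannot lock every administrator out.
            excludeUsers = @($breakGlassAccountId)
        }
        applications = @{ includeApplications = @('All') }
        locations    = @{
            includeLocations = @('All')
            excludeLocations = @($location.Id)
        }
    }
    grantControls = @{
        operator        = 'OR'
        builtInControls = @('block')
    }
}
New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
```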
Some final thoughts
To reiterate, stresses Walton, better security is mostly configuration, not cost. “Securing Microsoft 365 doesn’t require complex or expensive measures. By applying the five techniques outlined above, your business will significantly reduce risk,” he points out. “All of the features discussed above are included within the Microsoft Business Premium Suite – a license over 90% of our customers already have.”
And as always, a security-conscious workforce is your greatest asset, so he advises equipping them with clear guidelines and ongoing education to protect data, maintain client trust, and ensure operational stability. “Every organisation using Microsoft 365 should create a resilient defense with these built-in tools. And for best effect, combine with regular training and policy reviews for your people.”
About Lancom Technology
We’re a leading IT company servicing global organisations by specialising in providing software development, cloud services, managed services and data & insights to help businesses succeed by doing more with less.