We've assessed hundreds of Australian small businesses over the past 3 years. The patterns are clear: 80% of SMBs have the same five critical security gaps.
The good news? These aren't complex, expensive problems. They're simple misconfigurations that can be fixed in under 2 hours — often less.
Here are the five most dangerous issues we find (and how to fix them).
#1: External Sharing Set to "Anyone with the Link"
Found in: 73% of assessments
Fix time: 15 minutes
Risk level: CRITICAL
The Problem
Most businesses don't realize that when SharePoint/OneDrive external sharing is set to "Anyone with the link," files shared in 2021 are still accessible today — with no expiry, no password, and no audit trail of who accessed them.
This happens because:
- M365 defaults to permissive sharing settings
- Staff don't understand "Anyone with the link" vs "Specific people"
- Links are shared via email, then forwarded without thinking
- No expiry dates are set (links live forever)
The Fix
1. Change tenant-wide default to "Specific people" (not "Anyone"):
- SharePoint Admin Center → Policies → Sharing
- Set "Default sharing link type" to "Specific people"
- Enable "Limit external sharing by domain" if needed
2. Set default link expiry (30-90 days):
- Same location → "Advanced settings"
- Set "These links must expire within" to 30-90 days
3. Audit existing external links:
- SharePoint Admin Center → Active sites → Sharing
- Review and revoke old links
Fix time: 15 minutes to change settings, 30-60 minutes to audit existing links
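The same three steps scripted with the SharePoint Online Management Shell, so the change is repeatable and the "before" state is captured for the change record. This is an added example, not code from the original article; it assumes the Microsoft.Online.SharePoint.PowerShell module is installed, the signed-in account holds the SharePoint Administrator role, and the tenant name placeholder and the partner-domain allow-list (constructed values) are replaced before running.

```powershell
# Added example: applies the article's three sharing fixes via PowerShell.
# Assumes Microsoft.Online.SharePoint.PowerShell is installed and the caller
# is a SharePoint Administrator. "<tenant>" is a placeholder.
Import-Module Microsoft.Online.SharePoint.PowerShell
Connect-SPOService -Url "https://<tenant>-admin.sharepoint.com"

# Record the current tenant settings first so the change is reviewable.
$before = Get-SPOTenant | Select-Object SharingCapability, DefaultSharingLinkType,
    RequireAnonymousLinksExpireInDays, SharingDomainRestrictionMode, SharingAllowedDomainList
"Settings before change:"
$before | Format-List

# Step 1: default link type "Specific people" (Direct). Users can still pick
# "Anyone" where the site allows it, but they must choose it deliberately.
Set-SPOTenant -DefaultSharingLinkType Direct

# Step 1 (optional): only allow external sharing with named partner domains.
# The domain list is a constructed example; space-separated, per the cmdlet.
Set-SPOTenant -SharingDomainRestrictionMode AllowList `
              -SharingAllowedDomainList "partner.example.com accountant.example.com"

# Step 2: "These links must expire within" 30 days for anonymous links.
# Applies to links created from now on; links created earlier keep their
# original (possibly unlimited) lifetime, which is why step 3 matters.
Set-SPOTenant -RequireAnonymousLinksExpireInDays 30

# Step 3: audit. List every site that still permits "Anyone" links, with
# last-modified date, so old, quiet sites can be reviewed first.
$openSites = Get-SPOSite -Limit All |
    Where-Object { $_.SharingCapability -eq 'ExternalUserAndGuestSharing' } |
    Select-Object Url, Owner, LastContentModifiedDate
"Sites still allowing Anyone links: $($openSites.Count)"
$openSites | Sort-Object LastContentModifiedDate | Format-Table -AutoSize

# Confirm the tenant now reports the intended values.
Get-SPOTenant | Select-Object DefaultSharingLinkType, RequireAnonymousLinksExpireInDays,
    SharingDomainRestrictionMode | Format-List
```

Revoking individual old links is done per file in the site's sharing report, so the script stops at producing the site list. A site in that list with no recent changes and no business reason for anonymous links can be tightened with `Set-SPOSite -Identity <url> -SharingCapability ExternalUserSharingOnly`, which invalidates its existing "Anyone" links.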
#2: No MFA on Admin Accounts
Found in: 64% of assessments
Fix time: 30 minutes
Risk level: CRITICAL
The Problem
Admin accounts have keys to the kingdom: they can access all user mailboxes, read all files, reset passwords, and delete data. Yet we routinely find businesses with 4-8 admin accounts protected by just a password.
Why it happens:
- Admins find MFA "inconvenient" for frequent logins
- "I'll enable it later" becomes "never"
- Shared admin accounts (big red flag)
- MFA is enabled for users but not admins
The Fix
1. Enable MFA for ALL admin accounts immediately:
- Azure AD → Users → Multi-Factor Authentication
- Select ALL admin accounts → Enable
- Choose: Microsoft Authenticator app (most secure)
2. Create emergency break-glass account:
- One admin account with NO MFA (stored in safe)
- Used ONLY if primary admins are locked out
- Monitor this account closely
Fix time: 30 minutes to enable MFA for 5-10 admin accounts
#3: Too Many Admin Accounts
Found in: 58% of assessments
Fix time: 45 minutes
Risk level: HIGH
The Problem
The average 30-person business should have 2-3 admin accounts maximum. We regularly find 6-8, including:
- Ex-employees who left 2 years ago (still Global Admin)
- External IT consultants no longer used
- Staff who needed temporary admin for a project (never removed)
- Users who don't need admin but got it "just in case"
The Fix
1. Audit all admin accounts:
- Azure AD → Roles and administrators → Global Administrator
- Review ALL accounts with admin privileges
2. Apply principle of least privilege:
- Remove admin from anyone who doesn't actively need it
- Use specific admin roles (Exchange Admin, SharePoint Admin) instead of Global Admin
- Target: 2-3 Global Admins maximum for SMB
Fix time: 45 minutes to audit and clean up admin roles
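Gaps #2 and #3 share the same audit: enumerate every Global Administrator and, for each one, show whether MFA is registered and when the account last signed in. The block below does that with the Microsoft Graph PowerShell SDK and flags the rows that match the article's findings (no MFA, stale or never-used admin). It is an added example, not the article's own material; it assumes the Microsoft.Graph modules are installed, the signed-in account can consent to the read-only scopes listed, and that the tenant has an Entra ID P1 licence for `SignInActivity` (without it that column is blank). The 90-day staleness cut-off is an assumption chosen for this example.

```powershell
# Added example: audit Global Administrators for MFA registration (#2) and
# stale or excess membership (#3). Assumes Microsoft.Graph SDK modules and
# read-only Graph scopes; SignInActivity needs Entra ID P1.
Import-Module Microsoft.Graph.Identity.DirectoryManagement
Import-Module Microsoft.Graph.Reports
Import-Module Microsoft.Graph.Users
Connect-MgGraph -Scopes "RoleManagement.Read.Directory", "User.Read.All",
                        "AuditLog.Read.All", "UserAuthenticationMethod.Read.All"

# Resolve the Global Administrator role and its current members.
$role    = Get-MgDirectoryRole -Filter "displayName eq 'Global Administrator'"
$members = Get-MgDirectoryRoleMember -DirectoryRoleId $role.Id

# The registration report already computes IsMfaRegistered per user;
# index it by UPN so each admin is a dictionary lookup, not another call.
$regByUpn = @{}
Get-MgReportAuthenticationMethodUserRegistrationDetail -All |
    ForEach-Object { $regByUpn[$_.UserPrincipalName] = $_ }

$staleAfter = (Get-Date).AddDays(-90)   # assumption: 90 days without sign-in = stale

$report = foreach ($m in $members) {
    # Role members may be groups or service principals; audit user objects only.
    if ($m.AdditionalProperties['@odata.type'] -ne '#microsoft.graph.user') { continue }

    $user = Get-MgUser -UserId $m.Id -Property Id,UserPrincipalName,AccountEnabled,SignInActivity
    $reg  = $regByUpn[$user.UserPrincipalName]
    $last = $user.SignInActivity.LastSignInDateTime

    # Findings mirror the article: missing MFA is CRITICAL; an admin nobody
    # uses is a least-privilege removal candidate.
    $finding = if (-not $reg -or -not $reg.IsMfaRegistered) { 'NO MFA' }
               elseif (-not $last)                          { 'NEVER SIGNED IN' }
               elseif ($last -lt $staleAfter)               { 'STALE' }
               else                                         { '' }

    [pscustomobject]@{
        UserPrincipalName = $user.UserPrincipalName
        Enabled           = $user.AccountEnabled
        MfaRegistered     = if ($reg) { $reg.IsMfaRegistered } else { $false }
        Methods           = if ($reg) { $reg.MethodsRegistered -join ',' } else { '' }
        LastSignIn        = $last
        Finding           = $finding
    }
}

$report | Sort-Object Finding -Descending | Format-Table -AutoSize
"Global Administrators: $($report.Count) (article's SMB target: 2-3)"
"Without MFA: $(@($report | Where-Object Finding -eq 'NO MFA').Count)"
```

Run it before and after the clean-up: the second run should show every remaining row with `MfaRegistered` true and a member count in the article's 2-3 range. An account that shows `NEVER SIGNED IN` but is deliberately kept as the break-glass account should be documented as such rather than removed.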
#4: Audit Logging Disabled
Found in: 52% of assessments
Fix time: 10 minutes
Risk level: HIGH
The Problem
If audit logging isn't enabled, you have zero visibility into who accessed what, when.
This means:
- You can't detect if someone accessed confidential files
- You can't prove compliance for Privacy Act breach reporting
- You can't investigate suspicious activity
- You can't satisfy cyber insurance requirements
The Fix
Enable Unified Audit Logging:
- Microsoft 365 Compliance → Audit
- Click "Start recording user and admin activity"
- Set retention to 90 days minimum (1 year for Business Premium/E3/E5)
Note: Audit data only captures activity AFTER it's enabled. Past activity is not logged retroactively.
Fix time: 10 minutes (literally just turn it on)
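The same switch from Exchange Online PowerShell, with a check of the current state first and a smoke-test search afterwards that ties back to gap #1 (anonymous-link activity). This is an added example rather than the article's own steps; it assumes the ExchangeOnlineManagement module is installed and the signed-in account holds an Exchange or compliance admin role. Because logging only starts once ingestion is enabled, an empty search result immediately after switching it on is expected.

```powershell
# Added example: enable Unified Audit Logging and verify it is producing records.
# Assumes ExchangeOnlineManagement is installed and the caller has admin rights.
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline

# Check before changing; the article's "Start recording" button sets this flag.
$cfg = Get-AdminAuditLogConfig
if (-not $cfg.UnifiedAuditLogIngestionEnabled) {
    Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $true
    "Unified audit log enabled. Nothing before this moment is recorded; allow up to an hour before the first search."
} else {
    "Unified audit log already enabled."
}

# Smoke test: anonymous-link creation and use over the last 7 days. These are
# exactly the events that gap #1 leaves you blind to when logging is off.
$since  = (Get-Date).AddDays(-7)
$events = Search-UnifiedAuditLog -StartDate $since -EndDate (Get-Date) `
    -Operations AnonymousLinkCreated, AnonymousLinkUsed -ResultSize 500

if (-not $events) {
    "No anonymous-link events in the last 7 days (expected if logging was just enabled)."
} else {
    # AuditData is a JSON string; expand the fields an investigator needs first.
    $events |
        ForEach-Object { $_.AuditData | ConvertFrom-Json } |
        Select-Object CreationTime, Operation, UserId, ObjectId, ClientIP |
        Sort-Object CreationTime |
        Format-Table -AutoSize
}
```

Re-run the search a day later; if it is still empty while the tenant is in daily use, treat that as a finding in itself, since the point of the control is to have records to search when the Privacy Act or the insurer asks.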
#5: No Backup Solution for M365 Data
Found in: 67% of assessments
Fix time: 2-4 hours (including testing)
Risk level: HIGH
The Problem
Most businesses think Microsoft backs up their M365 data. Microsoft does not provide backup. What it provides is:
- Recycle bin: 30-93 days (then permanently deleted)
- Retention policies: Keep data from being deleted, but don't protect against ransomware or accidental deletion
You need backup for:
- Ransomware recovery
- Accidental mass deletion (user accidentally deletes entire site)
- Compliance (long-term retention beyond M365 limits)
- Legal hold (litigation, investigations)
The Fix
Implement third-party M365 backup solution:
Options (prices for ~30 users):
- Veeam Backup for M365: $12-15/user/month
- AvePoint Cloud Backup: $8-12/user/month
- Barracuda Cloud-to-Cloud Backup: $5-8/user/month
What to backup:
- Exchange Online (emails)
- SharePoint/OneDrive (files)
- Teams (chat, files, settings)
Test your backup: Actually restore a file/mailbox to verify it works.
Fix time: 2-4 hours to set up and test (then automated daily)
Not Sure If You Have These Issues?
Our automated M365 security assessment checks for all of these misconfigurations (and 25 more). Get your report in 2-3 business days.
Book M365 Security Assessment - From $499
The Pattern We See
Here's what's interesting: most businesses we assess have 3 out of 5 of these issues. It's not negligence — it's just that M365 security isn't intuitive, defaults aren't always secure, and small businesses don't have dedicated security staff.
The good news? Once you know what to fix, the fixes are straightforward. Total time to address all five issues: 4-6 hours.
That's a few hours of work to close the security gaps that put 80% of Australian SMBs at risk.
Worth it? When the average breach costs $49,600 — absolutely.