Frequently Asked Questions

Everything you need to know about M365 security and why it matters for your Australian small business

Why M365 Security Matters

Why does my small business need an M365 security assessment?

Most Australian SMBs think they're secure because they "use the cloud." But M365 security isn't automatic.

Common assumption: "Microsoft handles our security for us."
Reality: Microsoft provides the tools — you need to configure them correctly.

We regularly find businesses with:

  • 6+ admin accounts (should be 2-3 maximum)
  • No MFA on 30-50% of user accounts
  • External sharing set to "Anyone with the link" — files shared in 2021 still accessible today
  • No backup solution for M365 data (Microsoft's recycle bin isn't a backup)
  • Audit logging disabled — no way to detect if someone accessed your data

The average data breach costs Australian SMBs $49,600 in remediation, downtime, notification costs, and lost business. An assessment finds these gaps before they become breaches.
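As an added illustration (not the CyberChex platform's own code), here is how the five findings listed above can be expressed as checks over a snapshot of tenant settings. The `TenantSnapshot`, `User` and `SharingLink` shapes, the `STALE_LINK_DAYS` threshold and the sample tenant are all constructed for this example; a real scan would populate the same fields from the tenant rather than by hand.

```python
"""Posture checks for the five findings listed above, run against a constructed
tenant snapshot. Added example, not the CyberChex platform: it makes no
Microsoft Graph calls, only evaluates an in-memory snapshot."""
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import date

MAX_ADMINS = 3            # page: 2-3 admin accounts maximum
STALE_LINK_DAYS = 365     # assumption: a non-expiring link older than a year is stale
AS_OF = date(2025, 10, 1) # constructed "today" so results are reproducible


@dataclass
class User:
    upn: str
    is_admin: bool
    mfa_enrolled: bool


@dataclass
class SharingLink:
    path: str
    created: date
    expires: date | None    # None means the link never expires


@dataclass
class TenantSnapshot:
    users: list[User]
    external_sharing: str   # tenant-level setting, e.g. "Anyone" or "ExistingExternalUsers"
    audit_log_enabled: bool
    backup_configured: bool
    links: list[SharingLink] = field(default_factory=list)


def assess(snap: TenantSnapshot, today: date) -> list[str]:
    """Return one plain-English finding per failed check, in the page's order."""
    findings: list[str] = []

    admins = [u for u in snap.users if u.is_admin]
    if len(admins) > MAX_ADMINS:
        findings.append(f"{len(admins)} admin accounts (should be {MAX_ADMINS} maximum)")

    no_mfa = [u for u in snap.users if not u.mfa_enrolled]
    if no_mfa:
        pct = round(100 * len(no_mfa) / len(snap.users))
        findings.append(f"No MFA on {len(no_mfa)} of {len(snap.users)} user accounts ({pct}%)")
    admins_no_mfa = sorted(u.upn for u in admins if not u.mfa_enrolled)
    if admins_no_mfa:
        findings.append("Admin accounts without MFA: " + ", ".join(admins_no_mfa))

    if snap.external_sharing == "Anyone":
        stale = [ln for ln in snap.links
                 if ln.expires is None and (today - ln.created).days > STALE_LINK_DAYS]
        msg = "External sharing set to 'Anyone with the link' at tenant level"
        if stale:
            oldest = min(ln.created for ln in stale)
            msg += (f"; {len(stale)} non-expiring link(s) older than {STALE_LINK_DAYS} days"
                    f" (oldest created {oldest.isoformat()})")
        findings.append(msg)

    if not snap.backup_configured:
        findings.append("No backup solution for M365 data (the recycle bin is not a backup)")

    if not snap.audit_log_enabled:
        findings.append("Audit logging disabled: no way to detect who accessed your data")

    return findings


def sample_snapshot() -> TenantSnapshot:
    """Constructed tenant that fails every check; not real data."""
    users = [User(f"user{i}@example.com.au", is_admin=False, mfa_enrolled=i > 3)
             for i in range(1, 7)]                       # users 1-3 lack MFA
    users += [User(f"admin{i}@example.com.au", is_admin=True, mfa_enrolled=i != 4)
              for i in range(1, 5)]                      # four admins, admin4 lacks MFA
    links = [
        SharingLink("/Clients/contract-2021.docx", date(2021, 3, 15), None),  # stale, never expires
        SharingLink("/Finance/q2.xlsx", date(2025, 6, 1), None),              # recent, never expires
        SharingLink("/HR/policy.pdf", date(2025, 6, 1), date(2025, 12, 31)),  # has an expiry
    ]
    return TenantSnapshot(users, "Anyone", audit_log_enabled=False,
                          backup_configured=False, links=links)


if __name__ == "__main__":
    for finding in assess(sample_snapshot(), AS_OF):
        print("-", finding)
```

Running it against the sample tenant prints six findings that read like the evidence statements later on this page (counts and dates rather than "appears to be enabled"); a tenant that passes every check returns an empty list.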

What happens if we get breached?

A data breach can devastate a small business:

Real example: A 30-person law firm had a departing employee's credentials compromised. Within 48 hours: 6,000 client emails accessed, confidential files downloaded, mandatory breach notification required, $73,000 in remediation costs. It was 100% preventable — no MFA on admin accounts, poor offboarding process.

Financial impact:

  • Direct remediation costs ($20,000-$80,000)
  • Cyber insurance claims (and future premium increases)
  • Client trust and reputation damage
  • Business disruption (average 3-7 days downtime)
  • Legal costs if client data was compromised

We're only a small business — why would hackers target us?

Small businesses are specifically targeted because:

  • Lower security posture: Easier to breach than large enterprises
  • Supply chain access: Hackers use SMBs as stepping stones to larger clients
  • Valuable data: Client files, financial records, employee data all have value
  • Less monitoring: Breaches often go undetected for weeks or months

ACSC data: Over 87,400 cyber incidents were reported in Australia in 2024-25. 43% targeted small businesses. Most attacks are automated — hackers scan for misconfigured M365 environments and exploit the easiest targets.

About Our Assessment

How can you deliver assessments in 1-5 days when competitors take 1-2 weeks?

We use a proprietary assessment platform. Instead of manually clicking through settings for hours, our platform conducts comprehensive security analysis efficiently and consistently.

Traditional manual assessment (1-2 weeks):

  • Consultant manually logs into your tenant
  • Clicks through 50+ admin portals and settings pages
  • Takes screenshots and notes
  • Writes report from scratch
  • Variable quality depending on consultant skill

Our platform-powered assessment (1-5 days):

  • Comprehensive security analysis across all critical controls
  • Captures detailed evidence systematically
  • Applies Microsoft best practices consistently
  • Expert review and validation before delivery
  • Professional report with remediation roadmap
  • 100% consistent quality every time

Think of it like a CT scan: The scan takes 10 minutes but costs $1,500. You're not paying for the 10 minutes — you're paying for the million-dollar machine, the radiologist's expertise, and the accuracy that prevents misdiagnosis. Same with our assessments: our platform enables thorough analysis, but you're paying for the comprehensive framework, expert validation, and actionable intelligence.

Is a platform-powered assessment as thorough as manual?

More thorough. Here's why:

Coverage:

  • Manual assessments: Typically 10-15 checks (what one consultant can realistically check in 2-4 hours)
  • Our platform: Up to 30 comprehensive checks (depending on your M365 license)

Consistency:

  • Manual: 85-90% consistency (depends on consultant experience, time pressure, fatigue)
  • Platform-powered: 100% consistency (same checks, same methodology, every time)

Evidence:

  • Manual: "External sharing appears to be enabled" (vague screenshot)
  • Platform-powered: "External sharing is set to 'Anyone with the link' at tenant level. 47 OneDrive links have been shared externally in the past 90 days with no expiry date" (specific, actionable)

Best of both worlds: Platform execution ensures nothing is missed, human expert review ensures the findings make sense for your specific business context, and a debrief call answers your questions and builds your action plan.

What's the difference between assessment tiers?

Pricing is flat per assessment — the same price regardless of how many Microsoft 365 licences or seats you have. Every tier runs the same automated assessment (up to 30 checks, with the exact depth depending on your M365 licence — we only run checks applicable to features you actually have). The tiers differ by the service we add on top of that automated run, not by the scope of the scan.

Standard ($499 + GST):

  • Automated Microsoft 365 security assessment (up to 30 checks by licence tier)
  • CyberChex Score + Microsoft Secure Score
  • Professional branded PDF report
  • Prioritised, plain-English recommendations + secure portal access
  • Delivery: 1–5 business days

Premium ($1,299 + GST) — most popular:

  • Everything in Standard, plus:
  • Consultant-led findings walkthrough (call)
  • Prioritised remediation roadmap
  • Re-assessment after remediation (before/after improvement)
  • Priority email support

Enterprise ($1,999 + GST):

  • Everything in Premium, plus:
  • Quarterly scheduled re-assessments
  • Comparison reporting between assessments (track improvement over time)
  • Executive / board-ready summary

Not sure which tier? During your intake call, we'll confirm your M365 licence and recommend the right fit. We only run checks applicable to features you actually have.

Practical Questions

What access do you need to our M365 environment?

Read-only access only. We never make changes to your environment.

Specifically, we request:

  • Global Reader role: Read-only access to view settings (no edit permissions)
  • Security Reader role: Read-only access to security & compliance settings

What we CAN do:

  • View configuration settings across your M365 tenant
  • Review security policies and controls
  • Check Secure Score and recommendations
  • View audit log status (but not read the logs themselves)

What we CANNOT do:

  • Make any configuration changes
  • Access mailbox content or read emails
  • View files stored in SharePoint/OneDrive
  • Export user data
  • Delete or modify anything

How access works: You grant access via email (we send you instructions). Access is typically granted for 24-48 hours to complete the assessment, then you can revoke it immediately. We provide step-by-step instructions and can walk you through it on the intake call.

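If you want to verify for yourself that the access you granted matches what is described above (read-only roles only, and revoked once the window has passed), the following added example shows the check as logic over an export of directory role assignments. It is not CyberChex's onboarding tooling; the export format (a list of `principal`, `role`, `granted_at` records), the assessor account name and the timestamps are all constructed for the example.

```python
"""Checks a constructed export of directory role assignments to confirm an
assessor's access is read-only and still inside the agreed window. Added
example, not CyberChex tooling; the export format and sample data are assumed."""
from __future__ import annotations

from datetime import datetime, timedelta, timezone

READ_ONLY_ROLES = {"Global Reader", "Security Reader"}    # the two roles requested above
ACCESS_WINDOW_HOURS = 48                                  # page: access granted for 24-48 hours
AS_OF = datetime(2025, 10, 3, 9, 0, tzinfo=timezone.utc)  # constructed "now"
ASSESSOR = "assessor@assessor.example"                    # constructed assessor account


def review_assessor_access(assignments: list[dict], assessor: str, now: datetime) -> list[str]:
    """assignments: [{"principal": upn, "role": display name, "granted_at": ISO 8601 UTC}].
    Returns plain-English findings; an empty list means the grant looks as intended."""
    findings: list[str] = []
    mine = [a for a in assignments if a["principal"] == assessor]
    for a in mine:
        if a["role"] not in READ_ONLY_ROLES:
            findings.append(f"'{a['role']}' is not read-only; the assessment needs only "
                            + ", ".join(sorted(READ_ONLY_ROLES)))
        hours = (now - datetime.fromisoformat(a["granted_at"])) / timedelta(hours=1)
        if hours > ACCESS_WINDOW_HOURS:
            findings.append(f"'{a['role']}' was granted {hours:.0f}h ago, beyond the "
                            f"{ACCESS_WINDOW_HOURS}h window; revoke it")
    missing = READ_ONLY_ROLES - {a["role"] for a in mine}
    if missing:
        findings.append("Assessor is missing: " + ", ".join(sorted(missing)))
    return findings


def sample_assignments() -> list[dict]:
    """Constructed export: the two intended roles granted 12 hours ago, plus a
    Global Administrator assignment mistakenly granted 13 days earlier."""
    return [
        {"principal": ASSESSOR, "role": "Global Reader",
         "granted_at": "2025-10-02T21:00:00+00:00"},
        {"principal": ASSESSOR, "role": "Security Reader",
         "granted_at": "2025-10-02T21:00:00+00:00"},
        {"principal": ASSESSOR, "role": "Global Administrator",
         "granted_at": "2025-09-20T09:00:00+00:00"},
        {"principal": "owner@example.com.au", "role": "Global Administrator",
         "granted_at": "2024-01-10T00:00:00+00:00"},   # your own admin, not reviewed here
    ]


if __name__ == "__main__":
    for finding in review_assessor_access(sample_assignments(), ASSESSOR, AS_OF):
        print("-", finding)
```

On the sample export the check flags the Global Administrator grant twice (wrong role, and older than 48 hours) and says nothing about the two reader roles; once that grant is removed and the reader roles are revoked after the assessment, the assessor's rows disappear and only the "missing" line remains, which is the expected end state.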
What happens after the assessment?

You get a clear action plan and multiple options for how to proceed.

Step 1: Report Delivery (1-5 business days)

  • Professional PDF report with findings, risk ratings, and remediation roadmap
  • Executive summary (1 page for board/stakeholders)
  • Prioritised action list: Immediate (48 hours) / 30 days / 90 days
  • Portal access for ongoing tracking

Step 2: Debrief Call (scheduled within 3 days of report)

  • 45-90 minute video call (depending on tier)
  • Walk through every finding
  • Answer questions
  • Build your implementation plan
  • Discuss options for remediation

Step 3: Your Options

Option A: DIY Implementation

  • Use our report and roadmap to fix issues yourself
  • We provide links to Microsoft documentation for each item
  • Email support during your support window (14-60 days depending on tier)
  • Best for: Businesses with internal IT resources

Option B: CyberChex Remediation

  • We fix the critical issues for you (charged hourly or project basis)
  • Typical remediation: 5-15 hours depending on findings
  • We make the changes, test, and document
  • Best for: Businesses without internal IT or time constraints

Option C: Monthly Monitoring

  • Monthly scans to track progress
  • Change detection alerts
  • Ongoing compliance evidence
  • Best for: Businesses wanting ongoing visibility

No obligation: The assessment gives you a roadmap. What you do with it is entirely up to you. We're here to help if you want us, but there's no pressure or lock-in contracts.

How long does remediation take?

It depends on your findings, but here's a realistic timeline:

Critical issues (within 48 hours):

  • Enable MFA on admin accounts: 30 minutes
  • Remove excessive admin privileges: 1 hour
  • Enable audit logging: 15 minutes
  • Disable risky sharing settings: 30 minutes

30-day priorities:

  • Configure SPF/DKIM/DMARC email authentication: 2-4 hours
  • Set up Conditional Access policies: 3-6 hours
  • Implement backup solution: 4-8 hours (including testing)
  • Review and update external sharing policies: 2-3 hours

90-day improvements:

  • Implement DLP (Data Loss Prevention) policies: 8-12 hours
  • Configure device compliance policies: 4-8 hours
  • Set up retention policies: 4-6 hours
  • Document processes and train staff: 8-16 hours

Quick wins matter: Most businesses can address 60-70% of critical findings within the first week. The remaining items are ongoing process improvements that can be phased over 90 days.
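The SPF/DKIM/DMARC item in the 30-day list is the one most often left half-finished (a record exists, but with a policy that does nothing). As an added example, not the CyberChex platform's code, the block below shows what "done" looks like by checking constructed DNS TXT answers for a made-up domain: a weak set of records beside a hardened set. The domain `example.com.au`, the selector name, the DKIM key placeholder and the `assess_domain` function are all constructed; `spf.protection.outlook.com` is Microsoft 365's published SPF include. No live DNS lookups are made; point the same functions at real resolver output to check your own domain.

```python
"""SPF, DKIM and DMARC record checks run against constructed DNS TXT answers.
Added example, not the CyberChex platform; it performs no live DNS lookups."""
from __future__ import annotations

# RFC 7208 s4.6.4: more than 10 of these terms makes SPF evaluation fail (permerror)
SPF_LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}
SPF_LOOKUP_LIMIT = 10

DOMAIN = "example.com.au"   # constructed
SELECTOR = "selector1"      # constructed selector name


def _tags(record: str) -> dict[str, str]:
    """Parse 'k=v; k=v' tag lists (the syntax DKIM and DMARC records share)."""
    out: dict[str, str] = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            out[key.strip().lower()] = value.strip()
    return out


def check_spf(record: str | None) -> list[str]:
    if not record:
        return ["SPF: no record published; receivers cannot tell spoofed mail from yours"]
    terms = record.split()
    if terms[0].lower() != "v=spf1":
        return ["SPF: record does not begin with v=spf1"]
    findings, lookups, all_qualifier = [], 0, None
    for term in terms[1:]:
        qualifier = term[0] if term[0] in "+-~?" else "+"   # default qualifier is pass
        body = term.lstrip("+-~?").lower()
        name = body.split(":", 1)[0].split("/", 1)[0].split("=", 1)[0]
        if body == "all":
            all_qualifier = qualifier
        elif name in SPF_LOOKUP_TERMS:
            lookups += 1
    if all_qualifier in (None, "+", "?"):
        findings.append("SPF: ends without -all or ~all, so mail from unlisted servers still passes")
    if lookups > SPF_LOOKUP_LIMIT:
        findings.append(f"SPF: {lookups} DNS-lookup terms exceeds the limit of {SPF_LOOKUP_LIMIT} (permerror)")
    return findings


def check_dkim(record: str | None, selector: str) -> list[str]:
    if not record:
        return [f"DKIM: no key published for selector '{selector}'"]
    if not _tags(record).get("p"):
        return [f"DKIM: selector '{selector}' has an empty p= tag (key revoked)"]
    return []


def check_dmarc(record: str | None) -> list[str]:
    if not record:
        return ["DMARC: no record published"]
    tags = _tags(record)
    if tags.get("v") != "DMARC1":
        return ["DMARC: record does not begin with v=DMARC1"]
    findings = []
    policy = tags.get("p", "").lower()
    if policy == "none":
        findings.append("DMARC: p=none only monitors; spoofed mail is still delivered")
    elif policy not in ("quarantine", "reject"):
        findings.append("DMARC: missing or invalid p= tag")
    if "rua" not in tags:
        findings.append("DMARC: no rua= address, so you receive no aggregate reports")
    pct = tags.get("pct", "100")
    if pct.isdigit() and int(pct) < 100:
        findings.append(f"DMARC: pct={pct} applies the policy to only part of your mail")
    return findings


def assess_domain(dns: dict[str, str], domain: str, selector: str) -> list[str]:
    """dns maps a DNS name to its TXT record; missing names mean no record."""
    return (check_spf(dns.get(domain))
            + check_dkim(dns.get(f"{selector}._domainkey.{domain}"), selector)
            + check_dmarc(dns.get(f"_dmarc.{domain}")))


# Constructed "before": SPF neutral for unlisted senders, no DKIM key, monitor-only DMARC.
WEAK_DNS = {
    DOMAIN: "v=spf1 include:spf.protection.outlook.com ?all",
    f"_dmarc.{DOMAIN}": "v=DMARC1; p=none",
}

# Constructed "after": hard fail, DKIM key published (placeholder value), reject with reporting.
HARDENED_DNS = {
    DOMAIN: "v=spf1 include:spf.protection.outlook.com -all",
    f"{SELECTOR}._domainkey.{DOMAIN}": "v=DKIM1; k=rsa; p=PLACEHOLDER_PUBLIC_KEY",
    f"_dmarc.{DOMAIN}": "v=DMARC1; p=reject; rua=mailto:dmarc@example.com.au; pct=100",
}

if __name__ == "__main__":
    for label, dns in (("weak", WEAK_DNS), ("hardened", HARDENED_DNS)):
        print(label, assess_domain(dns, DOMAIN, SELECTOR) or ["no findings"])
```

The weak set produces four findings and the hardened set none. Moving from `p=none` to `p=reject` is normally done in stages (monitor, then quarantine, then reject) while the aggregate reports at `rua=` show that every legitimate sender passes, which is why this item sits in the 30-day list rather than the 48-hour one.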

Ready to Secure Your M365 Environment?

Get your comprehensive security assessment delivered in 1-5 business days. Find your gaps before attackers do.

View Pricing & Book Assessment

More questions? Contact us or call us directly at [YOUR PHONE]
