Security

Most organizations are one configuration change away from dramatically better security. They just haven’t made it yet.

If your organization uses Microsoft 365 or Google Workspace, you are already paying for a security platform. Not just email and documents — a layered set of tools designed to block intrusion, flag anomalies, enforce access controls, and give your team visibility into what’s actually happening on your network.

Most organizations are using maybe 20% of it.

I’ve seen this firsthand managing infrastructure for a large nonprofit. The tools were there. Microsoft Defender, Secure Score, conditional access policies, MFA enforcement — all licensed, all available, most of it sitting at default settings that were never tightened after initial setup. It’s not negligence. It’s the reality of IT teams that are stretched thin and focused on keeping the lights on.

But “keeping the lights on” and “actively secured” are not the same thing anymore.

Microsoft 365 Business Premium includes Defender for Business, which provides endpoint detection and response across every device in your organization. It’s not a stripped-down version — it’s the real thing, tuned for smaller teams. If you haven’t onboarded your devices to it, you’re paying for a security operations capability and running blind.

Microsoft Secure Score is a dashboard that literally tells you what you haven’t turned on yet and ranks the impact of each gap. It’s one of the most underutilized tools in the Microsoft ecosystem. You can open it right now, look at your score, and get a prioritized list of things to fix — many of which take less than ten minutes to implement.

Conditional access policies let you say things like: this account can only log in from approved locations, on approved devices, and if something looks off, require re-authentication. That alone blocks a significant percentage of credential-based attacks. It’s not turned on by default.

Google Workspace has its own version of this — the Admin Console security dashboard, context-aware access, alert policies, and audit logs that most admins never look at until something goes wrong. At that point, looking at the logs is no longer proactive. It’s forensic.

Multi-factor authentication is not optional anymore. It hasn’t been for years. And yet a surprising number of organizations still have it set to “encouraged” rather than enforced — which means the one person who finds it inconvenient is the one person who becomes your breach vector.

Enforce it. All accounts. No exceptions for executives who travel frequently or volunteers who only log in once a month. Those are exactly the accounts attackers target — high privilege or low attention.

If you’re on Microsoft 365, open Secure Score today. Don’t try to fix everything — pick the top three recommendations under 30 minutes of effort and implement them. Check device onboarding status in Defender. Review your conditional access policies and make sure MFA is enforced, not just available.

If you’re on Google Workspace, pull up the Admin Console security dashboard. Look at your alert policies — are they configured to notify someone who will actually act on them? Check your audit logs for anything unusual in the last 30 days. Review which apps have been granted third-party access to your users’ accounts.

None of this requires a new vendor, a new budget line, or a six-month project. It requires someone to sit down, open the dashboards, and make decisions that have been sitting unmade.

That’s the work. And most of it is already paid for.

Sources

Microsoft Secure Score Documentation · Microsoft Defender for Business Overview · Google Workspace Security Dashboard