top of page

Microsoft 365 Security: Why Most Irish Businesses Are Only Using 30% of What They Pay For

  • Jun 26
  • 4 min read

Your business pays for Microsoft 365 every month. Depending on your licence tier, you are almost certainly paying for Defender for Business, conditional access policies, multi-factor authentication enforcement, and advanced anti-phishing protection. The uncomfortable truth is that the majority of SMEs have most of these features sitting switched off, either because nobody configured them, or because the defaults are deliberately permissive to avoid disrupting users at setup.


Young man types at a transparent futuristic desk with floating blue holographic screens, facing forward in a calm, focused mood.

The Gap Between Licensed and Deployed

Microsoft's own research has found that a significant portion of SMB customers using Microsoft 365 have not fully enabled the security features included in their subscription. The reason is straightforward: deploying these controls properly requires time, expertise, and a willingness to test configurations carefully before they affect users.


In practice, many businesses, and even some IT providers, turn on the minimum required to get email working and move on. Advanced threat protection stays at default. Conditional access rules that would block suspicious logins from unfamiliar locations are never created. Defender for Business is licensed but not configured.


This gap is exactly what attackers look for. Business email compromise, account takeover, and ransomware distribution via email are now the most common entry points for Irish businesses facing cyber incidents.


What Fully Deployed Microsoft 365 Security Looks Like

A properly secured Microsoft 365 environment includes multi-factor authentication enforced for every account including administrators, conditional access policies that block login attempts from high-risk locations or unmanaged devices, Microsoft Defender for Business configured with real-time protection and automated investigation, anti-phishing and anti-spoofing rules that go beyond the defaults, email encryption for sensitive communications, and Data Loss Prevention policies that flag potential data exfiltration.


Savenet's 365 Security Shield is specifically designed to close this gap. We deploy and maintain Microsoft 365 security above a verified 85% Secure Score, the industry-standard measure of how well your Microsoft environment is protected, and we keep it there through ongoing management, not a one-time configuration.


The Secure Score: What It Is and Why It Matters

Microsoft Secure Score is a measurement from 0 to 100 that reflects how well your Microsoft 365 environment is configured against security best practices. A score of 30 to 40 is common for businesses that have never had a dedicated Microsoft security review. A score above 80 represents a well-hardened environment.


Insurers and compliance auditors are increasingly using Secure Score, or equivalent measures, as evidence of due diligence. A low score can affect your cyber insurance premium, or in some cases your ability to obtain coverage at all.


Our 365 Security Shield includes a live Secure Score dashboard so you can see your posture at any time, with month-on-month improvement tracking.


Common Microsoft 365 Security Mistakes

The most common misconfigurations we encounter when auditing new client environments include global administrator accounts being used for day-to-day tasks, legacy authentication protocols left enabled, no MFA on shared mailboxes or service accounts, and Defender for Business present but running in audit-only mode.


Each of these represents a material risk. Legacy authentication bypasses modern MFA entirely, an attacker with a stolen password can authenticate directly without needing a second factor. Global admin accounts used daily are high-value targets; if compromised, an attacker has unrestricted access to your entire Microsoft tenant.


What is Microsoft Secure Score and what is a good score?

Microsoft Secure Score is a measure from 0 to 100 of how well your Microsoft 365 environment is configured against security best practices. A score of 30 to 40 is common for businesses that have never had a dedicated security review. A score above 80 is considered well-hardened. Savenet's 365 Security Shield targets and maintains a score above 85 for all clients.

If we are paying for Microsoft 365, are we not already protected?

Having a Microsoft 365 licence is not the same as having the security features in that licence switched on and correctly configured. Most security features ship in a permissive default state to avoid disrupting users at setup. Without deliberate configuration and ongoing management, the majority of the protection you are paying for is simply not active.

What is multi-factor authentication and why does it matter?

Multi-factor authentication (MFA) requires users to verify their identity using a second method, such as a phone notification or authentication app, in addition to their password. It is one of the most effective controls available because even if an attacker obtains a password, they cannot access the account without the second factor. Many cyber insurance policies now require MFA as a condition of coverage.

What is a conditional access policy?

A conditional access policy in Microsoft 365 allows you to set rules about when and how users can access company resources. For example, you can block logins from countries your business does not operate in, require MFA when someone logs in from an unfamiliar device, or restrict access to company data from personal unmanaged devices. These policies can significantly reduce the risk of account compromise.

What is Defender for Business and is it included in our Microsoft 365 licence?

Microsoft Defender for Business is an endpoint protection and detection tool included in Microsoft 365 Business Premium licences. It provides real-time threat protection, automated investigation of alerts, and vulnerability reporting across all enrolled devices. It is included in the licence for many businesses but must be configured and enrolled to provide any protection.

How often should Microsoft 365 security settings be reviewed?

Microsoft regularly updates its security features and recommendations, and the threat landscape evolves continuously. Security settings should be reviewed at a minimum quarterly, and any significant change to your organisation, such as staff growth, a new application deployment, or a change in working practices, should trigger an immediate review of relevant policies.

What is business email compromise and how does Microsoft 365 security help prevent it?

Business email compromise (BEC) is an attack where a criminal gains access to a legitimate business email account and uses it to commit fraud, typically by redirecting payments or impersonating senior staff to authorise transactions. Properly configured Microsoft 365 security, including MFA, anti-phishing rules, and mailbox auditing, significantly reduces both the likelihood of an account being compromised and the time before a compromise is detected.


Interested about Microsoft 365 security shield?

bottom of page