Coleman Technologies Blog

Your business runs on Microsoft 365. Emails, files, calendars, Teams calls. It all flows through one platform every single day. But here’s the uncomfortable reality about Microsoft 365 security settings for Burnaby businesses: the default configuration Microsoft gives you was built for convenience, not protection. And cybercriminals are counting on you not knowing the difference.

Microsoft 365 is functional out of the box. It’s not secure out of the box. The security tools are built in and available, but most of them are not turned on or configured properly unless someone deliberately does it. That gap between "available" and "activated" is exactly where attackers operate. And for small and medium sized businesses across Burnaby and the Lower Mainland, this blind spot is costing them everything.

The Default Settings Trap That Catches Almost Everyone

Microsoft designed its default settings to get businesses up and running fast. Collaboration tools work immediately. File sharing is frictionless. Email flows without interruption. But that speed comes at a cost that most business owners never realize until something goes wrong.

Default configurations often leave legacy authentication protocols like POP and IMAP active. These older protocols don’t support multi-factor authentication, which means they create a backdoor that completely bypasses your login security. Attackers know this. They actively scan for businesses still running these protocols because it’s the easiest way in.

Your Security Tools Are There but Nobody Turned Them On

Think of it this way. Microsoft hands you a building with a state of the art alarm system, reinforced doors, and security cameras in every hallway. But none of it is plugged in. The building looks secure from the outside. Inside, every door is unlocked and every camera is off.

The 2025 Verizon Data Breach Investigations Report found that ransomware was present in 88% of breaches involving small and medium sized businesses. That’s not a typo. While large enterprises saw ransomware in 39% of their breaches, SMBs absorbed the overwhelming majority of the damage. The reason is straightforward: smaller organizations typically have weaker security configurations, slower patch cycles, and fewer resources dedicated to IT security.

For companies relying on Microsoft 365 security settings for Burnaby businesses to protect sensitive client data, these defaults are a ticking clock.

The Five Settings Most Businesses Never Configure

Understanding where the gaps exist is the first step toward closing them. These are the Microsoft 365 security settings that consistently go unconfigured in small business environments:

• Multi-factor authentication left optional. MFA is available in every Microsoft 365 plan, but it’s not enforced by default for all users. Microsoft has reported that more than 99.9% of compromised accounts didn’t have MFA enabled. One setting. That is all it takes to block the vast majority of credential theft attacks.
• External sharing set to "anyone with a link." SharePoint and OneDrive default sharing settings often allow files to be accessed by anyone who receives a link, with no login required. Confidential documents can be forwarded, intercepted, or posted publicly without your knowledge.
• Too many Global Administrator accounts. During initial setup, businesses commonly assign Global Admin access to multiple people and never revisit it. Every Global Admin account is a high value target. If even one is compromised, an attacker has full control of your entire tenant.
• Email authentication protocols not configured. SPF, DKIM, and DMARC are email authentication standards that prevent attackers from spoofing your domain. Many businesses never set them up, which means criminals can send phishing emails that appear to come from your CEO.
• Audit logging and alerts turned off. Without audit logs and security alerts enabled, suspicious activity like unusual login locations, mass file downloads, or new forwarding rules goes completely unnoticed until the damage is done.

These aren’t advanced enterprise concerns. These are foundational settings that every business using Microsoft 365 should have configured from day one.

Why Burnaby Businesses Are Prime Targets

There’s a persistent myth that cybercriminals only go after large corporations. The data tells a very different story.

According to the 2025 Verizon DBIR, small and medium sized businesses are being targeted nearly four times more frequently than large organizations. The logic is simple from an attacker's perspective. It’s far easier to extract smaller amounts from twenty vulnerable businesses than to breach one company that has a dedicated security operations center.

Canadian businesses are not immune to this trend. A 2024 BDC survey found that 73% of Canadian small businesses have experienced a cybersecurity incident, ranging from phishing attempts to full denial of service attacks. Meanwhile, 61% reported experiencing a phishing attempt via email, the exact attack vector that misconfigured Microsoft 365 settings leave wide open.

Microsoft 365 security settings for Burnaby businesses are especially critical because the industries concentrated in this region, including professional services, legal, accounting, and construction, handle sensitive client information daily. A single breach doesn’t just cost money. It destroys client trust and can trigger compliance violations.

The Phishing Problem Is Getting Worse

Microsoft was the most impersonated brand in phishing campaigns in 2024, appearing in over 51% of all phishing scams worldwide. Attackers create login pages that look identical to the real Microsoft 365 sign in screen. When an employee enters their credentials on a fake page, the attacker walks right into your environment.

Without proper anti-phishing policies configured in Microsoft Defender for Office 365, these emails land in inboxes looking completely legitimate. Safe Links, Safe Attachments, and impersonation protection are all available within the platform. Most businesses have never turned them on.

What Properly Configured Microsoft 365 Security Actually Looks Like

The gap between a vulnerable Microsoft 365 environment and a hardened one is not about buying more software. It’s about configuring what you already have.

A properly secured Microsoft 365 tenant includes:

• MFA enforced for every user account, not just administrators
• Legacy authentication protocols disabled entirely
• Conditional Access policies that evaluate login context, including device, location, and risk level
• External sharing restricted to authenticated users with expiration dates on shared links
• Microsoft Defender for Office 365 configured with Safe Links, Safe Attachments, and anti-phishing policies active

Microsoft's own research confirms that MFA alone reduces the risk of account compromise by 99.2%. That single configuration change eliminates almost all credential based attacks. Yet according to research cited in the 2025 CoreView State of Microsoft 365 Security report, only 41% of organizations have implemented MFA effectively across their environments.

The remaining 59% are operating with the digital equivalent of a screen door on a bank vault. Every day those settings stay unconfigured is another day attackers have a clear path into your environment. And once they’re inside, they move fast. Forwarding rules get created. Data gets exfiltrated. Ransomware gets deployed. All before anyone notices something is wrong.

The businesses that take Microsoft 365 security settings for Burnaby businesses seriously are the ones that treat configuration as an ongoing process, not a one time setup task. Settings drift over time as employees are added, apps are integrated, and Microsoft releases updates. Quarterly reviews of your security posture are not a luxury. They’re a necessity.

The Business Cost of Getting This Wrong

The consequences of misconfigured Microsoft 365 settings extend far beyond the initial breach.

The 2025 Verizon DBIR reported that ransomware attacks rose by 37% year over year and were present in 44% of all confirmed data breaches globally. For small businesses specifically, the operational fallout is devastating. Systems go offline. Client data gets exposed. Recovery takes weeks, not days.

Here is what a breach typically triggers for a small business:

• Immediate loss of access to email, files, and collaboration tools
• Regulatory notification requirements if client data is compromised
• Cyber insurance claims that may be denied if basic security controls like MFA were not in place
• Reputational damage that drives clients to competitors
• Legal exposure from failure to protect sensitive information

The 2025 Verizon DBIR also found that credential abuse accounted for 22% of all breaches, and vulnerability exploitation accounted for another 20%. Both attack vectors are directly addressed by properly configuring Microsoft 365 security settings for Burnaby businesses.

How to Know If Your Settings Are Actually Configured

Microsoft provides a built in tool called Secure Score that evaluates your current security posture and recommends specific actions to improve it. It’s free, it’s already in your admin portal, and most businesses have never looked at it.

Secure Score examines your configurations across identity, data protection, devices, applications, and infrastructure. It then benchmarks your environment against similar organizations and prioritizes recommendations by impact. Most businesses we work with are shocked by how low their initial score is, even when they assumed everything was properly set up.

The tool isn’t a replacement for professional security management. But it gives you an honest snapshot of where you stand today. And for businesses that have never audited their Microsoft 365 configuration, that snapshot is often the wake up call that drives real change.

If you do nothing else after reading this article, take these three steps this week:

• Log into your Microsoft 365 admin center and check your Secure Score
• Verify that MFA is enforced for every user, especially administrators
• Review your external sharing settings in SharePoint and OneDrive

These three actions alone will close the most dangerous gaps in your environment. They cost nothing, they take less than an hour, and they dramatically reduce your exposure.

Stop Assuming Microsoft Has You Covered

Microsoft gives you the tools. They don’t configure them for you. That distinction is the single biggest security risk facing small and medium sized businesses running Microsoft 365 today.

The businesses that avoid breaches are not the ones with the biggest budgets. They’re the ones that took the time to properly configure their Microsoft 365 security settings. For Burnaby businesses handling sensitive client data across professional services, legal, accounting, and construction, getting this right is not optional. It’s the foundation of everything else.

If you’re not sure whether your Microsoft 365 security settings for Burnaby businesses are properly configured, Coleman Technologies offers a comprehensive security assessment that identifies exactly where your gaps are and what it takes to close them. Call (604) 513-9428 or book a courtesy 30 minute consultation at colemantechnologies.com to find out where you stand.

Sources:

1. Verizon, "2025 Data Breach Investigations Report (DBIR)," April 2025: verizon.com/business/resources/reports/dbir/
2. Microsoft, "Security at Your Organization: MFA Statistics," Microsoft Partner Center: learn.microsoft.com/en-us/partner-center/security/security-at-your-organization
3. Microsoft, "One Simple Action You Can Take to Prevent 99.9% of Account Attacks," Microsoft Security Blog: microsoft.com/en-us/security/blog/2019/08/20/one-simple-action-you-can-take-to-prevent-99-9-percent-of-account-attacks/
4. Microsoft, "Microsoft Digital Defense Report 2023": microsoft.com/en/security/security-insider/microsoft-digital-defense-report-2023
5. CoreView and Help Net Security, "Why Your Microsoft 365 Setup Might Be More Vulnerable Than You Think," July 2025: helpnetsecurity.com/2025/07/14/microsoft-365-attack-surface/
6. BDC (Business Development Bank of Canada), "Survey of Cybersecurity and Canadian SMEs," September 2024: bdc.ca/en/articles-tools/blog/cyberattacks-small-businesses-remain-denial
7. Hunto AI, "60+ Phishing Attack Statistics: Insights for 2026": hunto.ai/blog/phishing-attack-statistics/

You want to know what’s scary? Anytime your company’s IT fails and you’re left wondering if you can afford a new piece of hardware or the maintenance to fix what’s broken. When you rely on break-fix IT, you’re basically living in a horror film; you never know when the slasher is going to leap out of the shadows and strike. With managed IT, you can sidestep the scaries and know with confidence you’re taking care of your business’ future.

Here are three reasons why managed IT is the superior option for managing your technology solutions.

Does this sound familiar? Your business is growing, but you haven’t changed your server hardware since you began operations. It’s hindering growth at this point, and you don’t know what to do. The best solution out there is to turn to the cloud. With the right implementation of a cloud-first model, you can effectively future-proof your business so it can grow unhindered.

So, you’ve added an antivirus to your business’ cybersecurity protections. That’s great—it’s an essential element of the comprehensive defenses that a modern business needs. However, it is important that the antivirus you’re relying on is, in fact, reliable.

Let’s go over how not all antivirus tools are the same, and what makes it so important to implement one that meets your business’ needs and protects against the threats you would otherwise have to deal with.

Your IT budget can cause you a lot of stress, but if you approach it right, it doesn’t have to. Like every other part of your business, you want to have a good idea where to invest your technology budget. Not that many people do. We recommend you build out an IT roadmap, and a strategy on how to keep downtime to a minimum; and a lot of that is getting experts to manage and maintain your business’ IT.

How do you know when it’s time to fire one of your vendors? Better yet, how do you know when you’re better off firing your IT vendor to find a better option? These kinds of situations can be stressful, but they’re not impossible. We’re here to help you make the call, as well as to offer a better alternative that saves you time, energy, and money.

Do you have an internal IT department for your business? Small businesses often don’t have dedicated IT staff, and if they do, chances are they’re overwhelmed with tasks and constantly playing catch-up (IT is a big job, after all). In fact, they might feel like they can never take time off because they’re so busy. If you want to ensure your business always has the IT it needs, then you should consider outsourcing as an option.

Surprises can be exciting, but one part of your business where you don’t want them is in your IT. A server crash, a wireless connectivity outage, or a security threat can all create multiple surprise problems that you simply aren’t ready to handle—particularly in the realm of your wallet. Instead of spinning the wheel and gambling on your IT bill, you can instead treat your IT like a predictable utility cost, and it’s all thanks to proactive managed IT services.

When something goes wrong with your company’s technology, the last thing you want to do is be the one at fault. Unfortunately, that’s what comes with the territory in the world of business IT. If you’re sick of technicians who make excuses rather than own up to their mistakes and correct their course, read on. We’re going to showcase just what accountability in IT looks like and how we strive to embody it.

Real talk: does running your business feel less like you’re crushing it and more like you’re the unpaid, stressed-out IT guy? One second you're closing deals, the next your whole system crashes and you're stuck on a support forum trying to figure out what a "DNS propagation error" is. I can easily say, that’s not the vibe you’re looking for.

Nobody likes getting large support bills from technology companies—especially when they are unexpected. This is the case for both the business owners footing the bill and the employees who might be held responsible for racking up the bill in the first place. This puts SMBs in a bit of an impossible situation; either spend money to keep employees productive, or save money and suffer from productivity issues.

Unexpected downtime can wreak havoc on businesses large and small, which is especially bad when so many paths lead to it. Let’s explore some of downtime’s causes, and equally importantly, how it can be avoided.

While your business might last into the near future, your IT is more challenging to upkeep and preserve over time. You’ll have to consider reworking and restructuring your infrastructure to ensure that it stands the test of time. Let’s review some warning signs that it might be time to do just that.

Your business needs IT expertise, regardless of how much it is integrated into your operations. You need someone on staff who not only understands your technology, but someone who can help you make the most of it to get the leg up on competition. Today, we want to explore how you can hire the right IT professionals for your organization’s specific needs, including both hard and soft skills.

Technology is a major pain point for just about all businesses, whether you’re a small mom-and-pop store or a medium-sized (and quickly growing) name in your community. You’ll always have the technology to upkeep, from computers and servers to software solutions or point-of-sale registers. This month, we want to discuss how managed IT solutions can help you maximize your resources by offering a simple, easy, and cost-effective alternative to hiring multiple in-house technicians.

We love to highlight how technology helps businesses thrive, particularly small and medium-sized businesses with a lot of growth potential but limited by their budgets. This is why we provide SMBs with managed IT services specifically designed to drive business growth. If you have yet to consider outsourcing your IT needs, you could be missing out on a golden opportunity to alleviate many of the pain points your organization suffers from on a daily basis.

One of the biggest signs that your business is doing well is that it is growing. When it starts to grow, you might notice that your office suddenly feels a little cramped. While moving an office can be stressful, it is often necessary to ensure that your company can continue to flourish. From an IT perspective, it can be even more challenging.

All organizations rely on their information systems to be consistently available when required, with some businesses being unable to function without them. When these systems undergo necessary maintenance, such as software patches, it can pose challenges for employees who rely on their continuous availability. In this discussion, we delve into the proactive approach to IT maintenance, exploring its strategic benefits in preventing downtime for businesses.

As a small business, we’re sure you want to improve your profit margin so that you can offer more exciting and innovative services or products. One way that many businesses bleed capital is through their IT expenses. While it might make sense on paper to address technology challenges only when they present themselves, the truth is the exact opposite.

While most of us know that Santa Claus lives at the North Pole, fewer know that he’s specifically built his big, rambling castle in the Laughing Valley. It is there that he and his workforce, the elves, sprites, pixies, and fairies that help him make his toys all live, all working hard to give the children of the world their presents each year.

Of course, as magical as Santa and his team may be, it isn’t unheard of for them to need a little help every once in a while.