Coleman Technologies Blog

Your business runs on Microsoft 365. Emails, files, calendars, Teams calls. It all flows through one platform every single day. But here’s the uncomfortable reality about Microsoft 365 security settings for Burnaby businesses: the default configuration Microsoft gives you was built for convenience, not protection. And cybercriminals are counting on you not knowing the difference.

Microsoft 365 is functional out of the box. It’s not secure out of the box. The security tools are built in and available, but most of them are not turned on or configured properly unless someone deliberately does it. That gap between "available" and "activated" is exactly where attackers operate. And for small and medium sized businesses across Burnaby and the Lower Mainland, this blind spot is costing them everything.

The Default Settings Trap That Catches Almost Everyone

Microsoft designed its default settings to get businesses up and running fast. Collaboration tools work immediately. File sharing is frictionless. Email flows without interruption. But that speed comes at a cost that most business owners never realize until something goes wrong.

Default configurations often leave legacy authentication protocols like POP and IMAP active. These older protocols don’t support multi-factor authentication, which means they create a backdoor that completely bypasses your login security. Attackers know this. They actively scan for businesses still running these protocols because it’s the easiest way in.

Your Security Tools Are There but Nobody Turned Them On

Think of it this way. Microsoft hands you a building with a state of the art alarm system, reinforced doors, and security cameras in every hallway. But none of it is plugged in. The building looks secure from the outside. Inside, every door is unlocked and every camera is off.

The 2025 Verizon Data Breach Investigations Report found that ransomware was present in 88% of breaches involving small and medium sized businesses. That’s not a typo. While large enterprises saw ransomware in 39% of their breaches, SMBs absorbed the overwhelming majority of the damage. The reason is straightforward: smaller organizations typically have weaker security configurations, slower patch cycles, and fewer resources dedicated to IT security.

For companies relying on Microsoft 365 security settings for Burnaby businesses to protect sensitive client data, these defaults are a ticking clock.

The Five Settings Most Businesses Never Configure

Understanding where the gaps exist is the first step toward closing them. These are the Microsoft 365 security settings that consistently go unconfigured in small business environments:

• Multi-factor authentication left optional. MFA is available in every Microsoft 365 plan, but it’s not enforced by default for all users. Microsoft has reported that more than 99.9% of compromised accounts didn’t have MFA enabled. One setting. That is all it takes to block the vast majority of credential theft attacks.
• External sharing set to "anyone with a link." SharePoint and OneDrive default sharing settings often allow files to be accessed by anyone who receives a link, with no login required. Confidential documents can be forwarded, intercepted, or posted publicly without your knowledge.
• Too many Global Administrator accounts. During initial setup, businesses commonly assign Global Admin access to multiple people and never revisit it. Every Global Admin account is a high value target. If even one is compromised, an attacker has full control of your entire tenant.
• Email authentication protocols not configured. SPF, DKIM, and DMARC are email authentication standards that prevent attackers from spoofing your domain. Many businesses never set them up, which means criminals can send phishing emails that appear to come from your CEO.
• Audit logging and alerts turned off. Without audit logs and security alerts enabled, suspicious activity like unusual login locations, mass file downloads, or new forwarding rules goes completely unnoticed until the damage is done.

These aren’t advanced enterprise concerns. These are foundational settings that every business using Microsoft 365 should have configured from day one.

Why Burnaby Businesses Are Prime Targets

There’s a persistent myth that cybercriminals only go after large corporations. The data tells a very different story.

According to the 2025 Verizon DBIR, small and medium sized businesses are being targeted nearly four times more frequently than large organizations. The logic is simple from an attacker's perspective. It’s far easier to extract smaller amounts from twenty vulnerable businesses than to breach one company that has a dedicated security operations center.

Canadian businesses are not immune to this trend. A 2024 BDC survey found that 73% of Canadian small businesses have experienced a cybersecurity incident, ranging from phishing attempts to full denial of service attacks. Meanwhile, 61% reported experiencing a phishing attempt via email, the exact attack vector that misconfigured Microsoft 365 settings leave wide open.

Microsoft 365 security settings for Burnaby businesses are especially critical because the industries concentrated in this region, including professional services, legal, accounting, and construction, handle sensitive client information daily. A single breach doesn’t just cost money. It destroys client trust and can trigger compliance violations.

The Phishing Problem Is Getting Worse

Microsoft was the most impersonated brand in phishing campaigns in 2024, appearing in over 51% of all phishing scams worldwide. Attackers create login pages that look identical to the real Microsoft 365 sign in screen. When an employee enters their credentials on a fake page, the attacker walks right into your environment.

Without proper anti-phishing policies configured in Microsoft Defender for Office 365, these emails land in inboxes looking completely legitimate. Safe Links, Safe Attachments, and impersonation protection are all available within the platform. Most businesses have never turned them on.

What Properly Configured Microsoft 365 Security Actually Looks Like

The gap between a vulnerable Microsoft 365 environment and a hardened one is not about buying more software. It’s about configuring what you already have.

A properly secured Microsoft 365 tenant includes:

• MFA enforced for every user account, not just administrators
• Legacy authentication protocols disabled entirely
• Conditional Access policies that evaluate login context, including device, location, and risk level
• External sharing restricted to authenticated users with expiration dates on shared links
• Microsoft Defender for Office 365 configured with Safe Links, Safe Attachments, and anti-phishing policies active

Microsoft's own research confirms that MFA alone reduces the risk of account compromise by 99.2%. That single configuration change eliminates almost all credential based attacks. Yet according to research cited in the 2025 CoreView State of Microsoft 365 Security report, only 41% of organizations have implemented MFA effectively across their environments.

The remaining 59% are operating with the digital equivalent of a screen door on a bank vault. Every day those settings stay unconfigured is another day attackers have a clear path into your environment. And once they’re inside, they move fast. Forwarding rules get created. Data gets exfiltrated. Ransomware gets deployed. All before anyone notices something is wrong.

The businesses that take Microsoft 365 security settings for Burnaby businesses seriously are the ones that treat configuration as an ongoing process, not a one time setup task. Settings drift over time as employees are added, apps are integrated, and Microsoft releases updates. Quarterly reviews of your security posture are not a luxury. They’re a necessity.

The Business Cost of Getting This Wrong

The consequences of misconfigured Microsoft 365 settings extend far beyond the initial breach.

The 2025 Verizon DBIR reported that ransomware attacks rose by 37% year over year and were present in 44% of all confirmed data breaches globally. For small businesses specifically, the operational fallout is devastating. Systems go offline. Client data gets exposed. Recovery takes weeks, not days.

Here is what a breach typically triggers for a small business:

• Immediate loss of access to email, files, and collaboration tools
• Regulatory notification requirements if client data is compromised
• Cyber insurance claims that may be denied if basic security controls like MFA were not in place
• Reputational damage that drives clients to competitors
• Legal exposure from failure to protect sensitive information

The 2025 Verizon DBIR also found that credential abuse accounted for 22% of all breaches, and vulnerability exploitation accounted for another 20%. Both attack vectors are directly addressed by properly configuring Microsoft 365 security settings for Burnaby businesses.

How to Know If Your Settings Are Actually Configured

Microsoft provides a built in tool called Secure Score that evaluates your current security posture and recommends specific actions to improve it. It’s free, it’s already in your admin portal, and most businesses have never looked at it.

Secure Score examines your configurations across identity, data protection, devices, applications, and infrastructure. It then benchmarks your environment against similar organizations and prioritizes recommendations by impact. Most businesses we work with are shocked by how low their initial score is, even when they assumed everything was properly set up.

The tool isn’t a replacement for professional security management. But it gives you an honest snapshot of where you stand today. And for businesses that have never audited their Microsoft 365 configuration, that snapshot is often the wake up call that drives real change.

If you do nothing else after reading this article, take these three steps this week:

• Log into your Microsoft 365 admin center and check your Secure Score
• Verify that MFA is enforced for every user, especially administrators
• Review your external sharing settings in SharePoint and OneDrive

These three actions alone will close the most dangerous gaps in your environment. They cost nothing, they take less than an hour, and they dramatically reduce your exposure.

Stop Assuming Microsoft Has You Covered

Microsoft gives you the tools. They don’t configure them for you. That distinction is the single biggest security risk facing small and medium sized businesses running Microsoft 365 today.

The businesses that avoid breaches are not the ones with the biggest budgets. They’re the ones that took the time to properly configure their Microsoft 365 security settings. For Burnaby businesses handling sensitive client data across professional services, legal, accounting, and construction, getting this right is not optional. It’s the foundation of everything else.

If you’re not sure whether your Microsoft 365 security settings for Burnaby businesses are properly configured, Coleman Technologies offers a comprehensive security assessment that identifies exactly where your gaps are and what it takes to close them. Call (604) 513-9428 or book a courtesy 30 minute consultation at colemantechnologies.com to find out where you stand.

Sources:

1. Verizon, "2025 Data Breach Investigations Report (DBIR)," April 2025: verizon.com/business/resources/reports/dbir/
2. Microsoft, "Security at Your Organization: MFA Statistics," Microsoft Partner Center: learn.microsoft.com/en-us/partner-center/security/security-at-your-organization
3. Microsoft, "One Simple Action You Can Take to Prevent 99.9% of Account Attacks," Microsoft Security Blog: microsoft.com/en-us/security/blog/2019/08/20/one-simple-action-you-can-take-to-prevent-99-9-percent-of-account-attacks/
4. Microsoft, "Microsoft Digital Defense Report 2023": microsoft.com/en/security/security-insider/microsoft-digital-defense-report-2023
5. CoreView and Help Net Security, "Why Your Microsoft 365 Setup Might Be More Vulnerable Than You Think," July 2025: helpnetsecurity.com/2025/07/14/microsoft-365-attack-surface/
6. BDC (Business Development Bank of Canada), "Survey of Cybersecurity and Canadian SMEs," September 2024: bdc.ca/en/articles-tools/blog/cyberattacks-small-businesses-remain-denial
7. Hunto AI, "60+ Phishing Attack Statistics: Insights for 2026": hunto.ai/blog/phishing-attack-statistics/

Let me ask you something: how well does your current IT support function?

If your first instinct is to say something vaguely positive, like “good” or “fine,” you’re probably missing out on significant benefits that could come from a more immersive and fleshed-out service delivery, rather than a stopgap meant to preserve the status quo. If your provider has never asked you about the future and your goals for it, it may be time to seek what else is out there.

It feels good to use tools you’re familiar with, but there comes a time when old tools start to hold you back. You might start to see unexpected costs that only surface over time. Let’s take a look at how you can know when it’s time to update your business’ tech and some of the hidden costs associated with not updating it.

Any computer issue you have can be extremely frustrating, but when something happens you should know you’re not alone. There are a few things that anyone that uses a computer has dealt with. This month, we take a look at three extremely common technical problems people deal with and what to do about them.

Every business relies on technology to function. Some wouldn’t be able to deliver any value to their customers without it, while others would be severely hindered if they suffered a data breach. For this reason, cybersecurity has to be a priority. In today’s blog, we will discuss five issues that business owners run into that can muddle their cybersecurity efforts.

Nobody likes getting large support bills from technology companies—especially when they are unexpected. This is the case for both the business owners footing the bill and the employees who might be held responsible for racking up the bill in the first place. This puts SMBs in a bit of an impossible situation; either spend money to keep employees productive, or save money and suffer from productivity issues.

Technology allows businesses to leverage high-impact practices, but only if that technology works the way it’s supposed to. Even simple issues with network connectivity problems, outdated technology, and cybersecurity can impact operations. The key to a successful technology deployment is understanding where potential disruptions could occur and taking measures to proactively address them ahead of time.

IT support is essential for businesses, but traditional on-site support can be expensive and inefficient.

Thankfully, remote IT support, such as that offered through managed services, is now available. This is a game-changer for small to medium-sized businesses. Let's explore the benefits of remote IT support.

Technology is a major pain point for just about all businesses, whether you’re a small mom-and-pop store or a medium-sized (and quickly growing) name in your community. You’ll always have the technology to upkeep, from computers and servers to software solutions or point-of-sale registers. This month, we want to discuss how managed IT solutions can help you maximize your resources by offering a simple, easy, and cost-effective alternative to hiring multiple in-house technicians.

Small and medium-sized businesses (SMBs) face the challenge of managing complex IT systems with very limited resources. Enter managed service providers, or MSPs, the guardians of IT that can help your business stay ahead of the game. An MSP's approach to IT support delivery offers many benefits that traditional IT support and even an in-house team might struggle to match.

Let's delve into three compelling reasons why our innovative approach is best for your IT support needs, especially if you want to scale up and streamline operations.

We love to highlight how technology helps businesses thrive, particularly small and medium-sized businesses with a lot of growth potential but limited by their budgets. This is why we provide SMBs with managed IT services specifically designed to drive business growth. If you have yet to consider outsourcing your IT needs, you could be missing out on a golden opportunity to alleviate many of the pain points your organization suffers from on a daily basis.

Among IT professionals, an acronym is sometimes used when discussing certain issues and challenges: “PEBKAC,” or Problem Exists Between Keyboard And Chair. In other words, user error. 

The entire premise of managed IT services is that they can save your business money, but in what specific ways does working with us make your budget more predictable? It’s really quite simple, and it encompasses three primary pillars: an established level of service, proactive maintenance and management, and the reliability and access to expertise that might otherwise put a stopper on your business’ potential.

All organizations rely on their information systems to be consistently available when required, with some businesses being unable to function without them. When these systems undergo necessary maintenance, such as software patches, it can pose challenges for employees who rely on their continuous availability. In this discussion, we delve into the proactive approach to IT maintenance, exploring its strategic benefits in preventing downtime for businesses.

In business, there are always issues that need to be met. Often, there are so many that finding which ones to give priority is a chore all in itself. Choosing the best path forward depends on the situation, so when you are considering your organization’s disaster recovery you have to take into account every troubling situation your business can encounter. This month let’s go through some of the most prevalent disasters that a business can face. 

I was meeting with an old colleague the other day. We met over Microsoft Teams to just check in and see how they were doing—no real itinerary, just to check in with a familiar face that I haven’t personally talked to in a few years. They had a little trouble getting into Microsoft Teams, since they were used to Zoom. I patiently smiled and helped them through it, and told them “No worries, it’s always the little differences that complicate things!”

At the time, I said this just to be empathetic. At first, the nerdy computer-geek part of my brain told me that the process to get into a Zoom meeting vs a Teams meeting, from their perspective, is exactly the same. But after the call, I really thought about this small interaction, and you know what? Things have gotten complicated.

Technology is complex, and it’s definitely not everyone’s cup of tea. This is more the case for business technology than consumer technology. Even those who consider themselves tech-savvy might be lost when it comes to managing business-grade technology solutions. How can you make sure that your business technology is receiving the service it needs to stay operational long-term?

In business, experience is always useful. Nowhere is that more apparent than when managing your organization’s IT infrastructure. The problem is that acquiring the expertise to do just that can be quite confusing for most business owners. Today, we’ll talk about how technology management experience can produce better business from one end to the other. 

Businesses need to adjust their technology to meet their operational goals. Oftentimes, this can be the difference between loads of inefficiency and things going smoothly.  Unfortunately, it isn’t always easy to ascertain where your business should spend its capital. Let’s take a look at how you can match your technology with your operational goals.

Defining Managed Services

On a very fundamental level, managed services and tech support are very different due to the way they operate.

Traditional tech support, also referred to as break-fix IT, are those that most people think of. Whenever a piece of technology breaks down or has some other issue, an IT technician is called to fix it. This was the predominant—and really, the only—option to receive any level of IT support for some time, despite the expensive repeat visits and prolonged operational interruptions that came with it. For larger enterprises, hiring full-time IT staff solved this problem. It’s still costly, and often too costly for small businesses, but it does lead to faster turnaround times and ongoing support.