Security | Microsoft | Business Applications
02 February 2026

Microsoft 365 Security Essentials for CFOs 

Justin Mason, Chief Technologist

Most mid-market UK businesses hold a Microsoft 365 Business Premium licence that includes robust security tools. The security problem generally isn't the technology: it's that these tools sit unused or misconfigured whilst the business operates under a false sense of security. 

Security breaches drain bank accounts, damage client relationships, and create regulatory headaches. According to the UK Government's Cyber Security Breaches Survey 2025, 74% of large businesses and 67% of medium-sized businesses experienced cyber breaches in the past year. 

You're already paying for sophisticated protection. The question is whether it's actually configured correctly. 

Identity and Access Management 

Identity controls determine whether a compromised credential becomes a minor inconvenience or a business-threatening incident. Access management then ensures that access is granted only when those identity checks pass and the user's permissions allow it.  

Multi-Factor Authentication 

Credential compromise is increasingly subtle and harder to detect. Multi-factor authentication changes the equation: a stolen password alone is no longer enough to get in. The caveat is that not all second factors are equal. SMS codes and simple push approvals can be defeated by adversary-in-the-middle phishing kits and push-fatigue attacks, so prefer phishing-resistant methods (FIDO2 security keys, passkeys, Windows Hello for Business) for administrators and finance staff. 

Every user needs MFA. Not just IT staff. Not just finance. Everyone. 

Conditional Access applies different requirements based on risk. Someone signing in from the office on a managed, compliant device passes with fewer prompts than someone connecting from an unfamiliar location or an unmanaged device. These decisions are evaluated automatically at every sign-in. 
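The "MFA for everyone" policy described above, expressed as a Conditional Access policy created through the Microsoft Graph PowerShell SDK. This is an added example, not code from the original article or from TSG. It assumes the Microsoft.Graph modules are installed, the tenant has Entra ID P1 (included in Business Premium), security defaults are switched off (they cannot coexist with Conditional Access), and a break-glass account exists; the account name `breakglass@contoso.example` and the policy name are placeholders.

```powershell
# Added example (not from the original article): a Conditional Access policy that requires
# MFA for every user on every cloud app, created in report-only mode first.
# Assumes the Microsoft.Graph PowerShell SDK and Entra ID P1. The break-glass UPN is a placeholder.
Import-Module Microsoft.Graph.Identity.SignIns
Import-Module Microsoft.Graph.Users

Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All", "User.Read.All"

# Emergency-access (break-glass) account: always excluded so a mistaken policy cannot lock out every admin.
$breakGlassUpn = "breakglass@contoso.example"   # placeholder; replace with your emergency account
$breakGlass = Get-MgUser -Filter "userPrincipalName eq '$breakGlassUpn'"
if (-not $breakGlass) { throw "Break-glass account $breakGlassUpn not found; create it before enforcing MFA." }

$policy = @{
    displayName = "CA001 - Require MFA for all users"
    # Report-only: the sign-in log shows who would have been blocked, without enforcing anything yet.
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users = @{
            includeUsers = @("All")
            excludeUsers = @($breakGlass.Id)
        }
        applications   = @{ includeApplications = @("All") }
        clientAppTypes = @("all")   # browsers, modern clients and legacy protocols alike
    }
    grantControls = @{
        operator        = "OR"
        builtInControls = @("mfa")
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
Write-Host "Created policy '$($created.DisplayName)' in state $($created.State)"

# After reviewing the report-only results in the Entra sign-in logs, switch the policy to enforced:
# Update-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $created.Id -BodyParameter @{ state = "enabled" }
```

Report-only first is the practitioner's safety check: a policy that accidentally includes a service account or an unregistered user shows up in the logs as "would have failed" rather than as a locked-out finance team on Monday morning. The break-glass exclusion is the second check; that account should have a long random password stored offline and its sign-ins should raise an alert.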

Least Privilege 

Most businesses give staff more access than they need: someone who moved out of finance three years ago still has accounting-system access. Every excess permission is another route to data theft, and another account an attacker can abuse after a credential compromise. 

Regular permission reviews matter. Quarterly minimum. Check who has financial system access, who holds admin rights, whether they are still required, and whether permissions match current roles. 
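The quarterly admin-rights review described above can be scripted so it produces a record rather than relying on someone clicking through the portal. The script below is an added example, not code from the original article or from TSG. It assumes the Microsoft.Graph PowerShell SDK and Entra ID P1 (sign-in activity data needs P1, which Business Premium includes); the 90-day threshold and the output file name are choices made for the example.

```powershell
# Added example (not from the original article): quarterly review of privileged role holders.
# Lists every member of every activated Entra ID directory role and flags accounts that are
# disabled or have not signed in for 90 days, so the reviewer can decide whether the assignment
# is still required. Assumes the Microsoft.Graph SDK; sign-in activity requires Entra ID P1.
Import-Module Microsoft.Graph.Identity.DirectoryManagement
Import-Module Microsoft.Graph.Users

Connect-MgGraph -Scopes "RoleManagement.Read.Directory", "Directory.Read.All", "AuditLog.Read.All"

$staleAfter = (Get-Date).AddDays(-90)   # review threshold chosen for this example

$report = foreach ($role in Get-MgDirectoryRole) {
    foreach ($member in Get-MgDirectoryRoleMember -DirectoryRoleId $role.Id -All) {
        # Only user principals are reviewed here; group and service-principal assignments need their own review.
        if ($member.AdditionalProperties['@odata.type'] -ne '#microsoft.graph.user') { continue }

        $user = Get-MgUser -UserId $member.Id -Property "displayName,userPrincipalName,accountEnabled,signInActivity"
        $lastSignIn = $user.SignInActivity.LastSignInDateTime

        [pscustomobject]@{
            Role       = $role.DisplayName
            User       = $user.UserPrincipalName
            Enabled    = $user.AccountEnabled
            LastSignIn = $lastSignIn
            Finding    = $(
                if (-not $user.AccountEnabled) { 'Disabled account still holds role' }
                elseif (-not $lastSignIn -or $lastSignIn -lt $staleAfter) { 'No sign-in in 90 days' }
                else { '' }
            )
        }
    }
}

# Global Administrator should be held by at least two accounts (one of them break-glass) and fewer than five.
$globalAdmins = @($report | Where-Object Role -eq 'Global Administrator')
if ($globalAdmins.Count -ge 5) {
    Write-Warning "$($globalAdmins.Count) Global Administrators; Microsoft recommends fewer than five."
}

$report | Sort-Object Role, User | Format-Table -AutoSize
# Keep the CSV as evidence for the quarterly review (useful for Cyber Essentials and ISO 27001 audits).
$report | Export-Csv -Path ".\privileged-role-review-$(Get-Date -Format yyyy-MM-dd).csv" -NoTypeInformation
```

Run it once a quarter, have the CFO or IT owner sign off each row marked with a finding, and remove the assignments that are no longer justified. Access to the finance application itself (Sage, Opera, the bank portal) still needs a separate review inside that application.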

Data Protection 

Finance teams handle bank details, payroll information, board papers, and customer financial data. Data Loss Prevention (DLP) stops this information from walking out the door. 

What DLP Protects 

DLP monitors how sensitive information moves through your business. Financial data, personal data subject to UK GDPR, confidential documents, and customer records all need protection. 

Generic templates don't work. Too restrictive, and staff find workarounds. Too permissive, and the data walks out anyway. 
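One way to avoid the "too restrictive / too permissive" trap described above is to scope the policy to external sharing only and run it in test mode before enforcing. The policy below is an added example, not code from the original article or from TSG. It assumes the ExchangeOnlineManagement module, Purview DLP (included in Business Premium) and the built-in sensitive information types "Credit Card Number" and "International Banking Account Number (IBAN)"; the policy and rule names and the policy-tip text are placeholders.

```powershell
# Added example (not from the original article): a DLP policy for finance data that is shared
# outside the organisation, started in test mode so users see policy tips but nothing is blocked.
# Assumes the ExchangeOnlineManagement module and Purview DLP. Names are placeholders.
Import-Module ExchangeOnlineManagement
Connect-IPPSSession   # Security & Compliance PowerShell, where the DLP cmdlets live

$policyName = "Finance data - external sharing"

# Cover every workload the data can leave through. TestWithNotifications logs matches and shows
# the policy tip without blocking, so the rule can be tuned before anyone is obstructed.
New-DlpCompliancePolicy -Name $policyName `
    -ExchangeLocation All -SharePointLocation All -OneDriveLocation All -TeamsLocation All `
    -Mode TestWithNotifications

# Built-in sensitive information types for card numbers and IBANs. AccessScope NotInOrganization
# means the rule fires only when content goes to someone outside the tenant, so day-to-day
# internal finance work is untouched.
New-DlpComplianceRule -Name "$policyName - block external" -Policy $policyName `
    -ContentContainsSensitiveInformation @(
        @{ Name = "Credit Card Number"; minCount = "1" },
        @{ Name = "International Banking Account Number (IBAN)"; minCount = "1" }
    ) `
    -AccessScope NotInOrganization `
    -BlockAccess $true -BlockAccessScope All `
    -NotifyUser Owner, LastModifier `
    -NotifyPolicyTipCustomText "This item contains payment card or bank account data and cannot be shared externally. Contact Finance if you need an exception."

# After a few weeks of reviewing matches in the Purview DLP activity explorer, enforce the policy:
# Set-DlpCompliancePolicy -Identity $policyName -Mode Enable
```

The test-mode period is where you discover the legitimate workflows (payroll files to the bureau, remittance advices to suppliers) that a generic template would have broken; those become documented exceptions or narrower rules rather than reasons for staff to route around the control.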

Sensitivity Labels 

Classification tells Microsoft 365 which data needs protection. Once applied, protection follows the document everywhere: email, SharePoint, OneDrive, Teams. 

Retention and Governance 

Retention policies enforce how long data is kept and when it is deleted, in line with legal and regulatory requirements. This supports compliance whilst reducing the risk of keeping data longer than necessary. 

Threat Protection 

The UK Government's Cyber Security Breaches Survey 2025 found phishing was by far the most common attack type, reported by 85% of businesses that identified a breach, and the one those businesses rated as most disruptive. 

Defender for Office 365: Microsoft Defender for Office 365 sits between your staff and inbound threats. Safe Links checks URLs at the time of click, not just at delivery, and blocks them before staff can follow them. Safe Attachments detonates suspicious files in a sandbox before delivery. Anti-spoofing and impersonation protection flag messages that pose as an executive or supplier requesting an urgent payment or gift-card purchase. 

Default settings leave gaps. Correct configuration needs business context: which senders and domains must never be blocked, which executives and finance staff need impersonation protection, and what level of protection different user groups need. 
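The impersonation protection described above, configured for a finance team through Exchange Online PowerShell. This is an added example, not code from the original article or from TSG. It assumes the ExchangeOnlineManagement module and Defender for Office 365 Plan 1 (included in Business Premium); the policy name, the protected people and the group address on the hypothetical `contoso.example` tenant are placeholders.

```powershell
# Added example (not from the original article): a Defender for Office 365 anti-phishing policy with
# user and domain impersonation protection, mailbox intelligence and spoof handling, scoped to the
# finance team by a rule. Assumes ExchangeOnlineManagement; names and addresses are placeholders.
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline

$policyName = "Finance - impersonation and spoof protection"

New-AntiPhishPolicy -Name $policyName `
    # The people most often impersonated in payment fraud: the CFO and the finance director.
    -EnableTargetedUserProtection $true `
    -TargetedUsersToProtect "Jane Bloggs;jane.bloggs@contoso.example", "Sam Patel;sam.patel@contoso.example" `
    -TargetedUserProtectionAction Quarantine `
    # Look-alike versions of your own domains (contoso-example.com, c0ntoso.example) are quarantined.
    -EnableOrganizationDomainsProtection $true `
    -TargetedDomainProtectionAction Quarantine `
    # Mailbox intelligence learns each user's normal contacts and flags impersonation of them.
    -EnableMailboxIntelligence $true `
    -EnableMailboxIntelligenceProtection $true `
    -MailboxIntelligenceProtectionAction MoveToJmf `
    # Spoof intelligence plus SPF/DKIM/DMARC failures: unauthenticated mail claiming your domain is quarantined.
    -EnableSpoofIntelligence $true `
    -AuthenticationFailAction Quarantine `
    # 1 = standard, 4 = most aggressive; 2 is a reasonable starting point for a finance team.
    -PhishThresholdLevel 2 `
    # Safety tips show users why a message looks suspicious instead of silently filtering it.
    -EnableFirstContactSafetyTips $true `
    -EnableSimilarUsersSafetyTips $true `
    -EnableSimilarDomainsSafetyTips $true `
    -EnableUnusualCharactersSafetyTips $true

# Apply the policy to the finance team rather than the whole tenant; other groups get their own policy.
New-AntiPhishRule -Name "$policyName - rule" -AntiPhishPolicy $policyName `
    -SentToMemberOf "finance-team@contoso.example"
```

Note that PowerShell does not allow comments between backtick-continued parameters in every host; if your session rejects the block, move the comments above the cmdlet. Suppliers who genuinely send from a look-alike domain, and any trusted domain that must never be quarantined, are handled as documented allow entries after the policy goes live, which is the "business context" the default policy cannot know.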

Security Monitoring: Alerts only protect you if someone acts on them. A blocked phishing campaign generates an alert; a suspicious sign-in triggers a notification; both sit in a queue until someone reviews and responds. Microsoft Sentinel, Microsoft's cloud SIEM, gives real-time visibility across that alert stream, but it is an Azure service billed separately from Microsoft 365 licences, and it still needs people (or a managed service) watching it. 

Compliance and Risk Management 

Security Frameworks 

ISO 27001 demonstrates systematic security management and is often required for enterprise contracts. Cyber Essentials is the UK government-backed baseline, mandatory for certain central government contracts and increasingly expected by enterprise customers and public-sector buyers alike. 

These certifications accelerate enterprise sales and affect cyber insurance. Insurers increasingly refuse claims where businesses haven't implemented reasonable security measures. 

Fitzallan, an independent financial advisor with no internal IT team, needed confidence that its security met FCA regulatory expectations. It upgraded to Microsoft 365 Business Premium and subscribed to Cyber Care. Ten years into its TSG partnership, it operates with IT specialism it does not have in-house. 

Microsoft Secure Score 

Secure Score measures your security configuration across identity, data, devices, apps, and infrastructure. Microsoft provides in-product benchmarking against similar organisations. 

Secure Score recommendations are prioritised by impact. Some improvements deliver significant benefit for minimal effort. Quarterly reviews catch configuration drift as settings change through staff requests and evolving operations. 

The Backup Gap 

Microsoft 365's native retention isn't a backup. You can still lose data permanently. 

Under Microsoft's Shared Responsibility Model, customers remain responsible for protecting their data, including backup configuration. 

Microsoft 365 includes short-term deleted-item recovery (recycle bins and deleted-item retention, a window of days to weeks depending on the workload). Retention policies preserve data for compliance. Neither is designed as a point-in-time backup from which you can restore a whole site or mailbox. If ransomware encrypts SharePoint sites or someone permanently deletes financial records, retention may keep copies for compliance searches, but it won't return the business to a known-good state quickly. 

When You Need Backup 

Microsoft offers Microsoft 365 Backup as a separate service. It enables fast restoration of SharePoint sites, OneDrive accounts, and Exchange mailboxes to a previous healthy state. 

Business continuity planning requires defined recovery point and recovery time objectives. How quickly must you restore financial systems? Native retention can't meet aggressive requirements. 

User Awareness 

Finance staff are high-value targets. Attackers know finance teams can authorise payments and access bank accounts. 

Simulated phishing exercises test whether staff recognise attacks. Send realistic-looking phishing emails, track who clicks the suspicious links and provide immediate training for those who fail. This creates muscle memory for recognising attacks. 

Security threats evolve monthly. Quarterly updates covering new threat patterns maintain awareness. Integration into onboarding means new staff understand security expectations from day one. 

Licensing and Optimisation 

Office 365 plans provide the productivity applications. Microsoft 365 plans include these plus device management (Intune) and advanced security. 

Business Basic and Business Standard include only baseline security. Microsoft 365 Business Premium adds Entra ID P1 (Conditional Access), Intune, Defender for Office 365 Plan 1, Defender for Business (the small-business edition of Defender for Endpoint), DLP, and Purview information protection. 

Regular reviews optimise spending. Licence usage monitoring identifies unused licences. Security feature adoption tracking reveals whether you're using the protection you're paying for. Cloud Care includes licensing reviews, ensuring you're paying for what you need. 

The Expertise Problem 

Configuring Microsoft 365 security properly requires specialist expertise that most internal IT teams don't have. Microsoft releases security updates monthly. Configuration spans seven interrelated areas. 24/7 monitoring exceeds most teams' capacity. 

PT Contractors, a building contractor, had no dedicated IT manager. Their design manager handled IT alongside other responsibilities. Hiring full-time IT expertise wasn't practical. Instead, they implemented Cyber Care, upgraded to Microsoft 365 Business Premium, and migrated to cloud infrastructure: specialist cyber security expertise through a manageable monthly subscription. 

Getting Started 

Start with a security assessment. Configuration review reveals what's protecting you versus what should be. Secure Score provides a baseline measurement. Policy gap analysis compares the current state against regulatory requirements. 

Phase Implementation 

Week one: Enforce MFA for all users, administrators first. On Business Premium this is done through a Conditional Access policy; security defaults are a stopgap for tenants without Entra ID P1 and cannot be combined with Conditional Access. This single change dramatically reduces credential-compromise risk. 

Months one to two: Deploy basic DLP policies and configure Defender for Office 365. 

Months three to four: Extend Conditional Access (device compliance, location and risk-based conditions), roll out sensitivity labels, and configure retention policies. 

Ongoing: Continuous monitoring, quarterly reviews, and regular security awareness training. 

Build vs Buy 

When DIY works: Small businesses with capable IT teams who have time to monitor and maintain security. 

When managed services make sense: Mid-market complexity, absence of dedicated security staff, need for 24/7 monitoring, and regulatory requirements demanding specialist expertise. 

Partner selection criteria matter. Technology vendor accreditations demonstrate capability. Security certifications like ISO 27001 prove partners practise what they recommend. 

Getting Protected 

Microsoft 365 includes sophisticated tools, but they don't protect automatically. Configuration, management, monitoring, and incident response require expertise and capacity. 

The cost of getting this wrong—breach response, regulatory fines, reputational damage, business disruption—far exceeds proper security investment. 

Start with a security assessment to understand your current state, identify gaps, and prioritise improvements. Contact TSG for a Microsoft 365 security assessment. 

Frequently Asked Questions 

What's the difference between Office 365 and Microsoft 365? 

Office 365 provides productivity applications: Word, Excel, Outlook, and Teams. Microsoft 365 includes these plus device management and advanced security. Microsoft 365 Business Premium adds Entra ID P1, Intune, Defender for Office 365 Plan 1, Defender for Business (the small-business edition of Defender for Endpoint), DLP, and information protection. Most UK businesses need Microsoft 365 Business Premium for proper security. 

Does Microsoft 365 Business include security features? 

It depends on which licence you have. Business Basic and Business Standard include basic security only. Microsoft 365 Business Premium includes advanced security: Defender for Office 365 Plan 1, Defender for Business, Conditional Access, DLP, and sensitivity labels. Check your licensing carefully. 

Is Microsoft 365 backup included? 

No. Microsoft 365 includes retention policies and 30-day deleted item recovery, not true backup. Ransomware can encrypt data within Microsoft 365. For business continuity and regulatory compliance, you need Microsoft 365 Backup (separate service) or third-party backup for SharePoint, OneDrive, Exchange, and Teams. 

What is Defender for Office 365? 

Defender for Office 365 protects against phishing, malware, malicious links, and compromised attachments. It's included in Microsoft 365 Business Premium and is essential for businesses handling financial or sensitive data. Basic protection isn't sufficient for today's threat landscape. 

How long does configuration take? 

Initial configuration takes 4-8 weeks for typical mid-market businesses: MFA enforcement, Conditional Access policies, DLP setup, Defender configuration, sensitivity labels, and retention policies. Ongoing management requires continuous monitoring and quarterly reviews. 

Can I configure security myself? 

Small businesses with capable IT staff and time to maintain security can self-configure with training. Mid-market businesses with hybrid environments, regulatory requirements, or limited IT capacity typically benefit from specialist help. Consider: Do you have dedicated security expertise? Can you monitor alerts 24/7? Can you keep current with monthly security updates? 

