After auditing Microsoft 365 environments for dozens of Singapore businesses, we’ve noticed the same security mistakes showing up again and again. These aren’t obscure edge cases — they’re basic configuration gaps that Microsoft leaves turned off by default, and that most businesses never think to enable.
Here are the five most common Microsoft 365 security mistakes we find in Singapore SME environments — and what to do about each one.
Mistake 1: MFA Is Not Enforced for Everyone
Multi-factor authentication is the single most effective security control you can implement. Microsoft’s own data shows that MFA blocks 99.9% of automated attacks. Yet we regularly find organisations where MFA is only enabled for admins — or worse, not enabled at all.
The excuse is usually convenience: “Our team finds it annoying.” But the alternative — a compromised account that leads to a business email compromise (BEC) attack — is far more inconvenient. BEC attacks cost Singapore businesses millions annually.
Fix: Enable MFA for all users using Microsoft Authenticator. Set up Conditional Access to require MFA for all sign-ins outside your office network. Use number matching to prevent MFA fatigue attacks.
Mistake 2: No Microsoft 365 Backup
This is the most dangerous misconception in cloud computing: “Microsoft backs up my data.”
They don’t. Microsoft 365’s native retention protects against their own infrastructure failures — not against accidental deletion, ransomware, or malicious insiders. If an employee permanently deletes a year’s worth of emails, or ransomware encrypts your SharePoint, Microsoft’s recycle bin won’t save you after the retention window closes.
Fix: Deploy a third-party backup solution like Acronis Cyber Protect that covers Exchange Online, OneDrive, SharePoint, and Teams. Set up daily backups with 12-month retention. Test restores quarterly.
Mistake 3: SharePoint Permissions Are a Mess
Over time, SharePoint permissions accumulate like technical debt. Sites created years ago with “Everyone” access still exist. Shared links from old projects are still active. Former employees’ access was never revoked because it was granted via nested groups nobody tracks.
This isn’t just a security problem — it’s a Copilot problem. When you deploy Microsoft Copilot, it can access everything your users can access. If permissions are a mess, Copilot will surface confidential documents to the wrong people.
Fix: Run a SharePoint permissions audit. Remove “Everyone except external users” from all sites. Review and revoke external sharing links. Implement sensitivity labels for confidential documents. Schedule quarterly permission reviews.
Mistake 4: No Conditional Access Policies
MFA is step one. Conditional Access is step two — and most SMEs skip it entirely. Conditional Access lets you define rules like:
- Block sign-ins from countries where you have no employees
- Require compliant devices for accessing sensitive data
- Force re-authentication for risky sign-ins (impossible travel, new locations)
- Block legacy authentication protocols that bypass MFA
Without Conditional Access, a compromised password plus a phished MFA token gives an attacker full access from any device, anywhere in the world.
Fix: Start with three baseline Conditional Access policies: block legacy authentication, require MFA for all users, and block sign-ins from high-risk countries. These can be configured in under an hour and dramatically reduce your attack surface.
Mistake 5: Audit Logging Is Disabled
When a security incident happens — and eventually, it will — the first question is: “What did the attacker access?” If audit logging isn’t enabled in your Microsoft 365 tenant, the answer is: “We have no idea.”
Microsoft 365 audit logging is available on all business plans, but it’s not always enabled by default. And even when enabled, the default retention is only 180 days on standard plans.
Fix: Enable unified audit logging in the Microsoft Purview compliance portal. Extend log retention to at least 12 months. Set up alerts for suspicious activities: mass file downloads, mailbox forwarding rules, admin role changes, and unusual sign-in patterns.
How Secure Is Your Microsoft 365?
If you recognised your business in any of these mistakes, you’re not alone — most Singapore SMEs have at least three of these five gaps. The good news: all of them are fixable, most within a few hours of configuration work.
Sakal Network provides Microsoft 365 security assessments for Singapore businesses. We check your Secure Score, audit your configurations, and deliver a prioritised action plan.