
The Small-Office Security Scorecard: Rate Your Own Setup in 5 Minutes

Answer six yes/no questions about your Microsoft 365 setup and walk away knowing your security score and what to fix first. The checklist covers MFA, backups, email filtering, device updates, offboarding, and admin accounts — the six areas where small offices are most often exposed.

Elevate Solutions
June 26, 2026 · 4 min read

Your office runs on Microsoft 365 Business Premium. You have somewhere between one and twenty employees. You have probably not had a security incident — yet. The question is whether your current setup would hold up if you did.

This checklist has six items. Score one point for each honest yes. It takes about five minutes.

Summary: A six-point yes/no check across MFA, backups, email filtering, device updates, offboarding procedures, and admin-account separation gives most small offices a reliable read on their security posture. Scoring four or fewer points indicates gaps that enable the most common attacks — account takeover, ransomware, and unauthorized access by former employees. Enabling MFA and establishing an external backup close more risk per hour of effort than any other combination of controls on this list.

The scorecard

Give yourself one point for each honest yes.

1. MFA is required for every account — no exceptions

Open the Entra ID admin center (the renamed Azure Active Directory) and check whether Security defaults are on, or whether Conditional Access policies require MFA for all users. Every account — yours, your staff's, any outside bookkeeper or attorney with access to your tenant — should require a second factor (an authenticator-app prompt or one-time code) in addition to the password before sign-in completes. If that is true without exception, score 1.

Why it matters: A stolen or guessed password cannot access an MFA-protected account on its own. This is the single highest-return control on this list.

2. You have a backup that lives outside Microsoft 365

Microsoft 365 includes retention policies and version history, but these are not the same as a restorable point-in-time backup. If an attacker encrypts your OneDrive files, those encrypted versions can sync back to the cloud before you notice, overwriting clean copies. If a third-party service takes daily snapshots of your email, SharePoint, and OneDrive to a separate storage location, score 1.

Why it matters: Without an external backup, ransomware or an accidental mass-delete can be permanent.

3. Email filtering is active — not just licensed

Business Premium includes Microsoft Defender for Office 365 Plan 1, which provides Safe Links and Safe Attachments. Licensing these features does not automatically activate them. Open the Microsoft Defender portal, go to Email & collaboration > Policies & rules, and confirm that Safe Links and Safe Attachments policies are enabled and applied to your users. If yes, score 1.

Why it matters: Phishing links and malicious attachments are among the most common ways attackers get an initial foothold. These controls intercept both before they reach a user's inbox.

4. Every work device has current updates

Check Windows Update on each machine, or review device compliance reports in Microsoft Intune if you have enrolled your devices. If every computer used to access company email or files — including employee-owned laptops — has been updated within the last 30 days, score 1.

Why it matters: Most widely exploited vulnerabilities have available patches at the time of the attack. Unpatched machines are the lowest-effort entry point for opportunistic attackers.

5. You have an offboarding checklist and you use it

When an employee leaves, the steps should include: disabling the Microsoft 365 account, revoking active sessions, converting or exporting the mailbox, and reassigning OneDrive files. If you completed all of those steps for the last person who left — and you have them written down for the next time — score 1.

Why it matters: An active account belonging to a former employee is an open door with a name on it. It stays open until someone closes it.
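The four offboarding steps above, written as one script. This is an added example, not tooling from Elevate Solutions or the original checklist. It assumes the Microsoft.Graph, ExchangeOnlineManagement and Microsoft.Online.SharePoint.PowerShell modules are installed, that the account running it holds the needed admin roles, and that the tenant name, user names and Graph scopes are placeholders to adjust for your own tenant.

```powershell
# Added example (not Elevate Solutions' script): offboard one user in the order the checklist gives.
# Assumed placeholders: $LeaverUpn, $ManagerUpn, $TenantName and the Graph scopes below.
param(
    [Parameter(Mandatory)] [string] $LeaverUpn,    # e.g. 'jdoe@contoso.example' (placeholder)
    [Parameter(Mandatory)] [string] $ManagerUpn,   # person who inherits mail access and OneDrive files
    [Parameter(Mandatory)] [string] $TenantName    # 'contoso' for https://contoso-admin.sharepoint.com
)

Connect-MgGraph -Scopes 'User.ReadWrite.All','Directory.AccessAsUser.All','Files.Read.All' -NoWelcome
Connect-ExchangeOnline -ShowBanner:$false
Connect-SPOService -Url "https://$TenantName-admin.sharepoint.com"

# 1. Disable the account so no new sign-in succeeds, whether or not the password is known.
Update-MgUser -UserId $LeaverUpn -AccountEnabled:$false

# 2. Revoke refresh tokens so sessions already open on phones and laptops stop renewing.
#    Access tokens already issued can live up to an hour, which is why step 1 comes first.
Revoke-MgUserSignInSession -UserId $LeaverUpn | Out-Null

# 3. Convert the mailbox to a shared mailbox and give the manager full access. Mail is kept,
#    and a shared mailbox under 50 GB with no archive or hold no longer needs a license.
Set-Mailbox -Identity $LeaverUpn -Type Shared
Add-MailboxPermission -Identity $LeaverUpn -User $ManagerUpn -AccessRights FullAccess -AutoMapping $true | Out-Null

# 4. Make the manager a site collection admin on the leaver's OneDrive so files can be moved out
#    before the site is cleaned up. The site URL is the default drive's web URL minus the library path.
$drive   = Get-MgUserDefaultDrive -UserId $LeaverUpn
$siteUrl = $drive.WebUrl -replace '/Documents$', ''
Set-SPOUser -Site $siteUrl -LoginName $ManagerUpn -IsSiteCollectionAdmin $true | Out-Null

"Offboarded $LeaverUpn: account disabled, sessions revoked, mailbox shared with $ManagerUpn, OneDrive $siteUrl delegated to $ManagerUpn."
```

Run it once per leaver and keep the transcript with the written checklist; it is the evidence that the steps actually happened.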

6. Your admin account is separate from your daily account

The Microsoft 365 account you use for email and documents should not carry Global Administrator permissions. If you manage your tenant from a dedicated admin account used only for configuration — while your everyday account is a standard user — score 1.

Why it matters: A phishing email that compromises a Global Administrator account gives an attacker full control of your tenant. A standard-user account limits what that same attack can do.
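Checks 1, 3 and 6 can be read straight from the tenant instead of clicked through in three portals. The script below is an added example, not Elevate Solutions' tooling; it assumes the Microsoft.Graph and ExchangeOnlineManagement modules are installed and that the signed-in account can read policies, roles, registration reports and Exchange configuration (Global Reader plus an Exchange read-only role is enough). Checks 2, 4 and 5 depend on an outside backup service, device state and process, so they are still scored by hand.

```powershell
# Added example (not Elevate Solutions' script): scores checks 1, 3 and 6 from the tenant itself.
# Assumed: Microsoft.Graph and ExchangeOnlineManagement modules, and the scopes listed below.
$scopes = 'Policy.Read.All','AuditLog.Read.All','UserAuthenticationMethod.Read.All','RoleManagement.Read.Directory','User.Read.All'
Connect-MgGraph -Scopes $scopes -NoWelcome
Connect-ExchangeOnline -ShowBanner:$false
$score = 0

# Check 1: Security defaults, or an enabled Conditional Access policy that requires MFA for All users.
# A tenant cannot have both: Security defaults must be off before Conditional Access is used.
$defaults = Get-MgPolicyIdentitySecurityDefaultEnforcementPolicy
$caMfa = Get-MgIdentityConditionalAccessPolicy | Where-Object {
    $_.State -eq 'enabled' -and
    $_.Conditions.Users.IncludeUsers -contains 'All' -and
    $_.GrantControls.BuiltInControls -contains 'mfa'
}
# Policy is only half of it: every user (guests included) must also have registered a method.
$noMethod = Get-MgReportAuthenticationMethodUserRegistrationDetail -All |
    Where-Object { -not $_.IsMfaRegistered }
if (($defaults.IsEnabled -or $caMfa) -and -not $noMethod) { $score++ }
else { "Check 1 FAIL. Enforced: $([bool]($defaults.IsEnabled -or $caMfa)); unregistered: $($noMethod.UserPrincipalName -join ', ')" }

# Check 3: Safe Links and Safe Attachments are applied only through an enabled rule. Custom policies
# show up as SafeLinks/SafeAttachment rules; the Standard/Strict presets show up as ATP protection
# policy rules. Either route counts here; rule scope (which users it covers) is not verified.
$presetOn = Get-ATPProtectionPolicyRule | Where-Object State -eq 'Enabled'
$linksOn  = Get-SafeLinksRule           | Where-Object State -eq 'Enabled'
$attachOn = Get-SafeAttachmentRule      | Where-Object State -eq 'Enabled'
if ($presetOn -or ($linksOn -and $attachOn)) { $score++ }
else { 'Check 3 FAIL: no enabled Safe Links/Safe Attachments rule or preset policy' }

# Check 6: Global Administrators should be dedicated accounts. In a small office a Global Admin
# that owns a mailbox is almost always somebody's everyday account.
$gaRole = Get-MgDirectoryRole -Filter "roleTemplateId eq '62e90394-69f5-4237-9190-012177145e10'"
$admins = Get-MgDirectoryRoleMember -DirectoryRoleId $gaRole.Id -All |
    Where-Object { $_.AdditionalProperties.'@odata.type' -eq '#microsoft.graph.user' } |
    ForEach-Object { $_.AdditionalProperties.userPrincipalName }
$withMailbox = $admins | Where-Object { Get-EXOMailbox -Identity $_ -ErrorAction SilentlyContinue }
if ($admins -and -not $withMailbox) { $score++ }
else { "Check 6 FAIL. Global Admins with a mailbox: $($withMailbox -join ', ')" }

"Tenant-side score: $score of 3. Add your answers for checks 2, 4 and 5 for the full 0-6 result."
```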

What your score means

  • 5–6 points: Your baseline is in reasonable shape. Review this list annually and any time you hire, terminate a staff member, or change IT vendors.
  • 3–4 points: You have real gaps. Work through the list in order, starting with MFA and backups.
  • 0–2 points: Your office has significant exposure right now. MFA is the first action and the fastest.

Where to start

If MFA is off, enable Security defaults in Entra ID today. It is a single toggle in the admin center. Users will be prompted to register an authentication method at their next sign-in, and no additional licensing is required — it is already included in Business Premium.

If MFA is on but you have no external backup, that is the second task. A dedicated Microsoft 365 backup service runs at a modest per-user monthly cost. It is one of the lowest-cost risk reductions available to a small office.

Checks 3 through 6 involve policy configuration and process. They take more time than enabling a toggle, but no additional licensing. If you are not comfortable in the Microsoft Defender portal or Intune, a dedicated team that knows your environment can verify and complete all six checks in a single working session.

Rerun this checklist in 90 days, and any time your staff or IT setup changes.

Elevate Solutions' security and IT advisory team delivers managed cybersecurity (MDR/MXDR), managed IT, and compliance guidance (HIPAA, SOC 2, PCI DSS) for regulated mid-market firms across Los Angeles.

Reviewed by David Faramarzi · Founder, Elevate Solutions