Over 80% of Swiss SMEs use Microsoft 365. The default configuration is not secure enough. This checklist covers the 10 most important security settings you can implement straight away.
Your company uses Microsoft 365. Email, files, Teams, SharePoint, everything runs through the Microsoft cloud. Your IT partner set it up, and it has been running ever since. But have you ever reviewed the security settings? The default M365 configuration prioritises usability, not security. According to the SME Cyber Study 2025, only 42% of Swiss SMEs feel adequately protected, and a large share of successful phishing attacks exploit exactly these default gaps.
Securing Identity and Access
The first three settings address the most critical attack vector: stolen credentials. First, enable multi-factor authentication (MFA) for all users, no exceptions. Use the Microsoft Authenticator app or FIDO2 keys, not SMS. Second, set up Conditional Access policies: access only from managed devices, only from Switzerland, only with current security updates. Third, disable legacy authentication protocols (IMAP, POP3, SMTP Auth). These bypass MFA entirely and are the most common entry point.
Configuring Email Security
Email remains the number one attack vector. Fourth, enable Safe Attachments and Safe Links in Microsoft Defender for Office 365, so attachments are checked in a sandbox and links are verified on click. Fifth, configure SPF, DKIM and DMARC for all your domains to prevent attackers from sending emails in your name. Sixth, enable anti-phishing policies with impersonation protection for your executive team. CEO fraud reports in Switzerland rose by 48% in 2024.
Protecting Data and Devices
Seventh, set up Data Loss Prevention (DLP) rules so that sensitive data (AHV numbers, i.e. Swiss social security numbers, credit card numbers, health data) cannot accidentally leave the organisation via email or Teams. Eighth, enable BitLocker encryption via Intune for all company devices, so a lost laptop does not become a data protection incident. Ninth, configure an automatic session timeout (idle timeout of 15 minutes) for web sessions, so open browser tabs do not pose a risk.
Monitoring and Accountability
Tenth, enable the Unified Audit Log and set up alert policies for suspicious activity: impossible travel (login from Zurich and Lagos within one hour), mass downloads from SharePoint, creation of inbox forwarding rules. These logs are also required for nDSG (Swiss Data Protection Act) compliance, because without an audit trail you can neither detect nor correctly report a data incident.
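As an added illustration of the impossible-travel alert described above (this is example code, not from the original article or any Microsoft product), the following script flags consecutive sign-ins by the same user that would require travelling faster than an airliner. The sign-in events, user names, city coordinates and the 900 km/h threshold are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

EARTH_RADIUS_KM = 6371.0
MAX_PLAUSIBLE_KMH = 900.0   # about airliner cruise speed; faster than this is "impossible travel"
MIN_DISTANCE_KM = 50.0      # ignore GeoIP jitter inside one metro area

@dataclass(frozen=True)
class SignIn:
    user: str
    when: datetime
    city: str
    lat: float
    lon: float

def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points in kilometres."""
    p1, p2 = radians(lat1), radians(lat2)
    dp, dl = radians(lat2 - lat1), radians(lon2 - lon1)
    a = sin(dp / 2) ** 2 + cos(p1) * cos(p2) * sin(dl / 2) ** 2
    return 2 * EARTH_RADIUS_KM * asin(sqrt(a))

def find_impossible_travel(events, max_kmh=MAX_PLAUSIBLE_KMH):
    """Return (user, from_city, to_city, speed_kmh) for each hop between consecutive sign-ins faster than max_kmh."""
    by_user = {}
    for e in sorted(events, key=lambda e: (e.user, e.when)):
        by_user.setdefault(e.user, []).append(e)
    alerts = []
    for user, seq in by_user.items():
        for prev, cur in zip(seq, seq[1:]):
            dist = haversine_km(prev.lat, prev.lon, cur.lat, cur.lon)
            if dist < MIN_DISTANCE_KM:
                continue
            hours = (cur.when - prev.when).total_seconds() / 3600
            speed = dist / hours if hours > 0 else float("inf")  # same-second hops are always impossible
            if speed > max_kmh:
                alerts.append((user, prev.city, cur.city, round(speed)))
    return alerts

# Constructed sample sign-ins (not real tenant data); coordinates are approximate city centres.
SAMPLE = [
    SignIn("anna@example.ch", datetime(2025, 3, 3, 8, 0), "Zurich", 47.3769, 8.5417),
    SignIn("anna@example.ch", datetime(2025, 3, 3, 8, 45), "Lagos", 6.5244, 3.3792),
    SignIn("beat@example.ch", datetime(2025, 3, 3, 9, 0), "Zurich", 47.3769, 8.5417),
    SignIn("beat@example.ch", datetime(2025, 3, 3, 9, 30), "Bern", 46.9480, 7.4474),
    SignIn("chris@example.ch", datetime(2025, 3, 3, 7, 0), "Zurich", 47.3769, 8.5417),
    SignIn("chris@example.ch", datetime(2025, 3, 3, 10, 0), "London", 51.5074, -0.1278),
]

if __name__ == "__main__":
    for user, src, dst, kmh in find_impossible_travel(SAMPLE):
        print(f"ALERT impossible travel: {user} {src} -> {dst} (~{kmh} km/h)")
```

Only the Zurich-to-Lagos hop within 45 minutes is reported; Zurich-to-Bern in half an hour and Zurich-to-London in three hours are plausible and stay quiet.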
Next Steps
These ten settings cover the most critical gaps and can be implemented in a single working day. For a complete M365 security assessment, we also recommend using Microsoft Secure Score as a benchmark (target: above 80%), conducting regular access reviews for guest users and external shares, and reviewing the configuration annually. MilesGuard conducts M365 security assessments for SMEs: we review your current configuration against best practices, create a prioritised action plan and support the implementation.
Sources
- [1] Microsoft Security Documentation (learn.microsoft.com)
- [2] SME Cyber Study 2025 FHNW/digitalswitzerland
- [3] BACS Semi-Annual Report 2025/2