Top 10 ways to secure your business - Best practices to follow

Applies to

  • Microsoft 365 Business Basic
  • Microsoft 365 Business Standard
  • Microsoft 365 Business Premium

Note

This article is designed for small and medium-sized businesses with up to 300 users. If you're an enterprise organization, see Deploy ransomware protection for your Microsoft 365 tenant.

Microsoft 365 for business plans include security capabilities, such as antiphishing, antispam, and antimalware protection. Microsoft 365 Business Premium includes even more capabilities, such as device security, advanced threat protection, and information protection. This article describes how to secure your business, and compares capabilities across Microsoft 365 for business plans.

Diagram listing top 10 ways to secure business data.

1. Use multi-factor authentication.
   Multi-factor authentication (MFA), also known as two-step verification, requires people to use a code or authentication app on their phone to sign in to Microsoft 365, and is a critical first step to protecting your business data. Using MFA can prevent hackers from taking over an account even if they know your password.

   See security defaults and MFA.

2. Protect your administrator accounts.
   Administrator accounts (also called admins) have elevated privileges, making these accounts more susceptible to cyberattacks. You'll need to set up and manage the right number of admin and user accounts for your business. We also recommend adhering to the information security principle of least privilege, which means that users and applications should be granted access only to the data and operations they require to perform their jobs.

   See Protect your administrator accounts.

3. Use preset security policies.
   Your subscription includes preset security policies that use recommended settings for anti-spam, anti-malware, and anti-phishing protection.

   See Protect against malware and other cyberthreats.

4. Protect all devices.
   Every device is a possible attack avenue into your network and must be configured properly, even those devices that are personally owned but used for work.

   See the following articles:
   - Help users set up MFA on their devices
   - Protect unmanaged Windows and Mac computers
   - Set up managed devices (requires Microsoft 365 Business Premium or Microsoft Defender for Business)

5. Train everyone on email best practices.
   Email can contain malicious attacks cloaked as harmless communications. Email systems are especially vulnerable, because email is handled by everyone in the organization, and safety relies on humans making consistently good decisions with those communications. Train everyone to know what to watch for: spam or junk mail, phishing attempts, spoofing, and malware in their email.

   See Protect yourself against phishing and other attacks.

6. Use Microsoft Teams for collaboration and sharing.
   The best way to collaborate and share securely is to use Microsoft Teams. With Microsoft Teams, all your files and communications are in a protected environment and aren't being stored in unsafe ways outside of it.

   See the following articles:
   - Use Microsoft Teams for collaboration
   - Set up meetings with Microsoft Teams
   - Share files and videos in a safe environment

7. Set sharing settings for SharePoint and OneDrive files and folders.
   Your default sharing levels for SharePoint and OneDrive might be set to a more permissive level than you should use. We recommend reviewing and, if necessary, changing the default settings to better protect your business. Grant people only the access they need to do their jobs.

   See Set sharing settings for SharePoint and OneDrive files and folders.

8. Use Microsoft 365 Apps on devices.
   Outlook and Microsoft 365 Apps (also referred to as Office apps) enable people to work productively and more securely across devices. Whether you're using the web or desktop version of an app, you can start a document on one device, and pick it up later on another device. Instead of sending files as email attachments, you can share links to documents that are stored in SharePoint or OneDrive.

   See the following articles:
   - Install Office apps on all devices
   - Train your users on Office and Microsoft 365

9. Manage calendar sharing for your business.
   You can help people in your organization share their calendars appropriately for better collaboration. You can manage what level of detail they can share, such as by limiting the details that are shared to free/busy times only.

   See Manage calendar sharing.

10. Maintain your environment.
    After your initial setup and configuration of Microsoft 365 for business is complete, your organization needs a maintenance and operations plan. As employees come and go, you'll need to add or remove users, reset passwords, and maybe even reset devices to factory settings. You'll also want to make sure people have only the access they need to do their jobs.

    See Maintain your environment.

Comparing Microsoft 365 for business plans

Microsoft 365 for business plans include Microsoft Exchange, Microsoft Teams, SharePoint, and OneDrive for secure email, collaboration, and file storage. These plans also include baseline antiphishing, antimalware, and antispam protection. With Microsoft 365 Business Premium, you get more capabilities, such as device management, advanced threat protection, and information protection.

The following table compares capabilities in Microsoft 365 for business plans.

| Capability | Microsoft 365 Business Basic | Microsoft 365 Business Standard | Microsoft 365 Business Premium |
|---|---|---|---|
| Outlook and Web/mobile versions of Office apps (Word, Excel, and PowerPoint) | Included. | Included. | Included. |
| Desktop versions of Office apps (Word, Excel, PowerPoint, Publisher, and Access). See note [1] | | Included. | Included. |
| Secure communication, collaboration, and file storage (Microsoft Teams, Exchange, OneDrive, and SharePoint) | Included. | Included. | Included. |
| Antispam, antiphishing, and antimalware protection for email (Exchange Online Protection) | Included. | Included. | Included. |
| Mobile device management and mobile app management (Microsoft Intune) | See note [2] | See note [2] | Included. |
| Advanced device security with next-generation protection, firewall, attack surface reduction, automated investigation and response, and more (Defender for Business) | See note [3] | See note [3] | Included. |
| Advanced protection for email and documents with advanced anti-phishing, Safe Links, Safe Attachments, and real-time detections (Microsoft Defender for Office 365 Plan 1) | See note [4] | See note [4] | Included. |
| Information protection capabilities to discover, classify, protect, and govern sensitive information (Azure Information Protection) | | | Included. |

(1) Microsoft Publisher and Microsoft Access run on Windows laptops and desktops only.

(2) Microsoft Intune is included with certain Microsoft 365 plans, such as Microsoft 365 Business Premium. Basic Mobility and Security capabilities are included in Microsoft 365 Business Basic and Standard. Choose between Basic Mobility and Security or Intune.

(3) Defender for Business is included in Microsoft 365 Business Premium. Defender for Business can also be added on to Microsoft 365 Business Basic or Standard. See Get Defender for Business.

(4) Defender for Office 365 Plan 1 is included in Microsoft 365 Business Premium. Defender for Office 365 Plan 1 can also be added on to Microsoft 365 Business Basic or Standard. See Defender for Office 365 Plan 1 and Plan 2.

Tip

For more information about what each plan includes, see Reimagine productivity with Microsoft 365 and Microsoft Teams.
