Securing Microsoft 365 or Google Workspace for SMEs: The Key Switches to Turn On.

A Letterkenny accountancy firm was paying for Microsoft 365 Business Premium — a licence that includes Conditional Access, Advanced Threat Protection, Microsoft Intune device management, and Defender for Business. None of these features had been enabled. Their IT provider had set up the basic email and SharePoint configuration and moved on.

They were paying for a comprehensive security platform and using it as an email service.

This pattern is extremely common in Irish SMEs. The licences that most businesses hold — particularly Microsoft 365 Business Premium and Google Workspace Business Standard and above — include security features that would materially improve their security posture if enabled. Most are not enabled by default. Most require deliberate configuration. Most have never been touched.

Microsoft 365: The Key Security Features

Security Defaults or Conditional Access. Security Defaults is Microsoft's preconfigured baseline — a set of basic policies that enforce MFA for all users and administrators, block legacy authentication protocols that bypass MFA, and require MFA for privileged actions. Enabling Security Defaults takes one toggle in the Azure Active Directory admin centre. It is the fastest, most impactful action available to an Irish SME that has no existing Conditional Access policies.

For businesses ready to go further, Conditional Access policies provide more granular control: requiring MFA based on location, device compliance, or user risk level; blocking logins from countries the business does not operate in; and restricting access from unmanaged devices. These require more configuration but provide significantly better security than Security Defaults alone.

Microsoft Defender for Business. Included in Microsoft 365 Business Premium, Defender for Business provides enterprise-grade endpoint detection and response for up to 300 devices. It includes behavioural monitoring, automatic threat investigation, and centralised security management across all enrolled devices. Compared to standard antivirus, it provides significantly better detection of modern attack techniques including fileless malware, lateral movement, and persistence mechanisms. Enabling it requires enrolling devices through the Microsoft Defender portal — a half-day project for most SMEs.

Microsoft Defender for Office 365. This protects email and collaboration tools against phishing, malicious attachments, and malicious links. Safe Links rewrites URLs in emails to check them against Microsoft's threat intelligence before the user clicks. Safe Attachments opens email attachments in a sandboxed environment before delivering them. Anti-phishing policies apply machine learning to identify impersonation attempts. Included in Business Premium and above — requires enabling in the Microsoft 365 Defender portal.

Does your IT provider manage your Microsoft 365 security features, or just your email and file storage? For many Irish SMEs, the answer is the latter — leaving significant included security capability unused. Book a free 20-minute strategy call — Microsoft 365 security configuration review is one of the most consistently high-value assessments we run.

Microsoft Purview Audit. Enables detailed activity logging across your Microsoft 365 environment — who accessed which files, who changed which permissions, who logged in from where. Essential for incident investigation and for demonstrating compliance with GDPR and NIS2. Enable Audit Log Search in the Microsoft Purview compliance portal and configure the retention period to at least 90 days.

Exchange Online Protection tuning. The default anti-spam and anti-malware configuration in Microsoft 365 is reasonable but not optimal. Review the default spam filter policies, enable the strict preset security policy for your highest-risk users, and configure the quarantine notification settings so that quarantined messages are reviewed rather than silently dropped.

Google Workspace: The Key Security Features

2-Step Verification enforcement. Google Workspace allows administrators to require two-factor authentication for all users in the domain. In the Admin Console under Security > 2-Step Verification, set enforcement to On for all users. This is the Google equivalent of Microsoft's Security Defaults and should be the first action for any Irish SME on Google Workspace.

Advanced Protection Programme for high-risk users. For users who are most targeted — executives, finance staff, administrators — Google's Advanced Protection Programme provides the strongest available account security, requiring a hardware security key for login. Enrol your highest-risk users specifically.

Data Loss Prevention. Google Workspace includes DLP rules that can detect and block sensitive data — financial information, personal data, national insurance numbers — from being shared externally via Drive, Gmail, or Chat. Configure DLP policies that match your most sensitive data categories and set them to alert or block as appropriate.

Context-Aware Access. The Google equivalent of Microsoft's Conditional Access — allows you to restrict access to Workspace based on device health, network location, and user identity. Available in Business Plus and Enterprise tiers.

Admin activity logs. Google Workspace logs all administrative actions in the Admin Console. Enable email alerts for specific high-risk administrative actions — user account creation, administrator role assignment, and external sharing policy changes.

The Implementation Priority

For both Microsoft 365 and Google Workspace, the implementation priority is consistent. First, enforce MFA for all users — this provides the most significant risk reduction for the least implementation effort. Second, enable the included threat protection features (Defender for Business / Workspace DLP). Third, implement Conditional Access or Context-Aware Access for more granular control. Fourth, enable comprehensive audit logging and configure alerting for high-risk administrative actions.

Most Irish SMEs can implement the first two priorities in a single half-day with a competent IT provider. The investment is primarily in IT provider time — the features themselves are included in the licence already being paid for.

Why This Matters Right Now

Irish SMEs are paying for security features that are not enabled. The NCSC Ireland's guidance on cloud platform security consistently notes that the failure to enable included security features is one of the most common and most easily addressed vulnerabilities in Irish SME environments [^1].

The features described above are included in licences that most Irish SMEs are already paying for. Enabling them is not an additional cost. It is a configuration decision that has not been made — and making it can substantially improve the security of the business in a single afternoon.

What Next

1. Ask your IT provider which Microsoft 365 or Google Workspace security features are currently enabled in your tenant. Request a written list. Compare it against the features above.

2. Enable Security Defaults or MFA enforcement immediately if neither is currently active. This is the single highest-impact action and takes under an hour.

3. Schedule a half-day with your IT provider to enable the remaining included security features. Prioritise Defender for Business or equivalent, Safe Links and Safe Attachments, and audit logging.

Ready to find out exactly where your business stands? Book a free 20-minute strategy call with our vCISO team at www.pragmaticsecurity.ie/book-a-call. No sales pitch. No jargon. Just clarity on your cyber risk — and a clear plan to address it.

Related Reading

• The One Microsoft 365 Setting That Stops 90% of Credential Attacks
• Microsoft 365 Session Hijacking: The MFA Bypass Irish SMEs Must Know About
• The Minimum Security Baseline Every Irish Small Business Should Have in 2026

[^1]: NCSC Ireland — Cloud Security Guidance [^2]: Data Protection Commission Ireland [^3]: An Garda Síochána — National Cyber Crime Bureau

Pragmatic Security — Cybersecurity advisory for Irish businesses. Based in Donegal, Ireland. CISA, CISSP, CISM certified advisors.