Author: kenkvs

  • 5 Microsoft 365 Mistakes Small Businesses Make (And How to Fix Them)

    Microsoft 365 is brilliant — when it’s set up properly. The problem is, most small businesses either set it up themselves in a hurry, or inherited a setup that nobody’s properly looked at since.

    The result is a system that mostly works, but has a few gaps that could cause real problems down the line.

    Here are the five mistakes we see most often — and what to do about them.

    1. MFA isn’t switched on for everyone

    Multi-factor authentication (MFA) is the single most effective thing you can do to protect your Microsoft 365 accounts. It means that even if someone gets hold of a password, they still can’t get in without a second verification — usually a code on your phone.

    Microsoft themselves say that MFA blocks over 99% of account compromise attacks.

    And yet, in a surprising number of the setups we look at, MFA either isn’t switched on at all, or it’s only switched on for some users — often because it was “too complicated” for a few people when it was first rolled out.

    The fix: Switch on MFA for every account, no exceptions. In the Microsoft 365 admin centre, go to Users → Active users → Multi-factor authentication. If you’re not sure how, this is something we can sort out quickly — it takes less than an hour for most small businesses.

    2. Old accounts are still active

    When someone leaves a business, their Microsoft 365 account should be disabled (or at minimum, have their password changed and MFA reset) immediately. In reality, this often gets forgotten — especially in small teams where there’s no dedicated IT person to handle offboarding.

    An active account belonging to an ex-employee is an open door. If they still know their password, they can still access your emails, files and systems. If their credentials have been compromised elsewhere, attackers can use them to get into your business.

    We regularly find accounts for people who left months or even years ago, still sitting there active.

    The fix: Go to Users → Active users in the Microsoft 365 admin centre and check every account. Anyone who’s no longer with you should be blocked immediately. Their emails and files can be preserved without the account staying active.

    3. You think Microsoft is backing up your data — it isn’t

    This is probably the most common and most costly misconception we come across.

    Microsoft 365 keeps your emails and files available and synced across devices, but that’s not the same as a backup. If a file gets accidentally deleted, overwritten, or encrypted by ransomware, Microsoft’s standard retention policies may not save you — especially if you don’t notice for a while.

    Microsoft’s own service agreement is clear: they recommend that customers use third-party backup solutions to protect their data. Most small businesses either don’t know this or assume it’s covered.

    The fix: Add a proper backup solution for your Microsoft 365 data — email, SharePoint, OneDrive and Teams. There are good, cost-effective options designed specifically for Microsoft 365. If you’re not sure what you have in place, that’s worth checking as a priority.

    4. You’re on the wrong licence

    Microsoft 365 comes in a range of plans — Business Basic, Business Standard, Business Premium, and various others. Each one has different features, particularly around security.

    The issue we see most often is businesses on a cheaper plan that’s missing security features they actually need — or sometimes the reverse, paying for Business Premium when Basic would do the job.

    Business Premium is where the advanced security features live — things like Microsoft Defender, Intune for device management, and the tools needed to properly meet Cyber Essentials requirements. If you’re handling client data, working towards Cyber Essentials, or have staff on multiple devices, Business Premium is usually the right choice.

    The fix: Check what licences you’re on (Billing → Your products in the admin centre) and compare them against what you actually need. If you’re not sure, this is exactly the kind of thing we review in our free IT and Security Check.

    5. Security defaults haven’t been configured

    When Microsoft 365 is first set up, it comes with a set of defaults. Some of those defaults are fine. Some of them leave your business more exposed than it needs to be.

    Common examples:

    • External email forwarding allowed — meaning anyone whose account is compromised can quietly forward all their emails to an outside address
    • Too many global admins — admin accounts have full access to everything; most businesses have far more than they need
    • Apps with excessive permissions — third-party apps that have been connected to Microsoft 365 and never reviewed
    • Audit logging switched off — meaning if something does go wrong, there’s no trail to investigate

    None of these are obvious if you don’t know what to look for. But they all create real risk.

    The fix: A proper security review of your Microsoft 365 configuration. Microsoft’s Secure Score (in the Security admin centre) gives you a starting point — it scores your setup and suggests improvements. A score below 50% is a sign there’s meaningful work to do.
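As an added example (not part of the original post, and not a KVS365 tool), the following PowerShell script runs read-only checks for mistakes 1, 2 and 5 above: accounts with no MFA method registered, enabled accounts with no sign-in for 90 days, mailboxes that forward mail, the number of Global Administrators, and whether unified audit logging is on. It assumes the Microsoft.Graph and ExchangeOnlineManagement modules are installed and that your account holds a role that can read users, directory roles and Exchange Online configuration; the sign-in activity data also needs an Entra ID P1 licence (included with Business Premium).

```powershell
# Added example: read-only checks for MFA coverage, stale accounts, external
# forwarding, Global Administrator count and audit logging. Assumes the
# Microsoft.Graph and ExchangeOnlineManagement modules are installed.
Connect-MgGraph -Scopes "User.Read.All","UserAuthenticationMethod.Read.All","Directory.Read.All","AuditLog.Read.All" -NoWelcome
Connect-ExchangeOnline -ShowBanner:$false

$users = Get-MgUser -All -Filter "accountEnabled eq true" -Property Id,UserPrincipalName,SignInActivity

# Mistake 1: enabled accounts whose only registered sign-in method is a password.
$noMfa = foreach ($u in $users) {
    $methods = Get-MgUserAuthenticationMethod -UserId $u.Id
    $strong  = $methods | Where-Object { $_.AdditionalProperties['@odata.type'] -ne '#microsoft.graph.passwordAuthenticationMethod' }
    if (-not $strong) { $u.UserPrincipalName }
}
Write-Host "Accounts with no MFA method registered: $(@($noMfa).Count)"
@($noMfa) | ForEach-Object { Write-Host "  $_" }

# Mistake 2: enabled accounts with no sign-in for 90 days (likely leavers to block).
$cutoff = (Get-Date).AddDays(-90)
$stale  = $users | Where-Object {
    $last = $_.SignInActivity.LastSignInDateTime
    (-not $last) -or ($last -lt $cutoff)
}
Write-Host "Enabled accounts with no sign-in in 90 days: $(@($stale).Count)"
@($stale) | ForEach-Object { Write-Host "  $($_.UserPrincipalName)" }

# Mistake 5a: mailbox-level forwarding and inbox rules that forward or redirect mail.
$mailboxes = Get-Mailbox -ResultSize Unlimited
$fwd = $mailboxes | Where-Object { $_.ForwardingSmtpAddress -or $_.ForwardingAddress }
Write-Host "Mailboxes with forwarding set: $(@($fwd).Count)"
foreach ($m in $mailboxes) {
    Get-InboxRule -Mailbox $m.UserPrincipalName |
        Where-Object { $_.ForwardTo -or $_.ForwardAsAttachmentTo -or $_.RedirectTo } |
        ForEach-Object { Write-Host "  Forwarding rule '$($_.Name)' in $($m.UserPrincipalName)" }
}
# Tenant-wide control: AutoForwardingMode 'Off' blocks automatic external forwarding outright.
Get-HostedOutboundSpamFilterPolicy | ForEach-Object { Write-Host "Outbound policy $($_.Name): AutoForwardingMode = $($_.AutoForwardingMode)" }

# Mistake 5b: Global Administrators (keep this to a handful of named, MFA-protected accounts).
$gaRole = Get-MgDirectoryRole -Filter "displayName eq 'Global Administrator'"
$gas = Get-MgDirectoryRoleMember -DirectoryRoleId $gaRole.Id -All
Write-Host "Global Administrators: $(@($gas).Count)"

# Mistake 5c: unified audit logging must be on for there to be a trail to investigate.
$audit = (Get-AdminAuditLogConfig).UnifiedAuditLogIngestionEnabled
Write-Host "Unified audit logging enabled: $audit"
```

Run it from an admin workstation and treat every non-empty list as an item for the offboarding or hardening list; nothing in the script changes any setting.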


    How do you know if any of these apply to you?

    The honest answer is: unless someone has specifically reviewed your setup, you probably don’t.

    Most of these issues don’t cause any visible problems day-to-day. They only become apparent when something goes wrong — an account gets compromised, a file goes missing, or an auditor asks questions.

    The best time to find them is before that happens.

    We offer a free IT and Security Check for small businesses — 30 minutes, plain English, no pressure. We’ll look at your Microsoft 365 setup and tell you honestly what’s there, what’s missing, and what (if anything) needs fixing.

👉 Book your free IT & Security Check

Or if you’d like to find out more about how we look after Microsoft 365 for small businesses: Microsoft 365 at KVS365


    Ken Strettle is the founder of KVS365, a UK-based IT consultancy helping small businesses get Microsoft 365 working properly, stay secure, and get Cyber Essentials ready. Based in Newark, working with businesses across the UK.

  • Do I Need Cyber Essentials? An Honest Guide for Small Businesses

    If you’ve heard the term “Cyber Essentials” but aren’t sure whether it applies to you, you’re not alone. It’s one of the questions I get asked most often — and the honest answer is: it depends, but probably yes.

    Here’s a plain-English guide to what Cyber Essentials actually is, who needs it, and what’s involved. No jargon. No sales pitch.

    What is Cyber Essentials?

    Cyber Essentials is a UK government-backed certification scheme that helps businesses protect themselves against the most common cyber attacks. It was introduced because the vast majority of successful cyber attacks — around 80% — exploit basic security weaknesses that are completely preventable.

    The scheme covers five core areas:

    • Firewalls — controlling what comes in and out of your network
    • Secure configuration — making sure devices and software are set up safely
    • User access control — limiting who can access what, and when
    • Malware protection — keeping malicious software out
    • Patch management — keeping software and devices up to date

    There’s also a higher level called Cyber Essentials Plus, which involves a hands-on technical audit rather than a self-assessment. Most small businesses start with the standard Cyber Essentials.

    Who actually needs it?

    The short answer: more businesses than you’d think.

    You almost certainly need it if:

    • You bid for government contracts — it’s been a requirement for central government suppliers since 2014, and increasingly required further down the supply chain
    • Your clients (especially larger ones or those in regulated sectors) are starting to ask about your security posture
    • Your cyber insurance requires it — this is becoming increasingly common as insurers tighten their requirements
    • You handle personal data and want to demonstrate good GDPR practice

    You should seriously consider it if:

    • You use Microsoft 365 for email, files and day-to-day work
    • You have staff working remotely or on multiple devices
    • You’ve had a security incident (or a near miss) and want to make sure it doesn’t happen again
    • You want to give clients confidence that their data is safe with you

    You can probably wait if:

• You’re a sole trader with minimal client data and no plans to bid for contracts — though even then, the discipline of going through the process is genuinely useful.

    What does it actually involve?

    The standard Cyber Essentials certification is a self-assessment questionnaire. You answer questions about how your IT is set up, submit it to a certifying body, and they assess it against the standard.

    It’s not as scary as it sounds — but it does require your IT to be set up properly. Common issues we find when helping businesses prepare include:

    • Multi-factor authentication (MFA) not switched on for all users
    • Old staff accounts still active
    • Devices not being patched and updated regularly
    • Unsupported software still in use
    • Overly permissive access — people having access to more than they need

    Most of these are straightforward to fix. The questionnaire just forces you to actually check.

    How long does it take?

    For a small business that’s reasonably well set up, getting Cyber Essentials ready typically takes a few weeks. Larger or more complex organisations may take longer, particularly if there’s a lot of remediation needed first.

    The certification itself (once you submit) is usually turned around within a few days.

    How much does it cost?

    The certification fee itself is currently around £300–£500 depending on the certifying body. That’s just the assessment — it doesn’t include any IT work needed to get your systems up to standard first.

    If you need support getting ready (fixing the gaps, updating configurations, setting up MFA properly), that’s where a company like ours comes in. We help businesses get Cyber Essentials ready without the stress — and because we’re already looking after Microsoft 365 for most of our clients, it’s usually far less work than people expect.

    Does it actually make a difference?

    Yes — and not just on paper.

    The five controls Cyber Essentials requires you to have in place genuinely block the most common attack types. You’re not going to be immune to every threat, but you’ll be a much harder target than businesses that haven’t done this work.

    There’s also a reputational angle. More and more businesses — and their insurers — are asking their suppliers about security. Having Cyber Essentials certification is a simple, credible answer to that question.

    What’s the first step?

    The best starting point is understanding where you currently stand. That means looking at your Microsoft 365 configuration, your device setup, and your current security policies, and identifying any gaps before you attempt the certification.

    We offer a free IT and Security Check — 30 minutes, plain English, no obligation. We’ll look at your setup and tell you honestly what needs addressing before you’d be ready for Cyber Essentials.

    From there, we can either help you get everything in place, or point you in the right direction if you’d prefer to handle it yourselves.

👉 Book your free IT & Security Check

Or find out more about how we help businesses get Cyber Essentials ready: Cyber Essentials at KVS365
