
Microsoft 365 continues to have a massive impact in Australia, with organisations such as Grant Thornton Australia, Australia Post and the Australian government using Microsoft 365 and exploring its advanced capabilities.
Businesses all over Australia have also adopted the suite. However, widespread adoption of Microsoft 365 in Australia and globally has made the suite a prime target for cyberattacks. Research from Acronis shows that attacks on Microsoft 365 are on the rise.
Microsoft 365 does provide data protection, but managed service providers (MSPs) and their clients have the option to adopt solutions that offer enhanced protection. In an era of increasingly dangerous threats and tightening compliance regulations, they should.
What Microsoft 365 offers out of the box
Microsoft 365 provides a range of security controls, including multifactor authentication (MFA) and Microsoft Secure Score, which helps organisations identify and mitigate security vulnerabilities. Some higher-tier plans, such as Microsoft 365 E5, offer advanced security features such as Microsoft Defender for Office 365, which includes Safe Links and Safe Attachments to protect against malicious content.
But some lower-cost plans lack the most advanced security capabilities. For instance, users with lower-tier Microsoft 365 subscriptions need to seek third-party protection from advanced, targeted cyberattacks and malicious threats. Customers at those subscription levels are more open to cyberattacks than those who pay more for Microsoft 365.
Third parties can also step in to offer ransomware rollback, granular backup and advanced threat detection. If an organisation without a rollback tool is struck by a ransomware attack, it will not be able to retrieve clean data stored before the attack occurred. It also might suffer data loss without granular backup. As such, organisations need to implement additional security measures through third-party solutions.
Microsoft 365 is under constant attack
Because of its prevalence, Microsoft 365 is a frequent target for cyberattacks. Reports of large-scale cyberattacks are commonplace. For example, in February 2025, a massive botnet “sprayed” a cyberattack at Microsoft 365 accounts worldwide. From January to June 2024, the Office of the Australian Information Commissioner received the highest number of data breach notifications since July to December 2020. The number represented an increase of 9% compared to the previous six months.
Small businesses, schools and government entities are particularly vulnerable to threats, especially if they are using default configurations of Microsoft 365. Default settings often lack the advanced security features necessary to protect against sophisticated attacks. In fact, the Australian Signals Directorate provides a comprehensive guide to how organisations should configure Microsoft 365 security. For many organisations, it’s a lot to take on. Clients need protection, and MSPs can provide it.
Compliance remains an issue for MSPs and clients
In general, Australian organisations must comply with various standards, including those laid out in the Essential Eight, the Information Security Manual (ISM), and the Privacy Act. Those sources provide specific guidelines for protecting sensitive information and ensuring data sovereignty. Some measures are required, and others are strong suggestions, but organisations are better off following all of them to ensure adequate protection and compliance with regulations.
Microsoft’s shared responsibility model leaves several critical elements of data protection to the customer. While Microsoft takes responsibility for the security of cloud infrastructure, customers are responsible for securing their own data and applications. This model emphasises the importance of implementing robust security measures beyond the native features provided by Microsoft 365.
MSPs can deliver reliable data protection in Microsoft 365
MSPs hold the key to data security and compliance in Microsoft 365 for businesses and other organisations. They can ensure that their clients' Microsoft 365 environments are secure and compliant when clients can’t — and for many organisations, attempting to protect Microsoft 365 in-house is just too complex.
By delivering additional security measures such as third-party backup, endpoint protection and compliance tooling, MSPs can enable their clients to meet regulatory requirements and protect against cyberthreats. They can also provide critical services that go beyond managing applications by offering regular security assessments and aiding with the implementation of multilayered security strategies.
To provide comprehensive protection, MSPs need Acronis Ultimate 365. The solution offers:
- Backup and recovery, which ensures all data within Microsoft 365 is protected and can be quickly restored in the event of a disaster. Automated backups, granular recovery options and seamless integration with Microsoft 365 ensure that client data is always safe and accessible.
- Email security, which provides comprehensive email security to protect against phishing, malware and spam. AI- and behaviour-based threat detection, real-time monitoring and advanced filtering capabilities ensure that MSPs can identify and mitigate email threats before they can cause harm to clients.
- Collaboration app security, which protects sensitive data from cyberthreats with real-time threat detection, data loss prevention and secure file-sharing capabilities.
- Email archiving, which ensures that all emails are securely stored and easily accessible, meeting regulatory standards and providing a reliable record of communication.
- Security posture management, which provides tools to identify and address security gaps, ensuring that the environment is always up to date and secure. Real-time threat intelligence, vulnerability assessments and automated remediation capabilities help MSPs stay ahead of potential threats.
- Security awareness training, which educates employees on security best practices and reduces the risk of human error. Interactive training modules, phishing simulations and detailed reporting tools help MSPs and their clients build a strong security culture.
- Endpoint security, which protects against a wide range of threats with AI-driven threat detection, real-time monitoring and automated response capabilities.
With Acronis Ultimate 365, MSPs can simplify the management of security and backup tasks, reduce costs and improve overall security posture. This consolidated approach provides faster detection and response to incidents and ensures compliance with regulatory requirements.
Built-in Microsoft 365 security features are a baseline, not a strategy
While the native security features of Microsoft 365 are helpful, they are not sufficient for a comprehensive security strategy. MSPs can differentiate themselves by delivering layered security, compliance readiness and faster recovery. Proactive assessment of client Microsoft 365 environments is essential to identify and mitigate potential threats.
Contact Acronis to schedule a demo with an Acronis expert for more information on how to enhance your Microsoft 365 security with a unified cyber protection platform.

About Acronis
A Swiss company founded in Singapore in 2003, Acronis has 15 offices worldwide and employees in 50+ countries. Acronis Cyber Protect Cloud is available in 26 languages in 150 countries and is used by over 21,000 service providers to protect over 750,000 businesses.