B&R Computers - Business Risk Advisors | IT & Cybersecurity in Lehigh Valley


May 15, 2026 | Microsoft 365

7 Mistakes You're Making with Microsoft 365 Security (and How to Fix Them)

Microsoft 365 is the backbone of the modern SMB. It’s where your emails live, where your files are stored, and where your team collaborates every single day. Because it’s so ubiquitous, and because Microsoft is a tech giant, there’s a common misconception that the platform is "secure by default."

While Microsoft provides the tools for world-class security, they operate on a Shared Responsibility Model. This means Microsoft secures the infrastructure, but you are responsible for securing the data, the identities, and the configurations within your specific environment.

In our experience at B&R Computers, we see many businesses running on "out of the box" settings that leave the digital back door wide open. If you’re managing your own tenant or haven’t had a deep-dive security audit recently, you’re likely making at least a few of these common mistakes.

Here are the top seven Microsoft 365 security blunders we see in the wild and exactly how to fix them.


1. Multi-Factor Authentication (MFA) is Inconsistent

If you’ve spent five minutes on our blog, you know we beat the drum for MFA constantly. Why? Because it blocks over 99% of automated identity attacks.

The mistake isn't just "not having MFA"; it's having it applied inconsistently. We often see tenants where the owners have MFA, but the interns or the part-time bookkeeper do not. Attackers don’t always go for the CEO first; they look for the weakest link to gain a foothold in your network and then move laterally.

The Fix: Don't just "suggest" MFA; enforce it. If you have the right licensing, use Conditional Access policies to require MFA for every single user, every single time they sign in from an untrusted location. If you’re on a basic plan, enable Security Defaults. Also, move away from SMS-based codes, which can be intercepted via SIM swapping. Use the Microsoft Authenticator app or FIDO2 hardware keys for much better protection.

[Image: A professional approving a secure login request using the Microsoft Authenticator app on a smartphone.]


2. Too Many "Global Admins"

The Global Administrator role is the "God Mode" of your Microsoft 365 environment. A Global Admin can read every email, delete every file, and shut down your entire operation.

The mistake we see? SMBs giving "Global Admin" status to five different people just because it’s easier than figuring out specific permissions. If one of those five people gets phished, your entire company is compromised.

The Fix: Follow the Principle of Least Privilege. You should only have 2 to 4 Global Admins. Everyone else who needs to perform administrative tasks should be assigned a specific role (like "Helpdesk Administrator" or "User Administrator").

Furthermore, your admins should have two accounts: a standard account for their daily email and document work, and a separate "admin" account used only for configuration changes. This way, if they click a bad link in their daily email, they aren't signed in with the keys to the kingdom.
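A quick way to check where a tenant stands on this point is to pull the Global Administrator membership and compare it against the 2-to-4 guidance above. The script below is an added example written for this post, not B&R Computers' own tooling; it uses the Microsoft Graph PowerShell SDK (Install-Module Microsoft.Graph) and assumes a naming convention of "adm-" for dedicated admin accounts, which you should adjust to whatever your tenant actually uses.

```powershell
# Added example (not the post's code): audit Global Administrator membership
# with the Microsoft Graph PowerShell SDK and flag the two problems the post
# describes (too many GAs, and GAs on daily-use mailbox accounts).
Connect-MgGraph -Scopes "RoleManagement.Read.Directory","Directory.Read.All" -NoWelcome

# Get-MgDirectoryRole only lists activated roles; Global Administrator is always active.
$role = Get-MgDirectoryRole -Filter "displayName eq 'Global Administrator'"
$members = Get-MgDirectoryRoleMember -DirectoryRoleId $role.Id -All

# Members come back as generic directory objects; the useful fields sit in AdditionalProperties.
$report = foreach ($m in $members) {
    $p = $m.AdditionalProperties
    [pscustomobject]@{
        DisplayName = $p['displayName']
        UPN         = $p['userPrincipalName']
        Type        = ($p['@odata.type'] -replace '#microsoft.graph.', '')   # user, servicePrincipal, group
    }
}
$report | Format-Table -AutoSize

# Check 1: the post's guidance is 2 to 4 Global Admins.
$count = @($report).Count
if ($count -gt 4) {
    Write-Warning "$count Global Admins found. Reduce to 4 or fewer and move the rest to scoped roles (Helpdesk Administrator, User Administrator, ...)."
} elseif ($count -lt 2) {
    Write-Warning "Only $count Global Admin found. Add a second (e.g. a break-glass account) so a single lost account cannot lock you out."
}

# Check 2: GAs should be separate admin-only accounts, not the account someone
# reads email with. ASSUMPTION: dedicated admin accounts are named 'adm-<name>';
# change the pattern to match your own convention.
$report | Where-Object { $_.Type -eq 'user' -and $_.UPN -notlike 'adm-*' } |
    ForEach-Object { Write-Warning "Global Admin assigned to a daily-use account: $($_.UPN)" }
```

Run it from an account that can read directory roles; nothing here changes the tenant, it only reports. Groups and service principals holding the role show up with their own Type so they are not mistaken for people.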


3. Legacy Authentication is Still Active

Legacy authentication refers to older protocols (like POP3, IMAP, and SMTP) that don’t support modern security features like MFA. Hackers love legacy auth because it allows them to run "password spraying" attacks, where they try common passwords against thousands of accounts, without being blocked by an MFA prompt.

Even if you have MFA turned on for your users, if legacy auth is enabled in your tenant, a hacker can bypass that MFA entirely by connecting through an older protocol.

The Fix: You need to block legacy authentication across the board. You can do this through Conditional Access policies. Before you do, make sure your team is using modern versions of Outlook (2016 or newer) or the Outlook mobile app, as older versions might break once these protocols are disabled. It’s a small technical hurdle for a massive jump in security.
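Mistakes 1 and 3 are both fixed with Conditional Access, so one added example covers both: a policy that requires MFA for every user outside your trusted locations, and a policy that blocks legacy authentication, each created in report-only mode so you can review the sign-in logs before enforcing. It then lists who is still signing in with legacy protocols, which is the pre-flight check the post asks for. This is example code written for this post, not the post's or Microsoft's own script; it assumes Entra ID P1 licensing for Conditional Access, the Microsoft Graph PowerShell SDK, and an existing break-glass account whose object ID replaces the placeholder.

```powershell
# Added example (not the post's code): two Conditional Access policies, created
# report-only, plus a check for remaining legacy-protocol sign-ins.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess","Policy.Read.All","AuditLog.Read.All" -NoWelcome

$breakGlassId = "<object-id-of-break-glass-account>"   # placeholder: always exclude break-glass accounts

function New-ReportOnlyCaPolicy {
    param([Parameter(Mandatory)][hashtable]$Body)
    # Report-only records what the policy WOULD do in the sign-in log without blocking anyone.
    $Body['state'] = 'enabledForReportingButNotEnforced'
    New-MgIdentityConditionalAccessPolicy -BodyParameter $Body
}

# Policy for mistake #1: MFA for all users, all apps, every sign-in from outside
# the named locations you have marked as trusted ('AllTrusted').
New-ReportOnlyCaPolicy -Body @{
    displayName   = 'CA01 - Require MFA for all users outside trusted locations'
    conditions    = @{
        users          = @{ includeUsers = @('All'); excludeUsers = @($breakGlassId) }
        applications   = @{ includeApplications = @('All') }
        clientAppTypes = @('all')
        locations      = @{ includeLocations = @('All'); excludeLocations = @('AllTrusted') }
    }
    grantControls = @{ operator = 'OR'; builtInControls = @('mfa') }
}

# Policy for mistake #3: block legacy authentication. Graph represents legacy
# protocols (POP3, IMAP, SMTP AUTH, older Office clients) as the client app
# types 'exchangeActiveSync' and 'other'.
New-ReportOnlyCaPolicy -Body @{
    displayName   = 'CA02 - Block legacy authentication'
    conditions    = @{
        users          = @{ includeUsers = @('All'); excludeUsers = @($breakGlassId) }
        applications   = @{ includeApplications = @('All') }
        clientAppTypes = @('exchangeActiveSync','other')
    }
    grantControls = @{ operator = 'OR'; builtInControls = @('block') }
}

# Pre-flight for CA02: which users still authenticate with legacy protocols
# (the outdated Outlook versions the post warns will break)?
$modern = @('Browser','Mobile Apps and Desktop clients')
Get-MgAuditLogSignIn -Top 2000 |
    Where-Object { $_.ClientAppUsed -and ($_.ClientAppUsed -notin $modern) } |
    Group-Object UserPrincipalName, ClientAppUsed |
    Sort-Object Count -Descending |
    Select-Object Count, Name
```

Once the report-only results show only the sign-ins you expect to be affected, switch each policy's state to "enabled" in the portal or with Update-MgIdentityConditionalAccessPolicy. Keeping the break-glass account excluded from both policies is deliberate: it is the account you fall back on if a policy misfires.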


4. Over-Permissive Sharing in SharePoint and OneDrive

Microsoft 365 makes it incredibly easy to share files. Sometimes, it’s too easy. By default, many tenants allow users to create "Anyone" links. These are links that allow anyone on the internet to view or edit a document without signing in.

We’ve seen situations where a sensitive spreadsheet containing payroll or client data was shared via an "Anyone" link three years ago, and that link is still active, floating around in someone’s old inbox or cached in a search engine.

The Fix: Audit your external sharing settings. In the SharePoint Admin Center, you should restrict sharing so that only "Existing Guests" or "New and Existing Guests" can access files. This requires the recipient to verify their identity.

Also, set an expiration date on all sharing links. For a deeper look at how to manage these risks, we recommend booking a Strategy Session to review your data governance policies.
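The settings described above map directly onto tenant-level switches in the SharePoint Online Management Shell. The following is an added example for this post, not B&R Computers' script; it shows the permissive configuration beside the tightened one and assumes the Microsoft.Online.SharePoint.PowerShell module, with the tenant name and the Finance site URL as placeholders.

```powershell
# Added example (not the post's code): review and tighten SharePoint/OneDrive
# external sharing at the tenant level.
Connect-SPOService -Url "https://<tenant>-admin.sharepoint.com"   # placeholder tenant

# Before: what the tenant allows today.
Get-SPOTenant | Select-Object SharingCapability, DefaultSharingLinkType,
    RequireAnonymousLinksExpireInDays, ExternalUserExpirationRequired, ExternalUserExpireInDays

# The weak configuration the post describes, for comparison (do NOT apply):
#   SharingCapability                 = ExternalUserAndGuestSharing  # "Anyone" links allowed
#   DefaultSharingLinkType            = AnonymousAccess              # new links default to "Anyone"
#   RequireAnonymousLinksExpireInDays = -1                           # "Anyone" links never expire

# Hardened configuration: "Existing Guests" only (use ExternalUserSharingOnly for
# "New and Existing Guests"), links default to people inside the organisation,
# and guest access expires so old shares do not linger for years.
Set-SPOTenant -SharingCapability ExistingExternalUserSharingOnly `
              -DefaultSharingLinkType Internal `
              -ExternalUserExpirationRequired $true `
              -ExternalUserExpireInDays 60

# If "Anyone" links must stay on for a business reason, at least make them
# expire and view-only (the post's "set an expiration date" advice):
# Set-SPOTenant -SharingCapability ExternalUserAndGuestSharing `
#               -RequireAnonymousLinksExpireInDays 30 `
#               -FileAnonymousLinkType View -FolderAnonymousLinkType View

# Sites can be stricter than the tenant but never looser; lock down a
# sensitive site (payroll, client data) completely.
Set-SPOSite -Identity "https://<tenant>.sharepoint.com/sites/Finance" -SharingCapability Disabled

# After: confirm the change took effect.
Get-SPOTenant | Select-Object SharingCapability, DefaultSharingLinkType, ExternalUserExpireInDays
```

Note that tightening the tenant setting stops new "Anyone" links from being created and invalidates existing ones, which is exactly the three-year-old payroll link scenario above; warn users before you flip it so legitimate shares can be re-issued as guest links.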

[Image: Business professionals collaborating securely in an office, showcasing safe document sharing practices.]


5. Ignoring Email Authentication (SPF, DKIM, and DMARC)

Email is still the #1 vector for cyberattacks. Many SMBs set up their Microsoft 365 mailboxes but fail to properly configure the technical "behind-the-scenes" records that prove your email is actually from you.

Without SPF, DKIM, and DMARC records, it is much easier for attackers to spoof your domain, sending emails that look like they’re coming from your @company.com address to trick your employees or clients into sending money or sensitive info.

The Fix: You need to ensure all three DNS records are present and correctly configured.

  • SPF (Sender Policy Framework): Lists which IP addresses are allowed to send mail for your domain.
  • DKIM (DomainKeys Identified Mail): Adds a digital signature to your emails.
  • DMARC (Domain-based Message Authentication, Reporting, and Conformance): Tells receiving servers what to do if an email fails SPF or DKIM (e.g., send it to spam or block it entirely).

Setting these up correctly not only protects your brand but also improves your email deliverability.
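You can verify the three records for your own domain without any third-party tool. The function below is an added example for this post, not the post's own code; it uses Resolve-DnsName from the Windows DnsClient module and assumes the domain sends through Microsoft 365, which publishes DKIM under the selectors "selector1" and "selector2" as CNAMEs into the tenant's onmicrosoft.com zone. The domain in the usage line is a placeholder.

```powershell
# Added example (not the post's code): check SPF, DKIM and DMARC for a domain
# and give a plain-language verdict on each.
function Get-TxtStrings {
    param([Parameter(Mandatory)][string]$Name)
    Resolve-DnsName -Name $Name -Type TXT -ErrorAction SilentlyContinue |
        Where-Object { $_.Type -eq 'TXT' } |
        ForEach-Object { $_.Strings -join '' }    # long TXT records are split into 255-byte chunks
}

function Test-EmailAuthRecords {
    param([Parameter(Mandatory)][string]$Domain)

    # SPF: a TXT record at the domain apex beginning with v=spf1.
    $spf = Get-TxtStrings $Domain | Where-Object { $_ -like 'v=spf1*' } | Select-Object -First 1
    if (-not $spf)                     { $spfVerdict = 'MISSING' }
    elseif ($spf -match '\s-all\s*$')  { $spfVerdict = 'OK (hard fail)' }
    elseif ($spf -match '\s~all\s*$')  { $spfVerdict = 'WEAK: ~all only marks spoofed mail, it does not reject it' }
    else                               { $spfVerdict = 'WEAK: no -all/~all terminator' }
    if ($spf -and $spf -notmatch 'include:spf\.protection\.outlook\.com') {
        $spfVerdict += '; Microsoft 365 include (spf.protection.outlook.com) is missing'
    }

    # DKIM: Microsoft 365 uses two selectors. A CNAME into *.onmicrosoft.com, or a
    # TXT record starting with v=DKIM1, means the public key is published.
    $dkim = foreach ($sel in 'selector1','selector2') {
        $name  = "$sel._domainkey.$Domain"
        $cname = Resolve-DnsName -Name $name -Type CNAME -ErrorAction SilentlyContinue |
                 Where-Object { $_.Type -eq 'CNAME' } | Select-Object -First 1
        $txt   = Get-TxtStrings $name | Where-Object { $_ -like 'v=DKIM1*' }
        [pscustomobject]@{
            Selector  = $sel
            Published = [bool]($cname -or $txt)
            Target    = if ($cname) { $cname.NameHost } else { $null }
        }
    }

    # DMARC: a TXT record at _dmarc.<domain>; the p= tag is the enforcement policy.
    # The regex anchors on ';' so the subdomain tag sp= is not mistaken for p=.
    $dmarc  = Get-TxtStrings "_dmarc.$Domain" | Where-Object { $_ -like 'v=DMARC1*' } | Select-Object -First 1
    $policy = if ($dmarc -and $dmarc -match '(?:^|;)\s*p=(none|quarantine|reject)') { $Matches[1] } else { $null }
    $dmarcVerdict = switch ($policy) {
        'reject'     { 'OK (reject)' }
        'quarantine' { 'OK (quarantine); move to p=reject once the reports look clean' }
        'none'       { 'WEAK: p=none only monitors, spoofed mail is still delivered' }
        default      { 'MISSING' }
    }

    [pscustomobject]@{
        Domain       = $Domain
        SPF          = $spf
        SPFVerdict   = $spfVerdict
        DKIM         = ($dkim | ForEach-Object { "$($_.Selector)=$($_.Published)" }) -join ', '
        DMARC        = $dmarc
        DMARCVerdict = $dmarcVerdict
    }
}

# Usage (placeholder domain):
Test-EmailAuthRecords -Domain 'example.com' | Format-List
```

A healthy result for an M365 tenant looks like an SPF record of the form "v=spf1 include:spf.protection.outlook.com -all", both DKIM selectors published, and a DMARC record such as "v=DMARC1; p=quarantine; rua=mailto:dmarc@example.com" (the mailbox is a placeholder). Publishing the DKIM CNAMEs is only half the job: signing must also be switched on in Exchange Online, which the Set-DkimSigningConfig cmdlet does for a domain.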


6. No Data Loss Prevention (DLP) Policies

Do you know if an employee just emailed a list of 500 Social Security numbers or credit card digits to their personal Gmail account? Without Data Loss Prevention (DLP), you’re flying blind.

Most business leaders assume that if they trust their employees, they don't need this. But DLP isn't just about catching "bad actors"; it's mostly about preventing accidents. It stops an employee from accidentally hitting "Reply All" on a message containing sensitive PII (Personally Identifiable Information).

The Fix: Set up basic DLP policies within the Microsoft Purview compliance portal. You can start with templates that automatically detect "U.S. Financial Data" or "HIPAA" data. When the system detects this sensitive info being shared externally, it can block the email, encrypt it, or simply alert your IT team. Proactive IT management means stopping the leak before it happens.
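The same starter policy can be built from Security & Compliance PowerShell, which makes it easy to stand up in test mode first, watch what it would have caught, and only then enforce. This is an added example for this post rather than the post's or Microsoft's own script; it assumes the ExchangeOnlineManagement module, a Purview-licensed tenant, and uses a placeholder address for incident reports. The two sensitive information types named are Microsoft's built-in ones that the "U.S. Financial Data" template draws on.

```powershell
# Added example (not the post's code): a starter DLP policy that blocks SSNs and
# card numbers shared outside the organisation, created in test mode.
Connect-IPPSSession

$policyName = 'DLP - SSN and card numbers leaving the org'

# Mode TestWithNotifications shows policy tips to users and logs matches, but
# does not block anything yet; Enable flips it to enforcement later.
New-DlpCompliancePolicy -Name $policyName `
    -Comment 'Starter policy; review test-mode incident reports before enabling' `
    -ExchangeLocation All -SharePointLocation All -OneDriveLocation All `
    -Mode TestWithNotifications

# One SSN or one card number going to an external recipient is enough to trip the rule.
New-DlpComplianceRule -Name 'Block PII to external recipients' -Policy $policyName `
    -ContentContainsSensitiveInformation @(
        @{ Name = 'U.S. Social Security Number (SSN)'; minCount = '1' },
        @{ Name = 'Credit Card Number';                 minCount = '1' }
    ) `
    -AccessScope NotInOrganization `
    -BlockAccess $true `
    -NotifyUser 'LastModifier','Owner' `
    -NotifyPolicyTipCustomText 'This item appears to contain SSNs or card numbers and cannot be shared outside the company.' `
    -GenerateIncidentReport 'security@example.com' `
    -IncidentReportContent 'Title','DocumentAuthor','MatchedItem','Severity' `
    -ReportSeverityLevel High

# Confirm the policy and rule exist and are in test mode.
Get-DlpCompliancePolicy -Identity $policyName | Select-Object Name, Mode, Workload
Get-DlpComplianceRule -Policy $policyName | Select-Object Name, BlockAccess, AccessScope

# After a couple of weeks of clean test-mode reports, enforce:
# Set-DlpCompliancePolicy -Identity $policyName -Mode Enable
```

Starting in test mode matters for the "preventing accidents" point above: the first weeks of reports usually reveal legitimate workflows (an accountant sending a client their own statement, for example) that need an exception before blocking is switched on.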

[Image: An IT expert managing data loss prevention settings to proactively secure sensitive company data.]


7. Relying on "Default" Defender Settings

If you have a Business Premium or Enterprise license, you have access to Microsoft Defender for Office 365. However, the default "Standard" protection is often quite conservative. It might catch the obvious viruses, but it often lets sophisticated phishing attempts through, and links that slip past Safe Links along with them.

The Fix: Tune your anti-phishing, anti-spam, and anti-malware policies. Specifically, look into impersonation protection. This allows you to list your executives and key domain names so that if someone sends an email from "Ryan Hertzog" using a lookalike Gmail address, the system flags it immediately as a potential fraud attempt.

Also, ensure Safe Links and Safe Attachments are turned on. These features "detonate" attachments and scan links in a virtual sandbox before they ever reach your user's inbox.
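The three changes above (impersonation protection, Safe Links, Safe Attachments) can all be made from Exchange Online PowerShell. The script below is an added example for this post, not the post's own script; it assumes a Defender for Office 365 license and uses a placeholder domain and e-mail address. "Ryan Hertzog" is the example name from the post; the entry format "Display Name;email" is what the cmdlet expects.

```powershell
# Added example (not the post's code): tune the default anti-phish policy and
# enable Safe Links and Safe Attachments for everyone in the domain.
Connect-ExchangeOnline

$domain = 'example.com'   # placeholder: your primary mail domain

# Impersonation protection: name the executives and domains that lookalike
# senders imitate, and quarantine rather than just tag the matches.
Set-AntiPhishPolicy -Identity 'Office365 AntiPhish Default' `
    -EnableTargetedUserProtection $true `
    -TargetedUsersToProtect @("Ryan Hertzog;ryan@$domain") `
    -TargetedUserProtectionAction Quarantine `
    -EnableOrganizationDomainsProtection $true `
    -EnableTargetedDomainsProtection $true `
    -TargetedDomainsToProtect @($domain) `
    -TargetedDomainProtectionAction Quarantine `
    -EnableMailboxIntelligence $true `
    -EnableMailboxIntelligenceProtection $true `
    -MailboxIntelligenceProtectionAction Quarantine `
    -EnableSimilarUsersSafetyTips $true `
    -EnableSimilarDomainsSafetyTips $true `
    -EnableUnusualCharactersSafetyTips $true `
    -PhishThresholdLevel 2    # 1 = Standard ... 4 = Most aggressive

# Safe Links: rewrite and scan URLs at click time in mail, Teams and Office apps,
# and do not let users click through a warning page.
New-SafeLinksPolicy -Name 'Safe Links - all users' `
    -EnableSafeLinksForEmail $true -EnableSafeLinksForTeams $true -EnableSafeLinksForOffice $true `
    -ScanUrls $true -DeliverMessageAfterScan $true -TrackClicks $true -AllowClickThrough $false
New-SafeLinksRule -Name 'Safe Links - all users' `
    -SafeLinksPolicy 'Safe Links - all users' -RecipientDomainIs $domain

# Safe Attachments: detonate attachments in a sandbox and block the message on a malicious verdict.
New-SafeAttachmentPolicy -Name 'Safe Attachments - all users' -Enable $true -Action Block
New-SafeAttachmentRule -Name 'Safe Attachments - all users' `
    -SafeAttachmentPolicy 'Safe Attachments - all users' -RecipientDomainIs $domain

# Verify what is now in force.
Get-AntiPhishPolicy -Identity 'Office365 AntiPhish Default' |
    Select-Object EnableTargetedUserProtection, TargetedUsersToProtect, PhishThresholdLevel
Get-SafeLinksPolicy | Select-Object Name, EnableSafeLinksForEmail, AllowClickThrough
Get-SafeAttachmentPolicy | Select-Object Name, Enable, Action
```

The "Block" action for Safe Attachments holds the whole message until the sandbox verdict is in; if that delay is a problem for a team, "DynamicDelivery" delivers the body immediately and swaps the attachment in once scanning finishes.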


Why Proactive IT is the Only Way Forward

The common thread through all these mistakes is passivity. Setting up Microsoft 365 and "leaving it be" is a recipe for a breach. Cybersecurity in 2026 and beyond requires a proactive approach. You need to be looking for the gaps before the bad guys do.

If you’re unsure where your tenant stands, our Resources hub has several guides on how to audit your internal systems. Or, if you’d rather focus on running your business while we handle the technical heavy lifting, we can manage your M365 security for you as part of our Managed IT services.

Securing your business doesn’t always require a million-dollar budget; it requires the right configurations and a commitment to hygiene. And if you're looking to upgrade your team's hardware to support these modern security features without breaking the bank, check out our Refurbished Store for business-grade machines that are ready for the job.

Don't wait for a "suspicious login" alert to start taking this seriously. Audit your settings today.
