Summary
- Most Australian businesses running Microsoft 365 are already paying for tools that can protect them
- Those tools only work as well as the governance and policies directing them
- Common gaps like unreviewed access, unapproved AI tools, and unmanaged third-party accounts leave businesses exposed
- Cyber governance does not need to be complicated to be effective
Most Australian businesses running Microsoft 365 are already sitting on a solid security foundation. The tools are included in the licence. The capability is there.
What determines how well that foundation actually protects the business is not the software. It is the decisions behind it: who has access to what, which tools staff are permitted to use, and how often any of that gets reviewed. That is governance. And for most small businesses, it is the piece that is missing.
The IT Agency’s Managing Director Ron Rosenbaum joined a cyber security panel at Fin365 Symphony 2026 alongside Jay Staal and Dan Goffredo. The conversation kept returning to the same point.
“Governance is really important. It’s got to come from top-down. Cyber security is a business risk, and management needs to be involved just as much as your IT team.”
— Ron Rosenbaum, Managing Director, The IT Agency
The tools can only protect what they have been told to protect
Microsoft 365 Business Premium includes Conditional Access, Microsoft Defender, Purview, and Intune. Between them, these tools can control who gets into your environment, monitor for threats, protect sensitive data, and manage the devices connecting to your systems.
But none of them arrive configured for your business. Out of the box, they do not know which staff should have access to which systems, what your sensitive data looks like, or which tools your team is permitted to use. That context has to come from the business. Without it, the tools are running without direction.
According to the Australian Cyber Security Centre, a cyber incident hits a business in Australia every six minutes, with an average cost of $56,600 for small businesses. Cyber crime continues to increase in frequency, with ransomware attacks and data breaches presenting major risks to Australian organisations.
Three places governance gaps show up most often
“You have the tools to be able to protect yourself if it’s properly implemented.”
— Ron Rosenbaum, Managing Director, The IT Agency
Understanding where the gaps tend to appear makes the problem more manageable. These are the three areas that come up most consistently for small businesses.
Who can access what. Over time, access tends to accumulate. Staff change roles. New tools get added. Old accounts stay active. When access is not mapped to current roles, a single compromised account can reach far more of the business than it should.
AI tool usage. Many businesses have a preferred AI tool but no formal policy around it. Without a clear boundary and a technical control to enforce it, staff fall back on free alternatives that sit entirely outside the business environment, and those tools can harvest the data entered into them. A preference is not a policy.
Contractor and third-party access. External parties often need temporary access to systems to do their work. Without a clear process for granting, scoping, and removing that access when the engagement ends, those connections can stay open long after they are needed.
What governance actually looks like day-to-day
Governance is not a compliance project or a one-time audit. It is a set of ongoing decisions about how the business operates and who has access to what. Dan Goffredo from Microsoft put it well: cyber security functions like “brakes on a car, not to stop you, but just to help you go quicker, safely.”
In practice, building a governance foundation starts with four things.
- Map who has access to what. Review every user, contractor, and third-party integration connected to your systems. Ask whether each one still needs that access and whether the level of access reflects their current role.
- Create an AI use policy. Decide which tools are approved, communicate it clearly to staff, and put a technical control in place to back it up.
- Know where your sensitive data lives. Which systems hold it? Who can reach it? Is any of it flowing into external platforms?
- Set a review cadence. Roles change, staff come and go, and new tools get added. A quarterly review of access and permissions keeps governance current rather than letting gaps build up quietly.
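The first and fourth steps above, mapping access and repeating the review each quarter, are where an IT partner would normally start with a script rather than a spreadsheet. The example below is added here and is not The IT Agency's own tooling; it assumes the Microsoft Graph PowerShell SDK is installed, that the signed-in admin can consent to the listed scopes, and that 90 days without a sign-in counts as stale (a threshold the business should set for itself).

```powershell
# Added example: quarterly access review of guest (contractor / third-party) and
# stale accounts in a Microsoft 365 tenant, using the Microsoft Graph PowerShell SDK.
# Assumptions: Microsoft.Graph module installed; admin can consent to these scopes;
# signInActivity needs a Microsoft Entra ID P1 licence (part of Business Premium).
Connect-MgGraph -Scopes "User.Read.All", "AuditLog.Read.All"

$staleDays = 90                                  # assumption: review threshold chosen by the business
$cutoff    = (Get-Date).AddDays(-$staleDays)

# Pull every user with the fields the review needs. userType 'Guest' identifies
# externally invited accounts, which is where contractor access usually lives.
$users = Get-MgUser -All -Property displayName, userPrincipalName, userType, accountEnabled, createdDateTime, signInActivity

$report = foreach ($u in $users) {
    $last = $u.SignInActivity.LastSignInDateTime   # $null if the account has never signed in
    $noRecentSignIn = ($null -eq $last) -or ($last -lt $cutoff)

    # Flag accounts that need a decision from the business, not from IT.
    if ($u.UserType -eq 'Guest' -and $noRecentSignIn) {
        $flag = 'Guest with no recent sign-in: confirm engagement still active'
    } elseif ($u.UserType -eq 'Guest') {
        $flag = 'Guest: confirm scope of access still matches the engagement'
    } elseif ($noRecentSignIn -and $u.AccountEnabled) {
        $flag = 'Enabled but stale: confirm role or disable'
    } else {
        $flag = ''
    }

    [pscustomobject]@{
        DisplayName = $u.DisplayName
        UPN         = $u.UserPrincipalName
        UserType    = $u.UserType
        Enabled     = $u.AccountEnabled
        Created     = $u.CreatedDateTime
        LastSignIn  = $last
        Flag        = $flag
    }
}

# Flagged accounts first, so the review meeting starts with the decisions that matter.
$report | Sort-Object -Property @{ Expression = { $_.Flag -eq '' } }, LastSignIn | Format-Table -AutoSize

# Keep a dated copy as the record that the quarterly review actually happened.
$report | Export-Csv -Path ".\access-review-$(Get-Date -Format 'yyyy-MM-dd').csv" -NoTypeInformation
```

The CSV is the governance artefact: each flagged row should end with a recorded decision (keep, reduce, or remove) from the business owner, and the next quarter's run shows whether those decisions were carried out.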
None of this requires technical expertise. It requires the business to make clear decisions and make sure those decisions are reflected in how the environment is configured.
A framework that makes this easier
SMB1001 is a cyber security certification framework developed specifically for small and medium businesses by Dynamic Standards International. Its tiered structure means you can start at a level that fits your business today and build from there, without overinvesting in controls you do not yet need. The framework maps directly to the governance decisions described above, giving you and your IT partner a shared reference point for what a properly configured environment looks like. Achieving SMB1001 certification also carries practical business benefits, including potential reductions in cyber insurance premiums and improved standing in supply chain and tender processes.
Working with the right partner
If you are not sure where your business currently stands, The IT Agency can review your cyber security position, identify the gaps in your current Microsoft environment, and recommend a governance pathway suited to your business size and industry. That includes identifying which controls you can apply within your existing licences, so you are not investing in tools you do not need.
The tools to protect your business are likely already there. The IT Agency can help you work out what to do with them.
Frequently asked questions
Does Microsoft 365 include cyber security tools for small businesses?
Yes. Microsoft 365 Business Premium includes built-in security tools covering identity, devices, email, and data protection. These include Conditional Access, Microsoft Defender, Purview, and Intune. The tools are included or available as add-ons, but they require deliberate configuration to be effective. Having an active Microsoft 365 licence does not mean a business is protected.
What is the biggest cyber security risk for Australian small businesses using Microsoft 365?
Misconfiguration and weak policy enforcement are common causes of security failures in Microsoft 365 environments. Common gaps include overly broad permissions, unmanaged contractor accounts, and unsanctioned tools used outside the business environment. In Australia, cyber crime remains frequent and costly, with ACSC-linked reporting showing thousands of incidents and significant average costs for small businesses.
What does cyber security governance mean for a small business owner?
Cyber security governance means business leadership taking responsibility for security decisions, with IT and security teams carrying out the technical work. It includes defining access rules, approving new tools before they connect to the business environment, and setting policies for handling sensitive data. Governance does not require leaders to be technical experts, but it does require active oversight and accountability from those running the business.
Are AI tools like Microsoft Copilot a cyber security risk?
AI tools inside Microsoft 365 inherit the access permissions already in place across the business environment. The greater risk for most small businesses is staff using free AI tools outside the business environment entirely, since those tools can harvest the data entered into them. A clear AI use policy, backed by a technical control, addresses this directly.
What is SMB1001 and how does it help with cyber security?
SMB1001 is a cyber security certification framework built for small and medium businesses. Its tiered model gives business owners and their IT partners a practical benchmark for secure operations, aligns well with common Microsoft 365 controls, and can help strengthen trust in insurance, tender, and supply-chain conversations.