Microsoft 365 powers daily operations for thousands of Pittsburgh small businesses. From email and file sharing to collaboration and scheduling, it has become the digital backbone of local professional services firms, healthcare practices, manufacturers, and nonprofits alike. But with this reliance comes risk.
Cybercriminals target Microsoft 365 tenants because they know the data inside is valuable—and often underprotected. Ceeva helps Pittsburgh organizations strengthen their Microsoft 365 security posture through expert configuration, ongoing monitoring, and strategic guidance tailored to local business needs.
This guide walks you through the essential security controls every Pittsburgh small business should implement. You'll learn how to protect email, identities, and data, plus get clear steps you can follow to reduce your risk today.
Pittsburgh's small business community is diverse. You'll find healthcare practices managing patient records, manufacturing firms protecting proprietary designs, professional services companies handling client financials, and nonprofits safeguarding donor information. Each of these organizations relies on Microsoft 365—and each faces unique cybersecurity challenges.
The shared risk is clear: a compromised Microsoft 365 account can expose sensitive data, disrupt operations, and damage your reputation. For regulated industries like healthcare and finance, a breach can also trigger compliance violations and significant penalties.
Local context matters too. Pittsburgh businesses often work with regional partners, vendors, and clients. A security incident at your organization can ripple through your entire professional network, affecting trust and relationships you've built over years.
Understanding how attackers operate helps you defend against them. Here are the most common tactics targeting small businesses:
Phishing remains the top attack vector. Attackers send emails that appear to come from Microsoft, your bank, or even a colleague. These messages trick employees into entering credentials on fake login pages.
Business email compromise (BEC) takes this further. Once inside an account, attackers study communication patterns and then impersonate executives or vendors to request wire transfers or sensitive data. According to the Cybersecurity and Infrastructure Security Agency (CISA), BEC attacks cost U.S. businesses billions annually.
Credential stuffing uses lists of stolen credentials from previous data breaches to attempt logins across many accounts. Password spraying works differently—it tries a few common passwords against many accounts to avoid triggering lockouts.
Both techniques exploit weak or reused passwords. If your employees use the same password for Microsoft 365 and a personal account that gets breached elsewhere, your business is at risk.
Consent phishing, a newer technique, tricks users into granting permissions to malicious third-party applications. The app then has ongoing access to your Microsoft 365 data without needing the user's password.
These attacks are especially dangerous because they bypass traditional security controls. The malicious app operates with the permissions the user granted, making detection more difficult.
Multi-factor authentication (MFA) requires users to verify their identity with something beyond just a password. This typically means entering a code from a mobile app, responding to a push notification, or using a hardware security key.
MFA blocks the vast majority of automated attacks. Even if an attacker obtains a password through phishing or a data breach, they cannot access the account without the second factor.
Microsoft 365 supports several MFA methods. Here are the most common options for small businesses:
Microsoft Authenticator App: This free mobile app generates time-based codes and supports push notifications. It's the most practical option for most employees because it doesn't require additional hardware.
SMS Text Messages: Microsoft sends a code to the user's phone. While better than no MFA, text messages can be intercepted through SIM-swapping attacks. Use this only as a backup method.
Hardware Security Keys: Physical devices like YubiKeys offer the strongest protection. They're especially valuable for high-risk accounts like global administrators.
Rolling out MFA requires planning. Here's a practical approach:
Step 1: Start with admin accounts. These have the most access and represent your highest risk. Enable MFA on all global admin and privileged accounts immediately.
Step 2: Communicate with your team. Explain why MFA matters and what to expect. Give employees time to install the authenticator app and configure their accounts before enforcement begins.
Step 3: Enable security defaults or conditional access policies. Security defaults enforce MFA for all users with minimal configuration. Conditional access policies offer more flexibility, letting you require MFA only in specific situations.
Step 4: Establish a help process for employees who get locked out. Have a clear procedure for verifying identity and resetting MFA methods when needed.
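Steps 1 through 4 are easier to verify than to assume. The following added example (written for this article, not Ceeva's or Microsoft's code) uses the Microsoft Graph PowerShell SDK's authentication-methods registration report to list who has not registered MFA, admins first, and who relies only on SMS or voice codes. The grouping of method names into "strong" and "weak" is this example's own judgement, and the Graph scopes named in the comment are the ones documented for that report.

```powershell
# Added example, not from the original guide: list who has not finished MFA registration,
# admins first, and who relies only on SMS or voice. Uses the Microsoft Graph PowerShell SDK
# registration report; the method-name lists are this example's own grouping of the values
# the report returns and may need extending as Microsoft adds methods.
# Connect first, e.g.: Connect-MgGraph -Scopes 'AuditLog.Read.All','UserAuthenticationMethod.Read.All'

function Get-MfaStatus {
    # Pure classification, kept apart from Graph so the logic can be read on its own.
    param(
        [bool]$IsMfaRegistered,
        [string[]]$Methods,
        [string[]]$Strong = @('fido2SecurityKey', 'windowsHelloForBusiness', 'passKeyDeviceBound',
                              'passKeyDeviceBoundAuthenticator', 'microsoftAuthenticatorPasswordless'),
        [string[]]$Weak   = @('mobilePhone', 'alternateMobilePhone', 'officePhone')   # SMS/voice: exposed to SIM swapping
    )
    if (-not $IsMfaRegistered) { return 'NotRegistered' }
    # Password, e-mail and security questions only serve self-service password reset, not MFA.
    $mfa = @($Methods | Where-Object { $_ -notin @('password', 'email', 'securityQuestion') })
    if ($mfa.Count -eq 0)                                        { return 'NotRegistered' }
    if (@($mfa | Where-Object { $_ -in $Strong }).Count -gt 0)   { return 'PhishingResistant' }
    if (@($mfa | Where-Object { $_ -notin $Weak }).Count -eq 0)  { return 'WeakOnly' }
    return 'Standard'   # authenticator push or TOTP: fine for staff, not enough for admins
}

function Get-MfaRegistrationGaps {
    Get-MgReportAuthenticationMethodUserRegistrationDetail -All | ForEach-Object {
        $status = Get-MfaStatus -IsMfaRegistered $_.IsMfaRegistered -Methods @($_.MethodsRegistered)
        [pscustomobject]@{
            User    = $_.UserPrincipalName
            IsAdmin = $_.IsAdmin
            Status  = $status
            # Admins need phishing-resistant MFA; everyone else needs at least a non-SMS method.
            Action  = if ($_.IsAdmin -and $status -ne 'PhishingResistant') { 'Admin: move to security key' }
                      elseif ($status -in @('NotRegistered', 'WeakOnly'))   { 'Register authenticator app' }
                      else                                                  { '' }
            Methods = ($_.MethodsRegistered -join ', ')
        }
    } | Sort-Object @{ Expression = 'IsAdmin'; Descending = $true }, Status
}

# Usage: Get-MfaRegistrationGaps | Where-Object Action | Format-Table -AutoSize
```

Run it before Step 3 to see how many people still need the authenticator app, and again after enforcement to confirm no admin is left on SMS only.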
Email is where most attacks begin. Protecting your Microsoft 365 email environment requires multiple layers of defense.
Every Microsoft 365 tenant includes Exchange Online Protection (EOP). This baseline filtering catches known malware, spam, and some phishing attempts. However, EOP alone isn't sufficient for today's threat landscape.
Review your EOP settings to ensure quarantine notifications are enabled and that someone is regularly checking the quarantine for legitimate messages that were incorrectly flagged.
Microsoft Defender for Office 365 (formerly Advanced Threat Protection) adds enhanced protection against sophisticated attacks. Key features include:
Safe Attachments: Opens attachments in an isolated sandbox to detect malware that signature-based scanning might miss.
Safe Links: Scans URLs at click time, protecting users even if a link becomes malicious after the email was delivered.
Anti-Phishing Policies: Uses machine learning to detect impersonation attempts and protect against BEC attacks.
Properly configured email authentication helps prevent attackers from spoofing your domain. Three records work together:
SPF (Sender Policy Framework): Lists the mail servers authorized to send email on behalf of your domain. This helps receiving servers identify spoofed messages.
DKIM (DomainKeys Identified Mail): Adds a digital signature to outgoing messages, proving they haven't been altered in transit.
DMARC (Domain-based Message Authentication, Reporting, and Conformance): Tells receiving servers what to do with messages that fail SPF or DKIM checks and reports on authentication results.
Ceeva configures these records as part of Microsoft 365 security assessments, ensuring Pittsburgh businesses have proper email authentication in place.
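The three records can be checked from any Windows machine. The following added example (not Ceeva's or Microsoft's code) queries a domain's SPF, DKIM and DMARC records with Resolve-DnsName and reports weak settings such as "+all", a missing DMARC policy or p=none. The domain name is a placeholder; the selector names selector1 and selector2 are the ones Microsoft 365 publishes for customer domains.

```powershell
# Added example (not from the original guide): check a domain's SPF, DKIM and DMARC records
# and report weak settings. Resolve-DnsName ships with the Windows DnsClient module;
# 'example-pittsburgh-firm.com' is a placeholder domain.

function Get-TxtRecords {
    param([string]$Name)
    Resolve-DnsName -Name $Name -Type TXT -ErrorAction SilentlyContinue |
        Where-Object { $_.Type -eq 'TXT' } |
        ForEach-Object { -join $_.Strings }    # long records arrive as 255-byte chunks
}

function Test-EmailAuthRecords {
    param([Parameter(Mandatory)][string]$Domain)
    $findings = [System.Collections.Generic.List[string]]::new()

    # SPF: exactly one v=spf1 record, ending with a restrictive 'all' mechanism.
    $spf = @(Get-TxtRecords $Domain | Where-Object { $_ -match '^v=spf1(\s|$)' })
    if ($spf.Count -ne 1) {
        $findings.Add("SPF: found $($spf.Count) records (need exactly one; several is a permanent error per RFC 7208)")
    } else {
        $terms = $spf[0] -split '\s+'
        if ($terms | Where-Object { $_ -match '^\+?all$' }) { $findings.Add('SPF: "+all" authorises any host to send as this domain') }
        elseif ($terms -notcontains '-all' -and $terms -notcontains '~all') { $findings.Add('SPF: no -all/~all terminator') }
        if ($terms -notcontains 'include:spf.protection.outlook.com') { $findings.Add('SPF: Microsoft 365 servers (spf.protection.outlook.com) not included') }
    }

    # DKIM: both Microsoft 365 selectors must resolve to a key. M365 publishes them as CNAMEs;
    # a TXT query follows the CNAME to the key record, which carries the p= tag.
    foreach ($sel in 'selector1', 'selector2') {
        $key = @(Get-TxtRecords "$sel._domainkey.$Domain" | Where-Object { $_ -match '(^|;)\s*p=' })
        if ($key.Count -eq 0) { $findings.Add("DKIM: $sel._domainkey.$Domain has no public key; signing is not enabled for this selector") }
    }

    # DMARC: one record, an enforcing policy, and a reporting address.
    $dmarc = @(Get-TxtRecords "_dmarc.$Domain" | Where-Object { $_ -match '^v=DMARC1' })
    if ($dmarc.Count -ne 1) {
        $findings.Add("DMARC: found $($dmarc.Count) records (need exactly one)")
    } else {
        $tags = @{}
        foreach ($kv in ($dmarc[0] -split ';')) {
            if ($kv -match '^\s*(\w+)\s*=\s*(.+?)\s*$') { $tags[$Matches[1]] = $Matches[2] }
        }
        switch ($tags['p']) {
            'reject'     { }
            'quarantine' { }
            'none'       { $findings.Add('DMARC: p=none only monitors; spoofed mail is still delivered') }
            default      { $findings.Add('DMARC: missing or invalid p= tag; receivers ignore the record') }
        }
        if (-not $tags.ContainsKey('rua')) { $findings.Add('DMARC: no rua= address; you receive no aggregate reports') }
        if ($tags.ContainsKey('pct') -and [int]$tags['pct'] -lt 100) { $findings.Add("DMARC: pct=$($tags['pct']) applies the policy to only part of the mail") }
    }

    [pscustomobject]@{
        Domain   = $Domain
        Spf      = ($spf -join ' | ')
        Dmarc    = ($dmarc -join ' | ')
        Findings = $findings
        Pass     = ($findings.Count -eq 0)
    }
}

# Usage: Test-EmailAuthRecords -Domain 'example-pittsburgh-firm.com' | Format-List
```

A domain that passes SPF and DKIM but sits at p=none is still spoofable; the DMARC policy is what tells receivers to act.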
Identity management controls who can access what in your Microsoft 365 environment. Strong identity management means the right people have the right access—and attackers can't get in even if they have stolen credentials.
Microsoft 365 uses role-based access control. Different admin roles have different levels of access. The most powerful is Global Administrator, which can access and change anything in your tenant.
Review who holds admin roles in your organization. Many businesses have more global admins than they need. Follow the principle of least privilege: give people only the access required for their job responsibilities.
Admin accounts face the highest risk and need the strongest protections:
Create dedicated admin accounts: Admins should have a separate account for administrative tasks. They should use their regular account for daily work like email and collaboration.
Require strong MFA: Admin accounts should use phishing-resistant MFA methods like hardware security keys, not just the authenticator app.
Enable Privileged Identity Management: If your licensing includes it, PIM offers just-in-time admin access. Admins must activate their role when they need it, reducing the window of exposure.
Conditional access policies evaluate signals about each login attempt and enforce appropriate controls. You can create policies based on:
Location: Block or require MFA for sign-ins from outside your expected geographic area.
Device compliance: Only allow access from devices that meet your security requirements.
Application: Apply different requirements for accessing different applications based on sensitivity.
Risk level: Microsoft assigns risk scores to sign-in attempts. Require additional verification for risky sign-ins.
For Pittsburgh businesses, a common starting point is requiring MFA for all sign-ins from outside the United States and blocking sign-ins from countries where you don't do business.
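That starting point looks like this when created through the Microsoft Graph PowerShell SDK. The block below is an added example, not Ceeva's or Microsoft's code: it defines two country-based named locations and two conditional access policies, one requiring MFA outside the home country and one blocking the countries you list. Both are created in report-only mode so you can review the effect in sign-in logs before enforcing. The country codes in $BlockedCountries and the break-glass account object id are placeholders; always exclude an emergency-access account so a geo mistake cannot lock every admin out.

```powershell
# Added example (Graph PowerShell, not from the original guide): require MFA outside the home
# country and block sign-ins from countries where the business does not operate. Placeholder
# values: the blocked country codes and the break-glass account object id.
# Connect first, e.g.: Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess','Policy.Read.All'

function New-GeoAccessBaseline {
    param(
        [Parameter(Mandatory)][string]$BreakGlassUserId,     # object id of the emergency-access account, always excluded
        [string[]]$HomeCountries    = @('US'),
        [string[]]$BlockedCountries = @('XX', 'YY')          # placeholders: ISO 3166-1 alpha-2 codes you never expect
    )

    $home = New-MgIdentityConditionalAccessNamedLocation -BodyParameter @{
        '@odata.type'                     = '#microsoft.graph.countryNamedLocation'
        displayName                       = 'Home countries'
        countriesAndRegions               = $HomeCountries
        includeUnknownCountriesAndRegions = $false   # unknown geo counts as "outside", so MFA is required
    }
    $blocked = New-MgIdentityConditionalAccessNamedLocation -BodyParameter @{
        '@odata.type'                     = '#microsoft.graph.countryNamedLocation'
        displayName                       = 'Blocked countries'
        countriesAndRegions               = $BlockedCountries
        includeUnknownCountriesAndRegions = $false
    }

    # Policy 1: every sign-in not from a home country must satisfy MFA.
    New-MgIdentityConditionalAccessPolicy -BodyParameter @{
        displayName   = 'CA001 - Require MFA outside home countries'
        state         = 'enabledForReportingButNotEnforced'   # report-only first; switch to 'enabled' after review
        conditions    = @{
            users        = @{ includeUsers = @('All'); excludeUsers = @($BreakGlassUserId) }
            applications = @{ includeApplications = @('All') }
            locations    = @{ includeLocations = @('All'); excludeLocations = @($home.Id) }
        }
        grantControls = @{ operator = 'OR'; builtInControls = @('mfa') }
    }

    # Policy 2: sign-ins from the blocked list are refused outright.
    New-MgIdentityConditionalAccessPolicy -BodyParameter @{
        displayName   = 'CA002 - Block sign-ins from blocked countries'
        state         = 'enabledForReportingButNotEnforced'
        conditions    = @{
            users        = @{ includeUsers = @('All'); excludeUsers = @($BreakGlassUserId) }
            applications = @{ includeApplications = @('All') }
            locations    = @{ includeLocations = @($blocked.Id) }
        }
        grantControls = @{ operator = 'OR'; builtInControls = @('block') }
    }
}

# Usage: New-GeoAccessBaseline -BreakGlassUserId '<object-id-of-emergency-account>' -BlockedCountries 'XX','YY'
```

Geolocation of IP addresses is approximate, and staff on VPNs or travelling will trip the MFA policy, which is the intended behaviour; a week in report-only mode shows how often that happens before anyone is blocked.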
Your Microsoft 365 environment contains data that needs protection: financial records, customer information, employee data, intellectual property, and more. Microsoft 365 includes several tools for data protection.
Sensitivity labels let you classify and protect documents based on their content. You can create labels like "Confidential," "Internal Only," or "Public" and define what protections apply to each.
Labels can:
Once you create labels, you can let users apply them manually or use auto-labeling policies to apply them automatically based on content patterns like credit card numbers or Social Security numbers.
Data Loss Prevention (DLP) policies monitor for sensitive information and can block or warn users when they try to share it inappropriately.
Common DLP scenarios for Pittsburgh small businesses include:
Preventing external sharing of sensitive data: Block users from emailing documents containing financial data or personal information to external recipients.
Warning users about potential issues: Show a warning when someone is about to share something that might be sensitive, giving them a chance to reconsider.
Audit logging: Track when sensitive data is accessed, shared, or downloaded for compliance and investigation purposes.
Microsoft encrypts data at rest and in transit by default. This means your files in SharePoint, emails in Exchange, and messages in Teams are encrypted even without additional configuration.
For additional protection, you can use:
Sensitivity labels with encryption: As mentioned above, labels can encrypt content and restrict access to specific users or groups.
Customer Key: For organizations with specific regulatory requirements, Customer Key lets you control the encryption keys used to protect your data.
Microsoft Secure Score measures your security posture across Microsoft 365, Azure, and other Microsoft services. It gives you a numerical score and specific recommendations for improvement.
Find your Secure Score in the Microsoft 365 Defender portal under Reports > Secure Score. You'll see your current score, how it compares to similar organizations, and a list of recommended actions.
Not all recommendations are equally important. Focus on high-impact actions first:
Identity-related recommendations: Actions like enabling MFA and reducing admin accounts have major security benefits.
Email protection recommendations: Configuring anti-phishing policies and safe attachments protects against common attack vectors.
Data protection recommendations: Setting up DLP policies and sensitivity labels protects your most valuable information.
Some recommendations may not apply to your organization or may conflict with your business requirements. That's fine—the goal isn't a perfect score but rather a thoughtful security posture.
Even with strong preventive controls, security incidents can happen. Having a plan in place helps you respond quickly and effectively.
Your plan should cover:
Detection: How will you know when something is wrong? Configure alerts for suspicious activities like impossible travel, sign-ins from unusual locations, or mass file downloads.
Containment: What immediate steps will you take to limit damage? This might include resetting passwords, disabling compromised accounts, or blocking suspicious IP addresses.
Investigation: How will you determine what happened? Microsoft 365 includes audit logs and investigation tools to trace attacker activity.
Recovery: How will you restore normal operations? This might involve recovering deleted files from backups, reconfiguring security policies, or communicating with affected parties.
Lessons learned: After the incident, what changes will you make to prevent similar incidents in the future?
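The "impossible travel" alert under Detection is simple enough to reason about in code. The following added example (not Ceeva's or Microsoft's code) runs that check over constructed sign-in records shaped like Microsoft Entra sign-in log entries: for each user, consecutive sign-ins are compared and any pair whose implied speed exceeds what an airliner could cover is flagged. The sample records, names and IP addresses are made up; the latitude and longitude fields stand in for the nested location.geoCoordinates values in the real logs.

```powershell
# Added example (not from the original guide): impossible-travel detection over constructed
# sign-in records. Real Entra sign-in entries carry the same fields nested under
# location.geoCoordinates; flatten them the same way before calling Find-ImpossibleTravel.

function Get-DistanceKm {
    # Great-circle distance (haversine) between two coordinates.
    param([double]$Lat1, [double]$Lon1, [double]$Lat2, [double]$Lon2)
    $toRad = [math]::PI / 180
    $dLat  = ($Lat2 - $Lat1) * $toRad
    $dLon  = ($Lon2 - $Lon1) * $toRad
    $a = [math]::Sin($dLat / 2) * [math]::Sin($dLat / 2) +
         [math]::Cos($Lat1 * $toRad) * [math]::Cos($Lat2 * $toRad) *
         [math]::Sin($dLon / 2) * [math]::Sin($dLon / 2)
    return 2 * 6371.0 * [math]::Asin([math]::Sqrt($a))
}

function Find-ImpossibleTravel {
    param(
        [Parameter(Mandatory)][object[]]$SignIns,
        [double]$MaxSpeedKmh = 900    # above airliner cruising speed: physically implausible
    )
    $SignIns | Sort-Object userPrincipalName, createdDateTime |
        Group-Object userPrincipalName | ForEach-Object {
            $events = @($_.Group)
            for ($i = 1; $i -lt $events.Count; $i++) {
                $prev = $events[$i - 1]; $cur = $events[$i]
                $km    = Get-DistanceKm $prev.lat $prev.lon $cur.lat $cur.lon
                $hours = ($cur.createdDateTime - $prev.createdDateTime).TotalHours
                if ($hours -le 0) { $hours = 1 / 3600 }   # same-second events: treat as one second apart
                $speed = $km / $hours
                if ($speed -gt $MaxSpeedKmh) {
                    [pscustomobject]@{
                        User      = $_.Name
                        From      = "$($prev.city), $($prev.country) ($($prev.ipAddress)) at $($prev.createdDateTime.ToString('u'))"
                        To        = "$($cur.city), $($cur.country) ($($cur.ipAddress)) at $($cur.createdDateTime.ToString('u'))"
                        Km        = [math]::Round($km)
                        SpeedKmh  = [math]::Round($speed)
                    }
                }
            }
        }
}

function Get-SampleSignIns {
    # Constructed data, not real tenant records.
    @(
        [pscustomobject]@{ userPrincipalName = 'alice@example.com'; createdDateTime = [datetime]'2024-05-01T13:00:00Z'; ipAddress = '198.51.100.10'; city = 'Pittsburgh'; country = 'US'; lat = 40.44; lon = -79.99 }
        [pscustomobject]@{ userPrincipalName = 'alice@example.com'; createdDateTime = [datetime]'2024-05-01T13:40:00Z'; ipAddress = '203.0.113.77';  city = 'Lagos';      country = 'NG'; lat = 6.45;  lon = 3.39 }
        [pscustomobject]@{ userPrincipalName = 'bob@example.com';   createdDateTime = [datetime]'2024-05-01T13:00:00Z'; ipAddress = '198.51.100.11'; city = 'Pittsburgh'; country = 'US'; lat = 40.44; lon = -79.99 }
        [pscustomobject]@{ userPrincipalName = 'bob@example.com';   createdDateTime = [datetime]'2024-05-01T17:00:00Z'; ipAddress = '198.51.100.90'; city = 'Chicago';    country = 'US'; lat = 41.88; lon = -87.63 }
    )
}

# Usage: Alice's Pittsburgh-to-Lagos pair 40 minutes apart is flagged; Bob's four-hour drive to Chicago is not.
Find-ImpossibleTravel -SignIns (Get-SampleSignIns) | Format-Table -AutoSize
```

Entra ID Protection raises the same signal as an "atypical travel" risk detection; running your own version is useful when licensing does not include it, or when you want to tune the speed threshold for staff who genuinely fly between client sites.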
Incident response is a team effort. Your plan should identify:
Ceeva's cybersecurity team supports Pittsburgh businesses with incident response planning and execution, helping you prepare for and respond to security events.
Microsoft 365 is a cloud service, which brings both benefits and responsibilities. Here are cloud security practices every Pittsburgh small business should implement.
Schedule quarterly reviews of your Microsoft 365 security configuration. Check for:
Microsoft includes some data retention, but it's not a substitute for backup. Microsoft's shared responsibility model makes it clear: Microsoft protects the infrastructure while you're responsible for your data.
Consider a third-party backup solution that captures your Exchange mailboxes, SharePoint sites, OneDrive files, and Teams data. This protects against accidental deletion, malicious insiders, and ransomware.
Review the third-party applications connected to your Microsoft 365 tenant. Each app has permissions to access your data—sometimes more than you realize.
Remove apps that are no longer needed. For apps you keep, verify that their permissions are appropriate and that the vendor has a good security reputation.
Ceeva has served Pittsburgh businesses since 1992, building deep expertise in Microsoft 365 security through decades of experience. As a trusted Microsoft Partner, Ceeva helps organizations implement the security controls described in this guide.
Ceeva's security assessments evaluate your current Microsoft 365 configuration against industry standards and identify gaps. You'll receive a clear report with prioritized recommendations and a roadmap for improvement.
Ceeva's managed IT services include monitoring for suspicious activity in your Microsoft 365 environment. When alerts trigger, the team investigates and responds quickly to contain potential threats.
Technical controls are important, but your employees are your first line of defense. Ceeva offers cybersecurity awareness training and phishing simulations to help your team recognize and report threats.
Use this checklist to track your progress securing Microsoft 365:
In working with Pittsburgh organizations, certain mistakes appear frequently. Avoiding these common pitfalls will strengthen your security posture.
MFA is essential, but it's not enough by itself. Attackers have developed techniques to bypass MFA, including adversary-in-the-middle attacks and MFA fatigue attacks. You need layered defenses.
Users can grant third-party apps access to your Microsoft 365 data. Without governance, you may have dozens of apps with permissions you never approved. Review and clean up app permissions regularly.
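The app review recommended in the cloud security section and again here can be scripted. The following added example (not Ceeva's or Microsoft's code) uses the Microsoft Graph PowerShell SDK to list every delegated permission grant in the tenant, join it to the application's service principal, and flag grants that combine mailbox or file access with either a single-user consent or an unverified publisher. The list of "risky" scopes is this example's own judgement, not a Microsoft list.

```powershell
# Added example (not from the original guide): inventory OAuth consent grants and flag the
# ones worth a second look. Graph PowerShell SDK; the risky-scope list is this example's own.
# Connect first, e.g.: Connect-MgGraph -Scopes 'Directory.Read.All','DelegatedPermissionGrant.Read.All'

function Get-RiskyAppConsents {
    param(
        [string[]]$RiskyScopes = @('Mail.Read', 'Mail.ReadWrite', 'Mail.Send', 'MailboxSettings.ReadWrite',
                                   'Files.Read.All', 'Files.ReadWrite.All', 'Sites.ReadWrite.All',
                                   'Contacts.Read', 'Directory.Read.All', 'Directory.AccessAsUser.All')
    )
    $spCache = @{}
    foreach ($g in (Get-MgOauth2PermissionGrant -All)) {
        if (-not $spCache.ContainsKey($g.ClientId)) {
            $spCache[$g.ClientId] = Get-MgServicePrincipal -ServicePrincipalId $g.ClientId -ErrorAction SilentlyContinue
        }
        $sp     = $spCache[$g.ClientId]
        $scopes = @($g.Scope -split '\s+' | Where-Object { $_ })
        $risky  = @($scopes | Where-Object { $_ -in $RiskyScopes })
        $verified = [bool]$sp.VerifiedPublisher.DisplayName

        [pscustomobject]@{
            App            = $sp.DisplayName
            Publisher      = if ($verified) { $sp.VerifiedPublisher.DisplayName } else { 'UNVERIFIED' }
            OwnerTenant    = $sp.AppOwnerOrganizationId      # compare with your own tenant id; Microsoft's first-party apps share one owner
            ConsentType    = $g.ConsentType                  # 'AllPrincipals' = admin consented for everyone; 'Principal' = one user consented
            ConsentedBy    = $g.PrincipalId                  # user object id for 'Principal' grants; resolve with Get-MgUser -UserId
            RiskyScopes    = ($risky -join ' ')
            OfflineAccess  = ($scopes -contains 'offline_access')   # refresh token: access survives a password reset until revoked
            NeedsReview    = ($risky.Count -gt 0) -and ($g.ConsentType -eq 'Principal' -or -not $verified)
        }
    }
}

# Usage: Get-RiskyAppConsents | Where-Object NeedsReview | Sort-Object App | Format-Table -AutoSize
# Removing a grant: Remove-MgOauth2PermissionGrant -OAuth2PermissionGrantId <grant id>
```

Because the grant, not the password, is what gives a consent-phished app its access, resetting the user's password does nothing here; the grant has to be removed and, if the app is malicious, the service principal disabled.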
Having a backup solution isn't enough if you've never tested restoration. Schedule regular tests to verify you can recover data when you need it.
The strongest technical controls can't prevent a user from voluntarily handing over credentials. Regular training helps employees recognize and resist social engineering attacks.
Securing Microsoft 365 for your Pittsburgh small business requires attention to identity, email, and data protection. Start with the fundamentals—MFA, admin account security, and email authentication—then build toward more advanced controls like conditional access and data loss prevention.
Remember that security is ongoing, not a one-time project. Regular reviews, updated training, and evolving policies keep your defenses aligned with current threats.
For Pittsburgh businesses looking for expert guidance, Ceeva delivers Microsoft 365 security assessments and ongoing managed services that help you protect what matters most. Reach out to start a conversation about your organization's security needs.
Multi-factor authentication is the single most impactful security setting. It blocks over 99% of automated account compromise attacks. Enable MFA for all users, starting with admin accounts.
Beyond MFA, focus on conditional access policies and email protection to build layered defenses.
Many essential security features are included in Microsoft 365 Business Premium licensing. Advanced features like Defender for Office 365 Plan 2 or Microsoft Entra ID P2 require additional licensing.
Ceeva helps Pittsburgh businesses choose the right licensing mix to balance security needs with budget constraints.
Conduct a formal security review at least quarterly. This should include checking admin accounts, reviewing third-party app permissions, verifying security policies, and addressing new Secure Score recommendations.
Additionally, review settings whenever you make significant changes like adding new users or deploying new applications.
You can implement many security controls yourself using Microsoft's documentation. However, professional help ensures configurations are correct and aligned with your specific business requirements.
Ceeva's IT consultants bring years of Microsoft 365 expertise to Pittsburgh businesses, helping you avoid configuration mistakes and optimize your security posture efficiently.
Act immediately. Reset the password for the affected account. Review sign-in logs for unauthorized access. Check for mail forwarding rules or inbox rules an attacker may have created.
If you suspect a broader compromise, contact Ceeva or your IT team for incident response support. Timely action limits damage and speeds recovery.
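The four actions above translate into a short triage script. The following added example (not Ceeva's or Microsoft's code) gathers the evidence for a single mailbox with the Exchange Online and Microsoft Graph PowerShell modules, and, only when asked, performs the containment steps: revoking sessions, clearing mailbox forwarding and removing suspicious inbox rules. Reset the password first, through the admin center or your usual process; the folder-name pattern used to spot "hide the reply" rules is this example's own heuristic.

```powershell
# Added example (not from the original guide): first-hour triage of a suspected compromised
# mailbox. Requires ExchangeOnlineManagement (Connect-ExchangeOnline) and the Graph PowerShell
# SDK (Connect-MgGraph -Scopes 'AuditLog.Read.All','User.ReadWrite.All'). Reset the password before -Contain.

function Invoke-CompromisedMailboxTriage {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$UserPrincipalName,
        [int]$LookbackDays = 14,
        [switch]$Contain      # also revoke sessions, clear forwarding and remove suspicious rules
    )

    # 1. Mailbox-level forwarding: set by admins or attackers with admin rights, invisible to the user in Outlook.
    $mbx = Get-Mailbox -Identity $UserPrincipalName
    $forwarding = if ($mbx.ForwardingSmtpAddress -or $mbx.ForwardingAddress) {
        "$($mbx.ForwardingSmtpAddress)$($mbx.ForwardingAddress) (DeliverToMailboxAndForward=$($mbx.DeliverToMailboxAndForward))"
    } else { 'none' }

    # 2. Inbox rules that forward, redirect, delete or bury mail: the usual BEC persistence mechanism.
    $rules = @(Get-InboxRule -Mailbox $UserPrincipalName -IncludeHidden)
    $suspicious = @($rules | Where-Object {
        $_.ForwardTo -or $_.RedirectTo -or $_.ForwardAsAttachmentTo -or $_.DeleteMessage -or
        ($_.MoveToFolder -and $_.MoveToFolder -match 'RSS|Archive|Conversation History|Deleted|Junk') -or
        $_.Name -match '^[\s\.]*$'      # blank or dot-only rule names are a common attacker habit
    })
    # Preserve the evidence before anything is changed.
    $rules | Export-Clixml -Path "$($UserPrincipalName)-inboxrules-$(Get-Date -Format yyyyMMddHHmm).xml"

    # 3. Recent sign-ins: IP, country, client and result, for the analyst to compare against the user's normal pattern.
    $since   = (Get-Date).AddDays(-$LookbackDays).ToUniversalTime().ToString('yyyy-MM-ddTHH:mm:ssZ')
    $signIns = Get-MgAuditLogSignIn -All -Filter "userPrincipalName eq '$UserPrincipalName' and createdDateTime ge $since" |
        Select-Object CreatedDateTime, IPAddress, ClientAppUsed, AppDisplayName,
                      @{ n = 'Country'; e = { $_.Location.CountryOrRegion } },
                      @{ n = 'ErrorCode'; e = { $_.Status.ErrorCode } }      # 0 = successful sign-in

    # 4. Containment, only on request and only after the password reset.
    if ($Contain) {
        if ($PSCmdlet.ShouldProcess($UserPrincipalName, 'Revoke all refresh tokens')) {
            Revoke-MgUserSignInSession -UserId $UserPrincipalName | Out-Null   # forces every client to re-authenticate with the new password
        }
        if ($forwarding -ne 'none' -and $PSCmdlet.ShouldProcess($UserPrincipalName, 'Clear mailbox forwarding')) {
            Set-Mailbox -Identity $UserPrincipalName -ForwardingSmtpAddress $null -ForwardingAddress $null -DeliverToMailboxAndForward $false
        }
        foreach ($r in $suspicious) {
            if ($PSCmdlet.ShouldProcess("$UserPrincipalName rule '$($r.Name)'", 'Remove inbox rule')) {
                Remove-InboxRule -Mailbox $UserPrincipalName -Identity $r.Identity -Confirm:$false
            }
        }
    }

    [pscustomobject]@{
        User            = $UserPrincipalName
        Forwarding      = $forwarding
        SuspiciousRules = $suspicious | Select-Object Name, Enabled, ForwardTo, RedirectTo, DeleteMessage, MoveToFolder
        SignIns         = $signIns
    }
}

# Usage: $t = Invoke-CompromisedMailboxTriage -UserPrincipalName 'user@example.com'; $t.SignIns | Format-Table
#        Invoke-CompromisedMailboxTriage -UserPrincipalName 'user@example.com' -Contain -WhatIf   # dry run first
```

Revoking sessions matters as much as the password reset: an attacker holding a valid refresh token keeps access to mail and files until that token is invalidated.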
Ceeva delivers security assessments, configuration, and ongoing monitoring for Microsoft 365 environments. As a trusted Microsoft Partner with over three decades of Pittsburgh experience, Ceeva helps local businesses implement the security controls that protect email, identities, and data.
The team also supports incident response planning and cybersecurity awareness training to build organizational resilience.
Compliance requirements depend on your industry. Healthcare organizations must meet HIPAA requirements for protecting patient data. Financial services firms face regulations around data protection and retention.
Microsoft 365 includes compliance tools like audit logging, retention policies, and data loss prevention that help address these requirements. Work with your IT team and legal counsel to understand your specific obligations.
Yes. Legacy authentication protocols don't support MFA, making them a target for attackers. Microsoft has been phasing out legacy authentication, and you should disable it in your tenant.
Before disabling, verify that no critical applications or devices rely on legacy protocols. Test carefully to avoid disrupting business operations.
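The "verify first" step can be done from the sign-in logs. The following added example (not Ceeva's or Microsoft's code) uses the Microsoft Graph PowerShell SDK to summarise which accounts and applications still authenticate with legacy protocols, then creates the conditional access policy that blocks them in report-only mode so the same logs can confirm nothing important breaks. The list of client names is taken from the values Entra sign-in logs report for legacy clients; the break-glass account object id is a placeholder.

```powershell
# Added example (not from the original guide): find what still uses legacy authentication,
# then block it with a report-only conditional access policy. Graph PowerShell SDK.
# Connect first, e.g.: Connect-MgGraph -Scopes 'AuditLog.Read.All','Policy.ReadWrite.ConditionalAccess'

function Get-LegacyAuthUsage {
    param([int]$LookbackDays = 30)
    # clientAppUsed values that sign-in logs assign to legacy (non-modern-auth) clients.
    $legacyClients = @('Exchange ActiveSync', 'Other clients', 'IMAP4', 'POP3', 'Authenticated SMTP',
                       'Exchange Web Services', 'MAPI Over HTTP', 'Offline Address Book',
                       'Outlook Anywhere (RPC over HTTP)', 'Autodiscover', 'Reporting Web Services',
                       'Universal Outlook', 'Exchange Online PowerShell', 'Outlook Service for Exchange')
    $since  = (Get-Date).AddDays(-$LookbackDays).ToUniversalTime().ToString('yyyy-MM-ddTHH:mm:ssZ')
    $clause = ($legacyClients | ForEach-Object { "clientAppUsed eq '$_'" }) -join ' or '

    Get-MgAuditLogSignIn -All -Filter "createdDateTime ge $since and ($clause)" |
        Group-Object UserPrincipalName, ClientAppUsed, AppDisplayName |
        ForEach-Object {
            [pscustomobject]@{
                User     = $_.Group[0].UserPrincipalName
                Client   = $_.Group[0].ClientAppUsed
                App      = $_.Group[0].AppDisplayName
                SignIns  = $_.Count
                LastSeen = ($_.Group.CreatedDateTime | Measure-Object -Maximum).Maximum
                # Successful legacy sign-ins are the ones that will break; failures are often password spraying.
                Succeeded = @($_.Group | Where-Object { $_.Status.ErrorCode -eq 0 }).Count
            }
        } | Sort-Object SignIns -Descending
}

function New-BlockLegacyAuthPolicy {
    param([Parameter(Mandatory)][string]$BreakGlassUserId)   # object id of the emergency-access account
    New-MgIdentityConditionalAccessPolicy -BodyParameter @{
        displayName   = 'CA003 - Block legacy authentication'
        state         = 'enabledForReportingButNotEnforced'   # switch to 'enabled' once Get-LegacyAuthUsage shows only accounts you have migrated
        conditions    = @{
            users          = @{ includeUsers = @('All'); excludeUsers = @($BreakGlassUserId) }
            applications   = @{ includeApplications = @('All') }
            clientAppTypes = @('exchangeActiveSync', 'other')   # 'other' covers IMAP, POP, SMTP AUTH and the rest of the legacy protocols
        }
        grantControls = @{ operator = 'OR'; builtInControls = @('block') }
    }
}

# Usage: Get-LegacyAuthUsage | Where-Object Succeeded -gt 0 | Format-Table -AutoSize
#        New-BlockLegacyAuthPolicy -BreakGlassUserId '<object-id-of-emergency-account>'
```

Multifunction printers that scan to e-mail over SMTP AUTH and older mobile mail clients on ActiveSync are the usual survivors in that report; move them to modern authentication or an alternative before the policy is switched from report-only to enabled.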