You're reading The SME Security Brief, practical IT, cyber security and technology advice for Irish and UK businesses. No jargon. No scare tactics. Just what you need to know, every week.
If someone forwarded this to you, you can subscribe at thesmesecuritybrief.com.
THIS WEEK'S THREAT 🔴
The attack that works because nothing stops it
Here is something that surprises a lot of SME owners when I tell them: one of the most common ways attackers get into business accounts is not through sophisticated hacking. It is through guessing.
Not manually guessing, obviously. Attackers use automated tools that can try thousands of username and password combinations every minute. They take lists of commonly used passwords, lists of leaked credentials from previous breaches, and they fire them at your Microsoft 365 login page one after another.
This is called a brute force attack or password spraying attack. And if your business has no account lockout policy in place, there is nothing stopping them. They can just keep trying until something works.
The scary part? This is not a targeted attack. These tools run constantly, against millions of accounts, all day every day. Your business does not need to be specifically on anyone's radar. You just need to be unlocked.
In a large enterprise, account lockout is a given. It is one of the first things any IT team puts in place. In many SMEs, particularly those that have grown without a dedicated IT function, it has simply never been set up. The business is running on default settings, and default settings are often not secure settings.
What is an account lockout policy?
It is exactly what it sounds like. After a set number of failed login attempts, such as five wrong passwords in a row, the account is locked for a period of time. The attacker's automated tool hits a wall. The attack stops.
Simple. Effective. Free.
What you should do this week:
Ask whoever manages your Microsoft 365 account to confirm whether an account lockout or Smart Lockout policy is in place.
If you do not have anyone managing it, log into the Microsoft 365 admin centre and check. We cover exactly where to look in the tip section below.
If it is not configured, fix it today. This takes less than 10 minutes and costs nothing.
THIS WEEK'S TIP 💡
How to check your lockout settings in Microsoft 365
Microsoft 365 includes a feature called Smart Lockout through Microsoft Entra ID (previously known as Azure Active Directory). It is built in and available to all Microsoft 365 business plans.
Here is how to check and configure it:
Go to entra.microsoft.com and sign in with your Microsoft 365 admin account
Navigate to Protection, then Authentication methods, then Password protection
You will see settings for lockout threshold and lockout duration
Recommended settings for an SME:
Lockout threshold: 3 (account locks after 3 failed attempts)
Lockout duration: Locked until released — require an admin to unlock the account manually via the Microsoft 365 Admin Centre rather than allowing automatic unlock after a set time
Microsoft's Smart Lockout is intelligent enough to distinguish between genuine failed attempts and legitimate users who have simply forgotten their password, so you do not need to worry about locking out your own staff constantly.
One important note: if your business also uses on-premises servers or a local Active Directory alongside Microsoft 365, you will want to check your Group Policy settings there as well. Search for Account Lockout Policy in Group Policy Management on your server. The same principle applies.
If you are unsure how to do any of this, it is worth a 30-minute call with an IT support provider. It is one of the quickest wins available.
THIS WEEK'S TOOL 🛠️
Microsoft Entra ID: the security hub most SMEs already own and never use
If your business is on Microsoft 365, you already have access to Microsoft Entra ID. Most SMEs have never looked at it.
Entra ID is Microsoft's identity and access management platform. Think of it as the control centre for who can access what in your business. Beyond Smart Lockout, it gives you:
A full log of sign-in activity across your organisation, so you can see failed login attempts, unusual locations, and suspicious patterns
Multi-factor authentication management for all users (I will cover this in another issue)
Conditional access policies, for example blocking logins from outside Ireland and the UK if your team never works internationally (I will cover this in another issue)
A real-time view of any accounts that have been flagged as compromised
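As an added example (not code from the newsletter), here is a small Python script that reads a sign-in log export in the JSON shape the Entra portal produces and picks out two things the sections above describe: accounts whose wrong-password attempts have reached the recommended threshold of 3, and a single source address failing against many different accounts, which is the password spraying pattern and is not stopped by a per-account lockout alone. The sample log entries are constructed; the field names (userPrincipalName, ipAddress, status.errorCode) and the status codes 50126 and 50053 are Entra's own.

```python
import json
from collections import defaultdict

# Entra ID sign-in status codes: 0 = success, 50126 = wrong username or
# password, 50053 = sign-in refused because Smart Lockout has locked the account.
SUCCESS, WRONG_PASSWORD, LOCKED = 0, 50126, 50053

def _event(when, upn, ip, code):
    """One sign-in record in the shape of the portal's JSON export."""
    return {"createdDateTime": when, "userPrincipalName": upn,
            "ipAddress": ip, "status": {"errorCode": code}}

# Constructed sample export (not real data): 203.0.113.5 tries one guess against
# three different accounts (a spray), 198.51.100.9 hammers one account until
# Smart Lockout bites, and 192.0.2.20 is a staff member who mistyped once.
SAMPLE_EXPORT = json.dumps([
    _event("2024-05-01T08:00:01Z", "anne@example.ie", "203.0.113.5", WRONG_PASSWORD),
    _event("2024-05-01T08:00:02Z", "brian@example.ie", "203.0.113.5", WRONG_PASSWORD),
    _event("2024-05-01T08:00:03Z", "claire@example.ie", "203.0.113.5", WRONG_PASSWORD),
    _event("2024-05-01T08:10:00Z", "eoin@example.ie", "198.51.100.9", WRONG_PASSWORD),
    _event("2024-05-01T08:10:05Z", "eoin@example.ie", "198.51.100.9", WRONG_PASSWORD),
    _event("2024-05-01T08:10:10Z", "eoin@example.ie", "198.51.100.9", WRONG_PASSWORD),
    _event("2024-05-01T08:10:15Z", "eoin@example.ie", "198.51.100.9", LOCKED),
    _event("2024-05-01T09:00:00Z", "fiona@example.ie", "192.0.2.20", WRONG_PASSWORD),
    _event("2024-05-01T09:00:20Z", "fiona@example.ie", "192.0.2.20", SUCCESS),
])

def parse_signins(raw_json):
    """Reduce each exported record to (user, source IP, status code)."""
    return [(e["userPrincipalName"], e["ipAddress"], e["status"]["errorCode"])
            for e in json.loads(raw_json)]

def accounts_at_threshold(events, threshold=3):
    """Accounts whose wrong-password count reached the recommended threshold."""
    failures = defaultdict(int)
    for upn, _ip, code in events:
        if code == WRONG_PASSWORD:
            failures[upn] += 1
    return sorted(upn for upn, n in failures.items() if n >= threshold)

def spraying_sources(events, min_accounts=3):
    """Source IPs that failed against several distinct accounts: the spray signature."""
    targets = defaultdict(set)
    for upn, ip, code in events:
        if code in (WRONG_PASSWORD, LOCKED):
            targets[ip].add(upn)
    return {ip: len(a) for ip, a in targets.items() if len(a) >= min_accounts}

if __name__ == "__main__":
    evts = parse_signins(SAMPLE_EXPORT)
    print("At lockout threshold:", accounts_at_threshold(evts))
    print("Spray sources (IP -> accounts hit):", spraying_sources(evts))
```

Point the script at a real export and a source address appearing against several of your users in one morning is the thing worth a call to whoever manages your tenant.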
Most of this is available on standard Microsoft 365 Business plans at no extra cost. Some advanced features require Microsoft Entra ID P1 or P2, which is available as an add-on, but the basics are already there.
To get started, go to entra.microsoft.com and sign in as an admin. Spend 20 minutes clicking around. You will almost certainly find something that needs attention.
QUICK COMPLIANCE CHECKLIST
Before your next team meeting, run through these four questions:
Do you have an account lockout policy configured in Microsoft 365 or your Active Directory?
Do you know how many failed login attempts trigger a lockout in your environment?
Have you reviewed your Microsoft 365 sign-in logs in the last 30 days?
Do you have a process for immediately disabling accounts when a staff member leaves?
If you are answering "no" or "I'm not sure" to most of these, you are not alone. But each one is fixable, and none of them require significant budget or technical expertise.
BEFORE YOU GO
Account lockout is not a glamorous security topic. It will never make the headlines. But it is one of those foundational controls that, once in place, quietly does its job every single day.
The businesses that get breached are not always the ones that ignored the big, obvious threats. Often they are the ones that never got around to the basics.
This is one of the basics. And it takes less than 10 minutes to sort.
See you next week.
The SME Security Brief
