Most SMB security problems aren't "advanced attacks." They're basic gaps: no MFA enforcement, weak admin controls, unmanaged devices, and email policies left at defaults.
This 30-day plan is designed to be practical: it improves security without breaking daily work.
Week 1: Identity first (stop account takeovers)
Separate admin accounts
Admins should have a dedicated admin account (not their daily mailbox account).
Create break-glass accounts
At least two emergency accounts with strong credentials stored securely. Exclude them from Conditional Access only if required, and monitor sign-ins.
Enforce MFA for everyone
No permanent exceptions. If you must exclude someone, document why and set an expiry date.
Week 2: Conditional Access baseline (reduce risky sign-ins)
Start simple:
- Require MFA for all users
- Require compliant devices for admin access
- Block legacy authentication where feasible
- Restrict access from unmanaged devices (browser-only, limited download)
Week 3: Protect endpoints (Intune + Defender)
If you manage Windows devices, this is where you'll see massive risk reduction:
- Enrollment coverage: confirm every business device is enrolled
- Compliance policy: encryption + OS version + basic posture checks
- Update rings: predictable updates (not "whenever")
- Defender onboarding and tuning (license dependent)
Week 4: Email + data + recovery
- Configure anti-phishing policies
- Enable external sender tagging
- Publish SPF/DKIM/DMARC for your domain
- Review SharePoint/OneDrive sharing (guests, external links)
- Define recovery strategy (native retention vs third-party backup)
- Test at least one restore
The goal
By day 30 you should have:
- MFA + Conditional Access baseline live
- Managed devices + updates under control
- Email protections tuned
- A simple monitoring + incident workflow
- A backlog of improvements (owned, prioritized, scheduled)