Most Perth business breaches start with a compromised identity. A stolen password — obtained through phishing, credential stuffing or data breach — gives an attacker everything they need to access email, files, Teams and SharePoint. Identity and access management is the control layer that stops a stolen password becoming a full breach.
Get Free Cyber Risk Snapshot →Properly enforced MFA blocks over 99% of automated credential attacks.
Access controlled by user role, device compliance, location and risk level.
Older protocols that bypass MFA completely are disabled.
Global administrator accounts reduced to minimum required — typically two to four.
External user access reviewed, inactive guests removed, permissions tightened.
Book a Cyber Risk Snapshot and get a plain-English report on your current cyber exposure. 30 minutes. No obligation.
Get Free Cyber Risk Snapshot →For a Perth business with 5 to 50 staff, the most common way in for an attacker is no longer a virus on a laptop. It is a working username and password. Once a Microsoft 365 sign-in is valid, an attacker is simply your staff member as far as the system is concerned. They read email, download SharePoint files, and reset payment details without tripping a single alarm. Most owners we speak to assume their staff use unique, strong passwords. The reality is people reuse the same one across LinkedIn, a supplier portal, and their work account.
This matters more in WA than people think. A lot of local firms in accounting, legal, engineering and NDIS work with lean back-office teams, fly-in fly-out staff, and contractors who come and go between projects. That creates accounts that outlive the person, logins shared between two people "just for now", and former employees whose access was never switched off. Every one of those is an open door, and most businesses cannot say with confidence who currently has access to what.
The pattern is consistent. A staff member's password turns up in a known breach from an unrelated website. An attacker tries it against your Microsoft 365 tenant, it works, and there is no second check to stop them. From there it is quiet. They set up an inbox rule that hides their own activity, watch your email for a few weeks, then wait for a real invoice to land. They change the bank details and send it on. Your client pays the wrong account, and nobody notices until the supplier chases the money.
For a small Perth team the cost is rarely just the diverted payment. It is the days spent rebuilding trust with a client, the awkward conversation with your insurer, and the scramble to work out everything that account could see. A medical or allied health practice faces Privacy Act exposure over patient records. A legal firm faces questions about trust account data and privilege. An accounting practice has ATO portal credentials and client financials sitting behind that one login. The damage is wide because the account had wide access, and almost nobody sets access narrowly by default.
The second common failure is offboarding. Someone leaves, their email is closed, but their access to a shared mailbox, a SharePoint site, or a third-party app lingers for months. That is the kind of gap an attacker or a disgruntled former staffer can use long after the farewell card.
You almost certainly already pay for the tools to fix this inside your Microsoft 365 licensing. The problem is they ship switched off or wide open. We turn them on properly and tune them to how your business actually works.
We start by mapping reality: every account in your tenant, who it belongs to, what it can reach, and which ones should not exist anymore. That alone usually surprises owners. From there we enforce MFA everywhere, build Conditional Access rules around your real working patterns, and trim over-broad access back to what each role needs.
Week to week it runs quietly in the background. New starters get the right access on day one through a defined onboarding step. Leavers are cut off the same day they walk out, across email and connected apps, not weeks later. Risky sign-ins get reviewed and acted on, not left blinking in a dashboard nobody opens. Access creep, where people accumulate permissions as they change roles, gets caught and reversed instead of quietly building up.
Good looks like this: you can name everyone who can reach your client data, every login needs a second factor, a leaver loses access the day they go, and a stolen password on its own gets an attacker nowhere. No lock-in, month to month, one Perth team that knows your setup.
If you are not certain who has access to your systems right now, that is exactly the gap worth closing first. A Free Cyber Risk Snapshot is a 30-minute external look that shows you, in plain English, where your identity is exposed and what to fix first. Book it at https://calendly.com/corewest/30min.