Cybersecurity Basics Every Small Business Should Review Quarterly

Cybersecurity for small businesses does not require a dedicated security operations center, enterprise-grade tools, or a six-figure annual budget. It requires consistent attention to a defined set of foundational practices — reviewed regularly, not just set up once and forgotten. This article covers what matters most and why each item reduces real risk in the environments most small businesses actually operate.

Why Quarterly Reviews Make Sense

Security is not a project you complete — it is a practice you maintain. A quarterly review is a practical interval because your environment changes: employees join and leave, access permissions drift, vendors change, and new threats emerge. A four-times-per-year review is manageable as a scheduled business task and catches changes before they become problems. More frequent is better; quarterly is the minimum that prevents conditions from deteriorating unnoticed.

1. Multi-Factor Authentication — Who Is Enrolled and Who Is Not

MFA is the most impactful security control available to small businesses. The goal is not just to have MFA enabled — it is to have MFA enforced for all users with no exceptions. Each quarter, verify:

  • Is every Microsoft 365 user account protected by MFA? Run the user list and confirm enrollment status.
  • Are new employees enrolled in MFA before they start using email? (Onboarding runbooks should require this.)
  • Are any accounts using SMS-based MFA that could be upgraded to an authenticator app?

The most common gap is not that MFA is completely absent — it is that it is partially deployed. One unprotected account is all an attacker needs. Partial MFA enforcement is meaningfully less protective than full enforcement.

2. Admin Account and Privilege Review

Administrative accounts are the highest-value targets in any Microsoft 365 tenant. A compromised Global Admin account gives an attacker the ability to create new accounts, access all data, set up forwarding rules, and lock out legitimate administrators. A quarterly review should include:

  • List all users with Global Administrator role. Is the list current? Does it include anyone who should no longer have this access?
  • Check other elevated roles — Exchange Admin, SharePoint Admin, Security Admin — and verify each is appropriately assigned.
  • Remove or deactivate any admin accounts belonging to former employees or vendors whose engagements have ended.
  • Confirm that admin accounts are protected by the strongest available MFA method.
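The checks in sections 1 and 2 are one query away from each other, so the following script covers both: it lists every member account with the strongest MFA method it has registered, and marks which of those accounts hold a privileged directory role. This is an added example written for this article, not code from Morse Technology Group. It assumes the Microsoft Graph PowerShell SDK (Install-Module Microsoft.Graph), an account allowed to consent to the read scopes named, and that the privileged role list and the "strong versus phone-only" classification are the reviewer's own choices.

```powershell
# Added example: quarterly MFA and privileged-role report for a Microsoft 365 tenant.
# Assumptions: Microsoft.Graph SDK installed; the role list and method classification
# below are the editor's choices, not a Microsoft definition.
Connect-MgGraph -Scopes "User.Read.All","UserAuthenticationMethod.Read.All","RoleManagement.Read.Directory" -NoWelcome

# Roles worth re-reading every quarter (display names as shown in Entra ID).
$privilegedRoles = @(
    "Global Administrator", "Exchange Administrator", "SharePoint Administrator",
    "Security Administrator", "Privileged Role Administrator", "User Administrator"
)

# Map: directory object id -> privileged roles held. Get-MgDirectoryRole only returns
# roles that have been activated in the tenant, so a missing role is skipped.
$roleHolders = @{}
foreach ($roleName in $privilegedRoles) {
    $role = Get-MgDirectoryRole -Filter "displayName eq '$roleName'"
    if (-not $role) { continue }
    foreach ($member in Get-MgDirectoryRoleMember -DirectoryRoleId $role.Id -All) {
        if (-not $roleHolders.ContainsKey($member.Id)) { $roleHolders[$member.Id] = @() }
        $roleHolders[$member.Id] += $roleName
    }
}

# Classify a user's registered methods by their Graph @odata.type.
function Get-MfaPosture {
    param([string]$UserId)
    $types = Get-MgUserAuthenticationMethod -UserId $UserId |
             ForEach-Object { $_.AdditionalProperties['@odata.type'] }
    $strong = $types | Where-Object {
        $_ -in '#microsoft.graph.microsoftAuthenticatorAuthenticationMethod',
               '#microsoft.graph.fido2AuthenticationMethod',
               '#microsoft.graph.softwareOathAuthenticationMethod',
               '#microsoft.graph.windowsHelloForBusinessAuthenticationMethod'
    }
    $phone = $types | Where-Object { $_ -eq '#microsoft.graph.phoneAuthenticationMethod' }
    if ($strong) { return 'strong' }       # authenticator app, FIDO2, TOTP or Hello for Business
    if ($phone)  { return 'phone-only' }   # SMS/voice only: works, but an upgrade candidate
    return 'none'                          # password only (every account has a password method)
}

$report = foreach ($u in Get-MgUser -All -Property Id,UserPrincipalName,AccountEnabled,UserType) {
    if ($u.UserType -eq 'Guest') { continue }   # guests are out of scope for this check
    [pscustomobject]@{
        User       = $u.UserPrincipalName
        Enabled    = $u.AccountEnabled
        Mfa        = Get-MfaPosture -UserId $u.Id
        AdminRoles = ($roleHolders[$u.Id] -join '; ')
    }
}

# The three lists a reviewer acts on, in priority order.
"== Admin role holders NOT on a strong method =="
$report | Where-Object { $_.AdminRoles -and $_.Mfa -ne 'strong' } | Format-Table -AutoSize
"== Enabled accounts with NO MFA method registered =="
$report | Where-Object { $_.Enabled -and $_.Mfa -eq 'none' } | Format-Table -AutoSize
"== Phone-only accounts to move to an authenticator app =="
$report | Where-Object { $_.Enabled -and $_.Mfa -eq 'phone-only' } | Format-Table -AutoSize
$report | Export-Csv -Path ".\mfa-review-$(Get-Date -Format yyyy-MM-dd).csv" -NoTypeInformation
```

Two caveats apply when reading the output. Registering a method is not the same as being required to use it, so pair this report with your Conditional Access or Security Defaults settings to confirm MFA is enforced, not merely available. And roles assigned through a group or through PIM eligibility show up as a group object or not at all in Get-MgDirectoryRoleMember, so an admin list that looks short should be cross-checked in the Entra admin center before you conclude nobody is missing.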

3. User Account Audit — Departures and Access Drift

Every employee departure that is not properly offboarded creates a persistent access risk. Former employees whose accounts were not deactivated on departure day represent an ongoing vulnerability. Quarterly account audits should include:

  • Review the Microsoft 365 user list against your current employee roster. Any accounts that do not correspond to current employees should be disabled and reviewed for data preservation needs.
  • Check for generic or shared accounts (info@, admin@, sales@) and confirm that access to these is current and appropriate.
  • Review whether any accounts have significantly more access than their current role requires.
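The roster comparison above is easy to automate once HR can hand over a list of current staff. The script below is an added example for this article (not Morse Technology Group code): it reads a CSV of current employee email addresses, compares it with the tenant's member accounts, and flags accounts that are not on the roster, have not signed in for 90 days, or look like generic shared accounts. The roster file name and column, the 90-day threshold, and the list of generic prefixes are assumptions; last sign-in data needs the AuditLog.Read.All scope and a Microsoft Entra ID P1 or P2 licence.

```powershell
# Added example: quarterly account audit against an HR roster.
# Assumptions: roster CSV has one column "Email" whose values equal the user's UPN;
# 90 days is the staleness threshold; the generic-prefix list is the editor's choice.
Connect-MgGraph -Scopes "User.Read.All","AuditLog.Read.All" -NoWelcome

$rosterPath = ".\hr-roster.csv"
$staleDays  = 90

if (Test-Path $rosterPath) {
    $roster = (Import-Csv $rosterPath).Email
} else {
    # Constructed sample roster so the script runs end-to-end without an HR export.
    $roster = 'alice@example.com', 'bob@example.com'
}
$roster = $roster | ForEach-Object { $_.Trim().ToLowerInvariant() }
$cutoff = (Get-Date).AddDays(-$staleDays)

$findings = foreach ($u in Get-MgUser -All -Property Id,UserPrincipalName,AccountEnabled,UserType,SignInActivity,CreatedDateTime) {
    if ($u.UserType -ne 'Member') { continue }
    $upn      = $u.UserPrincipalName.ToLowerInvariant()
    $lastSeen = $u.SignInActivity.LastSignInDateTime   # $null when never signed in or not licensed
    $reasons  = @()

    if ($u.AccountEnabled -and $upn -notin $roster) {
        $reasons += 'enabled but not on HR roster'
    }
    if ($u.AccountEnabled -and $lastSeen -and $lastSeen -lt $cutoff) {
        $reasons += "no sign-in for $staleDays+ days"
    }
    if ($u.AccountEnabled -and -not $lastSeen -and $u.CreatedDateTime -lt $cutoff) {
        $reasons += 'never signed in'
    }
    # Shared/role accounts: list them so someone confirms who currently holds the credentials.
    if ($upn -match '^(info|admin|sales|support|accounts|billing|hr)@') {
        $reasons += 'generic/shared account; confirm owner and access list'
    }

    if ($reasons) {
        [pscustomobject]@{
            User       = $upn
            Enabled    = $u.AccountEnabled
            LastSignIn = $lastSeen
            Reasons    = ($reasons -join '; ')
        }
    }
}

$findings | Sort-Object User | Format-Table -AutoSize
"Accounts needing review: $(@($findings).Count)"
```

The script deliberately reports rather than disables: the article's point about data preservation applies, and a disabled mailbox may still need a litigation hold, a conversion to a shared mailbox, or an export before the account is removed. Treat "never signed in" on an old account as a question for the manager who requested it, not as proof it is unused, since service accounts and shared mailboxes often show no interactive sign-in.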

4. Email Forwarding Rule Audit

Email forwarding rules are a primary persistence mechanism for attackers who have compromised an account. They are easy to set up, easy to miss during investigation, and can remain active for months or years after an incident. Quarterly review of inbox rules should be routine for any business handling sensitive communications.

  • Review inbox rules for user accounts — particularly executives, finance personnel, and anyone with access to sensitive client data.
  • Check tenant-level automatic external forwarding settings in Exchange Admin Center.
  • Flag any rules forwarding to external addresses — particularly personal email domains (Gmail, Yahoo, Hotmail).
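The three bullets above map directly onto Exchange Online PowerShell. The following script is an added example for this article, not code from the author: it walks every user and shared mailbox, collects forwarding set at the mailbox level and inside inbox rules, decides whether each target is external by comparing it with the tenant's accepted domains, and finishes with the two tenant-wide settings that control whether automatic external forwarding is possible at all. It assumes the ExchangeOnlineManagement module is installed; the consumer-domain watch-list is the editor's choice.

```powershell
# Added example: quarterly forwarding audit for Exchange Online.
# Assumptions: ExchangeOnlineManagement module installed; the $personal watch-list is
# the editor's choice and should be extended to match what you see in practice.
Connect-ExchangeOnline -ShowBanner:$false

# Anything not in an accepted domain is treated as external.
$internal = (Get-AcceptedDomain).DomainName | ForEach-Object { $_.ToLowerInvariant() }
$personal = 'gmail.com', 'yahoo.com', 'hotmail.com', 'outlook.com', 'icloud.com', 'aol.com'

function Test-External([string]$Address) {
    $domain = ($Address -split '@')[-1].ToLowerInvariant()
    return $domain -notin $internal
}

# Rule recipients render as "Display Name [SMTP:user@domain]" for SMTP targets;
# internal recipients render with an EX: legacy DN and are not matched here.
function Get-SmtpTargets($Recipients) {
    foreach ($r in @($Recipients)) {
        if ("$r" -match 'SMTP:([^\]]+)') { $Matches[1] }
    }
}

$findings = foreach ($mbx in Get-Mailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox,SharedMailbox) {
    # 1) Mailbox-level forwarding (set by an admin, or by the user in Outlook settings).
    if ($mbx.ForwardingSmtpAddress) {
        $target = $mbx.ForwardingSmtpAddress -replace '^smtp:', ''
        [pscustomobject]@{
            Mailbox  = $mbx.UserPrincipalName
            Source   = 'Mailbox setting'
            Target   = $target
            External = Test-External $target
            KeepCopy = $mbx.DeliverToMailboxAndForward
        }
    }
    # 2) Inbox rules that forward, forward as attachment, or redirect.
    foreach ($rule in Get-InboxRule -Mailbox $mbx.UserPrincipalName) {
        $targets = Get-SmtpTargets (@($rule.ForwardTo) + @($rule.ForwardAsAttachmentTo) + @($rule.RedirectTo))
        foreach ($t in $targets) {
            [pscustomobject]@{
                Mailbox  = $mbx.UserPrincipalName
                Source   = "Rule: $($rule.Name) (enabled: $($rule.Enabled))"
                Target   = $t
                External = Test-External $t
                KeepCopy = -not $rule.DeleteMessage
            }
        }
    }
}

"== Forwarding to external addresses (review every row) =="
$findings | Where-Object External | Sort-Object Mailbox | Format-Table -AutoSize
"== Of those, targets on consumer mail providers =="
$findings | Where-Object { $_.External -and (($_.Target -split '@')[-1] -in $personal) } | Format-Table -AutoSize

# 3) Tenant-wide controls from the Exchange Admin Center, as PowerShell sees them.
"== Outbound spam policy: AutoForwardingMode should be Off unless you have a documented need =="
Get-HostedOutboundSpamFilterPolicy | Select-Object Name, IsDefault, AutoForwardingMode | Format-Table -AutoSize
"== Default remote domain: AutoForwardEnabled =="
Get-RemoteDomain Default | Select-Object DomainName, AutoForwardEnabled | Format-Table -AutoSize
```

The expected result for most small businesses is an empty external list. When rows do appear, a rule whose KeepCopy is False deserves a closer look, because forwarding plus deletion is what hides the activity from the mailbox owner, which is exactly why the article notes these rules survive investigations. Mailbox-level forwarding to an internal recipient (ForwardingAddress rather than ForwardingSmtpAddress) is not shown here and can be added if your environment uses it.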

5. Backup Status and Test Verification

Most small businesses have some form of backup in place. The problem is usually not the existence of backups — it is the assumption that backups are working without verification, and the complete absence of a tested recovery process. Quarterly backup review should include:

  • Confirm backups are running successfully — check backup logs, not just the dashboard status indicator.
  • Verify that Microsoft 365 data (SharePoint, OneDrive, Teams data, email) is being backed up by a third-party solution. Microsoft does not provide the retention and recovery capabilities most businesses assume are included.
  • At least annually (quarterly is better), test a restoration from backup to confirm the backup is usable.
  • Confirm that someone other than the primary IT contact knows the recovery procedure.

6. Endpoint Patch Status

Unpatched software is consistently one of the most exploited attack vectors. Quarterly patch status review should establish:

  • Are all Windows endpoints receiving and applying updates? Check Windows Update status across devices.
  • Are critical applications (browsers, Office/M365 apps, line-of-business software) current?
  • If using Intune or another MDM solution, review device compliance status — how many devices show as non-compliant and why?
  • Are there any devices running operating systems no longer receiving security updates (Windows 10 approaching EOL in October 2025, for example)?
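For tenants that use Intune, the last three bullets can be answered from one Microsoft Graph query. The script below is an added example for this article, not the author's code: it lists managed devices and flags those that are non-compliant, have not synced recently, or are still on Windows 10. The 14-day sync threshold is an assumption; the build-number boundary is a fact (Windows 11 builds start at 22000, Windows 10 builds are below it).

```powershell
# Added example: Intune device status for the quarterly patch review.
# Assumptions: Microsoft.Graph SDK installed; 14 days is the editor's staleness threshold.
Connect-MgGraph -Scopes "DeviceManagementManagedDevices.Read.All" -NoWelcome

$staleAfter = (Get-Date).AddDays(-14)
$devices = Get-MgDeviceManagementManagedDevice -All -Property DeviceName,UserPrincipalName,OperatingSystem,OSVersion,ComplianceState,LastSyncDateTime

$report = foreach ($d in $devices) {
    $flags = @()

    # Compliance is whatever your Intune compliance policy defines (e.g. minimum OS version,
    # disk encryption, Defender running); anything other than "compliant" needs a reason.
    if ($d.ComplianceState -ne 'compliant') {
        $flags += "compliance: $($d.ComplianceState)"
    }

    # A device that has not checked in cannot have received policy or reported its patch level.
    if ($d.LastSyncDateTime -and $d.LastSyncDateTime -lt $staleAfter) {
        $flags += "last sync $($d.LastSyncDateTime.ToString('yyyy-MM-dd'))"
    }

    # OSVersion is "10.0.<build>.<revision>" on Windows; build 22000 and above is Windows 11.
    if ($d.OperatingSystem -eq 'Windows' -and $d.OSVersion -match '^10\.0\.(\d+)') {
        $build = [int]$Matches[1]
        if ($build -lt 22000) { $flags += "Windows 10 build $build (EOL October 2025)" }
    }

    if ($flags) {
        [pscustomobject]@{
            Device = $d.DeviceName
            User   = $d.UserPrincipalName
            OS     = "$($d.OperatingSystem) $($d.OSVersion)"
            Flags  = ($flags -join '; ')
        }
    }
}

$report | Sort-Object Device | Format-Table -AutoSize
"Managed devices: $(@($devices).Count); needing attention: $(@($report).Count)"
```

Intune only knows about enrolled devices, so the first bullet (are all endpoints receiving updates?) still depends on comparing this list with your hardware inventory; a laptop that was never enrolled will not appear as non-compliant, it will simply be absent. If your compliance policy does not include a minimum OS build, the Windows 10 check here is the only thing catching devices that will stop receiving security updates after the EOL date the article mentions.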

7. Software and Service Inventory Review

SaaS tools accumulate in small businesses faster than they are reviewed. Each quarter, a brief review of your active SaaS subscriptions and user permissions reduces both security exposure and unnecessary spending:

  • Are there tools still being paid for that are no longer actively used?
  • Do any SaaS tools have user permissions that should be reviewed — former employees with active accounts, users with admin access who do not need it?
  • Are any tools using OAuth connections to your Microsoft 365 tenant that you did not knowingly authorize?
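The OAuth question in the last bullet is the one most small businesses never look at, because consent happens in a browser pop-up and leaves no invoice. The script below is an added example for this article, not the author's code: it lists every delegated OAuth permission grant in the tenant, resolves the application and publisher behind each one, and separates grants that reach mail, files, or directory data from the rest. The "sensitive scope" list is the editor's assumption, not a Microsoft classification; it assumes the Microsoft Graph PowerShell SDK.

```powershell
# Added example: quarterly OAuth consent review for a Microsoft 365 tenant.
# Assumptions: Microsoft.Graph SDK installed; $sensitive is the editor's watch-list.
Connect-MgGraph -Scopes "Application.Read.All","Directory.Read.All" -NoWelcome

$sensitive = 'Mail.Read', 'Mail.ReadWrite', 'Mail.Send', 'MailboxSettings.ReadWrite',
             'Files.Read.All', 'Files.ReadWrite.All', 'Sites.Read.All', 'Sites.ReadWrite.All',
             'Contacts.Read', 'User.ReadWrite.All', 'Directory.ReadWrite.All', 'offline_access'

# Resolve each client service principal once; many grants share an app.
$spCache = @{}
function Get-AppLabel([string]$Id) {
    if (-not $spCache.ContainsKey($Id)) {
        $sp = Get-MgServicePrincipal -ServicePrincipalId $Id -ErrorAction SilentlyContinue
        $spCache[$Id] = if ($sp) { "$($sp.DisplayName) [publisher: $($sp.PublisherName)]" } else { "<unknown app $Id>" }
    }
    return $spCache[$Id]
}

$grants = foreach ($g in Get-MgOauth2PermissionGrant -All) {
    $scopes = ($g.Scope -split '\s+') | Where-Object { $_ }
    $hits   = $scopes | Where-Object { $_ -in $sensitive }
    $who    = if ($g.PrincipalId) {
                  # ConsentType "Principal": one user consented for their own account.
                  (Get-MgUser -UserId $g.PrincipalId -Property UserPrincipalName -ErrorAction SilentlyContinue).UserPrincipalName
              } else {
                  # ConsentType "AllPrincipals": an admin consented on behalf of everyone.
                  '(all users, admin consent)'
              }
    [pscustomobject]@{
        App       = Get-AppLabel $g.ClientId
        Consent   = $g.ConsentType
        User      = $who
        Sensitive = ($hits -join ' ')
        AllScopes = ($scopes -join ' ')
    }
}

"== Grants reaching mail, files or directory data: confirm each was knowingly authorized =="
$grants | Where-Object Sensitive | Sort-Object App | Format-Table App, Consent, User, Sensitive -AutoSize
"== All other grants =="
$grants | Where-Object { -not $_.Sensitive } | Sort-Object App | Format-Table App, Consent, User, AllScopes -AutoSize
```

Two things to keep in mind when reading the output. A grant with no recognisable publisher and Mail.ReadWrite plus offline_access is the pattern to examine first, since offline_access means the app keeps a refresh token after the user closes the browser. This report covers delegated permissions only; application permissions (app role assignments) that let an app act without any signed-in user are listed separately with Get-MgServicePrincipalAppRoleAssignment and deserve the same quarterly look.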

8. Phishing Awareness — Current Threats

Phishing remains the most common initial attack vector against small businesses. Technical controls reduce the risk, but awareness matters too. Quarterly awareness items do not require formal training programs:

  • Brief team on any phishing attempts that employees have encountered recently — normalizing reporting of suspicious emails
  • Remind staff of the business email compromise pattern — requests for wire transfers, gift card purchases, or credential resets that appear to come from executives
  • Review whether your email security settings (anti-phishing policies, external sender banners) are still enabled and configured
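The third bullet is a settings check, and settings checks are best done by reading the configuration rather than remembering it. The script below is an added example for this article, not the author's code: it prints the external sender tagging state and the anti-phishing and spam filter policy fields a reviewer would compare with last quarter's values. It assumes the ExchangeOnlineManagement module; several anti-phish fields only take effect with a Microsoft Defender for Office 365 Plan 1 licence, so blank or default values there are not necessarily a misconfiguration.

```powershell
# Added example: read-only dump of the Exchange Online anti-phishing configuration
# for quarterly comparison. Assumption: ExchangeOnlineManagement module installed.
Connect-ExchangeOnline -ShowBanner:$false

"== External sender identification in Outlook (the banner/tag on outside mail) =="
Get-ExternalInOutlook | Select-Object Identity, Enabled, AllowList | Format-Table -AutoSize

"== Anti-phishing policies (fields marked * need Defender for Office 365 Plan 1) =="
Get-AntiPhishPolicy | Select-Object Name, Enabled, IsDefault,
    EnableSpoofIntelligence,            # spoof detection for senders using your domains
    EnableUnauthenticatedSender,        # "?" marker on senders that fail authentication
    EnableViaTag,                       # "via" tag when From and sending domain differ
    EnableFirstContactSafetyTips,       # tip on first contact from a new sender
    EnableMailboxIntelligence,          # * per-user contact graph for impersonation checks
    EnableTargetedUserProtection,       # * executive impersonation protection
    @{ n = 'ProtectedUsers'; e = { @($_.TargetedUsersToProtect).Count } },
    EnableOrganizationDomainsProtection, # * domain impersonation protection
    PhishThresholdLevel | Format-List

"== Inbound filter: what happens to phish verdicts =="
Get-HostedContentFilterPolicy |
    Select-Object Name, IsDefault, HighConfidencePhishAction, PhishSpamAction, SpamAction |
    Format-Table -AutoSize
```

Save the output alongside the quarter's review notes; the value of this check comes from the diff against the previous quarter, since a policy that was silently reset or a finance user dropped from TargetedUsersToProtect is invisible in a single snapshot. If EnableTargetedUserProtection is on, the business email compromise pattern in the second bullet (executive-impersonation requests) is exactly what ProtectedUsers should cover, so the executive list here should match the roster.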

Making the Review Sustainable

The quarterly review does not need to be a multi-day exercise. Most of the items above can be completed in two to four hours if the basics are already in place. The first review will take longer — use it to establish the baseline and identify which items need immediate attention. Subsequent reviews primarily involve verifying that conditions have not degraded and addressing any changes since the last cycle.

If you want help establishing a structured security review process for your business — or want an external perspective on your current security posture — that is what Morse Technology Group's cybersecurity consulting provides for Florida small businesses.

Want a Formal Security Review?

Morse Technology Group conducts security posture assessments for Florida small businesses — written findings, risk-prioritized action list, no obligation for further engagement.
