Poor M365 Security Led to Children’s Data Breach and $71K Theft

A recent audit by the Western Australian Office of the Auditor General has laid bare just how badly things can go wrong when Microsoft 365 isn’t configured properly. Across seven WA government entities, auditors found widespread gaps in security controls that directly led to two serious incidents: the exposure of sensitive personal data about 32 individuals — including children — and a separate $71,000 invoice fraud, as reported by iTnews.

For not-for-profits that handle vulnerable client data — donor records, case files, information about children or people in crisis — this is a wake-up call. The WA entities had no data loss prevention controls across OneDrive, SharePoint, Teams, or Exchange. They were using SMS-based multi-factor authentication instead of phishing-resistant methods. Third-party vendors were given access without security assessments. In one case, sensitive data was uploaded to an unmanaged Dropbox account that was later compromised. These aren’t exotic attack vectors. They’re basic configuration gaps that any organisation using M365 could have right now.

Here’s what to do: ask your IT provider to run a security audit of your M365 tenant. Specifically, check whether data loss prevention policies are active, whether MFA is set to something stronger than SMS codes, and whether external sharing is locked down. If you’re sharing sensitive data with third parties, make sure there’s a formal process for vetting their security before handing anything over.
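As an added example (not taken from the audit or from All IT Services), here is one way an administrator could script those three checks in PowerShell. It assumes the cmdlets named in the comments and the `Mode`, `Workload`, `Id`, `State` and `SharingCapability` values as those cmdlets report them; the function name `Test-M365Baseline` and the sample data are made up for illustration.

```powershell
# Added example: evaluates DLP coverage, MFA methods and external sharing.
function Test-M365Baseline {
    param($DlpPolicies, $AuthMethods, [string]$SharingCapability)

    # DLP: each workload the audit named needs at least one policy in enforce mode
    # (workload labels are assumed to match the cmdlet's output; verify in your tenant)
    $enforced = @($DlpPolicies | Where-Object { $_.Mode -eq 'Enable' })
    foreach ($w in 'Exchange', 'SharePoint', 'OneDriveForBusiness', 'Teams') {
        $covered = @($enforced | Where-Object { "$($_.Workload)" -match $w }).Count -gt 0
        [pscustomobject]@{ Check = "DLP enforced: $w"; Pass = $covered }
    }

    # MFA: SMS should be off and a phishing-resistant method (FIDO2 here) on
    $state = @{}
    foreach ($m in $AuthMethods) { $state[$m.Id] = $m.State }
    [pscustomobject]@{ Check = 'SMS sign-in method disabled'; Pass = $state['Sms'] -ne 'enabled' }
    [pscustomobject]@{ Check = 'FIDO2 method enabled'; Pass = $state['Fido2'] -eq 'enabled' }

    # External sharing: anonymous "Anyone" links are the loosest tenant setting
    [pscustomobject]@{
        Check = 'No anonymous sharing links'
        Pass  = $SharingCapability -ne 'ExternalUserAndGuestSharing'
    }
}

# Live tenant (read-only roles; connect first with Connect-IPPSSession,
# Connect-MgGraph -Scopes 'Policy.Read.All' and Connect-SPOService):
#   Test-M365Baseline -DlpPolicies (Get-DlpCompliancePolicy) `
#       -AuthMethods (Get-MgPolicyAuthenticationMethodPolicy).AuthenticationMethodConfigurations `
#       -SharingCapability (Get-SPOTenant).SharingCapability

# Constructed sample shaped like those cmdlets' output (not real tenant data)
$dlp = @(
    [pscustomobject]@{ Name = 'Case files';  Mode = 'Enable';                Workload = 'Exchange, SharePoint' }
    [pscustomobject]@{ Name = 'Teams pilot'; Mode = 'TestWithNotifications'; Workload = 'Teams' }
)
$auth = @(
    [pscustomobject]@{ Id = 'Sms';   State = 'enabled' }
    [pscustomobject]@{ Id = 'Fido2'; State = 'disabled' }
)
Test-M365Baseline -DlpPolicies $dlp -AuthMethods $auth `
    -SharingCapability 'ExternalUserAndGuestSharing' | Format-Table -AutoSize
```

A DLP policy left in a test mode counts as a failure here, because it reports matches without blocking anything.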

If your not-for-profit runs on Microsoft 365, All IT Services can review your tenant’s security configuration and help close exactly these kinds of gaps before they become headline-making incidents.
