Your SharePoint Is Probably Your Biggest Security Risk
SharePoint is one of the best things Microsoft has ever built for business productivity. It's also one of the easiest ways to accidentally expose your entire company's data.
When Eric Thompson evaluates a new Microsoft 365 environment, he has yet to find one with the security defaults properly configured. Of the tenants we've looked at, every single one had the default security settings left untouched. Not most. Not 90%. Zero configured correctly.
The settings that control who can access your data, how they authenticate, and what they're allowed to do are left exactly the way Microsoft shipped them. That's not a security posture. That's an open door.
How SharePoint Becomes a Problem Without Anyone Noticing
SharePoint's greatest strength is how easy it is to get started. Microsoft includes SharePoint with the licenses you already own and integrates it so tightly into Windows that somebody on your team can start storing documents without any formal rollout. Suddenly you have a SharePoint site, whether you know it or not.
Somebody discovers they can co-edit an Excel file in real time. Somebody else realizes they can pull up documents from their phone through Teams. Word spreads. Before IT is even aware, the whole company is using SharePoint as their primary file storage.
The productivity gains are real. The problem is that nobody stops to think about security configuration, permissions structure, or backup during this organic adoption. By the time somebody does (usually us, during an evaluation) the environment is a sprawling mess: open permissions, default settings, and data scattered across locations nobody planned for.
SharePoint lets you do things without stopping you. There are no guardrails. It just lets you go.
The Three Things We Find Wrong in Every Environment
After years of evaluating Microsoft 365 environments, the findings are remarkably consistent. The specifics vary, but three problems show up every time.
1. Permissions Are Wide Open
This is the biggest issue, and it's the one that creates the most risk. When companies adopt SharePoint organically, without a deliberate structure, they give everyone access to everything. People don't know you can reassign permissions, you can make groups, you can scope access to specific document libraries. So they don't. They leave files wide open.
The result: employees can see files they have no business seeing. Sensitive financial data, HR records, strategic plans, all accessible to anyone with a Microsoft 365 login.
Business owners are often the worst offenders. The thinking is: "I'm the owner, I need access to everything." But the owner is the last person who should have global access. You're the one who's going to be targeted.
2. Multi-Factor Authentication Is Incomplete
MFA (requiring a second form of verification beyond just a password) is one of the most effective security controls available. It's also almost never fully deployed.
In our evaluations, we regularly find MFA partially implemented: some users have it, some don't, and some have it turned on but not enforced. Half-deployed MFA is not a rounding error. If even a few accounts lack MFA, those are the accounts that will be targeted.
As Eric puts it bluntly: "I don't think I've come across one yet that's fully compliant from MFA." It's always spotty. And on its own, your password is garbage. MFA is the layer that stops attackers even when they have the password. A huge share of the breaches we see come down to spotty MFA.
3. Security Settings Are Still at Factory Defaults
Microsoft 365 has hundreds of security settings. Conditional access policies, session timeouts, external sharing controls, device compliance requirements, sign-in risk policies. The list goes on. Microsoft provides all of these. They're built into the admin portal. They just aren't turned on by default.
In every evaluation we do, the security defaults haven't been touched. The settings are buried across multiple admin screens, and there's no single dashboard that shows what is configured and what is not. We use a third-party management tool that consolidates everything into a single pane of glass. It's the only way to assess this efficiently.
Microsoft's Position: It's Your Responsibility
Microsoft's official stance on your data, whether it is in SharePoint, OneDrive, Teams, or email, is that it is your data, you own it, and it's your responsibility to manage and protect it.
Microsoft provides the platform. They handle infrastructure-level security, their data centers, their networks, their physical security. But the configuration of your tenant (who can access what, how authentication works, what security policies are enforced, whether your data is backed up) is entirely on you.
Three Questions to Ask Your IT Team Today
Is MFA enabled and enforced for every single account?
Not most. Not 85%. Every account, with enforcement turned on. If your IT team says "most people have it," the remaining accounts are the ones that get targeted.
Who has global admin privileges, and do they actually need them?
Global admin gives unrestricted access to every setting, mailbox, and file. The business owner is the last person who should have global admin. That owner is the most targeted.
Have any security settings been intentionally changed from defaults?
If your IT team can't point to specific conditional access policies, sharing restrictions, or session controls they've configured, your M365 is at factory defaults.
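The three questions above can be answered from the tenant itself rather than taken on faith. The following read-only script is an added example for this post, not McNallan's tooling or anything from Microsoft's documentation. It assumes the Microsoft Graph PowerShell SDK (the Microsoft.Graph module) is installed and that the account running it can consent to the read-only scopes requested; the Global Administrator role template ID is Microsoft's fixed value for that role.

```powershell
# Added example: a read-only review of the three questions using the Microsoft Graph PowerShell SDK.
# Assumes the Microsoft.Graph module is installed and the signed-in account may consent to these scopes.
Connect-MgGraph -Scopes "AuditLog.Read.All", "Directory.Read.All", "RoleManagement.Read.Directory", "Policy.Read.All"

# Question 1: is MFA in place for every single account?
# The registration-details report shows, per user, whether an MFA-capable method is registered at all.
$registration = Get-MgReportAuthenticationMethodUserRegistrationDetail -All
$noMfa = $registration | Where-Object { -not $_.IsMfaRegistered }
"{0} of {1} accounts have no MFA method registered" -f $noMfa.Count, $registration.Count
# Admin accounts without MFA are the first thing to look at in that list.
$noMfa | Sort-Object IsAdmin -Descending | Select-Object UserPrincipalName, IsAdmin, UserType | Format-Table

# Question 2: who holds Global Administrator?
$gaTemplateId = "62e90394-69f5-4237-9190-012177145e10"   # Microsoft's fixed role template ID for Global Administrator
$gaRole = Get-MgDirectoryRole -Filter "roleTemplateId eq '$gaTemplateId'"
$gaMembers = Get-MgDirectoryRoleMember -DirectoryRoleId $gaRole.Id -All
"{0} accounts hold Global Administrator" -f $gaMembers.Count
# Members come back as generic directory objects; the UPN lives in AdditionalProperties.
$gaMembers | ForEach-Object { $_.AdditionalProperties["userPrincipalName"] }

# Question 3: has anything been changed from defaults?
# Security Defaults and Conditional Access are mutually exclusive. A tenant with Security Defaults
# disabled AND no enabled Conditional Access policies is the "nothing configured" state the post describes.
$secDefaults = Get-MgPolicyIdentitySecurityDefaultEnforcementPolicy
"Security Defaults enabled: {0}" -f $secDefaults.IsEnabled
$caPolicies = Get-MgIdentityConditionalAccessPolicy -All
"{0} Conditional Access policies ({1} enabled)" -f $caPolicies.Count,
    ($caPolicies | Where-Object { $_.State -eq "enabled" }).Count
$caPolicies | Select-Object DisplayName, State | Format-Table
```

A registered MFA method is necessary but not sufficient: IsMfaRegistered tells you the user has set one up, while enforcement comes from Security Defaults, a Conditional Access policy that requires MFA, or per-user MFA state. If the first count is non-zero, or the third section shows Security Defaults off with no enabled policies, the answers to the questions above are "no" regardless of what the IT team says.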
What to Ask Any Cloud or SaaS Provider
These same principles apply beyond Microsoft. Whenever a client tells us they're evaluating a new cloud application, Eric asks the same three questions every time on their behalf:
How is our data backed up? Walk us through the process. How often do backups run? Where is the backup stored? Can we get a copy of our data if we need to?
Who has access to our data? Is it just our account team on your side, or does every employee technically have access? With hyperscale cloud you are trusting the provider's internal controls; you can't name the individuals who administer your tenant.
Where is our data stored? Is it in Azure, AWS, or a private cloud? What country is the data center in? Is the vendor compliant with relevant standards? If the answers are vague ("oh yeah, your stuff is protected" or "we are compliant" without specifics) that tells you something about the vendor's maturity.
Talk to McNallan about your M365 tenant security.
We review MFA coverage, permissions, conditional access, and default settings. Minnesota businesses with 25–300 employees.
Get in Touch