Passwords alone are no longer enough to protect schools and businesses from modern cyber threats. With phishing attacks, credential theft and AI-powered scams increasing, organisations must strengthen their security beyond a basic login. This guide explains the essential upgrades every school and SME should implement to stay secure in 2026.
Why Passwords Alone Are No Longer Enough: Simple Security Upgrades Every School and Business Should Enable Today
For years, passwords were the main barrier protecting organisations from cyber attacks. But modern cyber criminals use automated tools, credential stuffing, password spraying and AI-generated phishing to break into accounts – meaning passwords alone are no longer effective.
At Remedian IT Solutions, we support schools and SMEs across Greater Manchester and the North West. During Microsoft 365 audits, we regularly find environments with strong passwords but critical missing security layers. In today’s threat landscape, relying solely on passwords leaves your organisation exposed.
1. Multi-Factor Authentication (MFA) – The Most Important Upgrade
MFA is the single most effective way to prevent account breaches. It requires staff to verify their identity using something they know (password) and something they have (authenticator app or code).
MFA should be enabled for:
- All staff and admin accounts
- Finance, HR and safeguarding roles
- Microsoft 365 and Google Workspace logins
- Remote access and VPN connections
If a password is compromised but MFA is enabled, the stolen password alone is not enough for an attacker to sign in. Explore Remedian’s cybersecurity services.
2. Conditional Access – Control How and Where People Sign In
Conditional Access adds smart rules to Microsoft 365 logins, such as requiring MFA when off-site or blocking sign-ins from outside the UK.
Useful examples include:
- Blocking high-risk countries
- Requiring MFA outside trusted school or business networks
- Allowing access only from managed devices
- Automatically blocking risky sign-ins
Without Conditional Access, every login is treated the same — even suspicious ones. See how our managed IT support helps protect your organisation.
3. Disable Legacy Authentication
Legacy authentication (POP, IMAP, basic auth) does not support MFA and is one of the leading causes of account compromises in schools and SMEs.
Unless absolutely required, these old protocols must be disabled. Where they are still needed, exceptions should be tightly controlled and monitored.
4. Email Protection – The First Line of Defence
Phishing remains the number one method attackers use to steal passwords. Microsoft Defender adds essential layers of email filtering.
Key features include:
- Safe Links – checks website links at click-time
- Safe Attachments – opens suspicious files in a secure sandbox
- Anti-phishing rules for VIP users
- SPF, DKIM and DMARC email authentication
These controls significantly reduce the chance of staff clicking on a malicious link or opening a dangerous attachment.
5. Device Security – Protecting Staff and Pupil Devices
Even if Microsoft 365 is secure, unsafe devices can still allow attackers in. Modern device security is essential for both schools and SMEs.
Essential protections include:
- Full-disk encryption (BitLocker)
- Microsoft Defender for Endpoint or similar
- Regular security patching
- Compliance policies through Intune or Google Admin
A secure cloud account is only as safe as the device accessing it. For schools, this is especially important where devices are shared across classes. Learn how we support school IT environments.
6. Safer Sharing in OneDrive and SharePoint
“Anyone with the link” file sharing is one of the biggest causes of accidental data leaks in both schools and businesses.
Safer defaults include:
- Internal-only sharing as the default option
- Restricting external sharing to approved domains
- Setting expiry dates for external links
These changes help prevent sensitive files – such as HR documents, pupil records or financial data – from being accessed by the wrong people.
7. Backup and Recovery – Because Microsoft 365 Does Not Back Up Your Data
Microsoft provides availability, not full backup. Accidental deletion, misconfiguration, or ransomware can still cause permanent data loss if you rely solely on Microsoft.
A proper backup solution should:
- Back up Exchange, OneDrive, SharePoint and Teams
- Store copies in a separate, secure location
- Offer point-in-time restores
- Provide long-term retention for compliance
A dedicated backup system is essential for both safeguarding and business continuity. Please find out more about our secure backup services.
8. Monitoring and Alerts
Security alerts help spot suspicious activity early, before it becomes a serious incident.
Key events to monitor include:
- Repeated login failures
- Logins from unusual locations or devices
- New mailbox forwarding rules
- Changes to admin roles or permissions
These alerts should be reviewed regularly – ideally by a managed IT provider who can investigate and resolve issues quickly. See how our proactive IT health monitoring works and how it supports managed IT support.
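An added example, not part of the original guide: a small Python triage pass over the four event types listed above, which also flags sign-ins that use the legacy protocols from section 3. The event records, field names, threshold and example.org addresses are constructed for illustration and are not a Microsoft 365 log schema.

```python
from collections import Counter

# Constructed sample events. Field names are assumptions for this example,
# not the schema of any Microsoft 365 log export.
def signin(user, ok, country="GB", client="Browser"):
    return {"type": "signin", "user": user, "ok": ok, "country": country, "client": client}

EVENTS = [
    signin("a.teacher@example.org", False),
    signin("a.teacher@example.org", True),
    signin("b.bursar@example.org", False),
    signin("b.bursar@example.org", False),
    signin("b.bursar@example.org", False),
    signin("c.head@example.org", True, country="NL"),
    {"type": "inbox_rule", "user": "c.head@example.org", "forward_to": "drop@mail.example.net"},
    {"type": "inbox_rule", "user": "f.staff@example.org", "forward_to": "office@example.org"},
    signin("d.office@example.org", True, client="IMAP"),
    {"type": "role_change", "user": "e.admin@example.org", "role": "Global Administrator"},
]

LEGACY_CLIENTS = {"POP", "IMAP", "BasicAuth"}  # protocols named in section 3
TRUSTED_COUNTRIES = {"GB"}                     # assumption: UK-only organisation
FAILURE_THRESHOLD = 3                          # assumption: tune to your environment
ORG_DOMAIN = "example.org"                     # placeholder domain

def triage(events):
    """Return sorted (user, finding) pairs for events that need a human review."""
    findings, failures = set(), Counter()
    for e in events:
        user = e["user"]
        if e["type"] == "signin":
            if e["client"] in LEGACY_CLIENTS:
                findings.add((user, "legacy-auth"))
            if not e["ok"]:
                failures[user] += 1
            elif e["country"] not in TRUSTED_COUNTRIES:
                # Only successful sign-ins are flagged here; failures are counted above.
                findings.add((user, "signin-outside-trusted-country"))
        elif e["type"] == "inbox_rule":
            if not e["forward_to"].lower().endswith("@" + ORG_DOMAIN):
                findings.add((user, "external-forwarding-rule"))
        elif e["type"] == "role_change":
            findings.add((user, "admin-role-change"))
    findings.update((u, "repeated-login-failures")
                    for u, n in failures.items() if n >= FAILURE_THRESHOLD)
    return sorted(findings)

if __name__ == "__main__":
    for user, finding in triage(EVENTS):
        print(f"{finding:32} {user}")
```

An account that appears under more than one finding, such as a sign-in from outside the trusted country followed by a new external forwarding rule, is the one to review first.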
Quick Security Checklist
- MFA enabled for all staff
- Conditional Access rules configured
- Legacy Authentication disabled
- Email security (Safe Links / Safe Attachments) enabled
- Anti-phishing policies are in place
- Device encryption and compliance enforced
- Safe sharing defaults in OneDrive and SharePoint
- Dedicated Microsoft 365 backup implemented
- Security monitoring and alerts are actively reviewed
Need Help Strengthening Your Cyber Security?
Schools and businesses face more cyber risks than ever, and passwords alone are no longer enough. With a few focused upgrades, you can dramatically reduce the likelihood of a data breach or account compromise.
Next steps:
- Book a cybersecurity health check
- Review your Microsoft 365 security settings
- Get a phased improvement plan tailored to your organisation
Contact Remedian today to secure your organisation