Shared Accounts in Microsoft 365: Good or Bad?
Shared Microsoft 365 accounts are incredibly common in small businesses, and most of the time nobody gives them a second thought. But behind that convenience sits a surprisingly long list of risks, and most business owners do not find out about them until something goes wrong.
You Lose Track of Who Did What
Microsoft 365 keeps detailed logs of activity, which is genuinely useful if something goes wrong. You can look back and see who accessed a file, who sent an email, or who changed a setting. But if three people are all logging in under the same account, those logs become worthless for telling them apart. Every entry shows the account name, not the person.
If a file gets deleted, a client gets sent the wrong thing, or something suspicious happens, you have no way of knowing who was responsible or when it happened. That is a problem even in a small team.
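The logs can still help you find accounts that are being shared. The sketch below is an added example, not part of the original article: it flags any account that signs in from several different devices within a short window. The CSV column names and the sample rows are constructed assumptions, so adjust them to match your own sign-in log export.

```python
import csv
import io
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample rows, not real data. Column names are assumptions
# modelled on a sign-in log export.
SAMPLE = """createdDateTime,userPrincipalName,ipAddress,deviceName
2024-03-04T08:58:00,info@example.com,203.0.113.10,RECEPTION-PC
2024-03-04T09:01:00,info@example.com,203.0.113.10,SALES-LAPTOP
2024-03-04T09:03:00,info@example.com,198.51.100.7,HOME-PC
2024-03-04T09:05:00,alice@example.com,203.0.113.10,ALICE-LAPTOP
2024-03-04T13:30:00,alice@example.com,203.0.113.10,ALICE-LAPTOP
2024-03-05T09:00:00,bob@example.com,203.0.113.10,BOB-PC
2024-03-06T19:00:00,bob@example.com,198.51.100.44,BOB-PHONE
"""

def likely_shared(log_csv, window=timedelta(minutes=30), min_devices=3):
    """Return {account: sorted device names} for accounts seen on at least
    `min_devices` different devices inside any single `window`."""
    events = defaultdict(list)
    for row in csv.DictReader(io.StringIO(log_csv)):
        when = datetime.fromisoformat(row["createdDateTime"])
        events[row["userPrincipalName"]].append((when, row["deviceName"]))

    flagged = defaultdict(set)
    for account, signins in events.items():
        signins.sort()  # oldest first
        start = 0
        for end in range(len(signins)):
            # Advance the window start until it spans no more than `window`.
            while signins[end][0] - signins[start][0] > window:
                start += 1
            devices = {dev for _, dev in signins[start:end + 1]}
            if len(devices) >= min_devices:
                flagged[account] |= devices
    return {account: sorted(devs) for account, devs in flagged.items()}

if __name__ == "__main__":
    for account, devices in likely_shared(SAMPLE).items():
        print(f"{account}: {', '.join(devices)}")
```

One person with a laptop and a phone will also show two devices, which is why the default threshold is three devices inside 30 minutes. Treat a hit as a prompt to ask the team, not as proof.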

Leavers are a Bigger Risk than you Might Expect
When someone leaves your business, you want to make sure they can no longer access your systems. With individual accounts, that is straightforward. With a shared account, it is almost impossible. Unless you change the password immediately and make sure every remaining user gets the new one, your ex-employee could technically still be logging in.
Even if their intentions are entirely good, that is an open door you probably do not want to leave unlocked.
It Creates a Headache for GDPR
Under GDPR, businesses need to be able to demonstrate who accessed personal data, when, and why. If you are using shared accounts, you simply cannot do that. You cannot point to a specific person who accessed a specific record on a specific date.
In the event of a data breach or an investigation, that gap in your records could make a difficult situation considerably worse.
One Compromised Account can Open the Door to Everything
Cyber criminals regularly target business email accounts. If a shared account gets compromised, the attacker potentially has access to everything that account can see, and you might not even notice for a while because the suspicious activity is buried among multiple users all doing normal things.
Individual accounts with multi-factor authentication (MFA) switched on make this kind of attack far harder to pull off, and much easier to detect if one does happen.

It may also be Against your Licensing Terms
Microsoft 365 licences are issued per person. Using a single account for multiple users is a breach of Microsoft’s terms of service. It is a detail that often gets overlooked, but it is worth knowing about, particularly if you are ever subject to a software audit.
So what Should you do?
The good news is that the fix is not complicated or particularly expensive. The basics are:
- Give every person in your business their own individual account
- Switch on multi-factor authentication across the board
- Have a proper offboarding process so accounts are disabled the moment someone leaves
- Review who has access to what on a regular basis
If you are unsure where to start, or you suspect your current setup has some gaps, it is worth having someone take a look before a problem finds those gaps for you.
Need a hand reviewing your Microsoft 365 setup?
At Three Cherries, we help businesses across Bristol and the South West get their IT in good shape, without the jargon or the hard sell. If you would like a straightforward conversation about how your Microsoft 365 accounts are set up, we would be happy to help. Get in touch! At Three Cherries, we take the gamble out of business technology.
