
We’re upgrading our Minimum Standard Security Recommendations – Here’s how & why

Australian organisations large and small are facing a relentless surge in sophisticated cyber threats, many of which consistently target Microsoft 365 accounts. Recent trends (and our own experience) are showing that even with Multi-Factor Authentication (MFA) and Security Awareness Training in place, attackers are finding new and creative ways to successfully breach accounts by exploiting gaps in legacy authentication methods as well as user fatigue and complacency.

For businesses, the elevated risk is not just technical—it’s operational and reputational. A single compromised account can lead to data loss, privacy breaches, financial impact, and disruption of client trust. To safeguard your business continuity and reputation, we are rolling out a targeted set of security uplifts that address these evolving risks head-on. These enhancements represent an uplift in our Minimum Standard Security Recommendations for Maxsum clients and are designed to position your organisation to remain resilient and compliant in the face of fast-emerging, more sophisticated attack methods.

Is this urgent and why now?

The hot-off-the-press Australian Signals Directorate’s (ASD) ACSC Annual Cyber Threat Report 2024–25 highlights new trends and actors in the threat landscape. Over the last 12-18 months, security professionals have seen attackers increasingly able to bypass legacy MFA methods (such as SMS and TOTP codes) using advanced interception, phishing and social engineering tactics, and scaling up newer attack modes.

Malicious cyber actors are able to leverage vulnerabilities in the technology and security practices of individuals and businesses throughout the public and private sectors. Internet-facing vulnerabilities in edge devices are common, and they require network owners to rigorously monitor and configure securely. ‘Living off the land’ tradecraft has persevered, requiring an adjustment in the way network defenders prioritise understanding behavioural patterns of networks in order to detect the most sophisticated threats.

ASD ACSC Annual Cyber Threat Report 2024-2025

The ASD and ACSC now explicitly recommend “phishing-resistant multi-factor authentication” and stronger controls such as geo-blocking and device compliance. The average cost of cybercrime for Australian businesses has risen sharply, as has the reporting of newer tactics and threats. Delaying action increases your exposure to these risks.

The urgency of these changes is further reinforced by the key themes of this year’s ASD Cyber Security Awareness Month 2025, specifically replacing and upgrading legacy technology, hardware and software, and managing configuration changes.

Businesses should operate with a mindset of ‘assume compromise’ and prioritise the assets or ‘crown jewels’ that need the most protection. ASD recommends businesses and network owners focus on 4 ‘big moves’ to bolster their cyber defences and prepare for future challenges: implement best-practice logging, replace legacy IT, effectively manage third-party risk and prepare for post-quantum cryptography.

ASD ACSC Annual Cyber Threat Report 2024-2025

What’s Changing?

We’re implementing additional controls to strengthen your security posture, especially in relation to Microsoft 365 accounts and services. The following controls will now be added to Maxsum’s Minimum Standard Security Recommendations.

  • MFA Hardening: Moving away from SMS and TOTP codes and transitioning to phishing-resistant Microsoft Authenticator push-based MFA for all users.
  • Geoblocking: Blocking login attempts from outside Australia, with flexibility for approved overseas travel.
  • Device Compliance: Ensuring company accounts can only be accessed from company-approved devices, with admin approval required for registering new devices.
  • M365 Baseline Policies: Revising, deploying and automating robust new policies for conditional access, authentication methods, device compliance, and office macro hardening.

These measures are designed to keep your organisation ahead of evolving threats and ensure your data remains secure.

Your Questions Answered

Q: Why isn’t MFA enough anymore?
A: Attackers can now trick users into completing MFA challenges, rendering traditional methods less effective. ASD and ACSC recommend moving to phishing-resistant MFA and implementing additional controls like device compliance and geo-blocking.

Q: What is geoblocking and why is it important?
A: Geoblocking prevents login attempts from outside Australia, reducing exposure to overseas attacks. As attackers adapt, we’ll continue to refine these controls to keep you protected.

Q: How will device compliance work?
A: Only company-approved devices will be able to access accounts. Registering a new device will require admin approval, adding another layer of defence against unauthorised access.

Q: Will this affect my day-to-day work?
A: You may notice changes when logging in or registering new devices, but these steps are essential for your security. Our team will guide you through the process to ensure a smooth transition.

Q: Will we be charged for baseline security uplifts?
A: Yes, baseline security uplifts are considered and provided as billable works because they represent additional, specialised work outside the scope of routine IT maintenance. They require expert resources to design, deploy, and monitor, and are tailored to your organisation’s unique needs and risk profile.

Q: Why do I need to approve these upgrades if you are already managing our IT?
A: Security threats and best practices constantly evolve. These upgrades go beyond standard IT management—they involve new technologies, policies, and controls that require careful planning, configuration, and ongoing support. Approval ensures you understand and consent to these changes, as they may affect how your team accesses systems and data. By approving and investing in these uplifts, you proactively protect your business against the latest threats, in line with guidance from Australian authorities.

Q: Is there an ongoing component?
A: Yes, once enabled, these tools will allow us to monitor for baseline drift (changes that could weaken security), manage user access for overseas travel, and support device onboarding. Any ongoing adjustments or corrections will also be handled as Move, Add, Change requests.
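The four controls listed under “What’s Changing?” and the baseline-drift monitoring mentioned above can be expressed as a simple audit over an export of the tenant’s Conditional Access policies. The script below is an added example, not Maxsum’s tooling or a Microsoft utility: it assumes the policies were exported in the Microsoft Graph conditionalAccessPolicy shape (for example from GET /identity/conditionalAccess/policies) and saved as a JSON list, and the named-location id, travel-exemption group id and approved authentication-strength id are constructed placeholders that a real tenant would replace with its own object ids.

```python
"""Baseline drift check for Microsoft Entra Conditional Access policies.

Added example, not Maxsum's tooling. Assumes policies exported in the
Microsoft Graph conditionalAccessPolicy shape. The ids below are
constructed placeholders for tenant-specific objects.
"""
import json

# Constructed placeholders (a real tenant substitutes its own object ids).
AU_NAMED_LOCATION_ID = "PLACEHOLDER-NAMED-LOCATION-AUSTRALIA"
TRAVEL_EXEMPTION_GROUP_ID = "PLACEHOLDER-GROUP-APPROVED-TRAVEL"
APPROVED_STRENGTH_IDS = {"PLACEHOLDER-AUTH-STRENGTH-PHISHING-RESISTANT"}


def _enabled(policy):
    # Report-only ("enabledForReportingButNotEnforced") and disabled policies
    # protect nothing, so they count as drift.
    return policy.get("state") == "enabled"


def _covers_everyone(policy):
    """True when the policy targets all users and all cloud apps."""
    cond = policy.get("conditions", {})
    users = cond.get("users", {}).get("includeUsers", [])
    apps = cond.get("applications", {}).get("includeApplications", [])
    return "All" in users and "All" in apps


def _grant(policy):
    return policy.get("grantControls") or {}


def is_geoblock(policy):
    """Block every location except the approved (Australia) named location."""
    loc = policy.get("conditions", {}).get("locations") or {}
    return (_enabled(policy) and _covers_everyone(policy)
            and "All" in loc.get("includeLocations", [])
            and AU_NAMED_LOCATION_ID in loc.get("excludeLocations", [])
            and "block" in _grant(policy).get("builtInControls", []))


def is_device_compliance(policy):
    """Require a compliant (company-managed) device for every sign-in."""
    return (_enabled(policy) and _covers_everyone(policy)
            and "compliantDevice" in _grant(policy).get("builtInControls", []))


def is_strong_mfa(policy):
    """Require an approved authentication strength. The built-in 'mfa' control
    accepts any registered method, SMS and TOTP included, so it fails here."""
    strength = _grant(policy).get("authenticationStrength") or {}
    return (_enabled(policy) and _covers_everyone(policy)
            and strength.get("id") in APPROVED_STRENGTH_IDS)


def is_legacy_auth_block(policy):
    """Block legacy client protocols, which cannot complete modern MFA."""
    clients = set(policy.get("conditions", {}).get("clientAppTypes", []))
    return (_enabled(policy) and _covers_everyone(policy)
            and {"exchangeActiveSync", "other"} <= clients
            and "block" in _grant(policy).get("builtInControls", []))


BASELINE = {
    "geoblock": is_geoblock,
    "device_compliance": is_device_compliance,
    "phishing_resistant_mfa": is_strong_mfa,
    "legacy_auth_block": is_legacy_auth_block,
}


def check_baseline(policies):
    """Map each baseline control to a policy displayName enforcing it, or None."""
    return {name: next((p["displayName"] for p in policies if ok(p)), None)
            for name, ok in BASELINE.items()}


def drifted_controls(policies):
    """Sorted names of baseline controls that no enabled policy enforces."""
    return sorted(n for n, hit in check_baseline(policies).items() if hit is None)


def load_policies(text):
    return json.loads(text)


# Constructed sample export: four policies, two of which have drifted.
SAMPLE_EXPORT = json.dumps([
    {"displayName": "BASE - Block sign-in outside Australia", "state": "enabled",
     "conditions": {"users": {"includeUsers": ["All"],
                              "excludeGroups": [TRAVEL_EXEMPTION_GROUP_ID]},
                    "applications": {"includeApplications": ["All"]},
                    "locations": {"includeLocations": ["All"],
                                  "excludeLocations": [AU_NAMED_LOCATION_ID]}},
     "grantControls": {"operator": "OR", "builtInControls": ["block"]}},
    {"displayName": "BASE - Require compliant device", "state": "enabled",
     "conditions": {"users": {"includeUsers": ["All"]},
                    "applications": {"includeApplications": ["All"]}},
     "grantControls": {"operator": "OR", "builtInControls": ["compliantDevice"]}},
    # Drift: the authentication strength was swapped back to plain MFA.
    {"displayName": "BASE - Require MFA", "state": "enabled",
     "conditions": {"users": {"includeUsers": ["All"]},
                    "applications": {"includeApplications": ["All"]}},
     "grantControls": {"operator": "OR", "builtInControls": ["mfa"],
                       "authenticationStrength": None}},
    # Drift: the legacy-auth block was left in report-only mode.
    {"displayName": "BASE - Block legacy authentication",
     "state": "enabledForReportingButNotEnforced",
     "conditions": {"users": {"includeUsers": ["All"]},
                    "applications": {"includeApplications": ["All"]},
                    "clientAppTypes": ["exchangeActiveSync", "other"]},
     "grantControls": {"operator": "OR", "builtInControls": ["block"]}},
])

if __name__ == "__main__":
    for control, hit in check_baseline(load_policies(SAMPLE_EXPORT)).items():
        print(f"{control:24} {'OK: ' + hit if hit else 'DRIFT'}")
```

Run against a real export, the script lists which of the four baseline controls has no enabled, tenant-wide policy behind it; the geoblock check tolerates an excluded travel-exemption group, which is how approved overseas travel is accommodated without weakening the policy for everyone else.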

Q: Once in place, do these uplifts make us fully compliant?
A: No. These uplifts represent an improvement in the recommended baseline security protections. More comprehensive, proactive security services, including Proactive Managed IT Security, automated Managed Detection & Response and Vulnerability Scanning, for example, are strongly recommended for organisations seeking best-in-class IT security coverage and compliance.

Q: What do I need to do next?
A: Contact us to discuss your current security setup and schedule your uplift. Acting now is crucial, as delaying could leave your organisation exposed to increasingly sophisticated threats.

Security threats are evolving, and so must your defences. Maxsum is introducing a suite of new Minimum Standard Security Recommendations designed to provide the best possible protection for your business, in line with the latest ASD and ACSC guidance. Upgrading your current security protections to meet the new Minimum Standard Security Recommendations will require your consideration, due diligence and some investment, but the cost of inaction could be far greater. The time to act is now. Contact us to get started.