Field note
Cyber Breaches Survey Lessons for M365
The best thing about the breaches survey is that it pulls the conversation back to operational reality - phishing, access control, incident handling, and the quality of basic security hygiene.
The UK Cyber Security Breaches Survey is worth reading every year because it tends to reward plain thinking.
The 2025/2026 survey says 43% of businesses and 28% of charities identified a cyber breach or attack in the last 12 months. Phishing remained the most common type by far, affecting 38% of businesses and 25% of charities. That is not glamorous. It does not point to some exotic, cinematic threat model. It points back to the ordinary controls that still decide whether a Microsoft 365 tenant is calm or chaotic.
That is why this report matters to Microsoft 365 owners. It is not really telling you to buy more things. It is telling you to run the basics properly.
What the survey means in tenant terms
When government data says phishing is still the dominant problem, the Microsoft 365 reading is pretty direct:
| Survey theme | Microsoft 365 translation |
|---|---|
| Phishing stays common | Review mail flow, anti-phishing posture, user reporting, and mailbox abuse paths |
| Impact still lands on business operations | Build containment steps that work in the first hour |
| Governance matters | Give named owners to identity, endpoint, mail, and collaboration controls |
| Reputation damage is real | Make sure the communications side of incident response is not improvised |
One line in this year's survey stands out to me. Businesses reporting reputational damage rose from 1% to 3%, and loss of revenue or share value rose from 2% to 5%. Those are still minority outcomes, but they are the kind of outcomes leadership actually pays attention to.
The Microsoft 365 controls I would prioritise
If you are trying to turn the survey into action, start here:
- Enforce MFA cleanly, especially for privileged access.
- Review mailbox forwarding, inbox rules, and delegated access.
- Make incident ownership and escalation explicit.
- Check guest access and external sharing settings.
- Make sure device compliance and update reporting are not stale.
None of that is a grand strategy. It is tenant operations. That is the point.
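One way to make the forwarding and inbox-rule review repeatable, as an added example rather than code from the survey or from Microsoft. It assumes the rules have already been exported per mailbox as Microsoft Graph `messageRule` objects; the function names, the `ACCEPTED_DOMAINS` value, the severity labels and the sample data are all constructed for illustration.

```python
ACCEPTED_DOMAINS = {"contoso.example"}  # assumption: the tenant's own domains
FORWARD_ACTIONS = ("forwardTo", "forwardAsAttachmentTo", "redirectTo")
HIDE_ACTIONS = ("delete", "permanentDelete", "markAsRead")
SEVERITY_ORDER = {"high": 0, "medium": 1, "low": 2}

def external_recipients(actions):
    """Addresses in forward/redirect actions that fall outside ACCEPTED_DOMAINS."""
    found = []
    for key in FORWARD_ACTIONS:
        for recipient in actions.get(key) or []:
            address = (recipient.get("emailAddress") or {}).get("address", "")
            domain = address.rpartition("@")[2].lower()
            if address and domain not in ACCEPTED_DOMAINS:
                found.append(address.lower())
    return found

def triage_rule(mailbox, rule):
    """Return a finding for an enabled rule worth reviewing, else None."""
    if not rule.get("isEnabled", False):
        return None
    actions = rule.get("actions") or {}
    external = external_recipients(actions)
    hides = [key for key in HIDE_ACTIONS if actions.get(key)]
    if not external and not hides:
        return None
    # Forwarding out of the tenant while hiding the message is the strongest signal.
    severity = "high" if external and hides else "medium" if external else "low"
    return {"mailbox": mailbox, "rule": rule.get("displayName", ""),
            "severity": severity, "external": external, "hides": hides}

def triage(export):
    """export maps a mailbox address to its list of messageRule dicts."""
    findings = []
    for mailbox, rules in export.items():
        findings += [f for f in (triage_rule(mailbox, r) for r in rules) if f]
    return sorted(findings, key=lambda f: SEVERITY_ORDER[f["severity"]])

# Constructed sample export (not real tenant data).
SAMPLE = {
    "finance@contoso.example": [
        {"displayName": ".", "isEnabled": True, "actions": {"delete": True,
            "forwardTo": [{"emailAddress": {"address": "drop@mail.example.net"}}]}},
        {"displayName": "Team copy", "isEnabled": True, "actions": {
            "forwardTo": [{"emailAddress": {"address": "ap@contoso.example"}}]}}],
    "ops@contoso.example": [
        {"displayName": "Newsletters", "isEnabled": True, "actions": {"markAsRead": True}},
        {"displayName": "Old relay", "isEnabled": False, "actions": {
            "redirectTo": [{"emailAddress": {"address": "x@other.example"}}]}}],
}
```

Disabled rules are skipped here to keep the weekly list short; a fuller review would list them separately, since a disabled rule can be switched back on.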
A useful weekly rhythm
Many teams lose control because everything security-shaped gets batched into a monthly review deck. For Microsoft 365, I prefer a simpler rhythm:
- Weekly: suspicious sign-ins, mailbox abuse indicators, compromised users, key alerts.
- Fortnightly: admin role review, exclusions, forwarding controls, external sharing hot spots.
- Monthly: device compliance drift, patching evidence, policy exceptions, incident lessons learned.
It is less dramatic than a transformation programme, but it usually works better.
What not to take from the survey
Do not take it as proof that every organisation needs a heavy, expensive stack.
Take it as proof that normal operating discipline is still rare enough to matter.
The survey is basically a reminder that phishing, weak ownership, and poor response handling still create a lot of avoidable pain. Microsoft 365 already gives you a lot to work with. The question is whether the tenant is being run like a living system or just configured once and admired from a distance.