Cyber Breaches Survey Lessons for M365
The best thing about the breaches survey is that it pulls the conversation back to operational reality - phishing, access control, incident handling, and the quality of basic security hygiene.
The UK Cyber Security Breaches Survey is worth reading every year because it tends to reward plain thinking.
The 2025/2026 survey says 43% of businesses and 28% of charities identified a cyber breach or attack in the last 12 months. Phishing remained most common, affecting 38% of businesses and 25% of charities.
That points back to ordinary controls: identity, mail protection, endpoint state, alert ownership and response practice.
That is why this report matters to Microsoft 365 owners. It is not really telling you to buy more things. It is telling you to run the basics properly.
What the survey means in tenant terms
When government data says phishing is still the dominant problem, the Microsoft 365 reading is pretty direct:
| Survey theme | Microsoft 365 translation |
|---|---|
| Phishing stays common | Review mail flow, anti-phishing posture, user reporting, and mailbox abuse paths |
| Impact still lands on business operations | Build containment steps that work in the first hour |
| Governance matters | Give named owners to identity, endpoint, mail, and collaboration controls |
| Reputation damage is real | Make sure the communications side of incident response is not improvised |
One line in this year's survey stands out to me. Businesses reporting reputational damage rose from 1% to 3%, and loss of revenue or share value rose from 2% to 5%. Those are still minority outcomes, but they are the kind of outcomes leadership actually pays attention to.
The Microsoft 365 controls I would prioritise
If you are trying to turn the survey into action, start here:
- Enforce MFA cleanly, especially for privileged access.
- Review mailbox forwarding, inbox rules, and delegated access.
- Make incident ownership and escalation explicit.
- Check guest access and external sharing settings.
- Make sure device compliance and update reporting are not stale.
None of that is a grand strategy. It is tenant operations. That is the point.
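One way to run the forwarding and inbox-rule review from the list above, as an added example rather than code from the original post. It assumes rules have already been exported in the shape of the Microsoft Graph messageRule resource; the domain, mailboxes, rule names and function names are constructed for illustration.

```python
# Added example. Input shape follows the Microsoft Graph messageRule resource;
# the domain, mailboxes and rules below are constructed for illustration.
INTERNAL_DOMAINS = {"contoso.example"}  # assumption: your tenant's accepted domains
FORWARD_ACTIONS = ("forwardTo", "forwardAsAttachmentTo", "redirectTo")

def external_recipients(actions):
    """Return forwarding/redirect addresses whose domain is not internal."""
    found = []
    for key in FORWARD_ACTIONS:
        for rcpt in actions.get(key) or []:
            addr = (rcpt.get("emailAddress") or {}).get("address", "").lower()
            if addr and addr.rpartition("@")[2] not in INTERNAL_DOMAINS:
                found.append(addr)
    return found

def triage_rule(mailbox, rule):
    """Return findings for one rule; an empty list means nothing was flagged."""
    if not rule.get("isEnabled", True):
        return []  # disabled rules are skipped here; review them separately
    actions = rule.get("actions") or {}
    name = rule.get("displayName")
    findings = []
    ext = external_recipients(actions)
    if ext:
        findings.append(f"{mailbox}: rule {name!r} sends mail externally to {', '.join(ext)}")
    # Rules that delete mail, or mark it read and move it, keep it out of the user's view.
    hides = actions.get("delete") or actions.get("permanentDelete") or (
        actions.get("markAsRead") and actions.get("moveToFolder"))
    if hides:
        findings.append(f"{mailbox}: rule {name!r} hides mail from the inbox")
    return findings

def audit(rules_by_mailbox):
    """Flatten findings across every mailbox for the weekly review."""
    return [f for mbx, rules in rules_by_mailbox.items()
            for rule in rules for f in triage_rule(mbx, rule)]

SAMPLE = {  # constructed export: mailbox -> list of messageRule objects
    "alice@contoso.example": [
        {"displayName": "Newsletters", "isEnabled": True,
         "actions": {"moveToFolder": "constructed-folder-id"}},
        {"displayName": ".", "isEnabled": True, "actions": {"delete": True,
         "forwardTo": [{"emailAddress": {"address": "drop@mail.example.net"}}]}}],
    "bob@contoso.example": [
        {"displayName": "To assistant", "isEnabled": True, "actions": {
         "redirectTo": [{"emailAddress": {"address": "carol@contoso.example"}}]}},
        {"displayName": "Invoices", "isEnabled": True,
         "actions": {"markAsRead": True, "moveToFolder": "constructed-folder-id"}}],
}

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE)))
```

Mailbox-level forwarding settings and delegated access are separate from inbox rules and need their own review; this block covers inbox rules only.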
A useful weekly rhythm
Many teams lose control because everything security-shaped gets batched into a monthly review deck. For Microsoft 365, I prefer a simpler rhythm:
- Weekly: suspicious sign-ins, mailbox abuse indicators, compromised users, key alerts.
- Fortnightly: admin role review, exclusions, forwarding controls, external sharing hot spots.
- Monthly: device compliance drift, patching evidence, policy exceptions, incident lessons learned.
It is less dramatic than a long consultancy programme, but it usually works better.
What not to take from the survey
Do not take it as proof that every organisation needs a heavy, expensive stack.
Take it as proof that normal operating discipline is still rare enough to matter.
The survey is a reminder that phishing, weak ownership and poor response handling still create avoidable pain. Microsoft 365 gives you tools; the question is whether someone runs them.