What the Microsoft 365 and Australian SMB IT space has actually been doing over the last nine months — anchored to real sources.

From 10 December 2026, businesses that use automated systems to make decisions affecting individuals must disclose it in their privacy policy. Chatbots and triage tools count.

Mid-June saw a dataset of valid credentials for an estimated 75,000 Fortinet firewalls and SSL-VPN gateways validated in the wild. If your perimeter is a VPN box, this is your reminder.

Microsoft made Agent 365 and the M365 E7 plan generally available. AI agents that act on your data need the same governance discipline you (should) already apply to Copilot.

A new remote-code-execution flaw in Veeam Backup & Replication is a reminder that the system protecting your data is also a high-value target. Backup infrastructure needs the same patch discipline as everything else.

A ransomware-as-a-service crew that barely existed in mid-2025 is now one of the most active of 2026 — built almost entirely on compromising internet-facing VPNs, firewalls and management interfaces.

The FBI and multiple security firms are warning about Kali365, an off-the-shelf phishing kit that steals Microsoft 365 session tokens after MFA succeeds. Adversary-in-the-middle attacks are now a commodity.

The 2026 data on unsanctioned AI use is in, and it’s worse than most owners assume. Shadow-AI-related breaches cost an average of US$670,000 more — and most affected businesses had no AI policy at all.

Microsoft’s June 2026 update fixed close to 200 vulnerabilities, including three publicly disclosed zero-days and critical flaws in HTTP.sys, Hyper-V and BitLocker. The differentiator isn’t knowing — it’s patching fast.

From 1 July 2026, AML-CTF reforms drag real-estate agents, accountants, conveyancers, lawyers and high-value-goods dealers into Privacy Act obligations — many for the first time.

New commercial pricing takes effect 1 July 2026: E3 moves to $39, E5 to $60, and the standalone Copilot add-on folds into the plans. A pre-July commitment can lock current rates.

Incident EX1331830 delayed email across North America, Asia-Pacific and Europe in early June. The cause was Microsoft’s; the lesson, as ever, is that your continuity plan can’t assume the cloud never blinks.

Acronis’s May analysis explains the recurring failure: backups that share a domain, credentials and network with the systems they protect aren’t a recovery plan — they’re a second target.

A late-May Azure OpenAI incident hit Australia East particularly hard. As AI gets wired into everyday workflows, the resilience question moves from “is email up?” to “is the model up?”

Veeam’s Data Trust and Resilience Report 2026 found a wide gap between recovery confidence and recovery reality — only 28% of ransomware victims fully recovered their data.

In 2026 the Essential Eight has shifted from “recommended” to expected — and cyber insurers are now asking for proof of maturity before they’ll quote, renew or pay.

The new Data Breach Investigations Report makes the SMB picture stark — 96% of ransomware victims of known size were SMBs, and vulnerability exploitation is now the single biggest way in.

Windows 10 hit end of support on 14 October 2025. Extended Security Updates buy time, but the meter is running and the price doubles each year. If Windows 10 is still in your estate, the clock is the point.

The ACSC flagged active exploitation of a cPanel/WebHost Manager flaw (CVE-2026-4194). Web-hosting control panels are exactly the kind of internet-facing admin surface that gets overlooked.

The ACSC reports a rise in attacks targeting Australia’s critical infrastructure, with the policy focus shifting to resilience. Even if you’re not critical infrastructure, the threat model is the same one aimed at you.

The ACSC warned of ClickFix campaigns spreading through compromised WordPress sites. The trick is social, not technical — it convinces the user to paste and run the malicious command themselves.

Microsoft cut Windows 365 Business pricing by 20%, renamed Frontline to Flex, and previewed AVD Hybrid for running cloud-managed desktops on your own servers. The cloud-desktop calculation is worth redoing.

Australia’s mandatory 72-hour ransomware-payment reporting regime has moved past its education-first grace period. From January 2026 the focus is compliance and enforcement.

Microsoft attributed the global M365 disruption to a maintenance event and third-party network issue, not an attack. The lesson for SMBs is BCDR, not blame.

Microsoft's Threat Intelligence team blocked 8.3 billion phishing emails in Q1 2026. The fastest-growing vector: QR codes that move the attack off email and onto an unmanaged phone.

The annual Data Breach Investigations Report puts the SMB ransomware rate at 88% — and notes operators now disrupt backups in the first hour of intrusion.

Copilot reads what your users can read. Without sensitivity labels and access scoping, that's everything in SharePoint. Purview before Copilot — not after.

The ACSC is pushing Essential Eight from box-tick to measurable. Patching speed, privileged access discipline, and hardening are the three areas tightening this year.

Since May 2025, organisations with turnover above $3M (or critical-infrastructure responsibility) must report any ransomware payment to the ASD within 72 hours.

An estimated 100,000 small businesses become Privacy Act-regulated from 1 July 2026. If you handle customer data and you've never read the APPs, the time is now.

Microsoft's 2026 threat reporting consistently puts VPN authentication at the start of domain-wide compromise. AVD with Conditional Access is the modern replacement.

Modern ransomware operators delete or encrypt backups before triggering the main payload. Immutable storage plus monthly restore-tests is no longer optional.

Microsoft Security pegs the average SMB cyber-attack cost at $254,445. NinjaOne data shows 60% of SMBs fail within six months of a serious breach.

Critical Microsoft vulnerabilities surged from 78 to 157 year-over-year. Azure and Dynamics critical CVEs jumped 9x. Patching cadence is the differentiator.

M365 Business Premium quietly bundles Intune, Defender for Business, Conditional Access and AIP. Most SMBs are paying for it and using ~30% of it.

The new generation of phishing campaigns uses generative AI to produce grammatically perfect, context-aware lures. The old "watch for bad English" advice is dead.

Azure Virtual Desktop is powerful and, without orchestration, expensive. Nerdio Manager Enterprise auto-scales host pools and keeps the monthly bill predictable.

M365's free Security Defaults are a good starting line. Conditional Access is the actual finishing line, and most SMBs need it.

MSP tooling has been a high-value target for nation-state and ransomware groups for years. In 2025–26, your provider's RMM and PSA are part of your attack surface.

The Australian Cyber Security Centre's annual figures show 1,200+ incidents responded to and 1,700+ alerts issued. The volume isn't slowing.

DKB Innovative's 2026 analysis of managed-IT delivery problems is required reading for any SMB outgrowing its current provider.

Microsoft's 2026 independent IRAP assessments of Azure, Dynamics 365 and M365 are now available, supporting Australian Government and regulated-industry workloads.

Staff are pasting client data into ChatGPT, Claude, Gemini and a dozen other tools to get work done. The governance question is what you do about it — not whether it's happening.

Microsoft Teams suffered a significant worldwide messaging-delay event on 20 December 2025. The cause was infrastructure. The lesson is comms-channel diversity.

The naming is genuinely confusing. The licensing matters. A short guide to which SKU SMBs should actually be on in 2026.

The "never pay" mantra is sound public-policy advice. It's also a much harder call when it's your business and your customers' data on the clock.

Maturity Level One was always a starting line. In 2026 it's increasingly being read by insurers and regulators as the floor, not the goal.

Since 10 June 2025, individuals can sue for serious invasions of privacy directly under a new statutory tort. The bar is high. The exposure is real.

Industry data through 2025–26 shows SMB cyber spend rising sharply — driven less by enthusiasm than by insurance, customer questionnaires, and recent pain.

Microsoft's own Learn documentation now states: enable Purview Audit before Copilot activation, and verify that Copilot-specific events are captured.

Mainstream support for Windows Server 2016 ended in January 2022. Extended support ended January 2027. If it's still in your environment, the migration window is closing.

MFA is no longer enough on its own. Adversary-in-the-middle attacks steal session tokens after auth completes. The defence is Conditional Access and continuous evaluation.

The line between backup and security has blurred. Acronis, Veeam and others now ship MDR overlays on top of the data-protection stack. The convergence is the point.

Most SMB SharePoint environments have years of permission sprawl. Copilot, sensitivity labels, and DLP all assume the permissions are right. They usually aren't.

Breaking AC's May 2026 analysis catalogues the recurring "hidden" IT risks in high-stakes SMBs. None are exotic. All are expensive when they bite.

The 2026 MSP industry data points to a sustained engineering-talent shortage. The visible effect on customers is slower response, junior reassignments, and churn.

Azure has accumulated a stack of cost-management features over the past two years. Most SMB tenants use a fraction. The unused features are usually the biggest payoff.

Data Privacy Week is a useful annual prompt. Use it for the housekeeping work that doesn't get done the other 51 weeks of the year.

Microsoft's Purview DLP now supports prompt-level controls for Copilot. You can specify what kinds of content Copilot is allowed to be asked about, and what isn't.

Microsoft has been pushing legacy auth retirement for years. In 2026, the deferrals stop being optional. Identify dependencies and plan the remediation.

Most SMBs don't have a written incident-response plan. They will. The question is whether it gets written this month, or under deadline at 2 a.m.

Intune-driven device compliance ties Conditional Access to device posture. It's bundled in Business Premium. Most SMBs are paying for it and not using it.

Hourly break-fix IT support is shrinking quietly but persistently. The driver isn't fashion — it's that the threat model has outgrown the model.
A Support Representative will get in touch.
A Support Representative will be in touch the same business day.
No deck, no pitch — walk your environment with a senior Australian practitioner. Confidential by default.
I built this business because I wanted to do managed services properly — for a small number of clients, at a senior level, with the same person on the end of the phone every time. The work is too important and the stakes are too high for anything less.
Behind the formal qualifications: a Cyber Security degree from the University of the Sunshine Coast, currently working on my Master’s, plus a continuous stack of Microsoft, Acronis and Nerdio certifications — the ones that have to be renewed because the threats don’t stay still.
Behind the certifications: thirty years of doing the work. I cut my teeth in consulting, then went to Cisco on the team building the original iPhone — Cisco’s VoIP handset, the trademark Apple later acquired in the 2007 settlement. At TPG in 1999 I sold frame-relay networks when frame-relay was the cutting edge of business connectivity. I built and sold a Sydney-based MSP called Online IT before relocating to Perth.
Three decades of watching what’s actually changed and what hasn’t. The technology has changed almost beyond recognition. The principles haven’t. Identity first. Backup that has actually been tested. A senior practitioner who knows your environment. Calm in an incident. Honest answers when the answer is “no.”
That’s whedo.it. That’s the brief. That’s why long-tenure clients don’t leave.
— Warren Ephron, Director