The January 2026 M365 outage — what really took it down
Microsoft attributed the global M365 disruption to a maintenance event and third-party network issue, not an attack. The lesson for SMBs is BCDR, not blame.
QR-code phishing doubled in Q1 2026 — your existing filters won't see it
Microsoft's Threat Intelligence team blocked 8.3 billion phishing emails in Q1 2026. The fastest-growing vector: QR codes that move the attack off email and onto an unmanaged phone.
Verizon's 2025 DBIR: 88% of SMB breaches now involve ransomware
The annual Data Breach Investigations Report puts the SMB ransomware rate at 88% — and notes operators now disrupt backups in the first hour of intrusion.
If you turn Copilot on before Purview, you have a data problem
Copilot reads what your users can read. Without sensitivity labels and access scoping, that's everything in SharePoint. Purview before Copilot — not after.
Essential Eight 2026 — tighter, not optional
The ACSC is pushing Essential Eight from box-tick to measurable. Patching speed, privileged access discipline, and hardening are the three areas tightening this year.
72 hours to report — Australia's mandatory ransomware payment law is live
Since May 2025, organisations with turnover above $3M (or critical-infrastructure responsibility) must report any ransomware payment to the ASD within 72 hours.
Privacy Act expansion — 100,000+ small businesses regulated from 1 July 2026
An estimated 100,000 small businesses become Privacy Act-regulated from 1 July 2026. If you handle customer data and you've never read the APPs, the time is now.
Your VPN is the breach vector. Stop calling it the perimeter.
Microsoft's 2026 threat reporting consistently puts VPN authentication at the start of domain-wide compromise. AVD with Conditional Access is the modern replacement.
Immutable backup is the baseline now. Tested immutable backup is the standard.
Modern ransomware operators delete or encrypt backups before triggering the main payload. Immutable storage plus monthly restore-tests is no longer optional.
The $254K SMB attack — and why insurance doesn't make it go away
Microsoft Security pegs the average SMB cyber-attack cost at $254,445. NinjaOne data shows 60% of SMBs fail within six months of a serious breach.
Microsoft critical vulnerabilities doubled in 2025 — what that actually means
Critical Microsoft vulnerabilities surged from 78 to 157 year-over-year. Azure and Dynamics critical CVEs jumped 9x. Patching cadence is the differentiator.
Microsoft 365 Business Premium is doing more work than most owners realise
M365 Business Premium quietly bundles Intune, Defender for Business, Conditional Access and AIP. Most SMBs are paying for it and using ~30% of it.
AI-powered phishing — when the bait stops being clumsy
The new generation of phishing campaigns uses generative AI to produce grammatically perfect, context-aware lures. The old "watch for bad English" advice is dead.
AVD without cost control is an Azure invoice waiting to surprise you
Azure Virtual Desktop is powerful and, without orchestration, expensive. Nerdio Manager Enterprise auto-scales host pools and keeps the monthly bill predictable.
Security Defaults isn't Conditional Access — don't confuse the two
M365's free Security Defaults are a good starting line. Conditional Access is the actual finishing line, and most SMBs need it.
Supply-chain attacks via MSP tooling — why your provider's posture is your posture
MSP tooling has been a high-value target for nation-state and ransomware groups for years. In 2025–26, your provider's RMM and PSA are part of your attack surface.
ACSC responded to 1,200+ incidents in FY24–25 — up 11%
The Australian Cyber Security Centre's annual figures show 1,200+ incidents responded to and 1,700+ alerts issued. The volume isn't slowing.
The thirteen ways IT delivery breaks in fast-growing firms
DKB Innovative's 2026 analysis of managed-IT delivery problems is required reading for any SMB outgrowing its current provider.
Azure, Dynamics 365 and M365 — fresh IRAP assessments published
Microsoft's 2026 independent IRAP assessments of Azure, Dynamics 365 and M365 are now available, supporting Australian Government and regulated-industry workloads.
Shadow AI — your staff are using it. Your governance probably isn't.
Staff are pasting client data into ChatGPT, Claude, Gemini and a dozen other tools to get work done. The governance question is what you do about it — not whether it's happening.
The December 2025 Teams outage — messaging delay, real lessons
Microsoft Teams suffered a significant worldwide messaging-delay event on 20 December 2025. The cause was infrastructure. The lesson is comms-channel diversity.
Office 365 vs Microsoft 365 — still the most-asked question of 2025
The naming is genuinely confusing. The licensing matters. A short guide to which SKU SMBs should actually be on in 2026.
Why ransomware victims pay — and why "don't pay" is harder than it sounds
The "never pay" mantra is sound public-policy advice. It's also a much harder call when it's your business and your customers' data on the clock.
Essential Eight maturity levels — stop treating ML1 as a destination
Maturity Level One was always a starting line. In 2026 it's increasingly being read by insurers and regulators as the floor, not the goal.
Australia's new statutory tort for serious invasions of privacy — quietly active
Since 10 June 2025, individuals can sue for serious invasions of privacy directly under a new statutory tort. The bar is high. The exposure is real.
What SMBs are actually spending on cybersecurity in 2026
Industry data through 2025–26 shows SMB cyber spend rising sharply — driven less by enthusiasm than by insurance, customer questionnaires, and recent pain.
Microsoft's official guidance: enable Purview Audit before turning Copilot on
Microsoft's own Learn documentation now states: enable Purview Audit before Copilot activation, and verify that Copilot-specific events are captured.
Windows Server 2016 — the end-of-life conversation everyone's deferring
Mainstream support for Windows Server 2016 ended in January 2022. Extended support ended January 2027. If it's still in your environment, the migration window is closing.
Session token theft — the MFA-bypass trend you can't ignore
MFA is no longer enough on its own. Adversary-in-the-middle attacks steal session tokens after auth completes. The defence is Conditional Access and continuous evaluation.
Backup vendors becoming security vendors — the Acronis MDR direction
The line between backup and security has blurred. Acronis, Veeam and others now ship MDR overlays on top of the data-protection stack. The convergence is the point.
SharePoint permissions audit — the silent prerequisite for everything else
Most SMB SharePoint environments have years of permission sprawl. Copilot, sensitivity labels, and DLP all assume the permissions are right. They usually aren't.
The hidden risk report — why high-stakes SMBs need proactive managed services
Breaking AC's May 2026 analysis catalogues the recurring "hidden" IT risks in high-stakes SMBs. None are exotic. All are expensive when they bite.
The MSP staffing shortage — why your tickets sit longer than they used to
The 2026 MSP industry data points to a sustained engineering-talent shortage. The visible effect on customers is slower response, junior reassignments, and churn.
Azure cost controls in 2026 — what most SMBs are still leaving on the table
Azure has accumulated a stack of cost-management features over the past two years. Most SMB tenants use a fraction. The unused features are usually the biggest payoff.
Data Privacy Week 2026 — the practical things SMBs should actually do
Data Privacy Week is a useful annual prompt. Use it for the housekeeping work that doesn't get done the other 51 weeks of the year.
Purview DLP for Copilot prompts — finally a sensible control surface
Microsoft's Purview DLP now supports prompt-level controls for Copilot. You can specify what kinds of content Copilot is allowed to be asked about, and what isn't.
Legacy authentication retirement — the migration the industry kept deferring
Microsoft has been pushing legacy auth retirement for years. In 2026, the deferrals stop being optional. Identify dependencies and plan the remediation.
The minimum-viable incident response runbook — four pages, written this month
Most SMBs don't have a written incident-response plan. They will. The question is whether it gets written this month, or under deadline at 2 a.m.
Intune device compliance — the policy you already own, the policy you should turn on
Intune-driven device compliance ties Conditional Access to device posture. It's bundled in Business Premium. Most SMBs are paying for it and not using it.
The quiet disappearance of break-fix IT
Hourly break-fix IT support is shrinking quietly but persistently. The driver isn't fashion — it's that the threat model has outgrown the model.