
The UK Government’s Cyber Security Breaches Survey 2025/2026 says 43% of businesses identified a cyber breach or attack in the last 12 months, which equates to around 612,000 UK businesses. If you run a 50-person company, the figure that should probably catch your eye is even sharper: 65% of medium-sized businesses reported a breach or attack.
That does not mean your company is doomed. It does mean that cyber risk is not a background IT issue anymore. For a business of your size, it is now a practical management problem involving people, devices, Microsoft 365, suppliers, passwords, backups, incident response and day-to-day support.
The awkward part is that most attacks do not look dramatic at first. They often start with a routine email, a fake Microsoft login page, a supplier invoice query or a staff member approving something in a rush. That is why the real question is not “could this happen to us?” It is “would we notice quickly, and would we know what to do next?”
What the 2026 breach figures really mean
The 612,000 figure comes from businesses that identified a breach or attack. That wording matters. It means the true number may be higher, because some businesses will not detect incidents at all.
For a 50-person business, that is important. You are probably large enough to have a meaningful digital footprint, but not always large enough to have a full internal security team. You may have Microsoft 365, shared files, cloud applications, remote workers, finance systems, mobile devices, a CRM, and several third-party suppliers. Each one adds convenience. Each one also adds another place where access, configuration and monitoring need to be right.
This is where good managed IT support services in London can make the difference between vague reassurance and visible control. You do not need an over-engineered security programme. You need a sensible, documented, monitored setup that matches how your business actually works.
| 2026 survey figure | What it means for a 50-person company | Practical response |
|---|---|---|
| 43% of UK businesses identified a breach or attack | Cyber incidents are now common across the wider business population | Do not treat cyber security as a once-a-year policy exercise |
| Around 612,000 UK businesses were affected | This is not just an enterprise problem | Build practical controls around users, cloud accounts and devices |
| 65% of medium businesses identified a breach or attack | A 50-person firm sits in a higher-risk size band | Review monitoring, response planning and staff reporting habits |
| 38% of businesses experienced phishing attacks | Email and identity remain major routes in | Combine filtering, training and realistic phishing testing |
| 29% of affected businesses experienced breaches or attacks at least weekly | Some businesses face repeated attempts, not isolated incidents | Monitor patterns, not just one-off alerts |
| 31% of businesses had board-level cyber responsibility | Many firms still lack clear ownership | Give one senior person responsibility for cyber risk and reporting |
Why a 50-person company is in an uncomfortable middle ground
A 10-person business may have a simpler setup. A 500-person business may have a security team, formal governance and dedicated tooling. A 50-person company often sits between the two.
You may have enough complexity to attract risk, but not enough internal time to manage everything properly. That can create a dangerous sense of “we’re probably fine”.
For example, imagine your finance manager receives what looks like a normal supplier email. The email asks them to update bank details before the next payment run. It uses the right supplier name, the right tone and a convincing email signature. The message arrives during month-end, when everyone is busy.
That single moment is where policy, training, email security and reporting culture all meet. If your team knows how to spot a phishing email, they may pause. If they have a simple reporting process, they may forward it to IT. If your email controls are strong, the message may never arrive. If you use realistic training, the finance team may already have seen a similar scenario in a safe environment.
If none of that is in place, you are relying on someone being calm, alert and sceptical at exactly the right moment.
That is not a strategy.
Phishing is still the everyday problem
Phishing remains the most common type of breach or attack reported by UK businesses. That should not surprise anyone who has worked in a busy office.
Most phishing is not clever in a Hollywood sense. It is simply timed well. It arrives when someone is rushing, distracted, tired or trying to be helpful.
A good anti-phishing company should not just send staff a training video and call the job done. It should help you understand how phishing reaches your users, how your Microsoft 365 environment is configured, how staff report suspicious activity, and how you respond when someone does click.
Northern Star’s own guide on how to run phishing simulations makes a useful point: simulations should improve behaviour, not shame people. That matters. Staff are more likely to report mistakes quickly if they believe the process is there to protect the business, not embarrass them.
You can also strengthen the technical side through Anti-Phishing for Microsoft 365, because many 50-person firms now rely heavily on Microsoft accounts, Teams, SharePoint and OneDrive. That creates a large identity surface. Attackers know this.
Microsoft 365 is often the centre of the risk
For many businesses, Microsoft 365 has become the office. Email, files, calendars, Teams chats, SharePoint permissions and user accounts all sit inside it.
That is efficient, but it also means a compromised Microsoft 365 account can cause real damage. An attacker may read emails, create forwarding rules, access client files, impersonate staff, delete data or use the account to target suppliers.
This is why Microsoft 365 support services in London should include more than licence management and password resets. You need secure configuration, MFA reviews, access control, backup planning, monitoring and regular checks for suspicious activity.
Northern Star has also covered why Microsoft 365 MFA may not be enough against device-code phishing. This is worth reading if your business assumes MFA alone has solved account takeover risk. MFA is important, but the method matters. Some approaches are more resistant to phishing than others.
You should also think about backup. Microsoft 365 retention is not the same as a proper recovery plan. If a user account is compromised and files are deleted or altered, you need to know what can be restored, how quickly, and at what cost. The article on what cloud-to-cloud backup really costs is useful if you are weighing this up properly rather than just assuming “it’s in the cloud, so it’s safe”.
The breach might start outside your business
The survey also highlights that relatively few businesses formally review supplier cyber risk. For a 50-person company, this can be a blind spot.
Your own systems might be reasonably well managed, but what about your payroll provider, marketing platform, outsourced finance support, CRM, software suppliers or external consultants? If one of them is compromised, attackers may use that trusted relationship to reach you.
This is where business email compromise becomes especially relevant. Attackers often exploit trust. They may not need to break into your network if they can take over a supplier email account and send a believable message.
A practical review should ask:
- Which suppliers have access to your systems or data?
- Which suppliers send payment instructions or sensitive documents?
- Which accounts have admin privileges?
- What happens if a supplier email account is compromised?
- Who verifies changes to payment details?
- How quickly would your team report something suspicious?
These are not glamorous questions, but they are the kind that stop avoidable incidents.
Endpoint security still matters
It is easy to focus on cloud accounts and forget the devices people use every day. Laptops, desktops and mobile devices remain common points of exposure.
A user may click a link. A device may miss patches. A remote worker may use an unsecured network. A laptop may run outdated software. A malicious attachment may be opened on a machine with weak protection.
Northern Star’s article on how endpoint security helps stop ransomware before encryption starts explains the key issue well: by the time files start encrypting, the attacker may already have been inside the environment for some time.
That is why Endpoint Security That Pays Off and Why EDR Matters More Than Ever are worth reviewing alongside your current antivirus setup. Traditional antivirus is not always enough for modern attacks. Behavioural detection, containment and response capability can make a material difference.
You should also monitor security performance over time. The article on endpoint security metrics gives a useful way to think about what should be tracked monthly, rather than only asking whether a tool is installed.
Cyber risk becomes harder when you work across locations
A 50-person company may not be confined to one office. You may have staff in London, remote workers across the UK, a small European presence, or a US office that needs support across time zones.
The security problem then becomes consistency. Are all users protected to the same standard? Are devices patched in every location? Do overseas staff get the same response times? Are Microsoft 365 policies applied globally? Does someone own escalation when incidents happen outside UK hours?
If you have European staff or customers, European IT services can help keep support standards consistent. If your business operates across several countries, multinational IT support services become even more important because security gaps often appear between regions, providers and time zones.
Northern Star’s article on writing SLAs for multinational IT support is helpful here. Your support plan should not quietly give better coverage to one office while leaving another to “best endeavours”.
The same applies if you are changing systems. During platform migration services, temporary access, duplicate accounts, legacy systems and configuration changes can all create short-term risk. A migration should include security continuity, not just technical delivery.
Dark web monitoring gives you an earlier warning
Many breaches begin with credentials that are already exposed somewhere else. Staff reuse passwords. Old accounts remain active. Personal and work email addresses appear in breach datasets. Attackers then test those details against cloud platforms, VPNs and business systems.
A dark web monitoring company can help you spot exposed credentials or company information before it turns into account misuse. This does not prevent every attack, but it gives you useful visibility.
You can read Northern Star’s article on dark web monitoring explained for a realistic view of what it can and cannot tell you. The comparison of dark web monitoring vs breach monitoring is also useful if you want to understand the difference before choosing a service.
The key is speed. If an alert shows that a user credential is exposed, the response should be clear: reset the password, revoke sessions, check MFA, review sign-in logs and confirm whether any suspicious activity has already occurred.
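As an added example (not Northern Star's code, and not taken from the survey), the PowerShell script below works through that response list for a single Microsoft 365 user and also checks for the mailbox forwarding rules mentioned earlier. It assumes the Microsoft.Graph and ExchangeOnlineManagement modules are installed, that the operator holds the admin roles needed to reset passwords and read sign-in logs, and uses `user@example.com` as a placeholder address.

```powershell
# Added example: first-hour response when a dark web alert says a Microsoft 365
# user's credential is exposed. Assumes Microsoft.Graph and ExchangeOnlineManagement
# modules and an operator with the relevant admin roles. $Upn is a placeholder.
param([string]$Upn = 'user@example.com')   # constructed placeholder address

Connect-MgGraph -Scopes 'User.ReadWrite.All','Directory.AccessAsUser.All','AuditLog.Read.All','UserAuthenticationMethod.Read.All' -NoWelcome
Connect-ExchangeOnline -ShowBanner:$false

$user = Get-MgUser -UserId $Upn -Property Id,DisplayName,UserPrincipalName

# 1. Reset the password to a random temporary value; the user must change it at next sign-in.
$tempPassword = -join ((48..57) + (65..90) + (97..122) | Get-Random -Count 24 | ForEach-Object { [char]$_ })
Update-MgUser -UserId $user.Id -PasswordProfile @{
    Password                      = $tempPassword
    ForceChangePasswordNextSignIn = $true
}

# 2. Revoke refresh tokens so every existing session (web, mobile, desktop) has to re-authenticate.
Revoke-MgUserSignInSession -UserId $user.Id | Out-Null

# 3. List registered MFA methods; anyone who held the account may have registered their own.
Get-MgUserAuthenticationMethod -UserId $user.Id |
    Select-Object Id, @{ n = 'Type'; e = { $_.AdditionalProperties['@odata.type'] -replace '#microsoft.graph.', '' } } |
    Format-Table -AutoSize

# 4. Review the last 7 days of sign-ins: unfamiliar countries, IPs or apps mean the credential was already used.
$since = (Get-Date).AddDays(-7).ToUniversalTime().ToString('yyyy-MM-ddTHH:mm:ssZ')
Get-MgAuditLogSignIn -Filter "userPrincipalName eq '$Upn' and createdDateTime ge $since" -Top 200 |
    Select-Object CreatedDateTime, IpAddress,
                  @{ n = 'Country'; e = { $_.Location.CountryOrRegion } },
                  AppDisplayName, ClientAppUsed,
                  @{ n = 'Result'; e = { if ($_.Status.ErrorCode -eq 0) { 'Success' } else { "Fail $($_.Status.ErrorCode)" } } } |
    Format-Table -AutoSize

# 5. Check for mailbox persistence: inbox rules that forward, redirect or delete mail,
#    and mailbox-level forwarding, are the usual signs of someone reading or hiding messages.
Get-InboxRule -Mailbox $Upn |
    Where-Object { $_.ForwardTo -or $_.ForwardAsAttachmentTo -or $_.RedirectTo -or $_.DeleteMessage } |
    Select-Object Name, Enabled, ForwardTo, RedirectTo, DeleteMessage |
    Format-Table -AutoSize
Get-Mailbox -Identity $Upn |
    Select-Object ForwardingSmtpAddress, ForwardingAddress, DeliverToMailboxAndForward
```

Run it once per affected user and keep the sign-in and rule output with the incident record, since that is the evidence that tells you whether the exposure was only a leaked password or an account that was already being used.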
Build the basics before chasing complexity
There is a tendency in cyber security to make everything sound more advanced than it needs to be. For a 50-person company, the basics still carry a lot of weight.
Northern Star’s article on the importance of secure IT defences covers the foundation: firewalls, antivirus, encryption, secure passwords, system updates and staff education. The older but still relevant guide on securing your small business network and the post on corporate firewall security are also useful reminders that basic configuration still matters.
Cyber Essentials remains a sensible framework for many UK organisations because it focuses on core controls. Northern Star’s guide on becoming Cyber Essentials accredited is a good starting point if you want a structured way to assess your position.
You should also look at device age and patching. The 72-hour patch window article is relevant because monthly updates may not be enough for serious vulnerabilities. The zombie tech audit is also worth considering if you have forgotten routers, cameras, printers or old devices still connected to the network.
A practical 50-person cyber review
You do not need to turn this into a 6-month internal project. Start with a structured review that answers the questions most likely to expose risk.
| Area to review | Question to ask | Why it matters |
|---|---|---|
| Microsoft 365 | Are MFA, conditional access, admin roles and backup properly configured? | Microsoft 365 is often the centre of daily business activity |
| Email security | Are phishing protections tested and understood by staff? | Phishing remains the most common attack route |
| Devices | Are all laptops and desktops patched, monitored and protected? | Endpoints are still common entry points |
| Backups | Can you restore key data quickly after deletion, corruption or ransomware? | Recovery speed affects downtime and cost |
| Dark web exposure | Do you know whether staff credentials are already exposed? | Stolen credentials can lead to account takeover |
| Suppliers | Do you verify payment changes and review supplier access? | Supplier compromise can become your incident |
| Incident response | Who does what in the first hour after a suspected breach? | Speed and clarity reduce impact |
| Leadership | Who reports cyber risk to senior management? | Ownership prevents cyber security becoming nobody’s job |
If this feels like more than your internal team can handle, that is not a failure. It is a resourcing decision. Northern Star’s article on the benefits of outsourcing your IT to an MSP explains why many businesses use external support to access expertise they cannot justify hiring full-time.
You can also build this into a broader plan. The article on building a proactive IT support and management plan is useful if your current IT support feels too reactive.
FAQs
What is the Cyber Security Breaches Survey?
The Cyber Security Breaches Survey is a UK Government survey that looks at cyber security breaches, attacks, risk management and resilience among UK businesses, charities and education institutions. The 2025/2026 report found that 43% of businesses identified a breach or attack in the last 12 months.
Is a 50-person business classed as a medium-sized business?
In the survey context, a business with 50 employees sits at the start of the medium-sized category. That matters because medium-sized businesses reported a higher breach or attack rate than the overall business population.
What is the most common cyber attack against UK businesses?
Phishing remains the most common type of breach or attack reported by businesses. It often works because it targets normal human behaviour, such as urgency, trust and routine work habits, rather than only technical weaknesses.
Does cyber security matter if my business is not in finance or technology?
Yes. Cyber incidents affect businesses across many sectors. Even if you do not think of yourself as a high-risk organisation, you probably still hold staff data, client data, financial information, supplier details and cloud accounts that attackers can exploit.
What should a 50-person company do first?
Start with visibility. Review Microsoft 365 security, MFA, backups, endpoint protection, phishing controls, dark web exposure, supplier access and incident response. Then prioritise the gaps that could cause the most disruption if exploited.
Do we need Cyber Essentials?
Cyber Essentials can be a useful benchmark for many UK businesses because it focuses on practical technical controls. It can also support client confidence, procurement requirements and internal discipline around basic cyber hygiene.
Ready to understand your real cyber exposure?
If you are running a 50-person business, the 2026 figures should not cause panic. They should prompt a sensible review.
You need to know where your risks are, whether your Microsoft 365 setup is properly secured, whether your users are prepared for phishing, whether your backups will work, and whether someone will spot suspicious activity before it becomes a serious incident.
Northern Star helps businesses strengthen IT support, cyber security, Microsoft 365, endpoint protection, dark web monitoring and international support in a practical way. If you want a clear view of where your current setup is strong and where it needs work, get in touch with Northern Star and have a straightforward conversation with the team.