I spent time with Mauven this week working through the Unit 42 Global Incident Response Report 2026. Seven hundred and fifty incident response engagements. Fifty-plus countries. Real cases. The headline statistic, 89% of investigations involving identity as a material factor, is striking.

But it's not the number that should concern you most. It's what that number tells us about where organisations are spending their security budgets versus where attackers are actually operating.

They are not in the same place. That gap is the problem. And it is one that UK small businesses are exceptionally well-positioned to close, if they choose to.

You've got MFA turned on. Authenticator app, text codes, the lot. You think you're protected. Now picture this: your finance director clicks a legitimate-looking link, signs in, approves the MFA request like always, and boom—an attacker just stole her session token. Full access to Microsoft 365. No more MFA prompts needed. Welcome to 2026, where adversary-in-the-middle attacks surged 146% in the past year. Nearly 40,000 incidents daily. Your traditional MFA? Doing precisely nothing to stop them. Time to talk about phishing-resistant authentication before your competitor gets breached instead of you.

Your passwords are already for sale. The only question is whether you know it yet. Stolen credentials jumped from 10% to 16% of all cyberattacks in just one year, making it the second most common attack vector behind exploits. With 3.9 billion passwords compromised by infostealer malware and 94% of people reusing the same credentials across multiple sites, your business authentication isn't just vulnerable; it's already broken. While you're investing in firewalls and endpoint protection, criminals are buying your employees' passwords for pennies on the dark web. Time to stop pretending multi-factor authentication is optional.

Microsoft Teams is the new darling of UK business. It’s chat, calls, meetings, file sharing and productivity all in one app. Unfortunately, it’s also a goldmine for attackers, and they know it.

With the Tycoon 2FA phishing kit now targeting Microsoft 365 users through fake Teams login prompts, criminals are bypassing multifactor authentication in real time. It’s slick. It’s scary.

And worst of all, it works. If your business still believes Teams is “safe because it’s Microsoft,” you’re dangerously behind the curve.

Phishing has moved in. And it brought its own desk chair.