The true cost of a Microsoft 365 data breach for a small business

Most SMEs think a cyber breach is something that happens to bigger businesses. The reality is different: a large share of attacks target small businesses, and the financial and reputational consequences can be business-ending. Here's what a breach actually costs.

The reality of SME cyber attacks

  • 43% of cyber attacks target small businesses
  • £15k+ average breach cost for UK SMEs
  • 60% of breached SMEs go out of business within 6 months
  • 90% of breaches caused by human error

The numbers are stark. Small businesses are targeted heavily — partly because they're perceived as easier targets, and partly because they hold valuable data (client financial information, legal records, personal data) without the security infrastructure to protect it.

And Microsoft 365 is frequently at the centre of these attacks. Business email compromise — where attackers take over a Microsoft 365 account and use it to intercept payments, steal data, or impersonate the business — is one of the fastest-growing forms of cybercrime targeting SMEs.

Microsoft 365 is the most targeted cloud platform
Microsoft 365 accounts are among the most actively targeted by cybercriminals — not because Microsoft's security is weak, but because so many businesses use it and so few configure it properly. A properly secured Microsoft 365 environment is extremely difficult to breach. An improperly configured one is a relatively easy target.

What a breach actually costs — broken down

Immediate (Days 1–7)
Incident response costs
  • Emergency IT forensics and containment — identifying how the breach occurred, what was accessed, and stopping further damage. Typically £2,000–8,000
  • Business downtime — staff unable to work while systems are investigated and restored. For a 10-person business, even 2 days of downtime can cost £5,000–15,000 in lost productivity
  • Emergency communications — informing affected clients, suppliers, and staff. Management time alone can represent £1,000–3,000
  • Password resets, MFA re-enrolment, and account recovery across the entire organisation. Resetting a password alone is not enough: active sessions and refresh tokens must also be revoked, or an attacker who already holds a token stays signed in
Short Term (Weeks 1–12)
Regulatory and legal exposure
  • ICO notification is mandatory within 72 hours of becoming aware of a personal data breach that is likely to put individuals at risk. Failure to notify can itself be fined. Fines for serious breaches under UK GDPR can reach £17.5 million or 4% of global annual turnover, whichever is higher
  • Legal costs for advice on GDPR obligations, client notifications, and potential claims. Typically £2,000–10,000 for a small business
  • Client notification costs — particularly significant for accountants and solicitors who hold large volumes of personal data
  • Cyber insurance claim processing — if you have insurance, the claims process takes time and management resource
Long Term (Months 3–24)
Reputational and ongoing costs
  • Client loss — businesses in regulated sectors (accountancy, legal) can lose clients permanently after a breach. Losing even two significant clients can mean £20,000–100,000+ in lost annual revenue
  • Increased cyber insurance premiums — typically 30–100% higher after a claim, for 3+ years
  • Remediation investment — properly securing the environment after a breach typically costs more than it would have cost to do it correctly in the first place
  • Management distraction — the time spent dealing with breach consequences takes senior management away from running the business for months

Business email compromise — the most common M365 attack

Business email compromise (BEC) is the most financially damaging form of cybercrime targeting SMEs. Here's how a typical attack unfolds:

  1. Account takeover. An attacker obtains an employee's Microsoft 365 credentials — usually through phishing — and signs into their account. Without MFA enforced, this is trivial.
  2. Silent monitoring. The attacker reads emails silently for days or weeks, learning the business's payment processes, client relationships, and communication patterns. They typically create inbox rules that forward copies of mail to an external address and move or delete replies, so the account owner sees nothing unusual.
  3. Interception. When a significant payment is expected — a client paying an invoice, a property transaction, a supplier payment — the attacker intercepts the communication and substitutes their bank account details, replying from the compromised mailbox itself or from a look-alike domain.
  4. Discovery. The fraud is typically discovered when the legitimate payment doesn't arrive, often weeks later. By then, the money is gone.

Average losses from business email compromise attacks on UK SMEs range from £15,000 to over £200,000. Banks rarely refund these losses in full, as the payment was authorised by the business.
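The "silent monitoring" stage above leaves traces in the tenant: mailbox-level forwarding and inbox rules that forward, redirect or hide mail. The following script is an added example written for this page (it is not SRX IT's tooling) that hunts for those traces across every user mailbox with the ExchangeOnlineManagement module. It assumes the tenant's accepted domains are the ones listed in $InternalDomains and that the account running it can read all mailboxes; both the domain and the output path are placeholders.

```powershell
# Added example (not SRX IT's own tooling): hunt for the mailbox-level traces an
# attacker typically leaves during the "silent monitoring" phase of a BEC attack.
# Requires the ExchangeOnlineManagement module and an Exchange admin account.

Connect-ExchangeOnline -ShowBanner:$false

# Assumption: replace with your tenant's accepted domains. Any forwarding target
# outside this list is treated as suspicious and worth a human look.
$InternalDomains = @('example.co.uk')

function Test-ExternalRecipient {
    param([string[]]$Recipients)
    foreach ($r in $Recipients) {
        # Inbox rule recipients stringify as '"Name" [SMTP:user@domain]'; pull the domain out
        if ($r -match '[\w.+-]+@([\w.-]+)') {
            $domain = $Matches[1].ToLower()
            if ($InternalDomains -notcontains $domain) { return $true }
        }
    }
    return $false
}

$findings  = @()
$mailboxes = Get-Mailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox

foreach ($mbx in $mailboxes) {
    # 1. Mailbox-level forwarding, whether set by an admin or through the user's own settings
    if ($mbx.ForwardingSmtpAddress -or $mbx.ForwardingAddress) {
        $findings += [pscustomobject]@{
            Mailbox = $mbx.UserPrincipalName
            Type    = 'MailboxForwarding'
            Detail  = "Smtp=$($mbx.ForwardingSmtpAddress) Addr=$($mbx.ForwardingAddress) KeepCopy=$($mbx.DeliverToMailboxAndForward)"
        }
    }

    # 2. Inbox rules that forward, redirect or bury mail: how an attacker both
    #    exfiltrates a copy and hides the replies to the messages they are faking
    $rules = Get-InboxRule -Mailbox $mbx.UserPrincipalName -ErrorAction SilentlyContinue
    foreach ($rule in $rules) {
        $forwards = (@($rule.ForwardTo) + @($rule.ForwardAsAttachmentTo) + @($rule.RedirectTo)) | Where-Object { $_ }
        $external = Test-ExternalRecipient -Recipients ($forwards | ForEach-Object { "$_" })
        $hides    = $rule.DeleteMessage -or ("$($rule.MoveToFolder)" -match 'RSS|Archive|Deleted|Junk|Conversation History')
        if ($external -or $hides) {
            $type = if ($external) { 'ExternalForwardRule' } else { 'HidingRule' }
            $findings += [pscustomobject]@{
                Mailbox = $mbx.UserPrincipalName
                Type    = $type
                Detail  = "Rule '$($rule.Name)' Enabled=$($rule.Enabled) Forward=$($forwards -join ';') Delete=$($rule.DeleteMessage) MoveTo=$($rule.MoveToFolder)"
            }
        }
    }
}

$findings | Format-Table -AutoSize
$findings | Export-Csv -Path .\bec-indicators.csv -NoTypeInformation   # assumption: output path

# Preventive control to pair with the hunt: block automatic forwarding to external
# addresses tenant-wide in the default outbound spam policy (EOP / Defender for Office 365).
# Set-HostedOutboundSpamFilterPolicy -Identity Default -AutoForwardingMode Off
```

Run it on a schedule and review every hit by hand: legitimate forwarding exists (a director copying mail to a personal account is common), but a rule that forwards externally and deletes or moves replies to the RSS Subscriptions folder is the textbook BEC signature. The commented Set-HostedOutboundSpamFilterPolicy line removes the external-forwarding capability altogether, which is the right default for most SMEs.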

MFA alone would prevent over 99% of account takeovers
Microsoft's own data shows that MFA blocks over 99.9% of automated account-compromise attacks. The great majority of business email compromise cases involve Microsoft 365 accounts without MFA enforced. It is the single most impactful security control available. Security defaults give every tenant MFA at no cost; Conditional Access, which lets you enforce it precisely and add conditions such as device or location, is included in Business Premium. One caveat: adversary-in-the-middle phishing kits can relay app-based and SMS prompts, so phishing-resistant methods (FIDO2 security keys or passkeys) and Conditional Access together are the stronger target state.
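As an added example of what "MFA enforced" looks like in practice (this is illustrative code written for this page, not SRX IT's or Microsoft's), the script below creates a tenant-wide "require MFA" Conditional Access policy with the Microsoft Graph PowerShell SDK. It starts in report-only mode so the sign-in logs show what the policy would have blocked before anything is enforced, and it excludes an emergency-access account so a mistake cannot lock every admin out. The account name and policy display name are placeholders.

```powershell
# Added example (not SRX IT's or Microsoft's code): create a tenant-wide "require MFA"
# Conditional Access policy in report-only mode via Microsoft Graph PowerShell.
# Conditional Access needs Entra ID P1, which Microsoft 365 Business Premium includes.
# Requires: Install-Module Microsoft.Graph -Scope CurrentUser

Import-Module Microsoft.Graph.Users
Import-Module Microsoft.Graph.Identity.SignIns
Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess', 'Policy.Read.All', 'User.Read.All'

# Assumption: the UPN of your emergency-access ("break-glass") account. Never create a
# tenant-wide policy without excluding one; a misconfigured policy otherwise locks out admins too.
$BreakGlassUpn = 'breakglass@example.co.uk'
$breakGlass = Get-MgUser -UserId $BreakGlassUpn -ErrorAction Stop   # -UserId accepts a UPN

$policy = @{
    displayName = 'CA001 - Require MFA for all users'   # assumption: naming convention
    # Report-only: evaluated and logged in sign-in logs, but nothing is blocked yet.
    # Switch to 'enabled' once the report-only results look right.
    state       = 'enabledForReportingButNotEnforced'
    conditions  = @{
        users = @{
            includeUsers = @('All')
            excludeUsers = @($breakGlass.Id)
        }
        applications   = @{ includeApplications = @('All') }
        clientAppTypes = @('all')   # browser, mobile/desktop apps and legacy auth clients
    }
    grantControls = @{
        operator        = 'OR'
        builtInControls = @('mfa')
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
"Created '$($created.DisplayName)' ($($created.Id)) in state $($created.State)"

# Sanity check of the current state: which enabled policies already require MFA, and for whom?
Get-MgIdentityConditionalAccessPolicy |
    Where-Object { $_.State -eq 'enabled' -and $_.GrantControls.BuiltInControls -contains 'mfa' } |
    Select-Object DisplayName, @{ n = 'IncludedUsers'; e = { $_.Conditions.Users.IncludeUsers -join ',' } }
```

After a week or two in report-only mode, review the sign-in logs for the policy's "report-only: failure" results, register MFA for anyone who would have been blocked, and then flip the state to enabled. Pair this with a second policy that blocks legacy authentication, since protocols such as basic-auth SMTP and IMAP cannot prompt for MFA at all.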

The cost of prevention vs the cost of a breach

Let's put this in concrete terms for a 10-person SME:

Cost comparison                                   Monthly   Annual
SRX IT Standard plan (10 users)                   ~£400     ~£4,800
Average breach cost for 10-person SME             N/A       £25,000–75,000
Years of prevention for the cost of one breach    N/A       5–15 years

The economics are not complicated. Proper Microsoft 365 security costs a fraction of a single breach. The question isn't whether you can afford to secure your environment — it's whether you can afford not to.

Good news — Microsoft 365 is very secure when configured correctly
The tools to prevent the vast majority of breaches are already included in Microsoft 365 Business Premium — MFA, Conditional Access, Defender for Business, Intune, and anti-phishing policies. The problem is almost never Microsoft's security. It's businesses not configuring the features they're already paying for. A properly configured Business Premium environment is genuinely difficult to breach.

Find out how secure your Microsoft 365 is right now

Book a free Microsoft 365 Health Check. We'll assess your security configuration and tell you honestly whether you're at risk — before an attacker finds out for you.


Key takeaways

  • Small businesses are targeted heavily, and a breach costing tens of thousands of pounds can be business-ending.
  • Business email compromise is the most common and most costly Microsoft 365 attack, and it almost always starts with a stolen password on an account without MFA.
  • Breach costs run for months: incident response and downtime first, then ICO and legal exposure, then lost clients and higher insurance premiums.
  • Microsoft 365 Business Premium already includes the controls that stop most attacks; the gap is configuration, not tooling.
  • For a 10-person SME, a year of managed Microsoft 365 security costs roughly a tenth of a single breach.

About SRX IT Solutions
Microsoft 365 security specialist based in Birmingham. We help SMEs configure and maintain proper Microsoft 365 security — so a breach doesn't happen in the first place.