What the £210 Million Cyber Action Plan Means For Business Resilience

TL;DR: The UK government's £210 million cyber action plan signals a fundamental shift from fragmented defences to coordinated response. For scaling organisations, this creates immediate compliance pressure and long-term opportunity. The path forward is clear: delegate authority to contain identity-led incidents, fund 24x7 response capability and prove control through measurable outcomes.

The Pattern Behind the Numbers

Cyber incidents handled by the NCSC more than doubled to 204 in the 12 months to August 2025. That figure demands scrutiny.

The short answer is this: it is both more attacks and better detection, but detection is the bigger driver in the mid-market.

Attack volume is rising. Automation, ransomware-as-a-service and AI-assisted reconnaissance mean more scanning, more credential stuffing and more opportunistic phishing than 18 months ago. But the real growth is incremental, not exponential.

If attacks had genuinely doubled in impact, we would see systemic outages and catastrophic failures across the mid-market. We are not.

Visibility Changed the Game

The big shift is visibility. As organisations adopt Microsoft Defender, Sentinel, identity protection and basic SOC coverage, they finally see: credential abuse that previously went unnoticed; lateral movement attempts that never triggered legacy AV; business email compromise precursors, not just the completed fraud; and low-and-slow persistence that lived happily in networks for months.

What used to be invisible is now logged, correlated and reported. So the incident count goes up, even though the underlying activity was already there.

Identity-led attacks dominate the numbers. The majority of "new" incidents are not exotic nation-state attacks. They are MFA fatigue attempts, token theft, OAuth abuse, password reuse from previous breaches and misconfigured conditional access.

These attacks scale cheaply for attackers and were historically very hard for mid-market organisations to detect. Now they show up clearly.

Reporting Maturity Caught Up

There is also a cultural shift. Boards now ask for numbers. Regulators expect evidence. Cyber insurance demands logs.

Incidents that would once have been shrugged off as "IT noise" are now correctly classified and escalated. That inflates official figures, but it is a sign of maturity, not failure.

The uncomfortable truth is this: cyber risk has been critically high for years. What changed is that denial is no longer an option. The mid-market is finally measuring risk instead of guessing, seeing attempted compromise instead of just successful compromise and responding earlier rather than cleaning up afterwards.

That is exactly where organisations need to be if they want resilience rather than false comfort.

Fragmentation as the Hidden Cost

Without modern identity telemetry and 24x7 monitoring, mid-market firms notice compromise far too late.

Based on what we see when we first get visibility into an environment, initial identity compromise happens quickly and quietly. Stolen credentials, token replay or MFA fatigue typically succeed in minutes.

Time to detection without proper tooling: 30 to 180 days is common.

In some cases, it is never formally detected at all. The attacker leaves on their own terms or the signal only surfaces after financial fraud, data exfiltration or an insurance claim.

Why Detection Takes So Long

Legacy AV does not see identity abuse. Firewalls do nothing once valid credentials are used. Microsoft security signals exist but are not connected, tuned or monitored. Alerts are generated but never reviewed outside office hours. No baseline of "normal" user behaviour exists.

This is not negligence. It is a visibility problem.

When identity signals are properly instrumented and watched, time to detection drops to hours or days, not months. MFA fatigue and impossible travel get flagged in near real time. Risky sign-ins are correlated with mailbox and endpoint behaviour. Attack chains are interrupted before data theft or ransomware.

This is the difference between attempted compromise and confirmed breach.

What Changes the Timeline

Three things, in order of impact.

  1. Identity-First Telemetry
    You cannot protect what you cannot see. That means Entra ID Protection risk signals fully enabled; Conditional Access enforced and logged; Defender for Identity or equivalent identity behaviour analytics; and legacy authentication protocols and token abuse made visible. This alone collapses dwell time.
  2. Correlation, Not more Alerts
    Mid-market firms already have alerts. They just have too many and no context. Linking identity events to mailbox actions, endpoint behaviour, privilege changes and data access turns noise into incidents. That is where Sentinel or a properly run SOC matters.
  3. Someone Watching at 02:00
    Identity attacks do not respect business hours. A real 24x7 SOC changes outcomes because MFA fatigue can be stopped while it is happening, token theft can be invalidated before persistence is established and suspicious admin activity can be killed immediately.

Without this, detection waits until Monday morning. By then, the damage is done.
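The correlation step in item 2 is easiest to see on data. What follows is an added example written for this article, not a script from the original post or from any vendor's product: it runs over three constructed event sets (the users, IP addresses, times and rule text are invented) and joins them by user within an hour of a risky sign-in. Field names mirror the Entra sign-in log and the Exchange unified audit log, so the same logic maps onto a Sentinel join of SigninLogs (RiskLevelDuringSignIn) with OfficeActivity (Operation "New-InboxRule") on UserPrincipalName.

```powershell
# Added example, not code from the original article. Correlates three
# constructed Microsoft 365 signals (risky sign-in, mailbox audit, endpoint
# alert) for the same user inside a time window and emits one incident with a
# severity and the actions it warrants. All records below are invented.

# --- constructed sample telemetry: one evening, one tenant ---
$signIns = @(
    [pscustomobject]@{ Time = '2025-11-03T01:12:00Z'; User = 'j.smith@example.com'; RiskLevel = 'high'; Result = 'success'; Ip = '203.0.113.44' },
    [pscustomobject]@{ Time = '2025-11-03T09:05:00Z'; User = 'a.jones@example.com'; RiskLevel = 'none'; Result = 'success'; Ip = '198.51.100.7' }
)
$mailboxAudit = @(
    [pscustomobject]@{ Time = '2025-11-03T01:19:00Z'; User = 'j.smith@example.com'; Operation = 'New-InboxRule'; Detail = 'rule "." moves mail from finance@ to RSS Feeds' },
    [pscustomobject]@{ Time = '2025-11-03T10:30:00Z'; User = 'a.jones@example.com'; Operation = 'MailItemsAccessed'; Detail = '' }
)
$endpointAlerts = @(
    [pscustomobject]@{ Time = '2025-11-03T01:40:00Z'; User = 'j.smith@example.com'; Device = 'LT-0457'; Title = 'Suspicious PowerShell download cradle' }
)

# True when an event belongs to the user and falls inside [From, To].
function Test-InWindow {
    param($Event, [string]$User, [datetimeoffset]$From, [datetimeoffset]$To)
    $t = [datetimeoffset]$Event.Time
    $Event.User -eq $User -and $t -ge $From -and $t -le $To
}

function Find-IdentityIncidents {
    param(
        [object[]]$SignIns,
        [object[]]$MailboxAudit,
        [object[]]$EndpointAlerts,
        [int]$WindowMinutes = 60   # how long after the risky sign-in to look for follow-on activity
    )
    # Mailbox operations that mean an attacker is setting up BEC, not a user reading mail. Tune per tenant.
    $becOps = 'New-InboxRule', 'Set-InboxRule', 'Add-MailboxPermission', 'Set-Mailbox'

    foreach ($s in $SignIns) {
        # Only successful sign-ins with medium/high risk start a chain worth correlating.
        if (($s.RiskLevel -notin 'medium', 'high') -or ($s.Result -ne 'success')) { continue }
        $t0 = [datetimeoffset]$s.Time
        $t1 = $t0.AddMinutes($WindowMinutes)

        $mail = @($MailboxAudit  | Where-Object { (Test-InWindow $_ $s.User $t0 $t1) -and ($_.Operation -in $becOps) })
        $edr  = @($EndpointAlerts | Where-Object {  Test-InWindow $_ $s.User $t0 $t1 })

        # Severity and actions follow how far the attack chain has progressed.
        $actions = [System.Collections.Generic.List[string]]::new()
        $actions.Add('Revoke sessions and refresh tokens')
        if ($mail.Count -gt 0) { $actions.Add('Disable account'); $actions.Add('Remove attacker inbox rules') }
        if ($edr.Count -gt 0)  { $actions.Add("Isolate device $($edr[0].Device) in Defender for Endpoint") }
        $severity = if ($edr.Count -gt 0) { 'Contain and isolate' } elseif ($mail.Count -gt 0) { 'Contain' } else { 'Investigate' }

        [pscustomobject]@{
            User          = $s.User
            RiskySignIn   = "$($s.Time) risk=$($s.RiskLevel) from $($s.Ip)"
            MailboxAbuse  = @($mail | ForEach-Object { "$($_.Time) $($_.Operation): $($_.Detail)" })
            EndpointAlert = @($edr  | ForEach-Object { "$($_.Time) $($_.Device): $($_.Title)" })
            Severity      = $severity
            Actions       = $actions.ToArray()
        }
    }
}

Find-IdentityIncidents -SignIns $signIns -MailboxAudit $mailboxAudit -EndpointAlerts $endpointAlerts | Format-List
```

On the sample data only j.smith surfaces, because a.jones's risk-free sign-in followed by ordinary mail access is exactly the "IT noise" that should never become an incident. Three sources that each looked like a single low-priority alert become one record with an owner and a decision.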

What Coordinated Response Actually Means

The government's new plan talks about a centralised Government Cyber Unit for coordinated decision-making and faster response. Strip away the policy language and "coordinated" really means one thing: clear ownership of decisions, in sequence, at speed.

In the mid-market, incidents rarely fail because tools did not fire. They fail because nobody knows who decides what and when.

What Coordination Looks Like in Practice

In a well-run environment, an incident flows like this:

  1. Detection in a single place, not five disconnected alerts.
  2. Someone decides quickly whether this is real or noise.
  3. The responder is allowed to block a user, kill a session or isolate a device without waiting for a meeting.
  4. Identity, email and endpoint actions happen together, not one at a time.
  5. The business is told what is happening in plain language, with impact and next steps.

That is coordination. It is boring, repeatable and fast.

Where Fragmented Defences Break Down

There are three failure points we see repeatedly.

Detection without ownership: Identity risk flags sit in Entra ID. Email anomalies sit in Defender. Endpoint alerts fire in AV. No single team or service owns the full picture. Result: everyone assumes someone else is looking at it.

The "can we do this?" pause: An analyst sees something serious but cannot disable a user without IT approval, cannot revoke tokens without worrying about business impact, cannot isolate a device without user consent. That pause is fatal. Attackers move faster than change requests.

Identity, endpoint and email respond separately: This is the most damaging gap. What should be one action becomes three: identity team resets a password, endpoint team investigates malware, email team searches mailboxes. Meanwhile, tokens remain valid, sessions stay active and the attacker keeps working. The breach survives the response.

The Authority Problem

The resistance to pre-approved response actions is emotional first, structural second and legal last. Very few organisations are genuinely blocked by law. They are blocked by fear of disruption and fear of being blamed.

In manufacturing and healthcare especially, the dominant worry is locking out the wrong clinician, stopping a production supervisor or disrupting a night shift. That fear outweighs abstract cyber risk, even when the risk is real and active.

Nobody wants to be the person who approved a user disablement that caused downtime, a device isolation that stopped a critical process or a mailbox purge that removed something important. So authority gets pushed upwards until it hits a meeting. At 02:00, that meeting never happens.

We hear "GDPR", "patient safety" and "regulatory risk" often. In reality, GDPR recognises processing that is strictly necessary to secure networks and information systems as a legitimate interest (Recital 49). The NHS Data Security and Protection Toolkit and similar frameworks expect rapid containment. Regulators are far more forgiving of temporary disruption than of uncontrolled compromise.

The legal barrier is usually misunderstood, not real.

What Good Enough Looks Like in 18 Months

The government plan mentions stricter cyber resilience standards for commercial companies supporting critical services. For a 700-person financial services firm or a 400-person manufacturer, regulators will not expect zero incidents. They will expect you to see compromise early, act decisively and prove control.

That boils down to three non-negotiable capabilities.

Identity Containment Within Hours

This is the foundation. "Good enough" means Entra ID Protection risk signals enabled and enforced; Conditional Access doing real work beyond "MFA everywhere"; the ability to revoke tokens, kill sessions and disable accounts immediately; and privileged identity tightly controlled and time-bound through just-in-time elevation such as Privileged Identity Management.

If an attacker gets credentials at 01:00, you can shut them out before morning. Every serious incident now starts with identity. If you cannot contain identity fast, everything else is theatre.

Cross-Domain Detection with 24x7 Response

Not more alerts. Fewer, better decisions. "Good enough" means identity, email and endpoint telemetry correlated in one place, a clear incident owner for every alert, pre-approved response actions executed out of hours and evidence retained for audit and regulators.

This does not require a huge SOC team. It requires continuous monitoring with authority to act. Regulators will ask when you detected the incident and what you did next. "We saw it on Monday" will not pass.

Proven Recovery and Business Continuity

"Good enough" means tested backup and recovery for identity and core systems, clear decision paths for isolating systems without stopping the business, executives who know their role in an active incident and regular exercises using realistic ransomware and identity breach scenarios.

You must be able to keep operating while containing damage. Critical services are judged on continuity, not technical elegance.

The Missing Capability

Identity containment authority. Not tooling. Not licences. Authority.

Firms technically can revoke tokens, disable users and block risky access. But they have not pre-approved when this happens, agreed who can do it at 02:00 or accepted the short-term disruption risk. So compromise lingers while people wait for permission.
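The way to make that authority real is to write the pre-approved scenarios down as a runbook that a named person or service can execute at 02:00. The following is an added example, written for this article rather than taken from the original post or from any product: a containment runbook on the Microsoft Graph PowerShell SDK (Microsoft.Graph module) and, for inbox rules, the ExchangeOnlineManagement module. The scenario names, the "Break Glass Accounts" group, the ticket ID format and the permission set (User.ReadWrite.All and Group.Read.All, or an Entra role able to disable users and revoke sessions) are assumptions for illustration.

```powershell
# Added example, not the article's own tooling. Executes only scenarios the
# business has pre-approved, refuses break-glass accounts, and writes a
# timestamped evidence file for the regulator's "what did you do next" question.

# The business signs this table off in advance. Anything not in it is escalated, not actioned.
$PreApproved = @{
    'MFA fatigue: prompt accepted'      = @('RevokeSessions', 'DisableAccount')
    'Token replay or impossible travel' = @('RevokeSessions')
    'Inbox rule after risky sign-in'    = @('RevokeSessions', 'DisableAccount', 'RemoveInboxRules')
    'Suspicious privileged activity'    = @('RevokeSessions', 'DisableAccount', 'NotifyOnCall')
}

function Invoke-IdentityContainment {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$UserPrincipalName,
        [Parameter(Mandatory)][string]$Scenario,
        [Parameter(Mandatory)][string]$TicketId,
        [switch]$DryRun     # record the decisions without executing them (for exercises)
    )
    if (-not $PreApproved.ContainsKey($Scenario)) {
        throw "Scenario '$Scenario' is not pre-approved. Escalate to the named on-call owner instead of acting."
    }
    Connect-MgGraph -Scopes 'User.ReadWrite.All', 'Group.Read.All' -NoWelcome
    $user = Get-MgUser -UserId $UserPrincipalName -Property Id, UserPrincipalName, AccountEnabled

    # Guard rail: break-glass accounts are never touched by a delegated or automated action.
    $breakGlass = Get-MgGroup -Filter "displayName eq 'Break Glass Accounts'"
    if ($breakGlass -and ((Get-MgGroupMember -GroupId $breakGlass.Id -All).Id -contains $user.Id)) {
        throw "Refusing to contain $UserPrincipalName: break-glass account. Escalate."
    }

    $evidence = [System.Collections.Generic.List[object]]::new()
    foreach ($action in $PreApproved[$Scenario]) {
        $started = (Get-Date).ToUniversalTime().ToString('o')
        if (-not $DryRun) {
            switch ($action) {
                'RevokeSessions' {
                    # Invalidates refresh tokens. Access tokens already issued live until they expire
                    # unless the client supports Continuous Access Evaluation, which is why
                    # DisableAccount accompanies this for confirmed compromise.
                    Revoke-MgUserSignInSession -UserId $user.Id | Out-Null
                }
                'DisableAccount' {
                    Update-MgUser -UserId $user.Id -AccountEnabled:$false
                }
                'RemoveInboxRules' {
                    # Attacker-created forwarding and hide rules keep working after a password reset.
                    # This removes every rule; narrow it to the names seen in the audit log if the business objects.
                    Connect-ExchangeOnline -ShowBanner:$false
                    Get-InboxRule -Mailbox $UserPrincipalName | Remove-InboxRule -Confirm:$false
                }
                'NotifyOnCall' {
                    Write-Warning "Privileged account contained under $TicketId; paging the named business owner."
                }
            }
        }
        $evidence.Add([pscustomobject]@{
            TimeUtc  = $started; Ticket = $TicketId; User = $UserPrincipalName
            Scenario = $Scenario; Action = $action; Executed = -not $DryRun
        })
    }
    # The timeline regulators and insurers ask for: which scenario, which action, when, and whether it ran.
    $evidence | ConvertTo-Json -Depth 3 | Add-Content -Path ".\containment-$TicketId.json"
    return $evidence
}

# Rehearse without touching the account; drop -DryRun to run under the standing approval.
Invoke-IdentityContainment -UserPrincipalName 'j.smith@example.com' -Scenario 'Inbox rule after risky sign-in' -TicketId 'INC-0042' -DryRun
```

Two design points matter more than the cmdlets. The scenario table is the authority decision expressed as data: if the business has not signed a row off, the function refuses and escalates. And the evidence file is written whether or not the actions ran, so a tabletop exercise leaves the same audit trail as a live incident.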

In 18 months, "good enough" will not be defined by how many controls you own. It will be defined by how fast you can prove you are back in control.

The Economic Case Beyond Fear

The government claims the approach could unlock up to £45 billion in productivity savings. When a CFO asks "what does cyber resilience actually save us?", we stop talking about breaches and start talking about avoided cost and recovered time.

Downtime Avoided

This is the biggest and most credible saving. We model it with the CFO: average revenue or output per day, the cost of idle staff time, penalties or SLA credits, and the recovery cost for IT and operations.

Typical mid-market reality: Manufacturing firms face £250k to £1m per day of disrupted production. Financial services firms face £150k to £500k per day in lost activity, remediation and client impact.

What resilience changes: Identity-led containment turns a multi-day outage into hours. Ransomware becomes an attempted incident, not a shutdown.

Conservative saving CFOs accept: Avoiding just one day of outage every two to three years pays for modern cyber resilience programmes on its own.

Incident Response Cost Reduction

This is not hypothetical; CFOs have already paid it. What incidents actually cost internally: overtime for IT and security staff, emergency third-party responders, legal and compliance work, and management time pulled off revenue-generating activity.

For a mid-market firm, a "contained but messy" incident routinely costs £80k to £250k even when no data is lost. Much more if regulators or insurers get involved.

What changes with coordinated response: fewer external consultants, shorter response windows and less executive firefighting. Recognised saving: 20 to 40% reduction in incident handling cost per event. CFOs recognise this because they have signed the invoices before.

Insurance and Insurability

Around 45% of UK businesses currently have some form of cyber insurance, according to the UK Government’s Cyber Security Breaches Survey 2025. That means more than half of UK organisations remain uninsured, even before considering the quality or limits of cover.

For those that are insured, the reality is becoming brutally tangible. Premium increases are now directly linked to poor identity controls. Excesses are rising faster than premiums. Coverage exclusions increasingly hinge on MFA enforcement, logging quality and response times.

Firms with weak resilience face 20 to 50% premium uplifts, higher excesses or outright refusal to quote. What resilience delivers instead is leverage: lower excess exposure, a stronger negotiating position at renewal and a materially reduced risk of denied or constrained claims.

Staff Productivity Recovered

This is where the £45bn narrative makes sense.

Without resilience, security incidents consume weeks of IT time, engineers work on clean-up instead of improvement and projects stall due to "security distractions".

With proper controls, there are fewer escalations, less manual investigation and fewer all-hands incidents. Measured impact we see: 10 to 20% of senior IT and security time reclaimed, fewer weekend and overnight call-outs and faster delivery of planned work.

CFOs recognise this as capacity unlocked without hiring.

The Microsoft Security Advantage

An organisation that already holds Microsoft 365 E5 licences is already paying for Defender XDR and Entra ID P2. E3 covers less (Entra ID P1 and Defender for Endpoint P1), and Sentinel is billed on data ingested, with E5 carrying a daily data allowance. Either way, most of what these organisations have licensed is not being used properly.

The single biggest capability they already own but are not switching on: Entra ID Protection risk-based Conditional Access with automatic session and token control. It requires Entra ID P2, so an E3-only tenant must add that licence before the rest of this section applies.

What "On" Actually Means

What we usually find: Entra ID Premium is licensed, risk signals are available, policies exist but are set to report-only or are overly generic and token lifetime and session controls are untouched. So identity attacks are detected, but nothing happens.

What "on" actually means: user and sign-in risk policies enforced; automatic token revocation on high-risk events, which is what Continuous Access Evaluation delivers for supporting clients when user risk goes high or an account is disabled; session termination tied to a change in risk, not only to a password reset; and stronger controls only when risk is present, not blanket friction.

This turns identity from a passive log source into an active control plane.

The Two-Week Pilot

Week One: Observe & Baseline.

No disruption. Just facts. Enable Entra ID risk policies in report-only. Collect high-risk sign-ins, MFA fatigue attempts, impossible travel and legacy protocol usage. Identify who is actually being targeted, which users would have been blocked and when attacks occur out of hours.

Outcome: Leadership sees real attacks against real users, not threat briefings.

Week Two: Enforce On A Controlled Cohort.

Small scope. Big signal. Enforce risk-based Conditional Access on IT admins, finance users and 5 to 10% of general staff, with break-glass accounts excluded. Actions triggered: token revocation on high risk, forced re-authentication and session termination for risky sign-ins. Monitor false positives, user disruption and attack interruption.

Outcome: Attacks stop mid-flow, minimal business impact and clear audit trail of prevented compromise.

This pilot shows three things CFOs and boards care about: the threat is real, the response is automatic and reversible and the business impact is contained. A re-login is cheaper than a breach.
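The pilot is concrete enough to script. Below is an added example written for this article, not the original post's or any vendor's tooling, expressing both weeks in Microsoft Graph PowerShell. Assumptions for illustration: groups named "CA-Pilot-Cohort" (IT admins, finance and the sampled staff) and "Break Glass Accounts" already exist; the operator holds Policy.ReadWrite.ConditionalAccess, Policy.Read.All, Group.Read.All and AuditLog.Read.All; and the tenant has Entra ID P2, which the risk conditions require.

```powershell
# Added example, not from the original article. Week one creates two risk
# policies in report-only mode across the whole estate and reads back who they
# would have challenged; week two narrows them to the pilot cohort and enforces.

Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess', 'Policy.Read.All', 'Group.Read.All', 'AuditLog.Read.All' -NoWelcome
$cohort     = Get-MgGroup -Filter "displayName eq 'CA-Pilot-Cohort'"       # assumed group
$breakGlass = Get-MgGroup -Filter "displayName eq 'Break Glass Accounts'"  # assumed group

# One template for both policies, so week one and week two differ only in scope and state.
function New-RiskPolicyBody {
    param([string]$Name, [string]$State, [hashtable]$Users, [string[]]$SignInRisk, [string[]]$UserRisk, [string[]]$Grant, [string]$Operator)
    $conditions = @{
        users          = $Users
        applications   = @{ includeApplications = @('All') }
        clientAppTypes = @('all')
    }
    if ($SignInRisk) { $conditions.signInRiskLevels = $SignInRisk }
    if ($UserRisk)   { $conditions.userRiskLevels   = $UserRisk }
    @{
        displayName   = $Name
        state         = $State
        conditions    = $conditions
        grantControls = @{ operator = $Operator; builtInControls = $Grant }
        # Re-authenticate every time while risk is present: a stolen session is not trusted just because it is open.
        sessionControls = @{ signInFrequency = @{ isEnabled = $true; frequencyInterval = 'everyTime'; authenticationType = 'primaryAndSecondaryAuthentication' } }
    }
}

$names = @{ SignIn = 'PILOT sign-in risk medium/high: MFA and re-auth'; User = 'PILOT user risk high: MFA and password change' }

function Get-PilotBodies {
    param([string]$State, [hashtable]$Users)
    @(
        (New-RiskPolicyBody -Name $names.SignIn -State $State -Users $Users -SignInRisk @('medium', 'high') -Grant @('mfa') -Operator 'OR'),
        # passwordChange must be combined with mfa using AND.
        (New-RiskPolicyBody -Name $names.User   -State $State -Users $Users -UserRisk @('high') -Grant @('mfa', 'passwordChange') -Operator 'AND')
    )
}

# Week one: report-only across everyone except break-glass, so the data shows who would have been challenged.
$everyone = @{ includeUsers = @('All'); excludeGroups = @($breakGlass.Id) }
$created  = Get-PilotBodies -State 'enabledForReportingButNotEnforced' -Users $everyone |
            ForEach-Object { New-MgIdentityConditionalAccessPolicy -BodyParameter $_ }

# After seven days: who the policies would have challenged, and how much of it happened out of hours.
function Get-ReportOnlyImpact {
    param([string[]]$PolicyNames, [int]$Days = 7)
    $since = (Get-Date).ToUniversalTime().AddDays(-$Days).ToString('yyyy-MM-ddTHH:mm:ssZ')
    Get-MgAuditLogSignIn -Filter "createdDateTime ge $since" -All | ForEach-Object {
        $signIn = $_
        foreach ($applied in $signIn.AppliedConditionalAccessPolicies) {
            if (($applied.DisplayName -in $PolicyNames) -and ($applied.Result -in 'reportOnlyFailure', 'reportOnlyInterrupted')) {
                $hour = $signIn.CreatedDateTime.ToUniversalTime().Hour
                [pscustomobject]@{
                    Time = $signIn.CreatedDateTime; User = $signIn.UserPrincipalName; Ip = $signIn.IPAddress
                    Risk = $signIn.RiskLevelDuringSignIn; Policy = $applied.DisplayName; WouldHave = $applied.Result
                    OutOfHours = ($hour -lt 7 -or $hour -ge 19)
                }
            }
        }
    }
}
Get-ReportOnlyImpact -PolicyNames @($names.Values) | Group-Object User | Sort-Object Count -Descending | Format-Table Count, Name

# Week two: narrow to the cohort and enforce. Send the full body so no condition is dropped by the update.
$cohortScope = @{ includeGroups = @($cohort.Id); excludeGroups = @($breakGlass.Id) }
$enforced    = Get-PilotBodies -State 'enabled' -Users $cohortScope
for ($i = 0; $i -lt $created.Count; $i++) {
    Update-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $created[$i].Id -BodyParameter $enforced[$i]
}
```

Two caveats before running this for real. The user-risk policy's password-change grant only works for users who can actually change their password through Entra, so self-service password reset (with password writeback for hybrid accounts) must be in place first, or the policy becomes a lockout. And the week-one figures are only as good as the risk signals feeding them: if Identity Protection has been on for days rather than months, expect the user-risk numbers to be sparse while the sign-in-risk numbers are immediately useful.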

The Risk of Inaction

When compliance deadlines arrive and a mid-market firm's detection, response and reporting remain fragmented, the fallout is not dramatic headlines. It is slow, expensive erosion across regulation, revenue and operations.

Regulatory Friction

Regulators do not usually fine first. They impose friction.

What happens in practice: more frequent and deeper information requests, shorter response deadlines with higher evidence burden, mandatory external assessments at the firm's expense and follow-up audits triggered by weak incident evidence.

Firms with fragmented detection and response cannot prove timelines. They cannot clearly show when compromise started, when it was detected, who decided what and why, or what was contained and when. So regulators assume the worst and keep digging.

Real impact: six to twelve months of regulatory drag, senior leadership time burned and five- to six-figure advisory costs without a fine ever being issued.

Insurance Claims Constrained

This one lands hard and late.

What we have seen: Claims paid but only partially, excesses applied aggressively, costs ruled "avoidable due to control weakness" and coverage narrowed at renewal.

The language is polite. The outcome is brutal. Fragmented monitoring means delayed detection, incomplete logs and no proof that controls were active. That gives insurers room to push cost back onto the business.

Real impact: Cash outlay that finance teams assumed was insured suddenly hits the P&L.

Commercial Trust Erodes

This is increasingly visible in financial services, healthcare and manufacturing.

What actually happens: security questionnaires escalate from tick-box to evidence-led, customers ask for detection and response SLAs, contracts include breach notification and audit rights and deals slow down or stall pending "assurance".

Firms with fragmented controls struggle to answer confidently. So sales teams pull in IT and security late, miss deadlines and offer concessions to close.

Real impact: Lost momentum, margin pressure and deals quietly lost to "lower risk" competitors.

Internal Disruption Becomes Default

This is the underestimated consequence.

What actually happens: Without coordinated response, every alert becomes a mini-crisis, IT teams context-switch constantly, executives get dragged into avoidable escalations and projects stall because "security is on fire again".

Nothing explodes, but nothing moves properly either.

Real impact: Chronic inefficiency, staff burnout and a growing gap between strategy and execution.

The 90-Day Decision

When a mid-market leader reads this analysis and wants to act, there is a single decision to make in the next fortnight that unlocks everything else.

Delegate and pre-approve out-of-hours authority to contain identity-led incidents, backed by a funded 24x7 response capability.

Everything else hangs off that.

What That Decision Commits To

Not strategy. Not architecture. Authority and cover.

It means the COO or Finance Director signs off that specific identity attack scenarios are agreed in advance, named people or a named service can disable accounts, revoke tokens, terminate sessions and isolate endpoints, those actions can happen at 02:00 without escalation and leadership will support the decision even if there is short-term disruption.

That is the pivot point.

Why This Unlocks Everything

Once that authority exists, tooling suddenly matters. Defender, Entra ID and Sentinel stop being passive dashboards and become control systems. Runbooks become real. People stop writing procedures for auditors and start executing them. Detection investment pays off. There is no point finding attacks you are not allowed to stop. Reporting becomes credible. Timelines, actions and outcomes are clear and defensible.

Without this decision, every technical improvement hits a ceiling.

What Funded 24x7 Response Looks Like

For a 500-person firm that will not build an internal SOC, the answer is very clear: a fully outsourced, Microsoft-aligned MXDR service with defined authority and a named internal escalation point.

Not a hybrid SOC. Not "alerts to a mailbox". Not best-efforts monitoring.

Primary response is fully outsourced MXDR: 24x7 monitoring of identity, email, endpoint and cloud, authority to execute pre-approved actions immediately, correlation across Microsoft Defender, Entra ID and Sentinel and incident ownership from detection to containment.

Internal role is escalation, not investigation. One named business owner on call, engaged only when a critical role is impacted, a service disruption threshold is crossed or regulatory or customer notification is likely.

This keeps internal teams focused on the business, not staring at dashboards.

The Realistic Cost

For a 500-person organisation, typical annual range is £40k to £100k per year for a solid Microsoft-aligned MXDR service (depending on the service level). More if environments are very complex, there are heavy Operational Technology or legacy systems or regulatory reporting is unusually demanding. Less if Microsoft E3 or E5 is already well deployed, scope is tightly defined and identity and endpoint hygiene are reasonable.

That is not a rounding error, but it is materially less than one serious incident, one prolonged outage or one failed insurance claim.

A simple CFO test: is this cheaper than one unmanaged incident every three years? For mid-market firms, the answer is unambiguously yes.

What to Do Next

The UK government's £210 million cyber action plan is not just policy. It is a signal that fragmented defences are no longer acceptable and coordinated response is now the baseline.

For organisations, the path forward is clear.

In the next fortnight: delegate and pre-approve out-of-hours authority to contain identity-led incidents. Fund a 24x7 response capability, either internal or outsourced MXDR.

In the next 30 days: run a two-week pilot on Entra ID risk-based Conditional Access. Enforce on a small cohort. Measure attacks stopped, false positives and business impact.

In the next 90 days: define pre-approved response scenarios for common identity attacks. Map detection signals across identity, email and endpoint. Establish clear incident ownership and escalation paths. Test recovery and business continuity under attack.

The firms that move early gain control and credibility. The firms that wait inherit friction and doubt.

If you are evaluating whether MXDR is the right route for your organisation, download the MXDR Buyer’s Guide. It sets out what good looks like, what questions to ask providers, where responsibility must sit and how to avoid “alert-only” services that look good on paper but fail in real incidents.

The time to act is now. Compliance deadlines are coming. The tools are already in place. What you need is the permission and business case to act.