At the same time, Microsoft is reporting a rise in identity-based attacks, especially targeting Entra ID. 

And it makes sense. 

Attackers don’t need to break in anymore. 
If they can log in, they’re already where they need to be. 

The focus shifts from keeping attackers out to managing what happens if they get in: who has access, what they can reach, and the impact that access could have.

Data is everywhere (and that’s part of the issue) 

Most environments aren’t simple anymore. Critical data is scattered across Microsoft 365, cloud platforms, SaaS applications, backup environments and now AI tools.

The real issue isn’t volume, it’s visibility. Many organisations struggle to identify where their most important data resides, how it’s being accessed, and what would need to be restored if the worst happened.

Without that clarity, recovery can quickly become a complex and stressful process.

Backups ≠ resilience 

This is probably the biggest misconception we come across. 

Having backups is important. Obviously. 

But it doesn’t mean you’re resilient. 

We’ve seen situations where: 

• backups exist, but haven’t been properly tested 

• recovery takes far longer than expected 

• or the data that’s restored isn’t clean or usable 

You don’t really know how strong your recovery is until you try it under pressure. 

And most organisations haven’t. 

Where things tend to break down 

From our perspective at Freestyle TS, the issues are usually pretty consistent: 

• Too much confidence in the plan, not enough testing 

• Security policies that look good on paper but aren’t enforced properly 

• No single view of identity, data, and access 

• Unclear ownership, especially when AI tools are involved 

Individually, none of these seem critical. 
Together, they create real risk. 

What better looks like 

The organisations that handle incidents well don’t necessarily have more tools. 

They just do a few things differently: 

• They understand where their data is and what matters most 

• They lock down access properly (especially around identity) 

• They test recovery regularly, not once a year 

• And they treat resilience as a business issue, not just an IT one 

It’s not complicated. But it does require discipline. 

A quick reality check

If you’re confident you could recover from a cyber attack, it’s worth asking: 

• When was the last time we actually tested that? 

• How long did it take? 

• Did everything come back clean? 

• Who was involved in the process? 

If those answers aren’t clear, there could be opportunities to strengthen your recovery plans before they’re put to the test.

Understanding your resilience starts with understanding your reality

Cyber resilience isn’t about having the right slide deck or policy in place. 

It’s about knowing, not assuming – that your business can recover. 

Because when something does happen, there’s no time to figure it out.