What the Five Eyes security statement means for MSPs managing Microsoft 365

4 min read
Jul 6, 2026 3:05:05 PM

The Five Eyes just told leaders to act now on AI risks. Here's what it means for managing your customers’ Microsoft 365 environments 

The cyber security agencies of the Five Eyes - the UK's National Cyber Security Centre (NCSC, part of GCHQ), plus their counterparts in the US, Canada, Australia and New Zealand - have put out a joint statement on AI and cyber risk. The message is short, and unusually blunt. AI is changing the threat landscape faster than most organisations are reacting, it's lowering the barrier for attackers, and it's shrinking the gap between a vulnerability being found and being exploited. Their line on timing: "the timeline is not years, it is months."

It’s difficult to overstate how unusual this is. Over the past 10 years intelligence agencies have collaborated ever-closer with private businesses on assessing and mitigating cyber risk, but public announcements like this are rare and a signal to pay extra attention.

The statement is aimed squarely at leaders and boards, and it implicitly calls on vendors and suppliers too. If you manage environments like Microsoft 365 for your customers, that includes you. A few things stand out.

Your customers perhaps won't read this statement, so you're the one who has to act on it 

The statement is pitched at boards and executives who can "reassess long-standing trade-offs" and back their cyber leaders with authority and resources. Most of the SMBs you look after don't have that layer. They don't have a CISO, they're not reading NCSC bulletins, and they're not going to translate a Five Eyes call to action into config changes. You are their security function, whether that's written into the contract or not.

The good news is that the five practical actions in the statement aren't new, and they're not exotic. They're the work you already know how to do:

  1. Reduce the attack surface. Limit unnecessary access and external connectivity, and isolate what doesn't need to be exposed.
  2. Accelerate patching. The window between disclosure and exploitation is closing, so security updates can't sit in a long queue.
  3. Address legacy systems. Unsupported kit isn't just technical debt, it's a soft target.
  4. Strengthen identity and access. Limit who can reach critical systems, enforce strong authentication, review permissions.
  5. Prepare for incidents and invest in "right-of-boom". Assume a breach will happen, rehearse fast containment and recovery, and ensure you have the right tooling to do this effectively.

None of that is a surprise, and it maps across to industry practices for effectively managing M365 environments at scale – whether that’s Conditional Access, securing devices with Intune, or managing security with Defender policies.

The shift the agencies are flagging is that "later" is no longer an acceptable answer. The practical move is to take that list and check it honestly against every tenant you run. Not the one you set up last month, the one you inherited eighteen months ago and haven't looked at since.

"It's not enough to have controls" is the line that should stick 

The sharpest sentence in the whole statement is this one: it's not enough to have controls, leaders must be confident those controls will actually perform during a real incident. 

That's the gap that applies to MSPs specifically. A baseline you applied once and never revisited is a control on paper. Across 50 or 100 tenants, configurations drift. An exclusion gets added for a noisy app and never removed, a policy gets adjusted to fix a support ticket, a new tenant gets stood up just short of the standard. Each change is small and reasonable in the moment. Added up across a tenant estate, they're the difference between "we have MFA and conditional access everywhere" and "we have it almost everywhere, and we're not sure which ones." Under pressure, almost everywhere is where you get hurt. 

So the action here isn't "buy more controls." It's to get visibility on whether the controls you've already deployed are still in place and consistent tenant to tenant, and to know when one drifts rather than finding out during an incident. 

Getting the basics right beats buying more tools 

The statement is clear that AI cuts both ways. Adversaries are already using it to move faster, and defenders should use it deliberately to detect issues earlier and respond quicker, not just to shave a bit of efficiency. But it's equally clear about what wins. In the agencies' words, success "will not come from having the most tools." It comes from getting the basics right, acting quickly, and treating cyber security as core business strategy. As always – it's a combination of technology, process, and people.

For MSPs, that's a useful steer. The foundational work (attack surface minimisation, patching, identity hygiene, consistent secure-by-default baselines) is what moves the needle, and it's most of what frameworks like CIS have been asking for all along.

The thread running through the whole statement is that risk assumptions now go stale in months, not years, and the value of any capability depends on how well the environment around it is governed. That's been true of every major shift in this space; AI is just moving far faster than previous technological revolutions. The agencies' point to leaders is "act now."

For MSPs, acting now means:

  • Making sure the basics such as secure-by-design, and zero-trust, are genuinely consistent across every tenant you manage.
  • Being prepared for when (not if) a security incident occurs – coverage of right-of-boom is just as salient as it ever was.
  • Ensuring the above are integrated and without gaps. The statement calls out "defence in depth" specifically for this reason.

 

Frederick Bendzius-Drennan
Frederick Bendzius-Drennan
VP of AI Transformation
false