Systems stopped failing separately

For most of our professional lives, digital systems failed in isolation. When something broke, it broke somewhere specific. You could point to it, contain it, and fix it.

Then organisations connected everything. Not recklessly — sensibly. Fewer systems, less friction, more collaboration, lower cost. Microsoft 365 was adopted because it made work easier, not because anyone intended to redesign the organisation's risk profile.

The blast radius of digital failure has changed beyond recognition. Identity, access and data now converge on a single platform. A single misconfiguration can affect the entire organisation. But the oversight model in most boardrooms is still built on delegation, dashboards, and assumption. That is sustainable until something goes wrong. Then the board discovers whether it had evidence, or merely reassurance.

Risk moved. Responsibility didn't.

Boards continued to delegate as if failures were still local. Risk travelled further than anyone intuitively expected.

Reassurance stopped scaling

Everyone can be competent, well-intentioned, and telling the truth — and the organisation can still be exposed in ways nobody fully sees.

The real failure mode is surprise

The uncomfortable realisation is rarely 'we ignored risk.' It is 'we didn't realise how far it could travel.'

Four forces converging

Expectations placed on boards in relation to digital risk, operational resilience, and governance have changed materially in recent years.

01 Regulatory expectation

Regulators expect organisations to demonstrate how operational and information risks are governed, not simply that policies exist.

02 Insurance pressure

Insurers place increasing emphasis on evidence of control effectiveness. Claims are questioned where controls cannot be evidenced.

03 Operational resilience

Disruption caused by identity compromise, access failure, or data exposure is now treated as a business continuity issue, not an IT incident.

04 Personal accountability

Directors are expected to show that reasonable steps were taken to understand and manage material risks, including those arising from core digital platforms.

These pressures are converging. The organisations that respond are those whose boards treat Microsoft 365 as a governed control, not a delegated assumption.

What happens without oversight

These organisations believed they were protected. None of them had independent governance assurance over their configuration.

These are not obscure examples. They are publicly documented, widely reported, and between them they have cost billions in damage, thousands of jobs, and irreversible reputational harm. In each case, the board lacked independent visibility over configuration risk. Independent assurance does not guarantee prevention. But it ensures the right questions are being asked before a breach forces them.

Trust without evidence

Knights of Old (2023)

A 158-year-old Northamptonshire haulage company was destroyed by a single ransomware attack. The entry point was a reused employee password that was guessed. Despite spending over £100,000 annually on IT security and holding cyber insurance, the business collapsed within months. 730 jobs were lost. 500 trucks came off the road. The former director said afterwards: "We felt we were in a very good place in terms of our security, our protocols, the measures we had gone to protect the business."

The board trusted their own people's assurances. Nobody translated configuration risk into language directors could challenge. There was no independent mechanism to test the assertion "we are in a good place" against evidence. The board did not know what it did not know. Inquilion exists to ensure that question gets asked, independently and in governance language, before the answer arrives in the form of a ransom note.

BBC Panorama: Fighting Cyber Criminals

Supplier governance failure

LastPass (2022, ICO penalty November 2025)

LastPass, the password management platform used by over 33 million individuals and 100,000 businesses, suffered cascading breaches in 2022. Attackers compromised a developer's laptop, stole source code, then targeted one of only four engineers with access to vault decryption keys by exploiting an unpatched media server on their home computer. Encrypted customer vaults were stolen wholesale. Years later, attackers continue to crack those vaults. Over $438 million in cryptocurrency has been stolen from compromised vault contents. The UK Information Commissioner's Office issued a monetary penalty against LastPass UK Ltd in November 2025 for failures to implement appropriate technical and organisational measures.

Thousands of organisations depended on LastPass to protect the credentials that access their most sensitive systems. The boards of those organisations had no independent way of knowing how their credential management supplier was actually configured and secured. When the supplier's protections failed, every client organisation inherited the consequences. The question that was not being asked: what third-party tools hold or manage access to our environment, and what evidence do we have that those suppliers' controls are adequate? Inquilion's assessment identifies which external services have access to organisational data, what permissions they hold, and whether that access has been formally approved. It is the governance equivalent of asking: who else has keys to the building, and who authorised them?

ICO enforcement action

The hidden attack surface

Jaguar Land Rover (2025)

Jaguar Land Rover is a major Microsoft 365 customer, with over 160 Power Apps embedded in Teams, Power Automate workflows connecting Outlook, SharePoint, and legacy systems, and operational data flowing through SharePoint across global manufacturing facilities. In March 2025, the HELLCAT ransomware group breached JLR using stolen credentials from a third-party tool (Jira) that connected to their environment. Infostealer credentials dating back to 2021 were still valid. In September 2025, a second attack by Scattered Lapsus$ Hunters shut down all global production for five weeks. The Cyber Monitoring Centre classified it as the most financially damaging cyberattack in British history, with an estimated impact of £1.9 billion to the UK economy. Over 5,000 organisations in the supply chain were affected.

JLR's board knew they were a Microsoft 365 organisation. Microsoft published a customer story about their Power Platform adoption. But the questions that were not being asked at board level: what external tools and accounts have access to this environment? What credentials exist outside the organisation's control that could provide a route in? What does the audit trail show about those connections? Who approved them, and when were they last reviewed? How many automated processes connect internal data to external services? Inquilion's assessment covers all of these: which external services connect to the environment, what permissions they hold, how data flows between internal and external systems, and whether that access is governed, approved, and visible at board level. Whether asking these questions earlier could have changed the outcome at JLR is unknowable. That nobody was asking them independently at board level is the governance failure.

Microsoft Customer Story: Jaguar Land Rover
Cyber Monitoring Centre: JLR Incident Analysis

These are not Inquilion clients. We were not involved, and we make no claim that our involvement would have changed the outcome. But each case illustrates a governance gap that was not visible at board level until after the damage was done. The question for any board is straightforward: do you have independent evidence that these gaps do not exist in your organisation? If not, that is where the conversation starts.

The question has changed

It is no longer 'do we have IT controls?' It is 'can we evidence to an insurer, auditor or regulator that our digital controls are operating as the board expects?'

Most boards cannot answer that question today. Inquilion exists so they can.
