I live in London. I used to work in US government intelligence. And when Google Threat Intelligence Group published their defence industrial base report on 10 February, I did what any former analyst does: I stopped reading the headlines and started reading the primary source. The findings are precise and they are uncomfortable. Chinese state-sponsored actors have exploited more than two dozen zero-day vulnerabilities in edge devices from ten different vendors since 2020. Average dwell time inside compromised networks: 393 days. Your VPN appliance is not a security control. It is a collection target.

Google just dropped a report that should make every UK business owner physically uncomfortable. Chinese state-sponsored hackers have exploited more than two dozen zero-day vulnerabilities in VPNs, routers, and firewalls since 2020. From ten different vendors. The average time they sit inside your network before anyone notices? 393 days. Over a year of unfettered access.

And if you think "I'm not a defence contractor, this doesn't affect me," think again. Manufacturing has been the single most targeted sector on ransomware leak sites since 2020. Your edge devices aren't protecting you. They're welcoming nation-states straight through the front door.

Russia's Sandworm hacking group just attempted the largest cyber attack on Poland's energy infrastructure in years, deploying custom wiper malware called DynoWiper against 30 wind farms, solar installations, and a heat plant serving half a million people. The attack failed, but only barely. The NCSC is now warning UK critical infrastructure operators to act immediately. If you think nation-state attacks on power grids are somebody else's problem, think again. Every UK business sitting in those supply chains just became a potential stepping stone for the next Sandworm operation.

Four concurrent cyberattack campaigns hit last week. Russian military intelligence weaponised a critical Microsoft Office vulnerability within 24 hours of the patch dropping. Commodity criminals started selling the same capability for £50 a month. A Chinese-linked group compromised Notepad++ updates for six months. Three separate macOS infostealer campaigns ran simultaneously. And while all of that was unfolding, the UK's biggest data protection law change since Brexit went live with 48 hours' notice. Cookie fines jumped from £500,000 to £17.5 million overnight. We broke all of it down in this week's episode.

The acting head of America's cybersecurity agency just uploaded government secrets to ChatGPT. Meanwhile, a Dublin IT manager discovered £18,000 worth of unused incident response services sitting in his cyber insurance policy. Passkeys can eliminate phishing attacks completely. And those viral Trump cloud cartoons? They're exposing the infrastructure dependency crisis threatening UK businesses. Four critical cybersecurity stories. Three expert guests. 45 minutes that could transform how your business approaches security. This isn't your typical cybersecurity podcast. Listen now.

You've seen the memes. Trump is controlling cloud providers like puppets. Trump is literally unplugging Europe from US infrastructure.

They're viral because they touch a nerve about something real: UK businesses run on American infrastructure controlled by American laws. But the political framing misses the actual problem.

This isn't about any particular president or administration. This is about 15 years of infrastructure consolidation, creating structural dependency that predates and will outlast any political cycle.

Let's dissect what those images actually represent, why they're simultaneously right and wrong, and what UK SMBs need to understand about where their data actually lives.

The reality is this: the acting director of America's civilian cybersecurity agency uploaded sensitive government contracting documents to ChatGPT's public platform. Multiple automated alerts were triggered.

A Department of Homeland Security investigation was launched. And somehow, this still happened. From my former life in government service, I can tell you this isn't just embarrassing.

It's a systems failure that reveals fundamental problems with how we approach privileged access, AI governance, and the dangerous assumption that senior officials understand operational security better than the controls designed to protect them.

Your firewall vendor just announced another critical vulnerability. Last week brought two more. Last month? Six. When does "routine security update" become a vendor reliability crisis that threatens your business?

For UK SMBs running Fortinet or SonicWall, the CISA Known Exploited Vulnerabilities catalogue tells an uncomfortable story: your perimeter security is under active, documented attack. This isn't vendor marketing or compliance theatre.

This is your board-level "do we stay or do we leave" conversation, backed by evidence, decision frameworks, and a migration playbook that won't destroy your operations. Time to score your vendor.

OT (operational technology) security protects industrial control systems, SCADA, and production equipment from cyberattacks. Unlike office IT security, OT security focuses on systems that control physical processes - CNC machines, production lines, and factory automation. A 2025 UK government study found 90% of OT attacks originate from IT network vulnerabilities, with downtime costing manufacturers £195,000 to £2.2 million per hour.

Here's a question that should keep every director awake: what happens when the device meant to protect your network becomes the primary way attackers get in?

Between 2023 and now, Fortinet's SSL VPN has been exploited three separate times using the same type of vulnerability. Chinese intelligence services stole configurations from 20,000 organizations worldwide.

Cyber insurers charge double the premiums for businesses using Fortinet kit. Yet Fortinet posted 50% revenue growth and continues to dominate the enterprise firewall market.

This isn't a technical problem. It's a market failure that puts your business at risk while nobody gives a damn.

Right, so I'll be honest. Six months ago, I thought cyber insurance was just another checkbox on the compliance list. Pay the premium, tick the box, hope you never need it. Then Noel challenged me to actually read my policy and treat my insurer as an incident response partner. What I found changed everything. Turns out my €10,200 annual premium wasn't buying risk transfer. It was buying a specialist IR team, forensics support, tabletop exercises, and gap assessments I'd been trying to budget for separately. Here's what I learned implementing this approach at our 100-person Dublin firm.

The Apple App Store feels safe. That is the story many people tell themselves. Firehound and Vulnu show why that comfort can be dangerous. Researchers have flagged this week insecure iPhone apps that expose user data through badly secured cloud storage. Some leak private chats, email addresses, and location traces. Many of these apps look polished and carry strong ratings. That is the trap. In this guest post, Corrine Jefferson explains how slop apps slip through review, why AI apps raise the stakes, and what you can do today to cut your risk. What is on your phone right now?

Microsoft’s January 2026 Patch Tuesday delivered 114 updates and 3 zero-days – with SharePoint Toolshell, Fortinet VPN bypass, and HPE OneView RCE leading the charge. This isn’t theoretical. Attackers are already exploiting these in the wild. From Adobe Acrobat to Apple’s WebKit spyware holes, no vendor was spared. SMB IT teams, you’re on the clock. Here’s your no-fluff, brutally honest patching guide.

The UK Government is to implements personal director accountability for cyber risk in public sector. So logically Private sector is next. What directors need to know now.

Monday, 12th January 2026. Instagram denies a breach while millions get password reset emails. Nissan admits attackers stole employee data. A UK school in Nuneaton faces "serious" cyber attack. Three London councils still recovering from November breach affecting 100,000 households. India's entire mobile security infrastructure looks dodgy as hell. BreachForums, the criminal marketplace itself, gets its database leaked. And the US withdraws from global cyber coordination bodies right when we need cooperation most. Eight incidents. One common thread: credentials, governance failures, and shared infrastructure vulnerabilities. Tomorrow is Patch Tuesday, but you can't patch stupid.

UK Government's shocking admission: cyber risk critically high, 28% legacy systems vulnerable, 2030 targets unachievable. The numbers are damning.

I watched a board meeting where someone was asked to turn off their hearing aid during a security discussion. Bluetooth concerns, apparently.

The company meant well, but they'd created a policy that would exclude anyone using assistive technology.

I've seen this same pattern emerge in charity governance—organisations pursuing Cyber Essentials creating barriers for disabled trustees and staff.

This isn't about security frameworks being flawed. It's about implementation requiring thought beyond checklists. Here's how charities can build security AND inclusion together, not force people to choose between them.

You've read the threat intelligence. You understand AITM attacks. Now you need to actually deploy passkeys without breaking everything. This is the technical guide your IT person needs: Microsoft 365 integration steps, device compatibility requirements, troubleshooting the inevitable issues, and realistic timelines for businesses that can't afford downtime during authentication migration.

You've got MFA turned on. Authenticator app, text codes, the lot. You think you're protected. Now picture this: your finance director clicks a legitimate-looking link, signs in, approves the MFA request like always, and boom—an attacker just stole her session token. Full access to Microsoft 365. No more MFA prompts needed. Welcome to 2026, where adversary-in-the-middle attacks surged 146% in the past year. Nearly 40,000 incidents daily. Your traditional MFA? Doing precisely nothing to stop them. Time to talk about phishing-resistant authentication before your competitor gets breached instead of you.