Here's a question that should keep every director awake: what happens when the device meant to protect your network becomes the primary way attackers get in?

Between 2023 and now, Fortinet's SSL VPN has been exploited three separate times using the same type of vulnerability. Chinese intelligence services stole configurations from 20,000 organizations worldwide.

Cyber insurers charge double the premiums for businesses using Fortinet kit. Yet Fortinet posted 50% revenue growth and continues to dominate the enterprise firewall market.

This isn't a technical problem. It's a market failure that puts your business at risk while nobody gives a damn.

Right, so I'll be honest. Six months ago, I thought cyber insurance was just another checkbox on the compliance list. Pay the premium, tick the box, hope you never need it. Then Noel challenged me to actually read my policy and treat my insurer as an incident response partner. What I found changed everything. Turns out my €10,200 annual premium wasn't buying risk transfer. It was buying a specialist IR team, forensics support, tabletop exercises, and gap assessments I'd been trying to budget for separately. Here's what I learned implementing this approach at our 100-person Dublin firm.

The Apple App Store feels safe. That is the story many people tell themselves. Firehound and Vulnu show why that comfort can be dangerous. Researchers have flagged this week insecure iPhone apps that expose user data through badly secured cloud storage. Some leak private chats, email addresses, and location traces. Many of these apps look polished and carry strong ratings. That is the trap. In this guest post, Corrine Jefferson explains how slop apps slip through review, why AI apps raise the stakes, and what you can do today to cut your risk. What is on your phone right now?

Microsoft’s January 2026 Patch Tuesday delivered 114 updates and 3 zero-days – with SharePoint Toolshell, Fortinet VPN bypass, and HPE OneView RCE leading the charge. This isn’t theoretical. Attackers are already exploiting these in the wild. From Adobe Acrobat to Apple’s WebKit spyware holes, no vendor was spared. SMB IT teams, you’re on the clock. Here’s your no-fluff, brutally honest patching guide.

The UK Government is to implements personal director accountability for cyber risk in public sector. So logically Private sector is next. What directors need to know now.

Monday, 12th January 2026. Instagram denies a breach while millions get password reset emails. Nissan admits attackers stole employee data. A UK school in Nuneaton faces "serious" cyber attack. Three London councils still recovering from November breach affecting 100,000 households. India's entire mobile security infrastructure looks dodgy as hell. BreachForums, the criminal marketplace itself, gets its database leaked. And the US withdraws from global cyber coordination bodies right when we need cooperation most. Eight incidents. One common thread: credentials, governance failures, and shared infrastructure vulnerabilities. Tomorrow is Patch Tuesday, but you can't patch stupid.

UK Government's shocking admission: cyber risk critically high, 28% legacy systems vulnerable, 2030 targets unachievable. The numbers are damning.

I watched a board meeting where someone was asked to turn off their hearing aid during a security discussion. Bluetooth concerns, apparently.

The company meant well, but they'd created a policy that would exclude anyone using assistive technology.

I've seen this same pattern emerge in charity governance—organisations pursuing Cyber Essentials creating barriers for disabled trustees and staff.

This isn't about security frameworks being flawed. It's about implementation requiring thought beyond checklists. Here's how charities can build security AND inclusion together, not force people to choose between them.

You've read the threat intelligence. You understand AITM attacks. Now you need to actually deploy passkeys without breaking everything. This is the technical guide your IT person needs: Microsoft 365 integration steps, device compatibility requirements, troubleshooting the inevitable issues, and realistic timelines for businesses that can't afford downtime during authentication migration.

You've got MFA turned on. Authenticator app, text codes, the lot. You think you're protected. Now picture this: your finance director clicks a legitimate-looking link, signs in, approves the MFA request like always, and boom—an attacker just stole her session token. Full access to Microsoft 365. No more MFA prompts needed. Welcome to 2026, where adversary-in-the-middle attacks surged 146% in the past year. Nearly 40,000 incidents daily. Your traditional MFA? Doing precisely nothing to stop them. Time to talk about phishing-resistant authentication before your competitor gets breached instead of you.

Remember that fun photo booth snap at your mate’s wedding? The one where you’re pulling faces with the bridesmaids? It’s been sitting on an unprotected server for the past three weeks, accessible to anyone who could count to 1,000. Hama Film, an Australian photo booth company with operations in the UAE and United States, spent months exposing customer photos through a security flaw so basic it makes WannaCry look sophisticated. No authentication. No rate-limiting. Just pure, unfiltered incompetence serving up private moments to anyone curious enough to look. And they’re still not fixing it properly.

If you run a small or medium-sized business in the UK, the government just sent you a message: you are on your own. The November 2025 Cyber Security and Resilience Bill protects hospitals and power grids. It does not protect you.

Of 5.5 million UK SMBs, exactly zero gained new cybersecurity protection.

This was deliberate policy.

Meanwhile, 43% of UK businesses experienced breaches last year, costing an average £3,550 per incident. Germany took a different approach—and it works.

This article gives you the statistics, the proof, and the action plan you can start Monday morning.

Directors should face criminal prosecution for cyber security negligence. The HSE precedent proves personal criminal liability transforms director behaviour. Before HSE had teeth, workplace deaths were common. After directors faced imprisonment, safety transformed. Civil liability isn't working for cyber security: 73% of businesses lack board responsibility despite 43% breach rates and 28% closure risk. Friday's case study showed £3.337 million loss preventable with £90 investment. Proposed: Criminal prosecution when directors fail documented risk assessment, basic controls, board-level responsibility, systematic review, causing serious harm. Test: reasonable care. Penalty: up to two years imprisonment. Business lobbying will kill this. Meanwhile preventable disasters continue.

March 2024: UK manufacturing company with £18 million turnover lost £2.4 million to business email compromise. Finance director phished, email credentials stolen (no MFA), attacker monitored for two weeks, sent fraudulent payment instruction from compromised account, major client processed payment overseas. Total immediate costs £3.337 million. Company survived through private equity investment that diluted family ownership from 100% to 23%. Managing director resigned. Eight redundancies. What would have prevented it: two-hour risk register workshop identifying the CRITICAL risk. Additional controls needed: MFA on email (£0), FIDO2 keys (£90), payment verification procedures (policy change). Total prevention cost: £90 plus seven hours implementation.

Create your first cyber risk register in 2 hours. No consultant needed.
Step 1: Identify five specific risks (phishing, ransomware, insider threats are mandatory for all UK SMEs).
Step 2: Assess likelihood using real government statistics (85% phishing, 43% breach rate).
Step 3: Document impact including business closure potential (28% of SMEs).
Step 4: List current controls with verification dates. Step 5: Calculate residual risk scores.
Step 6: Specify additional controls with costs.

Step 7: Assign board-level owners.

Step 8: Create quarterly review schedule.

Total time: 2 hours creation plus 30 minutes quarterly.

Eight hours annually to manage business-ending risks. Template included.

Why do intelligent board members hear "43% of UK businesses got breached" and think "that won't happen to us"? It's not stupidity; it's psychology. Optimism bias makes us believe bad things happen to others. Present bias makes tomorrow's disaster less urgent than today's deadline.

Availability heuristic makes personal experience trump statistics. Illusion of control makes certificates feel like protection.

Normalcy bias treats "it hasn't happened yet" as evidence. Dunning-Kruger creates confident ignorance. Graham Falkner demonstrated all these biases on Episode 31. Understanding this psychology changes how you present cyber risk to boards.

Facts alone don't work. Systematic bias dismantling does.

Most cyber risk registers are useless compliance documents.

They contain vague descriptions, unverifiable controls, and no honest assessment of likelihood or impact.

A working risk register has exactly seven columns: specific risk scenarios, likelihood based on real UK statistics, quantified impacts including business closure potential, verifiable current controls, residual risk ratings, costed additional controls, and named board-level owners.

Every UK SME must address five mandatory risks: phishing (85% of breaches), ransomware, supply chain compromise, insider threats, and cloud misconfiguration.

Ten critical technical controls cover 90% of actual threats. Implementation costs £150-300 per user annually. One prevented £3,398 breach pays for years of protection.

Apple released iOS 26.2 on 12 December 2025 patching two WebKit zero-day vulnerabilities that were actively exploited before patches existed. Google's Threat Analysis Group discovered CVE-2025-43529 and CVE-2025-14174 being used in sophisticated attacks against targeted individuals. These vulnerabilities allow arbitrary code execution through malicious websites with no user interaction required.

The update patches over 20 vulnerabilities total, including a kernel bug allowing root access and an App Store flaw exposing payment tokens. For business owners, running unpatched devices with known exploits fails UK GDPR requirements and creates director liability. Update every business iPhone immediately.

Graham Falkner told me before recording that small businesses don't need formal cyber risk registers. By the end of Episode 31, he'd completely changed his mind.

UK government data shows only 27% of businesses have board-level cyber security responsibility, down from 38% in 2021. Meanwhile, 43% got breached and 28% of SMEs say a single attack could put them out of business. The evidence is overwhelming. Risk registers aren't bureaucracy - they're systematic thinking applied to survival.

This episode documents Graham's complete conversion from skeptic to believer, and challenges every UK board to create a risk register this week.