⭐100K+ Monthly Downloads

⭐Top 20 Apple Management


The Small Business Cyber Security Guy


Welcome to the blog and podcast, where we share brutally honest views, sharp opinions, and lived experience from four decades in the technology trenches. Whether you're here to read or tune in, expect no corporate fluff and no pulled punches.

Everything here is personal. These are my thoughts and the team's, opinions forged in the heat of battle, and not those of our employers, clients, or any other professional with whom we are associated.

If you’re offended, take it up with us, not them.

What you’ll get here (and on the podcast):

  • Straight-talking advice for small businesses that want to stay secure

  • Honest takes on cybersecurity trends, IT malpractice, and vendor nonsense

  • The occasional rant — and yes, the occasional expletive

  • War stories from the frontlines (names changed to protect the spectacularly guilty)

I've been doing this for over 40 years. I’ve seen genius, idiocy, and everything in between. Some of it makes headlines, and most of it should.

This blog and the podcast are where we break it all down.

Grab a coffee and pull up a chair; you need to see this!

Industry Analysis, Podcast Noel Bradford

Three and a Half Pence Per Victim: The Currys’ Breach, Nine Years of Legal Theatre, and What Your Business Must Learn

Darren Warren asked for five thousand pounds in compensation for the distress of having his data stolen from Currys' tills. The High Court struck most of his claim out. Meanwhile, specialist law firms ran "Were you affected by the Currys breach?" campaigns, then quietly closed their books without any settlement.

The Court of Appeal confirmed in February 2026 that DSG absolutely had a duty to protect that data. By then, most claimants' limitation periods had expired.

This is a case study in how 14 million victims ended up with nothing, and what it means for every business owner who thinks "the system will sort it out."

Threat Intelligence, Podcast Noel Bradford

Is your cloud provider a hidden national security risk in 2026?

Switzerland looked at Palantir and said no. The UK leaned in. That should worry you. Your business runs on the same US-owned platforms that governments argue about: email, files, chat, identity, backups. The CLOUD Act means a provider can face legal demands for data, even when the servers sit outside the US. UK hosting does not always mean UK control. This teaser sets up the real question: if access rules changed tomorrow, could you prove who can touch your data, and how would you know?

Could you answer that today?

Threat Intelligence, Podcast Noel Bradford

Chinese State Hackers Lived Inside Defence Networks for 393 Days: What Google's Report Means for Your 50-Person Business

Three hundred and ninety-three days. That's how long Chinese state hackers camped inside defence networks before anyone bloody noticed. Over a year. Reading emails. Mapping systems. Making themselves at home while everyone assumed the firewall was doing its job. Google just published the receipts, and the uncomfortable truth is this: manufacturing is the most targeted sector on ransomware leak sites.

Not banks. Not hospitals. Factories. Your VPN appliance is the front door nobody's watching, and the attackers know it better than your MSP does. This week, Mauven MacLeod and Dr Corrine Jefferson tear apart Google's report and hand you a 90-day survival plan.

Threat Intelligence, Podcast Noel Bradford

Four Campaigns, One Week, Zero Excuses: New Episode Out Now

Four concurrent cyberattack campaigns hit last week. Russian military intelligence weaponised a critical Microsoft Office vulnerability within 24 hours of the patch dropping. Commodity criminals started selling the same capability for £50 a month. A Chinese-linked group compromised Notepad++ updates for six months. Three separate macOS infostealer campaigns ran simultaneously. And while all of that was unfolding, the UK's biggest data protection law change since Brexit went live with 48 hours' notice. Cookie fines jumped from £500,000 to £17.5 million overnight. We broke all of it down in this week's episode.

Podcast, Threat Intelligence Mauven MacLeod

Four Game-Changing Cyber Stories in One Episode

The acting head of America's cybersecurity agency just uploaded government secrets to ChatGPT. Meanwhile, a Dublin IT manager discovered £18,000 worth of unused incident response services sitting in his cyber insurance policy. Passkeys can eliminate phishing attacks completely. And those viral Trump cloud cartoons? They're exposing the infrastructure dependency crisis threatening UK businesses. Four critical cybersecurity stories. Three expert guests. 45 minutes that could transform how your business approaches security. This isn't your typical cybersecurity podcast. Listen now.

Technical Analysis, Patch Tuesday, Podcast Graham Falkner

January 2026 Patch Tuesday: New Year, New Nightmares for SMB Security

Microsoft’s January 2026 Patch Tuesday delivered 114 updates and 3 zero-days – with SharePoint Toolshell, Fortinet VPN bypass, and HPE OneView RCE leading the charge. This isn’t theoretical. Attackers are already exploiting these in the wild. From Adobe Acrobat to Apple’s WebKit spyware holes, no vendor was spared. SMB IT teams, you’re on the clock. Here’s your no-fluff, brutally honest patching guide.

Technology Risks, Podcast Noel Bradford

Passkeys Implementation for UK SMBs: The Complete Technical Guide to Deploying Phishing-Resistant Authentication in 2026

You've read the threat intelligence. You understand AITM attacks. Now you need to actually deploy passkeys without breaking everything. This is the technical guide your IT person needs: Microsoft 365 integration steps, device compatibility requirements, troubleshooting the inevitable issues, and realistic timelines for businesses that can't afford downtime during authentication migration.

Threat Intelligence, Podcast Noel Bradford

Your MFA Is Being Bypassed Right Now: The 146% Surge in Attacks Nobody's Talking About

You've got MFA turned on. Authenticator app, text codes, the lot. You think you're protected. Now picture this: your finance director clicks a legitimate-looking link, signs in, approves the MFA request like always, and boom—an attacker just stole her session token. Full access to Microsoft 365. No more MFA prompts needed. Welcome to 2026, where adversary-in-the-middle attacks surged 146% in the past year. Nearly 40,000 incidents daily. Your traditional MFA? Doing precisely nothing to stop them. Time to talk about phishing-resistant authentication before your competitor gets breached instead of you.

Risk Management, Podcast Graham Falkner

Your First Cyber Risk Register: 2-Hour Implementation Guide with Template

Create your first cyber risk register in 2 hours. No consultant needed.

Step 1: Identify five specific risks (phishing, ransomware, insider threats are mandatory for all UK SMEs).
Step 2: Assess likelihood using real government statistics (85% phishing, 43% breach rate).
Step 3: Document impact including business closure potential (28% of SMEs).
Step 4: List current controls with verification dates.
Step 5: Calculate residual risk scores.
Step 6: Specify additional controls with costs.
Step 7: Assign board-level owners.
Step 8: Create quarterly review schedule.

Total time: 2 hours creation plus 30 minutes quarterly.

Eight hours annually to manage business-ending risks. Template included.

Risk Management, psychology of risk denial, Podcast Mauven MacLeod

The Psychology of Risk Denial: Why Smart People Convince Themselves They're Too Small to Matter

Why do intelligent board members hear "43% of UK businesses got breached" and think "that won't happen to us"? It's not stupidity; it's psychology. Optimism bias makes us believe bad things happen to others. Present bias makes tomorrow's disaster less urgent than today's deadline.

Availability heuristic makes personal experience trump statistics. Illusion of control makes certificates feel like protection.

Normalcy bias treats "it hasn't happened yet" as evidence. Dunning-Kruger creates confident ignorance. Graham Falkner demonstrated all these biases on Episode 31. Understanding this psychology changes how you present cyber risk to boards.

Facts alone don't work. Systematic bias dismantling does.

Podcast Noel Bradford

The Risk Register Argument - When Your Co-Host Says You're Wrong About Governance

Graham Falkner told me before recording that small businesses don't need formal cyber risk registers. By the end of Episode 31, he'd completely changed his mind.

UK government data shows only 27% of businesses have board-level cyber security responsibility, down from 38% in 2021. Meanwhile, 43% got breached and 28% of SMEs say a single attack could put them out of business. The evidence is overwhelming. Risk registers aren't bureaucracy - they're systematic thinking applied to survival.

This episode documents Graham's complete conversion from skeptic to believer, and challenges every UK board to create a risk register this week.

Podcast, IOT Noel Bradford

The Devices You Forgot Were Computers - IoT Security for Small Business

What if I told you the biggest cyber threat to your business isn't hackers, but your office printer? Sounds mad, right? That's what a 30-person marketing agency thought before someone accessed their client files for weeks through an HP printer with factory default credentials. Episode 30 reveals the devices everyone forgets are computers: printers storing documents, CCTV systems livestreaming your premises, thermostats providing network access. Currently Top 12 in Apple Podcasts Management category worldwide with 3,500 daily downloads. Thirty episodes making cybersecurity almost entertaining whilst being brutally honest. Listen now. Check your printer later. You'll understand why.


Reverse Benchmarking: Why Studying Cyber Failures Beats Copying Best Practices

Most people copy what the big players do and call it a cyber strategy. That works for them. It probably kills you. This episode flips the script. Instead of worshipping best practice, we dissect the car crashes.

Target, Equifax, Colonial Pipeline and SolarWinds. We ask one question: what actually went wrong, and have you quietly made the same mistakes in your own business?

If you run a UK small or mid-sized firm and feel lost in security buzzwords, this is your shortcut. Learn from other people's disasters before you become the next case study. Your future self will approve.

Risk Management, Cybersecurity Compliance, Podcast Mauven MacLeod

Why Personal Accountability Changes Everything: The Psychology of Director Liability

After two days discussing frameworks and technical standards, let's examine why personal accountability actually works when corporate fines consistently fail. The psychology is fascinating and explains decades of regulatory success and failure.

When British Airways faced a £20 million fine, nobody lost their job. When HSE prosecutes directors, workplace safety transforms overnight. The difference isn't the amount of money. It's whose money gets spent and whose freedom gets threatened. Human psychology responds very differently to personal consequences versus corporate abstractions.


The Three-Tier Cybersecurity Liability Framework: What It Means for Your Business

Yesterday's podcast proposed criminal liability for cybersecurity negligence. Today, we're dismantling the three-tier framework piece by piece so you know exactly where your business stands. Tier One protects small businesses with explicit gross negligence thresholds and Cyber Essentials safe harbour. Tier Two raises the bar for medium organisations whilst maintaining proportionate standards. Tier Three brings genuine consequences for large enterprises and public sector bodies that still can't implement MFA. This isn't fear-mongering. It's showing you precisely what reasonable care looks like at every business size so you can demonstrate compliance before anyone asks.


Prison Time for Directors? Part 2: Building the UK Cybersecurity Accountability Framework

Yes, you read that correctly. Prison time for directors who allow catastrophic cybersecurity failures. Before you close this tab in horror, hear me out. We already send directors to prison for health and safety failures. Workplace fatalities dropped 85% after the Health and Safety Executive got proper enforcement powers. The ICO? They send sternly worded letters whilst breaches affecting millions go unpunished. Today, Mauven and I lay out exactly what a proper UK cybersecurity enforcement regime would look like - one that protects small businesses whilst holding negligent executives accountable. Pull up a chair.

Podcast, Policy, Accountability Noel Bradford

Designing the Corporate Cyber Negligence Act (What Accountability Looks Like)

This week, we established why directors should face criminal prosecution for gross cybersecurity negligence. We examined the Synnovis case where a patient died because free MFA was not enabled. We provided technical analysis, psychological examination, and practical implementation guides. Saturday's opinion piece argued forcefully for criminal liability. Next week, we move from "why" to "how."

What would a Corporate Cyber Negligence Act actually say? What are the thresholds between bad luck and criminal negligence? How do we protect small businesses while targeting genuine negligence? What defences exist? How would enforcement work? We are designing the solution. Join us Monday.

Opinion & Analysis, Accountability, Policy, Podcast Noel Bradford

Enough. It Is Time to Send Negligent Directors to Prison for Cyber Failures.

I am tired of watching preventable disasters kill people while executives walk away with bonuses intact.

A patient died because Synnovis did not enable free multi-factor authentication. Nobody will face criminal prosecution.

If a construction director failed to provide hard hats and a worker died, that director would go to prison.

Yet when healthcare executives fail to enable free security controls and a patient dies, nothing happens. This is not justice. This is not accountability.

This is a broken system that treats cybersecurity negligence as an acceptable cost of doing business. It needs to stop. Here is why directors should face prison time for gross cyber negligence.


⚠️ Full Disclaimer

This is my personal blog. The views, opinions, and content shared here are mine and those of any contributors, and ours alone. They do not reflect or represent the views, beliefs, or policies of:

  • Our day-job employers

  • Any current or past clients, suppliers, or partners

  • Any other organisation we are affiliated with in any capacity

Nothing here should be taken as formal advice — legal, technical, financial, or otherwise. If you’re making decisions for your business, always seek professional advice tailored to your situation.

Where we mention products, services, or companies, that’s based purely on our own experiences and opinions — we are not being paid to promote anything. If that ever changes, we’ll make it clear.

In short: This is my personal space to share my personal views. No one else is responsible for what’s written here — so if you have a problem with something, take it up with me, not my employer.