Ransomware isn’t your biggest problem—it’s just the one that finally made you look. Behind every cyberattack sits a decade of crap decisions, from budget-stretched IT to untrained staff, weak passwords, and clueless suppliers.

You didn’t get hit because you were unlucky. You got hit because your house was already on fire.

This is part one of a blistering three-part series breaking down the disease beneath the ransomware epidemic ripping through the UK’s small business sector.

If you think you’re too small to be a target, read this—and pray you’re not already infected.

May’s Patch Tuesday is coming in hot—and if April’s mess left your domain logins broken, WSUS deployments in meltdown, or your Hello PIN sulking in the corner, you’ll want this one.

Microsoft is set to mop up its authentication chaos, plug lingering Windows 10 holes, and squash a few zero-days while it’s at it.

But that’s not all. Adobe, Intel, and SAP are sneaking in updates too. This month’s patch drop might not be as noisy as April, but it’s arguably more important.

Brace yourself for impact on 14 May—and don’t forget to test before clicking “Install.”

Think your MSP has your back? Think again. In Part 4 of Breached, we unpack the brutal truths most businesses only learn after the worst happens.

From useless logs to skyrocketing insurance, and a support ticket that nearly destroyed everything, this is the roadmap you wish you had before the call came. Ten hard lessons, zero fluff.

Why your MSP is there to sell, not protect. Why a good fractional CIO is worth their weight in gold. And why silence from your IT provider isn’t just dangerous—it might be deliberate. This isn’t theory. It’s survival. And you’d better be ready.

Think you're too small to be a target? Think again. UK small businesses are now the top attack vector for state-backed hackers from Russia and China, and your half-baked cybersecurity is a red carpet to our critical infrastructure.

M&S, Harrods, and the Co-op didn’t get hit by chance, they got hit through you. If you’re in the supply chain without Cyber Essentials Plus, real EDR, or even basic patching, you’re not just vulnerable — you’re a national liability. Time to grow up or get out of the way.

The breach was just the beginning. In Part 3 of Breached, the truth is out—and now come the consequences. The MSP tried to hide a misconfiguration. They failed.

Now the clients are calling, the regulators want answers, and the business owner is left holding the fallout. From a quiet boardroom to sleepless nights and rising insurance premiums, this is what happens when a cover-up gets exposed. Contracts are cancelled. Trust evaporates.

And the worst part? It all could have been prevented. If you've ever wondered what happens after the breach, this is the chapter that shows just how far it spreads.

What happens when your IT provider makes a mistake—and then tries to hide it? In Part 2 of Breached, a hidden support ticket, a missing firewall log, and over 400 unpatched vulnerabilities unravel a small business’s trust in the team meant to protect them.

The MSP said, “Don’t tell the client.” But she was accidentally copied in. What followed was seven days of denial, silence, and mounting pressure—until the truth was read aloud, word for word, in a boardroom gone cold. This isn’t about poor support. This is about betrayal, exposure… and what happens when you catch someone in the lie.

Katie Roberts thought it was just another Tuesday—until her personal phone rang at 11:27 a.m. The voice on the other end wasn’t a client. It was the National Crime Agency. Within minutes, her calm, structured world tilted on its axis. A cyber breach. Live. Real. Observed. And her business—the one she’d built from scratch—was now under threat. No plan. No warnings. Just a quiet office and a slow, sinking realisation that everything was about to change. What do you do when your worst-case scenario starts with a phone call? You listen. You freeze. And then… you start asking questions.

Samsung has once again reminded us why blind trust is a cybersecurity death sentence. Researchers discovered a massive vulnerability in Galaxy devices' Secure Element — the hardware vault meant to protect your biometrics and encryption keys. Attackers could exploit this “inadvertent” flaw remotely, with Samsung quietly patching it months later and offering zero transparency.

No warnings. No device list. Just a silent fix and crossed fingers. If you own a Galaxy, you're now part of a grand experiment called cybersecurity roulette. Trust nothing. Verify everything. Then verify it again — especially when your vendor’s motto is basically “Oops, sorry!”

Think 2025 would be the year we finally nailed DDoS protection? Think again. Some poor online betting site just got steamrolled by a 1Tbps brute-force attack — and the industry is clutching its pearls like it’s 2005. Guess what?

If you’re running a high-value, downtime-sensitive business without bulletproof DDoS mitigation, you’re basically waving a “please fuck up my day” flag at the internet. This wasn’t a sophisticated hack; it was raw, stupid power.

And it still worked. If your master plan is “hope and pray,” you deserve every packet flood coming your way. Dive into this raging breakdown of why businesses are still flailing when the digital shitstorm hits.

Spoiler: it's entirely their own bloody fault.

The UK’s new Cyber Security and Resilience Bill is about to shake things up – hard. With fines of up to £100,000 per day for failing to report serious cyber incidents, the days of shrugging off IT failures are officially over.

Critical suppliers like MSPs are firmly in the government’s sights, and mandatory reporting within 24 hours means businesses must be ready to move fast. But is it enough?

Will this finally close the gaps attackers have exploited for years, or will it pile more pressure on already stretched organisations? One thing is clear: ignoring cyber security is no longer an option.

Paper password managers. Charming relics of a simpler time... or a catastrophically bad idea in 2025?

At home? Fine. Lock it up tighter than your secret stash of biscuits.

At work? Absolutely fucking not.

Unless your business strategy includes "hoping Karen does not spill coffee on the master admin password" – get a proper password manager.

Maybe, maybe a sealed "break glass" password for your CRM or M365 admin account. And I mean sealed like you are guarding the Crown Jewels.

Want the full sarcastic (and slightly sweary) breakdown?