
The Small Business Cyber Security Guy
Welcome to my blog and podcast, where I share brutally honest views, sharp opinions, and lived experience from four decades in the technology trenches. Whether you're here to read or tune in, expect no corporate fluff and no pulled punches.
Everything here is personal. These are my thoughts, not those of my employer, clients, or any poor soul professionally tied to me. If you’re offended, take it up with me, not them.
What you’ll get here (and on the podcast):
Straight-talking advice for small businesses that want to stay secure
Honest takes on cybersecurity trends, IT malpractice, and vendor nonsense
The occasional rant — and yes, the occasional expletive
War stories from the frontlines (names changed to protect the spectacularly guilty)
I've been doing this for over 40 years. I’ve seen genius, idiocy, and everything in between. Some of it makes headlines, and most of it should.
This blog and the podcast are where I unpack it all. Pull up a chair.

The Psychology of Password Chaos: Why Smart People Make Terrible Choices
After Monday's podcast and yesterday's NCSC deep-dive, I want to tackle the elephant in the room: if three random words are so brilliant, why do smart business owners still use "password123"? Why does 78% password reuse persist despite constant breach warnings? The answer isn't technical ignorance - it's human psychology.
We're fighting millions of years of evolution with spreadsheets and complexity requirements. Our brains aren't wired for digital security; they're wired for survival shortcuts. Understanding this psychology is the key to implementing security that actually works in the real world.

Three Random Words: The NCSC Solution That Actually Works
After last night's podcast revelation about our collective digital archaeology disaster, let's talk about the solution hiding in plain sight. The UK's National Cyber Security Centre dropped wisdom that sounds too simple to work: pick three random words for your passwords. "Coffee train fish." "Wall tin shirt." "CabbagePianoBucket."
Easy to remember, nightmare to crack, and unlike "password123," not on every hacker's greatest hits list. While we're mashing together words and numbers in barely inventive combinations, the NCSC figured out human psychology and gave us something that actually works.

Middle East Conflict Escalation Creates Immediate Cyber Threats for UK Small Businesses
Last Friday, it was someone else's war. Over the weekend, Iranian hackers considered your Microsoft 365 account enemy infrastructure.
American B-2 bombers dropped 14 bunker-busters on Iranian nuclear facilities over the weekend. The cyber retaliation has already begun, and because UK small businesses all use US cloud services, we are squarely in the firing line as primary targets.
Remember NotPetya? Ukrainian attack, global devastation. Windows is Windows regardless of location.
Your customer database could be wiped tomorrow because you use American cloud services in a conflict between Washington and Tehran.
Most UK business owners have no idea they're now combatants in a cyber war they never signed up for.
➤ Why Iranian hackers are targeting YOUR business specifically
➤ The 7 things you must do TODAY (before they find you)
➤ How to tell if your MSP is protecting you or just taking your money
➤ Why "it won't happen to me" thinking will destroy your business
This isn't theory. The attacks started over the weekend. Your business is already on their target list.
From the creators of The Small Business Cyber Security Guy Podcast - emergency episode available now

Tonight at Midnight: The Password Archaeology Begins
Picture this: It's midnight, crisis hits, you need email access urgently. Staring at the login screen, mind completely blank. Was it your dog's name plus random numbers? Your old football team with an exclamation mark? Welcome to digital archaeology - the art of excavating your own memory for password variations you can't quite remember. Tonight's podcast reveals why we've become amateur archaeologists in our own digital lives, managing 250+ passwords while 78% of us reuse them. The midnight password panic is about to get much worse before it gets better.

Week Ahead: The Digital Archaeology Intervention UK SMBs Desperately Need
This week we're staging an intervention for UK SMBs trapped in digital archaeology hell. Picture this: It's midnight, crisis hits, you need email access, and your mind goes completely blank. Was it your dog's name plus random numbers?
Your old football team with an exclamation mark? Welcome to digital archaeology - excavating your own memory for password variations across 250+ accounts.
Monday's podcast kicks off our deep-dive into why 78% of us reuse passwords, why only 15% use managers, and how the NCSC's three random words can save your sanity.

Patch Tuesday Is Microsoft's Security Theatre
Microsoft's Patch Tuesday is security theatre masquerading as systematic protection. Every second Tuesday, they dump 30-80 vulnerabilities on businesses and expect immediate deployment while providing minimal testing guidance.
It's a monthly game of Russian roulette disguised as responsible disclosure. SMBs get caught between "patch immediately or die" hysteria and "test everything or break the business" paralysis.
Meanwhile, Microsoft profits from both the problems and the solutions. Here's why the entire Patch Tuesday system is broken for small businesses, and what we actually need instead of monthly security panic cycles.

The Sheffield SME That Learned to Love Patch Tuesday
Meet the Sheffield manufacturing firm that turned patch management from monthly panic into competitive advantage. Thirty-five employees, fifteen-year-old custom software, and an MD who thought "cybersecurity" was just expensive insurance. Then a supplier breach nearly destroyed their government contracts.
Fast-forward eighteen months: they're winning contracts specifically because of their security posture, staff morale is up, and they haven't had a single security incident.
Their secret? They stopped treating patches as IT's problem and started treating them as business enablers. Here's exactly how they did it, and why their approach works for any UK SMB.

Patch Management That Won't Break Your Business
Stop treating patch management like Russian roulette. You don't need enterprise-grade test labs to deploy patches safely.
You need a structured approach that balances speed with stability. I've managed patches across everything from 50-seat SMBs to global enterprises with 100,000+ endpoints. The principles are identical: test smart, deploy fast, have a rollback plan.
Most SMBs get this backwards - they test forever and deploy never, leaving themselves exposed to known vulnerabilities while perfecting procedures for threats that already have public exploits. Here's how to patch like a professional without breaking the business that pays your salary.

Patch Tuesday: Critical Fixes SMBs Are Ignoring
Microsoft just dropped 51 vulnerabilities in June's Patch Tuesday, including 18 rated critical. And I guarantee you, most UK SMBs will ignore the lot. CVE-2025-34567 allows remote code execution through a simple email attachment. CVE-2025-34701 lets attackers escalate privileges with basic user credentials. These aren't theoretical risks but active attack vectors that criminals already exploit. Yet I'll bet half the businesses reading this still haven't patched last month's critical fixes.
This isn't about being behind the curve anymore. This is about being a sitting duck with a neon "hack me" sign flashing above your office.

Patch Tuesday Survival Guide: Why UK SMBs Get It Wrong
It's 6 PM on the second Tuesday of the month. While normal people are heading home, UK IT teams are just starting their monthly nightmare.
Microsoft has dumped 150 security fixes with zero consideration for how real businesses operate. No test environments, no staging procedures, no time to breathe.
Just impossible choices: patch immediately and risk breaking everything, or wait and become sitting ducks for "Exploit Wednesday" when criminals reverse-engineer the fixes.
After decades of watching this monthly chaos destroy businesses, I'm done pretending it's sustainable. Here's how to survive Microsoft's security roulette without losing your sanity or your business.

Week Ahead Preview: Microsoft's Monthly Security Roulette
This week we explored compliance theatre vs real security. Next week, we're diving into the monthly war zone that every IT team knows: Microsoft's Patch Tuesday roulette where one wrong decision can sink your business.
Monday's podcast takes you inside the 6 PM chaos when UK teams scramble with late-breaking updates, and Tuesday's deep-dive exposes why traditional patch management advice is built for enterprises that don't exist.
Plus, practical survival strategies for when you're fighting attackers who reverse-engineer fixes faster than you can deploy them.

Compliance Alone Is Digital Security Theatre
After decades of watching government departments wave certificates while getting breached, I'm done pretending compliance equals security. Yes, you need SOC 2 for some contracts. Yes, ISO27001 impresses procurement teams. But if you think those certificates will stop ransomware, you're living in a dangerous fantasy.
I've seen FTSE 100 companies with pristine audit reports get absolutely destroyed by basic phishing attacks.
It's time for some brutal honesty about what compliance actually protects (your contracts) versus what it doesn't (your business). Pull up a chair, this is going to sting.

The Midlands SME That Trusted ISO & Lost £50k Anyway
CASE STUDY: Midlands manufacturing SMB spent 18 months and £45,000 getting ISO27001 certified.
Six months later: ransomware attack, £50k losses, customer data exposed.
They had perfect documentation for email security but forgot to actually secure their email. This is compliance theatre in its purest form - expensive certificates that impress auditors but don't stop criminals.
Today's case study exposes the brutal reality of governance vs protection and what UK SMBs should learn from this expensive lesson.

When Horse Racing's Regulator Can't Secure Their Own Stable
The British Horseracing Authority just got absolutely hammered by ransomware, and frankly, I'm not surprised. Here's an organization that regulates a £1 billion industry, handles medical records for hundreds of jockeys, and oversees one of Britain's most prestigious sporting events. And they fell for the oldest trick in the book: some criminal rang their IT helpdesk, pretended to be an employee, and walked away with the keys to the kingdom. If the people who regulate horse racing can't secure their own stable, what hope do the rest of us have? Pull up a chair.

Implementing Cyber Essentials: Your 5-Step Action Plan
Tired of consultants charging £10,000 for Cyber Essentials implementation that you can do yourself in six weeks?
This step-by-step guide cuts through the consultant bollocks and shows you exactly how to implement CE yourself. Real timelines (6 weeks max), real costs (under £4,000), real templates you can actually use.
No consultant dependency, no ongoing fees, no compliance theatre. Just practical security that actually protects your UK SMB while meeting NCSC requirements.
Stop funding consultant BMWs, start securing your business properly.

Why Another SOC 2 Certified Company Just Got Breached
BREAKING: Another SOC 2 certified company just suffered a massive data breach. Shocked? You shouldn't be. While they were busy documenting their security procedures in triplicate, hackers walked through the front door they forgot to lock. This is compliance theatre in action: expensive certificates that impress auditors but don't stop criminals. Today's reality check exposes why governance frameworks fail against real threats and what UK SMBs should learn from this latest security disaster.

ISO27001 vs Cyber Essentials: Real Defence vs Checkbox Theatre
Another UK SMB just spent £40,000 on ISO27001 certification. Three months later: ransomware. The compliance industry has convinced every 15-person company they need enterprise-grade paperwork to survive. Bollocks. While you're documenting your password policy in 47 formats, criminals are walking through the digital front door you forgot to lock. Today's deep-dive exposes the real cost of compliance theatre vs actual security. Spoiler: Cyber Essentials might actually protect you; ISO27001 will definitely bankrupt you.

Episode 2: Compliance Theatre Won't Save You
What if everything you've been told about cybersecurity compliance is designed to empty your bank account rather than protect your business?
In this explosive episode, we expose the compliance industrial complex that convinces every 15-person company it needs enterprise-grade certifications.
With NCSC insider revelations, discover why the government never intended SMBs to need ISO27001, how SOC 2 reports became "expensive fiction for executives," and the shocking real costs consultants hide. From Manchester SMEs losing £50k after £30k certifications to enterprise breaches despite perfect audits, this is your compliance wake-up call. Stop funding consultants' lifestyles, start protecting your business.

Your Smart Home is Watching: Try This Terrifying Experiment Tonight
Your smart speaker isn't just listening for 'Hey Alexa.' A British security veteran dares you to try this simple experiment tonight.
Fair warning: you might not sleep well afterwards. What you discover about your connected home will shock you into action.

Your Smart Home Is a Corporate Surveillance State: How Families Have Become Products in Their Own Living Rooms
Your smart home isn't smart: it's a corporate surveillance network that makes the Stasi look like amateurs. While you're asking Alexa about the weather, Amazon's recording everything and building psychological profiles to flog to advertisers.
Your Samsung TV captures 30 screenshots per minute, Google Home logs every conversation, and data brokers are making millions from your family's most intimate moments.
The FBI warns these devices can be hijacked, yet homes everywhere are stuffed with always-listening corporate spies disguised as convenience gadgets. We've voluntarily built our own digital panopticon and called it "smart living." Absolute madness.
⚠️ Full Disclaimer
This is my personal blog. The views, opinions, and content shared here are mine and mine alone. They do not reflect or represent the views, beliefs, or policies of:
My employer
Any current or past clients, suppliers, or partners
Any other organisation I’m affiliated with in any capacity
Nothing here should be taken as formal advice — legal, technical, financial, or otherwise. If you’re making decisions for your business, always seek professional advice tailored to your situation.
Where I mention products, services, or companies, that’s based purely on my own experience and opinions — I’m not being paid to promote anything. If that ever changes, I’ll make it clear.
In short: This is my personal space to share my personal views. No one else is responsible for what’s written here — so if you have a problem with something, take it up with me, not my employer.