The Small Business
Cyber Security Guy
Welcome to my blog and podcast, where I share brutally honest views, sharp opinions, and lived experience from four decades in the technology trenches. Whether you're here to read or tune in, expect no corporate fluff and no pulled punches.
Everything here is personal. These are my thoughts, not those of my employer, clients, or any poor soul professionally tied to me. If you’re offended, take it up with me, not them.
What you’ll get here (and on the podcast):
Straight-talking advice for small businesses that want to stay secure
Honest takes on cybersecurity trends, IT malpractice, and vendor nonsense
The occasional rant — and yes, the occasional expletive
War stories from the frontlines (names changed to protect the spectacularly guilty)
I've been doing this for over 40 years. I’ve seen genius, idiocy, and everything in between. Some of it makes headlines, and most of it should.
This blog and the podcast is where I unpack it all. Pull up a chair.
The SME That Discovered 247 Unauthorized Cloud Services in One Week
Buckinghamshire engineering firm thought they had "pretty good visibility" into their IT environment. DNS monitoring revealed 247 unauthorized cloud services, 43 different communication platforms, and £127,000 annual Shadow IT spending they didn't know existed. Dropbox, Google Drive, OneDrive, iCloud, plus dozens of project management tools, design software subscriptions, and messaging platforms. One week of DNS logs exposed six years of unauthorized software proliferation.
The technical implementation took four hours. The business transformation took six months. Today, you can start discovering what's actually running in your network using the same techniques that saved this business from digital chaos.
VPNs are Critical in a Hybrid Working World - But Without MFA They Are Almost Pointless
Right, time for some brutal honesty about VPNs. They're not just broken, they're actively dangerous security theatre that's getting businesses destroyed.
While you're still pretending that GlobalProtect and Cisco AnyConnect provide meaningful security, criminals are systematically working through every VPN deployment in the UK using the same basic playbook.
Ingram Micro lost £136 million because someone misconfigured a VPN firewall. Your "secure" remote access is probably next. Microsoft's already solved this problem with Secure Access Service Edge, but you're still clinging to 1990s network architecture like it's some kind of digital security blanket. Wake up.
When Basics Break: How Simple Security Failures Cripple Big Brands
A password of "123456" in 2025, supposedly protecting 64 million people's personal information. McDonald's just handed every UK SMB a masterclass in how vendor incompetence destroys lives.
Some security researchers got curious about Mickey Dee's dystopian AI hiring bot, spent 30 minutes guessing obvious passwords, and suddenly had access to every job application ever submitted to the Golden Arches.
While McDonald's and their AI vendor Paradox.ai play hot potato with blame, 64 million desperate job seekers discover their data was protected by supersized digital tissue paper. Pull up a chair.
From 17 Project Management Tools to Zero Productivity: The Communication Chaos Epidemic
Seven communication platforms. Fifteen employees. £23,000 legal discovery bill when employment tribunal demanded complete records. WhatsApp Business for customers, Slack for projects, Discord for "team building," Signal for "confidential" talks, Telegram for contractors. When they needed to reconstruct one client relationship, conversations were scattered across platforms they couldn't control.
Customer satisfaction dropped 40% because every interaction started from zero knowledge. The legal penalty cost three times more than the actual dispute.
Tonight, count how many platforms your business uses. Calculate your exposure. Because communication chaos isn't flexibility - it's liability waiting to explode.
When Britain's Biggest Retailers Get Absolutely Destroyed by a Phone Call
M&S just lost £300 million and Co-op exposed 20 million customer records because some criminal rang their IT help desk, pretended to be an employee, and walked away with the keys to the kingdom. Not sophisticated malware. Not zero-day exploits. A bloody phone call.
The parliamentary hearing this week revealed the shocking truth: Britain's biggest retailers have help desk security that wouldn't pass muster at a corner shop.
When Archie Norman admits they had "no cyber attack plan" and describes the response as "pure chaos," you know we're looking at IT malpractice on an industrial scale.
Patch Tuesday July 2025: When Shadow IT Makes Security Updates a Nightmare
Microsoft's July 2025 Patch Tuesday just dropped 130 security fixes while most UK SMBs remain blind to 42% of applications running on their networks. From my NCSC experience, this represents a systematic organizational failure: you cannot patch what you cannot see.
Critical vulnerabilities in Windows Kernel, BitLocker, and authentication systems require immediate deployment, but Shadow IT applications will break unpredictably.
Worse, the buried Secure Boot certificate expiration warning affects every Windows system since 2012 and could cause boot failures by June 2026. Patch management with unauthorized applications is like performing surgery blindfolded while the patient keeps moving.
The Hidden Apps Undermining Your Business Security
Yesterday's Episode 6 dropped the bombshell: 42% of business applications are unauthorized. Today we're diving deeper into the hidden app epidemic destroying UK SMB security.
Karen's Dropbox backup strategy with password "Password" shared via email. Marketing teams feeding confidential data to AI platforms. Customer service operations running through WhatsApp Business storing financial information in chat logs.
DNS monitoring revealing 200+ cloud connections in a single week. This isn't isolated incidents, it's systematic security failure hiding in plain sight. The digital squatters have moved in, and most businesses have no idea they're paying rent to criminals.
The VPN Security Crisis: A perspective on Why Traditional Remote Access Is Failing
After analyzing the Ingram Micro ransomware attack and reviewing the latest threat intelligence, I need to be brutally honest about VPN security. We're facing a 56% increase in VPN-related attacks, an 8-fold surge in edge device exploitation, and zero-day VPN exploits jumping from 3% to 22% of all incidents.
The SafePay group's destruction of a $48 billion distributor through basic VPN misconfiguration isn't an anomaly. It's the new normal.
From my NCSC experience, I can tell you that traditional VPN architectures are fundamentally incompatible with modern threat landscapes. Time for uncomfortable truths.
Shadow IT: The Digital Squatters in Your Business
Episode 6 drops today with a statistic that'll make your blood run cold: 42% of business applications are unauthorized. While you're worrying about hackers, your helpful employees have built them a data highway using WhatsApp customer service, Karen's Dropbox backup strategy (password: "Password"), and seventeen project management tools for twelve people.
Mauven brings her NCSC perspective on government Shadow IT disasters, while Noel shares the DNS monitoring method that revealed 200+ cloud connections in one SMB. This isn't theoretical cybersecurity, this is happening in your business right now. Listen before the digital squatters invite criminal friends.
When a $48 Billion Giant Falls to Basic Password Bollocks: The Ingram Micro Disaster That Should Terrify Every UK Business
A $48 billion global technology giant just got destroyed by criminals who exploited a basic firewall misconfiguration. Ingram Micro, the backbone of every MSP and reseller on the planet, is bleeding £136 million daily because someone forgot to tick a checkbox properly.
SafePay ransomware walked through their VPN like it was an open door, bringing down the entire global IT supply chain. If you're an MSP depending on single vendors, you're about to learn the brutal cost of trusting other people's cybersecurity competence. This disaster should terrify every business owner.
Catwatchful Exposed: When Surveillance Technology Becomes a Weapon
Former NCSC expert Mauven MacLeod exposes the disturbing Catwatchful stalkerware operation that suffered a massive breach in June 2025, revealing 62,000 customer accounts and 26,000 monitored victims across seven countries. This isn't just cybersecurity failure - it's weaponised surveillance technology enabling domestic abuse and stalking.
The breach exposed plaintext passwords, comprehensive victim data dating to 2018, and the operation's Uruguay-based administrator. From a government security perspective, this represents exactly why stalkerware is classified as malicious software. Understanding the psychology behind surveillance abuse is crucial for protecting potential victims and building technology that resists weaponization.
Your EV Charger Is a 47-Meter Security Disaster: The Brokenwire Wake-Up Call
Right, pull up a chair. We need to have a bloody serious conversation about the EV charging disaster that's been hiding in plain sight.
Oxford researchers just confirmed what should terrify every electric vehicle owner: your charging cable is a 47-meter antenna broadcasting your vulnerability to anyone with £200 worth of kit from eBay.
The "Brokenwire" attack can kill charging sessions wirelessly, and it's built into the bloody standards that govern 12 million EVs worldwide. Known since 2019, still unfixed in 2025.
The industry's solution? "Don't use DC fast charging." That's like saying don't use the motorway. Brilliant.
When Janet Jackson Accidentally Became a Cyber Weapon: The Pop Song That Crashed Laptops
Janet Jackson's "Rhythm Nation" music video could crash laptops just by playing the audio. Not through software exploits or malware, but because the bloody song contained the exact resonant frequency that turned 5400 RPM hard drives into expensive paperweights. Even better: playing the video on one laptop could crash OTHER laptops sitting nearby through pure acoustic warfare.
Microsoft engineers had to add secret audio filters to prevent pop music from destroying computers. If a 1989 dance track can accidentally weaponise your hardware, what else can deliberate attackers do?
Pull up a chair, this is peak engineering incompetence.
Passkeys, Passwordless, and the End of Excuses: Why This Time It's Actually a Good Thing
Passwords are circling the drain, and this time it’s for real. Microsoft, Apple, and Google are killing off passwords and pushing passkeys by default across their platforms.
Microsoft is going passwordless by force, Apple is making it seamless, and Google is syncing passkeys everywhere. The UK government is onboard too, rolling out passkeys across public services.
This isn’t future talk, it’s happening now. If your IT provider is still clinging to complex password policies and SMS MFA, you’re being left behind.
Passkeys work. They’re safer, faster, and available today. So why are you still dragging your feet?
The Psychology of Password Chaos: Why Smart People Make Terrible Choices
After Monday's podcast and yesterday's NCSC deep-dive, I want to tackle the elephant in the room: if three random words are so brilliant, why do smart business owners still use "password123"? Why does 78% password reuse persist despite constant breach warnings? The answer isn't technical ignorance - it's human psychology.
We're fighting millions of years of evolution with spreadsheets and complexity requirements. Our brains aren't wired for digital security, they're wired for survival shortcuts. Understanding this psychology is the key to implementing security that actually works in the real world.
Three Random Words: The NCSC Solution That Actually Works
After last night's podcast revelation about our collective digital archaeology disaster, let's talk about the solution hiding in plain sight. The UK's National Cyber Security Centre dropped wisdom that sounds too simple to work: pick three random words for your passwords. "Coffee train fish." "Wall tin shirt." "CabbagePianoBucket."
Easy to remember, nightmare to crack, and unlike "password123," not on every hacker's greatest hits list. While we're mashing together words and numbers in barely inventive combinations, the NCSC figured out human psychology and gave us something that actually works.
Middle East Conflict Escalation Creates Immediate Cyber Threats for UK Small Businesses
Last Friday, it was someone else's war. Over the weekend, Iranian hackers considered your Microsoft 365 account enemy infrastructure.
American B-2 bombers dropped 14 bunker-busters on Iranian nuclear facilities over the weekend. The cyber retaliation has already begun, and UK small businesses as we all use US cloud services are the in the firing line primary targets.
Remember NotPetya? Ukrainian attack, global devastation. Windows is Windows regardless of location.
Your customer database could be wiped tomorrow because you use American cloud services in a conflict between Washington and Tehran.
Most UK business owners have no idea they're now combatants in a cyber war they never signed up for.
➤ Why Iranian hackers are targeting YOUR business specifically
➤ The 7 things you must do TODAY (before they find you)
➤ How to tell if your MSP is protecting you or just taking your money
➤ Why "it won't happen to me" thinking will destroy your business
This isn't theory. The attacks started over the weekend. Your business is already on their target list.
From the creators of The Small Business Cyber Security Guy Podcast - emergency episode available now
Tonight at Midnight: The Password Archaeology Begins
Picture this: It's midnight, crisis hits, you need email access urgently. Staring at the login screen, mind completely blank. Was it your dog's name plus random numbers? Your old football team with an exclamation mark? Welcome to digital archaeology - the art of excavating your own memory for password variations you can't quite remember. Tonight's podcast reveals why we've become amateur archaeologists in our own digital lives, managing 250+ passwords while 78% of us reuse them. The midnight password panic is about to get much worse before it gets better.
Week Ahead: The Digital Archaeology Intervention UK SMBs Desperately Need
This week we're staging an intervention for UK SMBs trapped in digital archaeology hell. Picture this: It's midnight, crisis hits, you need email access, and your mind goes completely blank. Was it your dog's name plus random numbers?
Your old football team with an exclamation mark? Welcome to digital archaeology - excavating your own memory for password variations across 250+ accounts.
Monday's podcast kicks off our deep-dive into why 78% of us reuse passwords, why only 15% use managers, and how the NCSC's three random words can save your sanity.
Patch Tuesday Is Microsoft's Security Theatre
Microsoft's Patch Tuesday is security theatre masquerading as systematic protection. Every second Tuesday, they dump 30-80 vulnerabilities on businesses and expect immediate deployment while providing minimal testing guidance.
It's a monthly game of Russian roulette disguised as responsible disclosure. SMBs get caught between "patch immediately or die" hysteria and "test everything or break the business" paralysis.
Meanwhile, Microsoft profits from both the problems and the solutions. Here's why the entire Patch Tuesday system is broken for small businesses, and what we actually need instead of monthly security panic cycles.
⚠️ Full Disclaimer
This is my personal blog. The views, opinions, and content shared here are mine and mine alone. They do not reflect or represent the views, beliefs, or policies of:
My employer
Any current or past clients, suppliers, or partners
Any other organisation I’m affiliated with in any capacity
Nothing here should be taken as formal advice — legal, technical, financial, or otherwise. If you’re making decisions for your business, always seek professional advice tailored to your situation.
Where I mention products, services, or companies, that’s based purely on my own experience and opinions — I’m not being paid to promote anything. If that ever changes, I’ll make it clear.
In short: This is my personal space to share my personal views. No one else is responsible for what’s written here — so if you have a problem with something, take it up with me, not my employer.