BlogContributors

Graham Falkner

Graham Falkner

How-to contributor

Methodical, step-by-step security for people who just want it done properly.

Graham is the practical, methodical voice of the publication. He is the person small business owners trust to explain a complex security topic in plain language, broken into numbered steps you can follow like a checklist.

He writes the Thursday how-to. His tone is everyman rather than expert: here is what worked for me, and here is the trick. Where others would rage, Graham notes the problem with a quiet “which is not ideal” and gets on with fixing it.

He is patient, he never rushes the reader, and he will not sell you a product. If a task needs three sentences to explain properly, he gives it three sentences.

32 articles by Graham Falkner

How to Use SMB1001 as a Practical Roadmap (Not Just Another Badge): A Step-by-Step Guide for UK Small Businesses

How to Use SMB1001 as a Practical Roadmap (Not Just Another Badge): A Step-by-Step Guide for UK Small Businesses

Most small businesses that call their IT company and say "can you just make us secure?" get back either an incomprehensible technical list or a vague proposal with no defined deliverables. What they rarely get is a structured conversation about where they actually are, where they need to be, and what that journey will cost. SMB1001's five tiers give you the framework for exactly that conversation. In this practical guide, I'll walk you through how to assess your current position honestly, choose

Read more →
From Cyber Essentials to SMB1001 — Is One Badge Ever Enough?

From Cyber Essentials to SMB1001 — Is One Badge Ever Enough?

A week of Cyber Essentials v3.3 done. Scope reviews, cloud scoping rules, MFA for everyone, the 14-day patching window. You now know more about CE than most IT managers I've spoken to this year. Next Monday we zoom out. SMB1001 runs from Bronze to Diamond and was built specifically for small businesses that want a structured security roadmap beyond the CE baseline. It is not a UK government scheme, it does not carry the same procurement weight, and the two frameworks do not map neatly. So the qu

Read more →
Your 30-60 Day Cyber Essentials v3.3 Readiness Plan: A Step-by-Step Guide

Your 30-60 Day Cyber Essentials v3.3 Readiness Plan: A Step-by-Step Guide

Right. Noel and Mauven have told you what's changing in Cyber Essentials v3.3 and why scope failures become legal problems. My job is the bit that comes after: what do you actually do, in what order, with realistic timelines? I have broken this into a 30-60 day plan that works for most UK SMBs, whether you're renewing before 26th April under Willow or preparing for Danzell afterwards. No tools to buy, no consultants to hire for the basics. Mostly time, a spreadsheet, and an honest look at what y

Read more →
March Patch Tuesday 2026: No Zero-Days, No Excuses

March Patch Tuesday 2026: No Zero-Days, No Excuses

Microsoft shipped March 2026 Patch Tuesday on 10 March with no actively exploited zero-days. And I can already hear the conversation in the finance department: "Quiet month, push it to next quarter." Wrong. This month's release covers six Windows elevation-of-privilege flaws that Microsoft itself rates as Exploitation More Likely, a critical Excel bug that can hijack Copilot Agent to exfiltrate data with near zero user interaction, and two Office remote code execution issues that fire through th

Read more →
Your Four-Control Playbook: The Basic Security Measures Currys’ Was Missing (And How to Implement Them This Afternoon)

Your Four-Control Playbook: The Basic Security Measures Currys’ Was Missing (And How to Implement Them This Afternoon)

Malware sat on 5,390 Currys tills for nine months. Nobody noticed. That is not a sophisticated nation-state attack. That is a basic monitoring failure. The ICO called the missing controls "basic, commonplace security measures." In plain English: this was avoidable. If you run a small or medium-sized business and you process payment data, hold customer records, or manage staff information, this week's practical guide gives you four specific controls to implement. No expensive tooling. No consulta

Read more →
Your CLOUD Act Exposure Audit: The Step-by-Step Guide for UK Small Businesses

Your CLOUD Act Exposure Audit: The Step-by-Step Guide for UK Small Businesses

Every UK business using Microsoft 365, Google Workspace, or any US cloud service has an unassessed CLOUD Act exposure. This guide gives you a step-by-step process to map it: list your vendors, identify your crown jewels, check who controls the encryption keys, fold the findings into your DPIAs, and build a realistic exit plan. No consultancy fees, no jargon, no panic. One afternoon with your IT lead and a spreadsheet. By Friday you will know exactly where your business sits and what, if anything

Read more →
Six Zero-Days, One Tuesday, and Your Approval Process Is Still Broken

Six Zero-Days, One Tuesday, and Your Approval Process Is Still Broken

Graham here. Microsoft dropped six actively exploited zero-days on us yesterday, three of them publicly disclosed before the patch even landed. That means attackers had working exploits before you had fixes. Three bypass your security warnings entirely. One gives SYSTEM access through Remote Desktop Services. CrowdStrike confirmed active abuse in the wild. Meanwhile, SAP shipped a CVSS 9.9 code injection flaw and Adobe patched 44 vulnerabilities across nine products. If your patching approval pr

Read more →
January 2026 Patch Tuesday: New Year, New Nightmares for SMB Security

January 2026 Patch Tuesday: New Year, New Nightmares for SMB Security

Microsoft’s January 2026 Patch Tuesday delivered 114 updates and 3 zero-days – with SharePoint Toolshell, Fortinet VPN bypass, and HPE OneView RCE leading the charge. This isn’t theoretical. Attackers are already exploiting these in the wild. From Adobe Acrobat to Apple’s WebKit spyware holes, no vendor was spared. SMB IT teams, you’re on the clock. Here’s your no-fluff, brutally honest patching guide.

Read more →
Your First Cyber Risk Register: 2-Hour Implementation Guide with Template

Your First Cyber Risk Register: 2-Hour Implementation Guide with Template

Create your first cyber risk register in 2 hours. No consultant needed. Step 1: Identify five specific risks (phishing, ransomware, insider threats are mandatory for all UK SMEs). Step 2: Assess likelihood using real government statistics (85% phishing, 43% breach rate). Step 3: Document impact including business closure potential (28% of SMEs). Step 4: List current controls with verification dates. Step 5: Calculate residual risk scores. Step 6: Specify additional controls with costs. Step 7: A

Read more →
The 5-Step IoT Device Audit: Find and Secure Every Forgotten Computer on Your Network

The 5-Step IoT Device Audit: Find and Secure Every Forgotten Computer on Your Network

Practical Value: After Monday's podcast about the marketing agency breach through an unsecured printer, the most common question we've received is: "How do I actually do this audit myself?" Fair question. Telling business owners they have a problem is easy. Providing practical steps to fix it is harder. This guide walks you through conducting a comprehensive IoT device audit using free tools. Time investment: 4-6 hours for initial audit. Cost: Free to £200 for network scanning tools. Difficulty:

Read more →
Three Zero Days And A Christmas Timebomb: December Patch Tuesday Will Hurt If You Ignore It

Three Zero Days And A Christmas Timebomb: December Patch Tuesday Will Hurt If You Ignore It

December 2025 Patch Tuesday is supposed to be the quiet cruise into Christmas, right? Instead we got fifty seven vulnerabilities, three zero days and one actively exploited Windows privilege escalation that hits almost every supported build. Add in one hundred and thirty nine Adobe fixes and an awkward five week gap until the next Patch Tuesday in January and you have a perfect festive storm. Are you really happy to leave servers and laptops unpatched while everyone is on holiday, or do you want

Read more →
The Complete SMB Toolkit for Reverse Benchmarking: Free and Budget Tools That Actually Work

The Complete SMB Toolkit for Reverse Benchmarking: Free and Budget Tools That Actually Work

Right, enough theory. Today we're getting practical: the actual tools, templates, and processes you need to implement reverse benchmarking without spending a fortune. Everything in this guide is either free or costs less than a decent takeaway curry per month. Because I'm sick of "enterprise security" guides that assume unlimited budgets and dedicated staff. This is the real-world, shoestring-budget, one-person-wearing-multiple-hats implementation guide. Asset inventory using Google Sheets: free

Read more →
Demonstrating Reasonable Care: Your Practical Guide to Cybersecurity Accountability

Demonstrating Reasonable Care: Your Practical Guide to Cybersecurity Accountability

Enough theory. Today we're getting practical. Whether or not director liability becomes law, demonstrating reasonable care protects your business now. Insurance claims require evidence. Contracts demand due diligence. Regulators ask what you did before the breach. This guide gives you exactly what you need: the five controls that matter, documentation templates, evidence gathering processes, and realistic timelines for businesses of every size. No enterprise consultants required. No massive budg

Read more →
How to Implement MFA Across Your Business in One Afternoon (Complete Guide)

How to Implement MFA Across Your Business in One Afternoon (Complete Guide)

After this week's coverage of the Synnovis death, many of you have asked: "How do I actually implement MFA in my business?" Here is your complete, practical guide. No jargon, no theory, just step-by-step instructions for enabling multi-factor authentication across your entire organisation. This afternoon. Right now. Whether you are running Microsoft 365, Google Workspace, or a mix of different services, this guide walks you through the exact process. I will show you how to configure systems, dep

Read more →
Opinion: UK SMBs Are Funding AI's Energy Crisis and Nobody Asked Permission

Opinion: UK SMBs Are Funding AI's Energy Crisis and Nobody Asked Permission

Here's a question for your weekend: Did anyone ask if UK small businesses wanted to fund Microsoft's nuclear reactor restart? Because that's what's happening. While Microsoft spends $1.6 billion restarting Three Mile Island, Google partners with Kairos Power for small modular reactors, and Amazon secures nuclear capacity across multiple projects, your cloud bills are climbing to pay for it. Nobody took a vote. Nobody asked permission. Tech giants made a collective decision that AI is worth unlim

Read more →
7 Actions to Stop Your Cloud Bill Funding AI's Nuclear Ambitions

7 Actions to Stop Your Cloud Bill Funding AI's Nuclear Ambitions

Microsoft's restarting Three Mile Island. Google's building small modular reactors. Amazon's buying nuclear capacity. And you're getting the bill. While tech giants scramble for gigawatts to power their AI fantasies, your cloud costs are climbing faster than a hyperactive squirrel on espresso. AWS up 15%, Azure up 12%, SaaS tools adding "AI features" you didn't ask for at 20% premium. But here's what nobody's telling you: you don't need to accept this as inevitable. Seven specific actions you ca

Read more →
InfoSec, CyberSec, IT Security: Vendors Are Selling You the Wrong One on Purpose

InfoSec, CyberSec, IT Security: Vendors Are Selling You the Wrong One on Purpose

Security vendors are playing you for fools, and they're getting rich doing it. Every week I watch UK business owners waste £20,000 on "comprehensive cybersecurity platforms" when they needed £5,000 of basic IT security. The industry deliberately muddies the difference between InfoSec, CyberSec, and IT Security because confused customers pay premium prices for inappropriate solutions. Meanwhile, 50% of small businesses were breached in 2025, proving that expensive confusion doesn't equal protecti

Read more →
Cybersecurity is Now Safeguarding - Understanding the 2025 Guidance Game-Changer

Cybersecurity is Now Safeguarding - Understanding the 2025 Guidance Game-Changer

September 1st, 2025 marked a fundamental shift in UK education: cybersecurity officially became a safeguarding issue under the Keeping Children Safe in Education guidance. Paragraph 144 explicitly links cyber security to safeguarding responsibilities, meaning schools can no longer dismiss security as "just an IT problem." This changes everything from a compliance perspective. When framed as "keeping children safe" rather than "good IT security," schools respond differently. Governors now have st

Read more →