Ten Questions to Ask Your IT Provider This Week
You do not need to understand SAML or KEV. You need to ask grown-up questions and expect plain-English answers. Here are ten of them.
Read more →
How-to contributor
Methodical, step-by-step security for people who just want it done properly.
Graham is the practical, methodical voice of the publication. He is the person small business owners trust to explain a complex security topic in plain language, broken into numbered steps you can follow like a checklist.
He writes the Thursday how-to. His tone is everyman rather than expert: here is what worked for me, and here is the trick. Where others would rage, Graham notes the problem with a quiet “which is not ideal” and gets on with fixing it.
He is patient, he never rushes the reader, and he will not sell you a product. If a task needs three sentences to explain properly, he gives it three sentences.
You do not need to understand SAML or KEV. You need to ask grown-up questions and expect plain-English answers. Here are ten of them.
Read more →
Fifteen minutes for Microsoft 365. Fifteen for your firewall. Thirty for a weekly review process. Here is the practical logging guide your IT provider should have given you.
Read more →
TPM plus PIN BitLocker is one Group Policy change, one command per device, and a Tuesday of user communication. The whole job fits in two weeks. Here is how.
Read more →
Seven questions. Ask them calmly, in writing, before your next contract renewal. A good provider will welcome them. A bad one will hand-wave. That is the test.
Read more →
137 patches. 30 critical. No zero-days. The four bugs UK SMBs must fix this week, plus the perfect-10 one that needs no action at all.
Read more →
53% of UK businesses have no MFA. 56% have no continuity plan. Five steps to beat the average this week. No budget. No consultants. No excuses.
Read more →
The Pledge launches this summer. Certification takes four to six weeks. Here is the exact process, with costs, timelines, and the steps your IT provider should handle.
Read more →
Website not loading? Before you blame DNS, follow these five steps. A practical guide that saves hours of wasted time.
Read more →
167 CVEs. Two zero-days. One SharePoint flaw needs no password to exploit. April 2026 Patch Tuesday demands your attention today, not next week.
Read more →
UK insurers check six specific technical controls after a breach. If they're not in place and documented, your claim is at risk. Here's the practical checklist for UK SMBs.
Read more →
Paste-and-run is now the dominant attack method. Mac is not safe. Vidar is back. Red Canary's March data, translated into steps you can actually take.
Read more →
Every answer on your cyber insurance proposal form will be checked against your network logs if you ever claim. Most SMBs answer how they'd like things to be, not how they actually are.
Read more →
A 30-minute walkthrough any small business owner can do without specialist knowledge. By the end, you'll have a clear list of what's safe, risky, and what needs to go.
Read more →
Political donations need cybersecurity to prevent foreign interference. Secure your processes and build trust with these practical steps.
Read more →
Most small businesses that call their IT company and say "can you just make us secure?" get back either an incomprehensible technical list or a vague proposal with no defined deliverables. What they rarely get is a structured conversation about where they actually are, where they need to be, and what that journey will cost. SMB1001's five tiers give you the framework for exactly that conversation. In this practical guide, I'll walk you through how to assess your current position honestly, choose
Read more →
A week of Cyber Essentials v3.3 done. Scope reviews, cloud scoping rules, MFA for everyone, the 14-day patching window. You now know more about CE than most IT managers I've spoken to this year. Next Monday we zoom out. SMB1001 runs from Bronze to Diamond and was built specifically for small businesses that want a structured security roadmap beyond the CE baseline. It is not a UK government scheme, it does not carry the same procurement weight, and the two frameworks do not map neatly. So the qu
Read more →
Right. Noel and Mauven have told you what's changing in Cyber Essentials v3.3 and why scope failures become legal problems. My job is the bit that comes after: what do you actually do, in what order, with realistic timelines? I have broken this into a 30-60 day plan that works for most UK SMBs, whether you're renewing before 26th April under Willow or preparing for Danzell afterwards. No tools to buy, no consultants to hire for the basics. Mostly time, a spreadsheet, and an honest look at what y
Read more →
Microsoft shipped March 2026 Patch Tuesday on 10 March with no actively exploited zero-days. And I can already hear the conversation in the finance department: "Quiet month, push it to next quarter." Wrong. This month's release covers six Windows elevation-of-privilege flaws that Microsoft itself rates as Exploitation More Likely, a critical Excel bug that can hijack Copilot Agent to exfiltrate data with near zero user interaction, and two Office remote code execution issues that fire through th
Read more →
Malware sat on 5,390 Currys tills for nine months. Nobody noticed. That is not a sophisticated nation-state attack. That is a basic monitoring failure. The ICO called the missing controls "basic, commonplace security measures." In plain English: this was avoidable. If you run a small or medium-sized business and you process payment data, hold customer records, or manage staff information, this week's practical guide gives you four specific controls to implement. No expensive tooling. No consulta
Read more →
Every UK business using Microsoft 365, Google Workspace, or any US cloud service has an unassessed CLOUD Act exposure. This guide gives you a step-by-step process to map it: list your vendors, identify your crown jewels, check who controls the encryption keys, fold the findings into your DPIAs, and build a realistic exit plan. No consultancy fees, no jargon, no panic. One afternoon with your IT lead and a spreadsheet. By Friday you will know exactly where your business sits and what, if anything
Read more →
Graham here. Microsoft dropped six actively exploited zero-days on us yesterday, three of them publicly disclosed before the patch even landed. That means attackers had working exploits before you had fixes. Three bypass your security warnings entirely. One gives SYSTEM access through Remote Desktop Services. CrowdStrike confirmed active abuse in the wild. Meanwhile, SAP shipped a CVSS 9.9 code injection flaw and Adobe patched 44 vulnerabilities across nine products. If your patching approval pr
Read more →
Microsoft’s January 2026 Patch Tuesday delivered 114 updates and 3 zero-days – with SharePoint Toolshell, Fortinet VPN bypass, and HPE OneView RCE leading the charge. This isn’t theoretical. Attackers are already exploiting these in the wild. From Adobe Acrobat to Apple’s WebKit spyware holes, no vendor was spared. SMB IT teams, you’re on the clock. Here’s your no-fluff, brutally honest patching guide.
Read more →
Create your first cyber risk register in 2 hours. No consultant needed. Step 1: Identify five specific risks (phishing, ransomware, insider threats are mandatory for all UK SMEs). Step 2: Assess likelihood using real government statistics (85% phishing, 43% breach rate). Step 3: Document impact including business closure potential (28% of SMEs). Step 4: List current controls with verification dates. Step 5: Calculate residual risk scores. Step 6: Specify additional controls with costs. Step 7: A
Read more →
Practical Value: After Monday's podcast about the marketing agency breach through an unsecured printer, the most common question we've received is: "How do I actually do this audit myself?" Fair question. Telling business owners they have a problem is easy. Providing practical steps to fix it is harder. This guide walks you through conducting a comprehensive IoT device audit using free tools. Time investment: 4-6 hours for initial audit. Cost: Free to £200 for network scanning tools. Difficulty:
Read more →
December 2025 Patch Tuesday is supposed to be the quiet cruise into Christmas, right? Instead we got fifty seven vulnerabilities, three zero days and one actively exploited Windows privilege escalation that hits almost every supported build. Add in one hundred and thirty nine Adobe fixes and an awkward five week gap until the next Patch Tuesday in January and you have a perfect festive storm. Are you really happy to leave servers and laptops unpatched while everyone is on holiday, or do you want
Read more →
Right, enough theory. Today we're getting practical: the actual tools, templates, and processes you need to implement reverse benchmarking without spending a fortune. Everything in this guide is either free or costs less than a decent takeaway curry per month. Because I'm sick of "enterprise security" guides that assume unlimited budgets and dedicated staff. This is the real-world, shoestring-budget, one-person-wearing-multiple-hats implementation guide. Asset inventory using Google Sheets: free
Read more →
Enough theory. Today we're getting practical. Whether or not director liability becomes law, demonstrating reasonable care protects your business now. Insurance claims require evidence. Contracts demand due diligence. Regulators ask what you did before the breach. This guide gives you exactly what you need: the five controls that matter, documentation templates, evidence gathering processes, and realistic timelines for businesses of every size. No enterprise consultants required. No massive budg
Read more →
After this week's coverage of the Synnovis death, many of you have asked: "How do I actually implement MFA in my business?" Here is your complete, practical guide. No jargon, no theory, just step-by-step instructions for enabling multi-factor authentication across your entire organisation. This afternoon. Right now. Whether you are running Microsoft 365, Google Workspace, or a mix of different services, this guide walks you through the exact process. I will show you how to configure systems, dep
Read more →
Here's a question for your weekend: Did anyone ask if UK small businesses wanted to fund Microsoft's nuclear reactor restart? Because that's what's happening. While Microsoft spends $1.6 billion restarting Three Mile Island, Google partners with Kairos Power for small modular reactors, and Amazon secures nuclear capacity across multiple projects, your cloud bills are climbing to pay for it. Nobody took a vote. Nobody asked permission. Tech giants made a collective decision that AI is worth unlim
Read more →
Microsoft's restarting Three Mile Island. Google's building small modular reactors. Amazon's buying nuclear capacity. And you're getting the bill. While tech giants scramble for gigawatts to power their AI fantasies, your cloud costs are climbing faster than a hyperactive squirrel on espresso. AWS up 15%, Azure up 12%, SaaS tools adding "AI features" you didn't ask for at 20% premium. But here's what nobody's telling you: you don't need to accept this as inevitable. Seven specific actions you ca
Read more →
Security vendors are playing you for fools, and they're getting rich doing it. Every week I watch UK business owners waste £20,000 on "comprehensive cybersecurity platforms" when they needed £5,000 of basic IT security. The industry deliberately muddies the difference between InfoSec, CyberSec, and IT Security because confused customers pay premium prices for inappropriate solutions. Meanwhile, 50% of small businesses were breached in 2025, proving that expensive confusion doesn't equal protecti
Read more →
September 1st, 2025 marked a fundamental shift in UK education: cybersecurity officially became a safeguarding issue under the Keeping Children Safe in Education guidance. Paragraph 144 explicitly links cyber security to safeguarding responsibilities, meaning schools can no longer dismiss security as "just an IT problem." This changes everything from a compliance perspective. When framed as "keeping children safe" rather than "good IT security," schools respond differently. Governors now have st
Read more →Cookie consent
We use Google Analytics to understand how visitors use this site. No personal data is sold or shared. Privacy Policy