Most security failures are people problems, not technology problems.
Mauven is the policy analyst and behavioural thinker of the publication. She looks at cybersecurity through the lens of human behaviour, organisational culture, and policy, and she starts from the view that most security failures are people problems rather than technology problems.
She writes the Wednesday analysis, framing incidents around the gap between what people should do and what they actually do: incentives, habits, culture, and the odd cognitive bias. Regulation and frameworks such as GDPR, Cyber Essentials, and NCSC guidance appear as context for why things matter, never as a checklist.
She is warm and approachable but precise, and she observes rather than moralises. Regular readers will know she always opens with the same line: “Hello, Mauven here.”
A Defender zero-day with public exploit code, a Vidar infostealer surge hitting developer toolchains, and a quiet but significant change to Cyber Essentials Plus certification.
Two max-severity vulnerabilities are being actively exploited right now. If your office runs Ubiquiti kit or any ColdFusion-backed web infrastructure, read this first.
CVE-2026-48282 is being exploited in the wild. Meanwhile, a criminal group called Pink is ringing your staff and talking their way past MFA. Here is what both mean for your business.
Three active campaigns with direct UK SMB exposure: a sophisticated M365 phishing platform, a legal-lure ransomware framework, and a residential proxy botnet the FBI just cracked open.
Ransomware gangs are now exploiting a Windows Defender privilege escalation flaw confirmed by CISA. If your MSP uses SimpleHelp, you have a second problem to deal with today.
The Data Use and Access Act 2025 clarifies that direct marketing can be a legitimate interest. The data broker industry is delighted. You should pay attention.
Oracle's E-Business Suite is being actively exploited right now. And a new initial access broker is turning legitimate websites into malware delivery points.
KEV is not interesting. It is known exploited. Turning the catalogue into a five-minute weekly check is the cheapest security upgrade most SMBs can make.
73,000 Fortinet VPN credentials leaked, Evil Corp's botnet dismantled, and WordPress plugin supply chain compromised again. Three stories that matter to UK small businesses today.
Three active threats UK SMBs cannot ignore today: ransomware hiding in Microsoft's own infrastructure, a Joomla CMS exploit already in the wild, and an unpatched Defender zero-day.
DragonForce is hiding ransomware command traffic inside Microsoft Teams. Fortinet FortiSandbox has critical flaws being actively exploited. Here is what UK SMBs need to know today.
Microsoft 365 Copilot has a critical vulnerability chain that lets an attacker steal your mailbox data with a single crafted URL. Cisco SD-WAN is under active exploitation. Both matter to UK SMBs right now.
A high-volume ransomware operation with Russian-speaking roots and an AI-powered phishing platform impersonating trusted brands. Both are active today.
Two active campaigns are hitting organisations that look exactly like UK SMBs. One calls your staff pretending to be IT support. The other fakes LinkedIn and Indeed.
Three active threats converging on UK SMBs today: a mass phishing platform bypassing MFA, a RAT delivered via Microsoft Teams, and two unpatched maximum-severity router vulnerabilities.
Three active threats that UK SMBs need to act on today: a Java RAT delivered via Microsoft Teams, a two-year-old Oracle flaw now on the CISA KEV list, and 33 malicious npm packages stealing cloud credentials.
Patch windows have closed. Both the Windows Netlogon RCE and Palo Alto GlobalProtect auth bypass are now being exploited in the wild. Here is what that means for your business.
Three active threats converge today: a FortiClient EMS zero-day delivering infostealers, a PhaaS kit with MFA bypass, and AI-assisted espionage campaigns lowering the barrier for every attacker downstream.
Two financially-motivated threat groups are running active campaigns that should concern every UK business with a helpdesk, a SaaS stack, or customers whose data you hold.
Blockchain-based C2 infrastructure, an actively exploited cPanel flaw, and an extortion gang that now shows up in person. Mauven explains what the advisories are not telling you.
Three separate threats with direct SMB exposure landed today. One targets Microsoft 365 credentials, one hits developers and their clients, and one is already being exploited in the wild.
Active exploitation of Drupal's SQL injection flaw began within 48 hours of disclosure. If your website or your supplier's runs Drupal, this is not a drill.
A malware-signing service is making ransomware harder to detect. npm packages with millions of downloads are compromised. And Cisco just patched a perfect-10 vulnerability.
A days-old NGINX vulnerability is already being probed and exploited. Grafana's source code was stolen via a single access token. Two stories, one theme: patch windows are collapsing.
Three active threats converge today: an exploited Exchange zero-day, a surge in device code phishing targeting Microsoft 365, and a supply chain attack that caught OpenAI. All three have direct implications for UK SMBs.
An initial access broker is using Microsoft Teams to own corporate networks in five minutes flat. A Linux kernel privilege escalation with working exploit code dropped today. Neither is theoretical.
A new ransomware operation with Qilin connections is accelerating. Supply chain attacks are poisoning developer tools and AI platforms. Here is what matters today.
Signed packages, a six-minute supply chain blitz, and ransomware using blockchain to hide its C2. Today's brief covers two threats that reach well beyond enterprise targets.
AI is now writing zero-day exploits. Cloud infrastructure is being weaponised against your staff. And TrickMo just made its banking trojan significantly harder to detect.
APT28 is rewriting your router's DNS settings. Ivanti EPMM has a zero-day with active exploitation. And threat actors are abusing remote management tools to drop malware via phishing. Here is what UK SMBs need to know today.
State-sponsored actors had a month inside Palo Alto firewalls before the advisory came out. Storm-1175 is still moving. And your developers may have already run the poisoned package.
A Palo Alto firewall zero-day is being actively exploited right now. And MuddyWater is using Microsoft Teams to walk through your front door. Both matter today.
Awareness went up. Risk assessments went down. Continuity plans dropped 9 points. If concern was a control, the survey numbers would look very different.
A fake Teams installer is dropping backdoors globally. A third-party analytics vendor handed ShinyHunters 119,000 email addresses. And UK romance fraud hit £102M last year. Three stories, one briefing.
Three high-impact threats landed simultaneously on 4th May 2026. If your business uses MOVEit, runs Linux servers, or has developers using Python, read this now.
A supply chain attack on open-source security tooling and a Linux privilege escalation exploit with working code in the wild. Two threats. One uncomfortable Friday.
A critical cPanel flaw is being actively exploited with ransomware already reported. TeamPCP is poisoning open-source security tools. The NCSC says a patch wave is coming. Today is not a quiet day.
A critical cPanel authentication bypass has been exploited since February. A new Linux root exploit dropped today. And 43% of UK businesses were compromised last year. Pick your priority.
This week's threat brief covers a critical cPanel auth bypass requiring emergency patching, ClickFix phishing campaigns stealing credentials via PowerShell, and VECT ransomware that wipes files it cannot encrypt.
Three active campaigns converge on UK small businesses this week: voice-driven extortion, poisoned developer packages, and OAuth phishing that bypasses MFA. Here is what they are not telling you.
NCSC's SilentGlass is technically sound government kit, now available commercially. But if you're still fighting phishing, it's probably not your next purchase.
Voice phishing plus credential harvesting. Malicious Python packages with 11 million monthly downloads. This is what active UK cyber threats look like today.
The NCSC has blocked 1.5 million malicious domains with Protective DNS. Private sector SMBs do not qualify. Here is what that gap means and how to close it.
Your cyber policy probably excludes losses from state-backed attacks. You may not have read that clause. If a nation-state campaign sweeps through your sector, it could void your cover entirely.
Article 32 of UK GDPR requires 'appropriate technical measures' to protect personal data. Running unpatched, out-of-support software is very difficult to defend as appropriate.
Your remote workers aren't in your office, but your data still is. Here's why most home working security failures are people problems, not tech problems.
Noel left us unsupervised, two bottles of Prosecco, and a microphone. What followed was a serious conversation about the security vulnerability nobody likes to name: overconfidence. The kind that sounds completely reasonable in a meeting — and has preceded some very expensive afternoons.
After years observing how organisations navigate security certification, I have reached a fairly uncomfortable conclusion: most scope failures in Cyber Essentials are not technical errors. They are decisions. Somebody looked at the full picture of what should be in scope, felt the weight of what that would require, and drew the line somewhere more manageable. I understand the impulse. I have watched it play out at every scale. But CE v3.3 closes the ambiguities that made that line defensible. An
Hello, Mauven here. Yesterday, Dutch military and domestic intelligence confirmed what European security agencies have been circling for weeks: Russian state-sponsored hackers are running a large-scale global campaign to take over Signal and WhatsApp accounts. Not by breaking the encryption. By asking for the keys. Two governments have now issued formal warnings. Dutch officials have confirmed their own employees are among the victims. And the attack method is devastatingly simple. If your busin
The ICO's General Counsel called the Currys Court of Appeal ruling "a significant victory." And in strict legal terms, she is right. Lord Justice Warby's judgment closes a dangerous loophole and clarifies that personal data must be assessed from the controller's perspective. But while the lawyers celebrate, roughly 14 million people are sitting with expired limitation periods and no compensation route. The legal system confirmed DSG was in the wrong at the precise moment most victims could no lo
You did not set out to build US-centric infrastructure. You just bought what was on page one of Google. Email, documents, calendars, chat, CRM, help desk, backups, monitoring: all US-owned, all subject to US law, all chosen on price and convenience without a single conversation about jurisdictional risk. Mauven MacLeod explains why your 30-person firm has made exactly the same strategic bet as the NHS and the Ministry of Defence, why "it is just stationery" stopped being true about five years ag
The acting head of America's cybersecurity agency just uploaded government secrets to ChatGPT. Meanwhile, a Dublin IT manager discovered £18,000 worth of unused incident response services sitting in his cyber insurance policy. Passkeys can eliminate phishing attacks completely. And those viral Trump cloud cartoons? They're exposing the infrastructure dependency crisis threatening UK businesses. Four critical cybersecurity stories. Three expert guests. 45 minutes that could transform how your bus
You've seen the memes. Trump is controlling cloud providers like puppets. Trump is literally unplugging Europe from US infrastructure. They're viral because they touch a nerve about something real: UK businesses run on American infrastructure controlled by American laws. But the political framing misses the actual problem. This isn't about any particular president or administration. This is about 15 years of infrastructure consolidation, creating structural dependency that predates and will outl
Here's a question that should keep every director awake: what happens when the device meant to protect your network becomes the primary way attackers get in? Between 2023 and now, Fortinet's SSL VPN has been exploited three separate times using the same type of vulnerability. Chinese intelligence services stole configurations from 20,000 organizations worldwide. Cyber insurers charge double the premiums for businesses using Fortinet kit. Yet Fortinet posted 50% revenue growth and continues to do
Why do intelligent board members hear "43% of UK businesses got breached" and think "that won't happen to us"? It's not stupidity; it's psychology. Optimism bias makes us believe bad things happen to others. Present bias makes tomorrow's disaster less urgent than today's deadline. Availability heuristic makes personal experience trump statistics. Illusion of control makes certificates feel like protection. Normalcy bias treats "it hasn't happened yet" as evidence. Dunning-Kruger creates confiden
After this week's podcast revelation about the marketing agency losing client files through an unsecured printer, my inbox has been full of variations on the same question: how do intelligent business owners with otherwise solid security miss something this obvious? The answer isn't comfortable, but it's important: IoT security failures aren't about lack of intelligence. They're about systematic psychological blind spots that affect everyone from small business owners to government departments.
Noel spent Monday and Tuesday explaining what reverse benchmarking is and how to implement it technically. Both excellent. Both necessary. Both completely inadequate if you don't understand why organizations systematically fail to learn from disasters. Here's the uncomfortable truth: most breaches happen not because organisations don't know what to do, but because human psychology actively prevents them from doing it. Normalcy bias makes us believe disasters happen to others. Optimism bias creat
After two days discussing frameworks and technical standards, let's examine why personal accountability actually works when corporate fines consistently fail. The psychology is fascinating and explains decades of regulatory success and failure. When British Airways faced a £20 million fine, nobody lost their job. When HSE prosecutes directors, workplace safety transforms overnight. The difference isn't the amount of money. It's whose money gets spent and whose freedom gets threatened. Human psyc
Nobody wakes up and decides to let patients die through cybersecurity negligence. Yet that is precisely what happened at Synnovis. The executives who failed to enable multi-factor authentication were not cartoon villains. They were educated professionals running a critical healthcare organisation. So why did they make a decision that, in hindsight, seems obviously catastrophic? The answer lies in the psychological mechanisms that allow intelligent people to rationalise terrible choices, the orga
Ofcom admits it is monitoring VPN use across Britain with a secret AI tool and unnamed data sources. That should worry any small business that relies on encrypted links for daily work. The tool cannot tell a secure office connection from someone dodging age checks. Section 121 still sits in law, ready to force scanning of encrypted chats. Does that sound like a free internet to you? Document your use. Keep your controls tight. Ask your MP why this is acceptable. Do you want regulators watching y
Twenty-three employees. Eighteen months. Forty-seven thousand pounds wasted on cloud infrastructure they didn't need, SaaS subscriptions nobody used, and auto-scaling rules designed by a consultant who'd never checked back. This isn't a horror story about a massive enterprise with unlimited budget. This is CloudBridge Digital, a Nottingham digital agency that discovered they'd been hemorrhaging cash while Microsoft, AWS, and a parade of SaaS vendors quietly helped themselves to the company bank
Three Mile Island. You remember it, right? The 1979 nuclear accident that terrified an entire generation and effectively killed nuclear power plant construction in America for 40 years? Microsoft just spent $1.6 billion to restart Unit 1. Not for clean energy virtue signaling. Because they're bloody desperate. Google committed to 500 megawatts of Small Modular Reactors. Amazon's all-in on multiple nuclear projects. Meta wants up to 4 gigawatts. Billions in nuclear investment. Timeline: 2028 to 2
The British Library decided not to implement MFA on administrator accounts. Their reasoning: "practicality, cost and impact on ongoing programmes." That decision cost them £7 million in recovery, 600GB of staff data dumped on the dark web, and over a year of service disruption. This is Mauven's Take on one of the clearest examples of the doorman fallacy in UK history. When cost-cutting decisions focus narrowly on immediate expense whilst ignoring catastrophic downside risk, you get exactly this
All right folks, buckle in. Last Monday, the planet just got schooled yet again in why we've put all our digital eggs in one totally cracked basket. AWS US-EAST-1 region had a DNS hiccup and half the world's internet decided it was nap time. Snapchat, Venmo, even the app that tells you if your cat's used the loo, all snuffed out. Why does a digital sneeze in Virginia take out customer payments in Edinburgh? And here's the kicker: this is the third major outage in five years for the same bloody r
Security vendors are playing you for fools, and they're getting rich doing it. Every week I watch UK business owners waste £20,000 on "comprehensive cybersecurity platforms" when they needed £5,000 of basic IT security. The industry deliberately muddies the difference between InfoSec, CyberSec, and IT Security because confused customers pay premium prices for inappropriate solutions. Meanwhile, 50% of small businesses were breached in 2025, proving that expensive confusion doesn't equal protecti
Only 30% of schools have Multi-Factor Authentication enabled, but the reality is worse than that statistic suggests. Many schools have "partial MFA" - enabled for head teachers and SENCOs but not teaching assistants or admin staff. From a security perspective, everyone with access needs MFA, or you're not protected. The challenge? Phone-based authenticator apps conflict with safeguarding policies that ban phones near children. Hardware security keys offer the solution. FIDO2-certified tokens fro
When the Chancellor, three Cabinet Ministers, the NCSC CEO, and the Director General of the National Crime Agency personally co-sign a letter to UK business leaders, you don't ignore it. The NCSC just reported 204 nationally significant cyber incidents, with 18 highly significant attacks marking a 50% increase for the third consecutive year. Marks & Spencer lost over £300 million. A healthcare attack contributed to a patient death. Empty shelves appeared in supermarkets. The government has g
Curiosity, access, and a careless password shaped my career. At sixteen I learned the simplest attack works best. I watched a teacher type admin123! and saw the whole network open up. No exploits. Just human nature. That is the insider threat in plain sight. People bypass clumsy controls to get work done. Do your policies help or hinder? Make secure the easy path with least privilege, SSO, MFA, logging, and coaching. Treat incidents as data, not drama. Channel curiosity before it goes undergroun
September 2025's Collins Aerospace and JLR cyberattacks weren't just operational disasters - they triggered Europe's first cross-border regulatory crisis under DORA. While aviation experts focused on flight delays, they missed the real story: EU authorities now have direct oversight powers over US companies like Collins Aerospace serving European financial infrastructure. DORA's January 2025 implementation created unprecedented cross-border enforcement mechanisms that most businesses don't under
Let's examine the data: 30 years of single IT manager failures. The patterns are consistent, the outcomes predictable, and the business impact devastating. Here's what happens when your "Dave from IT" model reaches its inevitable breaking point.
Most UK businesses think they're fine without strategic IT leadership until they're not. These five diagnostic questions expose the difference between thriving with technology and merely surviving despite it. Question 1: Are technology decisions made strategically or reactively? If you're replacing servers because they died rather than planned refresh cycles, you need help. Question 5: Will current systems scale gracefully as you grow? Planning to double in size without considering technology im
Cybersecurity is not just an enterprise problem. With 96% of attacks targeting small businesses and 60% of victims closing within six months, UK SMEs face a survival crisis. This article exposes the myths keeping businesses vulnerable, the real financial impact of attacks, and the role of supply chain risk. It explains why Cyber Essentials and board-level governance are no longer optional, but essential. Written for directors and leaders, it lays out practical steps to protect your business befo
Hello, Mauven here. After Monday's podcast and yesterday's technical deep-dive, I want to tackle the elephant in the room: if Cyber Essentials is so brilliant, why do smart business owners avoid it like a tax audit? The answer isn't ignorance or stubbornness - it's human psychology. Our brains evolved to make quick survival decisions, not manage enterprise cybersecurity frameworks. We're fighting millions of years of evolution with documentation requirements and compliance deadlines. Understandi
After analyzing the global response to CVE-2025-53770, the critical SharePoint zero-day that's compromised 75+ organizations in 48 hours, I'm convinced this isn't about technical competence. It's about human psychology. Right now, IT administrators who know their systems are vulnerable (CVSS 9.8) are doing nothing because of normalcy bias, sunk cost fallacy, and optimism bias. The organizations getting breached aren't those lacking knowledge - they're the ones whose psychology prevents acting on
After this week's podcast on technical debt and supply chain failures, I want to examine why intelligent, well-meaning IT teams consistently create tomorrow's security disasters. Technical debt isn't just a coding problem - it's a psychological trap that 78% of UK businesses fall into repeatedly. We take shortcuts under pressure, defer security updates for stability, and convince ourselves that "temporary" solutions won't become permanent vulnerabilities. Understanding the cognitive biases behin
Former UK Government Cyber analyst Mauven MacLeod exposes the disturbing Catwatchful stalkerware operation that suffered a massive breach in June 2025, revealing 62,000 customer accounts and 26,000 monitored victims across seven countries. This isn't just cybersecurity failure - it's weaponised surveillance technology enabling domestic abuse and stalking. The breach exposed plaintext passwords, comprehensive victim data dating to 2018, and the operation's Uruguay-based administrator. From a government security
After Monday's podcast and yesterday's NCSC deep-dive, I want to tackle the elephant in the room: if three random words are so brilliant, why do smart business owners still use "password123"? Why does 78% password reuse persist despite constant breach warnings? The answer isn't technical ignorance - it's human psychology. We're fighting millions of years of evolution with spreadsheets and complexity requirements. Our brains aren't wired for digital security, they're wired for survival shortcuts.
Last Friday, it was someone else's war. Over the weekend, Iranian hackers considered your Microsoft 365 account enemy infrastructure. American B-2 bombers dropped 14 bunker-busters on Iranian nuclear facilities over the weekend. The cyber retaliation has already begun, and UK small businesses as we all use US cloud services are the in the firing line primary targets. Remember NotPetya? Ukrainian attack, global devastation. Windows is Windows regardless of location. Your customer database could b