BlogContributors

Mauven MacLeod

Mauven MacLeod

Policy analyst

Most security failures are people problems, not technology problems.

Mauven is the policy analyst and behavioural thinker of the publication. She looks at cybersecurity through the lens of human behaviour, organisational culture, and policy, and she starts from the view that most security failures are people problems rather than technology problems.

She writes the Wednesday analysis, framing incidents around the gap between what people should do and what they actually do: incentives, habits, culture, and the odd cognitive bias. Regulation and frameworks such as GDPR, Cyber Essentials, and NCSC guidance appear as context for why things matter, never as a checklist.

She is warm and approachable but precise, and she observes rather than moralises. Regular readers will know she always opens with the same line: “Hello, Mauven here.”

98 articles by Mauven MacLeod

Why SMBs Draw Their Cyber Essentials Scope Around the Comfortable Parts

Why SMBs Draw Their Cyber Essentials Scope Around the Comfortable Parts

After years observing how organisations navigate security certification, I have reached a fairly uncomfortable conclusion: most scope failures in Cyber Essentials are not technical errors. They are decisions. Somebody looked at the full picture of what should be in scope, felt the weight of what that would require, and drew the line somewhere more manageable. I understand the impulse. I have watched it play out at every scale. But CE v3.3 closes the ambiguities that made that line defensible. An

Read more →
Russian Hackers Are Silently Reading Your WhatsApp Messages Right Now

Russian Hackers Are Silently Reading Your WhatsApp Messages Right Now

Hello, Mauven here. Yesterday, Dutch military and domestic intelligence confirmed what European security agencies have been circling for weeks: Russian state-sponsored hackers are running a large-scale global campaign to take over Signal and WhatsApp accounts. Not by breaking the encryption. By asking for the keys. Two governments have now issued formal warnings. Dutch officials have confirmed their own employees are among the victims. And the attack method is devastatingly simple. If your busin

Read more →
The ICO Called It a "Significant Victory". Try Telling That to 14 Million People Who Got Nothing.

The ICO Called It a "Significant Victory". Try Telling That to 14 Million People Who Got Nothing.

The ICO's General Counsel called the Currys Court of Appeal ruling "a significant victory." And in strict legal terms, she is right. Lord Justice Warby's judgment closes a dangerous loophole and clarifies that personal data must be assessed from the controller's perspective. But while the lawyers celebrate, roughly 14 million people are sitting with expired limitation periods and no compensation route. The legal system confirmed DSG was in the wrong at the precise moment most victims could no lo

Read more →
Your Cloud Stack Is Not Just Stationery: The Bet Your Business Made Without Realising It

Your Cloud Stack Is Not Just Stationery: The Bet Your Business Made Without Realising It

You did not set out to build US-centric infrastructure. You just bought what was on page one of Google. Email, documents, calendars, chat, CRM, help desk, backups, monitoring: all US-owned, all subject to US law, all chosen on price and convenience without a single conversation about jurisdictional risk. Mauven MacLeod explains why your 30-person firm has made exactly the same strategic bet as the NHS and the Ministry of Defence, why "it is just stationery" stopped being true about five years ag

Read more →
Four Game-Changing Cyber Stories in One Episode

Four Game-Changing Cyber Stories in One Episode

The acting head of America's cybersecurity agency just uploaded government secrets to ChatGPT. Meanwhile, a Dublin IT manager discovered £18,000 worth of unused incident response services sitting in his cyber insurance policy. Passkeys can eliminate phishing attacks completely. And those viral Trump cloud cartoons? They're exposing the infrastructure dependency crisis threatening UK businesses. Four critical cybersecurity stories. Three expert guests. 45 minutes that could transform how your bus

Read more →
US Cloud Sovereignty Isn't a Trump Problem, It's a Three-Company Problem: Why UK SMBs Need to Understand Infrastructure Dependency

US Cloud Sovereignty Isn't a Trump Problem, It's a Three-Company Problem: Why UK SMBs Need to Understand Infrastructure Dependency

You've seen the memes. Trump is controlling cloud providers like puppets. Trump is literally unplugging Europe from US infrastructure. They're viral because they touch a nerve about something real: UK businesses run on American infrastructure controlled by American laws. But the political framing misses the actual problem. This isn't about any particular president or administration. This is about 15 years of infrastructure consolidation, creating structural dependency that predates and will outl

Read more →
Fortinet's Security Crisis: Why Does Nobody Care That Your VPN Is a Nation-State Playground?

Fortinet's Security Crisis: Why Does Nobody Care That Your VPN Is a Nation-State Playground?

Here's a question that should keep every director awake: what happens when the device meant to protect your network becomes the primary way attackers get in? Between 2023 and now, Fortinet's SSL VPN has been exploited three separate times using the same type of vulnerability. Chinese intelligence services stole configurations from 20,000 organizations worldwide. Cyber insurers charge double the premiums for businesses using Fortinet kit. Yet Fortinet posted 50% revenue growth and continues to do

Read more →
The Psychology of Risk Denial: Why Smart People Convince Themselves They're Too Small to Matter

The Psychology of Risk Denial: Why Smart People Convince Themselves They're Too Small to Matter

Why do intelligent board members hear "43% of UK businesses got breached" and think "that won't happen to us"? It's not stupidity; it's psychology. Optimism bias makes us believe bad things happen to others. Present bias makes tomorrow's disaster less urgent than today's deadline. Availability heuristic makes personal experience trump statistics. Illusion of control makes certificates feel like protection. Normalcy bias treats "it hasn't happened yet" as evidence. Dunning-Kruger creates confiden

Read more →
Why Smart People Keep Ignoring Smart Device Security: The Psychology Behind IoT Blindness

Why Smart People Keep Ignoring Smart Device Security: The Psychology Behind IoT Blindness

After this week's podcast revelation about the marketing agency losing client files through an unsecured printer, my inbox has been full of variations on the same question: how do intelligent business owners with otherwise solid security miss something this obvious? The answer isn't comfortable, but it's important: IoT security failures aren't about lack of intelligence. They're about systematic psychological blind spots that affect everyone from small business owners to government departments.

Read more →
The Psychology of Security Failures: Why Smart People Keep Making the Same Stupid Mistakes

The Psychology of Security Failures: Why Smart People Keep Making the Same Stupid Mistakes

Noel spent Monday and Tuesday explaining what reverse benchmarking is and how to implement it technically. Both excellent. Both necessary. Both completely inadequate if you don't understand why organizations systematically fail to learn from disasters. Here's the uncomfortable truth: most breaches happen not because organisations don't know what to do, but because human psychology actively prevents them from doing it. Normalcy bias makes us believe disasters happen to others. Optimism bias creat

Read more →
Why Personal Accountability Changes Everything: The Psychology of Director Liability

Why Personal Accountability Changes Everything: The Psychology of Director Liability

After two days discussing frameworks and technical standards, let's examine why personal accountability actually works when corporate fines consistently fail. The psychology is fascinating and explains decades of regulatory success and failure. When British Airways faced a £20 million fine, nobody lost their job. When HSE prosecutes directors, workplace safety transforms overnight. The difference isn't the amount of money. It's whose money gets spent and whose freedom gets threatened. Human psyc

Read more →
The Psychology of Cybersecurity Negligence: Why Smart People Make Fatal Decisions

The Psychology of Cybersecurity Negligence: Why Smart People Make Fatal Decisions

Nobody wakes up and decides to let patients die through cybersecurity negligence. Yet that is precisely what happened at Synnovis. The executives who failed to enable multi-factor authentication were not cartoon villains. They were educated professionals running a critical healthcare organisation. So why did they make a decision that, in hindsight, seems obviously catastrophic? The answer lies in the psychological mechanisms that allow intelligent people to rationalise terrible choices, the orga

Read more →
Ofcom's Secret VPN Surveillance: When Britain Embraced the Authoritarian Playbook

Ofcom's Secret VPN Surveillance: When Britain Embraced the Authoritarian Playbook

Ofcom admits it is monitoring VPN use across Britain with a secret AI tool and unnamed data sources. That should worry any small business that relies on encrypted links for daily work. The tool cannot tell a secure office connection from someone dodging age checks. Section 121 still sits in law, ready to force scanning of encrypted chats. Does that sound like a free internet to you? Document your use. Keep your controls tight. Ask your MP why this is acceptable. Do you want regulators watching y

Read more →
The Nottingham Agency That Spent £47,000 on Cloud Bills They Didn't Need

The Nottingham Agency That Spent £47,000 on Cloud Bills They Didn't Need

Twenty-three employees. Eighteen months. Forty-seven thousand pounds wasted on cloud infrastructure they didn't need, SaaS subscriptions nobody used, and auto-scaling rules designed by a consultant who'd never checked back. This isn't a horror story about a massive enterprise with unlimited budget. This is CloudBridge Digital, a Nottingham digital agency that discovered they'd been hemorrhaging cash while Microsoft, AWS, and a parade of SaaS vendors quietly helped themselves to the company bank

Read more →
When the Panic Becomes Obvious

When the Panic Becomes Obvious

Three Mile Island. You remember it, right? The 1979 nuclear accident that terrified an entire generation and effectively killed nuclear power plant construction in America for 40 years? Microsoft just spent $1.6 billion to restart Unit 1. Not for clean energy virtue signaling. Because they're bloody desperate. Google committed to 500 megawatts of Small Modular Reactors. Amazon's all-in on multiple nuclear projects. Meta wants up to 4 gigawatts. Billions in nuclear investment. Timeline: 2028 to 2

Read more →
The British Library's £7 Million MFA Decision

The British Library's £7 Million MFA Decision

The British Library decided not to implement MFA on administrator accounts. Their reasoning: "practicality, cost and impact on ongoing programmes." That decision cost them £7 million in recovery, 600GB of staff data dumped on the dark web, and over a year of service disruption. This is Mauven's Take on one of the clearest examples of the doorman fallacy in UK history. When cost-cutting decisions focus narrowly on immediate expense whilst ignoring catastrophic downside risk, you get exactly this

Read more →
When DNS Goes Down, Civilisation's Collapse Plays Out in Your Suburban Flat

When DNS Goes Down, Civilisation's Collapse Plays Out in Your Suburban Flat

All right folks, buckle in. Last Monday, the planet just got schooled yet again in why we've put all our digital eggs in one totally cracked basket. AWS US-EAST-1 region had a DNS hiccup and half the world's internet decided it was nap time. Snapchat, Venmo, even the app that tells you if your cat's used the loo, all snuffed out. Why does a digital sneeze in Virginia take out customer payments in Edinburgh? And here's the kicker: this is the third major outage in five years for the same bloody r

Read more →
Another UK SME Wastes £20k on 'Comprehensive CyberSec': Still Gets Breached

Another UK SME Wastes £20k on 'Comprehensive CyberSec': Still Gets Breached

Security vendors are playing you for fools, and they're getting rich doing it. Every week I watch UK business owners waste £20,000 on "comprehensive cybersecurity platforms" when they needed £5,000 of basic IT security. The industry deliberately muddies the difference between InfoSec, CyberSec, and IT Security because confused customers pay premium prices for inappropriate solutions. Meanwhile, 50% of small businesses were breached in 2025, proving that expensive confusion doesn't equal protecti

Read more →
The MFA Reality Check - Why Only 30% of Schools Have It Properly Enabled

The MFA Reality Check - Why Only 30% of Schools Have It Properly Enabled

Only 30% of schools have Multi-Factor Authentication enabled, but the reality is worse than that statistic suggests. Many schools have "partial MFA" - enabled for head teachers and SENCOs but not teaching assistants or admin staff. From a security perspective, everyone with access needs MFA, or you're not protected. The challenge? Phone-based authenticator apps conflict with safeguarding policies that ban phones near children. Hardware security keys offer the solution. FIDO2-certified tokens fro

Read more →
When Six Ministers Co-Sign a Letter to Your CEO, It's Time to Listen

When Six Ministers Co-Sign a Letter to Your CEO, It's Time to Listen

When the Chancellor, three Cabinet Ministers, the NCSC CEO, and the Director General of the National Crime Agency personally co-sign a letter to UK business leaders, you don't ignore it. The NCSC just reported 204 nationally significant cyber incidents, with 18 highly significant attacks marking a 50% increase for the third consecutive year. Marks & Spencer lost over £300 million. A healthcare attack contributed to a patient death. Empty shelves appeared in supermarkets. The government has g

Read more →
Confessions of a Reformed School Hacker: How Getting Caught Changed My Career

Confessions of a Reformed School Hacker: How Getting Caught Changed My Career

Curiosity, access, and a careless password shaped my career. At sixteen I learned the simplest attack works best. I watched a teacher type admin123! and saw the whole network open up. No exploits. Just human nature. That is the insider threat in plain sight. People bypass clumsy controls to get work done. Do your policies help or hinder? Make secure the easy path with least privilege, SSO, MFA, logging, and coaching. Treat incidents as data, not drama. Channel curiosity before it goes undergroun

Read more →
The DORA Reckoning: How September's Cyberattacks Just Triggered Europe's First Cross-Border Regulatory Crisis

The DORA Reckoning: How September's Cyberattacks Just Triggered Europe's First Cross-Border Regulatory Crisis

September 2025's Collins Aerospace and JLR cyberattacks weren't just operational disasters - they triggered Europe's first cross-border regulatory crisis under DORA. While aviation experts focused on flight delays, they missed the real story: EU authorities now have direct oversight powers over US companies like Collins Aerospace serving European financial infrastructure. DORA's January 2025 implementation created unprecedented cross-border enforcement mechanisms that most businesses don't under

Read more →
Five Questions That Reveal Your Business Needs Strategic IT Leadership (And It's Not What You Think)

Five Questions That Reveal Your Business Needs Strategic IT Leadership (And It's Not What You Think)

Most UK businesses think they're fine without strategic IT leadership until they're not. These five diagnostic questions expose the difference between thriving with technology and merely surviving despite it. Question 1: Are technology decisions made strategically or reactively? If you're replacing servers because they died rather than planned refresh cycles, you need help. Question 5: Will current systems scale gracefully as you grow? Planning to double in size without considering technology im

Read more →
Why Small Businesses Must Rethink Cybersecurity NOW (Before It’s Too Late)

Why Small Businesses Must Rethink Cybersecurity NOW (Before It’s Too Late)

Cybersecurity is not just an enterprise problem. With 96% of attacks targeting small businesses and 60% of victims closing within six months, UK SMEs face a survival crisis. This article exposes the myths keeping businesses vulnerable, the real financial impact of attacks, and the role of supply chain risk. It explains why Cyber Essentials and board-level governance are no longer optional, but essential. Written for directors and leaders, it lays out practical steps to protect your business befo

Read more →
The Psychology of Cyber Essentials: Why Smart People Make Terrible Security Decisions

The Psychology of Cyber Essentials: Why Smart People Make Terrible Security Decisions

Hello, Mauven here. After Monday's podcast and yesterday's technical deep-dive, I want to tackle the elephant in the room: if Cyber Essentials is so brilliant, why do smart business owners avoid it like a tax audit? The answer isn't ignorance or stubbornness - it's human psychology. Our brains evolved to make quick survival decisions, not manage enterprise cybersecurity frameworks. We're fighting millions of years of evolution with documentation requirements and compliance deadlines. Understandi

Read more →
The CVE-2025-53770 Crisis: Why Your SharePoint Response Reveals More About Human Psychology Than Technical Competence

The CVE-2025-53770 Crisis: Why Your SharePoint Response Reveals More About Human Psychology Than Technical Competence

After analyzing the global response to CVE-2025-53770, the critical SharePoint zero-day that's compromised 75+ organizations in 48 hours, I'm convinced this isn't about technical competence. It's about human psychology. Right now, IT administrators who know their systems are vulnerable (CVSS 9.8) are doing nothing because of normalcy bias, sunk cost fallacy, and optimism bias. The organizations getting breached aren't those lacking knowledge - they're the ones whose psychology prevents acting on

Read more →
The Psychology of Technical Debt: Why Smart Teams Make Tomorrow's Security Problems

The Psychology of Technical Debt: Why Smart Teams Make Tomorrow's Security Problems

After this week's podcast on technical debt and supply chain failures, I want to examine why intelligent, well-meaning IT teams consistently create tomorrow's security disasters. Technical debt isn't just a coding problem - it's a psychological trap that 78% of UK businesses fall into repeatedly. We take shortcuts under pressure, defer security updates for stability, and convince ourselves that "temporary" solutions won't become permanent vulnerabilities. Understanding the cognitive biases behin

Read more →
Catwatchful Exposed: When Surveillance Technology Becomes a Weapon

Catwatchful Exposed: When Surveillance Technology Becomes a Weapon

Former UK Government Cyber analyst Mauven MacLeod exposes the disturbing Catwatchful stalkerware operation that suffered a massive breach in June 2025, revealing 62,000 customer accounts and 26,000 monitored victims across seven countries. This isn't just cybersecurity failure - it's weaponised surveillance technology enabling domestic abuse and stalking. The breach exposed plaintext passwords, comprehensive victim data dating to 2018, and the operation's Uruguay-based administrator. From a government security

Read more →
The Psychology of Password Chaos: Why Smart People Make Terrible Choices

The Psychology of Password Chaos: Why Smart People Make Terrible Choices

After Monday's podcast and yesterday's NCSC deep-dive, I want to tackle the elephant in the room: if three random words are so brilliant, why do smart business owners still use "password123"? Why does 78% password reuse persist despite constant breach warnings? The answer isn't technical ignorance - it's human psychology. We're fighting millions of years of evolution with spreadsheets and complexity requirements. Our brains aren't wired for digital security, they're wired for survival shortcuts.

Read more →
Middle East Conflict Escalation Creates Immediate Cyber Threats for UK Small Businesses

Middle East Conflict Escalation Creates Immediate Cyber Threats for UK Small Businesses

Last Friday, it was someone else's war. Over the weekend, Iranian hackers considered your Microsoft 365 account enemy infrastructure. American B-2 bombers dropped 14 bunker-busters on Iranian nuclear facilities over the weekend. The cyber retaliation has already begun, and UK small businesses as we all use US cloud services are the in the firing line primary targets. Remember NotPetya? Ukrainian attack, global devastation. Windows is Windows regardless of location. Your customer database could b

Read more →