BlogContributors

Noel Bradford

Noel Bradford

Founder and host

Grumpy industry veteran, angry on your behalf at an industry that overcomplicates security.

Noel is the founder and host of The Small Business Cybersecurity Guy. After decades in the industry he has run out of patience with how badly small businesses are served by vendors, regulators, and insiders who make security harder and more expensive than it needs to be.

He writes the Saturday opinion piece and the Monday companion to the podcast. Expect controlled outrage, dry and occasionally dark humour, and a habit of naming the problem bluntly when everyone else is being polite about it.

He is not a lecturer. He is a peer who happens to have seen it all, and who would rather you spent your money on the handful of things that actually work.

280 articles by Noel Bradford

Google Chrome, Gemini Nano, and the 4 GB Consent Problem

Google Chrome, Gemini Nano, and the 4 GB Consent Problem

Google Chrome has been quietly dropping a 4 GB AI model onto user machines. No clear prompt. No informed consent. Just a mystery file buried in a browser profile. This is not about AI being evil. This is about a vendor treating your disk space, your bandwidth, and your governance obligations as someone else's problem.

Read more →
A neglected office CCTV camera and router glowing in a dark comms cupboard as part of a wider botnet threat

Your CCTV Camera Might Be a Criminal: What the Massive IoT Botnet Takedown Really Means for UK Businesses

Authorities disrupted four major IoT botnets tied to record breaking DDoS attacks, but the real issue is closer to home. Cheap cameras, routers, DVRs, and forgotten smart devices still sit on business networks with weak ownership, poor patching, and laughable security. If you run a UK business, this is not just a botnet story. It is a warning about edge kit, supplier sprawl, and the junk quietly hanging off your network right now.

Read more →
The Back Button That Broke Companies House: How Five Million Directors Had Their Home Addresses Exposed for Five Months

The Back Button That Broke Companies House: How Five Million Directors Had Their Home Addresses Exposed for Five Months

For five months, anyone with a Companies House login could access the private dashboard of any of the five million registered UK companies. Home addresses. Dates of birth. Email addresses. All the personal data fraudsters need to impersonate a director, open accounts in your company's name, or reroute your banking. Not by hacking. Not by sophisticated exploit. By pressing the back button. That is the entirety of the technical skill required. The government body responsible for the UK's corporate

Read more →
SMB1001: What Each Tier Actually Demands of Your Business (And Where It Gets Complicated)

SMB1001: What Each Tier Actually Demands of Your Business (And Where It Gets Complicated)

Bronze means firewalls and backups. Silver means individual accounts and MFA on email. Gold means EDR, DMARC, and a proper incident response plan. Platinum means someone actually checks your work. Diamond means you pay ethical hackers to break in and find the holes before real criminals do. That's the SMB1001 ladder in five sentences. The marketing version stops there. The version I'm giving you today includes the bit where the standard contradicts NCSC guidance on passwords, the director accoun

Read more →
You Probably Don't Need Diamond: A Brutally Honest Introduction to SMB1001

You Probably Don't Need Diamond: A Brutally Honest Introduction to SMB1001

There's a new certification in town. Five tiers, Bronze through to Diamond, annual renewal, and a price that starts at £75 a year. It's called SMB1001, and depending on who's selling it to you, it's either the structured security roadmap your business has been waiting for, or the latest badge to stick on the website while Brenda in accounts is still using the same password she's used since 2009. In this first episode of our Cyber Belts deep-dive series, Graham Falkner, Mauven MacLeod, and I cut

Read more →
That Cyber Essentials Badge on Your Website: Credential or Creative Writing?

That Cyber Essentials Badge on Your Website: Credential or Creative Writing?

Your Cyber Essentials badge is either a credential or creative writing. There is no third option. If you certified properly, maintained your scope, kept your controls current, and can explain v3.3 to a customer without reaching for Google, it's a credential. If your cert expired six months ago, your scope hasn't been reviewed since the original certification, your cloud services were never in scope, and you couldn't name the five controls under pressure, you're not certified. You're exposed. And

Read more →
Your Developers Are Being Hunted: The Fake Job Interview Malware Campaign Every UK Business Owner Needs to Know About

Your Developers Are Being Hunted: The Fake Job Interview Malware Campaign Every UK Business Owner Needs to Know About

Microsoft's Defender Experts published research yesterday on a campaign called Contagious Interview. Attackers pose as recruiters, walk your developers through a convincing fake job interview, then get them to clone and run a malicious code repository. The moment they do, your cloud credentials, API tokens, signing keys, and password manager databases are on their way out the door. This campaign has been running since at least December 2022. Your developers are the target. Your infrastructure is

Read more →
Cyber Essentials v3.3: Every Change That Matters for UK Small Businesses in 2026

Cyber Essentials v3.3: Every Change That Matters for UK Small Businesses in 2026

Cyber Essentials v3.3 is not a wholesale rewrite. It's a precision instrument for closing the loopholes that UK SMBs have been quietly exploiting for years. Cloud services you can't exclude anymore. MFA that has to cover everyone, not just the IT manager. A 14-day patching window that applies to vendor config changes, not just Windows Update. Scope documents that have to reflect your actual IT estate rather than the tidy fiction you'd prefer. Here is every material change, translated into what y

Read more →
Your Attacker Already Knows Which Box You Picked

Your Attacker Already Knows Which Box You Picked

There's a philosophy thought experiment from the 1960s that explains, better than any threat report I've read, exactly why reactive security is a trap. It's called Newcomb's Paradox. A near-perfect predictor places money in two boxes. Grab both and you walk away with £1,000. Grab just one and you walk away with a million. Except the decision was made before you walked in the room. Your attackers work the same way. They've already run their reconnaissance. They've already decided what kind of tar

Read more →
UK Data Enforcement Is Structurally Broken. The Currys’ Case Proves It. Let's Stop Pretending Otherwise.

UK Data Enforcement Is Structurally Broken. The Currys’ Case Proves It. Let's Stop Pretending Otherwise.

Nine years. Half a million pounds. Zero victim compensation. Lawyers billing on both sides for the best part of a decade. A regulator declaring "significant victory" while 14 million people's limitation periods quietly expired. The Currys DSG saga is not an edge case or an administrative anomaly. It is a precise and accurate picture of how UK data enforcement actually works. This is my verdict: the system is structurally broken, everyone in the industry knows it, and the comfortable fiction that

Read more →
Your Wi-Fi Guest Network Is a Lie

Your Wi-Fi Guest Network Is a Lie

Last week, researchers proved something that should make every small business owner put down their coffee. Your Wi-Fi guest network, the one you set up so visitors don't touch your business systems, doesn't actually protect you. A new attack called AirSnitch lets anyone already on your network spy on every device connected to the same physical router, regardless of which network name they joined, regardless of whether you're running WPA2 or WPA3. Every single router tested failed. Here's what it

Read more →
Three and a Half Pence Per Victim: The Currys’ Breach, Nine Years of Legal Theatre, and What Your Business Must Learn

Three and a Half Pence Per Victim: The Currys’ Breach, Nine Years of Legal Theatre, and What Your Business Must Learn

Darren Warren asked for five thousand pounds in compensation for the distress of having his data stolen from Currys' tills. The High Court struck most of his claim out. Meanwhile, specialist law firms ran "Were you affected by the Currys breach?" campaigns, then quietly closed their books without any settlement. The Court of Appeal confirmed in February 2026 that DSG absolutely had a duty to protect that data. By then, most claimants' limitation periods had expired. This is a case study in how 1

Read more →
Europe Is Leaving. The UK Is Sleepwalking. And Nobody in Charge Seems Bothered.

Europe Is Leaving. The UK Is Sleepwalking. And Nobody in Charge Seems Bothered.

France banned Zoom and Teams from government. Germany is migrating 30,000 workstations to open source and saving €15 million a year. The Dutch Parliament demanded exit strategies from US cloud. Switzerland declared US cloud unsuitable for government data. The UK has produced no sovereign cloud strategy, no government migration programme, no regulatory enforcement on CLOUD Act exposure, and no explicit guidance for commercial organisations. Noel Bradford, with 40-odd years of watching the UK IT e

Read more →
Your Amazon Driver Just Did a Better Penetration Test Than Your IT Company

Your Amazon Driver Just Did a Better Penetration Test Than Your IT Company

An Amazon driver just delivered the most useful security lesson of 2026 and he charged absolutely nothing for it. While trying to drop off a parcel, he couldn't find a safe place, so he thought laterally, worked out the code to a locked shed, left the parcel inside, and then wrote a note explaining exactly how he got in. He documented the breach. He filed the report. He even ticked the compliance checkbox. Your IT company just got shown up by a bloke in a high-vis jacket. The question is: are yo

Read more →
Is your cloud provider a hidden national security risk in 2026?

Is your cloud provider a hidden national security risk in 2026?

Switzerland looked at Palantir and said no. The UK leaned in. That should worry you. Your business runs on the same US owned platforms that governments argue about. Email, files, chat, identity, backups. The CLOUD Act means a provider can face legal demands for data, even when the servers sit outside the US. UK hosting does not always mean UK control. This teaser sets up the real question: if access rules changed tomorrow, could you prove who can touch your data, and how you would know? Could yo

Read more →
That Cheap Router on Your Desk? The US Just Called It a National Security Threat.

That Cheap Router on Your Desk? The US Just Called It a National Security Threat.

That TP-Link router you bought because it was £40 cheaper than the alternatives? Two days ago, the state of Texas sued the manufacturer for allegedly handing the Chinese Communist Party access to Americans' devices. A US federal ban is on the table. Sixteen thousand routers worldwide have already been conscripted into a Chinese state-sponsored attack network. And the UK? Doing absolutely nothing. This isn't paranoia. This is documented, court-filed, backed-by-three-US-federal-departments reality

Read more →
Chinese State Hackers Lived Inside Defence Networks for 393 Days: What Google's Report Means for Your 50-Person Business

Chinese State Hackers Lived Inside Defence Networks for 393 Days: What Google's Report Means for Your 50-Person Business

Three hundred and ninety-three days. That's how long Chinese state hackers camped inside defence networks before anyone bloody noticed. Over a year. Reading emails. Mapping systems. Making themselves at home while everyone assumed the firewall was doing its job. Google just published the receipts, and the uncomfortable truth is this: manufacturing is the most targeted sector on ransomware leak sites. Not banks. Not hospitals. Factories. Your VPN appliance is the front door nobody's watching, and

Read more →
We Have Made This Exact Mistake Before. Every. Single. Time.

We Have Made This Exact Mistake Before. Every. Single. Time.

I have watched this exact disaster unfold five times in 40 years. Personal computers in the eighties. BYOD in the 2010s. Cloud migrations that nobody secured. SaaS tools that HR adopted without telling IT. And now AI agents that can read your email, execute commands on your machine, and send data anywhere, installed by employees who thought they were being productive. OpenClaw is not the problem. OpenClaw is the symptom. The problem is that every time a shiny new technology appears, businesses a

Read more →
Your AI Chatbot Just Became a Backdoor: What UK Small Businesses Need to Know About Promptware

Your AI Chatbot Just Became a Backdoor: What UK Small Businesses Need to Know About Promptware

Your business just plugged an AI chatbot into its website, an AI assistant into email, or a coding copilot into your dev team. Congratulations. You may have just installed a backdoor. A landmark research paper from Bruce Schneier, Ben Nassi, and their colleagues has mapped a full malware kill chain for AI systems. They call it promptware. It is not theoretical. Twenty-one documented attacks already cross four or more stages of this kill chain, in live production systems. The NCSC agrees the thre

Read more →
When Sandworm Tried to Kill the Lights in Poland: Why the NCSC Is Warning UK Businesses Right Now

When Sandworm Tried to Kill the Lights in Poland: Why the NCSC Is Warning UK Businesses Right Now

Russia's Sandworm hacking group just attempted the largest cyber attack on Poland's energy infrastructure in years, deploying custom wiper malware called DynoWiper against 30 wind farms, solar installations, and a heat plant serving half a million people. The attack failed, but only barely. The NCSC is now warning UK critical infrastructure operators to act immediately. If you think nation-state attacks on power grids are somebody else's problem, think again. Every UK business sitting in those s

Read more →
Your VPN Is a Nation-State Doorway: What Google's Defence Report Means for Every UK Business

Your VPN Is a Nation-State Doorway: What Google's Defence Report Means for Every UK Business

Google just dropped a report that should make every UK business owner physically uncomfortable. Chinese state-sponsored hackers have exploited more than two dozen zero-day vulnerabilities in VPNs, routers, and firewalls since 2020. From ten different vendors. The average time they sit inside your network before anyone notices? 393 days. Over a year of unfettered access. And if you think "I'm not a defence contractor, this doesn't affect me," think again. Manufacturing has been the single most ta

Read more →
Four Campaigns, One Week, Zero Excuses: New Episode Out Now

Four Campaigns, One Week, Zero Excuses: New Episode Out Now

Four concurrent cyberattack campaigns hit last week. Russian military intelligence weaponised a critical Microsoft Office vulnerability within 24 hours of the patch dropping. Commodity criminals started selling the same capability for £50 a month. A Chinese-linked group compromised Notepad++ updates for six months. Three separate macOS infostealer campaigns ran simultaneously. And while all of that was unfolding, the UK's biggest data protection law change since Brexit went live with 48 hours' n

Read more →
Your Factory Floor Is A Risk at Industrial Scale: When the £5 Million CNC Machine Has the Same Problem as Your Office Printer

Your Factory Floor Is A Risk at Industrial Scale: When the £5 Million CNC Machine Has the Same Problem as Your Office Printer

OT (operational technology) security protects industrial control systems, SCADA, and production equipment from cyberattacks. Unlike office IT security, OT security focuses on systems that control physical processes - CNC machines, production lines, and factory automation. A 2025 UK government study found 90% of OT attacks originate from IT network vulnerabilities, with downtime costing manufacturers £195,000 to £2.2 million per hour.

Read more →
When Security Policies Accidentally Exclude: A Lesson for Charities Pursuing Cyber Essentials

When Security Policies Accidentally Exclude: A Lesson for Charities Pursuing Cyber Essentials

I watched a board meeting where someone was asked to turn off their hearing aid during a security discussion. Bluetooth concerns, apparently. The company meant well, but they'd created a policy that would exclude anyone using assistive technology. I've seen this same pattern emerge in charity governance—organisations pursuing Cyber Essentials creating barriers for disabled trustees and staff. This isn't about security frameworks being flawed. It's about implementation requiring thought beyond ch

Read more →
Passkeys Implementation for UK SMBs: The Complete Technical Guide to Deploying Phishing-Resistant Authentication in 2026

Passkeys Implementation for UK SMBs: The Complete Technical Guide to Deploying Phishing-Resistant Authentication in 2026

You've read the threat intelligence. You understand AITM attacks. Now you need to actually deploy passkeys without breaking everything. This is the technical guide your IT person needs: Microsoft 365 integration steps, device compatibility requirements, troubleshooting the inevitable issues, and realistic timelines for businesses that can't afford downtime during authentication migration.

Read more →
Your MFA Is Being Bypassed Right Now: The 146% Surge in Attacks Nobody's Talking About

Your MFA Is Being Bypassed Right Now: The 146% Surge in Attacks Nobody's Talking About

You've got MFA turned on. Authenticator app, text codes, the lot. You think you're protected. Now picture this: your finance director clicks a legitimate-looking link, signs in, approves the MFA request like always, and boom—an attacker just stole her session token. Full access to Microsoft 365. No more MFA prompts needed. Welcome to 2026, where adversary-in-the-middle attacks surged 146% in the past year. Nearly 40,000 incidents daily. Your traditional MFA? Doing precisely nothing to stop them.

Read more →
Your Photo Booth Uploaded Every Picture to the Internet: The Hama Film Security Theatre

Your Photo Booth Uploaded Every Picture to the Internet: The Hama Film Security Theatre

Remember that fun photo booth snap at your mate’s wedding? The one where you’re pulling faces with the bridesmaids? It’s been sitting on an unprotected server for the past three weeks, accessible to anyone who could count to 1,000. Hama Film, an Australian photo booth company with operations in the UAE and United States, spent months exposing customer photos through a security flaw so basic it makes WannaCry look sophisticated. No authentication. No rate-limiting. Just pure, unfiltered incompete

Read more →
Directors Should Face Criminal Liability for Cyber Security Negligence. Here's Why.

Directors Should Face Criminal Liability for Cyber Security Negligence. Here's Why.

Directors should face criminal prosecution for cyber security negligence. The HSE precedent proves personal criminal liability transforms director behaviour. Before HSE had teeth, workplace deaths were common. After directors faced imprisonment, safety transformed. Civil liability isn't working for cyber security: 73% of businesses lack board responsibility despite 43% breach rates and 28% closure risk. Friday's case study showed £3.337 million loss preventable with £90 investment. Proposed: Cri

Read more →
When Boards Ignore Risk Registers: The £2.4 Million Manufacturing Disaster That Nobody Learned From

When Boards Ignore Risk Registers: The £2.4 Million Manufacturing Disaster That Nobody Learned From

March 2024: UK manufacturing company with £18 million turnover lost £2.4 million to business email compromise. Finance director phished, email credentials stolen (no MFA), attacker monitored for two weeks, sent fraudulent payment instruction from compromised account, major client processed payment overseas. Total immediate costs £3.337 million. Company survived through private equity investment that diluted family ownership from 100% to 23%. Managing director resigned. Eight redundancies. What w

Read more →
How to Build a Cyber Risk Register That Actually Works: The Technical Reality Behind Board Governance

How to Build a Cyber Risk Register That Actually Works: The Technical Reality Behind Board Governance

Most cyber risk registers are useless compliance documents. They contain vague descriptions, unverifiable controls, and no honest assessment of likelihood or impact. A working risk register has exactly seven columns: specific risk scenarios, likelihood based on real UK statistics, quantified impacts including business closure potential, verifiable current controls, residual risk ratings, costed additional controls, and named board-level owners. Every UK SME must address five mandatory risks: phi

Read more →
The Risk Register Argument - When Your Co-Host Says You're Wrong About Governance

The Risk Register Argument - When Your Co-Host Says You're Wrong About Governance

Graham Falkner told me before recording that small businesses don't need formal cyber risk registers. By the end of Episode 31, he'd completely changed his mind. UK government data shows only 27% of businesses have board-level cyber security responsibility, down from 38% in 2021. Meanwhile, 43% got breached and 28% of SMEs say a single attack could put them out of business. The evidence is overwhelming. Risk registers aren't bureaucracy - they're systematic thinking applied to survival. This epi

Read more →
Opinion: IoT Security Is Security Theatre Until We Make Default Passwords Illegal

Opinion: IoT Security Is Security Theatre Until We Make Default Passwords Illegal

Right, I'm done being diplomatic about this. After 40 years watching the same preventable disasters repeat themselves with different technology, I'm calling it: selling network-connected devices with default administrative credentials should be illegal in the UK. Not "discouraged." Not "recommended against." Illegal. With criminal penalties for manufacturers and civil liability for distributors. Pull up a chair. This intervention has been brewing for three decades. The free market has had 30 yea

Read more →
The 5-Step IoT Device Audit: Find and Secure Every Forgotten Computer on Your Network (Copy)

The 5-Step IoT Device Audit: Find and Secure Every Forgotten Computer on Your Network (Copy)

A 30-person marketing agency in Manchester did everything right. £15,000 invested in proper security: new firewalls, enterprise endpoint protection, hardware authentication keys for every staff member, and even an external security audit that came back clean. They were feeling quite good about themselves. Two months later? Someone had been accessing their client files for weeks through their HP printer that still used admin/admin as credentials. Total costs: £43,400 direct expenses, three lost c

Read more →
When the Password Manager Fails at Passwords: The £1.2 Million LastPass Lesson

When the Password Manager Fails at Passwords: The £1.2 Million LastPass Lesson

The ICO just fined LastPass £1,228,283 for security failures. Yes, a password manager company, fined for password security failures. The irony would be funny if 1.6 million UK customers hadn't had their data compromised. LastPass allowed senior employees to access corporate vaults from personal devices and let them link business and personal accounts with one master password. When an attacker exploited vulnerable Plex software on an engineer's home computer, they grabbed the keys to everything.

Read more →
Your £15,000 Security Investment Just Got Defeated by a £300 Printer

Your £15,000 Security Investment Just Got Defeated by a £300 Printer

Right, let's talk about the £15,000 security investment that just got absolutely destroyed by a £300 office printer. A marketing agency did everything right: new firewalls, endpoint protection, hardware authentication keys for every staff member, security audit came back clean. Two months later? Someone had been accessing their client files for weeks through their HP printer still using admin/admin as credentials. While you've been securing laptops and servers, your printer has full network acce

Read more →
The Devices You Forgot Were Computers - IoT Security for Small Business

The Devices You Forgot Were Computers - IoT Security for Small Business

What if I told you the biggest cyber threat to your business isn't hackers, but your office printer? Sounds mad, right? That's what a 30-person marketing agency thought before someone accessed their client files for weeks through an HP printer with factory default credentials. Episode 30 reveals the devices everyone forgets are computers: printers storing documents, CCTV systems livestreaming your premises, thermostats providing network access. Currently Top 12 in Apple Podcasts Management categ

Read more →
When Security Royalty Gets It Dangerously Wrong: Debunking the "Stop Hacklore" Letter

When Security Royalty Gets It Dangerously Wrong: Debunking the "Stop Hacklore" Letter

86 security professionals including former CISA director published advice last year claiming public WiFi, QR codes, and USB charging stations are safe. Sounds credible, except I've spent the year mopping up after businesses who followed exactly this advice. £47,000 stolen via hotel WiFi. Companies breached via QR code phishing. Legal practice ransomwared through compromised charging station. When security elite operate in enterprise bubbles with unlimited budgets, their advice becomes dangerous

Read more →
Reverse Benchmarking: Why Studying Cyber Failures Beats Copying Best Practices

Reverse Benchmarking: Why Studying Cyber Failures Beats Copying Best Practices

Most people copy what the big players do and call it a cyber strategy. That works for them. It probably kills you. This episode flips the script. Instead of worshipping best practice, we dissect the car crashes. Target, Equifax, Colonial Pipeline and SolarWinds. We ask one question. What actually went wrong and have you quietly made the same mistakes in your own business. If you run a UK small or mid sized firm and feel lost in security buzzwords, this is your shortcut. Learn from other peoples

Read more →
The Comfortable Lie: Why UK Cybersecurity's Status Quo Is No Longer Defensible

The Comfortable Lie: Why UK Cybersecurity's Status Quo Is No Longer Defensible

Let's drop the diplomatic language for a moment. Current UK cybersecurity regulation is a comfortable lie we tell ourselves to avoid uncomfortable truths. We pretend fines deter when they don't. We pretend guidance works when it doesn't. We pretend breaches are inevitable when most are preventable. Meanwhile, millions of citizens have their data compromised by organisations that face no meaningful consequences. The Synnovis attack contributed to patient deaths. The ICO's response? Under investig

Read more →
When Enforcement Gets Teeth: UK Case Studies in Accountability That Works

When Enforcement Gets Teeth: UK Case Studies in Accountability That Works

Numbers don't lie. In 1981, 495 workers died in British workplaces. The most recent figures show 124. That's not technological progress alone. That's regulatory teeth. When the Health and Safety Executive gained proper enforcement powers, directors discovered that ignoring safety had personal consequences. Prosecutions made headlines. Behaviour changed. Industries transformed. Today, we examine exactly how HSE enforcement worked and exactly what similar cybersecurity enforcement could achieve. T

Read more →
The Three-Tier Cybersecurity Liability Framework: What It Means for Your Business

The Three-Tier Cybersecurity Liability Framework: What It Means for Your Business

Yesterday's podcast proposed criminal liability for cybersecurity negligence. Today, we're dismantling the three-tier framework piece by piece so you know exactly where your business stands. Tier One protects small businesses with explicit gross negligence thresholds and Cyber Essentials safe harbour. Tier Two raises the bar for medium organisations whilst maintaining proportionate standards. Tier Three brings genuine consequences for large enterprises and public sector bodies that still can't i

Read more →
Prison Time for Directors? Part 2: Building the UK Cybersecurity Accountability Framework

Prison Time for Directors? Part 2: Building the UK Cybersecurity Accountability Framework

Yes, you read that correctly. Prison time for directors who allow catastrophic cybersecurity failures. Before you close this tab in horror, hear me out. We already send directors to prison for health and safety failures. Workplace fatalities dropped 85% after the Health and Safety Executive got proper enforcement powers. The ICO? They send sternly worded letters whilst breaches affecting millions go unpunished. Today, Mauven and I lay out exactly what a proper UK cybersecurity enforcement regime

Read more →
Designing the Corporate Cyber Negligence Act (What Accountability Looks Like)

Designing the Corporate Cyber Negligence Act (What Accountability Looks Like)

This week, we established why directors should face criminal prosecution for gross cybersecurity negligence. We examined the Synnovis case where a patient died because free MFA was not enabled. We provided technical analysis, psychological examination, and practical implementation guides. Saturday's opinion piece argued forcefully for criminal liability. Next week, we move from "why" to "how." What would a Corporate Cyber Negligence Act actually say? What are the thresholds between bad luck and

Read more →
Enough. It Is Time to Send Negligent Directors to Prison for Cyber Failures.

Enough. It Is Time to Send Negligent Directors to Prison for Cyber Failures.

I am tired of watching preventable disasters kill people while executives walk away with bonuses intact. A patient died because Synnovis did not enable free multi-factor authentication. Nobody will face criminal prosecution. If a construction director failed to provide hard hats and a worker died, that director would go to prison. Yet when healthcare executives fail to enable free security controls and a patient dies, nothing happens. This is not justice. This is not accountability. This is a br

Read more →
The Synnovis Ransomware Disaster: Complete Timeline and Technical Analysis

The Synnovis Ransomware Disaster: Complete Timeline and Technical Analysis

On 3 June 2024, the Qilin ransomware gang compromised Synnovis, a pathology provider serving NHS hospitals across southeast London. Blood testing collapsed. Over 10,000 appointments were cancelled. More than 1,700 operations were postponed. A patient died waiting for test results that never arrived. The attack succeeded because multi-factor authentication was not enabled. Here is the complete timeline of how a preventable security failure cascaded into catastrophic harm, the technical details of

Read more →
Why Multi-Factor Authentication Could Have Prevented the Synnovis Death

Why Multi-Factor Authentication Could Have Prevented the Synnovis Death

When Beverley Bryant, former Chief Digital Information Officer at Guy's and St Thomas' NHS Foundation Trust, stated that the Synnovis attack "may not have happened" with two-factor authentication enabled, she was not speculating. She was describing technical reality. The Qilin ransomware gang gained initial access through compromised credentials. Multi-factor authentication completely blocks this attack vector. A patient died because a free security control was not enabled. This is not hindsight

Read more →
Should Directors Face Prison Time for Cybersecurity Negligence?

Should Directors Face Prison Time for Cybersecurity Negligence?

On 3 June 2024, a patient arrived at a London hospital A&E feeling unwell. A blood test was ordered. The patient waited. The medics waited. They all waited some more. The patient died. Why? Ransomware had shut down blood testing at Synnovis, the NHS pathology provider. The security control that would have stopped it? Multi-factor authentication. Completely free. Built into every platform. The consequences for executives who chose not to enable it? Nothing. In this episode, we ask the uncomfo

Read more →
When Your Biggest Customer Gets Hacked: The £1.9 Billion Lesson No One’s Talking About

When Your Biggest Customer Gets Hacked: The £1.9 Billion Lesson No One’s Talking About

Financial Accountant magazine just published my analysis of the £1.9 billion Jaguar Land Rover cyberattack. But here’s what the article couldn’t cover: the small suppliers who died from JLR’s breach. You didn’t get hacked. Your biggest customer did. You still lost everything. One supplier laid off 40 people because JLR couldn’t place orders for six weeks. Proper security. Good practices. Still went bust. After 40 years in the IT world Intel, Disney, and the BBC, I’ve seen this pattern before. En

Read more →
November 2025 Patch Tuesday: A Perfect Storm of Critical Vulnerabilities Demands Immediate Action

November 2025 Patch Tuesday: A Perfect Storm of Critical Vulnerabilities Demands Immediate Action

Four zero-days. One perfect 10.0 severity score. Hundreds of thousands of sites already compromised. Criminals are exploiting Exchange Servers, Magento shops, and Oracle ERP systems right now - whilst you're reading this. SAP's vulnerability was so bad they deleted the entire component rather than fix it. WordPress sites are falling to a plugin bug that shouldn't exist. And that's just November. Your patching strategy just became a lot more urgent. Graham Falkner breaks down what to patch first:

Read more →
When Two Swiss Scientists Decided Silicon Wasn't Good Enough

When Two Swiss Scientists Decided Silicon Wasn't Good Enough

They're growing brain tissue in Swiss laboratories and using it to process information. Not simulations. Actual living human neurons, derived from skin cells, housed in specialized chambers, connected to electrodes, computing. FinalSpark's Neuroplatform has 16 brain organoids containing roughly 160,000 neurons total. Each organoid interfaces with 8 electrodes sampling at 30 kHz. The system has operated continuously for four years, testing over 1,000 organoids, collecting 18 terabytes of data. Th

Read more →
No MFA? No Certification. The Cyber Essentials Rule That Changes Everything

No MFA? No Certification. The Cyber Essentials Rule That Changes Everything

The April 2026 Cyber Essentials update introduces a game-changing rule: multi-factor authentication is now mandatory. Not recommended. Not "nice to have." Mandatory. If your cloud service offers MFA (free or paid) and you're not using it, you automatically fail. No exceptions. This single change will expose how many UK businesses have been skating by with terrible security. With potentially 30,000+ certified companies lacking proper MFA configuration, the fallout will be significant. You've got

Read more →
The Frankenstein Computer That's Actually Real

The Frankenstein Computer That's Actually Real

There's a lab in Switzerland where they're building computers out of living human neurons. Sounds completely barking mad, right? Here's the thing: these brain cells compute using one million times less energy than silicon. Meanwhile, training a single AI model now produces the carbon emissions of 500 cars over their entire lifetimes. Microsoft, Google, and Amazon just committed billions to restart nuclear power plants because they can't keep the lights on. And your business? You're paying for ev

Read more →
Weekend Reflection - Efficiency Theatre and the Tyranny of the Measurable

Weekend Reflection - Efficiency Theatre and the Tyranny of the Measurable

Why do smart people keep making the same catastrophic mistake? Cut security spending, congratulate themselves on efficiency, watch everything fall apart, spend vastly more recovering. It's not ignorance. It's psychology. Measurable costs are visible, politically defensible, easy to justify cutting. Invisible value is theoretical until it disappears. CFOs get promoted for cutting £50,000 from budgets. Nobody gets promoted for preventing breaches that don't happen. This asymmetry creates systemati

Read more →
UK Case Study - The Manchester Marketing Agency That Cut Training and Lost Everything

UK Case Study - The Manchester Marketing Agency That Cut Training and Lost Everything

Manchester marketing agency, 28 staff, £2.4M revenue. CFO proposed cutting security training: "£12,000 annually for slides nobody watches." Board agreed. Six months later, junior account manager clicked phishing link in fake client brief. No training meant she didn't recognise warning signs. Credentials stolen, ransomware deployed, three weeks offline. Recovery costs: £190,000. ICO investigation: inadequate training documented. They saved £12,000 and spent £190,000 learning what training actuall

Read more →
Practical Guide - Evaluating Security Cost Cuts Without Destroying Your Business (Copy)

Practical Guide - Evaluating Security Cost Cuts Without Destroying Your Business (Copy)

Stop cutting security costs based on gut feel and budget pressure. Start using actual frameworks that calculate downside risk. This practical guide walks you through evaluating any security spending decision: What's the notional function versus actual value? What's the cost of being wrong? What's the expected cost multiplied by probability? What invisible value disappears when you cut this? Includes checklists, decision trees, and real cost calculations for training, MFA, insurance, IT staff, an

Read more →
The Doorman Fallacy - Complete Framework for UK Businesses

The Doorman Fallacy - Complete Framework for UK Businesses

I've watched businesses make the same catastrophic mistake for 40 years. They look at security costs through a narrow efficiency lens, define roles by their obvious function, cut them to save money, and completely miss the invisible value. Until it's gone. Then they spend 10 times more fixing what they broke. The doorman fallacy explains every stupid IT decision I've ever seen: training cuts that cost millions in breaches, MFA removal that gifts credentials to attackers, insurance cancellation t

Read more →
The Doorman Fallacy - Podcast Episode Launch

The Doorman Fallacy - Podcast Episode Launch

What's the most expensive cost-saving decision you can make? Firing your hotel doorman and replacing him with an automatic door. Saves you £35,000 a year in salary, costs you £200,000 in lost revenue because your hotel just became ordinary. This isn't about hotels. It's about every IT budget cut I've seen in the last 40 years. New episode drops today: The Doorman Fallacy, or How to Accidentally Destroy Your Business Whilst Congratulating Yourself on Efficiency Gains. Featuring examples that will

Read more →
InfoSec vs CyberSec vs IT Security - Stop Wasting Money on the Wrong Protection

InfoSec vs CyberSec vs IT Security - Stop Wasting Money on the Wrong Protection

Every week I talk to UK business owners who've just spent £20,000 on "comprehensive cybersecurity platforms" when they needed £5,000 worth of basic IT security. Or they've paid consultants to develop "enterprise information security frameworks" for 15-person companies that can't keep Windows updated. The security industry profits from keeping you confused about InfoSec versus CyberSec versus IT Security. This week's episode cuts through the bollocks to explain what each term actually means, what

Read more →
Resources and Practical Steps - What Schools Can Actually Do Right Now

Resources and Practical Steps - What Schools Can Actually Do Right Now

Schools don't need expensive enterprise solutions to improve cybersecurity - they need practical, accessible guidance. The NCSC Cyber Assessment Framework provides exactly that: free, non-technical guidance designed specifically for schools with limited budgets. It covers user access control, incident management, and supply chain security in accessible language. Start with quick wins: enable MFA for everyone, conduct a GitHub repository audit, rotate all credentials organization-wide. The CAF is

Read more →
The Kido Nursery Breach - How a GitHub Repository Exposed 8,000 Children

The Kido Nursery Breach - How a GitHub Repository Exposed 8,000 Children

The Kido nursery breach exposed 8,000 children's data in September 2025, but the attack vector reveals a critical lesson for schools: this wasn't sophisticated hacking. Security researchers discovered a publicly accessible GitHub repository containing API credentials in plain text. The kido-kidssafe/myskio-api repository had the "keys to the kingdom visible in the clear." Two 17-year-olds were arrested in Hertfordshire, but the real story is how preventable this breach was. Schools must audit th

Read more →
Your Complete Insider Threat Defence Action Plan: From Assessment to Implementation

Your Complete Insider Threat Defence Action Plan: From Assessment to Implementation

This is the complete insider threat action plan for small businesses. Start with the non negotiables. Enable MFA on email and cloud apps. Audit who has access to what. Test your backups and prove you can restore. Then build. Roll out a password manager. Separate admin from day to day accounts. Turn on activity alerts and review them weekly. Segment guest, IoT and finance. Add EDR. Finish with drills, metrics, and monthly reviews. Do your leaders model the right behaviour? Do people know who to c

Read more →
Your Insider Threat Assessment Framework: A Practical Self-Audit Guide

Your Insider Threat Assessment Framework: A Practical Self-Audit Guide

Most security assessments fail small businesses. They ask the wrong questions or drown you in paperwork. You need a fast test that flags real risk and gives clear next steps. Start with five pillars. Access control. Authentication. Activity monitoring. Data protection. Incident response. Score each with simple questions. Fix the lowest pillar first. Turn on MFA. Remove excess access. Enable login alerts. Test restores. Write a one page incident plan. Track progress monthly with a few metrics. Do

Read more →
When Insider Threats Strike: Real-World Case Studies and Business Lessons

When Insider Threats Strike: Real-World Case Studies and Business Lessons

A teenager extorted 2.85 million dollars from PowerSchool. A student in Iowa ran a grade change business with pocket keyloggers. UK schools lost days of teaching to ransomware. None of this needed elite tools. It needed access, weak controls, and time. That is your wake up call. Do you know what your vendors hold about you? Do you keep more data than you need? Could someone walk up and plug in a device? Layer simple controls. Use MFA. Limit access. Monitor for odd activity. Test restores. Plan f

Read more →
Technical Defences Against Insider Threats: Solutions That Actually Work

Technical Defences Against Insider Threats: Solutions That Actually Work

Small businesses do not need theory. They need controls that block real attacks without new headcount. Start with MFA. It is included in Microsoft 365 and Google Workspace. It kills password reuse and shoulder surfing. Apply least privilege. Split admin from day to day use. Roll out a business password manager. Turn on sign in alerts that flag odd times and places. Test backups with the 3 2 1 rule and keep one copy offline. Segment guest, IoT and finance. These steps are cheap and proven. Will y

Read more →
Kido Nursery Rant: When We Lost Whatever Was Left of Our Souls

Kido Nursery Rant: When We Lost Whatever Was Left of Our Souls

The Kido International ransomware attack represents cybersecurity's darkest moment. Eight thousand children's photos, addresses, medical records, and safeguarding notes were stolen and posted online by the Radiant gang. Hackers then called parents directly, demanding they pressure the nursery to pay. This wasn't just a data breach, it was a calculated attack on the most vulnerable data imaginable. After 40 years in cybersecurity, this crosses every line. But here's the terrifying truth: the same

Read more →
Why Good Employees Make Bad Security Decisions: The Psychology Behind Insider Threats

Why Good Employees Make Bad Security Decisions: The Psychology Behind Insider Threats

Security fails when it fights how people work. Most breaches are not villains. They are good staff blocked by bad design. The ICO shows students guessed weak passwords or read them off notes. The lesson is simple. If the secure path is slow, people route around it. Make secure the easy choice. Use single sign on. Use MFA that is one tap. Give safe tools for sharing files. Build trust so people report mistakes. Review real behaviour, not policy fantasy. Do your controls help work or hinder it? If

Read more →
Your Biggest Cyber Threat Wears a School Uniform: What Small Businesses Can Learn From School Hackers

Your Biggest Cyber Threat Wears a School Uniform: What Small Businesses Can Learn From School Hackers

Insider threats are not shadowy hackers. They are people already inside your walls. The ICO found students caused most school data breaches by guessing weak passwords or reading them off sticky notes. They were not breaking in. They were logging in. Sound familiar? If a teenager can bypass controls, what would a bored employee try next? Audit access today. Turn on multi factor authentication. Stop forcing impossible passwords people write down. Log activity on sensitive systems. Train for curios

Read more →
When Criminals Target Children: The Kido Nursery Attack and What It Means for UK Small Businesses

When Criminals Target Children: The Kido Nursery Attack and What It Means for UK Small Businesses

After yesterday's Kido International ransomware attack, I've spent the night reading through the technical details and regulatory implications. What I'm seeing isn't just disturbing. It's a fundamental shift in how we need to think about protecting sensitive data in British small businesses. Yesterday morning, 18 UK nursery locations woke up to a ransomware attack. The attackers didn't just encrypt systems. They stole the entire database. Names of 8,000 children. Home addresses. Photos. Safeguar

Read more →
Co-op's £80 Million Cybersecurity Bill: The True Cost of "Just" a Data Breach

Co-op's £80 Million Cybersecurity Bill: The True Cost of "Just" a Data Breach

Co-op's CEO has officially confirmed their April 2024 cyberattack cost £80 million in earnings impact. The perpetrators? Teenagers using basic social engineering to steal personal data from all 6.5 million members. No sophisticated nation-state attack, just "Can you reset my password, mate?" targeting the right employee. With zero cyber insurance coverage, Co-op absorbed every penny while 2,300 stores suffered empty shelves and 800 funeral homes reverted to paper-based systems. But £80 million m

Read more →
The £800 Monthly Technology Disaster (And How Strategic Thinking Fixed It in 6 Months)

The £800 Monthly Technology Disaster (And How Strategic Thinking Fixed It in 6 Months)

Manchester marketing agency hemorrhaged £800 monthly on cloud storage chaos. Four different platforms, zero coordination, Dave from IT drowning in strategic decisions while fixing printers. Classic small business approach: solve today's problem with today's solution. Six months after engaging fractional CIO services: single integrated platform costing £450 monthly, unified data governance, actual strategic roadmap. Annual savings of £4,200 paid for strategic guidance while delivering competitive

Read more →
£180k CIO vs £25k Fractional: Why Smart UK Businesses Choose the Latter

£180k CIO vs £25k Fractional: Why Smart UK Businesses Choose the Latter

Full-time CIO in London: £180k-250k annually plus benefits. Fractional CIO: £15k-30k for strategic expertise when you need it. The mathematics are brutal, but the quality difference might surprise you. Many fractional executives are senior professionals who prefer variety over corporate politics. You get FTSE 250 CIO experience for a fraction of full-time cost. While your competitors burn budget on executives who spend half their time in meetings, you access strategic guidance scaled to actual n

Read more →
Stop Calling Dave from IT, Your CIO (He's Not, and It's Destroying Your Business)

Stop Calling Dave from IT, Your CIO (He's Not, and It's Destroying Your Business)

Dave from IT is brilliant at keeping your systems running. But calling him your CIO is like calling your mechanic an automotive engineer. Most UK small businesses confuse operational IT support with strategic technology leadership, and it's costing them millions. While Dave troubleshoots email issues, real CIOs design five-year technology roadmaps. The difference? Strategic thinking that aligns technology investments with business objectives. Fractional CIO services deliver genuine C-level exper

Read more →
September 2025 Patch Tuesday: Business Risk Assessment and Compliance Timeline

September 2025 Patch Tuesday: Business Risk Assessment and Compliance Timeline

September’s Microsoft Patch Tuesday isn't just another routine update cycle. With 81 vulnerabilities patched including 9 critical flaws, and active exploitation campaigns already targeting SharePoint servers, this represents significant business risk. Cyber Essentials certified organisations have until September 23rd to deploy updates, but waiting 14 days significantly increases risk exposure. The psychological tendency to defer technical updates creates dangerous security gaps. From authenticat

Read more →
The Massive Lie That’s Killing UK Businesses: Cybersecurity is NOT Just an Enterprise Problem

The Massive Lie That’s Killing UK Businesses: Cybersecurity is NOT Just an Enterprise Problem

Cybersecurity is not just an enterprise problem. With 96% of attacks targeting small businesses and 60% of victims closing within six months, UK SMEs face a survival crisis. This article exposes the myths keeping businesses vulnerable, the real financial impact of attacks, and the role of supply chain risk. It explains why Cyber Essentials and board-level governance are no longer optional, but essential. Written for directors and leaders, it lays out practical steps to protect your business befo

Read more →
60% of Small Businesses Die After Cyberattacks – Are You Next?

60% of Small Businesses Die After Cyberattacks – Are You Next?

Sixty per cent of small businesses don’t survive a cyberattack. That’s not a scare tactic, it’s a reality. UK SMBs are under siege, targeted in 96% of attacks because criminals know you’re under-protected and overconfident. This post rips apart the myth that cybersecurity is “only an enterprise problem” and shows how MSP malpractice, human error, and supply chain risk are leaving businesses exposed. Most importantly, it lays out the simple, affordable steps like Cyber Essentials that block 95% o

Read more →
Cyber Essentials: The £300 Security Framework That Actually Works (And How to Get It Without Going Mental)

Cyber Essentials: The £300 Security Framework That Actually Works (And How to Get It Without Going Mental)

After Monday's podcast revelation that government cybersecurity frameworks can actually make sense, let's talk implementation reality. Cyber Essentials costs £320-600 for self-assessment, takes 2-4 weeks of focused effort, and genuinely stops 80% of attacks targeting UK SMBs. But here's what the NCSC won't tell you: most businesses discover massive security gaps during the assessment process. I've guided dozens through certification, and the pattern is always the same. "We thought we were secure

Read more →
It’s Cheaper to Be Defensive: Why Waiting for a Breach Is the Most Expensive Mistake You’ll Ever Make

It’s Cheaper to Be Defensive: Why Waiting for a Breach Is the Most Expensive Mistake You’ll Ever Make

Three out of four UK businesses admit they’d break the law to pay a ransomware gang, proving they’re not prepared — they’re desperate. This hard-hitting article exposes the brutal truth behind the PR Newswire findings and dismantles the myth that cybersecurity is too expensive. It’s not. What’s expensive is losing your business, your data, and your reputation. We break down why defensive investment is always cheaper than recovery, what leaders are doing wrong, and how to fix it before disaster s

Read more →
Still Letting Your Help Desk Reset MFA? Scattered Spider Says Thanks

Still Letting Your Help Desk Reset MFA? Scattered Spider Says Thanks

Your help desk just became your biggest security liability. Scattered Spider criminals are ringing UK support teams, impersonating executives, and convincing staff to reset multi-factor authentication. Within hours, they're inside your network deploying DragonForce ransomware. The July 2025 IC3/CISA advisory exposes how these English-speaking social engineers are systematically destroying businesses through basic phone manipulation. If your Tier 1 support can reset MFA without proper verificatio

Read more →
Cyber Essentials Deep Dive: Five Controls That Actually Work

Cyber Essentials Deep Dive: Five Controls That Actually Work

After Monday's podcast revelation that government frameworks can actually make sense, let's dive deep into the five Cyber Essentials controls that provide enterprise-level protection without enterprise-level budgets. Boundary firewalls, secure configuration, access control, malware protection, and patch management. Five areas that stop 80% of attacks against 80% of small businesses 80% of the time. That's a lot of eighties, but the maths works. These aren't theoretical controls dreamed up by bur

Read more →
The Online Safety Act: Digital Dictatorship Disguised as Child Protection

The Online Safety Act: Digital Dictatorship Disguised as Child Protection

The UK Online Safety Act has been live for 48 hours and it's already the most spectacular digital disaster since Internet Explorer. VPN usage surged 1,400%, teenagers are using Death Stranding screenshots to bypass age verification, and Ofcom is reduced to sending strongly worded letters to companies that ignore them entirely. We've created a surveillance regime that doesn't protect children, doesn't stop harmful content, and can be defeated by PlayStation screenshots. This isn't child protectio

Read more →
Cyber Essentials: When Government Frameworks Actually Make Sense

Cyber Essentials: When Government Frameworks Actually Make Sense

Right, let's address the elephant in every small business owner's mind after last week's White House security episode: if we're facing enterprise-level threats, do we need enterprise-level budgets? The answer is a resounding no. The UK's Cyber Essentials framework takes everything we learned about systematic security thinking and distills it into five achievable controls that cost less than most businesses spend on coffee. Insurance companies love it (lower claims), government contracts require

Read more →
How Corner Shops Can Get White House Security

How Corner Shops Can Get White House Security

After last week's mind-bending dive into White House security with Theresa Payton's insights, you're probably wondering if protecting your business requires government-sized budgets and ex-GCHQ analysts. The answer will surprise you. Monday's episode reveals how the UK's Cyber Essentials framework takes everything we learned about systematic security thinking and makes it achievable for businesses that can't hire situation room experts. Five controls, 80% protection against real threats, costs l

Read more →
Stop Getting Fooled: A Small Business Guide to "Verify and Never Trust" Security

Stop Getting Fooled: A Small Business Guide to "Verify and Never Trust" Security

When someone who protected the President's digital communications tells you to "verify and never trust," you should probably listen. Former White House CIO Theresa Payton's evolution of Reagan's famous principle isn't just clever wordplay - it's essential survival advice for 2025. Deepfakes can fool video calls, AI perfectly mimics email writing styles, and social engineering has become so sophisticated that even cybersecurity professionals get caught out. When seeing and hearing are no longer b

Read more →
What the White House CIO Sees That UK SMBs Don't: The Threat Landscape Reality Check

What the White House CIO Sees That UK SMBs Don't: The Threat Landscape Reality Check

The White House CIO has access to threat intelligence that would make UK SMB owners lose sleep for weeks. While British businesses worry about basic phishing, US government analysts are tracking systematic campaigns targeting supply chains, MSPs, and small businesses as stepping stones to bigger targets. They're seeing patterns you've never heard of: criminal groups spending months mapping your vendor relationships, state actors using SMBs to access critical infrastructure, and ransomware cartel

Read more →
Technical Debt Is Economic Suicide: Why Britain Is Building Its Own Digital Downfall

Technical Debt Is Economic Suicide: Why Britain Is Building Its Own Digital Downfall

After investigating technical debt disasters across the UK for over four decades, I've reached an uncomfortable conclusion: we're not just accumulating IT shortcuts, we're systematically building Britain's digital economic collapse. This week's deep-dive into technical debt revealed a pattern that goes beyond individual business failures. Every "temporary" solution, every deferred security update, every cost-cutting IT decision is another brick in the wall of our national digital vulnerability.

Read more →
The Midlands Manufacturing Firm That Technical Debt Murdered

The Midlands Manufacturing Firm That Technical Debt Murdered

Pull up a chair for the most preventable business disaster I've investigated this year. A 78-employee Midlands manufacturing firm just got completely destroyed by technical debt they'd been accumulating since 2019. Six years of "temporary" solutions, unpatched systems, and IT shortcuts created the perfect storm when DarkSide ransomware hit in May 2025. £2.8 million in losses, 45 redundancies, and business closure within 8 weeks. Every single vulnerability that enabled this attack was documented,

Read more →
Stop Bleeding Money on Yesterday's Shortcuts

Stop Bleeding Money on Yesterday's Shortcuts

After this week's deep-dive into technical debt psychology, let's talk about actually fixing the bloody mess. Your "temporary" solutions from 2019 are now permanent vulnerabilities that criminals are actively exploiting. Every day you delay proper technical debt management, you're bleeding money on maintenance, security patches, and the inevitable breach costs. I've seen £50 million companies destroyed by technical debt they knew existed but couldn't prioritize properly. Here's your framework fo

Read more →
M&S vs Co-op: When Technical Debt Meets Operational Agility

M&S vs Co-op: When Technical Debt Meets Operational Agility

Same criminals. Same tactics. Completely different outcomes. M&S lost £300 million and took 46 days to restore online sales. Co-op faced identical DragonForce attacks but recovered swiftly with minimal disruption. The difference wasn't sophisticated security - it was operational agility versus accumulated technical debt. M&S drowned in decades of deferred decisions whilst Co-op's modern processes saved them. This isn't about having perfect systems, it's about building resilience. Wednesd

Read more →
Podcast Ep7: Technical Debt - The Digital Quicksand Drowning UK Businesses

Podcast Ep7: Technical Debt - The Digital Quicksand Drowning UK Businesses

M&S lost £300 million because decades of technical debt left them unable to respond to basic social engineering. Co-op faced identical DragonForce attacks but recovered quickly through operational agility. The difference? M&S accumulated digital debt like a hoarder accumulates rubbish, whilst Co-op invested in resilience. Technical debt isn't just old software - it's every deferred security decision, every "temporary" workaround, every vendor relationship without oversight. Podcast Episo

Read more →
When Supply Chain Incompetence Meets Parliamentary Scrutiny (And Why Technical Debt Will Finish the Job)

When Supply Chain Incompetence Meets Parliamentary Scrutiny (And Why Technical Debt Will Finish the Job)

Wednesday's parliamentary hearing was brutal. M&S Chairman Archie Norman squirming whilst explaining how criminals cost his company £300 million through basic social engineering. McDonald's serving up 64 million job seekers to potential identity thieves. Both disasters show the same pattern: years of deferred security investments creating systematic vulnerabilities. This isn't sophisticated hacking, it's criminal exploitation of corporate incompetence. M&S had no cyber attack plan despit

Read more →
Shadow IT Isn't the Problem - It's the Symptom of Everything Wrong with Business Technology

Shadow IT Isn't the Problem - It's the Symptom of Everything Wrong with Business Technology

After 40 years watching this bloody circus, this week's Shadow IT investigation revealed the most uncomfortable truth in business technology: unauthorized applications aren't the problem. They're proof that our entire industry has systematically failed small businesses through decades of vendor greed and procurement theatre. Seventeen project management tools because enterprise solutions are unusable garbage. £127k unauthorized spending because we sold them digital dumpster fires. Communication

Read more →
The SME That Discovered 247 Unauthorized Cloud Services in One Week

The SME That Discovered 247 Unauthorized Cloud Services in One Week

Buckinghamshire engineering firm thought they had "pretty good visibility" into their IT environment. DNS monitoring revealed 247 unauthorized cloud services, 43 different communication platforms, and £127,000 annual Shadow IT spending they didn't know existed. Dropbox, Google Drive, OneDrive, iCloud, plus dozens of project management tools, design software subscriptions, and messaging platforms. One week of DNS logs exposed six years of unauthorized software proliferation. The technical impleme

Read more →
VPNs are Critical in a Hybrid Working World - But Without MFA They Are Almost Pointless

VPNs are Critical in a Hybrid Working World - But Without MFA They Are Almost Pointless

Right, time for some brutal honesty about VPNs. They're not just broken, they're actively dangerous security theatre that's getting businesses destroyed. While you're still pretending that GlobalProtect and Cisco AnyConnect provide meaningful security, criminals are systematically working through every VPN deployment in the UK using the same basic playbook. Ingram Micro lost £136 million because someone misconfigured a VPN firewall. Your "secure" remote access is probably next. Microsoft's alrea

Read more →
From 17 Project Management Tools to Zero Productivity: The Communication Chaos Epidemic

From 17 Project Management Tools to Zero Productivity: The Communication Chaos Epidemic

Seven communication platforms. Fifteen employees. £23,000 legal discovery bill when employment tribunal demanded complete records. WhatsApp Business for customers, Slack for projects, Discord for "team building," Signal for "confidential" talks, Telegram for contractors. When they needed to reconstruct one client relationship, conversations were scattered across platforms they couldn't control. Customer satisfaction dropped 40% because every interaction started from zero knowledge. The legal pen

Read more →
When Basics Break: How Simple Security Failures Cripple Big Brands

When Basics Break: How Simple Security Failures Cripple Big Brands

A password of "123456" in 2025, supposedly protecting 64 million people's personal information. McDonald's just handed every UK SMB a masterclass in how vendor incompetence destroys lives. Some security researchers got curious about Mickey Dee's dystopian AI hiring bot, spent 30 minutes guessing obvious passwords, and suddenly had access to every job application ever submitted to the Golden Arches. While McDonald's and their AI vendor Paradox.ai play hot potato with blame, 64 million desperate j

Read more →
When Britain's Biggest Retailers Get Absolutely Destroyed by a Phone Call

When Britain's Biggest Retailers Get Absolutely Destroyed by a Phone Call

M&S just lost £300 million and Co-op exposed 20 million customer records because some criminal rang their IT help desk, pretended to be an employee, and walked away with the keys to the kingdom. Not sophisticated malware. Not zero-day exploits. A bloody phone call. The parliamentary hearing this week revealed the shocking truth: Britain's biggest retailers have help desk security that wouldn't pass muster at a corner shop. When Archie Norman admits they had "no cyber attack plan" and describ

Read more →
Patch Tuesday July 2025: When Shadow IT Makes Security Updates a Nightmare

Patch Tuesday July 2025: When Shadow IT Makes Security Updates a Nightmare

Microsoft's July 2025 Patch Tuesday just dropped 130 security fixes while most UK SMBs remain blind to 42% of applications running on their networks. From my government cyber experience, this represents a systematic organizational failure: you cannot patch what you cannot see. Critical vulnerabilities in Windows Kernel, BitLocker, and authentication systems require immediate deployment, but Shadow IT applications will break unpredictably. Worse, the buried Secure Boot certificate expiration warning affects

Read more →
The Hidden Apps Undermining Your Business Security

The Hidden Apps Undermining Your Business Security

Yesterday's Episode 6 dropped the bombshell: 42% of business applications are unauthorized. Today we're diving deeper into the hidden app epidemic destroying UK SMB security. Karen's Dropbox backup strategy with password "Password" shared via email. Marketing teams feeding confidential data to AI platforms. Customer service operations running through WhatsApp Business storing financial information in chat logs. DNS monitoring revealing 200+ cloud connections in a single week. This isn't isolated

Read more →
The VPN Security Crisis: A perspective on Why Traditional Remote Access Is Failing

The VPN Security Crisis: A perspective on Why Traditional Remote Access Is Failing

After analyzing the Ingram Micro ransomware attack and reviewing the latest threat intelligence, I need to be brutally honest about VPN security. We're facing a 56% increase in VPN-related attacks, an 8-fold surge in edge device exploitation, and zero-day VPN exploits jumping from 3% to 22% of all incidents. The SafePay group's destruction of a $48 billion distributor through basic VPN misconfiguration isn't an anomaly. It's the new normal. From my civil serice career experience, I can tell you

Read more →
When a $48 Billion Giant Falls to Basic Password Bollocks: The Ingram Micro Disaster That Should Terrify Every UK Business

When a $48 Billion Giant Falls to Basic Password Bollocks: The Ingram Micro Disaster That Should Terrify Every UK Business

A $48 billion global technology giant just got destroyed by criminals who exploited a basic firewall misconfiguration. Ingram Micro, the backbone of every MSP and reseller on the planet, is bleeding £136 million daily because someone forgot to tick a checkbox properly. SafePay ransomware walked through their VPN like it was an open door, bringing down the entire global IT supply chain. If you're an MSP depending on single vendors, you're about to learn the brutal cost of trusting other people's

Read more →
Your EV Charger Is a 47-Meter Security Disaster: The Brokenwire Wake-Up Call

Your EV Charger Is a 47-Meter Security Disaster: The Brokenwire Wake-Up Call

Right, pull up a chair. We need to have a bloody serious conversation about the EV charging disaster that's been hiding in plain sight. Oxford researchers just confirmed what should terrify every electric vehicle owner: your charging cable is a 47-meter antenna broadcasting your vulnerability to anyone with £200 worth of kit from eBay. The "Brokenwire" attack can kill charging sessions wirelessly, and it's built into the bloody standards that govern 12 million EVs worldwide. Known since 2019, st

Read more →
When Janet Jackson Accidentally Became a Cyber Weapon: The Pop Song That Crashed Laptops

When Janet Jackson Accidentally Became a Cyber Weapon: The Pop Song That Crashed Laptops

Janet Jackson's "Rhythm Nation" music video could crash laptops just by playing the audio. Not through software exploits or malware, but because the bloody song contained the exact resonant frequency that turned 5400 RPM hard drives into expensive paperweights. Even better: playing the video on one laptop could crash OTHER laptops sitting nearby through pure acoustic warfare. Microsoft engineers had to add secret audio filters to prevent pop music from destroying computers. If a 1989 dance track

Read more →
Passkeys, Passwordless, and the End of Excuses: Why This Time It's Actually a Good Thing

Passkeys, Passwordless, and the End of Excuses: Why This Time It's Actually a Good Thing

Passwords are circling the drain, and this time it’s for real. Microsoft, Apple, and Google are killing off passwords and pushing passkeys by default across their platforms. Microsoft is going passwordless by force, Apple is making it seamless, and Google is syncing passkeys everywhere. The UK government is onboard too, rolling out passkeys across public services. This isn’t future talk, it’s happening now. If your IT provider is still clinging to complex password policies and SMS MFA, you’re be

Read more →
Three Random Words: The NCSC Solution That Actually Works

Three Random Words: The NCSC Solution That Actually Works

After last night's podcast revelation about our collective digital archaeology disaster, let's talk about the solution hiding in plain sight. The UK's National Cyber Security Centre dropped wisdom that sounds too simple to work: pick three random words for your passwords. "Coffee train fish." "Wall tin shirt." "CabbagePianoBucket." Easy to remember, nightmare to crack, and unlike "password123," not on every hacker's greatest hits list. While we're mashing together words and numbers in barely inv

Read more →
Patch Tuesday Is Microsoft's Security Theatre

Patch Tuesday Is Microsoft's Security Theatre

Microsoft's Patch Tuesday is security theatre masquerading as systematic protection. Every second Tuesday, they dump 30-80 vulnerabilities on businesses and expect immediate deployment while providing minimal testing guidance. It's a monthly game of Russian roulette disguised as responsible disclosure. SMBs get caught between "patch immediately or die" hysteria and "test everything or break the business" paralysis. Meanwhile, Microsoft profits from both the problems and the solutions. Here's why

Read more →
The Sheffield SME That Learned to Love Patch Tuesday

The Sheffield SME That Learned to Love Patch Tuesday

Meet the Sheffield manufacturing firm that turned patch management from monthly panic into competitive advantage. Thirty-five employees, fifteen-year-old custom software, and an MD who thought "cybersecurity" was just expensive insurance. Then a supplier breach nearly destroyed their government contracts. Fast-forward eighteen months: they're winning contracts specifically because of their security posture, staff morale is up, and they haven't had a single security incident. Their secret? They s

Read more →
Patch Management That Won't Break Your Business

Patch Management That Won't Break Your Business

Stop treating patch management like Russian roulette. You don't need enterprise-grade test labs to deploy patches safely. You need a structured approach that balances speed with stability. I've managed patches across everything from 50-seat SMBs to global enterprises with 100,000+ endpoints. The principles are identical: test smart, deploy fast, have a rollback plan. Most SMBs get this backwards - they test forever and deploy never, leaving themselves exposed to known vulnerabilities while perfe

Read more →
Patch Tuesday: Critical Fixes SMBs Are Ignoring

Patch Tuesday: Critical Fixes SMBs Are Ignoring

Microsoft just dropped 51 vulnerabilities in June's Patch Tuesday, including 18 rated critical. And I guarantee you, most UK SMBs will ignore the lot. CVE-2025-34567 allows remote code execution through a simple email attachment. CVE-2025-34701 lets attackers escalate privileges with ba sic user credentials. These aren't theoretical risks but active attack vectors that criminals already exploit. Yet I'll bet half the businesses reading this still haven't patched last month's critical fixes. This

Read more →
Patch Tuesday Survival Guide: Why UK SMBs Get It Wrong

Patch Tuesday Survival Guide: Why UK SMBs Get It Wrong

It's 6 PM on the second Tuesday of the month. While normal people are heading home, UK IT teams are just starting their monthly nightmare. Microsoft has dumped 150 security fixes with zero consideration for how real businesses operate. No test environments, no staging procedures, no time to breathe. Just impossible choices: patch immediately and risk breaking everything, or wait and become sitting ducks for "Exploit Wednesday" when criminals reverse-engineer the fixes. After decades of watching

Read more →
Week Ahead Preview: Microsoft's Monthly Security Roulette

Week Ahead Preview: Microsoft's Monthly Security Roulette

This week we explored compliance theatre vs real security. Next week, we're diving into the monthly war zone that every IT team knows: Microsoft's Patch Tuesday roulette where one wrong decision can sink your business. Monday's podcast takes you inside the 6 PM chaos when UK teams scramble with late-breaking updates, and Tuesday's deep-dive exposes why traditional patch management advice is built for enterprises that don't exist. Plus, practical survival strategies for when you're fighting attac

Read more →
Compliance Alone Is Digital Security Theatre

Compliance Alone Is Digital Security Theatre

After decades of watching government departments wave certificates while getting breached, I'm done pretending compliance equals security. Yes, you need SOC 2 for some contracts. Yes, ISO27001 impresses procurement teams. But if you think those certificates will stop ransomware, you're living in a dangerous fantasy. I've seen FTSE 100 companies with pristine audit reports get absolutely destroyed by basic phishing attacks. It's time for some brutal honesty about what compliance actually protects

Read more →
The Midlands SME That Trusted ISO & Lost £50k Anyway

The Midlands SME That Trusted ISO & Lost £50k Anyway

CASE STUDY: Midlands manufacturing SMB spent 18 months and £45,000 getting ISO27001 certified. Six months later: ransomware attack, £50k losses, customer data exposed. They had perfect documentation for email security but forgot to actually secure their email. This is compliance theatre in its purest form - expensive certificates that impress auditors but don't stop criminals. Today's case study exposes the brutal reality of governance vs protection and what UK SMBs should learn from this expens

Read more →
When Horse Racing's Regulator Can't Secure Their Own Stable

When Horse Racing's Regulator Can't Secure Their Own Stable

The British Horseracing Authority just got absolutely hammered by ransomware, and frankly, I'm not surprised. Here's an organization that regulates a £1 billion industry, handles medical records for hundreds of jockeys, and oversees one of Britain's most prestigious sporting events. And they fell for the oldest trick in the book: some criminal rang their IT helpdesk, pretended to be an employee, and walked away with the keys to the kingdom. If the people who regulate horse racing can't secure th

Read more →
Implementing Cyber Essentials: Your 5-Step Action Plan

Implementing Cyber Essentials: Your 5-Step Action Plan

Tired of consultants charging £10,000 for Cyber Essentials implementation that you can do yourself in six weeks? This step-by-step guide cuts through the consultant bollocks and shows you exactly how to implement CE yourself. Real timelines (6 weeks max), real costs (under £4,000), real templates you can actually use. No consultant dependency, no ongoing fees, no compliance theatre. Just practical security that actually protects your UK SMB while meeting NCSC requirements. Stop funding consultan

Read more →
Why Another SOC 2 Certified Company Just Got Breached

Why Another SOC 2 Certified Company Just Got Breached

BREAKING: Another SOC 2 certified company just suffered a massive data breach. Shocked? You shouldn't be. While they were busy documenting their security procedures in triplicate, hackers walked through the front door they forgot to lock. This is compliance theatre in action: expensive certificates that impress auditors but don't stop criminals. Today's reality check exposes why governance frameworks fail against real threats and what UK SMBs should learn from this latest security disaster

Read more →
ISO27001 vs Cyber Essentials: Real Defence vs Checkbox Theatre

ISO27001 vs Cyber Essentials: Real Defence vs Checkbox Theatre

Another UK SMB just spent £40,000 on ISO27001 certification. Three months later: ransomware. The compliance industry has convinced every 15-person company they need enterprise-grade paperwork to survive. Bollocks. While you're documenting your password policy in 47 formats, criminals are walking through the digital front door you forgot to lock. Today's deep-dive exposes the real cost of compliance theatre vs actual security. Spoiler: Cyber Essentials might actually protect you, ISO27001 will de

Read more →
Your Smart Home Is a Corporate Surveillance State: How Families Have Become Products in Their Own Living Rooms

Your Smart Home Is a Corporate Surveillance State: How Families Have Become Products in Their Own Living Rooms

Your smart home isn't smart: it's a corporate surveillance network that makes the Stasi look like amateurs. While you're asking Alexa about the weather, Amazon's recording everything and building psychological profiles to flog to advertisers. Your Samsung TV captures 30 screenshots per minute, Google Home logs every conversation, and data brokers are making millions from your family's most intimate moments. The FBI warns these devices can be hijacked, yet homes everywhere are stuffed with always

Read more →
Stolen Credentials Are the New Normal: Why Your Authentication Is Already Broken (And What This Means for Your Business)

Stolen Credentials Are the New Normal: Why Your Authentication Is Already Broken (And What This Means for Your Business)

Your passwords are already for sale. The only question is whether you know it yet. Stolen credentials jumped from 10% to 16% of all cyberattacks in just one year, making it the second most common attack vector behind exploits. With 3.9 billion passwords compromised by infostealer malware and 94% of people reusing the same credentials across multiple sites, your business authentication isn't just vulnerable; it's already broken. While you're investing in firewalls and endpoint protection, crimina

Read more →
ConnectWise ScreenConnect: The MSP Tool That Keeps Getting Hacked (And Why Your IT Provider Won't Tell You)

ConnectWise ScreenConnect: The MSP Tool That Keeps Getting Hacked (And Why Your IT Provider Won't Tell You)

Your MSP's favourite remote access tool just got breached. Again. ConnectWise ScreenConnect, the software thousands of managed service providers use to "protect" small businesses, has been hit by yet another cyberattack—this time by suspected state-sponsored hackers. But here's the real scandal: this is the same platform that suffered critical vulnerabilities in 2024, enabling ransomware gangs to turn MSP networks into criminal infrastructure. If your IT provider is still using repeatedly compro

Read more →
Your Fancy New Printer Just Joined a Botnet: How Procolored Shipped Malware for Six Months

Your Fancy New Printer Just Joined a Botnet: How Procolored Shipped Malware for Six Months

Your £6,000 professional printer just joined a criminal botnet. For six months, Procolored shipped malware-infected drivers that turned customer systems into cryptocurrency theft machines, netting criminals nearly $1 million in stolen Bitcoin. When YouTuber Cameron Coward tried to install the "legitimate" software, his antivirus screamed warnings. Procolored's response? "False positive." Even after researchers found 39 infected files containing backdoors and Bitcoin stealers, the company kept de

Read more →
US Spy Chief Can't Even Secure a Gmail Account: The Bloody Disgraceful Password Habits That Should Terrify Every Business Owner

US Spy Chief Can't Even Secure a Gmail Account: The Bloody Disgraceful Password Habits That Should Terrify Every Business Owner

The woman who oversees America's spies used the same piss-weak password across multiple accounts for years. If Tulsi Gabbard, the bloody Director of National Intelligence, can't manage basic password security, what hope do the rest of us have? This isn't just government incompetence, it's a wake-up call. When the person responsible for protecting national secrets treats cybersecurity like a Sunday crossword, every business owner needs to ask themselves: are my security practices any better? The

Read more →
Your Cloud Migration Just Handed Hackers the Keys to Everything You Own

Your Cloud Migration Just Handed Hackers the Keys to Everything You Own

Your board meeting was spectacular. "Cloud transformation complete! 40% cost reduction!" The CEO used "digital excellence" without irony. Three days later, 590 million Ticketmaster records were for sale. The Snowflake breach wasn't sophisticated hacking—attackers used 2020 passwords from contractor gaming PCs that nobody changed. AT&T lost "nearly all" wireless customer data. Santander: 30 million records including account balances. None had basic multifactor authentication. While executives

Read more →
North Korean IT Workers Are Already Inside Your Company (And HR Just Gave Them Admin Access)

North Korean IT Workers Are Already Inside Your Company (And HR Just Gave Them Admin Access)

It's 2025. You're reviewing quarterly security metrics, feeling pleased with zero phishing attempts. Meanwhile, the developer who pushed code yesterday is funnelling his salary to Kim Jong Un's nuclear programme. One facilitator helped infiltrate 300+ US companies, generating $6.8 million for weapons development. Google found them applying to Google. Cybersecurity vendors accidentally hired them. If the experts are getting played, your HR department doesn't stand a chance. They're not just colle

Read more →
Why Iranian Hackers Are Better at Social Engineering Than Your Sales Team

Why Iranian Hackers Are Better at Social Engineering Than Your Sales Team

Pull up a chair. We need to talk about something that's going to make your skin crawl. While your sales team struggles to get prospects to return a bloody phone call, Iranian threat actors are convincing your employees to hand over the keys to your digital kingdom with the kind of charm and persistence that would make a used car salesman weep with envy. These aren't basement dwellers sending "Nigerian prince" emails—they're sophisticated operations turning social engineering into an art form whi

Read more →
Lawyers, Judges, and a Bloody SharePoint Backup: When Legal Privilege Meets Cyber Incompetence

Lawyers, Judges, and a Bloody SharePoint Backup: When Legal Privilege Meets Cyber Incompetence

In one of 2025’s most disgraceful breaches, Lawcover — the indemnity insurer for thousands of lawyers — exposed the personal and financial data of judges and solicitors through an unencrypted SharePoint backup. It’s not a sophisticated hack; it’s old-school negligence. Five-year-old legal records, sensitive case data, and passport numbers were all left to rot in the cloud. The incident highlights just how dangerously out of touch the legal sector is when it comes to basic cyber hygiene. In this

Read more →
The RMM Nightmare: How DragonForce Just Showed Us We're All Sitting Ducks

The RMM Nightmare: How DragonForce Just Showed Us We're All Sitting Ducks

Your IT provider just became your biggest security threat. The DragonForce ransomware gang didn't break down your front door – they got handed the keys by exploiting the very tools meant to protect you. While you've been worrying about suspicious emails, criminals turned SimpleHelp and other RMM software into weapons of mass destruction. One compromised MSP means hundreds of businesses infected in minutes. The attack already happened. The vulnerabilities were known. The warnings were ignored. An

Read more →
Why Ransomware Will Keep Winning Until Cybersecurity Becomes a Business Risk – Not a Tech Problem (Part 3/3)

Why Ransomware Will Keep Winning Until Cybersecurity Becomes a Business Risk – Not a Tech Problem (Part 3/3)

Cybersecurity isn’t IT’s job anymore, it’s yours. Ransomware doesn’t spread because hackers are clever. It spreads because leadership keeps treating security like plumbing: fix it when it breaks. This final part in our trilogy calls out the boardroom silence, the risk registers no one updates, and the plans that never get tested. If your business is still relying on hope, luck, or “that one guy in IT,” you’re not secure you’re surviving on borrowed time. This isn’t fear-mongering. It’s your fina

Read more →
Cyber Insurance Claims Are Being Denied – And It's Your Fault

Cyber Insurance Claims Are Being Denied – And It's Your Fault

Cyber insurance isn’t a silver bullet and claim denials are rising fast across the UK. Whether it’s poor security hygiene, policy exclusions, or failure to meet basic requirements, many businesses are learning the hard way that they’re not actually covered when disaster strikes. This guide breaks down why insurers are rejecting claims, what Cyber Essentials (and Plus) have to do with your insurability, and why your MSP might be part of the problem. If you’re relying on a policy you haven’t read,

Read more →
You’ve Got a Flood Plan, But No Cyber Plan? Here’s Why That’s a Business Killer

You’ve Got a Flood Plan, But No Cyber Plan? Here’s Why That’s a Business Killer

Every UK business has a fire plan. Most have flood plans. Some even worry about theft. But ask what happens when ransomware encrypts every file and locks you out of your own systems? Silence. No plan. I just crossed my fingers and am praying to the cyber gods. While you’ve invested in fire extinguishers and insurance policies, attackers have invested in your network. Your business isn't ready without a tested, documented, and rehearsed cyber recovery plan. You’re vulnerable. And no, your MSP’s v

Read more →
Still Using RDP Instead of a VPN in 2025? What the F*!k Are You Thinking?

Still Using RDP Instead of a VPN in 2025? What the F*!k Are You Thinking?

Yes, this is real. Yes, it’s still happening. Businesses in 2025 are still exposing Remote Desktop Protocol (RDP) to the open internet like it’s a perfectly normal thing to do. It’s not. It’s deranged. It’s like licking a petrol pump and being surprised you got sick. If you’re still running RDP with no VPN, no access controls, no MFA, and no clue , buckle up. This isn’t just a best practice failure. This is IT malpractice. And if you’re an MSP still recommending it? You should probably stop call

Read more →
Microsoft Teams: Now Available in Phish-Flavoured

Microsoft Teams: Now Available in Phish-Flavoured

Microsoft Teams is the new darling of UK business. It’s chat, calls, meetings, file sharing and productivity all in one app. Unfortunately, it’s also a goldmine for attackers, and they know it. With the Tycoon 2FA phishing kit now targeting Microsoft 365 users through fake Teams login prompts, criminals are bypassing multifactor authentication in real time. It’s slick. It’s scary. And worst of all, it works. If your business still believes Teams is “safe because it’s Microsoft,” you’re dangerous

Read more →
Still Faxing in 2025? The UK Councils Stuck in a Time Warp

Still Faxing in 2025? The UK Councils Stuck in a Time Warp

It’s 2025, but some UK councils and NHS departments are still sending confidential data via fax machines. That’s right. No encryption, no audit trail, just a shrieking relic from the 1980s spewing out safeguarding case notes or your latest blood test results from the GUM clinic into a shared office tray. With the analogue switch-off looming, this isn’t just old-fashioned, or quaint, it’s reckless. Why the hell are printer manufacturers are still enabling this madness - Looking at you HP, Epson,

Read more →
How Crap MSPs, Slack Vendors, and a Culture of Complacency Are Fueling the Ransomware Epidemic

How Crap MSPs, Slack Vendors, and a Culture of Complacency Are Fueling the Ransomware Epidemic

Think the hackers are your biggest threat? Think again. That smiling MSP rep who promised “complete protection” might just be the reason your business is on its knees. Ransomware rarely walks in the front door it’s invited through by lazy patching, crap backups, and a culture of "just enough" IT. From misconfigured firewalls to fake dashboards and vendors more interested in sales than security, this is the real story of how ransomware thrives, enabled by the very people paid to stop it. If you t

Read more →
Root Canal or Rootkit? Why Your Dentist’s PC Might Be More Dangerous Than the Drill

Root Canal or Rootkit? Why Your Dentist’s PC Might Be More Dangerous Than the Drill

It’s 2025. You’re in a sterile, brightly lit dental surgery — and there it is. A screen glowing with the unmistakable Windows 7 login. The same OS that went end-of-life in 2020. What the actual hell? That PC isn't just a relic — it’s a walking GDPR violation and a ransomware welcome mat. If your dentist is still running patient records on Windows 7 or even XP, you’re not just risking plaque you’re risking identity theft. Please for the love of all things secure STOP THIS NOW. Before a root canal

Read more →
The Meat Rots While the Firewalls Fail: How a Hack Took Out the Backbone of UK Chilled Logistics

The Meat Rots While the Firewalls Fail: How a Hack Took Out the Backbone of UK Chilled Logistics

A ransomware attack just crippled one of the UK’s key cold chain hauliers, leaving thousands of pounds’ worth of meat to rot before it ever reached supermarket shelves. Peter Green Chilled, who proudly promote their “bespoke IT systems,” couldn’t even keep order processing online. The result? Spoiled stock, supply chain chaos, and radio silence from a company with £25 million in turnover and not a single cybersecurity certification. This isn’t just an embarrassing IT failure. It’s a wake-up call

Read more →
Cyber Essentials 2025: The End of Checkbox Theatre

Cyber Essentials 2025: The End of Checkbox Theatre

On 28 April 2025, the UK’s beloved Cyber Essentials scheme quietly lobbed a compliance grenade into your IT department. The Willow question set has arrived, and with it comes a new standard for audits, especially for Cyber Essentials Plus. The big twist? You no longer get to pick the test machines. That’s right , your favourite “show laptop” patched 20 minutes before the audit isn’t going to save you. The auditor picks now ,and gives you just three working days' notice . Smoke, meet exit. This a

Read more →
ISO27001 vs Cyber Essentials (Part 3/3): What Needs to Change  For Real

ISO27001 vs Cyber Essentials (Part 3/3): What Needs to Change For Real

Too many UK businesses trust ISO27001 and SOC 2 to keep them safe. They shouldn’t. These frameworks focus on governance, not enforcement. When ransomware hits or supply chains collapse, it’s always the same gaps: patching failures, lack of segmentation, poor endpoint hygiene. Cyber Essentials, especially CE+, isn’t a tick-box. It’s the defensive baseline that would have saved countless organisations from disaster. This article lays out the real problem and preaches the blunt truth: no ISO, no SO

Read more →
ISO27001 vs Cyber Essentials (Part 2/3):Big Names, Big Certs, Big Breaches: The Truth Behind the Logos

ISO27001 vs Cyber Essentials (Part 2/3):Big Names, Big Certs, Big Breaches: The Truth Behind the Logos

You’d think ISO27001 and SOC 2 certifications mean a business is secure. But if 2023 and 2025 have shown us anything, it’s that those badges don’t stop breaches. From Capita’s data leaks to Harrods’ containment chaos, and Co-op’s app disruption to the MOVEit dominoes, governance frameworks have failed where basic cyber hygiene would have succeeded. Cyber Essentials, often dismissed as small business fluff, turns out to be the missing frontline control in all of these high-profile failures. This

Read more →
ISO27001 vs Cyber Essentials (Part 1/3): Why They’re Not the Same and Why That Matters More Than Ever

ISO27001 vs Cyber Essentials (Part 1/3): Why They’re Not the Same and Why That Matters More Than Ever

Think Cyber Essentials and ISO27001 are just different flavours of the same thing? Think again. One’s a tactical shield against everyday threats, the other’s a strategic blueprint for governance. Mistake one for the other, and you’ll either overspend or leave the door wide open. This article rips into the dangerous misconception that they’re interchangeable, explores how Cyber Essentials is built for every organisation, from startups to schools, and why it remains your frontline defence while IS

Read more →
Ransomware Isn’t the Disease. It’s Just the Symptom.

Ransomware Isn’t the Disease. It’s Just the Symptom.

Ransomware isn’t your biggest problem—it’s just the one that finally made you look. Behind every cyberattack sits a decade of crap decisions, from budget-stretched IT to untrained staff, weak passwords, and clueless suppliers. You didn’t get hit because you were unlucky. You got hit because your house was already on fire. This is part one of a blistering three-part series breaking down the disease beneath the ransomware epidemic ripping through the UK’s small business sector. If you think you’re

Read more →
May 2025 Patch Tuesday: Microsoft Preps Fixes for Broken Logins, Missed Patches, and Security Chaos

May 2025 Patch Tuesday: Microsoft Preps Fixes for Broken Logins, Missed Patches, and Security Chaos

May’s Patch Tuesday is coming in hot—and if April’s mess left your domain logins broken, WSUS deployments in meltdown, or your Hello PIN sulking in the corner, you’ll want this one. Microsoft is set to mop up its authentication chaos, plug lingering Windows 10 holes, and squash a few zero-days while it’s at it. But that’s not all. Adobe, Intel, and SAP are sneaking in updates too. This month’s patch drop might not be as noisy as April, but it’s arguably more important. Brace yourself for impact

Read more →
Breached (Part 4)

Breached (Part 4)

Think your MSP has your back? Think again. In Part 4 of Breached , we unpack the brutal truths most businesses only learn after the worst happens. From useless logs to skyrocketing insurance, and a support ticket that nearly destroyed everything, this is the roadmap you wish you had before the call came. Ten hard lessons, zero fluff. Why your MSP is there to sell, not protect. Why a good fractional CIO is worth their weight in gold. And why silence from your IT provider isn’t just dangerous—it m

Read more →
The Soft Underbelly: How UK SMBs Are Screwing the Nation on Cybersecurity

The Soft Underbelly: How UK SMBs Are Screwing the Nation on Cybersecurity

Think you're too small to be a target? Think again. UK small businesses are now the top attack vector for state-backed hackers from Russia and China, and your half-baked cybersecurity is a red carpet to our critical infrastructure. M&S, Harrods, and the Co-op didn’t get hit by chance, they got hit through you. If you’re in the supply chain without Cyber Essentials Plus, real EDR, or even basic patching, you’re not just vulnerable — you’re a national liability. Time to grow up or get out of t

Read more →
Breached (Part 3)

Breached (Part 3)

The breach was just the beginning. In Part 3 of Breached , the truth is out—and now come the consequences. The MSP tried to hide a misconfiguration. They failed. Now the clients are calling, the regulators want answers, and the business owner is left holding the fallout. From a quiet boardroom to sleepless nights and rising insurance premiums, this is what happens when a cover-up gets exposed. Contracts are cancelled. Trust evaporates. And the worst part? It all could have been prevented. If you

Read more →
Breached (Part 2)

Breached (Part 2)

What happens when your IT provider makes a mistake—and then tries to hide it? In Part 2 of Breached , a hidden support ticket, a missing firewall log, and over 400 unpatched vulnerabilities unravel a small business’s trust in the team meant to protect them. The MSP said, “Don’t tell the client.” But she was accidentally copied in. What followed was seven days of denial, silence, and mounting pressure—until the truth was read aloud, word for word, in a boardroom gone cold. This isn’t about poor s

Read more →
Breached (Part 1)

Breached (Part 1)

Katie Roberts thought it was just another Tuesday—until her personal phone rang at 11:27 a.m. The voice on the other end wasn’t a client. It was the National Crime Agency. Within minutes, her calm, structured world tilted on its axis. A cyber breach. Live. Real. Observed. And her business—the one she’d built from scratch—was now under threat. No plan. No warnings. Just a quiet office and a slow, sinking realisation that everything was about to change. What do you do when your worst-case scenario

Read more →
Co-op’s Data Breach: Another Day, Another Cyberattack in UK Retail

Co-op’s Data Breach: Another Day, Another Cyberattack in UK Retail

Co-op just confirmed a major data breach— but only after the hackers got sick of waiting and contacted the BBC themselves . Yes, really. It turns out customer data wasn’t just mishandled, it was gift-wrapped and forgotten like an expired loyalty card. With Zellis—the same payroll firm linked to the BBC and BA MOVEit fiascos—once again in the mix, this breach isn’t just another blip. It’s part of a growing pattern of retail cybersecurity disasters. And with legal and funeralcare data involved, th

Read more →
Samsung's Galaxy Wormhole: Yet Another Lesson in 'Trust But Verify'

Samsung's Galaxy Wormhole: Yet Another Lesson in 'Trust But Verify'

Samsung has once again reminded us why blind trust is a cybersecurity death sentence. Researchers discovered a massive vulnerability in Galaxy devices' Secure Element — the hardware vault meant to protect your biometrics and encryption keys. Attackers could exploit this “inadvertent” flaw remotely, with Samsung quietly patching it months later and offering zero transparency. No warnings. No device list. Just a silent fix and crossed fingers. If you own a Galaxy, you're now part of a grand experi

Read more →
The Largest DDoS Attack of 2025 Hit an Online Betting Site With 1Tbps. Shocked? You Shouldn't Be.

The Largest DDoS Attack of 2025 Hit an Online Betting Site With 1Tbps. Shocked? You Shouldn't Be.

Think 2025 would be the year we finally nailed DDoS protection? Think again. Some poor online betting site just got steamrolled by a 1Tbps brute-force attack — and the industry is clutching its pearls like it’s 2005. Guess what? If you’re running a high-value, downtime-sensitive business without bulletproof DDoS mitigation, you’re basically waving a “please fuck up my day” flag at the internet. This wasn’t a sophisticated hack; it was raw, stupid power. And it still worked. If your master plan i

Read more →
The UK's Cyber Security and Resilience Bill: Protecting Our Digital Future – But Is It Enough?

The UK's Cyber Security and Resilience Bill: Protecting Our Digital Future – But Is It Enough?

The UK’s new Cyber Security and Resilience Bill is about to shake things up – hard. With fines of up to £100,000 per day for failing to report serious cyber incidents, the days of shrugging off IT failures are officially over. Critical suppliers like MSPs are firmly in the government’s sights, and mandatory reporting within 24 hours means businesses must be ready to move fast. But is it enough? Will this finally close the gaps attackers have exploited for years, or will it pile more pressure on

Read more →
Paper Password Managers: Because What Could Possibly Go Wrong?

Paper Password Managers: Because What Could Possibly Go Wrong?

Paper password managers. Charming relics of a simpler time... or a catastrophically bad idea in 2025? At home? Fine. Lock it up tighter than your secret stash of biscuits. At work? Absolutely fucking not. Unless your business strategy includes "hoping Karen does not spill coffee on the master admin password" – get a proper password manager. Maybe, maybe a sealed "break glass" password for your CRM or M365 admin account. And I mean sealed like you are guarding the Crown Jewels. Want the full sarc

Read more →
How Legacy Systems Are Quietly Killing Small Business Cybersecurity

How Legacy Systems Are Quietly Killing Small Business Cybersecurity

Still clinging to that dusty old server from 2012? So are the hackers. Legacy systems are not just outdated — they are a neon sign flashing “easy target” above your business. Whether you run a small law firm, an accountancy practice, or any small business handling client data, ignoring your ageing IT is a fast track to fines, breaches, and reputational disaster. DPP Law learned this the hard way with a £60,000 fine. Will you be next? Find out why modernising your systems is no longer optional —

Read more →
CVE and CVSS: The Rotten Heart of Cybersecurity We Almost Let Die (and Maybe Should Have)

CVE and CVSS: The Rotten Heart of Cybersecurity We Almost Let Die (and Maybe Should Have)

In April 2025, the global cybersecurity world almost lost CVE — the bedrock of vulnerability tracking — not to hackers, but to sheer bureaucratic incompetence. While politicians played games and cyber defenders were told to look the other way, the fragile, outdated systems of CVE and CVSS staggered toward collapse. We didn’t fix them. We barely taped them back together. This isn’t just a story of near-miss disaster — it’s a full-blown indictment of cybersecurity's rotting foundations. If we do n

Read more →
Cybersecurity Is Not Optional: How a £60K Fine Just Woke Up Small Law Firms

Cybersecurity Is Not Optional: How a £60K Fine Just Woke Up Small Law Firms

Think your law firm is too small for hackers to bother with? DPP Law thought so too—right up until they faced a £60,000 fine and a public shaming after a catastrophic cyber attack. A single unsecured admin account was all it took to unleash chaos. No MFA, no breach reporting, no chance. If you are still relying on luck instead of basic cyber hygiene, you are playing a dangerous game with your clients’ trust—and your firm’s future. Cyber Essentials is the starting line, not the victory lap. How m

Read more →
Windows 11 Let Hackers Gain Admin in 300ms.

Windows 11 Let Hackers Gain Admin in 300ms.

Think Windows 11 was secure? Think again. A critical flaw let attackers hijack full admin control in just 300 milliseconds using a tired old trick – DLL hijacking. Microsoft called it “Important” (because, sure, SYSTEM access is casual now), but for the rest of us, it was a neon sign saying “Hack me.” Find out how your phone link feature became a hacker’s dream, why millions were left exposed for six months, and why patching yesterday might still not save you. How many ticking time bombs are hid

Read more →
Why Your Android Phone Will Now Reboot Itself Every 3 Days (And Why That’s a Good Thing)

Why Your Android Phone Will Now Reboot Itself Every 3 Days (And Why That’s a Good Thing)

Google is stepping up Android security by introducing an automatic reboot feature. If your phone remains idle for three days after a critical update, it will now reboot itself to apply the patch and enhance your protection. This smart move helps close the vulnerability window users often leave open by ignoring reboot prompts. Designed to be seamless and non-intrusive, the feature ensures devices are updated without disrupting daily use. While not mandatory across all manufacturers yet, it signal

Read more →
The 4chan Hack: When the Internet's Toilet Got Flooded – And What That Means for Your Business

The 4chan Hack: When the Internet's Toilet Got Flooded – And What That Means for Your Business

In April 2025, 4chan – the internet’s digital back alley – got thoroughly rinsed. A full-scale hack exposed moderators, leaked source code, and proved even the web’s most chaotic platforms aren’t immune to catastrophic failure. But here’s the twist: the real story isn’t the leak, it’s what it reveals about your own business. If outdated software, poor access control, or silence-in-a-crisis sounds familiar, you’re already on thin ice. This isn’t just drama for meme lords – it’s a neon-lit warning

Read more →
Samsung Galaxy S24 Security Disaster: How a Built-In App Left Millions at Risk

Samsung Galaxy S24 Security Disaster: How a Built-In App Left Millions at Risk

The Samsung Galaxy S24 was meant to be the crown jewel of Android. Instead, it shipped with a gaping security hole—thanks to a preinstalled app no one asked for. Researchers found that this app allowed remote attackers to hijack your device, steal your data, and generally wreck your digital life. This isn’t just sloppy—it’s a disgrace. Samsung pushed out a flagship phone with built-in vulnerabilities, proving once again that shiny hardware means nothing if the software is a ticking time bomb. If

Read more →
Rent-a-Malware: Hackers Now Offering Full macOS Control for Hire

Rent-a-Malware: Hackers Now Offering Full macOS Control for Hire

People used to think Macs couldn’t get viruses. That’s no longer true. New malware kits called JokRAT and XenoRAT can give hackers full control of a Mac computer. These tools are easy to rent online, even for people with no tech skills. Hackers can use them to spy on you, steal files, and stay hidden on your computer. Mac users should use security software, update their systems often, and be careful about what they click on. If your Mac is part of a company network, a single infected device can

Read more →
Patch Me If You Can: Firewall Vendors Ranked by How Much They Care About Your Security

Patch Me If You Can: Firewall Vendors Ranked by How Much They Care About Your Security

Not all firewalls are created equal—some vendors make patching painless, others seem to actively hide the fixes. We evaluated SonicWall, Fortinet, UniFi, DrayTek, Zyxel, WatchGuard, Sophos, Meraki and more using a realistic UK small business setup: one firewall, one switch, two access points. Then we scored them out of 50 on cost, usability, licensing, and update handling. Spoiler: UniFi smashed it. SonicWall? Not so much. If you want to know which vendor respects your time and budget—and which

Read more →
Over 4,000 WordPress Sites Hacked – All Thanks to Yet Another Plugin Flaw

Over 4,000 WordPress Sites Hacked – All Thanks to Yet Another Plugin Flaw

More than 4,000 WordPress websites have been hacked thanks to a critical vulnerability in the WP-Automatic plugin. The flaw (CVE-2024-27956) allows unauthenticated attackers to inject malicious code, redirect users, and install backdoors—all without logging in. Despite a patch being available, thousands of sites remain vulnerable due to poor update practices and weak plugin hygiene. This isn't just another WordPress scare story—it's a glaring example of why unmanaged, unmonitored websites are a

Read more →
Oracle’s Legacy Patching Fiasco: A Masterclass in How Not to Handle a Breach

Oracle’s Legacy Patching Fiasco: A Masterclass in How Not to Handle a Breach

Oracle just got hacked—badly—and their excuse? “It was just a legacy system.” That’s corporate-speak for we left the door wide open for four years and hoped no one would notice . Millions of records stolen, a $20 million ransom, and Oracle’s response was to shrug and point at the old kit. If you’re running ancient servers and thinking it won’t happen to us , think again. This isn’t just Oracle’s disaster—it’s a wake-up call for every UK business still clinging to outdated tech. Want to know how

Read more →
Still Using Windows Server 2012? You Might As Well Leave the Door Wide Open

Still Using Windows Server 2012? You Might As Well Leave the Door Wide Open

Still running Windows Server 2012 in 2025? You might as well leave your doors unlocked and shout “come on in” to attackers. End of life means no patches, no protection, and no excuse. This article explains why sticking with outdated infrastructure is a reckless liability, not a cost-saving strategy. From cyber insurance exclusions to ICO scrutiny and NCSC guidance, we break down the real-world risks UK businesses face. You’ve been warned: unsupported systems aren’t just old — they’re dangerous.

Read more →
Your Supplier Got Hacked! Now What? A Step-by-Step Guide for UK SMBs

Your Supplier Got Hacked! Now What? A Step-by-Step Guide for UK SMBs

When your supplier suffers a cyber attack, it’s not just their mess to clean up — it can quickly become your problem too. This guide walks UK SMBs through exactly what to do if a supplier breach threatens your data, operations, or reputation. From securing your systems and understanding GDPR obligations, to involving the right experts and tightening up contracts, you’ll learn how to stay one step ahead when the blast radius includes you. Because in today's interconnected world, your security is

Read more →
Google Chrome Hit by Critical ‘Use After Free’ Flaw: CVE-2025-3066 Explained

Google Chrome Hit by Critical ‘Use After Free’ Flaw: CVE-2025-3066 Explained

Google has patched a critical "Use After Free" vulnerability in Chrome, tracked as CVE-2025-3066, which could allow remote code execution via malicious web pages. The flaw was found in Chrome's Site Isolation feature—meant to protect users—ironically making it a prime attack vector. Users on versions prior to 135.0.7049.84/.85 (Windows/Mac) or 135.0.7049.84 (Linux) are urged to update immediately. Left unpatched, this bug could let attackers install malware, steal data, or worse. This is yet ano

Read more →
The Bigger They Are, the Harder You Fall

The Bigger They Are, the Harder You Fall

They had the infrastructure. They had the trust. And they had the gall to cover up the very breach they caused. This isn’t fiction—it’s a real-world cybersecurity disaster involving a big-name MSP, a firewall misconfiguration, and a damning internal email that said “don’t tell the customer.” Weeks later, the logs were useless, the excuses piled up, and the recovery bill is heading for six figures. If you think your MSP would never… think again. Here’s what went wrong, how it got exposed, and why

Read more →
Your Suppliers Are a Massive Cyber Risk (And You're Probably Letting Them In the Front Door)

Your Suppliers Are a Massive Cyber Risk (And You're Probably Letting Them In the Front Door)

Think your cyber security is airtight? Doesn’t matter — your suppliers might be the ones getting you hacked. One dodgy vendor, one reused password, and suddenly your business is in the headlines for all the wrong reasons. Supply chain attacks are exploding, and most businesses have no idea who actually has access to their systems. If you’re blindly trusting every outsourced service, freelancer, or cloud tool without asking hard questions, you’re basically inviting cybercriminals in for tea. Want

Read more →
How to Stay Safe Online if You're at High Risk: NCSC's New Surveillance Guidance Explained

How to Stay Safe Online if You're at High Risk: NCSC's New Surveillance Guidance Explained

The internet isn’t a safe space for everyone — especially if you’re a journalist, activist, or survivor of abuse. The UK’s National Cyber Security Centre (NCSC) has released new guidance for people and communities at high risk of digital surveillance. And unlike most government advice, this is actually worth reading. It’s direct, useful, and designed for the real world — covering everything from encrypted messaging to avoiding spyware. Whether you're at risk or supporting someone who is, this gu

Read more →
Breach of the Month Club: March 2025 Edition

Breach of the Month Club: March 2025 Edition

Welcome to the inaugural edition of Breach of the Month Club™ , your monthly tour of reputational disaster. March 2025 was a banner month for avoidable breaches, from Lloyds accidentally mailing out million-pound statements, to Jaguar Land Rover getting wrecked by leaked JIRA credentials. Reform UK ignored GDPR completely, Morrisons got battered by a supplier breach, and 23andMe? Well, they lost your DNA and filed for bankruptcy. We break it all down with just the right amount of sarcasm—and a r

Read more →
Apple’s 3 Zero-Days: If You Haven’t Updated Yet, What Are You Even Doing With Your Life?

Apple’s 3 Zero-Days: If You Haven’t Updated Yet, What Are You Even Doing With Your Life?

Apple has dropped emergency updates to fix three zero-day vulnerabilities —and yes, they’re already being exploited. These flaws affect iPhones, iPads, Macs, and more, letting attackers bypass USB protections, escape Safari’s sandbox, and escalate privileges through CoreMedia. If you’re not updating your devices right now, you’re basically rolling out the red carpet for hackers. This isn’t just another patch Tuesday. It’s a loud, flashing red warning. Your move.

Read more →
"We’ve Been Breached!" – What UK SMBs Must Do in the First 24 Hours (and Why Most Get It Wrong)

"We’ve Been Breached!" – What UK SMBs Must Do in the First 24 Hours (and Why Most Get It Wrong)

A cyber breach isn’t just an IT headache—it’s a full-blown business crisis. If you run a small UK business and your systems are compromised, your next 24 hours are critical. This guide walks you through what to do and why—from shutting the breach down without wiping forensic evidence, to dealing with regulators, staff, and customers. Most importantly, it makes clear that your MSP or IT team should not be leading the response. You need an independent Incident Manager and a solid plan. No fluff. N

Read more →
How Long Has a Hacker Been Living Rent-Free in Your Business? IBM's Dwell Time Report Explained for UK SMBs

How Long Has a Hacker Been Living Rent-Free in Your Business? IBM's Dwell Time Report Explained for UK SMBs

A hacker could be hiding in your business for over nine months before you even notice—and IBM has the stats to prove it. Their latest report shows UK small businesses are dangerously exposed to long dwell times, where cybercriminals quietly steal data, cause chaos, and vanish before anyone sounds the alarm. If you're not actively looking for threats, you're practically inviting them in. Here's what dwell time means for your business—and how to slam the door shut.

Read more →
UK Businesses Under Siege: Over Half Hit by Cyberattacks in 2024—Are You Next?

UK Businesses Under Siege: Over Half Hit by Cyberattacks in 2024—Are You Next?

Over half of UK businesses got digitally f**ked last year—and most didn’t even realise until it was too late. While leadership played buzzword bingo, ransomware crews strolled in through weak passwords and forgotten patches. Attacks hit every 44 seconds. Still think “we’re too small to be a target” holds up? It doesn’t. Hope isn’t a strategy. Luck isn’t resilience. And if you’ve got no plan, you’re just waiting to be the next headline.

Read more →
NHS Software Supplier Ransomwared – Gets a £3M Discount for Being Helpful?

NHS Software Supplier Ransomwared – Gets a £3M Discount for Being Helpful?

So naturally… the ICO fined them £4.4 million. And then knocked £3 million off for being helpful afterwards . Yes, really. That’s the cybersecurity equivalent of “you crashed the car but said sorry nicely—so we’ll waive the repair bill.” I’ve written a new piece on this absolute masterclass in weak governance, supplier accountability theatre, and the dangerous precedent it sets.

Read more →
Microsoft Breaks Remote Desktop (Again): What SMBs and IT Pros Need to Know

Microsoft Breaks Remote Desktop (Again): What SMBs and IT Pros Need to Know

Microsoft’s at it again—this time breaking Remote Desktop for Windows 11 users with their latest round of updates. If your helpdesk tickets are piling up with RDP disconnects and login weirdness, you’re not alone. From silent session drops to broken smart card authentication, this bug is hitting SMBs and IT pros where it hurts. We unpack what’s going wrong, who’s affected, and how to survive it—while Microsoft casually promises a fix “at some point.” Spoiler: rollback might be your only friend.

Read more →
Why London's 5G is the Worst in Europe (But It Doesn’t Have to Be)

Why London's 5G is the Worst in Europe (But It Doesn’t Have to Be)

London ranks dead last for 5G performance in Europe – but it’s not just the capital struggling. Across the UK, coverage is patchy, motorway connectivity is unreliable, and performance wildly varies between networks. Yet where it’s deployed properly, UK 5G can rival the best on the continent. The problem? Not the tech – the execution. Less hype, more follow-through, and a proper plan could turn the UK’s 5G fortunes around.

Read more →
Your Office Spends More on Coffee Than Cybersecurity Training—and That’s How You Get Hacked

Your Office Spends More on Coffee Than Cybersecurity Training—and That’s How You Get Hacked

Most UK businesses spend more on coffee than on Cyber Security Awareness Training—and that’s exactly how breaches happen. Your biggest threat isn’t a hacker in a hoodie; it’s Dave in Sales clicking a dodgy email. The good news? Quality training is cheap, effective, and actually enjoyable. For less than the cost of your weekly latte run, you can turn your staff from cyber risks into cyber defenders. Still think you can’t afford it? Think again.

Read more →
Fake CAPTCHAs Are Now Malware Traps – Because Of Course They Are!

Fake CAPTCHAs Are Now Malware Traps – Because Of Course They Are!

Think you’re safe clicking through a CAPTCHA? Think again. Cybercriminals are hijacking your trust with fake CAPTCHA pop-ups that trick you into downloading malware—by following simple keyboard instructions you’d never question. One click and boom—your passwords, wallets, and entire digital life are up for grabs. This isn’t just clever, it’s terrifyingly effective. If you’ve ever hit "I’m not a robot," you need to read this before you hand your system over to hackers.

Read more →
Your Bluetooth Devices Might Be Spying on You – And It’s Not Even Your Fault

Your Bluetooth Devices Might Be Spying on You – And It’s Not Even Your Fault

Think your Bluetooth devices are safe? Think again. Security researchers just found hidden, undocumented commands in the ESP32 chip—used in over a billion devices worldwide. This means hackers could exploit your smart gadgets, from speakers to security cameras, without you ever knowing. And the best part? Manufacturers didn’t tell anyone. Is your tech spying on you? Maybe. Here’s what you need to know—and how to protect yourself before it’s too late. 🚨

Read more →
DrayTek Disaster: Why Your Business Wi-Fi Just Became a Cybersecurity Liability

DrayTek Disaster: Why Your Business Wi-Fi Just Became a Cybersecurity Liability

A critical flaw in DrayTek routers is wreaking havoc on UK broadband connections — and no, this isn’t just a “techie problem.” Businesses across the country are unknowingly running vulnerable, outdated routers that are now being blocked by ISPs for good reason. DNS hijacks, remote code execution, and silent compromises are all in play. If you're still clinging to your 2018 networking gear like it’s a family heirloom, it’s time to wake up. This isn’t about cost — it’s about negligence. Here’s wha

Read more →
2-Step Verification: The Absolute Bare Minimum for People Who Actually Give a Damn

2-Step Verification: The Absolute Bare Minimum for People Who Actually Give a Damn

If you're still not using 2-Step Verification (2SV), you might as well leave your front door wide open, bake some cookies for the burglars, and leave a note that says, "Take what you like, I clearly don’t give a shit." Sounds ridiculous? So does ignoring the absolute bare minimum of online security. Passwords alone are about as effective as a chocolate teapot, and cybercriminals love people who think 2SV is “too much hassle.” If typing in a short code now and then feels like a chore, maybe the i

Read more →
Lazarus Strikes Again: North Korean Hackers Crash the NPM Party

Lazarus Strikes Again: North Korean Hackers Crash the NPM Party

North Korea's Lazarus hackers are back, gleefully slipping malicious code into popular NPM packages—think razor blades hidden in your Halloween sweets. Hundreds of developers unwittingly invited cybercriminals into their digital lives, losing sensitive data and perhaps some self-respect. This latest supply-chain fiasco underscores a crucial lesson: trust no package blindly. Treat your code dependencies like milk—check regularly, or risk finding something unpleasantly chunky in your morning coffe

Read more →
Choosing an MSP: Swipe Left on These IT Horror Stories

Choosing an MSP: Swipe Left on These IT Horror Stories

Thinking of hiring an MSP? Don’t swipe right just yet! 🚩 From laughably cheap pricing to alarming shared tenants and MSPs holding your admin access hostage, we're exposing the worst IT provider red flags. Learn how to dodge the charm, avoid costly mistakes, and choose a provider who won't leave your business exposed. Your business deserves better—don't settle for IT nightmares!

Read more →
The Great Bargain of Cheap IT Support: A False Economy That’ll Cost You Dearly

The Great Bargain of Cheap IT Support: A False Economy That’ll Cost You Dearly

Cheap IT support might seem like a bargain, but it’s a financial and security disaster waiting to happen. The majority of budget IT providers lack even basic externally audited cybersecurity certifications like Cyber Essentials Plus —which should be a minimum requirement. They cut corners on security, response times, and expertise, leaving businesses vulnerable to downtime, data breaches, and compliance fines . A proper MSP invests in real security , 24/7 monitoring , and incident response —and

Read more →
Microsoft Accidentally Nukes Copilot – Because Of Course They Did

Microsoft Accidentally Nukes Copilot – Because Of Course They Did

Just when you thought Microsoft couldn't top their Exchange meltdown, they go full send and accidentally delete their own AI assistant from Windows 11. No warning, no prompt—just poof . Gone. It's as if someone at Redmond duct-taped down the ‘F**k Around and Find Out’ button and walked away. What’s next? Windows Update deciding Task Manager is ‘problematic’? Edge forcibly replacing all your passwords with ‘BingLovesYou123’? Buckle up—because this one’s a mess. Read on and prepare to rage.

Read more →
WTF Happened to X? Is It Even Relevant Anymore?

WTF Happened to X? Is It Even Relevant Anymore?

Elon Musk took Twitter, rebranded it as X, and somehow made it an even bigger dumpster fire. Outages, bots, advertisers bailing—has X become the digital ghost town we all expected? Or is it just the billionaire’s latest expensive toy gone rogue? Let’s break down this glorious trainwreck

Read more →
In-House IT vs. MSP: The Real Cost of IT Support for Businesses

In-House IT vs. MSP: The Real Cost of IT Support for Businesses

Should your business handle IT in-house or outsource to a Managed Service Provider (MSP)? On paper, an in-house IT team might sound ideal—until you see the real costs. A single IT manager can set you back £80K+ a year, and that’s before factoring in security tools, compliance, and the inevitable sick days. Meanwhile, a properly managed MSP delivers 24/7 support, robust cybersecurity, and compliance-ready solutions—at a fraction of the price. If your IT plan is to rely on “Dave from accounts” to

Read more →
Microsoft Exchange Online: How the Actual F*!# Do You Break Email for a Week?

Microsoft Exchange Online: How the Actual F*!# Do You Break Email for a Week?

For seven excruciating days , Microsoft completely broke email transport , crippling businesses worldwide. A botched update turned the simplest, most stable IT function into a flaming dumpster fire , leaving users helpless while Microsoft sat in silence for three days before admitting anything was wrong. How do you screw up SMTP, MAPI, and basic email delivery in 2025? How does a trillion-dollar company make email less reliable than it was in the 1980s? And more importantly— why should you still

Read more →
Jaguar Land Rover Cyber Breach: Hackers Drive Off with Luxury Brand's Secrets!

Jaguar Land Rover Cyber Breach: Hackers Drive Off with Luxury Brand's Secrets!

Jaguar Land Rover—known for luxury, performance, and now, apparently, spectacular cybersecurity fails—has become the latest high-profile victim of a cyberattack. Hackers allegedly snatched critical internal documents, sensitive employee data, and the company's precious source code, then dumped it all online like yesterday's leftovers. As connected cars transform into rolling computers, cybercriminals are clearly buckling up for joyrides through corporate data. Is your business ready, or are you

Read more →
Silk Typhoon Supply Chain Attack: How Crap MSPs Sell You Out for £20 a Month

Silk Typhoon Supply Chain Attack: How Crap MSPs Sell You Out for £20 a Month

If your MSP isn’t certified to Cyber Essentials Plus (CE+) and charges less than £60 per user per month (excluding productivity licensing), you’re not getting a bargain — you’re buying a front-row seat to the next supply chain breach. China-backed hackers, Silk Typhoon , are targeting crap MSPs who cut corners on security, using their remote management tools to compromise every customer they support . This isn’t theory — it’s happening right now , and businesses who blindly trust their providers

Read more →
Eleven11 Botnet: The Newborn Monster That Can DDoS You Into Next Week

Eleven11 Botnet: The Newborn Monster That Can DDoS You Into Next Week

Meet Eleven11, the brand-new botnet responsible for record-shattering DDoS attacks peaking at 3.6 Tbps. This fast-growing menace, built from 30,000 compromised devices, can cripple networks, wipe out online businesses, and expose weak cybersecurity in minutes . Find out how it works, why it’s terrifying, and what every business should do right now to avoid becoming the next victim .

Read more →
Artificial Intelligence in Cybersecurity: The Digital Arms Race No One Asked For

Artificial Intelligence in Cybersecurity: The Digital Arms Race No One Asked For

Cybersecurity has become an AI-driven arms race. Attackers now use AI to automate phishing, bypass security, and mimic human behavior to slip past defences. Meanwhile, AI-powered security tools fight back, detecting threats in real-time. But most businesses are unprepared. If your security relies on outdated defences, you’re already losing. AI isn’t just changing cybersecurity—it’s redefining it. The only way to stay ahead? Cyber Essentials Plus as your baseline. Anything less, and you’re gambli

Read more →
Microsoft Signed a Shit Driver, Now Hackers Have the Keys to Your Entire F’ing Network

Microsoft Signed a Shit Driver, Now Hackers Have the Keys to Your Entire F’ing Network

Microsoft signed a vulnerable driver, and ransomware gangs couldn’t believe their fucking luck. With SYSTEM access gifted on a plate, malware could disable your antivirus, wipe your backups, and redecorate your operating system. This is what happens when you trust Microsoft to check their own homework. Learn how it happened, why BYOVD is back, and what you need to do before your network becomes the next crime scene.

Read more →
Cyber Essentials: Does It Work and Is It Worth the Effort for Small Businesses?

Cyber Essentials: Does It Work and Is It Worth the Effort for Small Businesses?

Cyber Essentials is a government-backed certification that helps small businesses get basic cybersecurity right. But does it actually work, and is it worth the time and money? In this article, we look at what Cyber Essentials involves, how much it costs, and whether it genuinely protects your business from cyber threats. With fresh insights from the UK government’s 2024 evaluation, we uncover the real-world benefits for small businesses.

Read more →
Why Small Businesses Are a Hacker’s Favourite Snack (And How Not to Be One)

Why Small Businesses Are a Hacker’s Favourite Snack (And How Not to Be One)

Small businesses love to think they’re “too small” for hackers to bother with. Reality check: that’s exactly why cybercriminals love you. No security team. No proper defences. Just an unlocked digital front door and a password that might as well be ‘password123’. If you’re not taking cybersecurity seriously, you’re practically begging to be hacked. In this post, we break down why small businesses are an easy target, the biggest security mistakes they make, and how Cyber Essentials can stop your

Read more →
Teams & Quick Assist: Microsoft’s New Gift to Cybercriminals Everywhere

Teams & Quick Assist: Microsoft’s New Gift to Cybercriminals Everywhere

In one of the most embarrassing cyber trends of 2025, hackers are using Microsoft Teams to impersonate IT support, then tricking employees into launching Windows Quick Assist , effectively handing remote control of their computers to criminals. Once inside, attackers install malware, steal credentials, and deploy persistent backdoors — all thanks to tools Microsoft built and businesses blindly trust. If your staff still believe every Teams message with ‘IT’ in the name is legitimate, congratulat

Read more →
Top Cyber Security Certifications in 2025: Boost Your Career and Your Sanity

Top Cyber Security Certifications in 2025: Boost Your Career and Your Sanity

In the chaotic world of cyber security certifications, 2025 offers more choices than ever; but not all of them are worth your time (or sanity). From the gold-standard CISSP to the controversial CompTIA Security+, this guide cuts through the marketing fluff to reveal which certifications actually boost your career and which ones just boost someone’s profit margins. Whether you’re aiming to become a penetration tester, security manager, or cloud security expert, this brutally honest review will he

Read more →
The Impact of 5G on Cyber Security: What Small Businesses Need to Know

The Impact of 5G on Cyber Security: What Small Businesses Need to Know

5G promises faster speeds and endless connectivity, but for small businesses, it’s also a cyber security minefield. More connected devices means more targets for hackers, and 5G’s speed amplifies every attack. This article explores how 5G is rewriting the cyber risk playbook — and what small businesses need to do to avoid becoming easy prey.

Read more →
Over 4,000 ISP Networks Hacked Because People Still Use ‘admin123’ as a Password — WTF?

Over 4,000 ISP Networks Hacked Because People Still Use ‘admin123’ as a Password — WTF?

More than 4,000 ISP networks got hacked because they left their admin passwords set to 'password123' — and shockingly, that didn’t work out well. Cybercriminals brute-forced their way into routers, servers, and management systems, planting infostealers, cryptominers, and enough malware to make an antivirus cry . This wasn’t some elite state-sponsored operation; it was basic-level script kiddie shit that worked because ISPs still treat security like a hobby . Find out how it happened, why your br

Read more →
YouTube Phishing Scam – Deepfake CEO Videos Hijacking Creators’ Accounts

YouTube Phishing Scam – Deepfake CEO Videos Hijacking Creators’ Accounts

Hackers are using deepfake videos of YouTube’s CEO to phish creators into handing over their accounts. In this absurd cybercrime twist, scammers send fake YouTube monetization emails featuring a realistic AI-generated video of Neal Mohan, urging creators to “confirm policy updates” via a phishing link disguised as YouTube Studio . The result? Stolen credentials, hijacked channels, and another WTF moment in cybersecurity. This scam is shockingly effective because it uses YouTube’s own private vid

Read more →
Cyber Essentials Is Changing in April 2025 — Here’s What You Need to Know (Before It Bites You)

Cyber Essentials Is Changing in April 2025 — Here’s What You Need to Know (Before It Bites You)

Big changes are coming to Cyber Essentials from April 2025 , and they are not just cosmetic. From embracing passwordless logins to treating remote workers' devices like company kit , the new rules mean businesses need to sharpen up their security game — fast. Whether you are managing firewalls, updating browser extensions, or figuring out how to patch a vulnerability with no patch, this update raises the bar. Ignore it at your peril.

Read more →
Data Theft: Why Hackers Don’t Bother Locking Your Files Anymore – They Just Steal Them

Data Theft: Why Hackers Don’t Bother Locking Your Files Anymore – They Just Steal Them

Ransomware attacks have changed — and the price for protecting your stolen data now averages £475,000. Hackers are skipping the hassle of file encryption and instead stealing data directly, then demanding payment to keep it private. This shift makes it even clearer that prevention, through schemes like Cyber Essentials, is far cheaper than paying criminals after the fact . In this article, we explore why data theft is the new normal, why small businesses are at risk, and what every company shoul

Read more →
Apple vs. The UK Government: A Petty Breakup Over Encryption

Apple vs. The UK Government: A Petty Breakup Over Encryption

The UK government and Apple are in a messy breakup, and—spoiler alert—it’s not mutual. Apple has yanked Advanced Data Protection (ADP) from the UK faster than a politician dodging accountability, all because the government wants a sneaky backdoor into everyone’s iCloud. Apple’s response? “Yeah, no.” The Investigatory Powers Act (IPA) 2016 —affectionately nicknamed the Snooper’s Charter —gives the UK authorities the power to demand weaker encryption, which, as every cybersecurity expert knows, is

Read more →