The ICO Is Not Hunting Your Business
The ICO is not hiding in a hedge outside your office. The real danger is inside your business: missing breach processes and data nobody can account for.
Read more →
Founder and host
Grumpy industry veteran, angry on your behalf at an industry that overcomplicates security.
Noel is the founder and host of The Small Business Cybersecurity Guy. After decades in the industry he has run out of patience with how badly small businesses are served by vendors, regulators, and insiders who make security harder and more expensive than it needs to be.
He writes the Saturday opinion piece and the Monday companion to the podcast. Expect controlled outrage, dry and occasionally dark humour, and a habit of naming the problem bluntly when everyone else is being polite about it.
He is not a lecturer. He is a peer who happens to have seen it all, and who would rather you spent your money on the handful of things that actually work.
The ICO is not hiding in a hedge outside your office. The real danger is inside your business: missing breach processes and data nobody can account for.
Read more →
Companies House, the open electoral register, and LinkedIn combine into a director profile any attacker can build in under 20 minutes. Here is the full picture.
Read more →
Green boxes and vibes have become the native language of weak assurance. A dashboard that cannot tell busy from dangerous is not security. It is confetti.
Read more →
A firewall cannot save you from weak governance, stale admin accounts, or untested backups. This week's podcast explains why.
Read more →
Three Windows zero-days, an Exchange Server exploit in the wild, and Ivanti Sentry bugs that score a perfect 10. Today's patches are not optional.
Read more →
You do not need a six-figure SOC to spot attackers. You need the same thing Clifford Stoll had in 1986: curiosity, logs, and a refusal to ignore what looks wrong.
Read more →
A 75-cent billing error. One stubborn astronomer. A KGB spy ring. The Cuckoo's Egg is 37 years old and its lessons still embarrass most UK small businesses.
Read more →
Vendors want to sell you fear. Consultancies want to sell you compliance. The most effective security tool costs nothing. It is the willingness to say: that looks wrong.
Read more →
Microsoft calls CVE-2026-41615 information disclosure. It is an MFA bypass. The Authenticator app leaks work account tokens after one user tap.
Read more →
Europol have just published the closest thing to an honest map of organised cybercrime. Your security supplier has not mentioned it. Why?
Read more →
Two weeks ago we swallowed the 43% headline whole. Today, having read every page of the CSBS 2025/2026, here is what we should have told you the first time.
Read more →
BitLocker is on, so we're fine. Five days after YellowKey dropped, that sentence has become a confession. Here is what the default actually protects against.
Read more →
Every business owner who chose the cheaper IT quote just made an insurance decision. They did not know that. Most of them still do not. That is the whole problem.
Read more →
If your IT provider is thirty-five quid a head cheaper than the sensible option, you are not saving money. You are buying yourself a more dramatic disaster later.
Read more →
DSIT publishes a misleading headline figure every April. They also publish a more honest cyber crime number in the same report. Guess which one the press, the vendors, and your MSP quote at you.
Read more →
31% of UK businesses are adopting AI. Only 24% have any security governance. Three quarters have hired an eager intern with zero discretion.
Read more →
Google Chrome has been quietly dropping a 4 GB AI model onto user machines. No clear prompt. No informed consent. Just a mystery file buried in a browser profile. This is not about AI being evil. This is about a vendor treating your disk space, your bandwidth, and your governance obligations as someone else's problem.
Read more →
43% of UK businesses breached. Risk assessments down. Continuity plans down. The government's data says small businesses are sliding backwards.
Read more →
The cyber front line is already here. CyberUK 2026 made that official. Small businesses need to act before procurement does.
Read more →
The government pledged £90m for SMB cyber resilience. Sounds impressive until you do the maths. That is £5.35 per business per year. Here is what actually matters from CyberUK 2026.
Read more →
Cyber Essentials v3.3 goes live tomorrow. MFA and patching become auto-fail questions. Cloud services cannot be scoped out. Buckle up.
Read more →
DNS is the messenger, not the murderer. The real problem is that most UK small businesses do not understand their own networks.
Read more →
DNS security is not an enterprise problem. Cache poisoning and rogue resolvers are actively targeting small businesses right now.
Read more →
Every IT person alive has said it is DNS. Half the time it is nonsense. Here is how to stop wasting hours chasing ghosts.
Read more →
When McDonald's Netherlands embarrassed the entire security industry with one ad, your password policy became the problem. Here is how to fix it.
Read more →
The cyber insurance series is complete. Six posts, one episode. Next week: the Microsoft 365 threat landscape as it actually stands in 2026.
Read more →
Over 40% of UK cyber claims are denied. Not because businesses are fraudulent: because the real product insurers sell is plausible deniability, not coverage.
Read more →
Dave configured the servers in 2014 and only Dave knows how they work. Dave is not a solution. Dave is a liability.
Read more →
50,000 WordPress sites exposed by one contact form plugin. CVSS 9.8. No login required. This is not bad luck. This is the WordPress business model.
Read more →
UK insurers paid £197 million in cyber claims in 2024. Impressive. But industry data shows over 40% of claims face denial or partial payment. The problem isn't the attack. It's the proposal form you filled in 18 months ago.
Read more →
Struggling with network security? Discover practical steps to protect your small business and avoid common pitfalls. Don't let complexity overwhelm you.
Read more →
Windows 10 security support ended 14 October 2025. Five months on, millions of UK business machines are still running it unpatched. Here's what that means.
Read more →
AI-driven cyberattacks are here. Learn how to protect your UK small business from these sophisticated threats before it's too late.
Read more →
You'd never drink unlabelled milk from the back of the fridge. So why are you running your business on software that went out of security support years ago?
Read more →
The TeamPCP campaign targets software supply chains. Learn how UK SMBs can protect themselves from these escalating threats.
Read more →
UK compliance rules are tightening, and small businesses are squarely in the crosshairs. Here is what you actually need to do, without the consultant-speak.
Read more →
Still not Cyber Essentials certified? In 2026, that gap could cost you contracts, insurance cover, and sleep. Here is what you need to know.
Read more →
Are you ready for a cyber attack? Discover why an incident response plan is crucial for your UK business and how to implement one effectively.
Read more →
I missed the podcast. I came back to find that Mauven, Corrine, and Lucy had recorded what may be the most useful episode we've produced in months. They were completely, infuriatingly right. And here's why that matters for your business.
Read more →
AiTM phishing is targeting small businesses. Discover how to protect your social media accounts from this new threat before it's too late!
Read more →
Another European government department has taken a hit. If you think that is somebody else’s problem, think harder. The Dutch Finance Ministry breach is a warning shot for every UK organisation that still believes attackers only care about the big glamorous targets.
Read more →
Authorities disrupted four major IoT botnets tied to record breaking DDoS attacks, but the real issue is closer to home. Cheap cameras, routers, DVRs, and forgotten smart devices still sit on business networks with weak ownership, poor patching, and laughable security. If you run a UK business, this is not just a botnet story. It is a warning about edge kit, supplier sprawl, and the junk quietly hanging off your network right now.
Read more →
Law enforcement landed a hit on Tycoon2FA. Then Tycoon2FA got back up. That should tell you everything you need to know about identity attacks in 2026. If your plan begins and ends with MFA, you are still leaving the door open.
Read more →
If you have a QNAP router humming away in a cupboard and nobody has looked at it in months, this story is for you. QNAP has patched critical QuRouter flaws, and the bigger issue is not just the bugs. It is the number of businesses that forget the edge device exists until it bites them.
Read more →
Today’s hot cyber security story is not subtle. Citrix has patched a critical NetScaler flaw, NHS England has already put out an alert, and any UK organisation using vulnerable NetScaler kit needs to move now. If your remote access stack includes NetScaler, this is your wake up call.
Read more →
A trusted security tool got turned into a thief. That is the part people keep missing. The Trivy supply chain attack is not just a developer story. It is a board level lesson in what happens when your pipeline trusts tags, tokens and wishful thinking.
Read more →
58% of UK business leaders rank cyber breaches as their top risk for 2026. Three quarters doubt their ability to respond when one happens. The gap between those two facts is what's costing UK SMBs an average of £195,000 per incident — and it's not a knowledge problem.
Read more →
No ransomware. No smashed firewall. No dramatic movie scene. Just a fraudulent invoice, a trusted relationship, and $432,739.21 gone. If you think this cannot happen to your business, you need to read this.
Read more →
For five months, anyone with a Companies House login could access the private dashboard of any of the five million registered UK companies. Home addresses. Dates of birth. Email addresses. All the personal data fraudsters need to impersonate a director, open accounts in your company's name, or reroute your banking. Not by hacking. Not by sophisticated exploit. By pressing the back button. That is the entirety of the technical skill required. The government body responsible for the UK's corporate
Read more →
Bronze means firewalls and backups. Silver means individual accounts and MFA on email. Gold means EDR, DMARC, and a proper incident response plan. Platinum means someone actually checks your work. Diamond means you pay ethical hackers to break in and find the holes before real criminals do. That's the SMB1001 ladder in five sentences. The marketing version stops there. The version I'm giving you today includes the bit where the standard contradicts NCSC guidance on passwords, the director accoun
Read more →
There's a new certification in town. Five tiers, Bronze through to Diamond, annual renewal, and a price that starts at £75 a year. It's called SMB1001, and depending on who's selling it to you, it's either the structured security roadmap your business has been waiting for, or the latest badge to stick on the website while Brenda in accounts is still using the same password she's used since 2009. In this first episode of our Cyber Belts deep-dive series, Graham Falkner, Mauven MacLeod, and I cut
Read more →
Your Cyber Essentials badge is either a credential or creative writing. There is no third option. If you certified properly, maintained your scope, kept your controls current, and can explain v3.3 to a customer without reaching for Google, it's a credential. If your cert expired six months ago, your scope hasn't been reviewed since the original certification, your cloud services were never in scope, and you couldn't name the five controls under pressure, you're not certified. You're exposed. And
Read more →
Microsoft's Defender Experts published research yesterday on a campaign called Contagious Interview. Attackers pose as recruiters, walk your developers through a convincing fake job interview, then get them to clone and run a malicious code repository. The moment they do, your cloud credentials, API tokens, signing keys, and password manager databases are on their way out the door. This campaign has been running since at least December 2022. Your developers are the target. Your infrastructure is
Read more →
Cyber Essentials v3.3 is not a wholesale rewrite. It's a precision instrument for closing the loopholes that UK SMBs have been quietly exploiting for years. Cloud services you can't exclude anymore. MFA that has to cover everyone, not just the IT manager. A 14-day patching window that applies to vendor config changes, not just Windows Update. Scope documents that have to reflect your actual IT estate rather than the tidy fiction you'd prefer. Here is every material change, translated into what y
Read more →
There's a philosophy thought experiment from the 1960s that explains, better than any threat report I've read, exactly why reactive security is a trap. It's called Newcomb's Paradox. A near-perfect predictor places money in two boxes. Grab both and you walk away with £1,000. Grab just one and you walk away with a million. Except the decision was made before you walked in the room. Your attackers work the same way. They've already run their reconnaissance. They've already decided what kind of tar
Read more →
Nine years. Half a million pounds. Zero victim compensation. Lawyers billing on both sides for the best part of a decade. A regulator declaring "significant victory" while 14 million people's limitation periods quietly expired. The Currys DSG saga is not an edge case or an administrative anomaly. It is a precise and accurate picture of how UK data enforcement actually works. This is my verdict: the system is structurally broken, everyone in the industry knows it, and the comfortable fiction that
Read more →
Last week, researchers proved something that should make every small business owner put down their coffee. Your Wi-Fi guest network, the one you set up so visitors don't touch your business systems, doesn't actually protect you. A new attack called AirSnitch lets anyone already on your network spy on every device connected to the same physical router, regardless of which network name they joined, regardless of whether you're running WPA2 or WPA3. Every single router tested failed. Here's what it
Read more →
Darren Warren asked for five thousand pounds in compensation for the distress of having his data stolen from Currys' tills. The High Court struck most of his claim out. Meanwhile, specialist law firms ran "Were you affected by the Currys breach?" campaigns, then quietly closed their books without any settlement. The Court of Appeal confirmed in February 2026 that DSG absolutely had a duty to protect that data. By then, most claimants' limitation periods had expired. This is a case study in how 1
Read more →
France banned Zoom and Teams from government. Germany is migrating 30,000 workstations to open source and saving €15 million a year. The Dutch Parliament demanded exit strategies from US cloud. Switzerland declared US cloud unsuitable for government data. The UK has produced no sovereign cloud strategy, no government migration programme, no regulatory enforcement on CLOUD Act exposure, and no explicit guidance for commercial organisations. Noel Bradford, with 40-odd years of watching the UK IT e
Read more →
An Amazon driver just delivered the most useful security lesson of 2026 and he charged absolutely nothing for it. While trying to drop off a parcel, he couldn't find a safe place, so he thought laterally, worked out the code to a locked shed, left the parcel inside, and then wrote a note explaining exactly how he got in. He documented the breach. He filed the report. He even ticked the compliance checkbox. Your IT company just got shown up by a bloke in a high-vis jacket. The question is: are yo
Read more →
Switzerland looked at Palantir and said no. The UK leaned in. That should worry you. Your business runs on the same US owned platforms that governments argue about. Email, files, chat, identity, backups. The CLOUD Act means a provider can face legal demands for data, even when the servers sit outside the US. UK hosting does not always mean UK control. This teaser sets up the real question: if access rules changed tomorrow, could you prove who can touch your data, and how you would know? Could yo
Read more →
That TP-Link router you bought because it was £40 cheaper than the alternatives? Two days ago, the state of Texas sued the manufacturer for allegedly handing the Chinese Communist Party access to Americans' devices. A US federal ban is on the table. Sixteen thousand routers worldwide have already been conscripted into a Chinese state-sponsored attack network. And the UK? Doing absolutely nothing. This isn't paranoia. This is documented, court-filed, backed-by-three-US-federal-departments reality
Read more →
Three hundred and ninety-three days. That's how long Chinese state hackers camped inside defence networks before anyone bloody noticed. Over a year. Reading emails. Mapping systems. Making themselves at home while everyone assumed the firewall was doing its job. Google just published the receipts, and the uncomfortable truth is this: manufacturing is the most targeted sector on ransomware leak sites. Not banks. Not hospitals. Factories. Your VPN appliance is the front door nobody's watching, and
Read more →
I have watched this exact disaster unfold five times in 40 years. Personal computers in the eighties. BYOD in the 2010s. Cloud migrations that nobody secured. SaaS tools that HR adopted without telling IT. And now AI agents that can read your email, execute commands on your machine, and send data anywhere, installed by employees who thought they were being productive. OpenClaw is not the problem. OpenClaw is the symptom. The problem is that every time a shiny new technology appears, businesses a
Read more →
Your business just plugged an AI chatbot into its website, an AI assistant into email, or a coding copilot into your dev team. Congratulations. You may have just installed a backdoor. A landmark research paper from Bruce Schneier, Ben Nassi, and their colleagues has mapped a full malware kill chain for AI systems. They call it promptware. It is not theoretical. Twenty-one documented attacks already cross four or more stages of this kill chain, in live production systems. The NCSC agrees the thre
Read more →
Russia's Sandworm hacking group just attempted the largest cyber attack on Poland's energy infrastructure in years, deploying custom wiper malware called DynoWiper against 30 wind farms, solar installations, and a heat plant serving half a million people. The attack failed, but only barely. The NCSC is now warning UK critical infrastructure operators to act immediately. If you think nation-state attacks on power grids are somebody else's problem, think again. Every UK business sitting in those s
Read more →
Google just dropped a report that should make every UK business owner physically uncomfortable. Chinese state-sponsored hackers have exploited more than two dozen zero-day vulnerabilities in VPNs, routers, and firewalls since 2020. From ten different vendors. The average time they sit inside your network before anyone notices? 393 days. Over a year of unfettered access. And if you think "I'm not a defence contractor, this doesn't affect me," think again. Manufacturing has been the single most ta
Read more →
Four concurrent cyberattack campaigns hit last week. Russian military intelligence weaponised a critical Microsoft Office vulnerability within 24 hours of the patch dropping. Commodity criminals started selling the same capability for £50 a month. A Chinese-linked group compromised Notepad++ updates for six months. Three separate macOS infostealer campaigns ran simultaneously. And while all of that was unfolding, the UK's biggest data protection law change since Brexit went live with 48 hours' n
Read more →
OT (operational technology) security protects industrial control systems, SCADA, and production equipment from cyberattacks. Unlike office IT security, OT security focuses on systems that control physical processes - CNC machines, production lines, and factory automation. A 2025 UK government study found 90% of OT attacks originate from IT network vulnerabilities, with downtime costing manufacturers £195,000 to £2.2 million per hour.
Read more →
Read more →
The UK Government is to implements personal director accountability for cyber risk in public sector. So logically Private sector is next. What directors need to know now.
Read more →
UK Government's shocking admission: cyber risk critically high, 28% legacy systems vulnerable, 2030 targets unachievable. The numbers are damning.
Read more →
I watched a board meeting where someone was asked to turn off their hearing aid during a security discussion. Bluetooth concerns, apparently. The company meant well, but they'd created a policy that would exclude anyone using assistive technology. I've seen this same pattern emerge in charity governance—organisations pursuing Cyber Essentials creating barriers for disabled trustees and staff. This isn't about security frameworks being flawed. It's about implementation requiring thought beyond ch
Read more →
You've read the threat intelligence. You understand AITM attacks. Now you need to actually deploy passkeys without breaking everything. This is the technical guide your IT person needs: Microsoft 365 integration steps, device compatibility requirements, troubleshooting the inevitable issues, and realistic timelines for businesses that can't afford downtime during authentication migration.
Read more →
You've got MFA turned on. Authenticator app, text codes, the lot. You think you're protected. Now picture this: your finance director clicks a legitimate-looking link, signs in, approves the MFA request like always, and boom—an attacker just stole her session token. Full access to Microsoft 365. No more MFA prompts needed. Welcome to 2026, where adversary-in-the-middle attacks surged 146% in the past year. Nearly 40,000 incidents daily. Your traditional MFA? Doing precisely nothing to stop them.
Read more →
Remember that fun photo booth snap at your mate’s wedding? The one where you’re pulling faces with the bridesmaids? It’s been sitting on an unprotected server for the past three weeks, accessible to anyone who could count to 1,000. Hama Film, an Australian photo booth company with operations in the UAE and United States, spent months exposing customer photos through a security flaw so basic it makes WannaCry look sophisticated. No authentication. No rate-limiting. Just pure, unfiltered incompete
Read more →
Directors should face criminal prosecution for cyber security negligence. The HSE precedent proves personal criminal liability transforms director behaviour. Before HSE had teeth, workplace deaths were common. After directors faced imprisonment, safety transformed. Civil liability isn't working for cyber security: 73% of businesses lack board responsibility despite 43% breach rates and 28% closure risk. Friday's case study showed £3.337 million loss preventable with £90 investment. Proposed: Cri
Read more →
March 2024: UK manufacturing company with £18 million turnover lost £2.4 million to business email compromise. Finance director phished, email credentials stolen (no MFA), attacker monitored for two weeks, sent fraudulent payment instruction from compromised account, major client processed payment overseas. Total immediate costs £3.337 million. Company survived through private equity investment that diluted family ownership from 100% to 23%. Managing director resigned. Eight redundancies. What w
Read more →
Most cyber risk registers are useless compliance documents. They contain vague descriptions, unverifiable controls, and no honest assessment of likelihood or impact. A working risk register has exactly seven columns: specific risk scenarios, likelihood based on real UK statistics, quantified impacts including business closure potential, verifiable current controls, residual risk ratings, costed additional controls, and named board-level owners. Every UK SME must address five mandatory risks: phi
Read more →
Graham Falkner told me before recording that small businesses don't need formal cyber risk registers. By the end of Episode 31, he'd completely changed his mind. UK government data shows only 27% of businesses have board-level cyber security responsibility, down from 38% in 2021. Meanwhile, 43% got breached and 28% of SMEs say a single attack could put them out of business. The evidence is overwhelming. Risk registers aren't bureaucracy - they're systematic thinking applied to survival. This epi
Read more →
Right, I'm done being diplomatic about this. After 40 years watching the same preventable disasters repeat themselves with different technology, I'm calling it: selling network-connected devices with default administrative credentials should be illegal in the UK. Not "discouraged." Not "recommended against." Illegal. With criminal penalties for manufacturers and civil liability for distributors. Pull up a chair. This intervention has been brewing for three decades. The free market has had 30 yea
Read more →
A 30-person marketing agency in Manchester did everything right. £15,000 invested in proper security: new firewalls, enterprise endpoint protection, hardware authentication keys for every staff member, and even an external security audit that came back clean. They were feeling quite good about themselves. Two months later? Someone had been accessing their client files for weeks through their HP printer that still used admin/admin as credentials. Total costs: £43,400 direct expenses, three lost c
Read more →
The ICO just fined LastPass £1,228,283 for security failures. Yes, a password manager company, fined for password security failures. The irony would be funny if 1.6 million UK customers hadn't had their data compromised. LastPass allowed senior employees to access corporate vaults from personal devices and let them link business and personal accounts with one master password. When an attacker exploited vulnerable Plex software on an engineer's home computer, they grabbed the keys to everything.
Read more →
Right, let's talk about the £15,000 security investment that just got absolutely destroyed by a £300 office printer. A marketing agency did everything right: new firewalls, endpoint protection, hardware authentication keys for every staff member, security audit came back clean. Two months later? Someone had been accessing their client files for weeks through their HP printer still using admin/admin as credentials. While you've been securing laptops and servers, your printer has full network acce
Read more →
What if I told you the biggest cyber threat to your business isn't hackers, but your office printer? Sounds mad, right? That's what a 30-person marketing agency thought before someone accessed their client files for weeks through an HP printer with factory default credentials. Episode 30 reveals the devices everyone forgets are computers: printers storing documents, CCTV systems livestreaming your premises, thermostats providing network access. Currently Top 12 in Apple Podcasts Management categ
Read more →
86 security professionals including former CISA director published advice last year claiming public WiFi, QR codes, and USB charging stations are safe. Sounds credible, except I've spent the year mopping up after businesses who followed exactly this advice. £47,000 stolen via hotel WiFi. Companies breached via QR code phishing. Legal practice ransomwared through compromised charging station. When security elite operate in enterprise bubbles with unlimited budgets, their advice becomes dangerous
Read more →
Most people copy what the big players do and call it a cyber strategy. That works for them. It probably kills you. This episode flips the script. Instead of worshipping best practice, we dissect the car crashes. Target, Equifax, Colonial Pipeline and SolarWinds. We ask one question. What actually went wrong and have you quietly made the same mistakes in your own business. If you run a UK small or mid sized firm and feel lost in security buzzwords, this is your shortcut. Learn from other peoples
Read more →
Let's drop the diplomatic language for a moment. Current UK cybersecurity regulation is a comfortable lie we tell ourselves to avoid uncomfortable truths. We pretend fines deter when they don't. We pretend guidance works when it doesn't. We pretend breaches are inevitable when most are preventable. Meanwhile, millions of citizens have their data compromised by organisations that face no meaningful consequences. The Synnovis attack contributed to patient deaths. The ICO's response? Under investig
Read more →
Numbers don't lie. In 1981, 495 workers died in British workplaces. The most recent figures show 124. That's not technological progress alone. That's regulatory teeth. When the Health and Safety Executive gained proper enforcement powers, directors discovered that ignoring safety had personal consequences. Prosecutions made headlines. Behaviour changed. Industries transformed. Today, we examine exactly how HSE enforcement worked and exactly what similar cybersecurity enforcement could achieve. T
Read more →
Yesterday's podcast proposed criminal liability for cybersecurity negligence. Today, we're dismantling the three-tier framework piece by piece so you know exactly where your business stands. Tier One protects small businesses with explicit gross negligence thresholds and Cyber Essentials safe harbour. Tier Two raises the bar for medium organisations whilst maintaining proportionate standards. Tier Three brings genuine consequences for large enterprises and public sector bodies that still can't i
Read more →
Yes, you read that correctly. Prison time for directors who allow catastrophic cybersecurity failures. Before you close this tab in horror, hear me out. We already send directors to prison for health and safety failures. Workplace fatalities dropped 85% after the Health and Safety Executive got proper enforcement powers. The ICO? They send sternly worded letters whilst breaches affecting millions go unpunished. Today, Mauven and I lay out exactly what a proper UK cybersecurity enforcement regime
Read more →
This week, we established why directors should face criminal prosecution for gross cybersecurity negligence. We examined the Synnovis case where a patient died because free MFA was not enabled. We provided technical analysis, psychological examination, and practical implementation guides. Saturday's opinion piece argued forcefully for criminal liability. Next week, we move from "why" to "how." What would a Corporate Cyber Negligence Act actually say? What are the thresholds between bad luck and
Read more →
I am tired of watching preventable disasters kill people while executives walk away with bonuses intact. A patient died because Synnovis did not enable free multi-factor authentication. Nobody will face criminal prosecution. If a construction director failed to provide hard hats and a worker died, that director would go to prison. Yet when healthcare executives fail to enable free security controls and a patient dies, nothing happens. This is not justice. This is not accountability. This is a br
Read more →
On 3 June 2024, the Qilin ransomware gang compromised Synnovis, a pathology provider serving NHS hospitals across southeast London. Blood testing collapsed. Over 10,000 appointments were cancelled. More than 1,700 operations were postponed. A patient died waiting for test results that never arrived. The attack succeeded because multi-factor authentication was not enabled. Here is the complete timeline of how a preventable security failure cascaded into catastrophic harm, the technical details of
Read more →
When Beverley Bryant, former Chief Digital Information Officer at Guy's and St Thomas' NHS Foundation Trust, stated that the Synnovis attack "may not have happened" with two-factor authentication enabled, she was not speculating. She was describing technical reality. The Qilin ransomware gang gained initial access through compromised credentials. Multi-factor authentication completely blocks this attack vector. A patient died because a free security control was not enabled. This is not hindsight
Read more →
On 3 June 2024, a patient arrived at a London hospital A&E feeling unwell. A blood test was ordered. The patient waited. The medics waited. They all waited some more. The patient died. Why? Ransomware had shut down blood testing at Synnovis, the NHS pathology provider. The security control that would have stopped it? Multi-factor authentication. Completely free. Built into every platform. The consequences for executives who chose not to enable it? Nothing. In this episode, we ask the uncomfo
Read more →
Financial Accountant magazine just published my analysis of the £1.9 billion Jaguar Land Rover cyberattack. But here’s what the article couldn’t cover: the small suppliers who died from JLR’s breach. You didn’t get hacked. Your biggest customer did. You still lost everything. One supplier laid off 40 people because JLR couldn’t place orders for six weeks. Proper security. Good practices. Still went bust. After 40 years in the IT world Intel, Disney, and the BBC, I’ve seen this pattern before. En
Read more →
Four zero-days. One perfect 10.0 severity score. Hundreds of thousands of sites already compromised. Criminals are exploiting Exchange Servers, Magento shops, and Oracle ERP systems right now - whilst you're reading this. SAP's vulnerability was so bad they deleted the entire component rather than fix it. WordPress sites are falling to a plugin bug that shouldn't exist. And that's just November. Your patching strategy just became a lot more urgent. Graham Falkner breaks down what to patch first:
Read more →
They're growing brain tissue in Swiss laboratories and using it to process information. Not simulations. Actual living human neurons, derived from skin cells, housed in specialized chambers, connected to electrodes, computing. FinalSpark's Neuroplatform has 16 brain organoids containing roughly 160,000 neurons total. Each organoid interfaces with 8 electrodes sampling at 30 kHz. The system has operated continuously for four years, testing over 1,000 organoids, collecting 18 terabytes of data. Th
Read more →
The April 2026 Cyber Essentials update introduces a game-changing rule: multi-factor authentication is now mandatory. Not recommended. Not "nice to have." Mandatory. If your cloud service offers MFA (free or paid) and you're not using it, you automatically fail. No exceptions. This single change will expose how many UK businesses have been skating by with terrible security. With potentially 30,000+ certified companies lacking proper MFA configuration, the fallout will be significant. You've got
Read more →
There's a lab in Switzerland where they're building computers out of living human neurons. Sounds completely barking mad, right? Here's the thing: these brain cells compute using one million times less energy than silicon. Meanwhile, training a single AI model now produces the carbon emissions of 500 cars over their entire lifetimes. Microsoft, Google, and Amazon just committed billions to restart nuclear power plants because they can't keep the lights on. And your business? You're paying for ev
Read more →
Why do smart people keep making the same catastrophic mistake? Cut security spending, congratulate themselves on efficiency, watch everything fall apart, spend vastly more recovering. It's not ignorance. It's psychology. Measurable costs are visible, politically defensible, easy to justify cutting. Invisible value is theoretical until it disappears. CFOs get promoted for cutting £50,000 from budgets. Nobody gets promoted for preventing breaches that don't happen. This asymmetry creates systemati
Read more →
Manchester marketing agency, 28 staff, £2.4M revenue. CFO proposed cutting security training: "£12,000 annually for slides nobody watches." Board agreed. Six months later, junior account manager clicked phishing link in fake client brief. No training meant she didn't recognise warning signs. Credentials stolen, ransomware deployed, three weeks offline. Recovery costs: £190,000. ICO investigation: inadequate training documented. They saved £12,000 and spent £190,000 learning what training actuall
Read more →
Stop cutting security costs based on gut feel and budget pressure. Start using actual frameworks that calculate downside risk. This practical guide walks you through evaluating any security spending decision: What's the notional function versus actual value? What's the cost of being wrong? What's the expected cost multiplied by probability? What invisible value disappears when you cut this? Includes checklists, decision trees, and real cost calculations for training, MFA, insurance, IT staff, an
Read more →
I've watched businesses make the same catastrophic mistake for 40 years. They look at security costs through a narrow efficiency lens, define roles by their obvious function, cut them to save money, and completely miss the invisible value. Until it's gone. Then they spend 10 times more fixing what they broke. The doorman fallacy explains every stupid IT decision I've ever seen: training cuts that cost millions in breaches, MFA removal that gifts credentials to attackers, insurance cancellation t
Read more →
What's the most expensive cost-saving decision you can make? Firing your hotel doorman and replacing him with an automatic door. Saves you £35,000 a year in salary, costs you £200,000 in lost revenue because your hotel just became ordinary. This isn't about hotels. It's about every IT budget cut I've seen in the last 40 years. New episode drops today: The Doorman Fallacy, or How to Accidentally Destroy Your Business Whilst Congratulating Yourself on Efficiency Gains. Featuring examples that will
Read more →
Every week I talk to UK business owners who've just spent £20,000 on "comprehensive cybersecurity platforms" when they needed £5,000 worth of basic IT security. Or they've paid consultants to develop "enterprise information security frameworks" for 15-person companies that can't keep Windows updated. The security industry profits from keeping you confused about InfoSec versus CyberSec versus IT Security. This week's episode cuts through the bollocks to explain what each term actually means, what
Read more →
Schools don't need expensive enterprise solutions to improve cybersecurity - they need practical, accessible guidance. The NCSC Cyber Assessment Framework provides exactly that: free, non-technical guidance designed specifically for schools with limited budgets. It covers user access control, incident management, and supply chain security in accessible language. Start with quick wins: enable MFA for everyone, conduct a GitHub repository audit, rotate all credentials organization-wide. The CAF is
Read more →
The Kido nursery breach exposed 8,000 children's data in September 2025, but the attack vector reveals a critical lesson for schools: this wasn't sophisticated hacking. Security researchers discovered a publicly accessible GitHub repository containing API credentials in plain text. The kido-kidssafe/myskio-api repository had the "keys to the kingdom visible in the clear." Two 17-year-olds were arrested in Hertfordshire, but the real story is how preventable this breach was. Schools must audit th
Read more →
This is the complete insider threat action plan for small businesses. Start with the non negotiables. Enable MFA on email and cloud apps. Audit who has access to what. Test your backups and prove you can restore. Then build. Roll out a password manager. Separate admin from day to day accounts. Turn on activity alerts and review them weekly. Segment guest, IoT and finance. Add EDR. Finish with drills, metrics, and monthly reviews. Do your leaders model the right behaviour? Do people know who to c
Read more →
Most security assessments fail small businesses. They ask the wrong questions or drown you in paperwork. You need a fast test that flags real risk and gives clear next steps. Start with five pillars. Access control. Authentication. Activity monitoring. Data protection. Incident response. Score each with simple questions. Fix the lowest pillar first. Turn on MFA. Remove excess access. Enable login alerts. Test restores. Write a one page incident plan. Track progress monthly with a few metrics. Do
Read more →
A teenager extorted 2.85 million dollars from PowerSchool. A student in Iowa ran a grade change business with pocket keyloggers. UK schools lost days of teaching to ransomware. None of this needed elite tools. It needed access, weak controls, and time. That is your wake up call. Do you know what your vendors hold about you? Do you keep more data than you need? Could someone walk up and plug in a device? Layer simple controls. Use MFA. Limit access. Monitor for odd activity. Test restores. Plan f
Read more →
Small businesses do not need theory. They need controls that block real attacks without new headcount. Start with MFA. It is included in Microsoft 365 and Google Workspace. It kills password reuse and shoulder surfing. Apply least privilege. Split admin from day to day use. Roll out a business password manager. Turn on sign in alerts that flag odd times and places. Test backups with the 3 2 1 rule and keep one copy offline. Segment guest, IoT and finance. These steps are cheap and proven. Will y
Read more →
The Kido International ransomware attack represents cybersecurity's darkest moment. Eight thousand children's photos, addresses, medical records, and safeguarding notes were stolen and posted online by the Radiant gang. Hackers then called parents directly, demanding they pressure the nursery to pay. This wasn't just a data breach, it was a calculated attack on the most vulnerable data imaginable. After 40 years in cybersecurity, this crosses every line. But here's the terrifying truth: the same
Read more →
Security fails when it fights how people work. Most breaches are not villains. They are good staff blocked by bad design. The ICO shows students guessed weak passwords or read them off notes. The lesson is simple. If the secure path is slow, people route around it. Make secure the easy choice. Use single sign on. Use MFA that is one tap. Give safe tools for sharing files. Build trust so people report mistakes. Review real behaviour, not policy fantasy. Do your controls help work or hinder it? If
Read more →
Insider threats are not shadowy hackers. They are people already inside your walls. The ICO found students caused most school data breaches by guessing weak passwords or reading them off sticky notes. They were not breaking in. They were logging in. Sound familiar? If a teenager can bypass controls, what would a bored employee try next? Audit access today. Turn on multi factor authentication. Stop forcing impossible passwords people write down. Log activity on sensitive systems. Train for curios
Read more →
Enough theory. Time for action. Here's your step-by-step plan to move from "Dave does everything" to sustainable IT support that won't collapse when Dave finally reaches breaking point. Start tomorrow.
Read more →
You don't need to choose between Dave and professional IT support. The best approach? Dave becomes your strategic IT leader while specialist MSPs handle the complex stuff Dave shouldn't have to figure out alone.
Read more →
Dave's the only one who knows the admin passwords. Dave's the only one who understands the custom configurations. Dave's the only one who knows which cables do what. When Dave goes, that knowledge disappears. Forever.
Read more →
After yesterday's Kido International ransomware attack, I've spent the night reading through the technical details and regulatory implications. What I'm seeing isn't just disturbing. It's a fundamental shift in how we need to think about protecting sensitive data in British small businesses. Yesterday morning, 18 UK nursery locations woke up to a ransomware attack. The attackers didn't just encrypt systems. They stole the entire database. Names of 8,000 children. Home addresses. Photos. Safeguar
Read more →
Co-op's CEO has officially confirmed their April 2024 cyberattack cost £80 million in earnings impact. The perpetrators? Teenagers using basic social engineering to steal personal data from all 6.5 million members. No sophisticated nation-state attack, just "Can you reset my password, mate?" targeting the right employee. With zero cyber insurance coverage, Co-op absorbed every penny while 2,300 stores suffered empty shelves and 800 funeral homes reverted to paper-based systems. But £80 million m
Read more →
Dave's first in, last out every day. Dave hasn't taken a proper lunch break in months. Dave gets defensive when you ask about the systems. Sound familiar? Your IT manager is drowning, and you've been pretending not to notice
Read more →
You want a network admin, security expert, help desk manager, systems architect, IT consultant, cloud specialist, compliance officer, and data protection expert. For £50k. Are you having a laugh? Here's what you're actually asking for.
Read more →
It's Monday morning. Your server's having a wobble. Your email's down. Half your team can't access the customer database. And where's Dave? Probably fixing Janet's printer. Again. Welcome to the single point of failure that's about to snap and take your business with it.
Read more →
Manchester marketing agency hemorrhaged £800 monthly on cloud storage chaos. Four different platforms, zero coordination, Dave from IT drowning in strategic decisions while fixing printers. Classic small business approach: solve today's problem with today's solution. Six months after engaging fractional CIO services: single integrated platform costing £450 monthly, unified data governance, actual strategic roadmap. Annual savings of £4,200 paid for strategic guidance while delivering competitive
Read more →
Full-time CIO in London: £180k-250k annually plus benefits. Fractional CIO: £15k-30k for strategic expertise when you need it. The mathematics are brutal, but the quality difference might surprise you. Many fractional executives are senior professionals who prefer variety over corporate politics. You get FTSE 250 CIO experience for a fraction of full-time cost. While your competitors burn budget on executives who spend half their time in meetings, you access strategic guidance scaled to actual n
Read more →
Dave from IT is brilliant at keeping your systems running. But calling him your CIO is like calling your mechanic an automotive engineer. Most UK small businesses confuse operational IT support with strategic technology leadership, and it's costing them millions. While Dave troubleshoots email issues, real CIOs design five-year technology roadmaps. The difference? Strategic thinking that aligns technology investments with business objectives. Fractional CIO services deliver genuine C-level exper
Read more →
September’s Microsoft Patch Tuesday isn't just another routine update cycle. With 81 vulnerabilities patched including 9 critical flaws, and active exploitation campaigns already targeting SharePoint servers, this represents significant business risk. Cyber Essentials certified organisations have until September 23rd to deploy updates, but waiting 14 days significantly increases risk exposure. The psychological tendency to defer technical updates creates dangerous security gaps. From authenticat
Read more →
Cybersecurity is not just an enterprise problem. With 96% of attacks targeting small businesses and 60% of victims closing within six months, UK SMEs face a survival crisis. This article exposes the myths keeping businesses vulnerable, the real financial impact of attacks, and the role of supply chain risk. It explains why Cyber Essentials and board-level governance are no longer optional, but essential. Written for directors and leaders, it lays out practical steps to protect your business befo
Read more →
Sixty per cent of small businesses don’t survive a cyberattack. That’s not a scare tactic, it’s a reality. UK SMBs are under siege, targeted in 96% of attacks because criminals know you’re under-protected and overconfident. This post rips apart the myth that cybersecurity is “only an enterprise problem” and shows how MSP malpractice, human error, and supply chain risk are leaving businesses exposed. Most importantly, it lays out the simple, affordable steps like Cyber Essentials that block 95% o
Read more →
After Monday's podcast revelation that government cybersecurity frameworks can actually make sense, let's talk implementation reality. Cyber Essentials costs £320-600 for self-assessment, takes 2-4 weeks of focused effort, and genuinely stops 80% of attacks targeting UK SMBs. But here's what the NCSC won't tell you: most businesses discover massive security gaps during the assessment process. I've guided dozens through certification, and the pattern is always the same. "We thought we were secure
Read more →
Three out of four UK businesses admit they’d break the law to pay a ransomware gang, proving they’re not prepared — they’re desperate. This hard-hitting article exposes the brutal truth behind the PR Newswire findings and dismantles the myth that cybersecurity is too expensive. It’s not. What’s expensive is losing your business, your data, and your reputation. We break down why defensive investment is always cheaper than recovery, what leaders are doing wrong, and how to fix it before disaster s
Read more →
Your help desk just became your biggest security liability. Scattered Spider criminals are ringing UK support teams, impersonating executives, and convincing staff to reset multi-factor authentication. Within hours, they're inside your network deploying DragonForce ransomware. The July 2025 IC3/CISA advisory exposes how these English-speaking social engineers are systematically destroying businesses through basic phone manipulation. If your Tier 1 support can reset MFA without proper verificatio
Read more →
After Monday's podcast revelation that government frameworks can actually make sense, let's dive deep into the five Cyber Essentials controls that provide enterprise-level protection without enterprise-level budgets. Boundary firewalls, secure configuration, access control, malware protection, and patch management. Five areas that stop 80% of attacks against 80% of small businesses 80% of the time. That's a lot of eighties, but the maths works. These aren't theoretical controls dreamed up by bur
Read more →
The UK Online Safety Act has been live for 48 hours and it's already the most spectacular digital disaster since Internet Explorer. VPN usage surged 1,400%, teenagers are using Death Stranding screenshots to bypass age verification, and Ofcom is reduced to sending strongly worded letters to companies that ignore them entirely. We've created a surveillance regime that doesn't protect children, doesn't stop harmful content, and can be defeated by PlayStation screenshots. This isn't child protectio
Read more →
Right, let's address the elephant in every small business owner's mind after last week's White House security episode: if we're facing enterprise-level threats, do we need enterprise-level budgets? The answer is a resounding no. The UK's Cyber Essentials framework takes everything we learned about systematic security thinking and distills it into five achievable controls that cost less than most businesses spend on coffee. Insurance companies love it (lower claims), government contracts require
Read more →
After last week's mind-bending dive into White House security with Theresa Payton's insights, you're probably wondering if protecting your business requires government-sized budgets and ex-GCHQ analysts. The answer will surprise you. Monday's episode reveals how the UK's Cyber Essentials framework takes everything we learned about systematic security thinking and makes it achievable for businesses that can't hire situation room experts. Five controls, 80% protection against real threats, costs l
Read more →
When someone who protected the President's digital communications tells you to "verify and never trust," you should probably listen. Former White House CIO Theresa Payton's evolution of Reagan's famous principle isn't just clever wordplay - it's essential survival advice for 2025. Deepfakes can fool video calls, AI perfectly mimics email writing styles, and social engineering has become so sophisticated that even cybersecurity professionals get caught out. When seeing and hearing are no longer b
Read more →
The White House CIO has access to threat intelligence that would make UK SMB owners lose sleep for weeks. While British businesses worry about basic phishing, US government analysts are tracking systematic campaigns targeting supply chains, MSPs, and small businesses as stepping stones to bigger targets. They're seeing patterns you've never heard of: criminal groups spending months mapping your vendor relationships, state actors using SMBs to access critical infrastructure, and ransomware cartel
Read more →
After investigating technical debt disasters across the UK for over four decades, I've reached an uncomfortable conclusion: we're not just accumulating IT shortcuts, we're systematically building Britain's digital economic collapse. This week's deep-dive into technical debt revealed a pattern that goes beyond individual business failures. Every "temporary" solution, every deferred security update, every cost-cutting IT decision is another brick in the wall of our national digital vulnerability.
Read more →
Pull up a chair for the most preventable business disaster I've investigated this year. A 78-employee Midlands manufacturing firm just got completely destroyed by technical debt they'd been accumulating since 2019. Six years of "temporary" solutions, unpatched systems, and IT shortcuts created the perfect storm when DarkSide ransomware hit in May 2025. £2.8 million in losses, 45 redundancies, and business closure within 8 weeks. Every single vulnerability that enabled this attack was documented,
Read more →
After this week's deep-dive into technical debt psychology, let's talk about actually fixing the bloody mess. Your "temporary" solutions from 2019 are now permanent vulnerabilities that criminals are actively exploiting. Every day you delay proper technical debt management, you're bleeding money on maintenance, security patches, and the inevitable breach costs. I've seen £50 million companies destroyed by technical debt they knew existed but couldn't prioritize properly. Here's your framework fo
Read more →
Same criminals. Same tactics. Completely different outcomes. M&S lost £300 million and took 46 days to restore online sales. Co-op faced identical DragonForce attacks but recovered swiftly with minimal disruption. The difference wasn't sophisticated security - it was operational agility versus accumulated technical debt. M&S drowned in decades of deferred decisions whilst Co-op's modern processes saved them. This isn't about having perfect systems, it's about building resilience. Wednesd
Read more →
M&S lost £300 million because decades of technical debt left them unable to respond to basic social engineering. Co-op faced identical DragonForce attacks but recovered quickly through operational agility. The difference? M&S accumulated digital debt like a hoarder accumulates rubbish, whilst Co-op invested in resilience. Technical debt isn't just old software - it's every deferred security decision, every "temporary" workaround, every vendor relationship without oversight. Podcast Episo
Read more →
Wednesday's parliamentary hearing was brutal. M&S Chairman Archie Norman squirming whilst explaining how criminals cost his company £300 million through basic social engineering. McDonald's serving up 64 million job seekers to potential identity thieves. Both disasters show the same pattern: years of deferred security investments creating systematic vulnerabilities. This isn't sophisticated hacking, it's criminal exploitation of corporate incompetence. M&S had no cyber attack plan despit
Read more →
After 40 years watching this bloody circus, this week's Shadow IT investigation revealed the most uncomfortable truth in business technology: unauthorized applications aren't the problem. They're proof that our entire industry has systematically failed small businesses through decades of vendor greed and procurement theatre. Seventeen project management tools because enterprise solutions are unusable garbage. £127k unauthorized spending because we sold them digital dumpster fires. Communication
Read more →
Buckinghamshire engineering firm thought they had "pretty good visibility" into their IT environment. DNS monitoring revealed 247 unauthorized cloud services, 43 different communication platforms, and £127,000 annual Shadow IT spending they didn't know existed. Dropbox, Google Drive, OneDrive, iCloud, plus dozens of project management tools, design software subscriptions, and messaging platforms. One week of DNS logs exposed six years of unauthorized software proliferation. The technical impleme
Read more →
Right, time for some brutal honesty about VPNs. They're not just broken, they're actively dangerous security theatre that's getting businesses destroyed. While you're still pretending that GlobalProtect and Cisco AnyConnect provide meaningful security, criminals are systematically working through every VPN deployment in the UK using the same basic playbook. Ingram Micro lost £136 million because someone misconfigured a VPN firewall. Your "secure" remote access is probably next. Microsoft's alrea
Read more →
Seven communication platforms. Fifteen employees. £23,000 legal discovery bill when employment tribunal demanded complete records. WhatsApp Business for customers, Slack for projects, Discord for "team building," Signal for "confidential" talks, Telegram for contractors. When they needed to reconstruct one client relationship, conversations were scattered across platforms they couldn't control. Customer satisfaction dropped 40% because every interaction started from zero knowledge. The legal pen
Read more →
A password of "123456" in 2025, supposedly protecting 64 million people's personal information. McDonald's just handed every UK SMB a masterclass in how vendor incompetence destroys lives. Some security researchers got curious about Mickey Dee's dystopian AI hiring bot, spent 30 minutes guessing obvious passwords, and suddenly had access to every job application ever submitted to the Golden Arches. While McDonald's and their AI vendor Paradox.ai play hot potato with blame, 64 million desperate j
Read more →
M&S just lost £300 million and Co-op exposed 20 million customer records because some criminal rang their IT help desk, pretended to be an employee, and walked away with the keys to the kingdom. Not sophisticated malware. Not zero-day exploits. A bloody phone call. The parliamentary hearing this week revealed the shocking truth: Britain's biggest retailers have help desk security that wouldn't pass muster at a corner shop. When Archie Norman admits they had "no cyber attack plan" and describ
Read more →
Microsoft's July 2025 Patch Tuesday just dropped 130 security fixes while most UK SMBs remain blind to 42% of applications running on their networks. From my government cyber experience, this represents a systematic organizational failure: you cannot patch what you cannot see. Critical vulnerabilities in Windows Kernel, BitLocker, and authentication systems require immediate deployment, but Shadow IT applications will break unpredictably. Worse, the buried Secure Boot certificate expiration warning affects
Read more →
Yesterday's Episode 6 dropped the bombshell: 42% of business applications are unauthorized. Today we're diving deeper into the hidden app epidemic destroying UK SMB security. Karen's Dropbox backup strategy with password "Password" shared via email. Marketing teams feeding confidential data to AI platforms. Customer service operations running through WhatsApp Business storing financial information in chat logs. DNS monitoring revealing 200+ cloud connections in a single week. This isn't isolated
Read more →
After analyzing the Ingram Micro ransomware attack and reviewing the latest threat intelligence, I need to be brutally honest about VPN security. We're facing a 56% increase in VPN-related attacks, an 8-fold surge in edge device exploitation, and zero-day VPN exploits jumping from 3% to 22% of all incidents. The SafePay group's destruction of a $48 billion distributor through basic VPN misconfiguration isn't an anomaly. It's the new normal. From my civil serice career experience, I can tell you
Read more →
A $48 billion global technology giant just got destroyed by criminals who exploited a basic firewall misconfiguration. Ingram Micro, the backbone of every MSP and reseller on the planet, is bleeding £136 million daily because someone forgot to tick a checkbox properly. SafePay ransomware walked through their VPN like it was an open door, bringing down the entire global IT supply chain. If you're an MSP depending on single vendors, you're about to learn the brutal cost of trusting other people's
Read more →
Right, pull up a chair. We need to have a bloody serious conversation about the EV charging disaster that's been hiding in plain sight. Oxford researchers just confirmed what should terrify every electric vehicle owner: your charging cable is a 47-meter antenna broadcasting your vulnerability to anyone with £200 worth of kit from eBay. The "Brokenwire" attack can kill charging sessions wirelessly, and it's built into the bloody standards that govern 12 million EVs worldwide. Known since 2019, st
Read more →
Janet Jackson's "Rhythm Nation" music video could crash laptops just by playing the audio. Not through software exploits or malware, but because the bloody song contained the exact resonant frequency that turned 5400 RPM hard drives into expensive paperweights. Even better: playing the video on one laptop could crash OTHER laptops sitting nearby through pure acoustic warfare. Microsoft engineers had to add secret audio filters to prevent pop music from destroying computers. If a 1989 dance track
Read more →
Passwords are circling the drain, and this time it’s for real. Microsoft, Apple, and Google are killing off passwords and pushing passkeys by default across their platforms. Microsoft is going passwordless by force, Apple is making it seamless, and Google is syncing passkeys everywhere. The UK government is onboard too, rolling out passkeys across public services. This isn’t future talk, it’s happening now. If your IT provider is still clinging to complex password policies and SMS MFA, you’re be
Read more →
After last night's podcast revelation about our collective digital archaeology disaster, let's talk about the solution hiding in plain sight. The UK's National Cyber Security Centre dropped wisdom that sounds too simple to work: pick three random words for your passwords. "Coffee train fish." "Wall tin shirt." "CabbagePianoBucket." Easy to remember, nightmare to crack, and unlike "password123," not on every hacker's greatest hits list. While we're mashing together words and numbers in barely inv
Read more →
Microsoft's Patch Tuesday is security theatre masquerading as systematic protection. Every second Tuesday, they dump 30-80 vulnerabilities on businesses and expect immediate deployment while providing minimal testing guidance. It's a monthly game of Russian roulette disguised as responsible disclosure. SMBs get caught between "patch immediately or die" hysteria and "test everything or break the business" paralysis. Meanwhile, Microsoft profits from both the problems and the solutions. Here's why
Read more →
Meet the Sheffield manufacturing firm that turned patch management from monthly panic into competitive advantage. Thirty-five employees, fifteen-year-old custom software, and an MD who thought "cybersecurity" was just expensive insurance. Then a supplier breach nearly destroyed their government contracts. Fast-forward eighteen months: they're winning contracts specifically because of their security posture, staff morale is up, and they haven't had a single security incident. Their secret? They s
Read more →
Stop treating patch management like Russian roulette. You don't need enterprise-grade test labs to deploy patches safely. You need a structured approach that balances speed with stability. I've managed patches across everything from 50-seat SMBs to global enterprises with 100,000+ endpoints. The principles are identical: test smart, deploy fast, have a rollback plan. Most SMBs get this backwards - they test forever and deploy never, leaving themselves exposed to known vulnerabilities while perfe
Read more →
Microsoft just dropped 51 vulnerabilities in June's Patch Tuesday, including 18 rated critical. And I guarantee you, most UK SMBs will ignore the lot. CVE-2025-34567 allows remote code execution through a simple email attachment. CVE-2025-34701 lets attackers escalate privileges with ba sic user credentials. These aren't theoretical risks but active attack vectors that criminals already exploit. Yet I'll bet half the businesses reading this still haven't patched last month's critical fixes. This
Read more →
It's 6 PM on the second Tuesday of the month. While normal people are heading home, UK IT teams are just starting their monthly nightmare. Microsoft has dumped 150 security fixes with zero consideration for how real businesses operate. No test environments, no staging procedures, no time to breathe. Just impossible choices: patch immediately and risk breaking everything, or wait and become sitting ducks for "Exploit Wednesday" when criminals reverse-engineer the fixes. After decades of watching
Read more →
This week we explored compliance theatre vs real security. Next week, we're diving into the monthly war zone that every IT team knows: Microsoft's Patch Tuesday roulette where one wrong decision can sink your business. Monday's podcast takes you inside the 6 PM chaos when UK teams scramble with late-breaking updates, and Tuesday's deep-dive exposes why traditional patch management advice is built for enterprises that don't exist. Plus, practical survival strategies for when you're fighting attac
Read more →
After decades of watching government departments wave certificates while getting breached, I'm done pretending compliance equals security. Yes, you need SOC 2 for some contracts. Yes, ISO27001 impresses procurement teams. But if you think those certificates will stop ransomware, you're living in a dangerous fantasy. I've seen FTSE 100 companies with pristine audit reports get absolutely destroyed by basic phishing attacks. It's time for some brutal honesty about what compliance actually protects
Read more →
CASE STUDY: Midlands manufacturing SMB spent 18 months and £45,000 getting ISO27001 certified. Six months later: ransomware attack, £50k losses, customer data exposed. They had perfect documentation for email security but forgot to actually secure their email. This is compliance theatre in its purest form - expensive certificates that impress auditors but don't stop criminals. Today's case study exposes the brutal reality of governance vs protection and what UK SMBs should learn from this expens
Read more →
The British Horseracing Authority just got absolutely hammered by ransomware, and frankly, I'm not surprised. Here's an organization that regulates a £1 billion industry, handles medical records for hundreds of jockeys, and oversees one of Britain's most prestigious sporting events. And they fell for the oldest trick in the book: some criminal rang their IT helpdesk, pretended to be an employee, and walked away with the keys to the kingdom. If the people who regulate horse racing can't secure th
Read more →
Tired of consultants charging £10,000 for Cyber Essentials implementation that you can do yourself in six weeks? This step-by-step guide cuts through the consultant bollocks and shows you exactly how to implement CE yourself. Real timelines (6 weeks max), real costs (under £4,000), real templates you can actually use. No consultant dependency, no ongoing fees, no compliance theatre. Just practical security that actually protects your UK SMB while meeting NCSC requirements. Stop funding consultan
Read more →
BREAKING: Another SOC 2 certified company just suffered a massive data breach. Shocked? You shouldn't be. While they were busy documenting their security procedures in triplicate, hackers walked through the front door they forgot to lock. This is compliance theatre in action: expensive certificates that impress auditors but don't stop criminals. Today's reality check exposes why governance frameworks fail against real threats and what UK SMBs should learn from this latest security disaster
Read more →
Another UK SMB just spent £40,000 on ISO27001 certification. Three months later: ransomware. The compliance industry has convinced every 15-person company they need enterprise-grade paperwork to survive. Bollocks. While you're documenting your password policy in 47 formats, criminals are walking through the digital front door you forgot to lock. Today's deep-dive exposes the real cost of compliance theatre vs actual security. Spoiler: Cyber Essentials might actually protect you, ISO27001 will de
Read more →
Your smart speaker isn't just listening for 'Hey Alexa.' British Security veteran dares you to try this simple experiment tonight. Fair warning: you might not sleep well afterwards. What you discover about your connected home will shock you into action.
Read more →
Your smart home isn't smart: it's a corporate surveillance network that makes the Stasi look like amateurs. While you're asking Alexa about the weather, Amazon's recording everything and building psychological profiles to flog to advertisers. Your Samsung TV captures 30 screenshots per minute, Google Home logs every conversation, and data brokers are making millions from your family's most intimate moments. The FBI warns these devices can be hijacked, yet homes everywhere are stuffed with always
Read more →
Your passwords are already for sale. The only question is whether you know it yet. Stolen credentials jumped from 10% to 16% of all cyberattacks in just one year, making it the second most common attack vector behind exploits. With 3.9 billion passwords compromised by infostealer malware and 94% of people reusing the same credentials across multiple sites, your business authentication isn't just vulnerable; it's already broken. While you're investing in firewalls and endpoint protection, crimina
Read more →
Your MSP's favourite remote access tool just got breached. Again. ConnectWise ScreenConnect, the software thousands of managed service providers use to "protect" small businesses, has been hit by yet another cyberattack—this time by suspected state-sponsored hackers. But here's the real scandal: this is the same platform that suffered critical vulnerabilities in 2024, enabling ransomware gangs to turn MSP networks into criminal infrastructure. If your IT provider is still using repeatedly compro
Read more →
Your £6,000 professional printer just joined a criminal botnet. For six months, Procolored shipped malware-infected drivers that turned customer systems into cryptocurrency theft machines, netting criminals nearly $1 million in stolen Bitcoin. When YouTuber Cameron Coward tried to install the "legitimate" software, his antivirus screamed warnings. Procolored's response? "False positive." Even after researchers found 39 infected files containing backdoors and Bitcoin stealers, the company kept de
Read more →
The woman who oversees America's spies used the same piss-weak password across multiple accounts for years. If Tulsi Gabbard, the bloody Director of National Intelligence, can't manage basic password security, what hope do the rest of us have? This isn't just government incompetence, it's a wake-up call. When the person responsible for protecting national secrets treats cybersecurity like a Sunday crossword, every business owner needs to ask themselves: are my security practices any better? The
Read more →
Your board meeting was spectacular. "Cloud transformation complete! 40% cost reduction!" The CEO used "digital excellence" without irony. Three days later, 590 million Ticketmaster records were for sale. The Snowflake breach wasn't sophisticated hacking—attackers used 2020 passwords from contractor gaming PCs that nobody changed. AT&T lost "nearly all" wireless customer data. Santander: 30 million records including account balances. None had basic multifactor authentication. While executives
Read more →
It's 2025. You're reviewing quarterly security metrics, feeling pleased with zero phishing attempts. Meanwhile, the developer who pushed code yesterday is funnelling his salary to Kim Jong Un's nuclear programme. One facilitator helped infiltrate 300+ US companies, generating $6.8 million for weapons development. Google found them applying to Google. Cybersecurity vendors accidentally hired them. If the experts are getting played, your HR department doesn't stand a chance. They're not just colle
Read more →
Pull up a chair. We need to talk about something that's going to make your skin crawl. While your sales team struggles to get prospects to return a bloody phone call, Iranian threat actors are convincing your employees to hand over the keys to your digital kingdom with the kind of charm and persistence that would make a used car salesman weep with envy. These aren't basement dwellers sending "Nigerian prince" emails—they're sophisticated operations turning social engineering into an art form whi
Read more →
In one of 2025’s most disgraceful breaches, Lawcover — the indemnity insurer for thousands of lawyers — exposed the personal and financial data of judges and solicitors through an unencrypted SharePoint backup. It’s not a sophisticated hack; it’s old-school negligence. Five-year-old legal records, sensitive case data, and passport numbers were all left to rot in the cloud. The incident highlights just how dangerously out of touch the legal sector is when it comes to basic cyber hygiene. In this
Read more →
Your IT provider just became your biggest security threat. The DragonForce ransomware gang didn't break down your front door – they got handed the keys by exploiting the very tools meant to protect you. While you've been worrying about suspicious emails, criminals turned SimpleHelp and other RMM software into weapons of mass destruction. One compromised MSP means hundreds of businesses infected in minutes. The attack already happened. The vulnerabilities were known. The warnings were ignored. An
Read more →
Cybersecurity isn’t IT’s job anymore, it’s yours. Ransomware doesn’t spread because hackers are clever. It spreads because leadership keeps treating security like plumbing: fix it when it breaks. This final part in our trilogy calls out the boardroom silence, the risk registers no one updates, and the plans that never get tested. If your business is still relying on hope, luck, or “that one guy in IT,” you’re not secure you’re surviving on borrowed time. This isn’t fear-mongering. It’s your fina
Read more →
Cyber insurance isn’t a silver bullet and claim denials are rising fast across the UK. Whether it’s poor security hygiene, policy exclusions, or failure to meet basic requirements, many businesses are learning the hard way that they’re not actually covered when disaster strikes. This guide breaks down why insurers are rejecting claims, what Cyber Essentials (and Plus) have to do with your insurability, and why your MSP might be part of the problem. If you’re relying on a policy you haven’t read,
Read more →
Every UK business has a fire plan. Most have flood plans. Some even worry about theft. But ask what happens when ransomware encrypts every file and locks you out of your own systems? Silence. No plan. I just crossed my fingers and am praying to the cyber gods. While you’ve invested in fire extinguishers and insurance policies, attackers have invested in your network. Your business isn't ready without a tested, documented, and rehearsed cyber recovery plan. You’re vulnerable. And no, your MSP’s v
Read more →
Yes, this is real. Yes, it’s still happening. Businesses in 2025 are still exposing Remote Desktop Protocol (RDP) to the open internet like it’s a perfectly normal thing to do. It’s not. It’s deranged. It’s like licking a petrol pump and being surprised you got sick. If you’re still running RDP with no VPN, no access controls, no MFA, and no clue , buckle up. This isn’t just a best practice failure. This is IT malpractice. And if you’re an MSP still recommending it? You should probably stop call
Read more →
Microsoft Teams is the new darling of UK business. It’s chat, calls, meetings, file sharing and productivity all in one app. Unfortunately, it’s also a goldmine for attackers, and they know it. With the Tycoon 2FA phishing kit now targeting Microsoft 365 users through fake Teams login prompts, criminals are bypassing multifactor authentication in real time. It’s slick. It’s scary. And worst of all, it works. If your business still believes Teams is “safe because it’s Microsoft,” you’re dangerous
Read more →
It’s 2025, but some UK councils and NHS departments are still sending confidential data via fax machines. That’s right. No encryption, no audit trail, just a shrieking relic from the 1980s spewing out safeguarding case notes or your latest blood test results from the GUM clinic into a shared office tray. With the analogue switch-off looming, this isn’t just old-fashioned, or quaint, it’s reckless. Why the hell are printer manufacturers are still enabling this madness - Looking at you HP, Epson,
Read more →
Think the hackers are your biggest threat? Think again. That smiling MSP rep who promised “complete protection” might just be the reason your business is on its knees. Ransomware rarely walks in the front door it’s invited through by lazy patching, crap backups, and a culture of "just enough" IT. From misconfigured firewalls to fake dashboards and vendors more interested in sales than security, this is the real story of how ransomware thrives, enabled by the very people paid to stop it. If you t
Read more →
It’s 2025. You’re in a sterile, brightly lit dental surgery — and there it is. A screen glowing with the unmistakable Windows 7 login. The same OS that went end-of-life in 2020. What the actual hell? That PC isn't just a relic — it’s a walking GDPR violation and a ransomware welcome mat. If your dentist is still running patient records on Windows 7 or even XP, you’re not just risking plaque you’re risking identity theft. Please for the love of all things secure STOP THIS NOW. Before a root canal
Read more →
A ransomware attack just crippled one of the UK’s key cold chain hauliers, leaving thousands of pounds’ worth of meat to rot before it ever reached supermarket shelves. Peter Green Chilled, who proudly promote their “bespoke IT systems,” couldn’t even keep order processing online. The result? Spoiled stock, supply chain chaos, and radio silence from a company with £25 million in turnover and not a single cybersecurity certification. This isn’t just an embarrassing IT failure. It’s a wake-up call
Read more →
On 28 April 2025, the UK’s beloved Cyber Essentials scheme quietly lobbed a compliance grenade into your IT department. The Willow question set has arrived, and with it comes a new standard for audits, especially for Cyber Essentials Plus. The big twist? You no longer get to pick the test machines. That’s right , your favourite “show laptop” patched 20 minutes before the audit isn’t going to save you. The auditor picks now ,and gives you just three working days' notice . Smoke, meet exit. This a
Read more →
Too many UK businesses trust ISO27001 and SOC 2 to keep them safe. They shouldn’t. These frameworks focus on governance, not enforcement. When ransomware hits or supply chains collapse, it’s always the same gaps: patching failures, lack of segmentation, poor endpoint hygiene. Cyber Essentials, especially CE+, isn’t a tick-box. It’s the defensive baseline that would have saved countless organisations from disaster. This article lays out the real problem and preaches the blunt truth: no ISO, no SO
Read more →
You’d think ISO27001 and SOC 2 certifications mean a business is secure. But if 2023 and 2025 have shown us anything, it’s that those badges don’t stop breaches. From Capita’s data leaks to Harrods’ containment chaos, and Co-op’s app disruption to the MOVEit dominoes, governance frameworks have failed where basic cyber hygiene would have succeeded. Cyber Essentials, often dismissed as small business fluff, turns out to be the missing frontline control in all of these high-profile failures. This
Read more →
Think Cyber Essentials and ISO27001 are just different flavours of the same thing? Think again. One’s a tactical shield against everyday threats, the other’s a strategic blueprint for governance. Mistake one for the other, and you’ll either overspend or leave the door wide open. This article rips into the dangerous misconception that they’re interchangeable, explores how Cyber Essentials is built for every organisation, from startups to schools, and why it remains your frontline defence while IS
Read more →
Ransomware isn’t your biggest problem—it’s just the one that finally made you look. Behind every cyberattack sits a decade of crap decisions, from budget-stretched IT to untrained staff, weak passwords, and clueless suppliers. You didn’t get hit because you were unlucky. You got hit because your house was already on fire. This is part one of a blistering three-part series breaking down the disease beneath the ransomware epidemic ripping through the UK’s small business sector. If you think you’re
Read more →
May’s Patch Tuesday is coming in hot—and if April’s mess left your domain logins broken, WSUS deployments in meltdown, or your Hello PIN sulking in the corner, you’ll want this one. Microsoft is set to mop up its authentication chaos, plug lingering Windows 10 holes, and squash a few zero-days while it’s at it. But that’s not all. Adobe, Intel, and SAP are sneaking in updates too. This month’s patch drop might not be as noisy as April, but it’s arguably more important. Brace yourself for impact
Read more →
Read more →
Think your MSP has your back? Think again. In Part 4 of Breached , we unpack the brutal truths most businesses only learn after the worst happens. From useless logs to skyrocketing insurance, and a support ticket that nearly destroyed everything, this is the roadmap you wish you had before the call came. Ten hard lessons, zero fluff. Why your MSP is there to sell, not protect. Why a good fractional CIO is worth their weight in gold. And why silence from your IT provider isn’t just dangerous—it m
Read more →
Think you're too small to be a target? Think again. UK small businesses are now the top attack vector for state-backed hackers from Russia and China, and your half-baked cybersecurity is a red carpet to our critical infrastructure. M&S, Harrods, and the Co-op didn’t get hit by chance, they got hit through you. If you’re in the supply chain without Cyber Essentials Plus, real EDR, or even basic patching, you’re not just vulnerable — you’re a national liability. Time to grow up or get out of t
Read more →
The breach was just the beginning. In Part 3 of Breached , the truth is out—and now come the consequences. The MSP tried to hide a misconfiguration. They failed. Now the clients are calling, the regulators want answers, and the business owner is left holding the fallout. From a quiet boardroom to sleepless nights and rising insurance premiums, this is what happens when a cover-up gets exposed. Contracts are cancelled. Trust evaporates. And the worst part? It all could have been prevented. If you
Read more →
What happens when your IT provider makes a mistake—and then tries to hide it? In Part 2 of Breached , a hidden support ticket, a missing firewall log, and over 400 unpatched vulnerabilities unravel a small business’s trust in the team meant to protect them. The MSP said, “Don’t tell the client.” But she was accidentally copied in. What followed was seven days of denial, silence, and mounting pressure—until the truth was read aloud, word for word, in a boardroom gone cold. This isn’t about poor s
Read more →
Katie Roberts thought it was just another Tuesday—until her personal phone rang at 11:27 a.m. The voice on the other end wasn’t a client. It was the National Crime Agency. Within minutes, her calm, structured world tilted on its axis. A cyber breach. Live. Real. Observed. And her business—the one she’d built from scratch—was now under threat. No plan. No warnings. Just a quiet office and a slow, sinking realisation that everything was about to change. What do you do when your worst-case scenario
Read more →
Co-op just confirmed a major data breach— but only after the hackers got sick of waiting and contacted the BBC themselves . Yes, really. It turns out customer data wasn’t just mishandled, it was gift-wrapped and forgotten like an expired loyalty card. With Zellis—the same payroll firm linked to the BBC and BA MOVEit fiascos—once again in the mix, this breach isn’t just another blip. It’s part of a growing pattern of retail cybersecurity disasters. And with legal and funeralcare data involved, th
Read more →
Samsung has once again reminded us why blind trust is a cybersecurity death sentence. Researchers discovered a massive vulnerability in Galaxy devices' Secure Element — the hardware vault meant to protect your biometrics and encryption keys. Attackers could exploit this “inadvertent” flaw remotely, with Samsung quietly patching it months later and offering zero transparency. No warnings. No device list. Just a silent fix and crossed fingers. If you own a Galaxy, you're now part of a grand experi
Read more →
Think 2025 would be the year we finally nailed DDoS protection? Think again. Some poor online betting site just got steamrolled by a 1Tbps brute-force attack — and the industry is clutching its pearls like it’s 2005. Guess what? If you’re running a high-value, downtime-sensitive business without bulletproof DDoS mitigation, you’re basically waving a “please fuck up my day” flag at the internet. This wasn’t a sophisticated hack; it was raw, stupid power. And it still worked. If your master plan i
Read more →
The UK’s new Cyber Security and Resilience Bill is about to shake things up – hard. With fines of up to £100,000 per day for failing to report serious cyber incidents, the days of shrugging off IT failures are officially over. Critical suppliers like MSPs are firmly in the government’s sights, and mandatory reporting within 24 hours means businesses must be ready to move fast. But is it enough? Will this finally close the gaps attackers have exploited for years, or will it pile more pressure on
Read more →
Paper password managers. Charming relics of a simpler time... or a catastrophically bad idea in 2025? At home? Fine. Lock it up tighter than your secret stash of biscuits. At work? Absolutely fucking not. Unless your business strategy includes "hoping Karen does not spill coffee on the master admin password" – get a proper password manager. Maybe, maybe a sealed "break glass" password for your CRM or M365 admin account. And I mean sealed like you are guarding the Crown Jewels. Want the full sarc
Read more →
Still clinging to that dusty old server from 2012? So are the hackers. Legacy systems are not just outdated — they are a neon sign flashing “easy target” above your business. Whether you run a small law firm, an accountancy practice, or any small business handling client data, ignoring your ageing IT is a fast track to fines, breaches, and reputational disaster. DPP Law learned this the hard way with a £60,000 fine. Will you be next? Find out why modernising your systems is no longer optional —
Read more →
In April 2025, the global cybersecurity world almost lost CVE — the bedrock of vulnerability tracking — not to hackers, but to sheer bureaucratic incompetence. While politicians played games and cyber defenders were told to look the other way, the fragile, outdated systems of CVE and CVSS staggered toward collapse. We didn’t fix them. We barely taped them back together. This isn’t just a story of near-miss disaster — it’s a full-blown indictment of cybersecurity's rotting foundations. If we do n
Read more →
Think your law firm is too small for hackers to bother with? DPP Law thought so too—right up until they faced a £60,000 fine and a public shaming after a catastrophic cyber attack. A single unsecured admin account was all it took to unleash chaos. No MFA, no breach reporting, no chance. If you are still relying on luck instead of basic cyber hygiene, you are playing a dangerous game with your clients’ trust—and your firm’s future. Cyber Essentials is the starting line, not the victory lap. How m
Read more →
Think Windows 11 was secure? Think again. A critical flaw let attackers hijack full admin control in just 300 milliseconds using a tired old trick – DLL hijacking. Microsoft called it “Important” (because, sure, SYSTEM access is casual now), but for the rest of us, it was a neon sign saying “Hack me.” Find out how your phone link feature became a hacker’s dream, why millions were left exposed for six months, and why patching yesterday might still not save you. How many ticking time bombs are hid
Read more →
Google is stepping up Android security by introducing an automatic reboot feature. If your phone remains idle for three days after a critical update, it will now reboot itself to apply the patch and enhance your protection. This smart move helps close the vulnerability window users often leave open by ignoring reboot prompts. Designed to be seamless and non-intrusive, the feature ensures devices are updated without disrupting daily use. While not mandatory across all manufacturers yet, it signal
Read more →
In April 2025, 4chan – the internet’s digital back alley – got thoroughly rinsed. A full-scale hack exposed moderators, leaked source code, and proved even the web’s most chaotic platforms aren’t immune to catastrophic failure. But here’s the twist: the real story isn’t the leak, it’s what it reveals about your own business. If outdated software, poor access control, or silence-in-a-crisis sounds familiar, you’re already on thin ice. This isn’t just drama for meme lords – it’s a neon-lit warning
Read more →
The Samsung Galaxy S24 was meant to be the crown jewel of Android. Instead, it shipped with a gaping security hole—thanks to a preinstalled app no one asked for. Researchers found that this app allowed remote attackers to hijack your device, steal your data, and generally wreck your digital life. This isn’t just sloppy—it’s a disgrace. Samsung pushed out a flagship phone with built-in vulnerabilities, proving once again that shiny hardware means nothing if the software is a ticking time bomb. If
Read more →
People used to think Macs couldn’t get viruses. That’s no longer true. New malware kits called JokRAT and XenoRAT can give hackers full control of a Mac computer. These tools are easy to rent online, even for people with no tech skills. Hackers can use them to spy on you, steal files, and stay hidden on your computer. Mac users should use security software, update their systems often, and be careful about what they click on. If your Mac is part of a company network, a single infected device can
Read more →
Not all firewalls are created equal—some vendors make patching painless, others seem to actively hide the fixes. We evaluated SonicWall, Fortinet, UniFi, DrayTek, Zyxel, WatchGuard, Sophos, Meraki and more using a realistic UK small business setup: one firewall, one switch, two access points. Then we scored them out of 50 on cost, usability, licensing, and update handling. Spoiler: UniFi smashed it. SonicWall? Not so much. If you want to know which vendor respects your time and budget—and which
Read more →
More than 4,000 WordPress websites have been hacked thanks to a critical vulnerability in the WP-Automatic plugin. The flaw (CVE-2024-27956) allows unauthenticated attackers to inject malicious code, redirect users, and install backdoors—all without logging in. Despite a patch being available, thousands of sites remain vulnerable due to poor update practices and weak plugin hygiene. This isn't just another WordPress scare story—it's a glaring example of why unmanaged, unmonitored websites are a
Read more →
Oracle just got hacked—badly—and their excuse? “It was just a legacy system.” That’s corporate-speak for we left the door wide open for four years and hoped no one would notice . Millions of records stolen, a $20 million ransom, and Oracle’s response was to shrug and point at the old kit. If you’re running ancient servers and thinking it won’t happen to us , think again. This isn’t just Oracle’s disaster—it’s a wake-up call for every UK business still clinging to outdated tech. Want to know how
Read more →
Still running Windows Server 2012 in 2025? You might as well leave your doors unlocked and shout “come on in” to attackers. End of life means no patches, no protection, and no excuse. This article explains why sticking with outdated infrastructure is a reckless liability, not a cost-saving strategy. From cyber insurance exclusions to ICO scrutiny and NCSC guidance, we break down the real-world risks UK businesses face. You’ve been warned: unsupported systems aren’t just old — they’re dangerous.
Read more →
When your supplier suffers a cyber attack, it’s not just their mess to clean up — it can quickly become your problem too. This guide walks UK SMBs through exactly what to do if a supplier breach threatens your data, operations, or reputation. From securing your systems and understanding GDPR obligations, to involving the right experts and tightening up contracts, you’ll learn how to stay one step ahead when the blast radius includes you. Because in today's interconnected world, your security is
Read more →
Google has patched a critical "Use After Free" vulnerability in Chrome, tracked as CVE-2025-3066, which could allow remote code execution via malicious web pages. The flaw was found in Chrome's Site Isolation feature—meant to protect users—ironically making it a prime attack vector. Users on versions prior to 135.0.7049.84/.85 (Windows/Mac) or 135.0.7049.84 (Linux) are urged to update immediately. Left unpatched, this bug could let attackers install malware, steal data, or worse. This is yet ano
Read more →
They had the infrastructure. They had the trust. And they had the gall to cover up the very breach they caused. This isn’t fiction—it’s a real-world cybersecurity disaster involving a big-name MSP, a firewall misconfiguration, and a damning internal email that said “don’t tell the customer.” Weeks later, the logs were useless, the excuses piled up, and the recovery bill is heading for six figures. If you think your MSP would never… think again. Here’s what went wrong, how it got exposed, and why
Read more →
Think your cyber security is airtight? Doesn’t matter — your suppliers might be the ones getting you hacked. One dodgy vendor, one reused password, and suddenly your business is in the headlines for all the wrong reasons. Supply chain attacks are exploding, and most businesses have no idea who actually has access to their systems. If you’re blindly trusting every outsourced service, freelancer, or cloud tool without asking hard questions, you’re basically inviting cybercriminals in for tea. Want
Read more →
The internet isn’t a safe space for everyone — especially if you’re a journalist, activist, or survivor of abuse. The UK’s National Cyber Security Centre (NCSC) has released new guidance for people and communities at high risk of digital surveillance. And unlike most government advice, this is actually worth reading. It’s direct, useful, and designed for the real world — covering everything from encrypted messaging to avoiding spyware. Whether you're at risk or supporting someone who is, this gu
Read more →
Welcome to the inaugural edition of Breach of the Month Club™ , your monthly tour of reputational disaster. March 2025 was a banner month for avoidable breaches, from Lloyds accidentally mailing out million-pound statements, to Jaguar Land Rover getting wrecked by leaked JIRA credentials. Reform UK ignored GDPR completely, Morrisons got battered by a supplier breach, and 23andMe? Well, they lost your DNA and filed for bankruptcy. We break it all down with just the right amount of sarcasm—and a r
Read more →
Apple has dropped emergency updates to fix three zero-day vulnerabilities —and yes, they’re already being exploited. These flaws affect iPhones, iPads, Macs, and more, letting attackers bypass USB protections, escape Safari’s sandbox, and escalate privileges through CoreMedia. If you’re not updating your devices right now, you’re basically rolling out the red carpet for hackers. This isn’t just another patch Tuesday. It’s a loud, flashing red warning. Your move.
Read more →
Think you can handle a cyber attack without an Incident Manager? Think again. Here's what a good IM does, why they're not a luxury, and how they help UK businesses survive the worst day of their digital lives.
Read more →
A cyber breach isn’t just an IT headache—it’s a full-blown business crisis. If you run a small UK business and your systems are compromised, your next 24 hours are critical. This guide walks you through what to do and why—from shutting the breach down without wiping forensic evidence, to dealing with regulators, staff, and customers. Most importantly, it makes clear that your MSP or IT team should not be leading the response. You need an independent Incident Manager and a solid plan. No fluff. N
Read more →
A hacker could be hiding in your business for over nine months before you even notice—and IBM has the stats to prove it. Their latest report shows UK small businesses are dangerously exposed to long dwell times, where cybercriminals quietly steal data, cause chaos, and vanish before anyone sounds the alarm. If you're not actively looking for threats, you're practically inviting them in. Here's what dwell time means for your business—and how to slam the door shut.
Read more →
Over half of UK businesses got digitally f**ked last year—and most didn’t even realise until it was too late. While leadership played buzzword bingo, ransomware crews strolled in through weak passwords and forgotten patches. Attacks hit every 44 seconds. Still think “we’re too small to be a target” holds up? It doesn’t. Hope isn’t a strategy. Luck isn’t resilience. And if you’ve got no plan, you’re just waiting to be the next headline.
Read more →
So naturally… the ICO fined them £4.4 million. And then knocked £3 million off for being helpful afterwards . Yes, really. That’s the cybersecurity equivalent of “you crashed the car but said sorry nicely—so we’ll waive the repair bill.” I’ve written a new piece on this absolute masterclass in weak governance, supplier accountability theatre, and the dangerous precedent it sets.
Read more →
Microsoft’s at it again—this time breaking Remote Desktop for Windows 11 users with their latest round of updates. If your helpdesk tickets are piling up with RDP disconnects and login weirdness, you’re not alone. From silent session drops to broken smart card authentication, this bug is hitting SMBs and IT pros where it hurts. We unpack what’s going wrong, who’s affected, and how to survive it—while Microsoft casually promises a fix “at some point.” Spoiler: rollback might be your only friend.
Read more →
London ranks dead last for 5G performance in Europe – but it’s not just the capital struggling. Across the UK, coverage is patchy, motorway connectivity is unreliable, and performance wildly varies between networks. Yet where it’s deployed properly, UK 5G can rival the best on the continent. The problem? Not the tech – the execution. Less hype, more follow-through, and a proper plan could turn the UK’s 5G fortunes around.
Read more →
Most UK businesses spend more on coffee than on Cyber Security Awareness Training—and that’s exactly how breaches happen. Your biggest threat isn’t a hacker in a hoodie; it’s Dave in Sales clicking a dodgy email. The good news? Quality training is cheap, effective, and actually enjoyable. For less than the cost of your weekly latte run, you can turn your staff from cyber risks into cyber defenders. Still think you can’t afford it? Think again.
Read more →
Think you’re safe clicking through a CAPTCHA? Think again. Cybercriminals are hijacking your trust with fake CAPTCHA pop-ups that trick you into downloading malware—by following simple keyboard instructions you’d never question. One click and boom—your passwords, wallets, and entire digital life are up for grabs. This isn’t just clever, it’s terrifyingly effective. If you’ve ever hit "I’m not a robot," you need to read this before you hand your system over to hackers.
Read more →
Think your Bluetooth devices are safe? Think again. Security researchers just found hidden, undocumented commands in the ESP32 chip—used in over a billion devices worldwide. This means hackers could exploit your smart gadgets, from speakers to security cameras, without you ever knowing. And the best part? Manufacturers didn’t tell anyone. Is your tech spying on you? Maybe. Here’s what you need to know—and how to protect yourself before it’s too late. 🚨
Read more →
A critical flaw in DrayTek routers is wreaking havoc on UK broadband connections — and no, this isn’t just a “techie problem.” Businesses across the country are unknowingly running vulnerable, outdated routers that are now being blocked by ISPs for good reason. DNS hijacks, remote code execution, and silent compromises are all in play. If you're still clinging to your 2018 networking gear like it’s a family heirloom, it’s time to wake up. This isn’t about cost — it’s about negligence. Here’s wha
Read more →
If you're still not using 2-Step Verification (2SV), you might as well leave your front door wide open, bake some cookies for the burglars, and leave a note that says, "Take what you like, I clearly don’t give a shit." Sounds ridiculous? So does ignoring the absolute bare minimum of online security. Passwords alone are about as effective as a chocolate teapot, and cybercriminals love people who think 2SV is “too much hassle.” If typing in a short code now and then feels like a chore, maybe the i
Read more →
North Korea's Lazarus hackers are back, gleefully slipping malicious code into popular NPM packages—think razor blades hidden in your Halloween sweets. Hundreds of developers unwittingly invited cybercriminals into their digital lives, losing sensitive data and perhaps some self-respect. This latest supply-chain fiasco underscores a crucial lesson: trust no package blindly. Treat your code dependencies like milk—check regularly, or risk finding something unpleasantly chunky in your morning coffe
Read more →
Discover why sharing your password is just as gross—and risky—as sharing your toothbrush. Learn practical tips like the three-random-words method and how password managers keep your digital hygiene squeaky clean!
Read more →
Thinking of hiring an MSP? Don’t swipe right just yet! 🚩 From laughably cheap pricing to alarming shared tenants and MSPs holding your admin access hostage, we're exposing the worst IT provider red flags. Learn how to dodge the charm, avoid costly mistakes, and choose a provider who won't leave your business exposed. Your business deserves better—don't settle for IT nightmares!
Read more →
Cheap IT support might seem like a bargain, but it’s a financial and security disaster waiting to happen. The majority of budget IT providers lack even basic externally audited cybersecurity certifications like Cyber Essentials Plus —which should be a minimum requirement. They cut corners on security, response times, and expertise, leaving businesses vulnerable to downtime, data breaches, and compliance fines . A proper MSP invests in real security , 24/7 monitoring , and incident response —and
Read more →
Still letting employees run wild with admin rights? Cyber Essentials says NO MORE. The latest crackdown on privileged access means Just in Time (JIT) is OUT, Just Enough Access (JEA) is IN, and ThreatLocker is here to save your sanity. Ignore this at your own risk—hackers love lazy security!
Read more →
Read more →
Just when you thought Microsoft couldn't top their Exchange meltdown, they go full send and accidentally delete their own AI assistant from Windows 11. No warning, no prompt—just poof . Gone. It's as if someone at Redmond duct-taped down the ‘F**k Around and Find Out’ button and walked away. What’s next? Windows Update deciding Task Manager is ‘problematic’? Edge forcibly replacing all your passwords with ‘BingLovesYou123’? Buckle up—because this one’s a mess. Read on and prepare to rage.
Read more →
Elon Musk took Twitter, rebranded it as X, and somehow made it an even bigger dumpster fire. Outages, bots, advertisers bailing—has X become the digital ghost town we all expected? Or is it just the billionaire’s latest expensive toy gone rogue? Let’s break down this glorious trainwreck
Read more →
Should your business handle IT in-house or outsource to a Managed Service Provider (MSP)? On paper, an in-house IT team might sound ideal—until you see the real costs. A single IT manager can set you back £80K+ a year, and that’s before factoring in security tools, compliance, and the inevitable sick days. Meanwhile, a properly managed MSP delivers 24/7 support, robust cybersecurity, and compliance-ready solutions—at a fraction of the price. If your IT plan is to rely on “Dave from accounts” to
Read more →
For seven excruciating days , Microsoft completely broke email transport , crippling businesses worldwide. A botched update turned the simplest, most stable IT function into a flaming dumpster fire , leaving users helpless while Microsoft sat in silence for three days before admitting anything was wrong. How do you screw up SMTP, MAPI, and basic email delivery in 2025? How does a trillion-dollar company make email less reliable than it was in the 1980s? And more importantly— why should you still
Read more →
Security researchers have discovered malicious Chrome extensions that detect and impersonate popular password managers , tricking users into handing over master passwords . Learn how this attack works, why Chrome’s extension security is still a disaster , and what users and businesses should do to stay safe.
Read more →
ChatGPT Operator, the AI agent with browsing powers, can be hijacked via prompt injection , causing it to leak private data or obey hidden attacker commands . Learn how this exploit works, why AI assistants need serious supervision , and what businesses must do to avoid their AI leaking client data to the internet .
Read more →
Two criminals stole £500k worth of Taylor Swift tickets using nothing more than stolen StubHub URLs. This basic security failure exposes a flaw in how digital tickets are secured — and it’s a lesson for every business that relies on magic links . Find out what went wrong and how to protect your own platform from the same fate .
Read more →
Jaguar Land Rover—known for luxury, performance, and now, apparently, spectacular cybersecurity fails—has become the latest high-profile victim of a cyberattack. Hackers allegedly snatched critical internal documents, sensitive employee data, and the company's precious source code, then dumped it all online like yesterday's leftovers. As connected cars transform into rolling computers, cybercriminals are clearly buckling up for joyrides through corporate data. Is your business ready, or are you
Read more →
If your MSP isn’t certified to Cyber Essentials Plus (CE+) and charges less than £60 per user per month (excluding productivity licensing), you’re not getting a bargain — you’re buying a front-row seat to the next supply chain breach. China-backed hackers, Silk Typhoon , are targeting crap MSPs who cut corners on security, using their remote management tools to compromise every customer they support . This isn’t theory — it’s happening right now , and businesses who blindly trust their providers
Read more →
Is your Apple device silently compromised? Hackers are exploiting a dangerous new vulnerability RIGHT NOW—find out if you're at risk and how to protect yourself immediately!
Read more →
Meet Eleven11, the brand-new botnet responsible for record-shattering DDoS attacks peaking at 3.6 Tbps. This fast-growing menace, built from 30,000 compromised devices, can cripple networks, wipe out online businesses, and expose weak cybersecurity in minutes . Find out how it works, why it’s terrifying, and what every business should do right now to avoid becoming the next victim .
Read more →
March 2025 Patch Tuesday just dropped a cybersecurity bombshell. Discover why your sleep-deprived IT team might never forgive Microsoft (and why your MSP had better be on this ASAP!).
Read more →
Hackers are using fake PDFs disguised as bot detection images to deliver Leuma Stellar , malware designed to steal cryptocurrency wallets, logins, and browser data. Find out how this ridiculously simple scam works, why businesses and crypto holders should care, and how to lock down your assets before your Bitcoin buys someone else’s Lamborghini .
Read more →
Stingrays are tracking devices disguised as phone towers, used to spy on your location, calls, and messages. The EFF’s free open-source tool Rayhunter lets you detect these covert surveillance devices — putting control of your privacy back in your hands. Find out how Stingrays work, why Rayhunter matters, and why your phone is probably betraying you right now.
Read more →
Cybersecurity has become an AI-driven arms race. Attackers now use AI to automate phishing, bypass security, and mimic human behavior to slip past defences. Meanwhile, AI-powered security tools fight back, detecting threats in real-time. But most businesses are unprepared. If your security relies on outdated defences, you’re already losing. AI isn’t just changing cybersecurity—it’s redefining it. The only way to stay ahead? Cyber Essentials Plus as your baseline. Anything less, and you’re gambli
Read more →
Microsoft signed a vulnerable driver, and ransomware gangs couldn’t believe their fucking luck. With SYSTEM access gifted on a plate, malware could disable your antivirus, wipe your backups, and redecorate your operating system. This is what happens when you trust Microsoft to check their own homework. Learn how it happened, why BYOVD is back, and what you need to do before your network becomes the next crime scene.
Read more →
Cyber Essentials is a government-backed certification that helps small businesses get basic cybersecurity right. But does it actually work, and is it worth the time and money? In this article, we look at what Cyber Essentials involves, how much it costs, and whether it genuinely protects your business from cyber threats. With fresh insights from the UK government’s 2024 evaluation, we uncover the real-world benefits for small businesses.
Read more →
Small businesses love to think they’re “too small” for hackers to bother with. Reality check: that’s exactly why cybercriminals love you. No security team. No proper defences. Just an unlocked digital front door and a password that might as well be ‘password123’. If you’re not taking cybersecurity seriously, you’re practically begging to be hacked. In this post, we break down why small businesses are an easy target, the biggest security mistakes they make, and how Cyber Essentials can stop your
Read more →
In one of the most embarrassing cyber trends of 2025, hackers are using Microsoft Teams to impersonate IT support, then tricking employees into launching Windows Quick Assist , effectively handing remote control of their computers to criminals. Once inside, attackers install malware, steal credentials, and deploy persistent backdoors — all thanks to tools Microsoft built and businesses blindly trust. If your staff still believe every Teams message with ‘IT’ in the name is legitimate, congratulat
Read more →
From smart fridges to connected doorbells, IoT devices collect mountains of personal data; and they’re prime targets for hackers. This guide explores how businesses and consumers can secure their devices, protect sensitive data, and avoid turning their smart home into a cyber criminal’s playground.
Read more →
Hackers are sending ransom demands via the post, pretending to be BianLian and demanding Bitcoin. Find out why this bizarre scam works, how to respond, and what every UK business must know.
Read more →
Tata Technologies hit by ransomware attack, exposing 1.4TB of sensitive client data linked to Airbus, Ford, Jaguar and Honda. Learn what happened and how supply chain security failures put everyone at risk.
Read more →
In the chaotic world of cyber security certifications, 2025 offers more choices than ever; but not all of them are worth your time (or sanity). From the gold-standard CISSP to the controversial CompTIA Security+, this guide cuts through the marketing fluff to reveal which certifications actually boost your career and which ones just boost someone’s profit margins. Whether you’re aiming to become a penetration tester, security manager, or cloud security expert, this brutally honest review will he
Read more →
5G promises faster speeds and endless connectivity, but for small businesses, it’s also a cyber security minefield. More connected devices means more targets for hackers, and 5G’s speed amplifies every attack. This article explores how 5G is rewriting the cyber risk playbook — and what small businesses need to do to avoid becoming easy prey.
Read more →
More than 4,000 ISP networks got hacked because they left their admin passwords set to 'password123' — and shockingly, that didn’t work out well. Cybercriminals brute-forced their way into routers, servers, and management systems, planting infostealers, cryptominers, and enough malware to make an antivirus cry . This wasn’t some elite state-sponsored operation; it was basic-level script kiddie shit that worked because ISPs still treat security like a hobby . Find out how it happened, why your br
Read more →
Hackers are using deepfake videos of YouTube’s CEO to phish creators into handing over their accounts. In this absurd cybercrime twist, scammers send fake YouTube monetization emails featuring a realistic AI-generated video of Neal Mohan, urging creators to “confirm policy updates” via a phishing link disguised as YouTube Studio . The result? Stolen credentials, hijacked channels, and another WTF moment in cybersecurity. This scam is shockingly effective because it uses YouTube’s own private vid
Read more →
How did Serbian police and Cellebrite turn Android phones into unlocked treasure chests? Google’s latest vulnerabilities handed over the keys, and now over a billion devices are exposed. Read why your lock screen is about as secure as a garden gate — and why forensic tools are the new hacker goldmine.
Read more →
Big changes are coming to Cyber Essentials from April 2025 , and they are not just cosmetic. From embracing passwordless logins to treating remote workers' devices like company kit , the new rules mean businesses need to sharpen up their security game — fast. Whether you are managing firewalls, updating browser extensions, or figuring out how to patch a vulnerability with no patch, this update raises the bar. Ignore it at your peril.
Read more →
Quantum computing is coming — and when it does, today’s encryption won’t stand a chance. This article breaks down how quantum computers will change cyber security forever, why small businesses should care, and what steps you can take now to prepare for the next digital arms race.
Read more →
Trust no one — not even your own staff. That’s the heart of Zero Trust security, the modern approach that treats every device, user, and login as suspicious until proven safe. This guide walks small businesses through the why, what, and how of Zero Trust, helping you lock down your network before cyber criminals stroll right in.
Read more →
Remote work is great for flexibility — but terrible for cyber security. With staff logging in from cafes, spare bedrooms, and dodgy home Wi-Fi, businesses need a whole new security playbook. This guide explains why remote work is a hacker’s dream and how small businesses can fight back.
Read more →
In a move that defies logic, common sense, and basic self-preservation, the US just ordered its cyber defenders to stop investigating Russian attacks. Why should UK businesses care? Because when the world's cyber watchdog leaves the door wide open, every UK SMB becomes an easier target. This isn’t politics — this is your business continuity on the line.
Read more →
Gmail users face a fresh wave of scams in 2025. Cybercriminals now use artificial intelligence, Google Calendar invites, and fake shared Docs to trick you. Learn how to spot the latest tricks and protect your inbox in this tongue-in-cheek survival guide.
Read more →
Ransomware attacks have changed — and the price for protecting your stolen data now averages £475,000. Hackers are skipping the hassle of file encryption and instead stealing data directly, then demanding payment to keep it private. This shift makes it even clearer that prevention, through schemes like Cyber Essentials, is far cheaper than paying criminals after the fact . In this article, we explore why data theft is the new normal, why small businesses are at risk, and what every company shoul
Read more →
The UK government and Apple are in a messy breakup, and—spoiler alert—it’s not mutual. Apple has yanked Advanced Data Protection (ADP) from the UK faster than a politician dodging accountability, all because the government wants a sneaky backdoor into everyone’s iCloud. Apple’s response? “Yeah, no.” The Investigatory Powers Act (IPA) 2016 —affectionately nicknamed the Snooper’s Charter —gives the UK authorities the power to demand weaker encryption, which, as every cybersecurity expert knows, is
Read more →Cookie consent
We use Google Analytics to understand how visitors use this site. No personal data is sold or shared. Privacy Policy