The Small Business Cyber Security Guy

Welcome to my blog and podcast, where I share brutally honest views, sharp opinions, and lived experience from four decades in the technology trenches. Whether you're here to read or tune in, expect no corporate fluff and no pulled punches.

Everything here is personal. These are my thoughts, not those of my employer, clients, or any poor soul professionally tied to me. If you’re offended, take it up with me, not them.

What you’ll get here (and on the podcast):

  • Straight-talking advice for small businesses that want to stay secure

  • Honest takes on cybersecurity trends, IT malpractice, and vendor nonsense

  • The occasional rant — and yes, the occasional expletive

  • War stories from the frontlines (names changed to protect the spectacularly guilty)

I've been doing this for over 40 years. I’ve seen genius, idiocy, and everything in between. Some of it makes headlines, and most of it should.

This blog and the podcast are where I unpack it all. Pull up a chair.

The UK Government's Ransomware Gambit: Why Your SMB Just Became a Bigger Target

The UK Government's July 2025 consultation response commits to implementing world-leading ransomware legislation by late 2026.

Three key proposals include payment bans for public sector/CNI, universal 72-hour incident reporting, and government pre-approval for private sector payments.

This will dramatically increase ransomware targeting of SMBs as criminals pivot from restricted sectors to easier private targets.

Cyber Essentials: The £300 Security Framework That Actually Works (And How to Get It Without Going Mental)
Cyber Security for Small Businesses | Noel Bradford

After Monday's podcast revelation that government cybersecurity frameworks can actually make sense, let's talk implementation reality. Cyber Essentials costs £320-600 for self-assessment, takes 2-4 weeks of focused effort, and genuinely stops 80% of attacks targeting UK SMBs.

But here's what the NCSC won't tell you: most businesses discover massive security gaps during the assessment process. I've guided dozens through certification, and the pattern is always the same.

"We thought we were secure" becomes "bloody hell, how were we not breached already?" Pull up a chair, this is going to be educational.

Still Letting Your Help Desk Reset MFA? Scattered Spider Says Thanks
Threat Intelligence | Noel Bradford

Your help desk just became your biggest security liability. Scattered Spider criminals are ringing UK support teams, impersonating executives, and convincing staff to reset multi-factor authentication. Within hours, they're inside your network deploying DragonForce ransomware.

The July 2025 IC3/CISA advisory exposes how these English-speaking social engineers are systematically destroying businesses through basic phone manipulation.

If your Tier 1 support can reset MFA without proper verification, you've built a fortress with no gate. Time to wake up before the 2:47am call telling you everything's encrypted.

It’s Cheaper to Be Defensive: Why Waiting for a Breach Is the Most Expensive Mistake You’ll Ever Make
Industry Analysis | Noel Bradford

Three out of four UK businesses admit they’d break the law to pay a ransomware gang, proving they’re not prepared — they’re desperate.

This hard-hitting article exposes the brutal truth behind the PR Newswire findings and dismantles the myth that cybersecurity is too expensive. It’s not. What’s expensive is losing your business, your data, and your reputation.

We break down why defensive investment is always cheaper than recovery, what leaders are doing wrong, and how to fix it before disaster strikes.

If you're gambling on hope instead of hard controls, this is your wake-up call. Prevention isn’t optional. It’s survival.

The Psychology of Cyber Essentials: Why Smart People Make Terrible Security Decisions
Mauven MacLeod

Hello, Mauven here. After Monday's podcast and yesterday's technical deep-dive, I want to tackle the elephant in the room: if Cyber Essentials is so brilliant, why do smart business owners avoid it like a tax audit?

The answer isn't ignorance or stubbornness - it's human psychology. Our brains evolved to make quick survival decisions, not manage enterprise cybersecurity frameworks.

We're fighting millions of years of evolution with documentation requirements and compliance deadlines.

Understanding this psychology is the key to implementing security that actually works in the real world, not just in government guidance documents.

Cyber Essentials Deep Dive: Five Controls That Actually Work
Cyber Security for Small Businesses | Noel Bradford

After Monday's podcast revelation that government frameworks can actually make sense, let's dive deep into the five Cyber Essentials controls that provide enterprise-level protection without enterprise-level budgets. Boundary firewalls, secure configuration, access control, malware protection, and patch management.

Five areas that stop 80% of attacks against 80% of small businesses 80% of the time. That's a lot of eighties, but the maths works.

These aren't theoretical controls dreamed up by bureaucrats who think cybersecurity means installing antivirus and hoping for the best. They're battle-tested defences based on actual attack analysis.

The Online Safety Act: Digital Dictatorship Disguised as Child Protection
Industry Analysis | Noel Bradford

The UK Online Safety Act has been live for 48 hours and it's already the most spectacular digital disaster since Internet Explorer. VPN usage surged 1,400%, teenagers are using Death Stranding screenshots to bypass age verification, and Ofcom is reduced to sending strongly worded letters to companies that ignore them entirely.

We've created a surveillance regime that doesn't protect children, doesn't stop harmful content, and can be defeated by PlayStation screenshots. This isn't child protection - it's digital authoritarianism disguised as safety theatre. Pull up a chair to the circumvention party.

Cyber Essentials: When Government Frameworks Actually Make Sense
Cyber Security for Small Businesses | Noel Bradford

Right, let's address the elephant in every small business owner's mind after last week's White House security episode: if we're facing enterprise-level threats, do we need enterprise-level budgets? The answer is a resounding no.

The UK's Cyber Essentials framework takes everything we learned about systematic security thinking and distills it into five achievable controls that cost less than most businesses spend on coffee.

Insurance companies love it (lower claims), government contracts require it, and it stops 80% of attacks cold.

Enterprise thinking, small business budget. Pull up a chair.

How Corner Shops Can Get White House Security
Cyber Security for Small Businesses | Noel Bradford

After last week's mind-bending dive into White House security with Theresa Payton's insights, you're probably wondering if protecting your business requires government-sized budgets and ex-GCHQ analysts. The answer will surprise you. Monday's episode reveals how the UK's Cyber Essentials framework takes everything we learned about systematic security thinking and makes it achievable for businesses that can't hire situation room experts.

Five controls, 80% protection against real threats, costs less than your monthly coffee budget. From presidential protection to practical implementation. Episode drops Monday morning.

Stop Getting Fooled: A Small Business Guide to "Verify and Never Trust" Security
Cyber Security for Small Businesses | Noel Bradford

When someone who protected the President's digital communications tells you to "verify and never trust," you should probably listen. Former White House CIO Theresa Payton's evolution of Reagan's famous principle isn't just clever wordplay - it's essential survival advice for 2025. Deepfakes can fool video calls, AI perfectly mimics email writing styles, and social engineering has become so sophisticated that even cybersecurity professionals get caught out. When seeing and hearing are no longer believing, systematic verification becomes your primary defense. Here's your step-by-step guide to implementing enterprise-level verification procedures without enterprise-level complexity - or budgets.

The CVE-2025-53770 Crisis: Why Your SharePoint Response Reveals More About Human Psychology Than Technical Competence
Threat Intelligence | Mauven MacLeod

After analyzing the global response to CVE-2025-53770, the critical SharePoint zero-day that's compromised 75+ organizations in 48 hours, I'm convinced this isn't about technical competence.

It's about human psychology. Right now, IT administrators who know their systems are vulnerable (CVSS 9.8) are doing nothing because of normalcy bias, sunk cost fallacy, and optimism bias.

The organizations getting breached aren't those lacking knowledge - they're the ones whose psychology prevents acting on information they already possess. This is a masterclass in how cognitive biases turn manageable security events into disasters.

What the White House CIO Sees That UK SMBs Don't: The Threat Landscape Reality Check
Threat Intelligence | Noel Bradford

The White House CIO has access to threat intelligence that would make UK SMB owners lose sleep for weeks. While British businesses worry about basic phishing, US government analysts are tracking systematic campaigns targeting supply chains, MSPs, and small businesses as stepping stones to bigger targets.

They're seeing patterns you've never heard of: criminal groups spending months mapping your vendor relationships, state actors using SMBs to access critical infrastructure, and ransomware cartels that make the mafia look disorganized.

Here's what America's top cybersecurity official knows about threats heading your way.

Technical Debt Is Economic Suicide: Why Britain Is Building Its Own Digital Downfall
Industry Analysis | Noel Bradford

After investigating technical debt disasters across the UK for over four decades, I've reached an uncomfortable conclusion: we're not just accumulating IT shortcuts, we're systematically building Britain's digital economic collapse.

This week's deep-dive into technical debt revealed a pattern that goes beyond individual business failures. Every "temporary" solution, every deferred security update, every cost-cutting IT decision is another brick in the wall of our national digital vulnerability.

While other nations invest in cyber resilience, Britain optimizes for short-term savings and long-term catastrophe. Pull up a chair for some uncomfortable truths about where this leads.

The Midlands Manufacturing Firm That Technical Debt Murdered
Industry Analysis | Noel Bradford

Pull up a chair for the most preventable business disaster I've investigated this year. A 78-employee Midlands manufacturing firm just got completely destroyed by technical debt they'd been accumulating since 2019.

Six years of "temporary" solutions, unpatched systems, and IT shortcuts created the perfect storm when DarkSide ransomware hit in May 2025.

£2.8 million in losses, 45 redundancies, and business closure within 8 weeks. Every single vulnerability that enabled this attack was documented, known, and fixable for under £50,000.

Instead, they chose to keep bleeding money on maintenance costs until the criminals finished them off. Here's how technical debt murders businesses.

Stop Bleeding Money on Yesterday's Shortcuts
Cyber Security for Small Businesses | Noel Bradford

After this week's deep-dive into technical debt psychology, let's talk about actually fixing the bloody mess. Your "temporary" solutions from 2019 are now permanent vulnerabilities that criminals are actively exploiting.

Every day you delay proper technical debt management, you're bleeding money on maintenance, security patches, and the inevitable breach costs. I've seen £50 million companies destroyed by technical debt they knew existed but couldn't prioritize properly.

Here's your framework for triaging technical debt before it kills your business: assess, prioritize, execute, and maintain. No psychology, no excuses, just practical steps to stop the bleeding.

The Psychology of Technical Debt: Why Smart Teams Make Tomorrow's Security Problems
Mauven MacLeod

After this week's podcast on technical debt and supply chain failures, I want to examine why intelligent, well-meaning IT teams consistently create tomorrow's security disasters.

Technical debt isn't just a coding problem - it's a psychological trap that 78% of UK businesses fall into repeatedly.

We take shortcuts under pressure, defer security updates for stability, and convince ourselves that "temporary" solutions won't become permanent vulnerabilities.

Understanding the cognitive biases behind technical debt accumulation is crucial for breaking the cycle that turns today's quick fixes into next year's ransomware entry points.

M&S vs Co-op: When Technical Debt Meets Operational Agility
Industry Analysis | Noel Bradford

Same criminals. Same tactics. Completely different outcomes. M&S lost £300 million and took 46 days to restore online sales. Co-op faced identical DragonForce attacks but recovered swiftly with minimal disruption.

The difference wasn't sophisticated security - it was operational agility versus accumulated technical debt. M&S drowned in decades of deferred decisions whilst Co-op's modern processes saved them.

This isn't about having perfect systems, it's about building resilience. Wednesday's parliamentary hearing exposed the brutal truth: technical debt cripples businesses, operational agility saves them.

Your choice determines whether you survive like Co-op or take a massive hit like M&S.

Podcast Ep7: Technical Debt - The Digital Quicksand Drowning UK Businesses
Cyber Security for Small Businesses, Podcast | Noel Bradford

M&S lost £300 million because decades of technical debt left them unable to respond to basic social engineering. Co-op faced identical DragonForce attacks but recovered quickly through operational agility. The difference? M&S accumulated digital debt like a hoarder accumulates rubbish, whilst Co-op invested in resilience.

Technical debt isn't just old software - it's every deferred security decision, every "temporary" workaround, every vendor relationship without oversight.

Podcast Episode 7 reveals how your past shortcuts are creating tomorrow's business extinction events. Because criminals don't attack your current systems - they attack your accumulated incompetence.

When Supply Chain Incompetence Meets Parliamentary Scrutiny (And Why Technical Debt Will Finish the Job)
Noel Bradford

Wednesday's parliamentary hearing was brutal. M&S Chairman Archie Norman squirming whilst explaining how criminals cost his company £300 million through basic social engineering. McDonald's serving up 64 million job seekers to potential identity thieves.

Both disasters show the same pattern: years of deferred security investments creating systematic vulnerabilities.

This isn't sophisticated hacking, it's criminal exploitation of corporate incompetence. M&S had no cyber attack plan despite £20 billion revenue.

McDonald's couldn't secure a chatbot. Technical debt isn't theoretical anymore. It's destroying billion-pound companies through preventable security failures. Wake up or get destroyed.

Shadow IT Isn't the Problem - It's the Symptom of Everything Wrong with Business Technology
Industry Analysis | Noel Bradford

After 40 years watching this bloody circus, this week's Shadow IT investigation revealed the most uncomfortable truth in business technology: unauthorized applications aren't the problem. They're proof that our entire industry has systematically failed small businesses through decades of vendor greed and procurement theatre. Seventeen project management tools because enterprise solutions are unusable garbage. £127k unauthorized spending because we sold them digital dumpster fires. Communication chaos because "professional" platforms are professionally useless. Employees aren't criminals - they're heroes solving problems we should have fixed twenty years ago. Shadow IT is the symptom. Enterprise software vendor arrogance is the disease.


⚠️ Full Disclaimer

This is my personal blog. The views, opinions, and content shared here are mine and mine alone. They do not reflect or represent the views, beliefs, or policies of:

  • My employer

  • Any current or past clients, suppliers, or partners

  • Any other organisation I’m affiliated with in any capacity

Nothing here should be taken as formal advice — legal, technical, financial, or otherwise. If you’re making decisions for your business, always seek professional advice tailored to your situation.

Where I mention products, services, or companies, that’s based purely on my own experience and opinions — I’m not being paid to promote anything. If that ever changes, I’ll make it clear.

In short: This is my personal space to share my personal views. No one else is responsible for what’s written here — so if you have a problem with something, take it up with me, not my employer.