The Small Business
Cyber Security Guy
Welcome to my blog and podcast, where I share brutally honest views, sharp opinions, and lived experience from four decades in the technology trenches. Whether you're here to read or tune in, expect no corporate fluff and no pulled punches.
Everything here is personal. These are my thoughts, not those of my employer, clients, or any poor soul professionally tied to me. If you’re offended, take it up with me, not them.
What you’ll get here (and on the podcast):
Straight-talking advice for small businesses that want to stay secure
Honest takes on cybersecurity trends, IT malpractice, and vendor nonsense
The occasional rant — and yes, the occasional expletive
War stories from the frontlines (names changed to protect the spectacularly guilty)
I've been doing this for over 40 years. I’ve seen genius, idiocy, and everything in between. Some of it makes headlines, and most of it should.
This blog and the podcast is where I unpack it all. Pull up a chair.
Five Questions That Reveal Your Business Needs Strategic IT Leadership (And It's Not What You Think)
Most UK businesses think they're fine without strategic IT leadership until they're not. These five diagnostic questions expose the difference between thriving with technology and merely surviving despite it.
Question 1: Are technology decisions made strategically or reactively? If you're replacing servers because they died rather than planned refresh cycles, you need help.
Question 5: Will current systems scale gracefully as you grow? Planning to double in size without considering technology impact is business suicide.
Answer honestly: reactive technology management costs more than strategic guidance. The question isn't whether you need leadership—it's whether you'll get it before competitors do.
£180k CIO vs £25k Fractional: Why Smart UK Businesses Choose the Latter
Full-time CIO in London: £180k-250k annually plus benefits. Fractional CIO: £15k-30k for strategic expertise when you need it.
The mathematics are brutal, but the quality difference might surprise you. Many fractional executives are senior professionals who prefer variety over corporate politics.
You get FTSE 250 CIO experience for a fraction of full-time cost. While your competitors burn budget on executives who spend half their time in meetings, you access strategic guidance scaled to actual needs.
Smart UK businesses are realising that technology leadership isn't about seat time—it's about strategic thinking that drives business results.
Stop Calling Dave from IT, Your CIO (He's Not, and It's Destroying Your Business)
Dave from IT is brilliant at keeping your systems running. But calling him your CIO is like calling your mechanic an automotive engineer.
Most UK small businesses confuse operational IT support with strategic technology leadership, and it's costing them millions. While Dave troubleshoots email issues, real CIOs design five-year technology roadmaps.
The difference? Strategic thinking that aligns technology investments with business objectives. Fractional CIO services deliver genuine C-level expertise for £15k-30k annually versus £180k+ for full-time hiring.
Stop expecting Dave to be everything. Give him the strategic backup he desperately needs.
60% of Small Businesses Don’t Survive Cyberattacks. Are You Listening Yet?
Cybersecurity isn’t just an enterprise issue — it’s a survival issue for UK SMEs. With 96% of attacks aimed at small businesses and 60% of victims closing within six months, the myth of being “too small to hack” is lethal.
This article tears apart the excuses business owners use, reveals the hidden costs of breaches, and explains why simple, affordable defences like Cyber Essentials, patching, MFA, and staff training are the only reason some firms survive. Don’t wait until it’s too late — find out why cybersecurity has become the difference between continuity and closure.
September 2025 Patch Tuesday: Business Risk Assessment and Compliance Timeline
September’s Microsoft Patch Tuesday isn't just another routine update cycle. With 81 vulnerabilities patched including 9 critical flaws, and active exploitation campaigns already targeting SharePoint servers, this represents significant business risk. Cyber Essentials certified organisations have until September 23rd to deploy updates, but waiting 14 days significantly increases risk exposure. The psychological tendency to defer technical updates creates dangerous security gaps. From authentication bypass vulnerabilities to network storage compromise, these aren't theoretical risks: they're operational realities affecting business continuity, regulatory compliance, and cyber insurance validity. Strategic deployment planning starts now.
Think You’re Too Small to Be Hacked? So did the Last 60%
Too many UK small businesses still believe they’re “too small to hack.” It’s the most dangerous myth in business today.
With 96% of cyberattacks targeting SMEs and 60% of victims closing within six months, denial is a death sentence.
This article pulls apart the excuses business owners use, exposes the real-world costs of breaches, and explains why simple, affordable steps like Cyber Essentials, MFA, patching, and staff training are the difference between survival and closure.
Think you’re too small to be hacked? So did the last 60%.
Why Small Businesses Must Rethink Cybersecurity NOW (Before It’s Too Late)
Cybersecurity is not just an enterprise problem. With 96% of attacks targeting small businesses and 60% of victims closing within six months, UK SMEs face a survival crisis.
This article exposes the myths keeping businesses vulnerable, the real financial impact of attacks, and the role of supply chain risk. It explains why Cyber Essentials and board-level governance are no longer optional, but essential.
Written for directors and leaders, it lays out practical steps to protect your business before it’s too late.
The Massive Lie That’s Killing UK Businesses: Cybersecurity is NOT Just an Enterprise Problem
Cybersecurity is not just an enterprise problem. With 96% of attacks targeting small businesses and 60% of victims closing within six months, UK SMEs face a survival crisis. This article exposes the myths keeping businesses vulnerable, the real financial impact of attacks, and the role of supply chain risk. It explains why Cyber Essentials and board-level governance are no longer optional, but essential. Written for directors and leaders, it lays out practical steps to protect your business before it’s too late.
60% of Small Businesses Die After Cyberattacks – Are You Next?
Sixty per cent of small businesses don’t survive a cyberattack. That’s not a scare tactic, it’s a reality. UK SMBs are under siege, targeted in 96% of attacks because criminals know you’re under-protected and overconfident. This post rips apart the myth that cybersecurity is “only an enterprise problem” and shows how MSP malpractice, human error, and supply chain risk are leaving businesses exposed.
Most importantly, it lays out the simple, affordable steps like Cyber Essentials that block 95% of attacks. Because once the breach hits, it’s already too late.
The UK Government's Ransomware Gambit: Why Your SMB Just Became a Bigger Target
The UK Government's July 2025 consultation response commits to implementing world-leading ransomware legislation by late 2026.
Three key proposals include payment bans for public sector/CNI, universal 72-hour incident reporting, and government pre-approval for private sector payments.
This will dramatically increase ransomware targeting of SMBs as criminals pivot from restricted sectors to easier private targets.
Cyber Essentials: The £300 Security Framework That Actually Works (And How to Get It Without Going Mental)
After Monday's podcast revelation that government cybersecurity frameworks can actually make sense, let's talk implementation reality. Cyber Essentials costs £320-600 for self-assessment, takes 2-4 weeks of focused effort, and genuinely stops 80% of attacks targeting UK SMBs.
But here's what the NCSC won't tell you: most businesses discover massive security gaps during the assessment process. I've guided dozens through certification, and the pattern is always the same.
"We thought we were secure" becomes "bloody hell, how were we not breached already?" Pull up a chair, this is going to be educational.
Still Letting Your Help Desk Reset MFA? Scattered Spider Says Thanks
Your help desk just became your biggest security liability. Scattered Spider criminals are ringing UK support teams, impersonating executives, and convincing staff to reset multi-factor authentication. Within hours, they're inside your network deploying DragonForce ransomware.
The July 2025 IC3/CISA advisory exposes how these English-speaking social engineers are systematically destroying businesses through basic phone manipulation.
If your Tier 1 support can reset MFA without proper verification, you've built a fortress with no gate. Time to wake up before the 2:47am call telling you everything's encrypted.
It’s Cheaper to Be Defensive: Why Waiting for a Breach Is the Most Expensive Mistake You’ll Ever Make
Three out of four UK businesses admit they’d break the law to pay a ransomware gang, proving they’re not prepared — they’re desperate.
This hard-hitting article exposes the brutal truth behind the PR Newswire findings and dismantles the myth that cybersecurity is too expensive. It’s not. What’s expensive is losing your business, your data, and your reputation.
We break down why defensive investment is always cheaper than recovery, what leaders are doing wrong, and how to fix it before disaster strikes.
If you're gambling on hope instead of hard controls, this is your wake-up call. Prevention isn’t optional. It’s survival.
The Psychology of Cyber Essentials: Why Smart People Make Terrible Security Decisions
Hello, Mauven here. After Monday's podcast and yesterday's technical deep-dive, I want to tackle the elephant in the room: if Cyber Essentials is so brilliant, why do smart business owners avoid it like a tax audit?
The answer isn't ignorance or stubbornness - it's human psychology. Our brains evolved to make quick survival decisions, not manage enterprise cybersecurity frameworks.
We're fighting millions of years of evolution with documentation requirements and compliance deadlines.
Understanding this psychology is the key to implementing security that actually works in the real world, not just in government guidance documents.
Cyber Essentials Deep Dive: Five Controls That Actually Work
After Monday's podcast revelation that government frameworks can actually make sense, let's dive deep into the five Cyber Essentials controls that provide enterprise-level protection without enterprise-level budgets. Boundary firewalls, secure configuration, access control, malware protection, and patch management.
Five areas that stop 80% of attacks against 80% of small businesses 80% of the time. That's a lot of eighties, but the maths works.
These aren't theoretical controls dreamed up by bureaucrats who think cybersecurity means installing antivirus and hoping for the best. They're battle-tested defences based on actual attack analysis.
The Online Safety Act: Digital Dictatorship Disguised as Child Protection
The UK Online Safety Act has been live for 48 hours and it's already the most spectacular digital disaster since Internet Explorer. VPN usage surged 1,400%, teenagers are using Death Stranding screenshots to bypass age verification, and Ofcom is reduced to sending strongly worded letters to companies that ignore them entirely.
We've created a surveillance regime that doesn't protect children, doesn't stop harmful content, and can be defeated by PlayStation screenshots. This isn't child protection - it's digital authoritarianism disguised as safety theatre. Pull up a chair to the circumvention party.
Cyber Essentials: When Government Frameworks Actually Make Sense
Right, let's address the elephant in every small business owner's mind after last week's White House security episode: if we're facing enterprise-level threats, do we need enterprise-level budgets? The answer is a resounding no.
The UK's Cyber Essentials framework takes everything we learned about systematic security thinking and distills it into five achievable controls that cost less than most businesses spend on coffee.
Insurance companies love it (lower claims), government contracts require it, and it stops 80% of attacks cold.
Enterprise thinking, small business budget. Pull up a chair.
How Corner Shops Can Get White House Security
After last week's mind-bending dive into White House security with Theresa Payton's insights, you're probably wondering if protecting your business requires government-sized budgets and ex-GCHQ analysts. The answer will surprise you. Monday's episode reveals how the UK's Cyber Essentials framework takes everything we learned about systematic security thinking and makes it achievable for businesses that can't hire situation room experts.
Five controls, 80% protection against real threats, costs less than your monthly coffee budget. From presidential protection to practical implementation. Episode drops Monday morning.
Stop Getting Fooled: A Small Business Guide to "Verify and Never Trust" Security
When someone who protected the President's digital communications tells you to "verify and never trust," you should probably listen. Former White House CIO Theresa Payton's evolution of Reagan's famous principle isn't just clever wordplay - it's essential survival advice for 2025. Deepfakes can fool video calls, AI perfectly mimics email writing styles, and social engineering has become so sophisticated that even cybersecurity professionals get caught out. When seeing and hearing are no longer believing, systematic verification becomes your primary defense. Here's your step-by-step guide to implementing enterprise-level verification procedures without enterprise-level complexity - or budgets.
The CVE-2025-53770 Crisis: Why Your SharePoint Response Reveals More About Human Psychology Than Technical Competence
After analyzing the global response to CVE-2025-53770, the critical SharePoint zero-day that's compromised 75+ organizations in 48 hours, I'm convinced this isn't about technical competence.
It's about human psychology. Right now, IT administrators who know their systems are vulnerable (CVSS 9.8) are doing nothing because of normalcy bias, sunk cost fallacy, and optimism bias.
The organizations getting breached aren't those lacking knowledge - they're the ones whose psychology prevents acting on information they already possess. This is a masterclass in how cognitive biases turn manageable security events into disasters.
⚠️ Full Disclaimer
This is my personal blog. The views, opinions, and content shared here are mine and mine alone. They do not reflect or represent the views, beliefs, or policies of:
My employer
Any current or past clients, suppliers, or partners
Any other organisation I’m affiliated with in any capacity
Nothing here should be taken as formal advice — legal, technical, financial, or otherwise. If you’re making decisions for your business, always seek professional advice tailored to your situation.
Where I mention products, services, or companies, that’s based purely on my own experience and opinions — I’m not being paid to promote anything. If that ever changes, I’ll make it clear.
In short: This is my personal space to share my personal views. No one else is responsible for what’s written here — so if you have a problem with something, take it up with me, not my employer.