You've read the threat intelligence. You understand AITM attacks. Now you need to actually deploy passkeys without breaking everything. This is the technical guide your IT person needs: Microsoft 365 integration steps, device compatibility requirements, troubleshooting the inevitable issues, and realistic timelines for businesses that can't afford downtime during authentication migration.
You've got MFA turned on. Authenticator app, text codes, the lot. You think you're protected. Now picture this: your finance director clicks a legitimate-looking link, signs in, approves the MFA request like always, and boom—an attacker just stole her session token. Full access to Microsoft 365. No more MFA prompts needed. Welcome to 2026, where adversary-in-the-middle attacks surged 146% in the past year. Nearly 40,000 incidents daily. Your traditional MFA? Doing precisely nothing to stop them.
Remember that fun photo booth snap at your mate’s wedding? The one where you’re pulling faces with the bridesmaids? It’s been sitting on an unprotected server for the past three weeks, accessible to anyone who could count to 1,000. Hama Film, an Australian photo booth company with operations in the UAE and United States, spent months exposing customer photos through a security flaw so basic it makes WannaCry look sophisticated. No authentication. No rate-limiting. Just pure, unfiltered incompete
If you run a small or medium-sized business in the UK, the government just sent you a message: you are on your own. The November 2025 Cyber Security and Resilience Bill protects hospitals and power grids. It does not protect you. Of 5.5 million UK SMBs, exactly zero gained new cybersecurity protection. This was deliberate policy. Meanwhile, 43% of UK businesses experienced breaches last year, costing an average £3,550 per incident. Germany took a different approach—and it works. This article giv
Directors should face criminal prosecution for cyber security negligence. The HSE precedent proves personal criminal liability transforms director behaviour. Before HSE had teeth, workplace deaths were common. After directors faced imprisonment, safety transformed. Civil liability isn't working for cyber security: 73% of businesses lack board responsibility despite 43% breach rates and 28% closure risk. Friday's case study showed £3.337 million loss preventable with £90 investment. Proposed: Cri
March 2024: UK manufacturing company with £18 million turnover lost £2.4 million to business email compromise. Finance director phished, email credentials stolen (no MFA), attacker monitored for two weeks, sent fraudulent payment instruction from compromised account, major client processed payment overseas. Total immediate costs £3.337 million. Company survived through private equity investment that diluted family ownership from 100% to 23%. Managing director resigned. Eight redundancies. What w
Create your first cyber risk register in 2 hours. No consultant needed. Step 1: Identify five specific risks (phishing, ransomware, insider threats are mandatory for all UK SMEs). Step 2: Assess likelihood using real government statistics (85% phishing, 43% breach rate). Step 3: Document impact including business closure potential (28% of SMEs). Step 4: List current controls with verification dates. Step 5: Calculate residual risk scores. Step 6: Specify additional controls with costs. Step 7: A
Why do intelligent board members hear "43% of UK businesses got breached" and think "that won't happen to us"? It's not stupidity; it's psychology. Optimism bias makes us believe bad things happen to others. Present bias makes tomorrow's disaster less urgent than today's deadline. Availability heuristic makes personal experience trump statistics. Illusion of control makes certificates feel like protection. Normalcy bias treats "it hasn't happened yet" as evidence. Dunning-Kruger creates confiden
Most cyber risk registers are useless compliance documents. They contain vague descriptions, unverifiable controls, and no honest assessment of likelihood or impact. A working risk register has exactly seven columns: specific risk scenarios, likelihood based on real UK statistics, quantified impacts including business closure potential, verifiable current controls, residual risk ratings, costed additional controls, and named board-level owners. Every UK SME must address five mandatory risks: phi
Apple released iOS 26.2 on 12 December 2025 patching two WebKit zero-day vulnerabilities that were actively exploited before patches existed. Google's Threat Analysis Group discovered CVE-2025-43529 and CVE-2025-14174 being used in sophisticated attacks against targeted individuals. These vulnerabilities allow arbitrary code execution through malicious websites with no user interaction required. The update patches over 20 vulnerabilities total, including a kernel bug allowing root access and an
Graham Falkner told me before recording that small businesses don't need formal cyber risk registers. By the end of Episode 31, he'd completely changed his mind. UK government data shows only 27% of businesses have board-level cyber security responsibility, down from 38% in 2021. Meanwhile, 43% got breached and 28% of SMEs say a single attack could put them out of business. The evidence is overwhelming. Risk registers aren't bureaucracy - they're systematic thinking applied to survival. This epi
Right, I'm done being diplomatic about this. After 40 years watching the same preventable disasters repeat themselves with different technology, I'm calling it: selling network-connected devices with default administrative credentials should be illegal in the UK. Not "discouraged." Not "recommended against." Illegal. With criminal penalties for manufacturers and civil liability for distributors. Pull up a chair. This intervention has been brewing for three decades. The free market has had 30 yea
A 30-person marketing agency in Manchester did everything right. £15,000 invested in proper security: new firewalls, enterprise endpoint protection, hardware authentication keys for every staff member, and even an external security audit that came back clean. They were feeling quite good about themselves. Two months later? Someone had been accessing their client files for weeks through their HP printer that still used admin/admin as credentials. Total costs: £43,400 direct expenses, three lost c
The ICO just fined LastPass £1,228,283 for security failures. Yes, a password manager company, fined for password security failures. The irony would be funny if 1.6 million UK customers hadn't had their data compromised. LastPass allowed senior employees to access corporate vaults from personal devices and let them link business and personal accounts with one master password. When an attacker exploited vulnerable Plex software on an engineer's home computer, they grabbed the keys to everything.
Practical Value: After Monday's podcast about the marketing agency breach through an unsecured printer, the most common question we've received is: "How do I actually do this audit myself?" Fair question. Telling business owners they have a problem is easy. Providing practical steps to fix it is harder. This guide walks you through conducting a comprehensive IoT device audit using free tools. Time investment: 4-6 hours for initial audit. Cost: Free to £200 for network scanning tools. Difficulty:
After this week's podcast revelation about the marketing agency losing client files through an unsecured printer, my inbox has been full of variations on the same question: how do intelligent business owners with otherwise solid security miss something this obvious? The answer isn't comfortable, but it's important: IoT security failures aren't about lack of intelligence. They're about systematic psychological blind spots that affect everyone from small business owners to government departments.
December 2025 Patch Tuesday is supposed to be the quiet cruise into Christmas, right? Instead we got fifty seven vulnerabilities, three zero days and one actively exploited Windows privilege escalation that hits almost every supported build. Add in one hundred and thirty nine Adobe fixes and an awkward five week gap until the next Patch Tuesday in January and you have a perfect festive storm. Are you really happy to leave servers and laptops unpatched while everyone is on holiday, or do you want
Right, let's talk about the £15,000 security investment that just got absolutely destroyed by a £300 office printer. A marketing agency did everything right: new firewalls, endpoint protection, hardware authentication keys for every staff member, security audit came back clean. Two months later? Someone had been accessing their client files for weeks through their HP printer still using admin/admin as credentials. While you've been securing laptops and servers, your printer has full network acce
What if I told you the biggest cyber threat to your business isn't hackers, but your office printer? Sounds mad, right? That's what a 30-person marketing agency thought before someone accessed their client files for weeks through an HP printer with factory default credentials. Episode 30 reveals the devices everyone forgets are computers: printers storing documents, CCTV systems livestreaming your premises, thermostats providing network access. Currently Top 12 in Apple Podcasts Management categ
Right, enough theory. Today we're getting practical: the actual tools, templates, and processes you need to implement reverse benchmarking without spending a fortune. Everything in this guide is either free or costs less than a decent takeaway curry per month. Because I'm sick of "enterprise security" guides that assume unlimited budgets and dedicated staff. This is the real-world, shoestring-budget, one-person-wearing-multiple-hats implementation guide. Asset inventory using Google Sheets: free
