The UK Online Safety Act has been live for 48 hours and it's already the most spectacular digital disaster since Internet Explorer. VPN usage surged 1,400%, teenagers are using Death Stranding screenshots to bypass age verification, and Ofcom is reduced to sending strongly worded letters to companies that ignore them entirely. We've created a surveillance regime that doesn't protect children, doesn't stop harmful content, and can be defeated by PlayStation screenshots. This isn't child protectio
Right, let's address the elephant in every small business owner's mind after last week's White House security episode: if we're facing enterprise-level threats, do we need enterprise-level budgets? The answer is a resounding no. The UK's Cyber Essentials framework takes everything we learned about systematic security thinking and distills it into five achievable controls that cost less than most businesses spend on coffee. Insurance companies love it (lower claims), government contracts require
After last week's mind-bending dive into White House security with Theresa Payton's insights, you're probably wondering if protecting your business requires government-sized budgets and ex-GCHQ analysts. The answer will surprise you. Monday's episode reveals how the UK's Cyber Essentials framework takes everything we learned about systematic security thinking and makes it achievable for businesses that can't hire situation room experts. Five controls, 80% protection against real threats, costs l
When someone who protected the President's digital communications tells you to "verify and never trust," you should probably listen. Former White House CIO Theresa Payton's evolution of Reagan's famous principle isn't just clever wordplay - it's essential survival advice for 2025. Deepfakes can fool video calls, AI perfectly mimics email writing styles, and social engineering has become so sophisticated that even cybersecurity professionals get caught out. When seeing and hearing are no longer b
After analyzing the global response to CVE-2025-53770, the critical SharePoint zero-day that's compromised 75+ organizations in 48 hours, I'm convinced this isn't about technical competence. It's about human psychology. Right now, IT administrators who know their systems are vulnerable (CVSS 9.8) are doing nothing because of normalcy bias, sunk cost fallacy, and optimism bias. The organizations getting breached aren't those lacking knowledge - they're the ones whose psychology prevents acting on
The White House CIO has access to threat intelligence that would make UK SMB owners lose sleep for weeks. While British businesses worry about basic phishing, US government analysts are tracking systematic campaigns targeting supply chains, MSPs, and small businesses as stepping stones to bigger targets. They're seeing patterns you've never heard of: criminal groups spending months mapping your vendor relationships, state actors using SMBs to access critical infrastructure, and ransomware cartel
After investigating technical debt disasters across the UK for over four decades, I've reached an uncomfortable conclusion: we're not just accumulating IT shortcuts, we're systematically building Britain's digital economic collapse. This week's deep-dive into technical debt revealed a pattern that goes beyond individual business failures. Every "temporary" solution, every deferred security update, every cost-cutting IT decision is another brick in the wall of our national digital vulnerability.
Pull up a chair for the most preventable business disaster I've investigated this year. A 78-employee Midlands manufacturing firm just got completely destroyed by technical debt they'd been accumulating since 2019. Six years of "temporary" solutions, unpatched systems, and IT shortcuts created the perfect storm when DarkSide ransomware hit in May 2025. £2.8 million in losses, 45 redundancies, and business closure within 8 weeks. Every single vulnerability that enabled this attack was documented,
After this week's deep-dive into technical debt psychology, let's talk about actually fixing the bloody mess. Your "temporary" solutions from 2019 are now permanent vulnerabilities that criminals are actively exploiting. Every day you delay proper technical debt management, you're bleeding money on maintenance, security patches, and the inevitable breach costs. I've seen £50 million companies destroyed by technical debt they knew existed but couldn't prioritize properly. Here's your framework fo
After this week's podcast on technical debt and supply chain failures, I want to examine why intelligent, well-meaning IT teams consistently create tomorrow's security disasters. Technical debt isn't just a coding problem - it's a psychological trap that 78% of UK businesses fall into repeatedly. We take shortcuts under pressure, defer security updates for stability, and convince ourselves that "temporary" solutions won't become permanent vulnerabilities. Understanding the cognitive biases behin
Same criminals. Same tactics. Completely different outcomes. M&S lost £300 million and took 46 days to restore online sales. Co-op faced identical DragonForce attacks but recovered swiftly with minimal disruption. The difference wasn't sophisticated security - it was operational agility versus accumulated technical debt. M&S drowned in decades of deferred decisions whilst Co-op's modern processes saved them. This isn't about having perfect systems, it's about building resilience. Wednesd
M&S lost £300 million because decades of technical debt left them unable to respond to basic social engineering. Co-op faced identical DragonForce attacks but recovered quickly through operational agility. The difference? M&S accumulated digital debt like a hoarder accumulates rubbish, whilst Co-op invested in resilience. Technical debt isn't just old software - it's every deferred security decision, every "temporary" workaround, every vendor relationship without oversight. Podcast Episo
Wednesday's parliamentary hearing was brutal. M&S Chairman Archie Norman squirming whilst explaining how criminals cost his company £300 million through basic social engineering. McDonald's serving up 64 million job seekers to potential identity thieves. Both disasters show the same pattern: years of deferred security investments creating systematic vulnerabilities. This isn't sophisticated hacking, it's criminal exploitation of corporate incompetence. M&S had no cyber attack plan despit
After 40 years watching this bloody circus, this week's Shadow IT investigation revealed the most uncomfortable truth in business technology: unauthorized applications aren't the problem. They're proof that our entire industry has systematically failed small businesses through decades of vendor greed and procurement theatre. Seventeen project management tools because enterprise solutions are unusable garbage. £127k unauthorized spending because we sold them digital dumpster fires. Communication
Buckinghamshire engineering firm thought they had "pretty good visibility" into their IT environment. DNS monitoring revealed 247 unauthorized cloud services, 43 different communication platforms, and £127,000 annual Shadow IT spending they didn't know existed. Dropbox, Google Drive, OneDrive, iCloud, plus dozens of project management tools, design software subscriptions, and messaging platforms. One week of DNS logs exposed six years of unauthorized software proliferation. The technical impleme
Right, time for some brutal honesty about VPNs. They're not just broken, they're actively dangerous security theatre that's getting businesses destroyed. While you're still pretending that GlobalProtect and Cisco AnyConnect provide meaningful security, criminals are systematically working through every VPN deployment in the UK using the same basic playbook. Ingram Micro lost £136 million because someone misconfigured a VPN firewall. Your "secure" remote access is probably next. Microsoft's alrea
Seven communication platforms. Fifteen employees. £23,000 legal discovery bill when employment tribunal demanded complete records. WhatsApp Business for customers, Slack for projects, Discord for "team building," Signal for "confidential" talks, Telegram for contractors. When they needed to reconstruct one client relationship, conversations were scattered across platforms they couldn't control. Customer satisfaction dropped 40% because every interaction started from zero knowledge. The legal pen
A password of "123456" in 2025, supposedly protecting 64 million people's personal information. McDonald's just handed every UK SMB a masterclass in how vendor incompetence destroys lives. Some security researchers got curious about Mickey Dee's dystopian AI hiring bot, spent 30 minutes guessing obvious passwords, and suddenly had access to every job application ever submitted to the Golden Arches. While McDonald's and their AI vendor Paradox.ai play hot potato with blame, 64 million desperate j
M&S just lost £300 million and Co-op exposed 20 million customer records because some criminal rang their IT help desk, pretended to be an employee, and walked away with the keys to the kingdom. Not sophisticated malware. Not zero-day exploits. A bloody phone call. The parliamentary hearing this week revealed the shocking truth: Britain's biggest retailers have help desk security that wouldn't pass muster at a corner shop. When Archie Norman admits they had "no cyber attack plan" and describ
Microsoft's July 2025 Patch Tuesday just dropped 130 security fixes while most UK SMBs remain blind to 42% of applications running on their networks. From my government cyber experience, this represents a systematic organizational failure: you cannot patch what you cannot see. Critical vulnerabilities in Windows Kernel, BitLocker, and authentication systems require immediate deployment, but Shadow IT applications will break unpredictably. Worse, the buried Secure Boot certificate expiration warning affects
