⭐100K+ Monthly Downloads
⭐Top 20 Apple Management
The Small Business Cyber Security Guy
Welcome to the blog and podcast, where we share brutally honest views, sharp opinions, and lived experience from four decades in the technology trenches. Whether you're here to read or tune in, expect no corporate fluff and no pulled punches.
Everything here is personal. These are my and the team's thoughts, opinions forged in the heat of battle, and not those of our employers, clients, or any other professional with whom we are associated.
If you’re offended, take it up with us, not them.
What you’ll get here (and on the podcast):
Straight-talking advice for small businesses that want to stay secure
Honest takes on cybersecurity trends, IT malpractice, and vendor nonsense
The occasional rant — and yes, the occasional expletive
War stories from the frontlines (names changed to protect the spectacularly guilty)
I've been doing this for over 40 years. I’ve seen genius, idiocy, and everything in between. Some of it makes headlines, and most of it should.
This blog and the podcast are where we break it all down.
Grab a coffee and pull up a chair, you need to see this!
Four Game-Changing Cyber Stories in One Episode
The acting head of America's cybersecurity agency just uploaded government secrets to ChatGPT. Meanwhile, a Dublin IT manager discovered £18,000 worth of unused incident response services sitting in his cyber insurance policy. Passkeys can eliminate phishing attacks completely. And those viral Trump cloud cartoons? They're exposing the infrastructure dependency crisis threatening UK businesses. Four critical cybersecurity stories. Three expert guests. 45 minutes that could transform how your business approaches security. This isn't your typical cybersecurity podcast. Listen now.
January 2026 Patch Tuesday: New Year, New Nightmares for SMB Security
Microsoft’s January 2026 Patch Tuesday delivered 114 updates and 3 zero-days – with SharePoint Toolshell, Fortinet VPN bypass, and HPE OneView RCE leading the charge. This isn’t theoretical. Attackers are already exploiting these in the wild. From Adobe Acrobat to Apple’s WebKit spyware holes, no vendor was spared. SMB IT teams, you’re on the clock. Here’s your no-fluff, brutally honest patching guide.
Personal Accountability for Directors: UK Government Shows Private Sector What's Coming
The UK Government is to implement personal director accountability for cyber risk in the public sector. Logically, the private sector is next. What directors need to know now.
The UK Government Finally Admits It: Its Cyber Security Is Critically Broken - The Numbers Are Shocking
UK Government's shocking admission: cyber risk critically high, 28% legacy systems vulnerable, 2030 targets unachievable. The numbers are damning.
Passkeys Implementation for UK SMBs: The Complete Technical Guide to Deploying Phishing-Resistant Authentication in 2026
You've read the threat intelligence. You understand AITM attacks. Now you need to actually deploy passkeys without breaking everything. This is the technical guide your IT person needs: Microsoft 365 integration steps, device compatibility requirements, troubleshooting the inevitable issues, and realistic timelines for businesses that can't afford downtime during authentication migration.
Your MFA Is Being Bypassed Right Now: The 146% Surge in Attacks Nobody's Talking About
You've got MFA turned on. Authenticator app, text codes, the lot. You think you're protected. Now picture this: your finance director clicks a legitimate-looking link, signs in, approves the MFA request like always, and boom—an attacker just stole her session token. Full access to Microsoft 365. No more MFA prompts needed. Welcome to 2026, where adversary-in-the-middle attacks surged 146% in the past year. Nearly 40,000 incidents daily. Your traditional MFA? Doing precisely nothing to stop them. Time to talk about phishing-resistant authentication before your competitor gets breached instead of you.
Your First Cyber Risk Register: 2-Hour Implementation Guide with Template
Create your first cyber risk register in 2 hours. No consultant needed.
Step 1: Identify five specific risks (phishing, ransomware, insider threats are mandatory for all UK SMEs).
Step 2: Assess likelihood using real government statistics (85% phishing, 43% breach rate).
Step 3: Document impact including business closure potential (28% of SMEs).
Step 4: List current controls with verification dates.
Step 5: Calculate residual risk scores.
Step 6: Specify additional controls with costs.
Step 7: Assign board-level owners.
Step 8: Create quarterly review schedule.
Total time: 2 hours creation plus 30 minutes quarterly.
Eight hours annually to manage business-ending risks. Template included.
The Psychology of Risk Denial: Why Smart People Convince Themselves They're Too Small to Matter
Why do intelligent board members hear "43% of UK businesses got breached" and think "that won't happen to us"? It's not stupidity; it's psychology. Optimism bias makes us believe bad things happen to others. Present bias makes tomorrow's disaster less urgent than today's deadline.
Availability heuristic makes personal experience trump statistics. Illusion of control makes certificates feel like protection.
Normalcy bias treats "it hasn't happened yet" as evidence. Dunning-Kruger creates confident ignorance. Graham Falkner demonstrated all these biases on Episode 31. Understanding this psychology changes how you present cyber risk to boards.
Facts alone don't work. Systematic bias dismantling does.
The Risk Register Argument - When Your Co-Host Says You're Wrong About Governance
Graham Falkner told me before recording that small businesses don't need formal cyber risk registers. By the end of Episode 31, he'd completely changed his mind.
UK government data shows only 27% of businesses have board-level cyber security responsibility, down from 38% in 2021. Meanwhile, 43% got breached and 28% of SMEs say a single attack could put them out of business. The evidence is overwhelming. Risk registers aren't bureaucracy - they're systematic thinking applied to survival.
This episode documents Graham's complete conversion from skeptic to believer, and challenges every UK board to create a risk register this week.
The Devices You Forgot Were Computers - IoT Security for Small Business
What if I told you the biggest cyber threat to your business isn't hackers, but your office printer? Sounds mad, right? That's what a 30-person marketing agency thought before someone accessed their client files for weeks through an HP printer with factory default credentials. Episode 30 reveals the devices everyone forgets are computers: printers storing documents, CCTV systems livestreaming your premises, thermostats providing network access. Currently Top 12 in Apple Podcasts Management category worldwide with 3,500 daily downloads. Thirty episodes making cybersecurity almost entertaining whilst being brutally honest. Listen now. Check your printer later. You'll understand why.
Reverse Benchmarking: Why Studying Cyber Failures Beats Copying Best Practices
Most people copy what the big players do and call it a cyber strategy. That works for them. It probably kills you. This episode flips the script. Instead of worshipping best practice, we dissect the car crashes.
Target, Equifax, Colonial Pipeline and SolarWinds. We ask one question: what actually went wrong, and have you quietly made the same mistakes in your own business?
If you run a UK small or mid-sized firm and feel lost in security buzzwords, this is your shortcut. Learn from other people's disasters before you become the next case study. Your future self will approve.
Why Personal Accountability Changes Everything: The Psychology of Director Liability
After two days discussing frameworks and technical standards, let's examine why personal accountability actually works when corporate fines consistently fail. The psychology is fascinating and explains decades of regulatory success and failure.
When British Airways faced a £20 million fine, nobody lost their job. When HSE prosecutes directors, workplace safety transforms overnight. The difference isn't the amount of money. It's whose money gets spent and whose freedom gets threatened. Human psychology responds very differently to personal consequences versus corporate abstractions.
The Three-Tier Cybersecurity Liability Framework: What It Means for Your Business
Yesterday's podcast proposed criminal liability for cybersecurity negligence. Today, we're dismantling the three-tier framework piece by piece so you know exactly where your business stands. Tier One protects small businesses with explicit gross negligence thresholds and Cyber Essentials safe harbour. Tier Two raises the bar for medium organisations whilst maintaining proportionate standards. Tier Three brings genuine consequences for large enterprises and public sector bodies that still can't implement MFA. This isn't fear-mongering. It's showing you precisely what reasonable care looks like at every business size so you can demonstrate compliance before anyone asks.
Prison Time for Directors? Part 2: Building the UK Cybersecurity Accountability Framework
Yes, you read that correctly. Prison time for directors who allow catastrophic cybersecurity failures. Before you close this tab in horror, hear me out. We already send directors to prison for health and safety failures. Workplace fatalities dropped 85% after the Health and Safety Executive got proper enforcement powers. The ICO? They send sternly worded letters whilst breaches affecting millions go unpunished. Today, Mauven and I lay out exactly what a proper UK cybersecurity enforcement regime would look like - one that protects small businesses whilst holding negligent executives accountable. Pull up a chair.
Designing the Corporate Cyber Negligence Act (What Accountability Looks Like)
This week, we established why directors should face criminal prosecution for gross cybersecurity negligence. We examined the Synnovis case where a patient died because free MFA was not enabled. We provided technical analysis, psychological examination, and practical implementation guides. Saturday's opinion piece argued forcefully for criminal liability. Next week, we move from "why" to "how."
What would a Corporate Cyber Negligence Act actually say? What are the thresholds between bad luck and criminal negligence? How do we protect small businesses while targeting genuine negligence? What defences exist? How would enforcement work? We are designing the solution. Join us Monday.
Enough. It Is Time to Send Negligent Directors to Prison for Cyber Failures.
I am tired of watching preventable disasters kill people while executives walk away with bonuses intact.
A patient died because Synnovis did not enable free multi-factor authentication. Nobody will face criminal prosecution.
If a construction director failed to provide hard hats and a worker died, that director would go to prison.
Yet when healthcare executives fail to enable free security controls and a patient dies, nothing happens. This is not justice. This is not accountability.
This is a broken system that treats cybersecurity negligence as an acceptable cost of doing business. It needs to stop. Here is why directors should face prison time for gross cyber negligence.
Should Directors Face Prison Time for Cybersecurity Negligence?
On 3 June 2024, a patient arrived at a London hospital A&E feeling unwell. A blood test was ordered. The patient waited. The medics waited. They all waited some more. The patient died. Why? Ransomware had shut down blood testing at Synnovis, the NHS pathology provider.
The security control that would have stopped it? Multi-factor authentication. Completely free. Built into every platform. The consequences for executives who chose not to enable it?
Nothing. In this episode, we ask the uncomfortable question: what if directors faced prison time for gross cybersecurity negligence, just like they do for health and safety failures?
November 2025 Patch Tuesday: A Perfect Storm of Critical Vulnerabilities Demands Immediate Action
Four zero-days. One perfect 10.0 severity score. Hundreds of thousands of sites already compromised.
Criminals are exploiting Exchange Servers, Magento shops, and Oracle ERP systems right now - whilst you're reading this. SAP's vulnerability was so bad they deleted the entire component rather than fix it. WordPress sites are falling to a plugin bug that shouldn't exist. And that's just November.
Your patching strategy just became a lot more urgent.
Graham Falkner breaks down what to patch first:
Ofcom's Secret VPN Surveillance: When Britain Embraced the Authoritarian Playbook
Ofcom admits it is monitoring VPN use across Britain with a secret AI tool and unnamed data sources. That should worry any small business that relies on encrypted links for daily work. The tool cannot tell a secure office connection from someone dodging age checks. Section 121 still sits in law, ready to force scanning of encrypted chats. Does that sound like a free internet to you? Document your use. Keep your controls tight. Ask your MP why this is acceptable. Do you want regulators watching your privacy tools without showing their maths? Will you push back today? Act now.
Another UK SME Wastes £20k on 'Comprehensive CyberSec': Still Gets Breached
Security vendors are playing you for fools, and they're getting rich doing it. Every week I watch UK business owners waste £20,000 on "comprehensive cybersecurity platforms" when they needed £5,000 of basic IT security.
The industry deliberately muddies the difference between InfoSec, CyberSec, and IT Security because confused customers pay premium prices for inappropriate solutions. Meanwhile, 50% of small businesses were breached in 2025, proving that expensive confusion doesn't equal protection.
Time to understand what these terms actually mean, what they really cost, and which approach keeps your business alive instead of just enriching consultants.
Stop getting fleeced.
⚠️ Full Disclaimer
This is my personal blog. The views, opinions, and content shared here are mine and mine alone. They do not reflect or represent the views, beliefs, or policies of:
My employer
Any current or past clients, suppliers, or partners
Any other organisation I’m affiliated with in any capacity
Nothing here should be taken as formal advice — legal, technical, financial, or otherwise. If you’re making decisions for your business, always seek professional advice tailored to your situation.
Where I mention products, services, or companies, that’s based purely on my own experience and opinions — I’m not being paid to promote anything. If that ever changes, I’ll make it clear.
In short: This is my personal space to share my personal views. No one else is responsible for what’s written here — so if you have a problem with something, take it up with me, not my employer.