I have watched this exact disaster unfold five times in 40 years. Personal computers in the eighties. BYOD in the 2010s. Cloud migrations that nobody secured. SaaS tools that HR adopted without telling IT. And now AI agents that can read your email, execute commands on your machine, and send data anywhere, installed by employees who thought they were being productive. OpenClaw is not the problem. OpenClaw is the symptom. The problem is that every time a shiny new technology appears, businesses adopt it first and think about security never. This time the cycle is measured in weeks, not years.

The Data (Use and Access) Act just went live on 5 February, and if you're only hearing about it now, you're not alone. The commencement regulations were published two days before the provisions kicked in. That's the government's idea of adequate notice. Guest contributor Kathryn Renaud cuts through the panic with something actually useful: four repeatable workflows for DSARs, complaints, cookies, and automated decisions that any UK SMB can build this week with tools they already own. No expensive software. No consultant fees. Just structure, ownership, and documented processes. Read this before the ICO comes knocking.

Your business just plugged an AI chatbot into its website, an AI assistant into email, or a coding copilot into your dev team. Congratulations.

You may have just installed a backdoor. A landmark research paper from Bruce Schneier, Ben Nassi, and their colleagues has mapped a full malware kill chain for AI systems. They call it promptware.

It is not theoretical. Twenty-one documented attacks already cross four or more stages of this kill chain, in live production systems. The NCSC agrees the threat is being catastrophically underestimated. Pull up a chair. This one is going to sting.

Graham here. Microsoft dropped six actively exploited zero-days on us yesterday, three of them publicly disclosed before the patch even landed. That means attackers had working exploits before you had fixes.

Three bypass your security warnings entirely. One gives SYSTEM access through Remote Desktop Services. CrowdStrike confirmed active abuse in the wild. Meanwhile, SAP shipped a CVSS 9.9 code injection flaw and Adobe patched 44 vulnerabilities across nine products.

If your patching approval process takes longer than 48 hours, you are giving attackers a documented, step-by-step guide to your network. Here is what to patch first.

Russia's Sandworm hacking group just attempted the largest cyber attack on Poland's energy infrastructure in years, deploying custom wiper malware called DynoWiper against 30 wind farms, solar installations, and a heat plant serving half a million people. The attack failed, but only barely. The NCSC is now warning UK critical infrastructure operators to act immediately. If you think nation-state attacks on power grids are somebody else's problem, think again. Every UK business sitting in those supply chains just became a potential stepping stone for the next Sandworm operation.

UK Government's shocking admission: cyber risk critically high, 28% legacy systems vulnerable, 2030 targets unachievable. The numbers are damning.

You've got MFA turned on. Authenticator app, text codes, the lot. You think you're protected. Now picture this: your finance director clicks a legitimate-looking link, signs in, approves the MFA request like always, and boom—an attacker just stole her session token. Full access to Microsoft 365. No more MFA prompts needed. Welcome to 2026, where adversary-in-the-middle attacks surged 146% in the past year. Nearly 40,000 incidents daily. Your traditional MFA? Doing precisely nothing to stop them. Time to talk about phishing-resistant authentication before your competitor gets breached instead of you.

Remember that fun photo booth snap at your mate’s wedding? The one where you’re pulling faces with the bridesmaids? It’s been sitting on an unprotected server for the past three weeks, accessible to anyone who could count to 1,000. Hama Film, an Australian photo booth company with operations in the UAE and United States, spent months exposing customer photos through a security flaw so basic it makes WannaCry look sophisticated. No authentication. No rate-limiting. Just pure, unfiltered incompetence serving up private moments to anyone curious enough to look. And they’re still not fixing it properly.