The Small Business
Cyber Security Guy
Welcome to the blog and podcast, where we share brutally honest views, sharp opinions, and lived experience from four decades in the technology trenches. Whether you're here to read or tune in, expect no corporate fluff and no pulled punches.
Everything here is personal. These are my and the team’s thoughts, not those of our employers, clients, or any poor soul professionally tied to me. If you’re offended, take it up with me, not them.
What you’ll get here (and on the podcast):
Straight-talking advice for small businesses that want to stay secure
Honest takes on cybersecurity trends, IT malpractice, and vendor nonsense
The occasional rant — and yes, the occasional expletive
War stories from the frontlines (names changed to protect the spectacularly guilty)
I've been doing this for over 40 years. I’ve seen genius, idiocy, and everything in between. Some of it makes headlines, and most of it should.
This blog and the podcast is where we unpack it all. Pull up a chair.
Another UK SME Wastes £20k on 'Comprehensive CyberSec': Still Gets Breached
Security vendors are playing you for fools, and they're getting rich doing it. Every week I watch UK business owners waste £20,000 on "comprehensive cybersecurity platforms" when they needed £5,000 of basic IT security.
The industry deliberately muddies the difference between InfoSec, CyberSec, and IT Security because confused customers pay premium prices for inappropriate solutions. Meanwhile, 50% of small businesses were breached in 2025, proving that expensive confusion doesn't equal protection.
Time to understand what these terms actually mean, what they really cost, and which approach keeps your business alive instead of just enriching consultants.
Stop getting fleeced.
InfoSec, CyberSec, IT Security: Vendors Are Selling You the Wrong One on Purpose
Security vendors are playing you for fools, and they're getting rich doing it. Every week I watch UK business owners waste £20,000 on "comprehensive cybersecurity platforms" when they needed £5,000 of basic IT security.
The industry deliberately muddies the difference between InfoSec, CyberSec, and IT Security because confused customers pay premium prices for inappropriate solutions. Meanwhile, 50% of small businesses were breached in 2025, proving that expensive confusion doesn't equal protection.
Time to understand what these terms actually mean, what they really cost, and which approach keeps your business alive instead of just enriching consultants.
Stop getting fleeced.
InfoSec vs CyberSec vs IT Security - Stop Wasting Money on the Wrong Protection
Every week I talk to UK business owners who've just spent £20,000 on "comprehensive cybersecurity platforms" when they needed £5,000 worth of basic IT security. Or they've paid consultants to develop "enterprise information security frameworks" for 15-person companies that can't keep Windows updated. The security industry profits from keeping you confused about InfoSec versus CyberSec versus IT Security. This week's episode cuts through the bollocks to explain what each term actually means, what they really cost, and which one will keep your business alive instead of just making consultants rich. Listen now.
Compliance Alone Is Digital Security Theatre
After decades of watching government departments wave certificates while getting breached,
I'm done pretending compliance equals security. Yes, you need SOC 2 for some contracts. Yes, ISO27001 impresses procurement teams. But if you think those certificates will stop ransomware, you're living in a dangerous fantasy.
I've seen FTSE 100 companies with pristine audit reports get absolutely destroyed by basic phishing attacks.
It's time for some brutal honesty about what compliance actually protects (your contracts) versus what it doesn't (your business). Pull up a chair, this is going to sting.
ISO27001 vs Cyber Essentials (Part 3/3): What Needs to Change For Real
Too many UK businesses trust ISO27001 and SOC 2 to keep them safe. They shouldn’t. These frameworks focus on governance, not enforcement. When ransomware hits or supply chains collapse, it’s always the same gaps: patching failures, lack of segmentation, poor endpoint hygiene.
Cyber Essentials, especially CE+, isn’t a tick-box. It’s the defensive baseline that would have saved countless organisations from disaster.
This article lays out the real problem and preaches the blunt truth: no ISO, no SOC 2, no procurement badge means a thing unless Cyber Essentials or equivalent is tested, verified, and enforced.
⚠️ Full Disclaimer
This is my personal blog. The views, opinions, and content shared here are mine and mine alone. They do not reflect or represent the views, beliefs, or policies of:
My employer
Any current or past clients, suppliers, or partners
Any other organisation I’m affiliated with in any capacity
Nothing here should be taken as formal advice — legal, technical, financial, or otherwise. If you’re making decisions for your business, always seek professional advice tailored to your situation.
Where I mention products, services, or companies, that’s based purely on my own experience and opinions — I’m not being paid to promote anything. If that ever changes, I’ll make it clear.
In short: This is my personal space to share my personal views. No one else is responsible for what’s written here — so if you have a problem with something, take it up with me, not my employer.