Why do smart people keep making the same catastrophic mistake? Cut security spending, congratulate themselves on efficiency, watch everything fall apart, spend vastly more recovering. It's not ignorance. It's psychology. Measurable costs are visible, politically defensible, easy to justify cutting. Invisible value is theoretical until it disappears. CFOs get promoted for cutting £50,000 from budgets. Nobody gets promoted for preventing breaches that don't happen. This asymmetry creates systematic bias toward destroying things that actually matter. Weekend reflection on why efficiency theatre keeps winning despite catastrophic costs.

Manchester marketing agency, 28 staff, £2.4M revenue. CFO proposed cutting security training: "£12,000 annually for slides nobody watches." Board agreed. Six months later, junior account manager clicked phishing link in fake client brief. No training meant she didn't recognise warning signs. Credentials stolen, ransomware deployed, three weeks offline. Recovery costs: £190,000. ICO investigation: inadequate training documented.

They saved £12,000 and spent £190,000 learning what training actually prevented. This is a real case, anonymized details, taught me never to treat training as optional expense. Names changed. Mistakes real. Costs actual.

Stop cutting security costs based on gut feel and budget pressure. Start using actual frameworks that calculate downside risk. This practical guide walks you through evaluating any security spending decision: What's the notional function versus actual value? What's the cost of being wrong? What's the expected cost multiplied by probability? What invisible value disappears when you cut this? Includes checklists, decision trees, and real cost calculations for training, MFA, insurance, IT staff, and vendor relationships. Because the British Library's £7 million lesson shouldn't need to be learned individually by every UK business.

They saved £12,000 and spent £190,000 learning what training actually prevented. This is a real case, anonymized details, taught me never to treat training as optional expense. Names changed. Mistakes real. Costs actual.

The British Library decided not to implement MFA on administrator accounts. Their reasoning: "practicality, cost and impact on ongoing programmes." That decision cost them £7 million in recovery, 600GB of staff data dumped on the dark web, and over a year of service disruption. This is Mauven's Take on one of the clearest examples of the doorman fallacy in UK history. When cost-cutting decisions focus narrowly on immediate expense whilst ignoring catastrophic downside risk, you get exactly this result. And before you say "but we're not a major institution," remember: the attack vector works identically on your systems.

I've watched businesses make the same catastrophic mistake for 40 years. They look at security costs through a narrow efficiency lens, define roles by their obvious function, cut them to save money, and completely miss the invisible value. Until it's gone. Then they spend 10 times more fixing what they broke. The doorman fallacy explains every stupid IT decision I've ever seen: training cuts that cost millions in breaches, MFA removal that gifts credentials to attackers, insurance cancellation that leaves businesses exposed, IT staff replacement that destroys institutional knowledge. Stop optimising for obvious functions. Start understanding actual value.

What's the most expensive cost-saving decision you can make? Firing your hotel doorman and replacing him with an automatic door. Saves you £35,000 a year in salary, costs you £200,000 in lost revenue because your hotel just became ordinary. This isn't about hotels. It's about every IT budget cut I've seen in the last 40 years. New episode drops today: The Doorman Fallacy, or How to Accidentally Destroy Your Business Whilst Congratulating Yourself on Efficiency Gains. Featuring examples that will make you uncomfortably aware of past decisions.

This week we explored compliance theatre vs real security. Next week, we're diving into the monthly war zone that every IT team knows: Microsoft's Patch Tuesday roulette where one wrong decision can sink your business.

Monday's podcast takes you inside the 6 PM chaos when UK teams scramble with late-breaking updates, and Tuesday's deep-dive exposes why traditional patch management advice is built for enterprises that don't exist.

Plus, practical survival strategies for when you're fighting attackers who reverse-engineer fixes faster than you can deploy them.

The British Horseracing Authority just got absolutely hammered by ransomware, and frankly, I'm not surprised. Here's an organization that regulates a £1 billion industry, handles medical records for hundreds of jockeys, and oversees one of Britain's most prestigious sporting events. And they fell for the oldest trick in the book: some criminal rang their IT helpdesk, pretended to be an employee, and walked away with the keys to the kingdom. If the people who regulate horse racing can't secure their own stable, what hope do the rest of us have? Pull up a chair.

Your smart home isn't smart: it's a corporate surveillance network that makes the Stasi look like amateurs. While you're asking Alexa about the weather, Amazon's recording everything and building psychological profiles to flog to advertisers.

Your Samsung TV captures 30 screenshots per minute, Google Home logs every conversation, and data brokers are making millions from your family's most intimate moments.

The FBI warns these devices can be hijacked, yet homes everywhere are stuffed with always-listening corporate spies disguised as convenience gadgets. We've voluntarily built our own digital panopticon and called it "smart living." Absolute madness.

Your MSP's favourite remote access tool just got breached. Again. ConnectWise ScreenConnect, the software thousands of managed service providers use to "protect" small businesses, has been hit by yet another cyberattack—this time by suspected state-sponsored hackers. But here's the real scandal: this is the same platform that suffered critical vulnerabilities in 2024, enabling ransomware gangs to turn MSP networks into criminal infrastructure. If your IT provider is still using repeatedly compromised tools while charging you for "enterprise security," you're not getting protection—you're paying for exposure. Time to ask some very uncomfortable questions.

Yes, this is real. Yes, it’s still happening. Businesses in 2025 are still exposing Remote Desktop Protocol (RDP) to the open internet like it’s a perfectly normal thing to do. It’s not. It’s deranged.

It’s like licking a petrol pump and being surprised you got sick. If you’re still running RDP with no VPN, no access controls, no MFA, and no clue , buckle up. This isn’t just a best practice failure.

This is IT malpractice. And if you’re an MSP still recommending it? You should probably stop calling yourself a professional. You’re part of the problem.

Microsoft Teams is the new darling of UK business. It’s chat, calls, meetings, file sharing and productivity all in one app. Unfortunately, it’s also a goldmine for attackers, and they know it.

With the Tycoon 2FA phishing kit now targeting Microsoft 365 users through fake Teams login prompts, criminals are bypassing multifactor authentication in real time. It’s slick. It’s scary.

And worst of all, it works. If your business still believes Teams is “safe because it’s Microsoft,” you’re dangerously behind the curve.

Phishing has moved in. And it brought its own desk chair.

It’s 2025, but some UK councils and NHS departments are still sending confidential data via fax machines.

That’s right. No encryption, no audit trail, just a shrieking relic from the 1980s spewing out safeguarding case notes or your latest blood test results from the GUM clinic into a shared office tray.

With the analogue switch-off looming, this isn’t just old-fashioned, or quaint, it’s reckless. Why the hell are printer manufacturers are still enabling this madness - Looking at you HP, Epson, Xerox et al.

If your council or trust or SMB still faxes, they’re not just behind the times. They’re holding the door wide open to the next data breach.

Think the hackers are your biggest threat? Think again. That smiling MSP rep who promised “complete protection” might just be the reason your business is on its knees.

Ransomware rarely walks in the front door it’s invited through by lazy patching, crap backups, and a culture of "just enough" IT.

From misconfigured firewalls to fake dashboards and vendors more interested in sales than security, this is the real story of how ransomware thrives, enabled by the very people paid to stop it.

If you trust your IT supplier blindly, you might already be compromised.

A ransomware attack just crippled one of the UK’s key cold chain hauliers, leaving thousands of pounds’ worth of meat to rot before it ever reached supermarket shelves. Peter Green Chilled, who proudly promote their “bespoke IT systems,” couldn’t even keep order processing online. The result?

Spoiled stock, supply chain chaos, and radio silence from a company with £25 million in turnover and not a single cybersecurity certification.

This isn’t just an embarrassing IT failure. It’s a wake-up call. If you're still treating cybersecurity like a nice-to-have instead of a must-do, pull up a chair. Because you're not just vulnerable. You're on the menu.

It’s 2025. You’re in a sterile, brightly lit dental surgery — and there it is. A screen glowing with the unmistakable Windows 7 login. The same OS that went end-of-life in 2020. What the actual hell? That PC isn't just a relic — it’s a walking GDPR violation and a ransomware welcome mat.

If your dentist is still running patient records on Windows 7 or even XP, you’re not just risking plaque you’re risking identity theft. Please for the love of all things secure STOP THIS NOW. Before a root canal becomes the least painful part of your visit.

Too many UK businesses trust ISO27001 and SOC 2 to keep them safe. They shouldn’t. These frameworks focus on governance, not enforcement. When ransomware hits or supply chains collapse, it’s always the same gaps: patching failures, lack of segmentation, poor endpoint hygiene.

Cyber Essentials, especially CE+, isn’t a tick-box. It’s the defensive baseline that would have saved countless organisations from disaster.

This article lays out the real problem and preaches the blunt truth: no ISO, no SOC 2, no procurement badge means a thing unless Cyber Essentials or equivalent is tested, verified, and enforced.