⭐100K+ Monthly Downloads

⭐Top 20 Apple Management

The Small Business Cyber Security Guy


Welcome to the blog and podcast, where we share brutally honest views, sharp opinions, and lived experience from four decades in the technology trenches. Whether you're here to read or tune in, expect no corporate fluff and no pulled punches.

Everything here is personal. These are my and the team's thoughts, opinions forged in the heat of battle, and not those of our employers, clients, or any other professional with whom we are associated.

If you’re offended, take it up with us, not them.

What you’ll get here (and on the podcast):

  • Straight-talking advice for small businesses that want to stay secure

  • Honest takes on cybersecurity trends, IT malpractice, and vendor nonsense

  • The occasional rant — and yes, the occasional expletive

  • War stories from the frontlines (names changed to protect the spectacularly guilty)

I've been doing this for over 40 years. I’ve seen genius, idiocy, and everything in between. Some of it makes headlines, and most of it should.

This blog and the podcast are where we break it all down.

Grab a coffee and pull up a chair; you need to see this!

Small Business Security | Graham Falkner

How to Use SMB1001 as a Practical Roadmap (Not Just Another Badge): A Step-by-Step Guide for UK Small Businesses

Most small businesses that call their IT company and say "can you just make us secure?" get back either an incomprehensible technical list or a vague proposal with no defined deliverables.

What they rarely get is a structured conversation about where they actually are, where they need to be, and what that journey will cost.

SMB1001's five tiers give you the framework for exactly that conversation. In this practical guide, I'll walk you through how to assess your current position honestly, choose the right target tier, build a costed plan with your IT provider, and know exactly what you're signing when attestation time comes.

Threat Intelligence | Noel Bradford

The Back Button That Broke Companies House: How Five Million Directors Had Their Home Addresses Exposed for Five Months

For five months, anyone with a Companies House login could access the private dashboard of any of the five million registered UK companies. Home addresses. Dates of birth. Email addresses. All the personal data fraudsters need to impersonate a director, open accounts in your company's name, or reroute your banking. Not by hacking. Not by sophisticated exploit. By pressing the back button. That is the entirety of the technical skill required. The government body responsible for the UK's corporate register sat on this vulnerability from October 2025 until 13 March 2026. If you are a company director, read this now.

Compliance & Risk Management | Noel Bradford

SMB1001: What Each Tier Actually Demands of Your Business (And Where It Gets Complicated)

Bronze means firewalls and backups.

Silver means individual accounts and MFA on email.

Gold means EDR, DMARC, and a proper incident response plan.

Platinum means someone actually checks your work.

Diamond means you pay ethical hackers to break in and find the holes before real criminals do.

That's the SMB1001 ladder in five sentences.

The marketing version stops there. The version I'm giving you today includes the bit where the standard contradicts NCSC guidance on passwords, the director accountability trap most businesses walk straight into, and exactly how much this all costs.

Part 2 of Cyber Belts: The SMB1001 Deep Dive.

Compliance & Risk Management | Noel Bradford

You Probably Don't Need Diamond: A Brutally Honest Introduction to SMB1001

There's a new certification in town. Five tiers, Bronze through to Diamond, annual renewal, and a price that starts at £75 a year.

It's called SMB1001, and depending on who's selling it to you, it's either the structured security roadmap your business has been waiting for, or the latest badge to stick on the website while Brenda in accounts is still using the same password she's used since 2009.

In this first episode of our Cyber Belts deep-dive series, Graham Falkner, Mauven MacLeod, and I cut through the marketing and tell you exactly what SMB1001 is, and what it isn't.

Threat Intelligence | Noel Bradford

Your Developers Are Being Hunted: The Fake Job Interview Malware Campaign Every UK Business Owner Needs to Know About

Microsoft's Defender Experts published research yesterday on a campaign called Contagious Interview. Attackers pose as recruiters, walk your developers through a convincing fake job interview, then get them to clone and run a malicious code repository. The moment they do, your cloud credentials, API tokens, signing keys, and password manager databases are on their way out the door.

This campaign has been running since at least December 2022. Your developers are the target. Your infrastructure is the prize. And the attack is sophisticated enough that even technically sharp people fall for it. Here is what you need to know.

Threat Intelligence | Graham Falkner

March Patch Tuesday 2026: No Zero-Days, No Excuses

Microsoft shipped March 2026 Patch Tuesday on 10 March with no actively exploited zero-days. And I can already hear the conversation in the finance department: "Quiet month, push it to next quarter." Wrong.

This month's release covers six Windows elevation-of-privilege flaws that Microsoft itself rates as Exploitation More Likely, a critical Excel bug that can hijack Copilot Agent to exfiltrate data with near zero user interaction, and two Office remote code execution issues that fire through the Preview Pane. Quiet months are when attackers catch you napping. Get the cumulative update applied. This week.

Industry Analysis | Corrine Jefferson

The Bank of England Just Told You Your Financial Sector Can't Do Basic Cybersecurity. Again.

The Bank of England runs live cyberattack simulations on the UK's most critical financial institutions every year. Real attacks, on live systems, designed by intelligence analysts who know exactly how sophisticated threat actors operate.

The 2025 results are in. Weak passwords. Overly permissive access controls. Systems that haven't been patched. Staff who hand over credentials when asked convincingly. Third year running. Same findings. If the institutions that hold your money, process your payroll, and underwrite your insurance can't manage basic cyber hygiene under direct regulatory pressure, you need to ask a harder question: what does your accountant's network look like?

Threat Intelligence | Mauven MacLeod

Russian Hackers Are Silently Reading Your WhatsApp Messages Right Now

Hello, Mauven here. Yesterday, Dutch military and domestic intelligence confirmed what European security agencies have been circling for weeks:

Russian state-sponsored hackers are running a large-scale global campaign to take over Signal and WhatsApp accounts. Not by breaking the encryption.

By asking for the keys. Two governments have now issued formal warnings. Dutch officials have confirmed their own employees are among the victims.

And the attack method is devastatingly simple. If your business uses WhatsApp, and most UK small businesses do, this concerns you directly.

Here is what is happening, how it works, and what you need to do before this afternoon.

Small Business Security | Noel Bradford

Your Attacker Already Knows Which Box You Picked

There's a philosophy thought experiment from the 1960s that explains, better than any threat report I've read, exactly why reactive security is a trap. It's called Newcomb's Paradox.

A near-perfect predictor places money in two boxes. Grab both and you walk away with £1,000. Grab just one and you walk away with a million.

Except the decision was made before you walked in the room. Your attackers work the same way. They've already run their reconnaissance.

They've already decided what kind of target you are. The question is: what did they see when they looked? Noel Bradford explains.

Threat Intelligence | Corrine Jefferson

Attackers Aren't Hacking In. They're Logging In. Here's the Data.

I spent time with Mauven this week working through the Unit 42 Global Incident Response Report 2026. Seven hundred and fifty incident response engagements. Fifty-plus countries. Real cases. The headline statistic, 89% of investigations involving identity as a material factor, is striking.

But it's not the number that should concern you most. It's what that number tells us about where organisations are spending their security budgets versus where attackers are actually operating.

They are not in the same place. That gap is the problem. And it is one that UK small businesses are exceptionally well-positioned to close, if they choose to.

Small Business Security | Graham Falkner

Your Four-Control Playbook: The Basic Security Measures Currys Was Missing (And How to Implement Them This Afternoon)

Malware sat on 5,390 Currys tills for nine months. Nobody noticed. That is not a sophisticated nation-state attack. That is a basic monitoring failure. The ICO called the missing controls "basic, commonplace security measures." In plain English: this was avoidable.

If you run a small or medium-sized business and you process payment data, hold customer records, or manage staff information, this week's practical guide gives you four specific controls to implement.

No expensive tooling. No consultancy contract.

Just the controls that would have stopped the DSG breach in its tracks, adapted for a business your size.

Threat Intelligence | Noel Bradford

Your Wi-Fi Guest Network Is a Lie

Last week, researchers proved something that should make every small business owner put down their coffee. Your Wi-Fi guest network, the one you set up so visitors don't touch your business systems, doesn't actually protect you. A new attack called AirSnitch lets anyone already on your network spy on every device connected to the same physical router, regardless of which network name they joined, regardless of whether you're running WPA2 or WPA3. Every single router tested failed. Here's what it means, explained without the jargon, and what you need to do before your next client walks through the door.

Compliance & Risk Management | Corrine Jefferson

Your Encryption Isn't Protecting You. Microsoft Just Proved It.

In early 2026, the FBI served Microsoft with a search warrant. Microsoft handed over the BitLocker encryption keys for three laptops. No hack. No breach. No compromised passwords. Just a warrant, and Microsoft's compliance. Here is what nobody in UK small business is talking about: those same default settings that allowed this are almost certainly running on your devices right now.

And the legal mechanism that made it possible, the US CLOUD Act, reaches across the Atlantic directly into your Microsoft 365 tenancy, your Google Workspace, your entire US-hosted cloud stack. This is your five-step audit. No politics. No theory. Just the checks you need to do this week.

Industry Analysis, Opinion & Analysis | Noel Bradford

Europe Is Leaving. The UK Is Sleepwalking. And Nobody in Charge Seems Bothered.

France banned Zoom and Teams from government. Germany is migrating 30,000 workstations to open source and saving €15 million a year. The Dutch Parliament demanded exit strategies from US cloud. Switzerland declared US cloud unsuitable for government data.

The UK has produced no sovereign cloud strategy, no government migration programme, no regulatory enforcement on CLOUD Act exposure, and no explicit guidance for commercial organisations.

Noel Bradford, with 40-odd years of watching the UK IT establishment make the same mistakes on repeat, asks the question nobody in Whitehall wants to answer: when did we decide that digital independence was somebody else's problem?

Small Business Security | Noel Bradford

Your Amazon Driver Just Did a Better Penetration Test Than Your IT Company

An Amazon driver just delivered the most useful security lesson of 2026 and he charged absolutely nothing for it. While trying to drop off a parcel, he couldn't find a safe place, so he thought laterally, worked out the code to a locked shed, left the parcel inside, and then wrote a note explaining exactly how he got in. He documented the breach.

He filed the report. He even ticked the compliance checkbox. Your IT company just got shown up by a bloke in a high-vis jacket. The question is: are you laughing, or are you checking your shed code right now?

Small Business Security | Graham Falkner

Your CLOUD Act Exposure Audit: The Step-by-Step Guide for UK Small Businesses

Every UK business using Microsoft 365, Google Workspace, or any US cloud service has an unassessed CLOUD Act exposure. This guide gives you a step-by-step process to map it: list your vendors, identify your crown jewels, check who controls the encryption keys, fold the findings into your DPIAs, and build a realistic exit plan.

No consultancy fees, no jargon, no panic. One afternoon with your IT lead and a spreadsheet. By Friday you will know exactly where your business sits and what, if anything, you need to change. This is governance, not a technology project.

Small Business Security | Mauven MacLeod

Your Cloud Stack Is Not Just Stationery: The Bet Your Business Made Without Realising It

You did not set out to build US-centric infrastructure. You just bought what was on page one of Google. Email, documents, calendars, chat, CRM, help desk, backups, monitoring: all US-owned, all subject to US law, all chosen on price and convenience without a single conversation about jurisdictional risk. Mauven MacLeod explains why your 30-person firm has made exactly the same strategic bet as the NHS and the Ministry of Defence, why "it is just stationery" stopped being true about five years ago, and what one awkward question on your next vendor call can change.

Compliance & Risk Management | Corrine Jefferson

The CLOUD Act and Your UK Business: The Unquantified Legal Risk Nobody Is Testing

The US CLOUD Act gives American courts the power to compel any US technology company to hand over your data, regardless of whether it sits in a London data centre or a bunker in Wyoming. UK GDPR Article 48 says foreign court orders do not make that transfer lawful. No UK court has tested this conflict. No ICO enforcement action has targeted it. The NCSC does not mention it by name. Corrine Jefferson, our resident intelligence analyst, dissects the legal contradiction sitting quietly in the middle of your Microsoft 365 tenant, and explains why "it's encrypted" is not the answer you think it is.

Threat Intelligence | Noel Bradford

That Cheap Router on Your Desk? The US Just Called It a National Security Threat.

That TP-Link router you bought because it was £40 cheaper than the alternatives? Two days ago, the state of Texas sued the manufacturer for allegedly handing the Chinese Communist Party access to Americans' devices.

A US federal ban is on the table. Sixteen thousand routers worldwide have already been conscripted into a Chinese state-sponsored attack network. And the UK? Doing absolutely nothing.

This isn't paranoia. This is documented, court-filed, backed-by-three-US-federal-departments reality. Here's what you need to know, and what you need to do, before this becomes your problem.

Compliance & Risk Management | Noel Bradford

We Have Made This Exact Mistake Before. Every. Single. Time.

I have watched this exact disaster unfold five times in 40 years. Personal computers in the eighties. BYOD in the 2010s. Cloud migrations that nobody secured. SaaS tools that HR adopted without telling IT. And now AI agents that can read your email, execute commands on your machine, and send data anywhere, installed by employees who thought they were being productive. OpenClaw is not the problem. OpenClaw is the symptom. The problem is that every time a shiny new technology appears, businesses adopt it first and think about security never. This time the cycle is measured in weeks, not years.


⚠️ Full Disclaimer

This is my personal blog. The views, opinions, and content shared here are mine and those of any contributors, and ours alone. They do not reflect or represent the views, beliefs, or policies of:

  • Our day job employers

  • Any current or past clients, suppliers, or partners

  • Any other organisation we are affiliated with in any capacity

Nothing here should be taken as formal advice — legal, technical, financial, or otherwise. If you’re making decisions for your business, always seek professional advice tailored to your situation.

Where we mention products, services, or companies, that’s based purely on our own experiences and opinions — we are not being paid to promote anything. If that ever changes, we’ll make it clear.

In short: This is my personal space to share my personal views. No one else is responsible for what’s written here — so if you have a problem with something, take it up with me, not my employer.