⭐100K+ Monthly Downloads
⭐Top 20 Apple Management
The Small Business Cyber Security Guy
Welcome to the blog and podcast, where we share brutally honest views, sharp opinions, and lived experience from four decades in the technology trenches. Whether you're here to read or tune in, expect no corporate fluff and no pulled punches.
Everything here is personal. These are my and the team's thoughts, opinions forged in the heat of battle, and not those of our employers, clients, or any other professional with whom we are associated.
If you’re offended, take it up with us, not them.
What you’ll get here (and on the podcast):
Straight-talking advice for small businesses that want to stay secure
Honest takes on cybersecurity trends, IT malpractice, and vendor nonsense
The occasional rant — and yes, the occasional expletive
War stories from the frontlines (names changed to protect the spectacularly guilty)
I've been doing this for over 40 years. I’ve seen genius, idiocy, and everything in between. Some of it makes headlines, and most of it should.
This blog and the podcast are where we break it all down.
Grab a coffee and pull up a chair; you need to see this!
Your Encryption Isn't Protecting You. Microsoft Just Proved It.
In early 2026, the FBI served Microsoft with a search warrant. Microsoft handed over the BitLocker encryption keys for three laptops. No hack. No breach. No compromised passwords. Just a warrant, and Microsoft's compliance. Here is what nobody in UK small business is talking about: those same default settings that allowed this are almost certainly running on your devices right now.
And the legal mechanism that made it possible, the US CLOUD Act, reaches across the Atlantic directly into your Microsoft 365 tenancy, your Google Workspace, your entire US-hosted cloud stack. This is your five-step audit. No politics. No theory. Just the checks you need to do this week.
Switzerland Said No. The UK Said Hold My Beer. The Palantir Case Study Every Business Owner Needs to Read.
Switzerland's military commissioned a 20-page risk assessment of Palantir's software. The findings were blunt: data held by Palantir could be accessed by the American government, leaks could not be technically prevented, and the Army would become dependent on Palantir specialists. The recommendation was unambiguous: consider alternatives. Neutral Switzerland quietly walked away.
The United Kingdom looked at the same company and gave them more than £900 million in contracts across the NHS, Ministry of Defence, policing, nuclear weapons support, and border planning. Same company. Same risks. Opposite conclusions. This is the case study every UK business owner needs to read.
Your Cloud Stack Is Not Just Stationery: The Bet Your Business Made Without Realising It
You did not set out to build US-centric infrastructure. You just bought what was on page one of Google. Email, documents, calendars, chat, CRM, help desk, backups, monitoring: all US-owned, all subject to US law, all chosen on price and convenience without a single conversation about jurisdictional risk. Mauven MacLeod explains why your 30-person firm has made exactly the same strategic bet as the NHS and the Ministry of Defence, why "it is just stationery" stopped being true about five years ago, and what one awkward question on your next vendor call can change.
The CLOUD Act and Your UK Business: The Unquantified Legal Risk Nobody Is Testing
The US CLOUD Act gives American courts the power to compel any US technology company to hand over your data, regardless of whether it sits in a London data centre or a bunker in Wyoming. UK GDPR Article 48 says foreign court orders do not make that transfer lawful. No UK court has tested this conflict. No ICO enforcement action has targeted it. The NCSC does not mention it by name. Corrine Jefferson, our resident intelligence analyst, dissects the legal contradiction sitting quietly in the middle of your Microsoft 365 tenant, and explains why "it's encrypted" is not the answer you think it is.
That Cheap Router on Your Desk? The US Just Called It a National Security Threat.
That TP-Link router you bought because it was £40 cheaper than the alternatives? Two days ago, the state of Texas sued the manufacturer for allegedly handing the Chinese Communist Party access to Americans' devices.
A US federal ban is on the table. Sixteen thousand routers worldwide have already been conscripted into a Chinese state-sponsored attack network. And the UK? Doing absolutely nothing.
This isn't paranoia. This is documented, court-filed, backed-by-three-US-federal-departments reality. Here's what you need to know, and what you need to do, before this becomes your problem.
Switzerland Rejected Palantir. The UK Gave It the Keys to Everything.
I used to work in US government intelligence. I now live in London. Those two facts make me uniquely uncomfortable about Palantir's expanding presence across the British state. In December 2024, Switzerland's military concluded that data held by Palantir could be accessed by the American government and that leaks "cannot be technically prevented." Their recommendation was unambiguous: find alternatives. The UK's response to the same evidence has been to award Palantir more than £900 million in contracts spanning health records, defence operations, policing, and nuclear weapons systems. The reality is this: those are not compatible positions.
US Cloud Sovereignty Isn't a Trump Problem, It's a Three-Company Problem: Why UK SMBs Need to Understand Infrastructure Dependency
You've seen the memes. Trump is controlling cloud providers like puppets. Trump is literally unplugging Europe from US infrastructure.
They're viral because they touch a nerve about something real: UK businesses run on American infrastructure controlled by American laws. But the political framing misses the actual problem.
This isn't about any particular president or administration. This is about 15 years of infrastructure consolidation, creating structural dependency that predates and will outlast any political cycle.
Let's dissect what those images actually represent, why they're simultaneously right and wrong, and what UK SMBs need to understand about where their data actually lives.
When Your Firewall Vendor Starts Dropping Weekly CVEs
Your firewall vendor just announced another critical vulnerability. Last week brought two more. Last month? Six. When does "routine security update" become a vendor reliability crisis that threatens your business?
For UK SMBs running Fortinet or SonicWall, the CISA Known Exploited Vulnerabilities catalogue tells an uncomfortable story: your perimeter security is under active, documented attack. This isn't vendor marketing or compliance theatre.
This is your board-level "do we stay or do we leave" conversation, backed by evidence, decision frameworks, and a migration playbook that won't destroy your operations. Time to score your vendor.
Your Photo Booth Uploaded Every Picture to the Internet: The Hama Film Security Theatre
Remember that fun photo booth snap at your mate’s wedding? The one where you’re pulling faces with the bridesmaids? It’s been sitting on an unprotected server for the past three weeks, accessible to anyone who could count to 1,000. Hama Film, an Australian photo booth company with operations in the UAE and United States, spent months exposing customer photos through a security flaw so basic it makes WannaCry look sophisticated. No authentication. No rate-limiting. Just pure, unfiltered incompetence serving up private moments to anyone curious enough to look. And they’re still not fixing it properly.
ConnectWise ScreenConnect: The MSP Tool That Keeps Getting Hacked (And Why Your IT Provider Won't Tell You)
Your MSP's favourite remote access tool just got breached. Again. ConnectWise ScreenConnect, the software thousands of managed service providers use to "protect" small businesses, has been hit by yet another cyberattack—this time by suspected state-sponsored hackers. But here's the real scandal: this is the same platform that suffered critical vulnerabilities in 2024, enabling ransomware gangs to turn MSP networks into criminal infrastructure. If your IT provider is still using repeatedly compromised tools while charging you for "enterprise security," you're not getting protection—you're paying for exposure. Time to ask some very uncomfortable questions.
⚠️ Full Disclaimer
This is my personal blog. The views, opinions, and content shared here are mine and those of any contributors, and ours alone. They do not reflect or represent the views, beliefs, or policies of:
Our day-job employers
Any current or past clients, suppliers, or partners
Any other organisation we are affiliated with in any capacity
Nothing here should be taken as formal advice — legal, technical, financial, or otherwise. If you’re making decisions for your business, always seek professional advice tailored to your situation.
Where we mention products, services, or companies, that's based purely on our own experiences and opinions — we are not being paid to promote anything. If that ever changes, we'll make it clear.
In short: This is my personal space to share my personal views. No one else is responsible for what’s written here — so if you have a problem with something, take it up with me, not my employer.