All Articles

332 articles · Page 2 of 17

The Bank of England Just Told You Your Financial Sector Can't Do Basic Cybersecurity. Again.

Industry Analysis

The Bank of England runs live cyberattack simulations on the UK's most critical financial institutions every year. Real attacks, on live systems, designed by intelligence analysts who know exactly how sophisticated threat actors operate. The 2025 results are in. Weak passwords. Overly permissive access controls. Systems that haven't been patched. Staff who hand over credentials when asked convincingly. Third year running. Same findings. If the institutions that hold your money, process your payr

March Patch Tuesday 2026: No Zero-Days, No Excuses

Threat Intelligence

Microsoft shipped March 2026 Patch Tuesday on 10 March with no actively exploited zero-days. And I can already hear the conversation in the finance department: "Quiet month, push it to next quarter." Wrong. This month's release covers six Windows elevation-of-privilege flaws that Microsoft itself rates as Exploitation More Likely, a critical Excel bug that can hijack Copilot Agent to exfiltrate data with near zero user interaction, and two Office remote code execution issues that fire through th

Why SMBs Draw Their Cyber Essentials Scope Around the Comfortable Parts

Compliance & Risk Management

After years observing how organisations navigate security certification, I have reached a fairly uncomfortable conclusion: most scope failures in Cyber Essentials are not technical errors. They are decisions. Somebody looked at the full picture of what should be in scope, felt the weight of what that would require, and drew the line somewhere more manageable. I understand the impulse. I have watched it play out at every scale. But CE v3.3 closes the ambiguities that made that line defensible. An

Cyber Essentials v3.3: Every Change That Matters for UK Small Businesses in 2026

Compliance & Risk Management

Cyber Essentials v3.3 is not a wholesale rewrite. It's a precision instrument for closing the loopholes that UK SMBs have been quietly exploiting for years. Cloud services you can't exclude anymore. MFA that has to cover everyone, not just the IT manager. A 14-day patching window that applies to vendor config changes, not just Windows Update. Scope documents that have to reflect your actual IT estate rather than the tidy fiction you'd prefer. Here is every material change, translated into what y

Your Attacker Already Knows Which Box You Picked

Small Business Security

There's a philosophy thought experiment from the 1960s that explains, better than any threat report I've read, exactly why reactive security is a trap. It's called Newcomb's Paradox. A near-perfect predictor places money in two boxes. Grab both and you walk away with £1,000. Grab just one and you walk away with a million. Except the decision was made before you walked in the room. Your attackers work the same way. They've already run their reconnaissance. They've already decided what kind of tar

Russian Hackers Are Silently Reading Your WhatsApp Messages Right Now

Threat Intelligence

Hello, Mauven here. Yesterday, Dutch military and domestic intelligence confirmed what European security agencies have been circling for weeks: Russian state-sponsored hackers are running a large-scale global campaign to take over Signal and WhatsApp accounts. Not by breaking the encryption. By asking for the keys. Two governments have now issued formal warnings. Dutch officials have confirmed their own employees are among the victims. And the attack method is devastatingly simple. If your busin

Cyber Essentials v3.3: Your Badge Might Already Be Lying for You

Compliance & Risk Management

If you're flashing a Cyber Essentials badge on your website but couldn't explain the difference between Willow and Danzell without Googling it, you're not certified. You're exposed. One awkward question from a big customer, an insurer, or a regulator and that logo goes from asset to evidence. In Season 2 Episode 10 of The Small Business Cyber Security Guy, Noel Bradford, Graham Falkner, and Lucy Harper walk through every material change in CE v3.3: scope rules, cloud scoping, FIDO2, the 14-day p

Suspect a Breach? Act Now: A Practical UK SMB Playbook

Small Business Security

Most of the real damage from a data breach does not happen during the initial compromise. It happens in the scramble afterwards. Someone panics and wipes a server. Someone else coordinates the response through the email account that is already compromised. A well-meaning manager posts on social media before anyone understands what happened. The first hour determines whether this becomes a bad day you recover from or a business-ending week you do not. This playbook walks you through exactly what

UK Data Enforcement Is Structurally Broken. The Currys’ Case Proves It. Let's Stop Pretending Otherwise.

Nine years. Half a million pounds. Zero victim compensation. Lawyers billing on both sides for the best part of a decade. A regulator declaring "significant victory" while 14 million people's limitation periods quietly expired. The Currys DSG saga is not an edge case or an administrative anomaly. It is a precise and accurate picture of how UK data enforcement actually works. This is my verdict: the system is structurally broken, everyone in the industry knows it, and the comfortable fiction that

What Happened to the 14 Million People the Currys’ Breach Left Behind

Industry Analysis

Darren Warren asked for five thousand pounds for the distress of having his data stolen from Currys' tills. The High Court struck most of his claim out. Meanwhile, specialist law firms ran "Were you affected by the Currys breach?" campaigns, then quietly closed their books without any settlement. The Court of Appeal confirmed in February 2026 that DSG absolutely had a duty to protect that data. By then, most claimants' limitation periods had expired. This is the story of how 14 million people en

Attackers Aren't Hacking In. They're Logging In. Here's the Data.

Threat Intelligence

I spent time with Mauven this week working through the Unit 42 Global Incident Response Report 2026. Seven hundred and fifty incident response engagements. Fifty-plus countries. Real cases. The headline statistic, 89% of investigations involving identity as a material factor, is striking. But it's not the number that should concern you most. It's what that number tells us about where organisations are spending their security budgets versus where attackers are actually operating. They are not in

Your Four-Control Playbook: The Basic Security Measures Currys’ Was Missing (And How to Implement Them This Afternoon)

Small Business Security

Malware sat on 5,390 Currys tills for nine months. Nobody noticed. That is not a sophisticated nation-state attack. That is a basic monitoring failure. The ICO called the missing controls "basic, commonplace security measures." In plain English: this was avoidable. If you run a small or medium-sized business and you process payment data, hold customer records, or manage staff information, this week's practical guide gives you four specific controls to implement. No expensive tooling. No consulta

The ICO Called It a "Significant Victory". Try Telling That to 14 Million People Who Got Nothing.

Industry Analysis

The ICO's General Counsel called the Currys Court of Appeal ruling "a significant victory." And in strict legal terms, she is right. Lord Justice Warby's judgment closes a dangerous loophole and clarifies that personal data must be assessed from the controller's perspective. But while the lawyers celebrate, roughly 14 million people are sitting with expired limitation periods and no compensation route. The legal system confirmed DSG was in the wrong at the precise moment most victims could no lo

Your Wi-Fi Guest Network Is a Lie

Threat Intelligence

Last week, researchers proved something that should make every small business owner put down their coffee. Your Wi-Fi guest network, the one you set up so visitors don't touch your business systems, doesn't actually protect you. A new attack called AirSnitch lets anyone already on your network spy on every device connected to the same physical router, regardless of which network name they joined, regardless of whether you're running WPA2 or WPA3. Every single router tested failed. Here's what it

Is a Card Number Personal Data? The Court of Appeal Has Answered. Here Is What Your Business Needs to Do with That Answer.

Compliance & Risk Management

In September 2024, a UK tribunal concluded that 5.6 million stolen card records might not constitute personal data. The argument was structural, not frivolous. Hackers who cannot identify individuals from card numbers alone are not, the Upper Tribunal suggested, processing personal data. The Court of Appeal corrected that in February 2026. Lord Justice Warby's ruling establishes a clean and reusable test: you assess whether data is personal from the controller's perspective, not the attacker's.

Three and a Half Pence Per Victim: The Currys’ Breach, Nine Years of Legal Theatre, and What Your Business Must Learn

Industry Analysis

Darren Warren asked for five thousand pounds in compensation for the distress of having his data stolen from Currys' tills. The High Court struck most of his claim out. Meanwhile, specialist law firms ran "Were you affected by the Currys breach?" campaigns, then quietly closed their books without any settlement. The Court of Appeal confirmed in February 2026 that DSG absolutely had a duty to protect that data. By then, most claimants' limitation periods had expired. This is a case study in how 1

Your Encryption Isn't Protecting You. Microsoft Just Proved It.

Compliance & Risk Management

In early 2026, the FBI served Microsoft with a search warrant. Microsoft handed over the BitLocker encryption keys for three laptops. No hack. No breach. No compromised passwords. Just a warrant, and Microsoft's compliance. Here is what nobody in UK small business is talking about: those same default settings that allowed this are almost certainly running on your devices right now. And the legal mechanism that made it possible, the US CLOUD Act, reaches across the Atlantic directly into your Mic

Europe Is Leaving. The UK Is Sleepwalking. And Nobody in Charge Seems Bothered.

Industry Analysis

France banned Zoom and Teams from government. Germany is migrating 30,000 workstations to open source and saving €15 million a year. The Dutch Parliament demanded exit strategies from US cloud. Switzerland declared US cloud unsuitable for government data. The UK has produced no sovereign cloud strategy, no government migration programme, no regulatory enforcement on CLOUD Act exposure, and no explicit guidance for commercial organisations. Noel Bradford, with 40-odd years of watching the UK IT e

Your Amazon Driver Just Did a Better Penetration Test Than Your IT Company

Small Business Security

An Amazon driver just delivered the most useful security lesson of 2026 and he charged absolutely nothing for it. While trying to drop off a parcel, he couldn't find a safe place, so he thought laterally, worked out the code to a locked shed, left the parcel inside, and then wrote a note explaining exactly how he got in. He documented the breach. He filed the report. He even ticked the compliance checkbox. Your IT company just got shown up by a bloke in a high-vis jacket. The question is: are yo

Switzerland Said No. The UK Said Hold My Beer. The Palantir Case Study Every Business Owner Needs to Read.

Industry Analysis

Switzerland's military commissioned a 20-page risk assessment of Palantir's software. The findings were blunt: data held by Palantir could be accessed by the American government, leaks could not be technically prevented, and the Army would become dependent on Palantir specialists. The recommendation was unambiguous: consider alternatives. Neutral Switzerland quietly walked away. The United Kingdom looked at the same company and gave them more than £900 million in contracts across the NHS, Minist
