What's the most expensive cost-saving decision you can make? Firing your hotel doorman and replacing him with an automatic door. Saves you £35,000 a year in salary, costs you £200,000 in lost revenue because your hotel just became ordinary. This isn't about hotels. It's about every IT budget cut I've seen in the last 40 years. New episode drops today: The Doorman Fallacy, or How to Accidentally Destroy Your Business Whilst Congratulating Yourself on Efficiency Gains. Featuring examples that will
All right folks, buckle in. Last Monday, the planet just got schooled yet again in why we've put all our digital eggs in one totally cracked basket. AWS US-EAST-1 region had a DNS hiccup and half the world's internet decided it was nap time. Snapchat, Venmo, even the app that tells you if your cat's used the loo, all snuffed out. Why does a digital sneeze in Virginia take out customer payments in Edinburgh? And here's the kicker: this is the third major outage in five years for the same bloody r
Security vendors are playing you for fools, and they're getting rich doing it. Every week I watch UK business owners waste £20,000 on "comprehensive cybersecurity platforms" when they needed £5,000 of basic IT security. The industry deliberately muddies the difference between InfoSec, CyberSec, and IT Security because confused customers pay premium prices for inappropriate solutions. Meanwhile, 50% of small businesses were breached in 2025, proving that expensive confusion doesn't equal protecti
Security vendors are playing you for fools, and they're getting rich doing it. Every week I watch UK business owners waste £20,000 on "comprehensive cybersecurity platforms" when they needed £5,000 of basic IT security. The industry deliberately muddies the difference between InfoSec, CyberSec, and IT Security because confused customers pay premium prices for inappropriate solutions. Meanwhile, 50% of small businesses were breached in 2025, proving that expensive confusion doesn't equal protecti
Every week I talk to UK business owners who've just spent £20,000 on "comprehensive cybersecurity platforms" when they needed £5,000 worth of basic IT security. Or they've paid consultants to develop "enterprise information security frameworks" for 15-person companies that can't keep Windows updated. The security industry profits from keeping you confused about InfoSec versus CyberSec versus IT Security. This week's episode cuts through the bollocks to explain what each term actually means, what
Schools don't need expensive enterprise solutions to improve cybersecurity - they need practical, accessible guidance. The NCSC Cyber Assessment Framework provides exactly that: free, non-technical guidance designed specifically for schools with limited budgets. It covers user access control, incident management, and supply chain security in accessible language. Start with quick wins: enable MFA for everyone, conduct a GitHub repository audit, rotate all credentials organization-wide. The CAF is
Only 30% of schools have Multi-Factor Authentication enabled, but the reality is worse than that statistic suggests. Many schools have "partial MFA" - enabled for head teachers and SENCOs but not teaching assistants or admin staff. From a security perspective, everyone with access needs MFA, or you're not protected. The challenge? Phone-based authenticator apps conflict with safeguarding policies that ban phones near children. Hardware security keys offer the solution. FIDO2-certified tokens fro
September 1st, 2025 marked a fundamental shift in UK education: cybersecurity officially became a safeguarding issue under the Keeping Children Safe in Education guidance. Paragraph 144 explicitly links cyber security to safeguarding responsibilities, meaning schools can no longer dismiss security as "just an IT problem." This changes everything from a compliance perspective. When framed as "keeping children safe" rather than "good IT security," schools respond differently. Governors now have st
When the Chancellor, three Cabinet Ministers, the NCSC CEO, and the Director General of the National Crime Agency personally co-sign a letter to UK business leaders, you don't ignore it. The NCSC just reported 204 nationally significant cyber incidents, with 18 highly significant attacks marking a 50% increase for the third consecutive year. Marks & Spencer lost over £300 million. A healthcare attack contributed to a patient death. Empty shelves appeared in supermarkets. The government has g
The Kido nursery breach exposed 8,000 children's data in September 2025, but the attack vector reveals a critical lesson for schools: this wasn't sophisticated hacking. Security researchers discovered a publicly accessible GitHub repository containing API credentials in plain text. The kido-kidssafe/myskio-api repository had the "keys to the kingdom visible in the clear." Two 17-year-olds were arrested in Hertfordshire, but the real story is how preventable this breach was. Schools must audit th
This is the complete insider threat action plan for small businesses. Start with the non negotiables. Enable MFA on email and cloud apps. Audit who has access to what. Test your backups and prove you can restore. Then build. Roll out a password manager. Separate admin from day to day accounts. Turn on activity alerts and review them weekly. Segment guest, IoT and finance. Add EDR. Finish with drills, metrics, and monthly reviews. Do your leaders model the right behaviour? Do people know who to c
Most security assessments fail small businesses. They ask the wrong questions or drown you in paperwork. You need a fast test that flags real risk and gives clear next steps. Start with five pillars. Access control. Authentication. Activity monitoring. Data protection. Incident response. Score each with simple questions. Fix the lowest pillar first. Turn on MFA. Remove excess access. Enable login alerts. Test restores. Write a one page incident plan. Track progress monthly with a few metrics. Do
A teenager extorted 2.85 million dollars from PowerSchool. A student in Iowa ran a grade change business with pocket keyloggers. UK schools lost days of teaching to ransomware. None of this needed elite tools. It needed access, weak controls, and time. That is your wake up call. Do you know what your vendors hold about you? Do you keep more data than you need? Could someone walk up and plug in a device? Layer simple controls. Use MFA. Limit access. Monitor for odd activity. Test restores. Plan f
Small businesses do not need theory. They need controls that block real attacks without new headcount. Start with MFA. It is included in Microsoft 365 and Google Workspace. It kills password reuse and shoulder surfing. Apply least privilege. Split admin from day to day use. Roll out a business password manager. Turn on sign in alerts that flag odd times and places. Test backups with the 3 2 1 rule and keep one copy offline. Segment guest, IoT and finance. These steps are cheap and proven. Will y
Curiosity, access, and a careless password shaped my career. At sixteen I learned the simplest attack works best. I watched a teacher type admin123! and saw the whole network open up. No exploits. Just human nature. That is the insider threat in plain sight. People bypass clumsy controls to get work done. Do your policies help or hinder? Make secure the easy path with least privilege, SSO, MFA, logging, and coaching. Treat incidents as data, not drama. Channel curiosity before it goes undergroun
Windows 11 25H2 landed on 30 September 2025, and you're probably ignoring it because "it's just another update." Wrong. This is Microsoft finally removing the attack surfaces ransomware gangs have been exploiting for years. PowerShell 2.0? Gone. WMIC? Gone. Both are documented malware vectors that criminals use to bypass your security. The update weighs 200KB for existing 24H2 systems. One restart. Done. Enterprise editions get 36 months of support. But you're still on 23H2, aren't you? Your sup
The Kido International ransomware attack represents cybersecurity's darkest moment. Eight thousand children's photos, addresses, medical records, and safeguarding notes were stolen and posted online by the Radiant gang. Hackers then called parents directly, demanding they pressure the nursery to pay. This wasn't just a data breach, it was a calculated attack on the most vulnerable data imaginable. After 40 years in cybersecurity, this crosses every line. But here's the terrifying truth: the same
Security fails when it fights how people work. Most breaches are not villains. They are good staff blocked by bad design. The ICO shows students guessed weak passwords or read them off notes. The lesson is simple. If the secure path is slow, people route around it. Make secure the easy choice. Use single sign on. Use MFA that is one tap. Give safe tools for sharing files. Build trust so people report mistakes. Review real behaviour, not policy fantasy. Do your controls help work or hinder it? If
Insider threats are not shadowy hackers. They are people already inside your walls. The ICO found students caused most school data breaches by guessing weak passwords or reading them off sticky notes. They were not breaking in. They were logging in. Sound familiar? If a teenager can bypass controls, what would a bored employee try next? Audit access today. Turn on multi factor authentication. Stop forcing impossible passwords people write down. Log activity on sensitive systems. Train for curios
Enough theory. Time for action. Here's your step-by-step plan to move from "Dave does everything" to sustainable IT support that won't collapse when Dave finally reaches breaking point. Start tomorrow.
