Priya spent five months trying to tell someone about the unpatched remote access server. She filed two written reports. She raised it at three consecutive meetings. Meridian Professional Services' planning cycle never made it to that item. Their attackers were less patient.
Another European government department has taken a hit. If you think that is somebody else's problem, think harder. The Dutch Finance Ministry breach is a warning shot for every UK organisation that still believes attackers only care about the big glamorous targets.
This week's podcast raised four questions every small business should be asking. Graham Falkner turns them into a structured half-day process: no consultants, no specialist tools, no new budget. Just one person, a spreadsheet, and the willingness to hear answers you might not like.
Law enforcement landed a hit on Tycoon2FA. Then Tycoon2FA got back up. That should tell you everything you need to know about identity attacks in 2026. If your plan begins and ends with MFA, you are still leaving the door open.
A January 2026 survey found that 75% of UK business leaders who consider cyber their top risk simultaneously doubt their ability to manage one. Corrine Jefferson on what that gap represents, why it persists, and the three conversations to have before the end of this week.
If you have a QNAP router humming away in a cupboard and nobody has looked at it in months, this story is for you. QNAP has patched critical QuRouter flaws, and the bigger issue is not just the bugs. It is the number of businesses that forget the edge device exists until it bites them.
Today's hot cyber security story is not subtle. Citrix has patched a critical NetScaler flaw, NHS England has already put out an alert, and any UK organisation using vulnerable NetScaler kit needs to move now. If your remote access stack includes NetScaler, this is your wake-up call.
A trusted security tool got turned into a thief. That is the part people keep missing. The Trivy supply chain attack is not just a developer story. It is a board level lesson in what happens when your pipeline trusts tags, tokens and wishful thinking.
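The "pipeline trusts tags" point above is a checkable one. The following is an added example, not code from the original post or from the Trivy project: a small Python check that reads a GitHub Actions workflow (the page does not say which CI system was involved, so the GitHub `uses:` syntax is an assumption) and reports every action or image reference that resolves through a mutable tag or branch rather than a full commit SHA or image digest. The sample workflow is constructed for the example.

```python
import re

# Constructed sample workflow (not from the page). It mixes a version tag,
# a branch ref, a 40-hex commit pin, a local action and a floating image tag.
SAMPLE_WORKFLOW = """\
name: ci
on: [push]
jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: some-org/scanner-action@main
      - uses: some-org/scanner-action@0123456789abcdef0123456789abcdef01234567  # pinned
      - uses: ./.github/actions/local-step
      - uses: docker://ghcr.io/example/image:latest
"""

# Capture the value of every `uses:` key; stop at whitespace, quotes or a comment.
USES_RE = re.compile(r"^\s*-?\s*uses:\s*['\"]?([^\s'\"#]+)", re.MULTILINE)
# A full 40-character lowercase hex git commit id.
SHA_RE = re.compile(r"^[0-9a-f]{40}$")


def classify_ref(uses: str) -> str:
    """Classify one `uses:` value as 'local', 'pinned' or 'mutable'.

    'mutable' means whoever controls the upstream repo or registry can change
    what this reference resolves to without any change in your workflow file.
    """
    if uses.startswith("./"):
        return "local"  # lives in your own repo; covered by your own review
    if uses.startswith("docker://"):
        # Only an image digest is immutable; any tag (including :latest) can move.
        return "pinned" if "@sha256:" in uses else "mutable"
    if "@" not in uses:
        return "mutable"  # no ref at all resolves to the default branch
    _, ref = uses.rsplit("@", 1)
    return "pinned" if SHA_RE.match(ref) else "mutable"


def find_unpinned(workflow_text: str) -> list[str]:
    """Return every `uses:` reference in the workflow that is mutable."""
    return [u for u in USES_RE.findall(workflow_text)
            if classify_ref(u) == "mutable"]


if __name__ == "__main__":
    for ref in find_unpinned(SAMPLE_WORKFLOW):
        print(f"unpinned reference: {ref}")
```

Run it against the constructed sample and it flags `actions/checkout@v4`, `some-org/scanner-action@main` and the `:latest` image; the SHA-pinned step and the local action pass. A pinned SHA still needs a comment beside it recording which version it was taken from, otherwise nobody will ever update it.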
58% of UK business leaders rank cyber breaches as their top risk for 2026. Three-quarters doubt their ability to respond when one happens. The gap between those two facts is what's costing UK SMBs an average of £195,000 per incident, and it's not a knowledge problem.
No ransomware. No smashed firewall. No dramatic movie scene. Just a fraudulent invoice, a trusted relationship, and $432,739.21 gone. If you think this cannot happen to your business, you need to read this.
Noel left us unsupervised, two bottles of Prosecco, and a microphone. What followed was a serious conversation about the security vulnerability nobody likes to name: overconfidence. The kind that sounds completely reasonable in a meeting, and has preceded some very expensive afternoons.
Most small businesses that call their IT company and say "can you just make us secure?" get back either an incomprehensible technical list or a vague proposal with no defined deliverables. What they rarely get is a structured conversation about where they actually are, where they need to be, and what that journey will cost. SMB1001's five tiers give you the framework for exactly that conversation. In this practical guide, I'll walk you through how to assess your current position honestly, choose
For five months, anyone with a Companies House login could access the private dashboard of any of the five million registered UK companies. Home addresses. Dates of birth. Email addresses. All the personal data fraudsters need to impersonate a director, open accounts in your company's name, or reroute your banking. Not by hacking. Not by sophisticated exploit. By pressing the back button. That is the entirety of the technical skill required. The government body responsible for the UK's corporate
Bronze means firewalls and backups. Silver means individual accounts and MFA on email. Gold means EDR, DMARC, and a proper incident response plan. Platinum means someone actually checks your work. Diamond means you pay ethical hackers to break in and find the holes before real criminals do. That's the SMB1001 ladder in five sentences. The marketing version stops there. The version I'm giving you today includes the bit where the standard contradicts NCSC guidance on passwords, the director accoun
There's a new certification in town. Five tiers, Bronze through to Diamond, annual renewal, and a price that starts at £75 a year. It's called SMB1001, and depending on who's selling it to you, it's either the structured security roadmap your business has been waiting for, or the latest badge to stick on the website while Brenda in accounts is still using the same password she's used since 2009. In this first episode of our Cyber Belts deep-dive series, Graham Falkner, Mauven MacLeod, and I cut
A week of Cyber Essentials v3.3 done. Scope reviews, cloud scoping rules, MFA for everyone, the 14-day patching window. You now know more about CE than most IT managers I've spoken to this year. Next Monday we zoom out. SMB1001 runs from Bronze to Diamond and was built specifically for small businesses that want a structured security roadmap beyond the CE baseline. It is not a UK government scheme, it does not carry the same procurement weight, and the two frameworks do not map neatly. So the qu
Your Cyber Essentials badge is either a credential or creative writing. There is no third option. If you certified properly, maintained your scope, kept your controls current, and can explain v3.3 to a customer without reaching for Google, it's a credential. If your cert expired six months ago, your scope hasn't been reviewed since the original certification, your cloud services were never in scope, and you couldn't name the five controls under pressure, you're not certified. You're exposed. And
By the time anyone at Meridian Advisory noticed the problem, their Cyber Essentials certificate had been renewed four times. Each renewal had covered the same carefully defined scope: two office servers, the on-premises file share, and about fifteen managed laptops. By 2025, the actual business ran on Microsoft 365, a cloud-based CRM, a remote project management platform, and a VOIP system. None of those were in scope. When a credential-based breach exposed client financial data held in the CRM,
Microsoft's Defender Experts published research yesterday on a campaign called Contagious Interview. Attackers pose as recruiters, walk your developers through a convincing fake job interview, then get them to clone and run a malicious code repository. The moment they do, your cloud credentials, API tokens, signing keys, and password manager databases are on their way out the door. This campaign has been running since at least December 2022. Your developers are the target. Your infrastructure is
Right. Noel and Mauven have told you what's changing in Cyber Essentials v3.3 and why scope failures become legal problems. My job is the bit that comes after: what do you actually do, in what order, with realistic timelines? I have broken this into a 30-60 day plan that works for most UK SMBs, whether you're renewing before 26th April under Willow or preparing for Danzell afterwards. No tools to buy, no consultants to hire for the basics. Mostly time, a spreadsheet, and an honest look at what y