By the time anyone at Meridian Advisory noticed the problem, their Cyber Essentials certificate had been renewed four times. Each renewal had covered the same carefully defined scope: two office servers, the on-premises file share, and about fifteen managed laptops. By 2025, the actual business ran on Microsoft 365, a cloud-based CRM, a remote project management platform, and a VOIP system. None of those were in scope. When a credential-based breach exposed client financial data held in the CRM,
The Bank of England runs live cyberattack simulations on the UK's most critical financial institutions every year. Real attacks, on live systems, designed by intelligence analysts who know exactly how sophisticated threat actors operate. The 2025 results are in. Weak passwords. Overly permissive access controls. Systems that haven't been patched. Staff who hand over credentials when asked convincingly. Third year running. Same findings. If the institutions that hold your money, process your payr
Darren Warren asked for five thousand pounds for the distress of having his data stolen from Currys' tills. The High Court struck most of his claim out. Meanwhile, specialist law firms ran "Were you affected by the Currys breach?" campaigns, then quietly closed their books without any settlement. The Court of Appeal confirmed in February 2026 that DSG absolutely had a duty to protect that data. By then, most claimants' limitation periods had expired. This is the story of how 14 million people en
The ICO's General Counsel called the Currys Court of Appeal ruling "a significant victory." And in strict legal terms, she is right. Lord Justice Warby's judgment closes a dangerous loophole and clarifies that personal data must be assessed from the controller's perspective. But while the lawyers celebrate, roughly 14 million people are sitting with expired limitation periods and no compensation route. The legal system confirmed DSG was in the wrong at the precise moment most victims could no lo
Darren Warren asked for five thousand pounds in compensation for the distress of having his data stolen from Currys' tills. The High Court struck most of his claim out. Meanwhile, specialist law firms ran "Were you affected by the Currys breach?" campaigns, then quietly closed their books without any settlement. The Court of Appeal confirmed in February 2026 that DSG absolutely had a duty to protect that data. By then, most claimants' limitation periods had expired. This is a case study in how 1
France banned Zoom and Teams from government. Germany is migrating 30,000 workstations to open source and saving €15 million a year. The Dutch Parliament demanded exit strategies from US cloud. Switzerland declared US cloud unsuitable for government data. The UK has produced no sovereign cloud strategy, no government migration programme, no regulatory enforcement on CLOUD Act exposure, and no explicit guidance for commercial organisations. Noel Bradford, with 40-odd years of watching the UK IT e
Switzerland's military commissioned a 20-page risk assessment of Palantir's software. The findings were blunt: data held by Palantir could be accessed by the American government, leaks could not be technically prevented, and the Army would become dependent on Palantir specialists. The recommendation was unambiguous: consider alternatives. Neutral Switzerland quietly walked away. The United Kingdom looked at the same company and gave them more than £900 million in contracts across the NHS, Minist
Here's a question that should keep every director awake: what happens when the device meant to protect your network becomes the primary way attackers get in? Between 2023 and now, Fortinet's SSL VPN has been exploited three separate times using the same type of vulnerability. Chinese intelligence services stole configurations from 20,000 organizations worldwide. Cyber insurers charge double the premiums for businesses using Fortinet kit. Yet Fortinet posted 50% revenue growth and continues to do
Nobody wakes up and decides to let patients die through cybersecurity negligence. Yet that is precisely what happened at Synnovis. The executives who failed to enable multi-factor authentication were not cartoon villains. They were educated professionals running a critical healthcare organisation. So why did they make a decision that, in hindsight, seems obviously catastrophic? The answer lies in the psychological mechanisms that allow intelligent people to rationalise terrible choices, the orga
Financial Accountant magazine just published my analysis of the £1.9 billion Jaguar Land Rover cyberattack. But here’s what the article couldn’t cover: the small suppliers who died from JLR’s breach. You didn’t get hacked. Your biggest customer did. You still lost everything. One supplier laid off 40 people because JLR couldn’t place orders for six weeks. Proper security. Good practices. Still went bust. After 40 years in the IT world Intel, Disney, and the BBC, I’ve seen this pattern before. En
Twenty-three employees. Eighteen months. Forty-seven thousand pounds wasted on cloud infrastructure they didn't need, SaaS subscriptions nobody used, and auto-scaling rules designed by a consultant who'd never checked back. This isn't a horror story about a massive enterprise with unlimited budget. This is CloudBridge Digital, a Nottingham digital agency that discovered they'd been hemorrhaging cash while Microsoft, AWS, and a parade of SaaS vendors quietly helped themselves to the company bank
A teenager extorted 2.85 million dollars from PowerSchool. A student in Iowa ran a grade change business with pocket keyloggers. UK schools lost days of teaching to ransomware. None of this needed elite tools. It needed access, weak controls, and time. That is your wake up call. Do you know what your vendors hold about you? Do you keep more data than you need? Could someone walk up and plug in a device? Layer simple controls. Use MFA. Limit access. Monitor for odd activity. Test restores. Plan f
Security fails when it fights how people work. Most breaches are not villains. They are good staff blocked by bad design. The ICO shows students guessed weak passwords or read them off notes. The lesson is simple. If the secure path is slow, people route around it. Make secure the easy choice. Use single sign on. Use MFA that is one tap. Give safe tools for sharing files. Build trust so people report mistakes. Review real behaviour, not policy fantasy. Do your controls help work or hinder it? If
Insider threats are not shadowy hackers. They are people already inside your walls. The ICO found students caused most school data breaches by guessing weak passwords or reading them off sticky notes. They were not breaking in. They were logging in. Sound familiar? If a teenager can bypass controls, what would a bored employee try next? Audit access today. Turn on multi factor authentication. Stop forcing impossible passwords people write down. Log activity on sensitive systems. Train for curios
After yesterday's Kido International ransomware attack, I've spent the night reading through the technical details and regulatory implications. What I'm seeing isn't just disturbing. It's a fundamental shift in how we need to think about protecting sensitive data in British small businesses. Yesterday morning, 18 UK nursery locations woke up to a ransomware attack. The attackers didn't just encrypt systems. They stole the entire database. Names of 8,000 children. Home addresses. Photos. Safeguar
September 2025's Collins Aerospace and JLR cyberattacks weren't just operational disasters - they triggered Europe's first cross-border regulatory crisis under DORA. While aviation experts focused on flight delays, they missed the real story: EU authorities now have direct oversight powers over US companies like Collins Aerospace serving European financial infrastructure. DORA's January 2025 implementation created unprecedented cross-border enforcement mechanisms that most businesses don't under
Three out of four UK businesses admit they’d break the law to pay a ransomware gang, proving they’re not prepared — they’re desperate. This hard-hitting article exposes the brutal truth behind the PR Newswire findings and dismantles the myth that cybersecurity is too expensive. It’s not. What’s expensive is losing your business, your data, and your reputation. We break down why defensive investment is always cheaper than recovery, what leaders are doing wrong, and how to fix it before disaster s
The UK Online Safety Act has been live for 48 hours and it's already the most spectacular digital disaster since Internet Explorer. VPN usage surged 1,400%, teenagers are using Death Stranding screenshots to bypass age verification, and Ofcom is reduced to sending strongly worded letters to companies that ignore them entirely. We've created a surveillance regime that doesn't protect children, doesn't stop harmful content, and can be defeated by PlayStation screenshots. This isn't child protectio
After investigating technical debt disasters across the UK for over four decades, I've reached an uncomfortable conclusion: we're not just accumulating IT shortcuts, we're systematically building Britain's digital economic collapse. This week's deep-dive into technical debt revealed a pattern that goes beyond individual business failures. Every "temporary" solution, every deferred security update, every cost-cutting IT decision is another brick in the wall of our national digital vulnerability.
Pull up a chair for the most preventable business disaster I've investigated this year. A 78-employee Midlands manufacturing firm just got completely destroyed by technical debt they'd been accumulating since 2019. Six years of "temporary" solutions, unpatched systems, and IT shortcuts created the perfect storm when DarkSide ransomware hit in May 2025. £2.8 million in losses, 45 redundancies, and business closure within 8 weeks. Every single vulnerability that enabled this attack was documented,
Same criminals. Same tactics. Completely different outcomes. M&S lost £300 million and took 46 days to restore online sales. Co-op faced identical DragonForce attacks but recovered swiftly with minimal disruption. The difference wasn't sophisticated security - it was operational agility versus accumulated technical debt. M&S drowned in decades of deferred decisions whilst Co-op's modern processes saved them. This isn't about having perfect systems, it's about building resilience. Wednesd
After 40 years watching this bloody circus, this week's Shadow IT investigation revealed the most uncomfortable truth in business technology: unauthorized applications aren't the problem. They're proof that our entire industry has systematically failed small businesses through decades of vendor greed and procurement theatre. Seventeen project management tools because enterprise solutions are unusable garbage. £127k unauthorized spending because we sold them digital dumpster fires. Communication
Right, time for some brutal honesty about VPNs. They're not just broken, they're actively dangerous security theatre that's getting businesses destroyed. While you're still pretending that GlobalProtect and Cisco AnyConnect provide meaningful security, criminals are systematically working through every VPN deployment in the UK using the same basic playbook. Ingram Micro lost £136 million because someone misconfigured a VPN firewall. Your "secure" remote access is probably next. Microsoft's alrea
A password of "123456" in 2025, supposedly protecting 64 million people's personal information. McDonald's just handed every UK SMB a masterclass in how vendor incompetence destroys lives. Some security researchers got curious about Mickey Dee's dystopian AI hiring bot, spent 30 minutes guessing obvious passwords, and suddenly had access to every job application ever submitted to the Golden Arches. While McDonald's and their AI vendor Paradox.ai play hot potato with blame, 64 million desperate j
M&S just lost £300 million and Co-op exposed 20 million customer records because some criminal rang their IT help desk, pretended to be an employee, and walked away with the keys to the kingdom. Not sophisticated malware. Not zero-day exploits. A bloody phone call. The parliamentary hearing this week revealed the shocking truth: Britain's biggest retailers have help desk security that wouldn't pass muster at a corner shop. When Archie Norman admits they had "no cyber attack plan" and describ
A $48 billion global technology giant just got destroyed by criminals who exploited a basic firewall misconfiguration. Ingram Micro, the backbone of every MSP and reseller on the planet, is bleeding £136 million daily because someone forgot to tick a checkbox properly. SafePay ransomware walked through their VPN like it was an open door, bringing down the entire global IT supply chain. If you're an MSP depending on single vendors, you're about to learn the brutal cost of trusting other people's
Right, pull up a chair. We need to have a bloody serious conversation about the EV charging disaster that's been hiding in plain sight. Oxford researchers just confirmed what should terrify every electric vehicle owner: your charging cable is a 47-meter antenna broadcasting your vulnerability to anyone with £200 worth of kit from eBay. The "Brokenwire" attack can kill charging sessions wirelessly, and it's built into the bloody standards that govern 12 million EVs worldwide. Known since 2019, st
CASE STUDY: Midlands manufacturing SMB spent 18 months and £45,000 getting ISO27001 certified. Six months later: ransomware attack, £50k losses, customer data exposed. They had perfect documentation for email security but forgot to actually secure their email. This is compliance theatre in its purest form - expensive certificates that impress auditors but don't stop criminals. Today's case study exposes the brutal reality of governance vs protection and what UK SMBs should learn from this expens
The British Horseracing Authority just got absolutely hammered by ransomware, and frankly, I'm not surprised. Here's an organization that regulates a £1 billion industry, handles medical records for hundreds of jockeys, and oversees one of Britain's most prestigious sporting events. And they fell for the oldest trick in the book: some criminal rang their IT helpdesk, pretended to be an employee, and walked away with the keys to the kingdom. If the people who regulate horse racing can't secure th
BREAKING: Another SOC 2 certified company just suffered a massive data breach. Shocked? You shouldn't be. While they were busy documenting their security procedures in triplicate, hackers walked through the front door they forgot to lock. This is compliance theatre in action: expensive certificates that impress auditors but don't stop criminals. Today's reality check exposes why governance frameworks fail against real threats and what UK SMBs should learn from this latest security disaster
Your MSP's favourite remote access tool just got breached. Again. ConnectWise ScreenConnect, the software thousands of managed service providers use to "protect" small businesses, has been hit by yet another cyberattack—this time by suspected state-sponsored hackers. But here's the real scandal: this is the same platform that suffered critical vulnerabilities in 2024, enabling ransomware gangs to turn MSP networks into criminal infrastructure. If your IT provider is still using repeatedly compro
Your £6,000 professional printer just joined a criminal botnet. For six months, Procolored shipped malware-infected drivers that turned customer systems into cryptocurrency theft machines, netting criminals nearly $1 million in stolen Bitcoin. When YouTuber Cameron Coward tried to install the "legitimate" software, his antivirus screamed warnings. Procolored's response? "False positive." Even after researchers found 39 infected files containing backdoors and Bitcoin stealers, the company kept de
Think the hackers are your biggest threat? Think again. That smiling MSP rep who promised “complete protection” might just be the reason your business is on its knees. Ransomware rarely walks in the front door it’s invited through by lazy patching, crap backups, and a culture of "just enough" IT. From misconfigured firewalls to fake dashboards and vendors more interested in sales than security, this is the real story of how ransomware thrives, enabled by the very people paid to stop it. If you t
A ransomware attack just crippled one of the UK’s key cold chain hauliers, leaving thousands of pounds’ worth of meat to rot before it ever reached supermarket shelves. Peter Green Chilled, who proudly promote their “bespoke IT systems,” couldn’t even keep order processing online. The result? Spoiled stock, supply chain chaos, and radio silence from a company with £25 million in turnover and not a single cybersecurity certification. This isn’t just an embarrassing IT failure. It’s a wake-up call
You’d think ISO27001 and SOC 2 certifications mean a business is secure. But if 2023 and 2025 have shown us anything, it’s that those badges don’t stop breaches. From Capita’s data leaks to Harrods’ containment chaos, and Co-op’s app disruption to the MOVEit dominoes, governance frameworks have failed where basic cyber hygiene would have succeeded. Cyber Essentials, often dismissed as small business fluff, turns out to be the missing frontline control in all of these high-profile failures. This
