Create your first cyber risk register in 2 hours. No consultant needed. Step 1: Identify five specific risks (phishing, ransomware, insider threats are mandatory for all UK SMEs). Step 2: Assess likelihood using real government statistics (85% phishing, 43% breach rate). Step 3: Document impact including business closure potential (28% of SMEs). Step 4: List current controls with verification dates. Step 5: Calculate residual risk scores. Step 6: Specify additional controls with costs. Step 7: A
Why do intelligent board members hear "43% of UK businesses got breached" and think "that won't happen to us"? It's not stupidity; it's psychology. Optimism bias makes us believe bad things happen to others. Present bias makes tomorrow's disaster less urgent than today's deadline. Availability heuristic makes personal experience trump statistics. Illusion of control makes certificates feel like protection. Normalcy bias treats "it hasn't happened yet" as evidence. Dunning-Kruger creates confiden
Most cyber risk registers are useless compliance documents. They contain vague descriptions, unverifiable controls, and no honest assessment of likelihood or impact. A working risk register has exactly seven columns: specific risk scenarios, likelihood based on real UK statistics, quantified impacts including business closure potential, verifiable current controls, residual risk ratings, costed additional controls, and named board-level owners. Every UK SME must address five mandatory risks: phi
After two days discussing frameworks and technical standards, let's examine why personal accountability actually works when corporate fines consistently fail. The psychology is fascinating and explains decades of regulatory success and failure. When British Airways faced a £20 million fine, nobody lost their job. When HSE prosecutes directors, workplace safety transforms overnight. The difference isn't the amount of money. It's whose money gets spent and whose freedom gets threatened. Human psyc
Yesterday's podcast proposed criminal liability for cybersecurity negligence. Today, we're dismantling the three-tier framework piece by piece so you know exactly where your business stands. Tier One protects small businesses with explicit gross negligence thresholds and Cyber Essentials safe harbour. Tier Two raises the bar for medium organisations whilst maintaining proportionate standards. Tier Three brings genuine consequences for large enterprises and public sector bodies that still can't i