Most small businesses that call their IT company and say "can you just make us secure?" get back either an incomprehensible technical list or a vague proposal with no defined deliverables. What they rarely get is a structured conversation about where they actually are, where they need to be, and what that journey will cost. SMB1001's five tiers give you the framework for exactly that conversation. In this practical guide, I'll walk you through how to assess your current position honestly, choose
A week of Cyber Essentials v3.3 done. Scope reviews, cloud scoping rules, MFA for everyone, the 14-day patching window. You now know more about CE than most IT managers I've spoken to this year. Next Monday we zoom out. SMB1001 runs from Bronze to Diamond and was built specifically for small businesses that want a structured security roadmap beyond the CE baseline. It is not a UK government scheme, it does not carry the same procurement weight, and the two frameworks do not map neatly. So the qu
Right. Noel and Mauven have told you what's changing in Cyber Essentials v3.3 and why scope failures become legal problems. My job is the bit that comes after: what do you actually do, in what order, with realistic timelines? I have broken this into a 30-60 day plan that works for most UK SMBs, whether you're renewing before 26th April under Willow or preparing for Danzell afterwards. No tools to buy, no consultants to hire for the basics. Mostly time, a spreadsheet, and an honest look at what y
There's a philosophy thought experiment from the 1960s that explains, better than any threat report I've read, exactly why reactive security is a trap. It's called Newcomb's Paradox. A near-perfect predictor places money in two boxes. Grab both and you walk away with £1,000. Grab just one and you walk away with a million. Except the decision was made before you walked in the room. Your attackers work the same way. They've already run their reconnaissance. They've already decided what kind of tar
Most of the real damage from a data breach does not happen during the initial compromise. It happens in the scramble afterwards. Someone panics and wipes a server. Someone else coordinates the response through the email account that is already compromised. A well-meaning manager posts on social media before anyone understands what happened. The first hour determines whether this becomes a bad day you recover from or a business-ending week you do not. This playbook walks you through exactly what
Malware sat on 5,390 Currys tills for nine months. Nobody noticed. That is not a sophisticated nation-state attack. That is a basic monitoring failure. The ICO called the missing controls "basic, commonplace security measures." In plain English: this was avoidable. If you run a small or medium-sized business and you process payment data, hold customer records, or manage staff information, this week's practical guide gives you four specific controls to implement. No expensive tooling. No consulta
An Amazon driver just delivered the most useful security lesson of 2026 and he charged absolutely nothing for it. While trying to drop off a parcel, he couldn't find a safe place, so he thought laterally, worked out the code to a locked shed, left the parcel inside, and then wrote a note explaining exactly how he got in. He documented the breach. He filed the report. He even ticked the compliance checkbox. Your IT company just got shown up by a bloke in a high-vis jacket. The question is: are yo
Every UK business using Microsoft 365, Google Workspace, or any US cloud service has an unassessed CLOUD Act exposure. This guide gives you a step-by-step process to map it: list your vendors, identify your crown jewels, check who controls the encryption keys, fold the findings into your DPIAs, and build a realistic exit plan. No consultancy fees, no jargon, no panic. One afternoon with your IT lead and a spreadsheet. By Friday you will know exactly where your business sits and what, if anything
You did not set out to build US-centric infrastructure. You just bought what was on page one of Google. Email, documents, calendars, chat, CRM, help desk, backups, monitoring: all US-owned, all subject to US law, all chosen on price and convenience without a single conversation about jurisdictional risk. Mauven MacLeod explains why your 30-person firm has made exactly the same strategic bet as the NHS and the Ministry of Defence, why "it is just stationery" stopped being true about five years ag
Enough theory. Today we're getting practical. Whether or not director liability becomes law, demonstrating reasonable care protects your business now. Insurance claims require evidence. Contracts demand due diligence. Regulators ask what you did before the breach. This guide gives you exactly what you need: the five controls that matter, documentation templates, evidence gathering processes, and realistic timelines for businesses of every size. No enterprise consultants required. No massive budg