The Small Business
Cyber Security Guy
Welcome to my blog and podcast, where I share brutally honest views, sharp opinions, and lived experience from four decades in the technology trenches. Whether you're here to read or tune in, expect no corporate fluff and no pulled punches.
Everything here is personal. These are my thoughts, not those of my employer, clients, or any poor soul professionally tied to me. If you’re offended, take it up with me, not them.
What you’ll get here (and on the podcast):
Straight-talking advice for small businesses that want to stay secure
Honest takes on cybersecurity trends, IT malpractice, and vendor nonsense
The occasional rant — and yes, the occasional expletive
War stories from the frontlines (names changed to protect the spectacularly guilty)
I've been doing this for over 40 years. I’ve seen genius, idiocy, and everything in between. Some of it makes headlines, and most of it should.
This blog and the podcast is where I unpack it all. Pull up a chair.
The MFA Reality Check - Why Only 30% of Schools Have It Properly Enabled
Only 30% of schools have Multi-Factor Authentication enabled, but the reality is worse than that statistic suggests. Many schools have "partial MFA" - enabled for head teachers and SENCOs but not teaching assistants or admin staff. From a security perspective, everyone with access needs MFA, or you're not protected. The challenge? Phone-based authenticator apps conflict with safeguarding policies that ban phones near children. Hardware security keys offer the solution. FIDO2-certified tokens from providers like Authentrend work without phones, satisfying both security and safeguarding requirements. The principle is simple: MFA for everyone or MFA for nobody.
When Six Ministers Co-Sign a Letter to Your CEO, It's Time to Listen
When the Chancellor, three Cabinet Ministers, the NCSC CEO, and the Director General of the National Crime Agency personally co-sign a letter to UK business leaders, you don't ignore it. The NCSC just reported 204 nationally significant cyber incidents, with 18 highly significant attacks marking a 50% increase for the third consecutive year. Marks & Spencer lost over £300 million. A healthcare attack contributed to a patient death. Empty shelves appeared in supermarkets. The government has given you three specific actions and free tools to implement them. The question isn't whether you'll face a cyber incident. It's whether you'll be prepared.
Cybersecurity is Now Safeguarding - Understanding the 2025 Guidance Game-Changer
September 1st, 2025 marked a fundamental shift in UK education: cybersecurity officially became a safeguarding issue under the Keeping Children Safe in Education guidance. Paragraph 144 explicitly links cyber security to safeguarding responsibilities, meaning schools can no longer dismiss security as "just an IT problem." This changes everything from a compliance perspective. When framed as "keeping children safe" rather than "good IT security," schools respond differently. Governors now have statutory duties to ensure cyber standards are met. Yet many schools remain unaware. The Kido breach of 8,000 children's data is now officially a safeguarding failure, not just an IT incident.
The Kido Nursery Breach - How a GitHub Repository Exposed 8,000 Children
The Kido nursery breach exposed 8,000 children's data in September 2025, but the attack vector reveals a critical lesson for schools: this wasn't sophisticated hacking. Security researchers discovered a publicly accessible GitHub repository containing API credentials in plain text. The kido-kidssafe/myskio-api repository had the "keys to the kingdom visible in the clear." Two 17-year-olds were arrested in Hertfordshire, but the real story is how preventable this breach was. Schools must audit their GitHub repositories, check for custom code with embedded credentials, and implement proper secrets management before they become the next headline.
Your Complete Insider Threat Defence Action Plan: From Assessment to Implementation
This is the complete insider threat action plan for small businesses. Start with the non negotiables. Enable MFA on email and cloud apps. Audit who has access to what. Test your backups and prove you can restore. Then build. Roll out a password manager. Separate admin from day to day accounts. Turn on activity alerts and review them weekly. Segment guest, IoT and finance. Add EDR. Finish with drills, metrics, and monthly reviews. Do your leaders model the right behaviour? Do people know who to call at 3 am? Can you restore in four hours? If not, what will you change this week?
Your Insider Threat Assessment Framework: A Practical Self-Audit Guide
Most security assessments fail small businesses. They ask the wrong questions or drown you in paperwork. You need a fast test that flags real risk and gives clear next steps. Start with five pillars. Access control. Authentication. Activity monitoring. Data protection. Incident response. Score each with simple questions. Fix the lowest pillar first. Turn on MFA. Remove excess access. Enable login alerts. Test restores. Write a one page incident plan. Track progress monthly with a few metrics. Does your team know who to call at 3 am? Can you revoke access in one hour? If not, this framework is for you.
When Insider Threats Strike: Real-World Case Studies and Business Lessons
A teenager extorted 2.85 million dollars from PowerSchool. A student in Iowa ran a grade change business with pocket keyloggers. UK schools lost days of teaching to ransomware. None of this needed elite tools. It needed access, weak controls, and time. That is your wake up call. Do you know what your vendors hold about you? Do you keep more data than you need? Could someone walk up and plug in a device? Layer simple controls. Use MFA. Limit access. Monitor for odd activity. Test restores. Plan for vendor failure. Will you act before your data funds someone else’s payday?
Technical Defences Against Insider Threats: Solutions That Actually Work
Small businesses do not need theory. They need controls that block real attacks without new headcount. Start with MFA. It is included in Microsoft 365 and Google Workspace. It kills password reuse and shoulder surfing. Apply least privilege. Split admin from day to day use. Roll out a business password manager. Turn on sign in alerts that flag odd times and places. Test backups with the 3 2 1 rule and keep one copy offline. Segment guest, IoT and finance. These steps are cheap and proven. Will you ship them this month, or wait until an employee exports your client list?
Windows 11 25H2: Microsoft's Security Update You're Probably Ignoring (And Why That's Bloody Stupid)
Windows 11 25H2 landed on 30 September 2025, and you're probably ignoring it because "it's just another update." Wrong. This is Microsoft finally removing the attack surfaces ransomware gangs have been exploiting for years. PowerShell 2.0? Gone. WMIC? Gone. Both are documented malware vectors that criminals use to bypass your security. The update weighs 200KB for existing 24H2 systems. One restart. Done. Enterprise editions get 36 months of support. But you're still on 23H2, aren't you? Your support clock is ticking faster than you think. Deploy this or explain to the ICO why you didn't.
Confessions of a Reformed School Hacker: How Getting Caught Changed My Career
Curiosity, access, and a careless password shaped my career. At sixteen I learned the simplest attack works best. I watched a teacher type admin123! and saw the whole network open up. No exploits. Just human nature. That is the insider threat in plain sight. People bypass clumsy controls to get work done. Do your policies help or hinder? Make secure the easy path with least privilege, SSO, MFA, logging, and coaching. Treat incidents as data, not drama. Channel curiosity before it goes underground. Would your systems survive a bright teenager with time after school? If not, what will you change this week?
Kido Nursery Rant: When We Lost Whatever Was Left of Our Souls
The Kido International ransomware attack represents cybersecurity's darkest moment. Eight thousand children's photos, addresses, medical records, and safeguarding notes were stolen and posted online by the Radiant gang. Hackers then called parents directly, demanding they pressure the nursery to pay. This wasn't just a data breach, it was a calculated attack on the most vulnerable data imaginable. After 40 years in cybersecurity, this crosses every line. But here's the terrifying truth: the same security failures that allowed this attack exist in small businesses everywhere. Your organization could be next, and the lessons from this nightmare could save you from becoming tomorrow's headline.
Why Good Employees Make Bad Security Decisions: The Psychology Behind Insider Threats
Security fails when it fights how people work. Most breaches are not villains. They are good staff blocked by bad design. The ICO shows students guessed weak passwords or read them off notes. The lesson is simple. If the secure path is slow, people route around it. Make secure the easy choice. Use single sign on. Use MFA that is one tap. Give safe tools for sharing files. Build trust so people report mistakes. Review real behaviour, not policy fantasy. Do your controls help work or hinder it? If a pupil could beat them before lunch, what would your team do?
Your Biggest Cyber Threat Wears a School Uniform: What Small Businesses Can Learn From School Hackers
Insider threats are not shadowy hackers. They are people already inside your walls. The ICO found students caused most school data breaches by guessing weak passwords or reading them off sticky notes. They were not breaking in. They were logging in. Sound familiar? If a teenager can bypass controls, what would a bored employee try next? Audit access today. Turn on multi factor authentication. Stop forcing impossible passwords people write down. Log activity on sensitive systems. Train for curiosity, not fear. Can your security survive a Year Eleven with time to spare? If not, you need to fix it now.
Action Plan: Moving Beyond Your Single Point of IT Failure
Enough theory. Time for action. Here's your step-by-step plan to move from "Dave does everything" to sustainable IT support that won't collapse when Dave finally reaches breaking point. Start tomorrow.
Building Sustainable IT Support: Beyond the Single Dave Model
You don't need to choose between Dave and professional IT support. The best approach? Dave becomes your strategic IT leader while specialist MSPs handle the complex stuff Dave shouldn't have to figure out alone.
When Criminals Target Children: The Kido Nursery Attack and What It Means for UK Small Businesses
After yesterday's Kido International ransomware attack, I've spent the night reading through the technical details and regulatory implications. What I'm seeing isn't just disturbing. It's a fundamental shift in how we need to think about protecting sensitive data in British small businesses.
Yesterday morning, 18 UK nursery locations woke up to a ransomware attack. The attackers didn't just encrypt systems. They stole the entire database. Names of 8,000 children. Home addresses. Photos. Safeguarding notes.
Then they did something I've never seen in four decades of IT: They published profiles and photographs of ten children on their darknet leak site.
Documentation: Getting Critical Knowledge Out of Dave's Head Before It's Too Late
Dave's the only one who knows the admin passwords. Dave's the only one who understands the custom configurations.
Dave's the only one who knows which cables do what. When Dave goes, that knowledge disappears. Forever.
Co-op's £80 Million Cybersecurity Bill: The True Cost of "Just" a Data Breach
Co-op's CEO has officially confirmed their April 2024 cyberattack cost £80 million in earnings impact. The perpetrators? Teenagers using basic social engineering to steal personal data from all 6.5 million members. No sophisticated nation-state attack, just "Can you reset my password, mate?" targeting the right employee. With zero cyber insurance coverage, Co-op absorbed every penny while 2,300 stores suffered empty shelves and 800 funeral homes reverted to paper-based systems. But £80 million might just be the opening act here. Pending ICO fines, potential individual member compensation claims, and mounting legal costs could easily push the final bill past £400 million total.
Warning Signs Your IT Manager is Drowning (And You're Ignoring Them)
Dave's first in, last out every day. Dave hasn't taken a proper lunch break in months. Dave gets defensive when you ask about the systems. Sound familiar?
Your IT manager is drowning, and you've been pretending not to notice
The DORA Reckoning: How September's Cyberattacks Just Triggered Europe's First Cross-Border Regulatory Crisis
September 2025's Collins Aerospace and JLR cyberattacks weren't just operational disasters - they triggered Europe's first cross-border regulatory crisis under DORA. While aviation experts focused on flight delays, they missed the real story: EU authorities now have direct oversight powers over US companies like Collins Aerospace serving European financial infrastructure. DORA's January 2025 implementation created unprecedented cross-border enforcement mechanisms that most businesses don't understand. Collins faces potential Critical Provider designation, direct EU regulation, and millions in fines. Meanwhile, UK businesses remain spectacularly unprepared for a regulatory framework that can penalize their technology dependencies. The DORA reckoning has begun.
⚠️ Full Disclaimer
This is my personal blog. The views, opinions, and content shared here are mine and mine alone. They do not reflect or represent the views, beliefs, or policies of:
My employer
Any current or past clients, suppliers, or partners
Any other organisation I’m affiliated with in any capacity
Nothing here should be taken as formal advice — legal, technical, financial, or otherwise. If you’re making decisions for your business, always seek professional advice tailored to your situation.
Where I mention products, services, or companies, that’s based purely on my own experience and opinions — I’m not being paid to promote anything. If that ever changes, I’ll make it clear.
In short: This is my personal space to share my personal views. No one else is responsible for what’s written here — so if you have a problem with something, take it up with me, not my employer.