The Small Business Cyber Security Guy

Welcome to my blog and podcast, where I share brutally honest views, sharp opinions, and lived experience from four decades in the technology trenches. Whether you're here to read or tune in, expect no corporate fluff and no pulled punches.

Everything here is personal. These are my thoughts, not those of my employer, clients, or any poor soul professionally tied to me. If you’re offended, take it up with me, not them.

What you’ll get here (and on the podcast):

  • Straight-talking advice for small businesses that want to stay secure

  • Honest takes on cybersecurity trends, IT malpractice, and vendor nonsense

  • The occasional rant — and yes, the occasional expletive

  • War stories from the frontlines (names changed to protect the spectacularly guilty)

I've been doing this for over 40 years. I’ve seen genius, idiocy, and everything in between. Some of it makes headlines, and most of it should.

This blog and the podcast are where I unpack it all. Pull up a chair.

When Insider Threats Strike: Real-World Case Studies and Business Lessons

A teenager extorted 2.85 million dollars from PowerSchool. A student in Iowa ran a grade change business with pocket keyloggers. UK schools lost days of teaching to ransomware. None of this needed elite tools. It needed access, weak controls, and time. That is your wake-up call. Do you know what your vendors hold about you? Do you keep more data than you need? Could someone walk up and plug in a device? Layer simple controls. Use MFA. Limit access. Monitor for odd activity. Test restores. Plan for vendor failure. Will you act before your data funds someone else’s payday?

Confessions of a Reformed School Hacker: How Getting Caught Changed My Career

Curiosity, access, and a careless password shaped my career. At sixteen I learned the simplest attack works best. I watched a teacher type admin123! and saw the whole network open up. No exploits. Just human nature. That is the insider threat in plain sight. People bypass clumsy controls to get work done. Do your policies help or hinder? Make secure the easy path with least privilege, SSO, MFA, logging, and coaching. Treat incidents as data, not drama. Channel curiosity before it goes underground. Would your systems survive a bright teenager with time after school? If not, what will you change this week?

Why Good Employees Make Bad Security Decisions: The Psychology Behind Insider Threats
Industry Analysis, Insider Threat, Podcast | Noel Bradford

Security fails when it fights how people work. Most breaches are not villains. They are good staff blocked by bad design. The ICO shows students guessed weak passwords or read them off notes. The lesson is simple. If the secure path is slow, people route around it. Make secure the easy choice. Use single sign-on. Use MFA that is one tap. Give safe tools for sharing files. Build trust so people report mistakes. Review real behaviour, not policy fantasy. Do your controls help work or hinder it? If a pupil could beat them before lunch, what would your team do?

Your Biggest Cyber Threat Wears a School Uniform: What Small Businesses Can Learn From School Hackers
Industry Analysis, Insider Threat, Podcast | Noel Bradford

Insider threats are not shadowy hackers. They are people already inside your walls. The ICO found students caused most school data breaches by guessing weak passwords or reading them off sticky notes. They were not breaking in. They were logging in. Sound familiar? If a teenager can bypass controls, what would a bored employee try next? Audit access today. Turn on multi-factor authentication. Stop forcing impossible passwords people write down. Log activity on sensitive systems. Train for curiosity, not fear. Can your security survive a Year Eleven with time to spare? If not, you need to fix it now.

When Criminals Target Children: The Kido Nursery Attack and What It Means for UK Small Businesses
Industry Analysis, Breach Reports | Noel Bradford

After yesterday's Kido International ransomware attack, I've spent the night reading through the technical details and regulatory implications. What I'm seeing isn't just disturbing. It's a fundamental shift in how we need to think about protecting sensitive data in British small businesses.

Yesterday morning, 18 UK nursery locations woke up to a ransomware attack. The attackers didn't just encrypt systems. They stole the entire database. Names of 8,000 children. Home addresses. Photos. Safeguarding notes.

Then they did something I've never seen in four decades of IT: They published profiles and photographs of ten children on their darknet leak site.

The DORA Reckoning: How September's Cyberattacks Just Triggered Europe's First Cross-Border Regulatory Crisis
Industry Analysis, Compliance & Certification | Mauven MacLeod

September 2025's Collins Aerospace and JLR cyberattacks weren't just operational disasters - they triggered Europe's first cross-border regulatory crisis under DORA. While aviation experts focused on flight delays, they missed the real story: EU authorities now have direct oversight powers over US companies like Collins Aerospace serving European financial infrastructure. DORA's January 2025 implementation created unprecedented cross-border enforcement mechanisms that most businesses don't understand. Collins faces potential Critical Provider designation, direct EU regulation, and millions in fines. Meanwhile, UK businesses remain spectacularly unprepared for a regulatory framework that can penalize their technology dependencies. The DORA reckoning has begun.

It’s Cheaper to Be Defensive: Why Waiting for a Breach Is the Most Expensive Mistake You’ll Ever Make
Industry Analysis | Noel Bradford

Three out of four UK businesses admit they’d break the law to pay a ransomware gang, proving they’re not prepared — they’re desperate.

This hard-hitting article exposes the brutal truth behind the PR Newswire findings and dismantles the myth that cybersecurity is too expensive. It’s not. What’s expensive is losing your business, your data, and your reputation.

We break down why defensive investment is always cheaper than recovery, what leaders are doing wrong, and how to fix it before disaster strikes.

If you're gambling on hope instead of hard controls, this is your wake-up call. Prevention isn’t optional. It’s survival.

The Online Safety Act: Digital Dictatorship Disguised as Child Protection
Industry Analysis | Noel Bradford

The UK Online Safety Act has been live for 48 hours and it's already the most spectacular digital disaster since Internet Explorer. VPN usage surged 1,400%, teenagers are using Death Stranding screenshots to bypass age verification, and Ofcom is reduced to sending strongly worded letters to companies that ignore them entirely.

We've created a surveillance regime that doesn't protect children, doesn't stop harmful content, and can be defeated by PlayStation screenshots. This isn't child protection - it's digital authoritarianism disguised as safety theatre. Pull up a chair to the circumvention party.

Technical Debt Is Economic Suicide: Why Britain Is Building Its Own Digital Downfall
Industry Analysis | Noel Bradford

After investigating technical debt disasters across the UK for over four decades, I've reached an uncomfortable conclusion: we're not just accumulating IT shortcuts, we're systematically building Britain's digital economic collapse.

This week's deep-dive into technical debt revealed a pattern that goes beyond individual business failures. Every "temporary" solution, every deferred security update, every cost-cutting IT decision is another brick in the wall of our national digital vulnerability.

While other nations invest in cyber resilience, Britain optimizes for short-term savings and long-term catastrophe. Pull up a chair for some uncomfortable truths about where this leads.

The Midlands Manufacturing Firm That Technical Debt Murdered
Industry Analysis | Noel Bradford

Pull up a chair for the most preventable business disaster I've investigated this year. A 78-employee Midlands manufacturing firm just got completely destroyed by technical debt they'd been accumulating since 2019.

Six years of "temporary" solutions, unpatched systems, and IT shortcuts created the perfect storm when DarkSide ransomware hit in May 2025.

£2.8 million in losses, 45 redundancies, and business closure within 8 weeks. Every single vulnerability that enabled this attack was documented, known, and fixable for under £50,000.

Instead, they chose to keep bleeding money on maintenance costs until the criminals finished them off. Here's how technical debt murders businesses.

M&S vs Co-op: When Technical Debt Meets Operational Agility
Industry Analysis | Noel Bradford

Same criminals. Same tactics. Completely different outcomes. M&S lost £300 million and took 46 days to restore online sales. Co-op faced identical DragonForce attacks but recovered swiftly with minimal disruption.

The difference wasn't sophisticated security - it was operational agility versus accumulated technical debt. M&S drowned in decades of deferred decisions whilst Co-op's modern processes saved them.

This isn't about having perfect systems, it's about building resilience. Wednesday's parliamentary hearing exposed the brutal truth: technical debt cripples businesses, operational agility saves them.

Your choice determines whether you survive like Co-op or take a massive hit like M&S.

Shadow IT Isn't the Problem - It's the Symptom of Everything Wrong with Business Technology
Industry Analysis | Noel Bradford

After 40 years watching this bloody circus, this week's Shadow IT investigation revealed the most uncomfortable truth in business technology: unauthorized applications aren't the problem. They're proof that our entire industry has systematically failed small businesses through decades of vendor greed and procurement theatre. Seventeen project management tools because enterprise solutions are unusable garbage. £127k unauthorized spending because we sold them digital dumpster fires. Communication chaos because "professional" platforms are professionally useless. Employees aren't criminals - they're heroes solving problems we should have fixed twenty years ago. Shadow IT is the symptom. Enterprise software vendor arrogance is the disease.

VPNs are Critical in a Hybrid Working World - But Without MFA They Are Almost Pointless
Industry Analysis | Noel Bradford

Right, time for some brutal honesty about VPNs. They're not just broken, they're actively dangerous security theatre that's getting businesses destroyed.

While you're still pretending that GlobalProtect and Cisco AnyConnect provide meaningful security, criminals are systematically working through every VPN deployment in the UK using the same basic playbook.

Ingram Micro lost £136 million because someone misconfigured a VPN firewall. Your "secure" remote access is probably next. Microsoft's already solved this problem with Secure Access Service Edge, but you're still clinging to 1990s network architecture like it's some kind of digital security blanket. Wake up.

When Basics Break: How Simple Security Failures Cripple Big Brands
Industry Analysis | Noel Bradford

A password of "123456" in 2025, supposedly protecting 64 million people's personal information. McDonald's just handed every UK SMB a masterclass in how vendor incompetence destroys lives.

Some security researchers got curious about Mickey Dee's dystopian AI hiring bot, spent 30 minutes guessing obvious passwords, and suddenly had access to every job application ever submitted to the Golden Arches.

While McDonald's and their AI vendor Paradox.ai play hot potato with blame, 64 million desperate job seekers discover their data was protected by supersized digital tissue paper. Pull up a chair.

When Britain's Biggest Retailers Get Absolutely Destroyed by a Phone Call
Industry Analysis | Noel Bradford

M&S just lost £300 million and Co-op exposed 20 million customer records because some criminal rang their IT help desk, pretended to be an employee, and walked away with the keys to the kingdom. Not sophisticated malware. Not zero-day exploits. A bloody phone call.

The parliamentary hearing this week revealed the shocking truth: Britain's biggest retailers have help desk security that wouldn't pass muster at a corner shop.

When Archie Norman admits they had "no cyber attack plan" and describes the response as "pure chaos," you know we're looking at IT malpractice on an industrial scale.

When a $48 Billion Giant Falls to Basic Password Bollocks: The Ingram Micro Disaster That Should Terrify Every UK Business
Industry Analysis | Noel Bradford

A $48 billion global technology giant just got destroyed by criminals who exploited a basic firewall misconfiguration. Ingram Micro, the backbone of every MSP and reseller on the planet, is bleeding £136 million daily because someone forgot to tick a checkbox properly.

SafePay ransomware walked through their VPN like it was an open door, bringing down the entire global IT supply chain. If you're an MSP depending on single vendors, you're about to learn the brutal cost of trusting other people's cybersecurity competence. This disaster should terrify every business owner.

Your EV Charger Is a 47-Meter Security Disaster: The Brokenwire Wake-Up Call
Industry Analysis | Noel Bradford

Right, pull up a chair. We need to have a bloody serious conversation about the EV charging disaster that's been hiding in plain sight.

Oxford researchers just confirmed what should terrify every electric vehicle owner: your charging cable is a 47-meter antenna broadcasting your vulnerability to anyone with £200 worth of kit from eBay.

The "Brokenwire" attack can kill charging sessions wirelessly, and it's built into the bloody standards that govern 12 million EVs worldwide. Known since 2019, still unfixed in 2025.

The industry's solution? "Don't use DC fast charging." That's like saying don't use the motorway. Brilliant.

The Midlands SME That Trusted ISO & Lost £50k Anyway
Industry Analysis | Noel Bradford

CASE STUDY: Midlands manufacturing SMB spent 18 months and £45,000 getting ISO27001 certified.

Six months later: ransomware attack, £50k losses, customer data exposed.

They had perfect documentation for email security but forgot to actually secure their email. This is compliance theatre in its purest form - expensive certificates that impress auditors but don't stop criminals.

Today's case study exposes the brutal reality of governance vs protection and what UK SMBs should learn from this expensive lesson.

When Horse Racing's Regulator Can't Secure Their Own Stable
Industry Analysis, Breach Reports | Noel Bradford

The British Horseracing Authority just got absolutely hammered by ransomware, and frankly, I'm not surprised. Here's an organization that regulates a £1 billion industry, handles medical records for hundreds of jockeys, and oversees one of Britain's most prestigious sporting events. And they fell for the oldest trick in the book: some criminal rang their IT helpdesk, pretended to be an employee, and walked away with the keys to the kingdom. If the people who regulate horse racing can't secure their own stable, what hope do the rest of us have? Pull up a chair.

Why Another SOC 2 Certified Company Just Got Breached
Industry Analysis | Noel Bradford

BREAKING: Another SOC 2 certified company just suffered a massive data breach. Shocked? You shouldn't be. While they were busy documenting their security procedures in triplicate, hackers walked through the front door they forgot to lock. This is compliance theatre in action: expensive certificates that impress auditors but don't stop criminals. Today's reality check exposes why governance frameworks fail against real threats and what UK SMBs should learn from this latest security disaster.

⚠️ Full Disclaimer

This is my personal blog. The views, opinions, and content shared here are mine and mine alone. They do not reflect or represent the views, beliefs, or policies of:

  • My employer

  • Any current or past clients, suppliers, or partners

  • Any other organisation I’m affiliated with in any capacity

Nothing here should be taken as formal advice — legal, technical, financial, or otherwise. If you’re making decisions for your business, always seek professional advice tailored to your situation.

Where I mention products, services, or companies, that’s based purely on my own experience and opinions — I’m not being paid to promote anything. If that ever changes, I’ll make it clear.

In short: This is my personal space to share my personal views. No one else is responsible for what’s written here — so if you have a problem with something, take it up with me, not my employer.