The Small Business
Cyber Security Guy
Welcome to my blog and podcast, where I share brutally honest views, sharp opinions, and lived experience from four decades in the technology trenches. Whether you're here to read or tune in, expect no corporate fluff and no pulled punches.
Everything here is personal. These are my thoughts, not those of my employer, clients, or any poor soul professionally tied to me. If you’re offended, take it up with me, not them.
What you’ll get here (and on the podcast):
Straight-talking advice for small businesses that want to stay secure
Honest takes on cybersecurity trends, IT malpractice, and vendor nonsense
The occasional rant — and yes, the occasional expletive
War stories from the frontlines (names changed to protect the spectacularly guilty)
I've been doing this for over 40 years. I’ve seen genius, idiocy, and everything in between. Some of it makes headlines, and most of it should.
This blog and the podcast is where I unpack it all. Pull up a chair.
Your Complete Insider Threat Defence Action Plan: From Assessment to Implementation
This is the complete insider threat action plan for small businesses. Start with the non negotiables. Enable MFA on email and cloud apps. Audit who has access to what. Test your backups and prove you can restore. Then build. Roll out a password manager. Separate admin from day to day accounts. Turn on activity alerts and review them weekly. Segment guest, IoT and finance. Add EDR. Finish with drills, metrics, and monthly reviews. Do your leaders model the right behaviour? Do people know who to call at 3 am? Can you restore in four hours? If not, what will you change this week?
Your Insider Threat Assessment Framework: A Practical Self-Audit Guide
Most security assessments fail small businesses. They ask the wrong questions or drown you in paperwork. You need a fast test that flags real risk and gives clear next steps. Start with five pillars. Access control. Authentication. Activity monitoring. Data protection. Incident response. Score each with simple questions. Fix the lowest pillar first. Turn on MFA. Remove excess access. Enable login alerts. Test restores. Write a one page incident plan. Track progress monthly with a few metrics. Does your team know who to call at 3 am? Can you revoke access in one hour? If not, this framework is for you.
When Insider Threats Strike: Real-World Case Studies and Business Lessons
A teenager extorted 2.85 million dollars from PowerSchool. A student in Iowa ran a grade change business with pocket keyloggers. UK schools lost days of teaching to ransomware. None of this needed elite tools. It needed access, weak controls, and time. That is your wake up call. Do you know what your vendors hold about you? Do you keep more data than you need? Could someone walk up and plug in a device? Layer simple controls. Use MFA. Limit access. Monitor for odd activity. Test restores. Plan for vendor failure. Will you act before your data funds someone else’s payday?
Technical Defences Against Insider Threats: Solutions That Actually Work
Small businesses do not need theory. They need controls that block real attacks without new headcount. Start with MFA. It is included in Microsoft 365 and Google Workspace. It kills password reuse and shoulder surfing. Apply least privilege. Split admin from day to day use. Roll out a business password manager. Turn on sign in alerts that flag odd times and places. Test backups with the 3 2 1 rule and keep one copy offline. Segment guest, IoT and finance. These steps are cheap and proven. Will you ship them this month, or wait until an employee exports your client list?
Confessions of a Reformed School Hacker: How Getting Caught Changed My Career
Curiosity, access, and a careless password shaped my career. At sixteen I learned the simplest attack works best. I watched a teacher type admin123! and saw the whole network open up. No exploits. Just human nature. That is the insider threat in plain sight. People bypass clumsy controls to get work done. Do your policies help or hinder? Make secure the easy path with least privilege, SSO, MFA, logging, and coaching. Treat incidents as data, not drama. Channel curiosity before it goes underground. Would your systems survive a bright teenager with time after school? If not, what will you change this week?
Why Good Employees Make Bad Security Decisions: The Psychology Behind Insider Threats
Security fails when it fights how people work. Most breaches are not villains. They are good staff blocked by bad design. The ICO shows students guessed weak passwords or read them off notes. The lesson is simple. If the secure path is slow, people route around it. Make secure the easy choice. Use single sign on. Use MFA that is one tap. Give safe tools for sharing files. Build trust so people report mistakes. Review real behaviour, not policy fantasy. Do your controls help work or hinder it? If a pupil could beat them before lunch, what would your team do?
Your Biggest Cyber Threat Wears a School Uniform: What Small Businesses Can Learn From School Hackers
Insider threats are not shadowy hackers. They are people already inside your walls. The ICO found students caused most school data breaches by guessing weak passwords or reading them off sticky notes. They were not breaking in. They were logging in. Sound familiar? If a teenager can bypass controls, what would a bored employee try next? Audit access today. Turn on multi factor authentication. Stop forcing impossible passwords people write down. Log activity on sensitive systems. Train for curiosity, not fear. Can your security survive a Year Eleven with time to spare? If not, you need to fix it now.
Action Plan: Moving Beyond Your Single Point of IT Failure
Enough theory. Time for action. Here's your step-by-step plan to move from "Dave does everything" to sustainable IT support that won't collapse when Dave finally reaches breaking point. Start tomorrow.
Building Sustainable IT Support: Beyond the Single Dave Model
You don't need to choose between Dave and professional IT support. The best approach? Dave becomes your strategic IT leader while specialist MSPs handle the complex stuff Dave shouldn't have to figure out alone.
Documentation: Getting Critical Knowledge Out of Dave's Head Before It's Too Late
Dave's the only one who knows the admin passwords. Dave's the only one who understands the custom configurations.
Dave's the only one who knows which cables do what. When Dave goes, that knowledge disappears. Forever.
Warning Signs Your IT Manager is Drowning (And You're Ignoring Them)
Dave's first in, last out every day. Dave hasn't taken a proper lunch break in months. Dave gets defensive when you ask about the systems. Sound familiar?
Your IT manager is drowning, and you've been pretending not to notice
Analyzing the Patterns: When Single IT Manager Models Fail Spectacularly
Let's examine the data: 30 years of single IT manager failures. The patterns are consistent, the outcomes predictable, and the business impact devastating. Here's what happens when your "Dave from IT" model reaches its inevitable breaking point.
Why "Dave from IT" is Your Business's Biggest Security Risk in 2025
It's Monday morning. Your server's having a wobble. Your email's down. Half your team can't access the customer database. And where's Dave? Probably fixing Janet's printer. Again. Welcome to the single point of failure that's about to snap and take your business with it.
The £800 Monthly Technology Disaster (And How Strategic Thinking Fixed It in 6 Months)
Manchester marketing agency hemorrhaged £800 monthly on cloud storage chaos. Four different platforms, zero coordination, Dave from IT drowning in strategic decisions while fixing printers. Classic small business approach: solve today's problem with today's solution. Six months after engaging fractional CIO services: single integrated platform costing £450 monthly, unified data governance, actual strategic roadmap.
Annual savings of £4,200 paid for strategic guidance while delivering competitive advantage. Dave returned to operational excellence, strategy got expert attention.
This transformation illustrates exactly why smart UK businesses choose strategic technology leadership over tactical firefighting.
Five Questions That Reveal Your Business Needs Strategic IT Leadership (And It's Not What You Think)
Most UK businesses think they're fine without strategic IT leadership until they're not. These five diagnostic questions expose the difference between thriving with technology and merely surviving despite it.
Question 1: Are technology decisions made strategically or reactively? If you're replacing servers because they died rather than planned refresh cycles, you need help.
Question 5: Will current systems scale gracefully as you grow? Planning to double in size without considering technology impact is business suicide.
Answer honestly: reactive technology management costs more than strategic guidance. The question isn't whether you need leadership—it's whether you'll get it before competitors do.
£180k CIO vs £25k Fractional: Why Smart UK Businesses Choose the Latter
Full-time CIO in London: £180k-250k annually plus benefits. Fractional CIO: £15k-30k for strategic expertise when you need it.
The mathematics are brutal, but the quality difference might surprise you. Many fractional executives are senior professionals who prefer variety over corporate politics.
You get FTSE 250 CIO experience for a fraction of full-time cost. While your competitors burn budget on executives who spend half their time in meetings, you access strategic guidance scaled to actual needs.
Smart UK businesses are realising that technology leadership isn't about seat time—it's about strategic thinking that drives business results.
Stop Calling Dave from IT, Your CIO (He's Not, and It's Destroying Your Business)
Dave from IT is brilliant at keeping your systems running. But calling him your CIO is like calling your mechanic an automotive engineer.
Most UK small businesses confuse operational IT support with strategic technology leadership, and it's costing them millions. While Dave troubleshoots email issues, real CIOs design five-year technology roadmaps.
The difference? Strategic thinking that aligns technology investments with business objectives. Fractional CIO services deliver genuine C-level expertise for £15k-30k annually versus £180k+ for full-time hiring.
Stop expecting Dave to be everything. Give him the strategic backup he desperately needs.
Think You’re Too Small to Be Hacked? So did the Last 60%
Too many UK small businesses still believe they’re “too small to hack.” It’s the most dangerous myth in business today.
With 96% of cyberattacks targeting SMEs and 60% of victims closing within six months, denial is a death sentence.
This article pulls apart the excuses business owners use, exposes the real-world costs of breaches, and explains why simple, affordable steps like Cyber Essentials, MFA, patching, and staff training are the difference between survival and closure.
Think you’re too small to be hacked? So did the last 60%.
Why Small Businesses Must Rethink Cybersecurity NOW (Before It’s Too Late)
Cybersecurity is not just an enterprise problem. With 96% of attacks targeting small businesses and 60% of victims closing within six months, UK SMEs face a survival crisis.
This article exposes the myths keeping businesses vulnerable, the real financial impact of attacks, and the role of supply chain risk. It explains why Cyber Essentials and board-level governance are no longer optional, but essential.
Written for directors and leaders, it lays out practical steps to protect your business before it’s too late.
The Massive Lie That’s Killing UK Businesses: Cybersecurity is NOT Just an Enterprise Problem
Cybersecurity is not just an enterprise problem. With 96% of attacks targeting small businesses and 60% of victims closing within six months, UK SMEs face a survival crisis. This article exposes the myths keeping businesses vulnerable, the real financial impact of attacks, and the role of supply chain risk. It explains why Cyber Essentials and board-level governance are no longer optional, but essential. Written for directors and leaders, it lays out practical steps to protect your business before it’s too late.
⚠️ Full Disclaimer
This is my personal blog. The views, opinions, and content shared here are mine and mine alone. They do not reflect or represent the views, beliefs, or policies of:
My employer
Any current or past clients, suppliers, or partners
Any other organisation I’m affiliated with in any capacity
Nothing here should be taken as formal advice — legal, technical, financial, or otherwise. If you’re making decisions for your business, always seek professional advice tailored to your situation.
Where I mention products, services, or companies, that’s based purely on my own experience and opinions — I’m not being paid to promote anything. If that ever changes, I’ll make it clear.
In short: This is my personal space to share my personal views. No one else is responsible for what’s written here — so if you have a problem with something, take it up with me, not my employer.