
The Small Business
Cyber Security Guy
Welcome to my blog and podcast, where I share brutally honest views, sharp opinions, and lived experience from four decades in the technology trenches. Whether you're here to read or tune in, expect no corporate fluff and no pulled punches.
Everything here is personal. These are my thoughts, not those of my employer, clients, or any poor soul professionally tied to me. If you’re offended, take it up with me, not them.
What you’ll get here (and on the podcast):
Straight-talking advice for small businesses that want to stay secure
Honest takes on cybersecurity trends, IT malpractice, and vendor nonsense
The occasional rant — and yes, the occasional expletive
War stories from the frontlines (names changed to protect the spectacularly guilty)
I've been doing this for over 40 years. I’ve seen genius, idiocy, and everything in between. Some of it makes headlines, and most of it should.
This blog and the podcast are where I unpack it all. Pull up a chair.

Stop Getting Fooled: A Small Business Guide to "Verify and Never Trust" Security
When someone who protected the President's digital communications tells you to "verify and never trust," you should probably listen. Former White House CIO Theresa Payton's evolution of Reagan's famous principle isn't just clever wordplay - it's essential survival advice for 2025. Deepfakes can fool video calls, AI perfectly mimics email writing styles, and social engineering has become so sophisticated that even cybersecurity professionals get caught out. When seeing and hearing are no longer believing, systematic verification becomes your primary defense. Here's your step-by-step guide to implementing enterprise-level verification procedures without enterprise-level complexity - or budgets.

The CVE-2025-53770 Crisis: Why Your SharePoint Response Reveals More About Human Psychology Than Technical Competence
After analyzing the global response to CVE-2025-53770, the critical SharePoint zero-day that's compromised 75+ organizations in 48 hours, I'm convinced this isn't about technical competence.
It's about human psychology. Right now, IT administrators who know their systems are vulnerable (CVSS 9.8) are doing nothing because of normalcy bias, sunk cost fallacy, and optimism bias.
The organizations getting breached aren't those lacking knowledge - they're the ones whose psychology prevents acting on information they already possess. This is a masterclass in how cognitive biases turn manageable security events into disasters.

What the White House CIO Sees That UK SMBs Don't: The Threat Landscape Reality Check
The White House CIO has access to threat intelligence that would make UK SMB owners lose sleep for weeks. While British businesses worry about basic phishing, US government analysts are tracking systematic campaigns targeting supply chains, MSPs, and small businesses as stepping stones to bigger targets.
They're seeing patterns you've never heard of: criminal groups spending months mapping your vendor relationships, state actors using SMBs to access critical infrastructure, and ransomware cartels that make the mafia look disorganized.
Here's what America's top cybersecurity official knows about threats heading your way.

Technical Debt Is Economic Suicide: Why Britain Is Building Its Own Digital Downfall
After investigating technical debt disasters across the UK for over four decades, I've reached an uncomfortable conclusion: we're not just accumulating IT shortcuts, we're systematically building Britain's digital economic collapse.
This week's deep-dive into technical debt revealed a pattern that goes beyond individual business failures. Every "temporary" solution, every deferred security update, every cost-cutting IT decision is another brick in the wall of our national digital vulnerability.
While other nations invest in cyber resilience, Britain optimizes for short-term savings and long-term catastrophe. Pull up a chair for some uncomfortable truths about where this leads.

The Midlands Manufacturing Firm That Technical Debt Murdered
Pull up a chair for the most preventable business disaster I've investigated this year. A 78-employee Midlands manufacturing firm just got completely destroyed by technical debt they'd been accumulating since 2019.
Six years of "temporary" solutions, unpatched systems, and IT shortcuts created the perfect storm when DarkSide ransomware hit in May 2025.
£2.8 million in losses, 45 redundancies, and business closure within 8 weeks. Every single vulnerability that enabled this attack was documented, known, and fixable for under £50,000.
Instead, they chose to keep bleeding money on maintenance costs until the criminals finished them off. Here's how technical debt murders businesses.

Stop Bleeding Money on Yesterday's Shortcuts
After this week's deep-dive into technical debt psychology, let's talk about actually fixing the bloody mess. Your "temporary" solutions from 2019 are now permanent vulnerabilities that criminals are actively exploiting.
Every day you delay proper technical debt management, you're bleeding money on maintenance, security patches, and the inevitable breach costs. I've seen £50 million companies destroyed by technical debt they knew existed but couldn't prioritize properly.
Here's your framework for triaging technical debt before it kills your business: assess, prioritize, execute, and maintain. No psychology, no excuses, just practical steps to stop the bleeding.

The Psychology of Technical Debt: Why Smart Teams Make Tomorrow's Security Problems
After this week's podcast on technical debt and supply chain failures, I want to examine why intelligent, well-meaning IT teams consistently create tomorrow's security disasters.
Technical debt isn't just a coding problem - it's a psychological trap that 78% of UK businesses fall into repeatedly.
We take shortcuts under pressure, defer security updates for stability, and convince ourselves that "temporary" solutions won't become permanent vulnerabilities.
Understanding the cognitive biases behind technical debt accumulation is crucial for breaking the cycle that turns today's quick fixes into next year's ransomware entry points.

M&S vs Co-op: When Technical Debt Meets Operational Agility
Same criminals. Same tactics. Completely different outcomes. M&S lost £300 million and took 46 days to restore online sales. Co-op faced identical DragonForce attacks but recovered swiftly with minimal disruption.
The difference wasn't sophisticated security - it was operational agility versus accumulated technical debt. M&S drowned in decades of deferred decisions whilst Co-op's modern processes saved them.
This isn't about having perfect systems; it's about building resilience. Wednesday's parliamentary hearing exposed the brutal truth: technical debt cripples businesses, operational agility saves them.
Your choice determines whether you survive like Co-op or take a massive hit like M&S.

Podcast Ep7: Technical Debt - The Digital Quicksand Drowning UK Businesses
M&S lost £300 million because decades of technical debt left them unable to respond to basic social engineering. Co-op faced identical DragonForce attacks but recovered quickly through operational agility. The difference? M&S accumulated digital debt like a hoarder accumulates rubbish, whilst Co-op invested in resilience.
Technical debt isn't just old software - it's every deferred security decision, every "temporary" workaround, every vendor relationship without oversight.
Podcast Episode 7 reveals how your past shortcuts are creating tomorrow's business extinction events. Because criminals don't attack your current systems - they attack your accumulated incompetence.

When Supply Chain Incompetence Meets Parliamentary Scrutiny (And Why Technical Debt Will Finish the Job)
Wednesday's parliamentary hearing was brutal. M&S Chairman Archie Norman squirming whilst explaining how criminals cost his company £300 million through basic social engineering. McDonald's serving up 64 million job seekers to potential identity thieves.
Both disasters show the same pattern: years of deferred security investments creating systematic vulnerabilities.
This isn't sophisticated hacking; it's criminal exploitation of corporate incompetence. M&S had no cyber attack plan despite £20 billion revenue.
McDonald's couldn't secure a chatbot. Technical debt isn't theoretical anymore. It's destroying billion-pound companies through preventable security failures. Wake up or get destroyed.

Shadow IT Isn't the Problem - It's the Symptom of Everything Wrong with Business Technology
After 40 years watching this bloody circus, this week's Shadow IT investigation revealed the most uncomfortable truth in business technology: unauthorized applications aren't the problem. They're proof that our entire industry has systematically failed small businesses through decades of vendor greed and procurement theatre. Seventeen project management tools because enterprise solutions are unusable garbage. £127k unauthorized spending because we sold them digital dumpster fires. Communication chaos because "professional" platforms are professionally useless. Employees aren't criminals - they're heroes solving problems we should have fixed twenty years ago. Shadow IT is the symptom. Enterprise software vendor arrogance is the disease.

The SME That Discovered 247 Unauthorized Cloud Services in One Week
A Buckinghamshire engineering firm thought they had "pretty good visibility" into their IT environment. DNS monitoring revealed 247 unauthorized cloud services, 43 different communication platforms, and £127,000 of annual Shadow IT spending they didn't know existed. Dropbox, Google Drive, OneDrive, iCloud, plus dozens of project management tools, design software subscriptions, and messaging platforms. One week of DNS logs exposed six years of unauthorized software proliferation.
The technical implementation took four hours. The business transformation took six months. Today, you can start discovering what's actually running in your network using the same techniques that saved this business from digital chaos.

VPNs are Critical in a Hybrid Working World - But Without MFA They Are Almost Pointless
Right, time for some brutal honesty about VPNs. They're not just broken, they're actively dangerous security theatre that's getting businesses destroyed.
While you're still pretending that GlobalProtect and Cisco AnyConnect provide meaningful security, criminals are systematically working through every VPN deployment in the UK using the same basic playbook.
Ingram Micro lost £136 million because someone misconfigured a VPN firewall. Your "secure" remote access is probably next. Microsoft's already solved this problem with Secure Access Service Edge, but you're still clinging to 1990s network architecture like it's some kind of digital security blanket. Wake up.

When Basics Break: How Simple Security Failures Cripple Big Brands
A password of "123456" in 2025, supposedly protecting 64 million people's personal information. McDonald's just handed every UK SMB a masterclass in how vendor incompetence destroys lives.
Some security researchers got curious about Mickey Dee's dystopian AI hiring bot, spent 30 minutes guessing obvious passwords, and suddenly had access to every job application ever submitted to the Golden Arches.
While McDonald's and their AI vendor Paradox.ai play hot potato with blame, 64 million desperate job seekers discover their data was protected by supersized digital tissue paper. Pull up a chair.

From 17 Project Management Tools to Zero Productivity: The Communication Chaos Epidemic
Seven communication platforms. Fifteen employees. £23,000 legal discovery bill when employment tribunal demanded complete records. WhatsApp Business for customers, Slack for projects, Discord for "team building," Signal for "confidential" talks, Telegram for contractors. When they needed to reconstruct one client relationship, conversations were scattered across platforms they couldn't control.
Customer satisfaction dropped 40% because every interaction started from zero knowledge. The legal penalty cost three times more than the actual dispute.
Tonight, count how many platforms your business uses. Calculate your exposure. Because communication chaos isn't flexibility - it's liability waiting to explode.

When Britain's Biggest Retailers Get Absolutely Destroyed by a Phone Call
M&S just lost £300 million and Co-op exposed 20 million customer records because some criminal rang their IT help desk, pretended to be an employee, and walked away with the keys to the kingdom. Not sophisticated malware. Not zero-day exploits. A bloody phone call.
The parliamentary hearing this week revealed the shocking truth: Britain's biggest retailers have help desk security that wouldn't pass muster at a corner shop.
When Archie Norman admits they had "no cyber attack plan" and describes the response as "pure chaos," you know we're looking at IT malpractice on an industrial scale.

Patch Tuesday July 2025: When Shadow IT Makes Security Updates a Nightmare
Microsoft's July 2025 Patch Tuesday just dropped 130 security fixes while most UK SMBs remain blind to 42% of applications running on their networks. From my NCSC experience, this represents a systematic organizational failure: you cannot patch what you cannot see.
Critical vulnerabilities in Windows Kernel, BitLocker, and authentication systems require immediate deployment, but Shadow IT applications will break unpredictably.
Worse, the buried Secure Boot certificate expiration warning affects every Windows system since 2012 and could cause boot failures by June 2026. Patch management with unauthorized applications is like performing surgery blindfolded while the patient keeps moving.

The Hidden Apps Undermining Your Business Security
Yesterday's Episode 6 dropped the bombshell: 42% of business applications are unauthorized. Today we're diving deeper into the hidden app epidemic destroying UK SMB security.
Karen's Dropbox backup strategy with password "Password" shared via email. Marketing teams feeding confidential data to AI platforms. Customer service operations running through WhatsApp Business storing financial information in chat logs.
DNS monitoring revealing 200+ cloud connections in a single week. These aren't isolated incidents; it's systematic security failure hiding in plain sight. The digital squatters have moved in, and most businesses have no idea they're paying rent to criminals.

The VPN Security Crisis: A perspective on Why Traditional Remote Access Is Failing
After analyzing the Ingram Micro ransomware attack and reviewing the latest threat intelligence, I need to be brutally honest about VPN security. We're facing a 56% increase in VPN-related attacks, an 8-fold surge in edge device exploitation, and zero-day VPN exploits jumping from 3% to 22% of all incidents.
The SafePay group's destruction of a $48 billion distributor through basic VPN misconfiguration isn't an anomaly. It's the new normal.
From my NCSC experience, I can tell you that traditional VPN architectures are fundamentally incompatible with modern threat landscapes. Time for uncomfortable truths.

Shadow IT: The Digital Squatters in Your Business
Episode 6 drops today with a statistic that'll make your blood run cold: 42% of business applications are unauthorized. While you're worrying about hackers, your helpful employees have built them a data highway using WhatsApp customer service, Karen's Dropbox backup strategy (password: "Password"), and seventeen project management tools for twelve people.
Mauven brings her NCSC perspective on government Shadow IT disasters, while Noel shares the DNS monitoring method that revealed 200+ cloud connections in one SMB. This isn't theoretical cybersecurity; this is happening in your business right now. Listen before the digital squatters invite criminal friends.
⚠️ Full Disclaimer
This is my personal blog. The views, opinions, and content shared here are mine and mine alone. They do not reflect or represent the views, beliefs, or policies of:
My employer
Any current or past clients, suppliers, or partners
Any other organisation I’m affiliated with in any capacity
Nothing here should be taken as formal advice — legal, technical, financial, or otherwise. If you’re making decisions for your business, always seek professional advice tailored to your situation.
Where I mention products, services, or companies, that’s based purely on my own experience and opinions — I’m not being paid to promote anything. If that ever changes, I’ll make it clear.
In short: This is my personal space to share my personal views. No one else is responsible for what’s written here — so if you have a problem with something, take it up with me, not my employer.