
The Small Business Cyber Security Guy
Welcome to my blog and podcast, where I share brutally honest views, sharp opinions, and lived experience from four decades in the technology trenches. Whether you're here to read or tune in, expect no corporate fluff and no pulled punches.
Everything here is personal. These are my thoughts, not those of my employer, clients, or any poor soul professionally tied to me. If you’re offended, take it up with me, not them.
What you’ll get here (and on the podcast):
Straight-talking advice for small businesses that want to stay secure
Honest takes on cybersecurity trends, IT malpractice, and vendor nonsense
The occasional rant — and yes, the occasional expletive
War stories from the frontlines (names changed to protect the spectacularly guilty)
I've been doing this for over 40 years. I’ve seen genius, idiocy, and everything in between. Some of it makes headlines, and most of it should.
This blog and the podcast are where I unpack it all. Pull up a chair.

How Crap MSPs, Slack Vendors, and a Culture of Complacency Are Fueling the Ransomware Epidemic
Think the hackers are your biggest threat? Think again. That smiling MSP rep who promised “complete protection” might just be the reason your business is on its knees.
Ransomware rarely walks in through the front door. It's invited in by lazy patching, crap backups, and a culture of "just enough" IT.
From misconfigured firewalls to fake dashboards and vendors more interested in sales than security, this is the real story of how ransomware thrives, enabled by the very people paid to stop it.
If you trust your IT supplier blindly, you might already be compromised.

The Meat Rots While the Firewalls Fail: How a Hack Took Out the Backbone of UK Chilled Logistics
A ransomware attack just crippled one of the UK’s key cold chain hauliers, leaving thousands of pounds’ worth of meat to rot before it ever reached supermarket shelves. Peter Green Chilled, who proudly promote their “bespoke IT systems,” couldn’t even keep order processing online. The result?
Spoiled stock, supply chain chaos, and radio silence from a company with £25 million in turnover and not a single cybersecurity certification.
This isn’t just an embarrassing IT failure. It’s a wake-up call. If you're still treating cybersecurity like a nice-to-have instead of a must-do, pull up a chair. Because you're not just vulnerable. You're on the menu.

Root Canal or Rootkit? Why Your Dentist’s PC Might Be More Dangerous Than the Drill
It’s 2025. You’re in a sterile, brightly lit dental surgery — and there it is. A screen glowing with the unmistakable Windows 7 login. The same OS that went end-of-life in 2020. What the actual hell? That PC isn't just a relic — it’s a walking GDPR violation and a ransomware welcome mat.
If your dentist is still running patient records on Windows 7, or even XP, you're not just risking plaque, you're risking identity theft. Please, for the love of all things secure, STOP THIS NOW. Before a root canal becomes the least painful part of your visit.

Cyber Essentials 2025: The End of Checkbox Theatre
On 28 April 2025, the UK’s beloved Cyber Essentials scheme quietly lobbed a compliance grenade into your IT department.
The Willow question set has arrived, and with it comes a new standard for audits, especially for Cyber Essentials Plus. The big twist? You no longer get to pick the test machines. That's right: your favourite "show laptop", patched 20 minutes before the audit, isn't going to save you.
The auditor picks now, and gives you just three working days' notice. Smoke, meet exit. This article unpacks what's changed, who it affects, and how to stop your next CE+ audit from turning into a public shaming.

ISO27001 vs Cyber Essentials (Part 3/3): What Needs to Change For Real
Too many UK businesses trust ISO27001 and SOC 2 to keep them safe. They shouldn’t. These frameworks focus on governance, not enforcement. When ransomware hits or supply chains collapse, it’s always the same gaps: patching failures, lack of segmentation, poor endpoint hygiene.
Cyber Essentials, especially CE+, isn’t a tick-box. It’s the defensive baseline that would have saved countless organisations from disaster.
This article lays out the real problem and preaches the blunt truth: no ISO, no SOC 2, no procurement badge means a thing unless Cyber Essentials or equivalent is tested, verified, and enforced.

ISO27001 vs Cyber Essentials (Part 2/3): Big Names, Big Certs, Big Breaches: The Truth Behind the Logos
You’d think ISO27001 and SOC 2 certifications mean a business is secure. But if 2023 and 2025 have shown us anything, it’s that those badges don’t stop breaches. From Capita’s data leaks to Harrods’ containment chaos, and Co-op’s app disruption to the MOVEit dominoes, governance frameworks have failed where basic cyber hygiene would have succeeded.
Cyber Essentials, often dismissed as small business fluff, turns out to be the missing frontline control in all of these high-profile failures. This article names names, unpacks the gaps, and shows why CE+ is no longer optional, it's essential.

ISO27001 vs Cyber Essentials (Part 1/3): Why They’re Not the Same and Why That Matters More Than Ever
Think Cyber Essentials and ISO27001 are just different flavours of the same thing? Think again. One’s a tactical shield against everyday threats, the other’s a strategic blueprint for governance. Mistake one for the other, and you’ll either overspend or leave the door wide open.
This article rips into the dangerous misconception that they’re interchangeable, explores how Cyber Essentials is built for every organisation, from startups to schools, and why it remains your frontline defence while ISO27001 governs the back office. Ignore this and you risk joining the breach statistics next quarter.

Ransomware Isn’t the Disease. It’s Just the Symptom.
Ransomware isn’t your biggest problem—it’s just the one that finally made you look. Behind every cyberattack sits a decade of crap decisions, from budget-stretched IT to untrained staff, weak passwords, and clueless suppliers.
You didn’t get hit because you were unlucky. You got hit because your house was already on fire.
This is part one of a blistering three-part series breaking down the disease beneath the ransomware epidemic ripping through the UK’s small business sector.
If you think you’re too small to be a target, read this—and pray you’re not already infected.

May 2025 Patch Tuesday: Microsoft Preps Fixes for Broken Logins, Missed Patches, and Security Chaos
May’s Patch Tuesday is coming in hot—and if April’s mess left your domain logins broken, WSUS deployments in meltdown, or your Hello PIN sulking in the corner, you’ll want this one.
Microsoft is set to mop up its authentication chaos, plug lingering Windows 10 holes, and squash a few zero-days while it’s at it.
But that’s not all. Adobe, Intel, and SAP are sneaking in updates too. This month’s patch drop might not be as noisy as April, but it’s arguably more important.
Brace yourself for impact on 14 May—and don’t forget to test before clicking “Install.”

Pearson’s Cybersecurity Fiasco: A Legacy of Incompetence and Arrogance

UK Legal Aid Agency Breach: Cybersecurity Incompetence Meets Supply Chain Chaos
The UK Legal Aid Agency has been hit by a serious cybersecurity incident—and the fallout could be catastrophic.
With over 1.5 million legal aid cases a year and £2.3 billion in funding flowing through its systems, sensitive data from criminal, immigration, and abuse cases could now be in the hands of cybercriminals.
Was it a supply chain failure? A government screw-up? (Spoiler: probably both.) If you thought justice was blind, wait until you see how blindfolded their cybersecurity really was. Here's everything they’re not telling you—yet.

EU Bans SIM Farms – Years Too Late, As Usual
The EU has finally banned SIM farms — about five years after scammers used them to turn SMS networks into a cybercrime playground. Bravo. This industrial-scale abuse wasn’t exactly a secret, yet regulators somehow needed a multi-year nap before acting.
Businesses were battered, individuals scammed, networks flooded and now, just as criminals are moving onto bigger, nastier tricks, the ban lands with all the urgency of a snail on sedatives.
It’s the right move, just years too late. If this is what "proactive" cybersecurity looks like, we might all want to invest in stronger helmets.

Breached (Part 4)
Think your MSP has your back? Think again. In Part 4 of Breached, we unpack the brutal truths most businesses only learn after the worst happens.
From useless logs to skyrocketing insurance, and a support ticket that nearly destroyed everything, this is the roadmap you wish you had before the call came. Ten hard lessons, zero fluff.
Why your MSP is there to sell, not protect. Why a good fractional CIO is worth their weight in gold. And why silence from your IT provider isn’t just dangerous—it might be deliberate. This isn’t theory. It’s survival. And you’d better be ready.

The Soft Underbelly: How UK SMBs Are Screwing the Nation on Cybersecurity
Think you're too small to be a target? Think again. UK small businesses are now the top attack vector for state-backed hackers from Russia and China, and your half-baked cybersecurity is a red carpet to our critical infrastructure.
M&S, Harrods, and the Co-op didn't get hit by chance; they got hit through you. If you're in the supply chain without Cyber Essentials Plus, real EDR, or even basic patching, you're not just vulnerable, you're a national liability. Time to grow up or get out of the way.

Breached (Part 3)
The breach was just the beginning. In Part 3 of Breached, the truth is out—and now come the consequences. The MSP tried to hide a misconfiguration. They failed.
Now the clients are calling, the regulators want answers, and the business owner is left holding the fallout. From a quiet boardroom to sleepless nights and rising insurance premiums, this is what happens when a cover-up gets exposed. Contracts are cancelled. Trust evaporates.
And the worst part? It all could have been prevented. If you've ever wondered what happens after the breach, this is the chapter that shows just how far it spreads.

Retail Cyber Crisis Uncovered: How the Co-op Hack Is Just the Tip of the Iceberg
The Co-op breach? Just the start. Behind every checkout is a ticking digital time bomb—and UK retailers keep hitting snooze.
From Harrods to M&S, data is being leaked, stolen, and casually ignored while executives issue vague apologies and blame “sophisticated attacks.”
Payroll provider Zellis is quietly at the centre of it all—again. Meanwhile, your personal info is floating in the dark web like last season’s clearance stock.
In this brutal deep dive, we expose the rot behind the logos, the failures behind the firewalls, and ask the only question that matters:
Which high street brand is next?

Breached (Part 2)
What happens when your IT provider makes a mistake—and then tries to hide it? In Part 2 of Breached, a hidden support ticket, a missing firewall log, and over 400 unpatched vulnerabilities unravel a small business’s trust in the team meant to protect them.
The MSP said, “Don’t tell the client.” But she was accidentally copied in. What followed was seven days of denial, silence, and mounting pressure—until the truth was read aloud, word for word, in a boardroom gone cold. This isn’t about poor support. This is about betrayal, exposure… and what happens when you catch someone in the lie.

The SMS Scam: Why Your 2FA Strategy is an Open Goal for Hackers
Still using SMS for 2FA? You’re not securing your business—you’re leaving the door wide open and waving attackers in. A live zero-day exploit for SS7—the ancient, insecure telecom protocol still propping up your text messages—is being sold right now for five grand. That’s all it takes to intercept your logins, steal your bank codes, and track your phone. No malware.
No warnings. Just game over. If your IT team or MSP still thinks SMS is ‘good enough’, this article is the slap they need. Read it. Then rip SMS out of your security stack before someone else does it for you.

Breached (Part 1)
Katie Roberts thought it was just another Tuesday—until her personal phone rang at 11:27 a.m. The voice on the other end wasn’t a client. It was the National Crime Agency. Within minutes, her calm, structured world tilted on its axis. A cyber breach. Live. Real. Observed. And her business—the one she’d built from scratch—was now under threat. No plan. No warnings. Just a quiet office and a slow, sinking realisation that everything was about to change. What do you do when your worst-case scenario starts with a phone call? You listen. You freeze. And then… you start asking questions.

Co-op’s Data Breach: Another Day, Another Cyberattack in UK Retail
Co-op just confirmed a major data breach—but only after the hackers got sick of waiting and contacted the BBC themselves. Yes, really. It turns out customer data wasn’t just mishandled, it was gift-wrapped and forgotten like an expired loyalty card.
With Zellis—the same payroll firm linked to the BBC and BA MOVEit fiascos—once again in the mix, this breach isn’t just another blip.
It’s part of a growing pattern of retail cybersecurity disasters. And with legal and funeralcare data involved, the stakes are higher than most boardrooms seem willing to admit. So the real question is: who's next?
⚠️ Full Disclaimer
This is my personal blog. The views, opinions, and content shared here are mine and mine alone. They do not reflect or represent the views, beliefs, or policies of:
My employer
Any current or past clients, suppliers, or partners
Any other organisation I’m affiliated with in any capacity
Nothing here should be taken as formal advice — legal, technical, financial, or otherwise. If you’re making decisions for your business, always seek professional advice tailored to your situation.
Where I mention products, services, or companies, that’s based purely on my own experience and opinions — I’m not being paid to promote anything. If that ever changes, I’ll make it clear.
In short: This is my personal space to share my personal views. No one else is responsible for what’s written here — so if you have a problem with something, take it up with me, not my employer.