The Small Business
Cyber Security Guy
Welcome to my blog and podcast, where I share brutally honest views, sharp opinions, and lived experience from four decades in the technology trenches. Whether you're here to read or tune in, expect no corporate fluff and no pulled punches.
Everything here is personal. These are my thoughts, not those of my employer, clients, or any poor soul professionally tied to me. If you’re offended, take it up with me, not them.
What you’ll get here (and on the podcast):
Straight-talking advice for small businesses that want to stay secure
Honest takes on cybersecurity trends, IT malpractice, and vendor nonsense
The occasional rant — and yes, the occasional expletive
War stories from the frontlines (names changed to protect the spectacularly guilty)
I've been doing this for over 40 years. I’ve seen genius, idiocy, and everything in between. Some of it makes headlines, and most of it should.
This blog and the podcast is where I unpack it all. Pull up a chair.
Stop Getting Fooled: A Small Business Guide to "Verify and Never Trust" Security
When someone who protected the President's digital communications tells you to "verify and never trust," you should probably listen. Former White House CIO Theresa Payton's evolution of Reagan's famous principle isn't just clever wordplay - it's essential survival advice for 2025. Deepfakes can fool video calls, AI perfectly mimics email writing styles, and social engineering has become so sophisticated that even cybersecurity professionals get caught out. When seeing and hearing are no longer believing, systematic verification becomes your primary defense. Here's your step-by-step guide to implementing enterprise-level verification procedures without enterprise-level complexity - or budgets.
Stop Bleeding Money on Yesterday's Shortcuts
After this week's deep-dive into technical debt psychology, let's talk about actually fixing the bloody mess. Your "temporary" solutions from 2019 are now permanent vulnerabilities that criminals are actively exploiting.
Every day you delay proper technical debt management, you're bleeding money on maintenance, security patches, and the inevitable breach costs. I've seen £50 million companies destroyed by technical debt they knew existed but couldn't prioritize properly.
Here's your framework for triaging technical debt before it kills your business: assess, prioritize, execute, and maintain. No psychology, no excuses, just practical steps to stop the bleeding.
Podcast Ep7: Technical Debt - The Digital Quicksand Drowning UK Businesses
M&S lost £300 million because decades of technical debt left them unable to respond to basic social engineering. Co-op faced identical DragonForce attacks but recovered quickly through operational agility. The difference? M&S accumulated digital debt like a hoarder accumulates rubbish, whilst Co-op invested in resilience.
Technical debt isn't just old software - it's every deferred security decision, every "temporary" workaround, every vendor relationship without oversight.
Podcast Episode 7 reveals how your past shortcuts are creating tomorrow's business extinction events. Because criminals don't attack your current systems - they attack your accumulated incompetence.
The SME That Discovered 247 Unauthorized Cloud Services in One Week
Buckinghamshire engineering firm thought they had "pretty good visibility" into their IT environment. DNS monitoring revealed 247 unauthorized cloud services, 43 different communication platforms, and £127,000 annual Shadow IT spending they didn't know existed. Dropbox, Google Drive, OneDrive, iCloud, plus dozens of project management tools, design software subscriptions, and messaging platforms. One week of DNS logs exposed six years of unauthorized software proliferation.
The technical implementation took four hours. The business transformation took six months. Today, you can start discovering what's actually running in your network using the same techniques that saved this business from digital chaos.
Shadow IT: The Digital Squatters in Your Business
Episode 6 drops today with a statistic that'll make your blood run cold: 42% of business applications are unauthorized. While you're worrying about hackers, your helpful employees have built them a data highway using WhatsApp customer service, Karen's Dropbox backup strategy (password: "Password"), and seventeen project management tools for twelve people.
Mauven brings her NCSC perspective on government Shadow IT disasters, while Noel shares the DNS monitoring method that revealed 200+ cloud connections in one SMB. This isn't theoretical cybersecurity, this is happening in your business right now. Listen before the digital squatters invite criminal friends.
Passkeys, Passwordless, and the End of Excuses: Why This Time It's Actually a Good Thing
Passwords are circling the drain, and this time it’s for real. Microsoft, Apple, and Google are killing off passwords and pushing passkeys by default across their platforms.
Microsoft is going passwordless by force, Apple is making it seamless, and Google is syncing passkeys everywhere. The UK government is onboard too, rolling out passkeys across public services.
This isn’t future talk, it’s happening now. If your IT provider is still clinging to complex password policies and SMS MFA, you’re being left behind.
Passkeys work. They’re safer, faster, and available today. So why are you still dragging your feet?
The Psychology of Password Chaos: Why Smart People Make Terrible Choices
After Monday's podcast and yesterday's NCSC deep-dive, I want to tackle the elephant in the room: if three random words are so brilliant, why do smart business owners still use "password123"? Why does 78% password reuse persist despite constant breach warnings? The answer isn't technical ignorance - it's human psychology.
We're fighting millions of years of evolution with spreadsheets and complexity requirements. Our brains aren't wired for digital security, they're wired for survival shortcuts. Understanding this psychology is the key to implementing security that actually works in the real world.
Three Random Words: The NCSC Solution That Actually Works
After last night's podcast revelation about our collective digital archaeology disaster, let's talk about the solution hiding in plain sight. The UK's National Cyber Security Centre dropped wisdom that sounds too simple to work: pick three random words for your passwords. "Coffee train fish." "Wall tin shirt." "CabbagePianoBucket."
Easy to remember, nightmare to crack, and unlike "password123," not on every hacker's greatest hits list. While we're mashing together words and numbers in barely inventive combinations, the NCSC figured out human psychology and gave us something that actually works.
Tonight at Midnight: The Password Archaeology Begins
Picture this: It's midnight, crisis hits, you need email access urgently. Staring at the login screen, mind completely blank. Was it your dog's name plus random numbers? Your old football team with an exclamation mark? Welcome to digital archaeology - the art of excavating your own memory for password variations you can't quite remember. Tonight's podcast reveals why we've become amateur archaeologists in our own digital lives, managing 250+ passwords while 78% of us reuse them. The midnight password panic is about to get much worse before it gets better.
Week Ahead: The Digital Archaeology Intervention UK SMBs Desperately Need
This week we're staging an intervention for UK SMBs trapped in digital archaeology hell. Picture this: It's midnight, crisis hits, you need email access, and your mind goes completely blank. Was it your dog's name plus random numbers?
Your old football team with an exclamation mark? Welcome to digital archaeology - excavating your own memory for password variations across 250+ accounts.
Monday's podcast kicks off our deep-dive into why 78% of us reuse passwords, why only 15% use managers, and how the NCSC's three random words can save your sanity.
The Sheffield SME That Learned to Love Patch Tuesday
Meet the Sheffield manufacturing firm that turned patch management from monthly panic into competitive advantage. Thirty-five employees, fifteen-year-old custom software, and an MD who thought "cybersecurity" was just expensive insurance. Then a supplier breach nearly destroyed their government contracts.
Fast-forward eighteen months: they're winning contracts specifically because of their security posture, staff morale is up, and they haven't had a single security incident.
Their secret? They stopped treating patches as IT's problem and started treating them as business enablers. Here's exactly how they did it, and why their approach works for any UK SMB.
Patch Management That Won't Break Your Business
Stop treating patch management like Russian roulette. You don't need enterprise-grade test labs to deploy patches safely.
You need a structured approach that balances speed with stability. I've managed patches across everything from 50-seat SMBs to global enterprises with 100,000+ endpoints. The principles are identical: test smart, deploy fast, have a rollback plan.
Most SMBs get this backwards - they test forever and deploy never, leaving themselves exposed to known vulnerabilities while perfecting procedures for threats that already have public exploits. Here's how to patch like a professional without breaking the business that pays your salary.
Cybersecurity Is Not Optional: How a £60K Fine Just Woke Up Small Law Firms
Think your law firm is too small for hackers to bother with? DPP Law thought so too—right up until they faced a £60,000 fine and a public shaming after a catastrophic cyber attack. A single unsecured admin account was all it took to unleash chaos.
No MFA, no breach reporting, no chance. If you are still relying on luck instead of basic cyber hygiene, you are playing a dangerous game with your clients’ trust—and your firm’s future. Cyber Essentials is the starting line, not the victory lap. How much will you lose before you wake up?
Patch Me If You Can: Firewall Vendors Ranked by How Much They Care About Your Security
Not all firewalls are created equal—some vendors make patching painless, others seem to actively hide the fixes. We evaluated SonicWall, Fortinet, UniFi, DrayTek, Zyxel, WatchGuard, Sophos, Meraki and more using a realistic UK small business setup: one firewall, one switch, two access points.
Then we scored them out of 50 on cost, usability, licensing, and update handling.
Spoiler: UniFi smashed it. SonicWall? Not so much. If you want to know which vendor respects your time and budget—and which one just wants your wallet—this is your no-nonsense firewall buyer’s guide.
Fake CAPTCHAs Are Now Malware Traps – Because Of Course They Are!
Think you’re safe clicking through a CAPTCHA? Think again. Cybercriminals are hijacking your trust with fake CAPTCHA pop-ups that trick you into downloading malware—by following simple keyboard instructions you’d never question. One click and boom—your passwords, wallets, and entire digital life are up for grabs. This isn’t just clever, it’s terrifyingly effective. If you’ve ever hit "I’m not a robot," you need to read this before you hand your system over to hackers.
DrayTek Disaster: Why Your Business Wi-Fi Just Became a Cybersecurity Liability
A critical flaw in DrayTek routers is wreaking havoc on UK broadband connections — and no, this isn’t just a “techie problem.” Businesses across the country are unknowingly running vulnerable, outdated routers that are now being blocked by ISPs for good reason.
DNS hijacks, remote code execution, and silent compromises are all in play. If you're still clinging to your 2018 networking gear like it’s a family heirloom, it’s time to wake up. This isn’t about cost — it’s about negligence. Here’s what’s going on, why it matters, and what to do before your internet (and reputation) vanishes.
2-Step Verification: The Absolute Bare Minimum for People Who Actually Give a Damn
If you're still not using 2-Step Verification (2SV), you might as well leave your front door wide open, bake some cookies for the burglars, and leave a note that says, "Take what you like, I clearly don’t give a shit." Sounds ridiculous? So does ignoring the absolute bare minimum of online security. Passwords alone are about as effective as a chocolate teapot, and cybercriminals love people who think 2SV is “too much hassle.” If typing in a short code now and then feels like a chore, maybe the internet isn’t for you. Get 2SV enabled before you end up Googling, "What to do when my bank account is emptied?"
Lazarus Strikes Again: North Korean Hackers Crash the NPM Party
North Korea's Lazarus hackers are back, gleefully slipping malicious code into popular NPM packages—think razor blades hidden in your Halloween sweets. Hundreds of developers unwittingly invited cybercriminals into their digital lives, losing sensitive data and perhaps some self-respect. This latest supply-chain fiasco underscores a crucial lesson: trust no package blindly.
Treat your code dependencies like milk—check regularly, or risk finding something unpleasantly chunky in your morning coffee. Vigilance isn't optional; it's essential.
⚠️ Full Disclaimer
This is my personal blog. The views, opinions, and content shared here are mine and mine alone. They do not reflect or represent the views, beliefs, or policies of:
My employer
Any current or past clients, suppliers, or partners
Any other organisation I’m affiliated with in any capacity
Nothing here should be taken as formal advice — legal, technical, financial, or otherwise. If you’re making decisions for your business, always seek professional advice tailored to your situation.
Where I mention products, services, or companies, that’s based purely on my own experience and opinions — I’m not being paid to promote anything. If that ever changes, I’ll make it clear.
In short: This is my personal space to share my personal views. No one else is responsible for what’s written here — so if you have a problem with something, take it up with me, not my employer.