The Small Business
Cyber Security Guy
Welcome to my blog and podcast, where I share brutally honest views, sharp opinions, and lived experience from four decades in the technology trenches. Whether you're here to read or tune in, expect no corporate fluff and no pulled punches.
Everything here is personal. These are my thoughts, not those of my employer, clients, or any poor soul professionally tied to me. If you’re offended, take it up with me, not them.
What you’ll get here (and on the podcast):
Straight-talking advice for small businesses that want to stay secure
Honest takes on cybersecurity trends, IT malpractice, and vendor nonsense
The occasional rant — and yes, the occasional expletive
War stories from the frontlines (names changed to protect the spectacularly guilty)
I've been doing this for over 40 years. I’ve seen genius, idiocy, and everything in between. Some of it makes headlines, and most of it should.
This blog and the podcast is where I unpack it all. Pull up a chair.
From 17 Project Management Tools to Zero Productivity: The Communication Chaos Epidemic
Seven communication platforms. Fifteen employees. £23,000 legal discovery bill when employment tribunal demanded complete records. WhatsApp Business for customers, Slack for projects, Discord for "team building," Signal for "confidential" talks, Telegram for contractors. When they needed to reconstruct one client relationship, conversations were scattered across platforms they couldn't control.
Customer satisfaction dropped 40% because every interaction started from zero knowledge. The legal penalty cost three times more than the actual dispute.
Tonight, count how many platforms your business uses. Calculate your exposure. Because communication chaos isn't flexibility - it's liability waiting to explode.
The Hidden Apps Undermining Your Business Security
Yesterday's Episode 6 dropped the bombshell: 42% of business applications are unauthorized. Today we're diving deeper into the hidden app epidemic destroying UK SMB security.
Karen's Dropbox backup strategy with password "Password" shared via email. Marketing teams feeding confidential data to AI platforms. Customer service operations running through WhatsApp Business storing financial information in chat logs.
DNS monitoring revealing 200+ cloud connections in a single week. This isn't isolated incidents, it's systematic security failure hiding in plain sight. The digital squatters have moved in, and most businesses have no idea they're paying rent to criminals.
The VPN Security Crisis: A perspective on Why Traditional Remote Access Is Failing
After analyzing the Ingram Micro ransomware attack and reviewing the latest threat intelligence, I need to be brutally honest about VPN security. We're facing a 56% increase in VPN-related attacks, an 8-fold surge in edge device exploitation, and zero-day VPN exploits jumping from 3% to 22% of all incidents.
The SafePay group's destruction of a $48 billion distributor through basic VPN misconfiguration isn't an anomaly. It's the new normal.
From my NCSC experience, I can tell you that traditional VPN architectures are fundamentally incompatible with modern threat landscapes. Time for uncomfortable truths.
Patch Tuesday Is Microsoft's Security Theatre
Microsoft's Patch Tuesday is security theatre masquerading as systematic protection. Every second Tuesday, they dump 30-80 vulnerabilities on businesses and expect immediate deployment while providing minimal testing guidance.
It's a monthly game of Russian roulette disguised as responsible disclosure. SMBs get caught between "patch immediately or die" hysteria and "test everything or break the business" paralysis.
Meanwhile, Microsoft profits from both the problems and the solutions. Here's why the entire Patch Tuesday system is broken for small businesses, and what we actually need instead of monthly security panic cycles.
Patch Tuesday: Critical Fixes SMBs Are Ignoring
Microsoft just dropped 51 vulnerabilities in June's Patch Tuesday, including 18 rated critical. And I guarantee you, most UK SMBs will ignore the lot. CVE-2025-34567 allows remote code execution through a simple email attachment. CVE-2025-34701 lets attackers escalate privileges with ba
sic user credentials. These aren't theoretical risks but active attack vectors that criminals already exploit. Yet I'll bet half the businesses reading this still haven't patched last month's critical fixes.
This isn't about being behind the curve anymore. This is about being a sitting duck with a neon "hack me" sign flashing above your office.
Patch Tuesday Survival Guide: Why UK SMBs Get It Wrong
It's 6 PM on the second Tuesday of the month. While normal people are heading home, UK IT teams are just starting their monthly nightmare.
Microsoft has dumped 150 security fixes with zero consideration for how real businesses operate. No test environments, no staging procedures, no time to breathe.
Just impossible choices: patch immediately and risk breaking everything, or wait and become sitting ducks for "Exploit Wednesday" when criminals reverse-engineer the fixes.
After decades of watching this monthly chaos destroy businesses, I'm done pretending it's sustainable. Here's how to survive Microsoft's security roulette without losing your sanity or your business.
Still Using RDP Instead of a VPN in 2025? What the F*!k Are You Thinking?
Yes, this is real. Yes, it’s still happening. Businesses in 2025 are still exposing Remote Desktop Protocol (RDP) to the open internet like it’s a perfectly normal thing to do. It’s not. It’s deranged.
It’s like licking a petrol pump and being surprised you got sick. If you’re still running RDP with no VPN, no access controls, no MFA, and no clue , buckle up. This isn’t just a best practice failure.
This is IT malpractice. And if you’re an MSP still recommending it? You should probably stop calling yourself a professional. You’re part of the problem.
Still Faxing in 2025? The UK Councils Stuck in a Time Warp
It’s 2025, but some UK councils and NHS departments are still sending confidential data via fax machines.
That’s right. No encryption, no audit trail, just a shrieking relic from the 1980s spewing out safeguarding case notes or your latest blood test results from the GUM clinic into a shared office tray.
With the analogue switch-off looming, this isn’t just old-fashioned, or quaint, it’s reckless. Why the hell are printer manufacturers are still enabling this madness - Looking at you HP, Epson, Xerox et al.
If your council or trust or SMB still faxes, they’re not just behind the times. They’re holding the door wide open to the next data breach.
Root Canal or Rootkit? Why Your Dentist’s PC Might Be More Dangerous Than the Drill
It’s 2025. You’re in a sterile, brightly lit dental surgery — and there it is. A screen glowing with the unmistakable Windows 7 login. The same OS that went end-of-life in 2020. What the actual hell? That PC isn't just a relic — it’s a walking GDPR violation and a ransomware welcome mat.
If your dentist is still running patient records on Windows 7 or even XP, you’re not just risking plaque you’re risking identity theft. Please for the love of all things secure STOP THIS NOW. Before a root canal becomes the least painful part of your visit.
⚠️ Full Disclaimer
This is my personal blog. The views, opinions, and content shared here are mine and mine alone. They do not reflect or represent the views, beliefs, or policies of:
My employer
Any current or past clients, suppliers, or partners
Any other organisation I’m affiliated with in any capacity
Nothing here should be taken as formal advice — legal, technical, financial, or otherwise. If you’re making decisions for your business, always seek professional advice tailored to your situation.
Where I mention products, services, or companies, that’s based purely on my own experience and opinions — I’m not being paid to promote anything. If that ever changes, I’ll make it clear.
In short: This is my personal space to share my personal views. No one else is responsible for what’s written here — so if you have a problem with something, take it up with me, not my employer.