No ransomware. No smashed firewall. No dramatic movie scene. Just a fraudulent invoice, a trusted relationship, and $432,739.21 gone. If you think this cannot happen to your business, you need to read this.
Noel left us unsupervised with two bottles of Prosecco and a microphone. What followed was a serious conversation about the security vulnerability nobody likes to name: overconfidence. The kind that sounds completely reasonable in a meeting — and has preceded some very expensive afternoons.
Most small businesses that call their IT company and say "can you just make us secure?" get back either an incomprehensible technical list or a vague proposal with no defined deliverables. What they rarely get is a structured conversation about where they actually are, where they need to be, and what that journey will cost. SMB1001's five tiers give you the framework for exactly that conversation. In this practical guide, I'll walk you through how to assess your current position honestly, choose
For five months, anyone with a Companies House login could access the private dashboard of any of the five million registered UK companies. Home addresses. Dates of birth. Email addresses. All the personal data fraudsters need to impersonate a director, open accounts in your company's name, or reroute your banking. Not by hacking. Not by sophisticated exploit. By pressing the back button. That is the entirety of the technical skill required. The government body responsible for the UK's corporate
Bronze means firewalls and backups. Silver means individual accounts and MFA on email. Gold means EDR, DMARC, and a proper incident response plan. Platinum means someone actually checks your work. Diamond means you pay ethical hackers to break in and find the holes before real criminals do. That's the SMB1001 ladder in five sentences. The marketing version stops there. The version I'm giving you today includes the bit where the standard contradicts NCSC guidance on passwords, the director accoun
There's a new certification in town. Five tiers, Bronze through to Diamond, annual renewal, and a price that starts at £75 a year. It's called SMB1001, and depending on who's selling it to you, it's either the structured security roadmap your business has been waiting for, or the latest badge to stick on the website while Brenda in accounts is still using the same password she's used since 2009. In this first episode of our Cyber Belts deep-dive series, Graham Falkner, Mauven MacLeod, and I cut
A week of Cyber Essentials v3.3 done. Scope reviews, cloud scoping rules, MFA for everyone, the 14-day patching window. You now know more about CE than most IT managers I've spoken to this year. Next Monday we zoom out. SMB1001 runs from Bronze to Diamond and was built specifically for small businesses that want a structured security roadmap beyond the CE baseline. It is not a UK government scheme, it does not carry the same procurement weight, and the two frameworks do not map neatly. So the qu
Your Cyber Essentials badge is either a credential or creative writing. There is no third option. If you certified properly, maintained your scope, kept your controls current, and can explain v3.3 to a customer without reaching for Google, it's a credential. If your cert expired six months ago, your scope hasn't been reviewed since the original certification, your cloud services were never in scope, and you couldn't name the five controls under pressure, you're not certified. You're exposed. And
By the time anyone at Meridian Advisory noticed the problem, their Cyber Essentials certificate had been renewed four times. Each renewal had covered the same carefully defined scope: two office servers, the on-premises file share, and about fifteen managed laptops. By 2025, the actual business ran on Microsoft 365, a cloud-based CRM, a remote project management platform, and a VoIP system. None of those were in scope. When a credential-based breach exposed client financial data held in the CRM,
Microsoft's Defender Experts published research yesterday on a campaign called Contagious Interview. Attackers pose as recruiters, walk your developers through a convincing fake job interview, then get them to clone and run a malicious code repository. The moment they do, your cloud credentials, API tokens, signing keys, and password manager databases are on their way out the door. This campaign has been running since at least December 2022. Your developers are the target. Your infrastructure is
Right. Noel and Mauven have told you what's changing in Cyber Essentials v3.3 and why scope failures become legal problems. My job is the bit that comes after: what do you actually do, in what order, with realistic timelines? I have broken this into a 30-60 day plan that works for most UK SMBs, whether you're renewing before 26th April under Willow or preparing for Danzell afterwards. No tools to buy, no consultants to hire for the basics. Mostly time, a spreadsheet, and an honest look at what y
The Bank of England runs live cyberattack simulations on the UK's most critical financial institutions every year. Real attacks, on live systems, designed by intelligence analysts who know exactly how sophisticated threat actors operate. The 2025 results are in. Weak passwords. Overly permissive access controls. Systems that haven't been patched. Staff who hand over credentials when asked convincingly. Third year running. Same findings. If the institutions that hold your money, process your payr
Microsoft shipped March 2026 Patch Tuesday on 10 March with no actively exploited zero-days. And I can already hear the conversation in the finance department: "Quiet month, push it to next quarter." Wrong. This month's release covers six Windows elevation-of-privilege flaws that Microsoft itself rates as Exploitation More Likely, a critical Excel bug that can hijack Copilot Agent to exfiltrate data with near zero user interaction, and two Office remote code execution issues that fire through th
After years observing how organisations navigate security certification, I have reached a fairly uncomfortable conclusion: most scope failures in Cyber Essentials are not technical errors. They are decisions. Somebody looked at the full picture of what should be in scope, felt the weight of what that would require, and drew the line somewhere more manageable. I understand the impulse. I have watched it play out at every scale. But CE v3.3 closes the ambiguities that made that line defensible. An
Cyber Essentials v3.3 is not a wholesale rewrite. It's a precision instrument for closing the loopholes that UK SMBs have been quietly exploiting for years. Cloud services you can't exclude anymore. MFA that has to cover everyone, not just the IT manager. A 14-day patching window that applies to vendor config changes, not just Windows Update. Scope documents that have to reflect your actual IT estate rather than the tidy fiction you'd prefer. Here is every material change, translated into what y
There's a philosophy thought experiment from the 1960s that explains, better than any threat report I've read, exactly why reactive security is a trap. It's called Newcomb's Paradox. A near-perfect predictor places money in two boxes. Grab both and you walk away with £1,000. Grab just one and you walk away with a million. Except the decision was made before you walked in the room. Your attackers work the same way. They've already run their reconnaissance. They've already decided what kind of tar
Hello, Mauven here. Yesterday, Dutch military and domestic intelligence confirmed what European security agencies have been circling for weeks: Russian state-sponsored hackers are running a large-scale global campaign to take over Signal and WhatsApp accounts. Not by breaking the encryption. By asking for the keys. Two governments have now issued formal warnings. Dutch officials have confirmed their own employees are among the victims. And the attack method is devastatingly simple. If your busin
If you're flashing a Cyber Essentials badge on your website but couldn't explain the difference between Willow and Danzell without Googling it, you're not certified. You're exposed. One awkward question from a big customer, an insurer, or a regulator and that logo goes from asset to evidence. In Season 2 Episode 10 of The Small Business Cyber Security Guy, Noel Bradford, Graham Falkner, and Lucy Harper walk through every material change in CE v3.3: scope rules, cloud scoping, FIDO2, the 14-day p
Most of the real damage from a data breach does not happen during the initial compromise. It happens in the scramble afterwards. Someone panics and wipes a server. Someone else coordinates the response through the email account that is already compromised. A well-meaning manager posts on social media before anyone understands what happened. The first hour determines whether this becomes a bad day you recover from or a business-ending week you do not. This playbook walks you through exactly what
Nine years. Half a million pounds. Zero victim compensation. Lawyers billing on both sides for the best part of a decade. A regulator declaring "significant victory" while 14 million people's limitation periods quietly expired. The Currys DSG saga is not an edge case or an administrative anomaly. It is a precise and accurate picture of how UK data enforcement actually works. This is my verdict: the system is structurally broken, everyone in the industry knows it, and the comfortable fiction that