Compliance & Risk Management

17 articles

SMB1001: What Each Tier Actually Demands of Your Business (And Where It Gets Complicated)

Bronze means firewalls and backups. Silver means individual accounts and MFA on email. Gold means EDR, DMARC, and a proper incident response plan. Platinum means someone actually checks your work. Diamond means you pay ethical hackers to break in and find the holes before real criminals do. That's the SMB1001 ladder in five sentences. The marketing version stops there. The version I'm giving you today includes the bit where the standard contradicts NCSC guidance on passwords, the director accoun

You Probably Don't Need Diamond: A Brutally Honest Introduction to SMB1001

There's a new certification in town. Five tiers, Bronze through to Diamond, annual renewal, and a price that starts at £75 a year. It's called SMB1001, and depending on who's selling it to you, it's either the structured security roadmap your business has been waiting for, or the latest badge to stick on the website while Brenda in accounts is still using the same password she's used since 2009. In this first episode of our Cyber Belts deep-dive series, Graham Falkner, Mauven MacLeod, and I cut

That Cyber Essentials Badge on Your Website: Credential or Creative Writing?

Your Cyber Essentials badge is either a credential or creative writing. There is no third option. If you certified properly, maintained your scope, kept your controls current, and can explain v3.3 to a customer without reaching for Google, it's a credential. If your cert expired six months ago, your scope hasn't been reviewed since the original certification, your cloud services were never in scope, and you couldn't name the five controls under pressure, you're not certified. You're exposed. And

Why SMBs Draw Their Cyber Essentials Scope Around the Comfortable Parts

After years observing how organisations navigate security certification, I have reached a fairly uncomfortable conclusion: most scope failures in Cyber Essentials are not technical errors. They are decisions. Somebody looked at the full picture of what should be in scope, felt the weight of what that would require, and drew the line somewhere more manageable. I understand the impulse. I have watched it play out at every scale. But CE v3.3 closes the ambiguities that made that line defensible. An

Cyber Essentials v3.3: Every Change That Matters for UK Small Businesses in 2026

Cyber Essentials v3.3 is not a wholesale rewrite. It's a precision instrument for closing the loopholes that UK SMBs have been quietly exploiting for years. Cloud services you can't exclude anymore. MFA that has to cover everyone, not just the IT manager. A 14-day patching window that applies to vendor config changes, not just Windows Update. Scope documents that have to reflect your actual IT estate rather than the tidy fiction you'd prefer. Here is every material change, translated into what y

Cyber Essentials v3.3: Your Badge Might Already Be Lying for You

If you're flashing a Cyber Essentials badge on your website but couldn't explain the difference between Willow and Danzell without Googling it, you're not certified. You're exposed. One awkward question from a big customer, an insurer, or a regulator and that logo goes from asset to evidence. In Season 2 Episode 10 of The Small Business Cyber Security Guy, Noel Bradford, Graham Falkner, and Lucy Harper walk through every material change in CE v3.3: scope rules, cloud scoping, FIDO2, the 14-day p

Is a Card Number Personal Data? The Court of Appeal Has Answered. Here Is What Your Business Needs to Do with That Answer.

In September 2024, a UK tribunal concluded that 5.6 million stolen card records might not constitute personal data. The argument was structural, not frivolous. Hackers who cannot identify individuals from card numbers alone are not, the Upper Tribunal suggested, processing personal data. The Court of Appeal corrected that in February 2026. Lord Justice Warby's ruling establishes a clean and reusable test: you assess whether data is personal from the controller's perspective, not the attacker's.

Your Encryption Isn't Protecting You. Microsoft Just Proved It.

In early 2026, the FBI served Microsoft with a search warrant. Microsoft handed over the BitLocker encryption keys for three laptops. No hack. No breach. No compromised passwords. Just a warrant, and Microsoft's compliance. Here is what nobody in UK small business is talking about: those same default settings that allowed this are almost certainly running on your devices right now. And the legal mechanism that made it possible, the US CLOUD Act, reaches across the Atlantic directly into your Mic

The CLOUD Act and Your UK Business: The Unquantified Legal Risk Nobody Is Testing

The US CLOUD Act gives American courts the power to compel any US technology company to hand over your data, regardless of whether it sits in a London data centre or a bunker in Wyoming. UK GDPR Article 48 says foreign court orders do not make that transfer lawful. No UK court has tested this conflict. No ICO enforcement action has targeted it. The NCSC does not mention it by name. Corrine Jefferson, our resident intelligence analyst, dissects the legal contradiction sitting quietly in the middl

Switzerland Rejected Palantir. The UK Gave It the Keys to Everything.

I used to work in US government intelligence. I now live in London. Those two facts make me uniquely uncomfortable about Palantir's expanding presence across the British state. In December 2024, Switzerland's military concluded that data held by Palantir could be accessed by the American government and that leaks "cannot be technically prevented." Their recommendation was unambiguous: find alternatives. The UK's response to the same evidence has been to award Palantir more than £900 million in c

We Have Made This Exact Mistake Before. Every. Single. Time.

I have watched this exact disaster unfold five times in 40 years. Personal computers in the eighties. BYOD in the 2010s. Cloud migrations that nobody secured. SaaS tools that HR adopted without telling IT. And now AI agents that can read your email, execute commands on your machine, and send data anywhere, installed by employees who thought they were being productive. OpenClaw is not the problem. OpenClaw is the symptom. The problem is that every time a shiny new technology appears, businesses a

DUAA: The "Keep Calm and Build a Workflow" Act

The Data (Use and Access) Act just went live on 5 February, and if you're only hearing about it now, you're not alone. The commencement regulations were published two days before the provisions kicked in. That's the government's idea of adequate notice. Guest contributor Kathryn Renaud cuts through the panic with something actually useful: four repeatable workflows for DSARs, complaints, cookies, and automated decisions that any UK SMB can build this week with tools they already own. No expensiv

US Cloud Sovereignty Isn't a Trump Problem, It's a Three-Company Problem: Why UK SMBs Need to Understand Infrastructure Dependency

You've seen the memes. Trump is controlling cloud providers like puppets. Trump is literally unplugging Europe from US infrastructure. They're viral because they touch a nerve about something real: UK businesses run on American infrastructure controlled by American laws. But the political framing misses the actual problem. This isn't about any particular president or administration. This is about 15 years of infrastructure consolidation, creating structural dependency that predates and will outl

When the Cybersecurity Guardian Uploads State Secrets to OpenAI: The CISA ChatGPT Incident

The reality is this: the acting director of America's civilian cybersecurity agency uploaded sensitive government contracting documents to ChatGPT's public platform. Multiple automated alerts were triggered. A Department of Homeland Security investigation was launched. And somehow, this still happened. From my former life in government service, I can tell you this isn't just embarrassing. It's a systems failure that reveals fundamental problems with how we approach privileged access, AI governan

My Cyber Insurance Wake-Up Call: Why Your Insurer Should Be Your First IR Phone Call

Right, so I'll be honest. Six months ago, I thought cyber insurance was just another checkbox on the compliance list. Pay the premium, tick the box, hope you never need it. Then Noel challenged me to actually read my policy and treat my insurer as an incident response partner. What I found changed everything. Turns out my €10,200 annual premium wasn't buying risk transfer. It was buying a specialist IR team, forensics support, tabletop exercises, and gap assessments I'd been trying to budget for

When Security Policies Accidentally Exclude: A Lesson for Charities Pursuing Cyber Essentials

I watched a board meeting where someone was asked to turn off their hearing aid during a security discussion. Bluetooth concerns, apparently. The company meant well, but they'd created a policy that would exclude anyone using assistive technology. I've seen this same pattern emerge in charity governance—organisations pursuing Cyber Essentials creating barriers for disabled trustees and staff. This isn't about security frameworks being flawed. It's about implementation requiring thought beyond ch
