Most small businesses know they should think about cybersecurity risk. What often stops them isn’t a lack of concern, but uncertainty. They’re not sure what a risk assessment is supposed to look like, how formal it needs to be, or whether they’re even the right person to do it. The term itself tends to conjure […]
Most small businesses don’t think of themselves as a cybersecurity risk. That isn’t denial, and it isn’t ignorance. It’s a perfectly reasonable conclusion based on lived experience. Nothing serious has happened. Systems seem to work. Clients are happy. Work gets done. From the outside, everything looks fine. Cybersecurity, meanwhile, is largely invisible when it’s working. […]
For a long time, cybersecurity awareness was treated as a reasonable endpoint. If staff had completed the training, clicked through the module, and acknowledged the policy, organisations could confidently say they had done what was required. Awareness was something you could evidence, report on, and move on from. That approach made sense in a world […]
Most cyber training is built on a quiet assumption: that when a security decision matters, people will have the time, focus, and mental space to make a good one. That assumption is rarely questioned, and it underpins everything from awareness sessions and policies to how incidents are later explained. Yet it sits uncomfortably with how […]
On 6 January 2026, the UK Government published the Government Cyber Action Plan, setting out how cyber resilience is expected to be strengthened across central government, local authorities, public services, and the suppliers they rely on. At face value, this is a delivery plan. It outlines how responsibility is organised, how capability will be developed, […]
There is a phrase that comes up again and again in conversations with small organisations, usually delivered calmly, often reasonably, and rarely with any sense of denial or bravado. “We’re too small to be a target.” It might be said during a discussion about training, while reviewing budgets, or when someone raises a question about […]
If you look closely at most cybersecurity incidents, a familiar pattern appears. The tools were in place. The policies existed. Training had been delivered. On paper, the organisation had done what it was supposed to do. And yet, something still went wrong. More often than not, the incident didn’t involve a technical failure or a […]
Cyber insurance is often spoken about in the same way as firewalls, backups, and incident response plans. Something sensible organisations are expected to have. Something that reassures boards, clients, and insurers alike. And yet, when incidents actually happen, many businesses discover that their understanding of cyber insurance was built on assumptions rather than reality. Claims […]
If you sit in enough meetings about risk, compliance, or “cyber”, you start to notice something interesting. The language changes, but the assumptions rarely do. Cybersecurity and information security are used as if they’re interchangeable. Different words, same meaning. Same budget line. Same responsibility. Most of the time, no one challenges that assumption. It feels […]
Running a small, service-based business doesn’t automatically exempt you from thinking about environmental responsibility. In fact, in many ways it makes the question more uncomfortable. When your footprint is modest, it’s easy to tell yourself that the impact is negligible, that bigger organisations are the ones who need to worry about policies, plans, and accountability. […]
