The 43% Cyber Attack Statistic: Are We Being Sold Fear?

Every spring, the UK government drops a cyber statistic that makes headlines, fills vendor slide decks, and gives nervous business owners another reason to stare bleakly into their coffee. The claim? Around 43% of UK businesses suffered a cyber breach or attack last year.

Sounds terrifying, doesn’t it?

Except there is a problem. A bloody big one.

The methodology counts phishing emails as breaches even when nobody clicked, nobody engaged, and nothing happened. In other words, your business could block thousands of dodgy emails, suffer no damage, lose no money, and still get swept into the headline figure.

Buried deeper in the same government report is a far more useful number.

In this episode, the team pulls apart ten years of survey data and asks an uncomfortable question: who benefits when cyber risk gets inflated? Government comms teams get a stronger headline. Vendors get better scare copy. Compliance theatre gets another curtain call. Meanwhile, small businesses are left wondering whether they are genuinely at risk or just being sold another steaming plate of fear.

We also admit something important. We fell for the 43% number ourselves two weeks ago. So this episode is not just a takedown. It is a correction.

What should a 20 person business actually do with this information? Ignore cyber risk? Absolutely not. Panic buy another shiny security product because someone waved a big scary percentage at you? Also no.

The answer sits somewhere far more useful: understand the real risk, ask better questions, spend money where it matters, and stop letting fear based marketing write your security strategy.

Links

• Department for Science, Innovation and Technology
• Cyber Security Breaches Survey 2026
• Office for Statistics Regulation
• Office for National Statistics
• Home Office
• Computer Misuse Act 1990
• FBI IC3 Annual Reports
• NCSC Cyber Essentials Overview

The Celebrity Stalkerware Leak: Not Encryption, Endpoint Compromise

In late April 2026, headlines screamed about 86,000 private screenshots leaked from a prominent European celebrity's phone. The story dominated tech press coverage, but crucial context went missing. This was not hackers breaking encryption or sophisticated cyber warfare. It was endpoint compromise: stalkerware capturing screenshots directly from a device after messages had already been decrypted on screen. The database, allegedly linked to the collapsed Cocospy spyware ecosystem, contained WhatsApp chats, Instagram activity, invoices, intimate images and more. Whilst the core reporting appears sound, the framing obscured important truths. A VPN would not have stopped this attack. Encrypted messaging apps could not protect against malware already installed locally. And beneath the sensational headlines lies a grim pattern: commercial spyware marketed as parental monitoring or employee oversight, repeatedly exposed in breaches that reveal its real use in coercive control and domestic abuse. This episode unpacks what actually happened, why the technical details matter, and why we need to stop calling this surveillance software anything other than what it is.

Chapters

• Intro
  Noel introduces the celebrity stalkerware leak story from April 2026, cutting through sensational headlines to frame what this incident actually was: endpoint compromise, not encryption failure.
• What The Story Claimed
  Breaking down the original ExpressVPN report by researcher Jeremiah Fowler, which detailed 86,859 screenshots from a celebrity's device, including encrypted app content, intimate images and personal data.
• This Was Not Breaking Encryption
  Clarifying the critical technical misunderstanding: the spyware did not crack WhatsApp or Signal encryption. It simply captured screenshots after messages were already decrypted and displayed on screen.
• The Cocospy Bit
  Unpacking the Cocospy connection. The spyware ecosystem collapsed in 2025 after a massive breach, but leftover infrastructure appears linked to this incident, which targeted one victim rather than millions.
• The VPN Problem
  Addressing the uncomfortable commercial context: the story appeared on ExpressVPN's blog, yet a VPN would not have prevented this attack. Transparency and vendor-owned media ecosystems matter in security reporting.
• The Bigger Issue Nobody Talks About
  The depressing normalisation of stalkerware. Marketed as parental monitoring, these tools repeatedly surface in breaches exposing their use in coercive control and domestic abuse, not legitimate oversight.
• Outro
  Final verdict: the core story appears accurate, but framing matters. This was endpoint compromise, not encryption failure. And the industry should stop euphemising commercial spyware designed for abuse.

Links

• https://www.expressvpn.com/blog/
• https://techcrunch.com/
• https://cybernews.com/
• https://www.scmagazine.com/
• https://www.bitdefender.com/
• https://www.securitymagazine.com/
• https://www.wired.com/
• https://vpnmentor.com/

Noel Bradford delivers a direct examination of YellowKey, the reported BitLocker bypass that exploits the Windows Recovery Environment on TPM-only configurations.

This episode strips away vendor comfort narratives and green-tick dashboards to focus on what default encryption settings actually protect against when a laptop is stolen or accessed physically.

He explains how YellowKey targets trusted recovery paths rather than breaking encryption mathematics, why TPM-only BitLocker represents a convenience trade-off rather than maximum assurance, and how businesses confuse enabled controls with proven protection.

The episode provides practical guidance on identifying high-risk devices, reviewing BitLocker protectors, implementing TPM plus PIN where appropriate, locking firmware settings, restricting USB storage, and properly escrowing recovery keys.

The episode argues that physical access remains a normal business risk through stolen laptops, lost devices, and compromised bags, not merely a theoretical attack scenario.

The episode challenges boards and decision-makers to move beyond checkbox assurance and ask what their laptop security actually proves under adversarial conditions.

They said the fine was £828,000 in some headlines — the ICO said £963,900. Numbers matter, but the real scandal is deeper than a headline figure: this is about trust, monopoly, and a regulator that finally acted. In this episode the Small Business Cybersecurity Guide tells the story of how a single phishing email in September 2020 became a twenty‑month lodger inside a utility network, and how a monopoly provider of an essential service left hundreds of thousands of people exposed.

It starts small: a malicious attachment, a foothold, then complacency. For almost two years the attacker lived in the estate, quiet and unseen, until May 2022 when they began a methodical campaign of lateral movement and privilege escalation. By July they held domain administrator access — the keys to the kingdom. They weren’t stealthy ninjas; they were guests who moved in, opened the cupboards, and helped themselves.

Detection? Not artisanal monitoring or heroic threat hunting. It was system performance degradation — the IT equivalent of noticing the house is on fire because the TV has melted. The compromise produced a failed ransom demand and, eventually, a dump of more than four terabytes of stolen data on the dark web: names, addresses, emails, dates of birth, phone numbers, account details, bank sort codes, service credentials and even information that could infer disability status for priority customers. 633,887 UK people were affected.

The ICO’s findings are the part that should make every director and IT lead sit up. This wasn’t a story of exotic attack techniques — it was a catalogue of basic control failures: outdated software (Windows Server 2003 in a live environment), inadequate logging and monitoring, weak vulnerability management, no meaningful scans for long periods, and a third‑party SOC only watching 5% of the estate. That is not coverage; it’s a comfort blanket.

Hear the frustration and the anger: when customers can’t vote with their feet, protecting their data isn’t optional. This episode pushes past corporate press releases and settlements to ask what really matters — the people. What does this exposure mean for vulnerable customers, staff, and anyone who trusted a critical service provider to keep their information safe?

Then the episode turns outward with hard lessons every organisation must learn. Know your estate — you cannot protect what you cannot see. Retire legacy systems properly. Enforce least privilege so domain admin access is exceptional, not daily. Monitor the entire environment, not a token slice. Scan, patch, remediate. Test your incident response and your communications before chaos forces you to explain to frightened customers what happened to their data.

Above all, this is a governance failure. Cybersecurity isn’t just an IT problem or a checkbox for audit season — it’s board‑level risk management. The board must own the risk, demand evidence, and stop hiding behind vendor portals and PDFs that mean nothing in a crisis. The episode pulls no punches: if you haven’t modelled the cost of a breach, you’ve found the root problem.

The ICO finally acted — good. But the real question the episode leaves listeners with is uncomfortable and direct: if the regulator walked into your business tomorrow, what could you actually prove? This is a wake‑up call to utilities, regulated sectors and every UK business. Basic controls, evidence, and leadership matter. If you wait for criminals, regulators or journalists to force the issue, you’ll have bought a public kicking on credit.

Listen as the Small Business Cybersecurity Guide blends forensic detail, sharp critique and practical advice to turn a headline into a blueprint: how to stop being the next story. — Noel Bradford

It’s that time of the month: Patch Tuesday. The headlines shout 137 CVEs and a perfect 10.0 somewhere in the noise, but this episode narrows the story down from global panic to what actually matters for a small business with a server room, a handful of laptops, and a CEO who needs to log in on Monday morning.

I’m Graham Falkner and in this edition of the Small Business Cyber Security Guy I walk you into the trenches of May 2026’s update cycle — the numbers, the new role AI is playing in vulnerability hunting, and the four bugs you can’t ignore. I tell the story of how an unpatched domain controller can become the pivot point for a full-blown takeover (think Zero Logon’s ghost), why every Windows endpoint’s DNS client suddenly matters again, and how an Atlassian single sign‑on plugin could let an attacker impersonate any user. These aren’t abstract CVEs on a spreadsheet; they’re concrete threats with reachable fixes.

You’ll hear exactly what to do, in the order to do it: find and patch on‑prem domain controllers in the next 48 hours (NetLogon — CVE‑2026‑41089, KBs by Windows Server version), push a small test ring for endpoint updates and watch for BitLocker recovery prompts (CVE‑2026‑41096), and treat on‑prem Dynamics 365 and Atlassian SSO as high‑priority if you run them locally. I give the KB numbers, realistic time estimates — an hour per domain controller — and a no‑hype deployment schedule that keeps your business running while you secure it.

The narrative also walks through an operational snag that will catch teams off guard: some devices may prompt for a BitLocker recovery key after reboot. I explain the three pre‑deployment checks to prevent a CEO‑level outage (adjust a TPM group policy, verify where recovery keys live, and reapply baselines later), and why you should demand a plan from your MSP before they push updates.

Along the way I bust headlines that distract — the CVE‑2026‑42826 “Perfect 10” in Azure DevOps is already mitigated by Microsoft, so there’s no customer action — and remind you that other vendors patched too: Adobe, SAP, AMD, Apple. Patch week is not a one‑vendor event.

By the end of the episode you’ll have a simple, prioritized checklist you can act on this week: identify DCs and patch them now, test endpoints tomorrow, roll out by week’s end, and verify Atlassian plugins separately. This is a story about practical choices under pressure — stop chasing every headline and start fixing what can actually hurt your business.

It starts with a tempting spreadsheet: 25 staff, a cheaper IT quote that shaves £35 per user off the bill — £10,500 a year saved, instantly seductive. Noel Bradford and Mauven McLeod open this episode by turning that neat number upside down and asking the one question every business owner should be able to answer: what exactly has been removed from the service to make that price possible?

They walk you through a story many business owners will recognise — a colourful LinkedIn pitch that sells confidence and hides compromises. The cheap provider isn’t performing miracles; they’re quietly cutting controls: enforced MFA, disciplined patching, active monitoring, behaviour-based endpoint defence, security training, incident response and documented processes. Those missing pieces turn an attractive short-term saving into a long-term gamble.

Noel and Mauven do the arithmetic and show you the cold UK data: the DCIT survey found 43% of UK businesses suffered an incident in 2024, phishing hit 85% and even a 1% ransomware prevalence still means roughly 19,000 organisations were devastated. The average materially costly breach ran to about £8,260 in 2025 — already eclipsing that supposed annual IT saving — and real-world downtime, lost orders and reputational damage can push costs far higher.

They then lift the curtain on what a security-first MSP actually spends on the plumbing: remote monitoring, EDR, DNS filtering, email protection, application control, backups, SOC monitoring, documentation and professional tooling. Strip it down honestly and the true cost lands well above fantasy bargains — industry reality makes anything under roughly £50 per user per month alarming, and in London nearer £75.

Cyber insurance isn’t a free pass. Uptake has risen, but so have denials: missing MFA, poor patch evidence, misrepresented controls and late reporting regularly void claims. Insurers now demand proof — logs, timestamps and documented processes — and bargain providers rarely collect or produce that evidence. The result: a denied claim when you most need a payout.

Ransomware is the horror story that pulls everything together. Usually seeded through phishing and unpatched systems, ransom incidents produce recovery costs that dwarf the payment demand. Noel and Mova explain why the ransom is only the opening act — downtime, forensics, legal costs, client fallout and reconstruction push many small firms to the brink.

Regulators make the stakes worse. ICO fines and tougher technical expectations mean that skimping on controls isn’t just reckless, it can be an aggravating factor in enforcement. The cheapest IT quote won’t be an excuse in front of a regulator or in the aftermath of a client data breach.

The episode ends with practical, plain-English advice: seven questions every business should ask their provider about certification, enforced MFA, patching, EDR, proactive monitoring, incident response and insurance compliance. The message is simple — don’t buy the smallest number on a spreadsheet without understanding what you’ve agreed to carry. Spend wisely, not blindly.

How a Broken DNSSEC Signature Knocked Out .de Sites

One bad signature. Millions of websites. Gone.

On 5 May 2026, Germany's .de domain vanished from the internet for three hours. Amazon.de, Deutsche Bahn, Spiegel, DHL, major banks: all unreachable. Not hacked. Not ransomwared. One broken cryptographic record from the registry that manages 17.9 million domains.

The servers were perfectly healthy. Nobody could find them.

Corrine Jefferson and Graham Falkner break down what went wrong, why your business has the exact same invisible dependency, and what to do about it.

Read the full analysis: How a Broken DNSSEC Signature Knocked Out .de Sites

Hot Take: Google Chrome, Gemini Nano, and the 4 GB Consent Problem

Show Notes

Google Chrome has been quietly downloading a roughly 4 GB AI model called Gemini Nano onto user devices in the background. No clear consent prompt. No notification. Just a file called weights.bin turning up in a folder called OptGuideOnDeviceModel like it pays the mortgage.

In this Hot Take, Noel breaks down why this is not an "AI is evil" story. It is a consent story. A governance story. And a vendor entitlement story that every UK small business needs to take seriously.

What Noel Covers

• Why a 4 GB background download is not a minor browser update
• What Google's own developer documentation confirms about model lifecycle management, background downloads, and full model updates
• Why "it was in the documentation" is not consent
• The governance mess this creates for managed business devices
• PECR and the ICO's guidance on storage and access technologies
• The environmental cost at Chrome scale (67.97% worldwide browser share)
• Why AI Mode in Chrome and on-device Gemini Nano are not the same thing, and why the confusion matters
• The embarrassingly simple fix Google has not implemented
• What UK small businesses should actually do about it right now

Key Quote

"We have somehow built frontier AI and still can't manage the radical engineering challenge of a bloody consent prompt."

Read the Full Analysis

The full article includes the complete source documentation, PECR regulatory detail, competitive advantage strategies, board-level talking points, and a step-by-step action list for UK small businesses.

Read the full article on the blog

Sources Referenced

All 14 primary sources, including Google's own developer documentation, ICO PECR guidance, and StatCounter market share data, are cited in the full blog post.

Full source table in the article