It’s that time of the month: Patch Tuesday. The headlines shout 137 CVEs and a perfect 10.0 somewhere in the noise, but this episode narrows the story down from global panic to what actually matters for a small business with a server room, a handful of laptops, and a CEO who needs to log in on Monday morning.

I’m Graham Falkner and in this edition of the Small Business Cyber Security Guy I walk you into the trenches of May 2026’s update cycle — the numbers, the new role AI is playing in vulnerability hunting, and the four bugs you can’t ignore. I tell the story of how an unpatched domain controller can become the pivot point for a full-blown takeover (think Zero Logon’s ghost), why every Windows endpoint’s DNS client suddenly matters again, and how an Atlassian single sign‑on plugin could let an attacker impersonate any user. These aren’t abstract CVEs on a spreadsheet; they’re concrete threats with reachable fixes.

You’ll hear exactly what to do, in the order to do it: find and patch on‑prem domain controllers in the next 48 hours (NetLogon — CVE‑2026‑41089, KBs by Windows Server version), push a small test ring for endpoint updates and watch for BitLocker recovery prompts (CVE‑2026‑41096), and treat on‑prem Dynamics 365 and Atlassian SSO as high‑priority if you run them locally. I give the KB numbers, realistic time estimates — an hour per domain controller — and a no‑hype deployment schedule that keeps your business running while you secure it.

The narrative also walks through an operational snag that will catch teams off guard: some devices may prompt for a BitLocker recovery key after reboot. I explain the three pre‑deployment checks to prevent a CEO‑level outage (adjust a TPM group policy, verify where recovery keys live, and reapply baselines later), and why you should demand a plan from your MSP before they push updates.

Along the way I bust headlines that distract — the CVE‑2026‑42826 “Perfect 10” in Azure DevOps is already mitigated by Microsoft, so there’s no customer action — and remind you that other vendors patched too: Adobe, SAP, AMD, Apple. Patch week is not a one‑vendor event.

By the end of the episode you’ll have a simple, prioritized checklist you can act on this week: identify DCs and patch them now, test endpoints tomorrow, roll out by week’s end, and verify Atlassian plugins separately. This is a story about practical choices under pressure — stop chasing every headline and start fixing what can actually hurt your business.

It starts with a tempting spreadsheet: 25 staff, a cheaper IT quote that shaves £35 per user off the bill — £10,500 a year saved, instantly seductive. Noel Bradford and Mauven McLeod open this episode by turning that neat number upside down and asking the one question every business owner should be able to answer: what exactly has been removed from the service to make that price possible?

They walk you through a story many business owners will recognise — a colourful LinkedIn pitch that sells confidence and hides compromises. The cheap provider isn’t performing miracles; they’re quietly cutting controls: enforced MFA, disciplined patching, active monitoring, behaviour-based endpoint defence, security training, incident response and documented processes. Those missing pieces turn an attractive short-term saving into a long-term gamble.

Noel and Mauven do the arithmetic and show you the cold UK data: the DCIT survey found 43% of UK businesses suffered an incident in 2024, phishing hit 85% and even a 1% ransomware prevalence still means roughly 19,000 organisations were devastated. The average materially costly breach ran to about £8,260 in 2025 — already eclipsing that supposed annual IT saving — and real-world downtime, lost orders and reputational damage can push costs far higher.

They then lift the curtain on what a security-first MSP actually spends on the plumbing: remote monitoring, EDR, DNS filtering, email protection, application control, backups, SOC monitoring, documentation and professional tooling. Strip it down honestly and the true cost lands well above fantasy bargains — industry reality makes anything under roughly £50 per user per month alarming, and in London nearer £75.

Cyber insurance isn’t a free pass. Uptake has risen, but so have denials: missing MFA, poor patch evidence, misrepresented controls and late reporting regularly void claims. Insurers now demand proof — logs, timestamps and documented processes — and bargain providers rarely collect or produce that evidence. The result: a denied claim when you most need a payout.

Ransomware is the horror story that pulls everything together. Usually seeded through phishing and unpatched systems, ransom incidents produce recovery costs that dwarf the payment demand. Noel and Mova explain why the ransom is only the opening act — downtime, forensics, legal costs, client fallout and reconstruction push many small firms to the brink.

Regulators make the stakes worse. ICO fines and tougher technical expectations mean that skimping on controls isn’t just reckless, it can be an aggravating factor in enforcement. The cheapest IT quote won’t be an excuse in front of a regulator or in the aftermath of a client data breach.

The episode ends with practical, plain-English advice: seven questions every business should ask their provider about certification, enforced MFA, patching, EDR, proactive monitoring, incident response and insurance compliance. The message is simple — don’t buy the smallest number on a spreadsheet without understanding what you’ve agreed to carry. Spend wisely, not blindly.

One bad signature. Millions of websites. Gone.

On 5 May 2026, Germany's .de domain vanished from the internet for three hours. Amazon.de, Deutsche Bahn, Spiegel, DHL, major banks: all unreachable. Not hacked. Not ransomwared. One broken cryptographic record from the registry that manages 17.9 million domains.

The servers were perfectly healthy. Nobody could find them.

Corrine Jefferson and Graham Falkner break down what went wrong, why your business has the exact same invisible dependency, and what to do about it.

Read the full analysis: How a Broken DNSSEC Signature Knocked Out .de Sites

Google Chrome has been quietly downloading a roughly 4 GB AI model called Gemini Nano onto user devices in the background. No clear consent prompt. No notification. Just a file called weights.bin turning up in a folder called OptGuideOnDeviceModel like it pays the mortgage.

In this Hot Take, Noel breaks down why this is not an "AI is evil" story. It is a consent story. A governance story. And a vendor entitlement story that every UK small business needs to take seriously.

• Why a 4 GB background download is not a minor browser update
• What Google's own developer documentation confirms about model lifecycle management, background downloads, and full model updates
• Why "it was in the documentation" is not consent
• The governance mess this creates for managed business devices
• PECR and the ICO's guidance on storage and access technologies
• The environmental cost at Chrome scale (67.97% worldwide browser share)
• Why AI Mode in Chrome and on-device Gemini Nano are not the same thing, and why the confusion matters
• The embarrassingly simple fix Google has not implemented
• What UK small businesses should actually do about it right now

"We have somehow built frontier AI and still can't manage the radical engineering challenge of a bloody consent prompt."

The full article includes the complete source documentation, PECR regulatory detail, competitive advantage strategies, board-level talking points, and a step-by-step action list for UK small businesses.

Read the full article on the blog

All 14 primary sources, including Google's own developer documentation, ICO PECR guidance, and StatCounter market share data, are cited in the full blog post.

Full source table in the article

Imagine watching the house next door burn and nodding sympathetically about smoke alarms — then never changing the battery in your own. That image opens our episode as Noel Bradford sits with Mauven MacLeod, Lucy Harper and Graham Falkner to unpack the UK Cybersecurity Breaches Survey 2025–26. This isn’t clickbait panic; it’s a weather report built from 2,112 businesses and 1,085 charities. The headline is simple and ugly: awareness rose after a year of big breaches on the news, but the boring, decisive basics slipped backwards.

The numbers feel like a betrayal: risk assessments fell from 48% to 41%, formal cybersecurity policies from 59% to 52%, and business continuity plans covering cyber plunged from 53% to 44% — nine points lost in a year. Those figures land harder when you remember that 43% of businesses still reported a breach or attack in the last 12 months. This is not rare misfortune; it’s roughly 612,000 organisations experiencing harm, often more than once — the median victim suffered three crimes in a year.

What explains the gap between knowing and doing? The episode frames it as a human story of overload, inertia and the tilt of daily fires over preventative work. Small-business owners juggle payroll, inventory and phone calls; cyber becomes a preventative chore that slides down the to-do list until a miserable Tuesday forces theatre rather than true repair. Awareness rose because the news was loud; conversion into diaries, policies and tested routines didn’t.

Phishing is still the thief in the night: 69% of the most disruptive incidents, and for 51% of breached businesses phishing alone was the culprit. The old advice — spot the typos, spot the scam — is breaking down as AI writes believable bait. The human being is no longer the reliable last line. So the fight shifts to identity: two-factor authentication and other account protections stop one mistake becoming total catastrophe. Progress exists — MFA adoption climbed from 40% to 47% — but more than half of firms remain exposed.

The survey throws up other startling blindspots: 22% of the most senior people responsible for cyber didn’t know if their organisation had cyber insurance; only 15% formally review immediate suppliers and a tiny 6% review the wider supply chain; 31% of businesses are using or considering AI but only 24% of those have any controls in place. These are not theoretical gaps — they are the plumbing and the paperwork that determine whether a single clicked link turns into a multi-week catastrophe.

We refuse to finish on gloom. The episode turns evidence into a razor-sharp, do-able checklist you can act on this week. Five prioritised moves: turn on MFA everywhere that matters; get your cyber insurance confirmed in writing and save the policy where two people can find it; write a one-page breach list with names and first actions; institute three simple AI rules (don’t paste customer data into public tools, don’t feed contracts or financials into unknown models, and always human-check AI outputs before sending); and review the three suppliers who can touch your systems or customer data.

There’s also practical advice on when to DIY and when to pay. If you’re tiny and organised, you can implement the basics yourself. If your Microsoft tenancy, sensitive customer data, or backups are beyond your comfort, pay for competence — spend where mistakes are expensive. The point of each suggestion is the same: decisions, dated and tested, beat good intentions left on the sofa.

By the episode’s close Noel, Mauven, Lucy and Graham press the same ask: turn concern into calendar time. Pick one thing this week — MFA, insurance confirmation, a breach list, supplier questions or simple AI rules — and do it. These are small, affordable, and powerful first steps. The survey’s verdict is harsh but useful: the fixes are often obvious. The hard part is choosing to stop drifting.

Listen for the stories, the statistics and the practical push to act. If this episode rattles you, let it. Drift kills small firms. One decision, one scheduled action, can change the story from a miserable Tuesday to a business that survives the next headline.

When a government minister stood on a podium in Glasgow and said, “the cyber front line is already here,” it did not sound like a warning. It sounded like a cold, unavoidable truth.

In this episode, Noel Bradford is joined by Maurven and Graham, who attended Cyber UK 2026, to unpack what was said, what was left unsaid, and what it means for the small businesses quietly sitting inside UK supply chains.

The scale of the threat is no longer theoretical. Nationally significant cyber incidents are rising sharply. A single breach at Jaguar Land Rover reportedly cost nearly £2 billion across its supplier network. Nation state actors and ruthless criminal gangs are attacking faster, harder, and with greater precision. The old excuse of “we are too small to be targeted” is now dangerously out of date.

Noel, Maurven, and Graham break down the numbers, the reaction in the Glasgow conference hall, and the blunt reality behind the headlines. Government pledges may change the landscape, but they will not protect your business unless you act.

The episode also examines the government’s voluntary Cyber Resilience Pledge and why it matters. The most important part may be the supply chain effect. Large organisations that sign the pledge could start expecting their suppliers to hold Cyber Essentials certification. That may make Cyber Essentials a practical requirement for winning and keeping business, even if it is not yet written into law.

The team also explains why the £90 million funding commitment matters, but why small firms should not expect a sudden cash windfall. The immediate pressure will come from reputation, procurement, and customer expectations, not regulation.

There is also a reality check on AI. Powerful new models can now find deep, old vulnerabilities in hours. That gives attackers more speed and scale. But for most small businesses, the answer is not a six figure AI security platform. It is getting the basics right, faster.

Patch properly. Check whether your IT provider is ready for machine speed attacks. Start Cyber Essentials. Review AI use inside your business. Sign up to NCSC Early Warning.

By the end of the episode, you will have five practical, low cost actions you can take this week to move from passive hope to active defence.

If your business relies on larger customers, this episode gives you the timeline, the threat picture, and the checklist you need before the next procurement email lands.

Every office has that moment: the site won’t load, someone whispers “DNS,” and immediately half the room turns into a jury with opinions but no evidence. In this episode of Small Business Cybersecurity Guy, Noel Bradford, Mauven MacLeod, Lucy Harper and Graham Falkner turn that reflexive blame into a story—part detective work, part practical guide—about why DNS so often gets accused, what really breaks, and how to stop losing hours to assumptions.

167 vulnerabilities. Two zero-days. One already used in live attacks. Graham Falkner breaks down April's Patch Tuesday and what your business needs to do today — in under 10 minutes.

For full show notes etc: see https://thesmallbusinesscybersecurityguy.co.uk/blog/patch-tuesday-april-2026-sharepoint-zero-day-uk-smb/