The Small Business Cyber Security Guy

⭐100K Monthly Downloads
⭐Top 25 Apple Management
🎧>2.5K per episode

Welcome to the blog and podcast, where we share brutally honest views, sharp opinions, and lived experience from four decades in the technology trenches. Whether you're here to read or tune in, expect no corporate fluff and no pulled punches.

Everything here is personal. These are my and the team’s thoughts, not those of our employers, clients, or any poor soul professionally tied to me. If you’re offended, take it up with me, not them.

What you’ll get here (and on the podcast):

  • Straight-talking advice for small businesses that want to stay secure

  • Honest takes on cybersecurity trends, IT malpractice, and vendor nonsense

  • The occasional rant — and yes, the occasional expletive

  • War stories from the frontlines (names changed to protect the spectacularly guilty)

I've been doing this for over 40 years. I’ve seen genius, idiocy, and everything in between. Some of it makes headlines, and most of it should.

This blog and the podcast are where we unpack it all. Pull up a chair.

Industry Analysis Noel Bradford

When Your Biggest Customer Gets Hacked: The £1.9 Billion Lesson No One’s Talking About

Financial Accountant magazine just published my analysis of the £1.9 billion Jaguar Land Rover cyberattack. But here’s what the article couldn’t cover: the small suppliers who died from JLR’s breach. You didn’t get hacked. Your biggest customer did. You still lost everything.

One supplier laid off 40 people because JLR couldn’t place orders for six weeks. Proper security. Good practices. Still went bust. After 40 years in the IT world (Intel, Disney, and the BBC), I’ve seen this pattern before. Enterprise companies have bailouts and cash reserves.

Small suppliers have three weeks of runway. Your cybersecurity doesn’t matter if your customer’s fails.

Patch Tuesday, Podcast, Hot Take Noel Bradford

November 2025 Patch Tuesday: A Perfect Storm of Critical Vulnerabilities Demands Immediate Action

Four zero-days. One perfect 10.0 severity score. Hundreds of thousands of sites already compromised.

Criminals are exploiting Exchange Servers, Magento shops, and Oracle ERP systems right now - whilst you're reading this. SAP's vulnerability was so bad they deleted the entire component rather than fix it. WordPress sites are falling to a plugin bug that shouldn't exist. And that's just November.

Your patching strategy just became a lot more urgent.

Graham Falkner breaks down what to patch first:

Podcast, UK Online Safety Act Mauven MacLeod

Ofcom's Secret VPN Surveillance: When Britain Embraced the Authoritarian Playbook

Ofcom admits it is monitoring VPN use across Britain with a secret AI tool and unnamed data sources. That should worry any small business that relies on encrypted links for daily work. The tool cannot tell a secure office connection from someone dodging age checks. Section 121 still sits in law, ready to force scanning of encrypted chats. Does that sound like a free internet to you? Document your use. Keep your controls tight. Ask your MP why this is acceptable. Do you want regulators watching your privacy tools without showing their maths? Will you push back today? Act now.

Technology Risk, Business Security Graham Falkner

Opinion: UK SMBs Are Funding AI's Energy Crisis and Nobody Asked Permission

Here's a question for your weekend: Did anyone ask if UK small businesses wanted to fund Microsoft's nuclear reactor restart?

Because that's what's happening. While Microsoft spends $1.6 billion restarting Three Mile Island, Google partners with Kairos Power for small modular reactors, and Amazon secures nuclear capacity across multiple projects, your cloud bills are climbing to pay for it.

Nobody took a vote. Nobody asked permission. Tech giants made a collective decision that AI is worth unlimited energy consumption, and UK SMBs are involuntary investors in that bet. Let's talk about that.

Industry Analysis, Business Security Mauven MacLeod

The Nottingham Agency That Spent £47,000 on Cloud Bills They Didn't Need

Twenty-three employees. Eighteen months. Forty-seven thousand pounds wasted on cloud infrastructure they didn't need, SaaS subscriptions nobody used, and auto-scaling rules designed by a consultant who'd never checked back. This isn't a horror story about a massive enterprise with unlimited budget.

This is CloudBridge Digital, a Nottingham digital agency that discovered they'd been hemorrhaging cash while Microsoft, AWS, and a parade of SaaS vendors quietly helped themselves to the company bank account.

Here's what went wrong, how they discovered it, and the six-month recovery plan that clawed back £32,000 of annual waste.

Business Security, Technology Risks Graham Falkner

7 Actions to Stop Your Cloud Bill Funding AI's Nuclear Ambitions

Microsoft's restarting Three Mile Island. Google's building small modular reactors. Amazon's buying nuclear capacity. And you're getting the bill. While tech giants scramble for gigawatts to power their AI fantasies, your cloud costs are climbing faster than a hyperactive squirrel on espresso.

AWS up 15%, Azure up 12%, SaaS tools adding "AI features" you didn't ask for at 20% premium. But here's what nobody's telling you: you don't need to accept this as inevitable. Seven specific actions you can take today to stop funding Silicon Valley's nuclear renaissance with your operating budget.


When the Panic Becomes Obvious

Three Mile Island. You remember it, right? The 1979 nuclear accident that terrified an entire generation and effectively killed nuclear power plant construction in America for 40 years?

Microsoft just spent $1.6 billion to restart Unit 1. Not for clean energy virtue signaling. Because they're bloody desperate.

Google committed to 500 megawatts of Small Modular Reactors. Amazon's all-in on multiple nuclear projects. Meta wants up to 4 gigawatts.

Billions in nuclear investment. Timeline: 2028 to 2035 delivery.

Meanwhile, AI's energy demands are immediate and accelerating. And you're paying for every watt through exploding cloud bills.

Technology Risks, Threat Intelligence Noel Bradford

When Two Swiss Scientists Decided Silicon Wasn't Good Enough

They're growing brain tissue in Swiss laboratories and using it to process information. Not simulations. Actual living human neurons, derived from skin cells, housed in specialized chambers, connected to electrodes, computing.

FinalSpark's Neuroplatform has 16 brain organoids containing roughly 160,000 neurons total. Each organoid interfaces with 8 electrodes sampling at 30 kHz. The system has operated continuously for four years, testing over 1,000 organoids, collecting 18 terabytes of data.

The peer-reviewed research is published. Nine universities have free access. You can watch neurons computing in real-time on their website.

This is happening right now. Not science fiction. Science fact.


No MFA? No Certification. The Cyber Essentials Rule That Changes Everything

The April 2026 Cyber Essentials update introduces a game-changing rule: multi-factor authentication is now mandatory. Not recommended. Not "nice to have." Mandatory. If your cloud service offers MFA (free or paid) and you're not using it, you automatically fail. No exceptions.

This single change will expose how many UK businesses have been skating by with terrible security. With potentially 30,000+ certified companies lacking proper MFA configuration, the fallout will be significant.

You've got six months to prepare. I can tell you this is overdue and absolutely necessary. Here's what you need to do now.

Threat Intelligence, Technology Risks Noel Bradford

The Frankenstein Computer That's Actually Real

There's a lab in Switzerland where they're building computers out of living human neurons. Sounds completely barking mad, right?

Here's the thing: these brain cells compute using one million times less energy than silicon. Meanwhile, training a single AI model now produces the carbon emissions of 500 cars over their entire lifetimes. Microsoft, Google, and Amazon just committed billions to restart nuclear power plants because they can't keep the lights on.

And your business? You're paying for every watt through exploding cloud bills. Listen to this week's episode. It's properly mental.

PodCast, Opinion & Analysis Noel Bradford

Weekend Reflection - Efficiency Theatre and the Tyranny of the Measurable

Why do smart people keep making the same catastrophic mistake? Cut security spending, congratulate themselves on efficiency, watch everything fall apart, spend vastly more recovering. It's not ignorance. It's psychology. Measurable costs are visible, politically defensible, easy to justify cutting. Invisible value is theoretical until it disappears. CFOs get promoted for cutting £50,000 from budgets. Nobody gets promoted for preventing breaches that don't happen. This asymmetry creates systematic bias toward destroying things that actually matter. Weekend reflection on why efficiency theatre keeps winning despite catastrophic costs.

PodCast, Case Studies Noel Bradford

UK Case Study - The Manchester Marketing Agency That Cut Training and Lost Everything

Manchester marketing agency, 28 staff, £2.4M revenue. CFO proposed cutting security training: "£12,000 annually for slides nobody watches." Board agreed. Six months later, junior account manager clicked phishing link in fake client brief. No training meant she didn't recognise warning signs. Credentials stolen, ransomware deployed, three weeks offline. Recovery costs: £190,000. ICO investigation: inadequate training documented.

They saved £12,000 and spent £190,000 learning what training actually prevented. This is a real case, with anonymized details, that taught me never to treat training as an optional expense. Names changed. Mistakes real. Costs actual.

PodCast, Practical Guides Noel Bradford

Practical Guide - Evaluating Security Cost Cuts Without Destroying Your Business

Stop cutting security costs based on gut feel and budget pressure. Start using actual frameworks that calculate downside risk. This practical guide walks you through evaluating any security spending decision: What's the notional function versus actual value? What's the cost of being wrong? What's the expected cost multiplied by probability? What invisible value disappears when you cut this? Includes checklists, decision trees, and real cost calculations for training, MFA, insurance, IT staff, and vendor relationships. Because the British Library's £7 million lesson shouldn't need to be learned individually by every UK business.

Threat Intelligence Mauven MacLeod

The British Library's £7 Million MFA Decision

The British Library decided not to implement MFA on administrator accounts. Their reasoning: "practicality, cost and impact on ongoing programmes." That decision cost them £7 million in recovery, 600GB of staff data dumped on the dark web, and over a year of service disruption. This is Mauven's Take on one of the clearest examples of the doorman fallacy in UK history. When cost-cutting decisions focus narrowly on immediate expense whilst ignoring catastrophic downside risk, you get exactly this result. And before you say "but we're not a major institution," remember: the attack vector works identically on your systems.

PodCast, Cyber Security for Small Businesses Noel Bradford

The Doorman Fallacy - Complete Framework for UK Businesses

I've watched businesses make the same catastrophic mistake for 40 years. They look at security costs through a narrow efficiency lens, define roles by their obvious function, cut them to save money, and completely miss the invisible value. Until it's gone. Then they spend 10 times more fixing what they broke. The doorman fallacy explains every stupid IT decision I've ever seen: training cuts that cost millions in breaches, MFA removal that gifts credentials to attackers, insurance cancellation that leaves businesses exposed, IT staff replacement that destroys institutional knowledge. Stop optimising for obvious functions. Start understanding actual value.

PodCast Noel Bradford

The Doorman Fallacy - Podcast Episode Launch

What's the most expensive cost-saving decision you can make? Firing your hotel doorman and replacing him with an automatic door. Saves you £35,000 a year in salary, costs you £200,000 in lost revenue because your hotel just became ordinary. This isn't about hotels. It's about every IT budget cut I've seen in the last 40 years. New episode drops today: The Doorman Fallacy, or How to Accidentally Destroy Your Business Whilst Congratulating Yourself on Efficiency Gains. Featuring examples that will make you uncomfortably aware of past decisions.

Infrastructure Security, PodCast, Hot Take Mauven MacLeod

When DNS Goes Down, Civilisation's Collapse Plays Out in Your Suburban Flat

All right folks, buckle in. Last Monday, the planet just got schooled yet again in why we've put all our digital eggs in one totally cracked basket. AWS US-EAST-1 region had a DNS hiccup and half the world's internet decided it was nap time. Snapchat, Venmo, even the app that tells you if your cat's used the loo, all snuffed out. Why does a digital sneeze in Virginia take out customer payments in Edinburgh? And here's the kicker: this is the third major outage in five years for the same bloody region. We need to wise up.

Podcast, Authentication Security, Industry Analysis Mauven MacLeod

Another UK SME Wastes £20k on 'Comprehensive CyberSec': Still Gets Breached

Security vendors are playing you for fools, and they're getting rich doing it. Every week I watch UK business owners waste £20,000 on "comprehensive cybersecurity platforms" when they needed £5,000 of basic IT security.

The industry deliberately muddies the difference between InfoSec, CyberSec, and IT Security because confused customers pay premium prices for inappropriate solutions. Meanwhile, 50% of small businesses were breached in 2025, proving that expensive confusion doesn't equal protection.

Time to understand what these terms actually mean, what they really cost, and which approach keeps your business alive instead of just enriching consultants.

Stop getting fleeced.

Podcast, Authentication Security Graham Falkner

InfoSec, CyberSec, IT Security: Vendors Are Selling You the Wrong One on Purpose

Security vendors are playing you for fools, and they're getting rich doing it. Every week I watch UK business owners waste £20,000 on "comprehensive cybersecurity platforms" when they needed £5,000 of basic IT security.

The industry deliberately muddies the difference between InfoSec, CyberSec, and IT Security because confused customers pay premium prices for inappropriate solutions. Meanwhile, 50% of small businesses were breached in 2025, proving that expensive confusion doesn't equal protection.

Time to understand what these terms actually mean, what they really cost, and which approach keeps your business alive instead of just enriching consultants.

Stop getting fleeced.


InfoSec vs CyberSec vs IT Security - Stop Wasting Money on the Wrong Protection

Every week I talk to UK business owners who've just spent £20,000 on "comprehensive cybersecurity platforms" when they needed £5,000 worth of basic IT security. Or they've paid consultants to develop "enterprise information security frameworks" for 15-person companies that can't keep Windows updated. The security industry profits from keeping you confused about InfoSec versus CyberSec versus IT Security. This week's episode cuts through the bollocks to explain what each term actually means, what they really cost, and which one will keep your business alive instead of just making consultants rich. Listen now.


⚠️ Full Disclaimer

This is my personal blog. The views, opinions, and content shared here are mine and mine alone. They do not reflect or represent the views, beliefs, or policies of:

  • My employer

  • Any current or past clients, suppliers, or partners

  • Any other organisation I’m affiliated with in any capacity

Nothing here should be taken as formal advice — legal, technical, financial, or otherwise. If you’re making decisions for your business, always seek professional advice tailored to your situation.

Where I mention products, services, or companies, that’s based purely on my own experience and opinions — I’m not being paid to promote anything. If that ever changes, I’ll make it clear.

In short: This is my personal space to share my personal views. No one else is responsible for what’s written here — so if you have a problem with something, take it up with me, not my employer.