Cybersecurity, in plain English.
News, trends, and practical guidance for small and mid-size businesses running on Microsoft 365 and Azure — written so you don’t need a security background to follow them.
- 3 min read
Microsoft 365 prices went up on July 1: what your business gets for it
Microsoft 365 Business plans cost more as of July 1, 2026. What changed, the link protection you now get, and the one setting to check at renewal.
Microsoft 365Small businessRead - 3 min read
No Password Required: The Kali365 Phishing Kit Hijacking Microsoft 365 Accounts
The FBI is warning about Kali365, a subscription phishing kit that steals Microsoft 365 access without ever touching your password — and walks right past MFA. Here's how the trick works and the one setting that blocks it.
Microsoft 365Email securityIdentityRead - 3 min read
Ransomware Is Now a Small-Business Problem: 5 Numbers From Verizon's 2026 Breach Report
Verizon's 2026 breach report found ransomware in 88% of small-business breaches — and unpatched software is now the #1 way attackers get in. Here are the numbers and five moves that change your odds.
RansomwareSmall businessTrendsRead - 3 min read
The 'Accept' button that hands over your mailbox: consent phishing, explained
A new wave of attacks skips passwords entirely: victims approve an innocent-looking app permission screen and hand criminals long-lived access to their Microsoft 365 mailbox and files. One setting shuts most of it down.
Microsoft 365IdentitySocial engineeringRead - 2 min read
That party invite asking for your password? The FTC says it's a scam
The FTC is warning about fake Evite and Paperless Post invitations that lead to counterfeit Google and Microsoft sign-in pages. Here's why a 'personal' scam is a business problem — and the one rule to share with your team.
Email securitySocial engineeringSmall businessRead - 3 min read
Infostealers: the 30-second malware behind many of today's break-ins
Infostealer malware copies every password and login session off a computer in seconds, then sells them — often within 48 hours. Here's how it works and the five defenses that actually counter it.
IdentityRansomwareTrendsRead - 3 min read
"We have Microsoft 365, so we're covered" — and 4 settings that prove otherwise
Microsoft 365 is secure-capable, not secure-by-default. Out of the box, several settings are left wide open — and attackers know exactly which ones. Here are four to check this week.
Microsoft 365Small businessGetting startedRead - 3 min read
Why attackers love small businesses (it's not the size of the payout)
Small businesses often assume they're too small to be a target. In 2026, the opposite is true — and the reason has nothing to do with how much money you have.
TrendsSmall businessRansomwareRead - 4 min read
Multi-factor authentication, explained — and why turning it on is not the finish line
MFA stops most stolen-password attacks cold. But 'turned on' and 'properly configured' are not the same thing, and the gap between them is where accounts still get compromised.
IdentityGetting startedRead - 4 min read
Business email compromise: how one fake email reroutes a real payment
Business email compromise doesn't need malware or movie-style hacking. It just needs a believable email at the right moment — and it's targeting small businesses more than any other size.
Email securitySmall businessRead - 4 min read
How to spot a phishing email in 2026 — a five-point gut check for your whole team
Phishing emails used to be easy to spot. In 2026, they are not. Here is a short, teachable checklist any employee can use before they click.
Email securityGetting startedRead - 4 min read
Everything you were taught about passwords is changing — here's what matters now
Forced 90-day resets and complexity rules felt rigorous. Modern guidance says they actually make things worse. Here is what security experts recommend instead.
IdentitySmall businessRead - 4 min read
Ransomware, explained for business owners — and the one habit that beats it
Ransomware locks your files and demands payment to get them back. It sounds like a big-company problem. It is not — and one unglamorous habit changes the outcome entirely.
RansomwareSmall businessRead - 4 min read
What 'the cloud' actually is — Microsoft 365 vs Azure, in plain English
Everyone says their business is 'in the cloud.' Fewer people can explain what that means — or why it changes who is responsible for keeping things secure.
CloudGetting startedRead - 3 min read
Your vendors can get you breached — third-party risk for small teams
The apps you connect, the IT provider you trust, the contractor with a shared password — any of them can become the door an attacker walks through into your systems.
TrendsSmall businessRead - 4 min read
Cyber insurance is asking harder questions — here's how to actually qualify
Insurers now require real controls before they'll cover a cyber incident — and they can deny claims if you misrepresented your setup. Here's what they're actually asking, in plain terms.
ComplianceSmall businessRead - 3 min read
When someone leaves: the 20-minute routine that prevents a breach
Disabling a laptop isn't enough when everything is in the cloud. Here's the complete access cleanup you should run every time someone leaves — whether it was their idea or yours.
IdentitySmall businessRead - 3 min read
Do small businesses really need to care about compliance? A plain-English guide
HIPAA, CIS, SOC 2 — the compliance alphabet can feel overwhelming. Here's when a small business actually needs to pay attention, and the reassuring truth about what most of it actually requires.
ComplianceGetting startedRead - 4 min read
Stop scammers from emailing as your company — SPF, DKIM, and DMARC without the jargon
By default, anyone can send an email that looks like it came from your domain. Three DNS records — SPF, DKIM, and DMARC — fix that. Here is what they do and why they matter for your business.
Email securityMicrosoft 365Read - 3 min read
Shadow IT: the apps your team signed up for that you don't know about
Shadow IT is the software and accounts your employees adopt without telling anyone. Here is why it matters and four practical steps to get a handle on it without blaming your team.
Small businessMicrosoft 365Read - 4 min read
The first hour of a suspected breach: a simple plan for a team with no IT department
If you suspect an account is compromised or a scam succeeded, the first hour matters. Here is a calm, step-by-step plan to prepare before you need it.
Small businessGetting startedRead - 4 min read
AI just made scams more convincing — here is what is new and how to defend
Attackers now use AI to write flawless phishing emails, clone voices on the phone, and build fake websites that look real. The defenses are mostly old-fashioned and they still work.
TrendsEmail securityRead - 3 min read
Security isn't 'set it and forget it' — and what 'drift' means for your business
Even a business that set up Microsoft 365 carefully will slowly slip out of shape. New employees, new apps, a quick fix that never got reverted — this gradual slide has a name, and it matters.
Small businessMicrosoft 365Read - 4 min read
Securing remote and hybrid work when you don't have an IT team
People working from home, cafes, and personal devices create real security gaps — but you don't need a dedicated IT person to close them. Here's what actually matters.
Remote workSmall businessRead - 4 min read
Working with clients and contractors safely — guest access and external sharing in Microsoft 365
Microsoft 365 makes it easy to invite outsiders into Teams and share files externally. That's useful. But left on default settings, it can also leave your data wider open than you realise.
Microsoft 365Remote workRead - 4 min read
Backups that actually save you — the 3-2-1 rule in plain English
Backups are the last line of defence against ransomware, accidental deletion, and a lost laptop. But a backup you have never tested is not really a backup. Here is what actually works.
RansomwareGetting startedRead - 3 min read
Social engineering: why attackers go after your people, not your firewall
Most break-ins don't start with clever code. They start with a convincing message that gets a real person to open the door. That is social engineering, and understanding it is half the defense.
Social engineeringSmall businessRead - 4 min read
Pretexting: the made-up story behind most successful scams
Before an attacker asks for anything, they set a scene — a believable reason for the request. That setup is called pretexting, and it is what turns a random ask into one your team acts on.
Social engineeringSmall businessRead - 4 min read
Vishing: the phone call that talks your team into a mistake
Phishing moved to the phone. A calm, confident voice claiming to be your bank or your IT provider can get past defenses that an email never would. Here is how voice scams work and how to shut them down.
Social engineeringSmall businessRead - 3 min read
Smishing: the scam hiding in a text message
We trust our text messages more than our inboxes, and attackers have noticed. Smishing is phishing by SMS — short, urgent, and surprisingly effective. Here is how to recognize it.
Social engineeringSmall businessRead - 3 min read
The fake-boss gift card scam, and why smart people fall for it
An urgent message from the boss asking an employee to quietly buy gift cards is one of the most common scams aimed at small teams. Here is the exact playbook and how to stop it cold.
Social engineeringSmall businessRead - 3 min read
MFA fatigue: when approving the prompt is the mistake
Multi-factor authentication is one of your best defenses, but attackers found a way around it: ask for approval over and over until someone taps yes. Here is how MFA fatigue works and how to beat it.
IdentitySocial engineeringRead - 4 min read
Quishing: the QR code scam hiding in plain sight
QR codes are everywhere now, and we scan them without a second thought. Attackers turned that habit into an attack — sometimes with nothing more than a sticker. Here is how QR code scams work.
Social engineeringTrendsRead - 3 min read
Fake tech support: the popup and the phone call that want into your computer
A scary popup says your computer is infected and to call a number. A caller says they're from Microsoft. Both want the same thing: remote access. Here is how tech-support scams work and how to refuse them.
Social engineeringSmall businessRead - 3 min read
Holding the door: physical social engineering and the friendly stranger
Not every attack happens online. Sometimes someone just walks in behind an employee carrying coffee. Physical social engineering is real, low-tech, and surprisingly easy to overlook.
Social engineeringSmall businessRead - 3 min read
The dropped USB stick: why curiosity is an attack vector
Leave a few USB sticks in a parking lot and a surprising number get plugged into work computers. Baiting attacks weaponize curiosity and good intentions. Here is how they work and the simple rule that stops them.
Social engineeringGetting startedRead - 4 min read
Spear phishing and whaling: when the attacker did their homework
Most phishing is a wide net. Spear phishing is a targeted spear — a message written just for you, using real details, often aimed at the boss. Here is why it is so much harder to catch.
Email securitySocial engineeringRead - 3 min read
What your LinkedIn tells an attacker before they ever contact you
Attackers do research, and most of what they need is public. Your website, your team's LinkedIn, and your social posts can quietly hand over the org chart, the tools you use, and the perfect cover story.
Social engineeringTrendsRead - 3 min read
Insider risk: the threat that already has a key
Not every risk comes from outside. Sometimes it is a careless click, a disgruntled employee, or an account that kept access it should have lost. Insider risk is uncomfortable to think about, and worth thinking about.
IdentitySmall businessRead - 3 min read
How one stolen password becomes ten break-ins
Attackers don't always guess passwords. They reuse ones already leaked in other companies' breaches, trying them everywhere automatically. It is called credential stuffing, and password reuse is what makes it work.
IdentitySmall businessRead - 3 min read
Why even MFA isn't bulletproof: the session-theft trick explained
Multi-factor authentication blocks most attacks, but a newer technique gets around it by stealing your logged-in session instead of your password. Here is how it works and why MFA still matters.
IdentityTrendsRead - 3 min read
The one-character trick: lookalike domains and how they fool people
An attacker registers a web address one character off from a real one — and suddenly emails and login pages look completely legitimate. Lookalike domains are cheap, simple, and effective. Here is how to spot them.
Email securitySocial engineeringRead - 3 min read
Fake updates and bad downloads: when 'install now' is the trap
We're told to keep our software updated, so a popup urging us to update feels responsible to click. Attackers turned that good habit against us. Here is how fake-update and malicious-download attacks work.
Social engineeringGetting startedRead - 4 min read
Anatomy of a breach: how attackers actually move, step by step
A real breach is rarely one dramatic moment. It is a chain of small steps, each one ordinary. Seeing the whole sequence shows you where it can be broken — and how breaking one link stops the rest.
Small businessGetting startedRead - 4 min read
Building a human firewall: training a small team without boring them
Your team is either your weakest link or your best sensor, and the difference is a little training done well. Here is how to build real security awareness in a small business without a corporate program or a dull annual video.
Small businessGetting startedRead - 4 min read
Account takeover: what it looks like and how to take it back
When an attacker gets into an email or Microsoft 365 account, they try to stay quiet and dig in. Here are the signs of a hijacked account and the exact steps to lock them out and clean up.
IdentitySmall businessRead
See your own risk
Reading about it is one thing. Seeing your own gaps is another.
Start a 7-day Pro trial and get a plain-English security report for your Microsoft 365 and Azure — no credit card, set up in five minutes.