What is cybersecurity guide
10 min read
What is cybersecurity?
Cybersecurity protects systems, networks and data from attack. A practical guide to what the discipline covers, common threats and where to start.
Machine identity security guide
9 min read
Machine identities: the attack surface your security team isn't managing
API keys, service accounts and TLS certificates now outnumber user accounts. Most organisations have no complete inventory.
Microsoft 365 Copilot implementation and security guide
9 min read
Microsoft 365 Copilot: how to implement it safely and what goes wrong when you don't
Copilot inherits your existing Microsoft 365 permissions — every file a user can access, the AI can surface. This guide covers the permissions audit, technical prerequisites, real-world vulnerabilities, and the adoption steps that determine whether the rollout succeeds.
EU AI regulation compliance and risk management
12 min read
EU AI Act: what your business needs to do before the August 2026 deadline
The EU AI Act's high-risk AI obligations apply from August 2026. This guide covers the four risk tiers, which AI uses are already banned, deployer obligations for high-risk AI, GPAI model rules, and the €35M fine structure.
Zero Trust architecture and identity-first security model
11 min read
Zero Trust architecture: the identity-first security model for remote and hybrid organisations
The corporate perimeter no longer defines your security boundary. Zero Trust replaces implicit network trust with verified identity and device compliance on every request. This guide explains the five pillars, where to start, and how it maps to NIS2 and ISO 27001.
Connected products and software security regulation
11 min read
Cyber Resilience Act: a compliance guide for manufacturers and distributors of connected products
The EU Cyber Resilience Act is in force. Vulnerability reporting to ENISA becomes mandatory in September 2026. Full compliance is required by December 2027. This guide covers who is in scope, the three product classes, SBOM requirements, and what to do now.
AI voice and video impersonation fraud in corporate settings
11 min read
Deepfakes and identity fraud: how AI voice and video manipulation is targeting businesses
AI voice cloning takes three seconds of audio. Real-time face-swapping passes live video calls. The $25M Arup fraud showed what happens when both tools are combined. This guide covers vishing, KYC bypass, and the verification controls that hold up under real attacks.
AI management system governance framework
10 min read
ISO 42001: the AI management system standard your organisation needs to know
ISO/IEC 42001:2023 is the first internationally recognised, certifiable framework for AI governance. This guide explains the standard's structure, the AI system impact assessment, how it pairs with ISO 27001, and how it maps to EU AI Act obligations.
AI-generated malware and polymorphic threat visualisation
10 min read
AI-generated and polymorphic malware: how autonomous threats are evading detection
Malware that rewrites its own code using AI is outpacing signature-based defences. This guide explains polymorphic and metamorphic techniques, the BlackMamba POC, underground LLM tools like WormGPT, and the behavioural EDR controls that actually stop them.
Security assessment of MFA and credential theft attack vectors
12 min read
Beyond the password: how attackers bypass MFA and how to stop them
Stolen credentials are behind over 80% of enterprise breaches, and adversary-in-the-middle proxy attacks bypass TOTP and push MFA in real time. This guide explains six bypass techniques, why FIDO2 is different, and the session-layer controls that close the gaps.
Analyst reviewing compliance documents on a laptop, DORA gap analysis for FinTechs
9 min read
How to conduct a DORA gap analysis: a step-by-step framework for FinTechs
DORA has applied since January 2025. Most FinTechs have partial controls and open gaps across all five pillars. This framework shows you where to look, what to measure, and how to build a prioritised remediation roadmap your board can approve.
Blue glowing laptop screen, NIS2 vs ISO 27001 cybersecurity framework comparison
10 min read
NIS2 vs. ISO 27001: do you need both, and where do you start?
NIS2 is EU law. ISO 27001 is a voluntary standard. Both land on the same compliance officer's desk, and about 70% of what they require overlaps. This guide maps what you get for free, where the gaps sit, and which to tackle first.
Multi-factor authentication on a mobile device
6 min read
MFA: why one extra step prevents most breaches
MFA stops over 99% of automated credential attacks. Most businesses know they need it but haven't deployed it properly. This guide covers MFA types, where to start, common mistakes, and how to configure it in Microsoft 365.
Business professional reviewing IT budget on a laptop
8 min read
How much should your business spend on IT? A budget framework for SMEs
Most SMEs spend 1–2% of revenue on IT. Benchmarks for professional services suggest 4–7%. This guide covers the five spending categories, hardware refresh cycles, software audits, and building a three-year IT budget.
Person identifying a scam email on a laptop
7 min read
Business email compromise: the fraud hiding in your inbox
BEC doesn't need malware or malicious links. Attackers impersonate executives, suppliers, and lawyers to redirect payments. Phishing losses jumped 274% in one year. This guide explains how it works and how to stop it.
Computer screen showing a ransomware attack
8 min read
Ransomware: what to do before, during and after an attack
Ransomware appeared in 88% of SMB breaches. Average demands now exceed £100,000 before recovery costs. This guide covers the defences that limit damage, what to do in the first 24 hours, and how to recover without paying.
IT infrastructure review in a business environment
6 min read
Signs your IT infrastructure is holding your business back
Recurring helpdesk tickets, rising costs with no clear cause, staff using personal tools to get around IT. These are not random problems. They are signals that your infrastructure has structural gaps. This guide covers seven warning signs and what each one means.
IT support team working at a service desk
7 min read
How to build an IT service desk without hiring a full team
Most growing businesses do not need a large in-house IT team to run effective support. This guide covers support tiers, ticketing setup, realistic SLAs, and when a managed service provider makes more sense than another hire.
Cybersecurity professional conducting a penetration test
6 min read
What is penetration testing and when does your business need one
A penetration test simulates a real attacker to find weaknesses before someone else does. This guide explains the difference from a vulnerability scan, the types of test available, and how to act on the results once you have them.
Business team reviewing IT strategy at a meeting
7 min read
In-house IT vs. managed service provider: how to decide
Most SMEs make this decision reactively. This guide covers the real costs, trade-offs, and decision framework for choosing between an in-house IT hire and a managed service provider.
Row of laptops in an office — device fleet management
6 min read
Windows 10 end of life: what your business needs to do now
Microsoft stopped patching Windows 10 in October 2025. Around 30% of business machines in the UK and EU are still running it. This guide covers your options: upgrade in place, replace hardware, or buy extended support.
Business team reviewing cybersecurity risks
7 min read
The most common cybersecurity mistakes small and medium businesses make
Treating security as a one-time project, skipping MFA, giving everyone admin rights. These mistakes are common, avoidable, and expensive. This guide covers seven of the most frequent errors and what to do instead.
NIST CSF 2.0 and NIS2 compliance framework mapping
10 min read
Implementing cybersecurity controls for NIST CSF 2.0 and NIS2
NIST CSF 2.0 and NIS2 require the same cybersecurity controls. Most organisations implement them twice. This guide maps all 10 NIS2 Article 21 measures to their CSF 2.0 equivalents and shows how to run one security programme that satisfies both.
Professional reviewing compliance documents
10 min read
ISO 27001: building IT security management for small and medium businesses
ISO 27001 gives smaller businesses a structured IT security management system: identify what you are protecting, assess the risks, and put controls in place. This guide covers the six-step path, realistic timelines, and what it costs.
Hotel corridor
7 min read
The cybersecurity risks hotels need to address, and usually don't
A mid-size hotel holds more sensitive data per customer than most banks: payment cards, passport numbers, loyalty data, and travel patterns in one place. This analysis covers the four attack surfaces that matter most, and what a credible security baseline actually looks like.
Healthcare professionals reviewing data on a tablet
8 min read
Using AI in your healthcare organisation without creating GDPR exposure
Healthcare AI is moving fast, but most tools that process health data create GDPR and EU AI Act obligations that generic guidance misses entirely. Five questions to ask before any clinical or administrative AI deployment.
Financial district skyline
8 min read
IT risk and cybersecurity in financial services: what DORA requires
DORA sets binding IT risk and cybersecurity requirements for banks, insurers, and payment firms across the EU. Most firms have addressed the five pillars. Third-party ICT risk, where the deepest gaps sit, is where most still fall short.
Cybersecurity digital shield protection
7 min read
What your cyber insurer expects before paying a claim
Cyber insurers now require specific technical controls before binding cover and before paying claims. This guide covers what underwriters check, how claims get evaluated, and which exclusions are catching organisations out.
Cybersecurity compliance and digital security
7 min read
NIS2 cybersecurity readiness: the 10 security controls your organisation needs
NIS2 is a practical cybersecurity baseline, not just a regulatory checkbox. It covers access control, incident detection, supply chain risk, and more. This guide walks through all 10 mandatory security controls and how to get them in place.
Data privacy and GDPR compliance
8 min read
GDPR compliance for businesses in the EU: what you actually need to have in place
Eight years on, many organisations still have gaps in the basics: no lawful basis documented, breach response plans that miss the 72-hour window, and processing records that have never been updated. This guide covers the obligations that matter most.