The BEST protection against ransomware


What would you do if you arrived at work tomorrow and all your files were gone?

Not just missing. But locked up. Encrypted. Held for ransom by criminals demanding a massive payout just to get them back.

Maybe.

That’s the reality of ransomware. And it’s getting worse.

In the first quarter of 2025, ransomware attacks hit a new high. Up 84% compared to the same period last year.

It’s no longer a case of “if” your business might be targeted… but “when”.

In fact, two-thirds of businesses have been hit by ransomware in the last two years. It’s the kind of stat that makes you stop and think: Is your business ready?

Now, the good news (yes, there is some) is that there is a very effective way to protect your business: Immutable backup storage.

I’ll explain what that is in a second.

First, a quick refresher on ransomware. It’s a type of cyber attack where criminals gain access to your systems, encrypt your files, and then demand a ransom payment to unlock them.

It’s nasty stuff.

And these attacks don’t just target your day-to-day files anymore. According to recent research, 96% of businesses that were hit by ransomware in the last two years saw their backups targeted too.

That’s right. The attackers know about that safety net you thought would save you. And they’re gunning for it.

This is where immutable backup storage comes in.

“Immutable” means unchangeable. With immutable storage, once your backup data is written, it can’t be edited, deleted, or overwritten. Even by someone with admin access.

That means if a ransomware attacker does manage to get into your system, they still can’t tamper with these backups. It’s like putting your most important information into a vault, locking it up, and throwing away the key… except you still have a secure way to access it when you really need it.

Traditionally, businesses achieved this by storing backups on devices that were physically disconnected from the network. What we call “air-gapped” storage.

But these days, we’ve got smarter, cloud-based options that offer the same level of protection without the need for bulky hardware or complex routines.

So, why isn’t every business using immutable backups?

That’s a great question. Even though 81% of IT professionals say it’s the best way to protect against ransomware, only 59% of businesses are using it. And that’s a worry.

Today, security hardening alone isn’t enough. Firewalls, security software, and careful user permissions are all part of the picture. But if ransomware gets through (and often, it does), your last line of defence is your backups.

They need to be untouchable.

I call it having a “breach mentality”. Working on the assumption that an attack will happen at some point. That means preparing for recovery, not just prevention.

Immutable backup storage is one of the smartest investments you can make right now. When the worst happens, being able to restore your data quickly and safely (without paying a ransom) can be the difference between a bad day… and business-ending disaster.

Got questions about how to get started with immutable storage or want help reviewing your backup strategy? My team and I can help. Get in touch.

Your business’s passwords are still too weak


Be honest. Do you still have at least one password that looks like “12345” or “password123”?

If so, you’re not alone.

But that doesn’t mean it’s OK.

Despite years of warnings from IT experts (people like me), weak passwords are still everywhere. And that’s a real problem. Because they’re one of the easiest ways for cyber criminals to break into your business systems.

You’d be amazed how many companies are still using passwords that can be cracked in less than a second.

Recent research found that the most common business password is still “123456”.

Right behind it? “123456789”, “password”, and even the ever popular “qwerty123”.

These aren’t just lazy choices. They’re open doors for hackers.

What’s worse, it’s not just huge enterprises that are getting this wrong. Small and medium-sized businesses are guilty too. And they’re often hit harder when things go wrong, because they don’t always have the same resources to recover.

A single stolen password can let an attacker access your email, files, financial systems, or even customer data.

The damage? It can be serious. Both financially and to your reputation.

You might think, “But we don’t have anything worth stealing.” Trust me, you do. Even if you’re a team of five, your accounts, client data, and communications are all valuable targets. Cyber criminals don’t discriminate. They go for easy wins. And weak passwords are the easiest win there is.

Now here’s the kicker: Even if you’re not using “123456”, that doesn’t necessarily mean your passwords are secure. The research also found people using their own email address or their name as a password (eye roll). Some even used phrases like “iloveyou”.

It’s all very sweet… until a cyber criminal uses it to get into your systems.

So… what can you do to protect your business?

Start by making sure everyone uses strong, unique, randomly generated passwords. That means longer phrases with a mix of letters, numbers, and symbols. Nothing predictable.

Nobody wants to remember 30 complex passwords. That’s where a password manager comes in. It can create super strong passwords for every login and store them securely, so your team doesn’t have to rely on memory (or sticky notes).

Better still, consider enabling two-factor authentication. That’s the thing where you get a code on your phone or app when logging in. Even if someone does steal a password, they can’t get in without that second code. It’s one of the easiest and most effective ways to add a layer of protection.

And if you want to future-proof your security, look at passkeys. These are a new way to log in without traditional passwords at all. They use biometrics like fingerprint or facial recognition, or secure device-based authentication. It’s safer and simpler, and it’s quickly becoming the new standard.

At the end of the day, strong passwords—or better, password alternatives—are your first line of defence. Don’t wait for a security scare to take them seriously. If your team is still using “abc123”, now’s the time for a change.

Need a hand reviewing your password policy or setting up a secure login system for your team? My team and I would love to help. Get in touch.

Fraud is costing businesses MILLIONS


Have you ever stopped to think how much fraud could be costing your business?

It’s easy to consider fraud as a problem for big companies. The kind with thousands of employees and dedicated security teams.

But that’s a dangerous assumption.

Fraud is a growing threat to companies of every size. And small to medium-sized businesses are often more exposed.

Why?

Because they typically don’t have the same layers of protection, resources, or formal training in place.

I’m talking specifically about identity fraud. When someone pretends to be a trusted contact (like your staff, suppliers, or customers) to steal money, access data, or infiltrate systems.

It might be a fake email from someone posing as your finance manager requesting an urgent payment. Or a cyber criminal using stolen login credentials to access sensitive business tools.

And the most common entry point? Stolen usernames and passwords. A trick that’s been around forever but still works.

With modern AI tools, scams are becoming harder to spot. Criminals can now fake emails, voices, and even videos that look and sound just like the real thing.

Around 69% of businesses say they’ve seen a rise in fraud attempts.

There is good news.

Businesses that adopt better identity protection, like biometric logins, device recognition, and AI-driven fraud detection, are seeing real results. Many are reporting significant savings and far fewer fraud-related costs.

Even small improvements can make a big difference. Start by reviewing your login practices:

  • Are passwords randomly generated and never used for more than one application?
  • Do you use multi-factor authentication, where you get a code on another device to prove it’s you?
  • Can your team spot suspicious emails or messages, thanks to training?

The goal isn’t to make life harder. It’s to build smart, people-friendly security that protects your business without slowing you down.

Need a hand reviewing your current setup or figuring out which tools fit your needs? My team and I are here to help. Get in touch.

Microsoft: Criminals can access your accounts without your password


Have you ever felt like just when you’ve nailed your cyber security – BAM! – something new comes along to throw a spanner in the works?

That’s exactly what’s happening right now.

There’s a new scam doing the rounds. And it’s catching out businesses just like yours.

The worst part?

Cyber criminals don’t even need your password.

Scary…

It’s called device code phishing. It’s a clever trick that’s becoming more and more popular. Microsoft recently flagged a wave of these attacks, and we’re likely to see many more.

This one’s different to the usual phishing scams you’ve probably heard about. Normally, phishing is all about tricking people into giving away their usernames and passwords on fake websites.

But with device code phishing, scammers play a smarter game.

Instead of stealing your password, they get you to voluntarily give them access to your account. And they do it using real Microsoft login pages, so it looks totally legit.

It usually starts with a convincing email. Maybe it looks like it’s from your HR person, or a colleague, inviting you to a Microsoft Teams meeting. You click the link, and it takes you to a real Microsoft login screen.

Nothing seems out of place.

You’re asked to enter a code. Just a short one, called a “device code.” This code is supplied in the email, and you’re told it’s needed to join the meeting or finish logging in.

Here’s the catch: By entering that code, you’re not logging yourself in… you’re logging them in.

You’re unknowingly giving the attacker access to your Microsoft account on their device. And because the login goes through the proper channels, it can even bypass multi-factor authentication (MFA).

Yep, even if you’ve got extra security in place, they might still get in.

Once they’re in, they can do a lot of damage. Reading your emails, accessing your files, even using your account to trick others in your company. It’s like handing over the keys to your office and you don’t even realise it.

It’s dangerous because it doesn’t look suspicious. You’re on a real Microsoft site, not some suspicious fake. You didn’t click a weird link or enter your password into a phishing form. Everything looks above board… except it’s not.

And because attackers are using legitimate Microsoft login flows, traditional security tools don’t always catch it.

Plus, once they’re in, they can stay in. They don’t need to keep logging in if they’ve captured your session token (that’s a sort of digital “pass” that keeps you logged in behind the scenes). So even changing your password won’t necessarily kick them out right away.

A big question then: How can you protect your business?

Start by getting your team to be extra cautious with login requests. Especially ones that involve entering codes. If you get a device code from someone, stop and think: Did I request this? Do I know for sure this is real?

If you’re not sure, don’t go through with it. Use a separate method, like a direct phone call or your company’s messaging system, to double-check with the person who sent the email.

Remember, real Microsoft logins don’t involve someone else giving you a code to enter. If that ever happens, it’s a red flag.

From a technical side, your IT team (or IT provider) can also tighten things up. If your business doesn’t need device code login as part of its daily operations, it’s safest to turn it off altogether. They can also put in place extra security rules that only allow logins from trusted locations or devices.
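For an IT team that cannot switch device code login off outright, the next best thing is to notice when it is used at all, and from where. The Python below is an added example, not Microsoft's code or tooling: it reads sign-in records as JSON lines and raises an alert for every device-code sign-in, with a higher severity when the sign-in comes from outside the locations the business expects. The field names (`userPrincipalName`, `authenticationProtocol`, `location`) follow the shape of Entra ID sign-in logs, but the records themselves are constructed for this example and the allowed-country list is an assumed policy value.

```python
"""Flag device-code sign-ins in sign-in log records.

Added example written for this article, not Microsoft's tooling. The sample
records below are constructed; field names are modelled on Entra ID sign-in
logs, where the authentication protocol used is recorded per sign-in.
"""
import json

# Assumed policy: the countries this (fictional) business expects staff to sign in from
ALLOWED_COUNTRIES = {"GB", "IE"}

# Constructed sample sign-in records, one JSON object per line
SAMPLE_SIGNIN_LOG = """\
{"createdDateTime": "2025-05-02T08:01:12Z", "userPrincipalName": "alice@example.com", "authenticationProtocol": "none", "location": {"countryOrRegion": "GB"}, "ipAddress": "198.51.100.10"}
{"createdDateTime": "2025-05-02T08:03:40Z", "userPrincipalName": "bob@example.com", "authenticationProtocol": "deviceCode", "location": {"countryOrRegion": "GB"}, "ipAddress": "198.51.100.11"}
{"createdDateTime": "2025-05-02T08:05:09Z", "userPrincipalName": "carol@example.com", "authenticationProtocol": "deviceCode", "location": {"countryOrRegion": "NL"}, "ipAddress": "203.0.113.7"}
{"createdDateTime": "2025-05-02T08:06:55Z", "userPrincipalName": "dave@example.com", "authenticationProtocol": "none", "location": {"countryOrRegion": "US"}, "ipAddress": "203.0.113.8"}
"""


def parse_signins(text: str) -> list[dict]:
    """Parse JSON-lines sign-in records, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def find_device_code_signins(records: list[dict], allowed_countries=ALLOWED_COUNTRIES) -> list[dict]:
    """Return one alert per device-code sign-in.

    Every device-code sign-in is worth a look if the flow is not part of normal
    operations; one from an unexpected country gets a higher severity.
    """
    alerts = []
    for rec in records:
        if rec.get("authenticationProtocol") != "deviceCode":
            continue
        country = (rec.get("location") or {}).get("countryOrRegion", "unknown")
        severity = "medium" if country in allowed_countries else "high"
        alerts.append({
            "user": rec.get("userPrincipalName"),
            "time": rec.get("createdDateTime"),
            "ip": rec.get("ipAddress"),
            "country": country,
            "severity": severity,
            "reason": "device code sign-in"
                      + ("" if country in allowed_countries else " from unexpected location"),
        })
    return alerts


if __name__ == "__main__":
    for alert in find_device_code_signins(parse_signins(SAMPLE_SIGNIN_LOG)):
        print(f"[{alert['severity'].upper()}] {alert['time']} {alert['user']} "
              f"from {alert['ip']} ({alert['country']}): {alert['reason']}")
```

When a high-severity alert fires, the follow-up the article implies is to confirm with the user out of band, and if they did not request the code, to revoke that account's sessions rather than just resetting the password, since a captured session token outlives a password change.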

And finally, keep training your people. Good cyber security is about awareness. If your team knows what to look out for, they’re much less likely to fall for these kinds of tricks.

Can we help you tighten up your security? Get in touch.