<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom"><channel><title>Insights on Malwise · UK Cyber Security &amp; Cyber Essentials Certification</title><link>https://malwise.co.uk/blog/</link><description>Recent content in Insights on Malwise · UK Cyber Security &amp; Cyber Essentials Certification</description><generator>Hugo</generator><language>en-gb</language><lastBuildDate>Thu, 16 Jul 2026 00:00:00 +0000</lastBuildDate><atom:link href="https://malwise.co.uk/blog/index.xml" rel="self" type="application/rss+xml"/><item><title>Microsoft is retiring text-message sign-in codes. Is your business actually ready for passkeys?</title><link>https://malwise.co.uk/blog/microsoft-passkeys-default-are-you-ready/</link><pubDate>Thu, 16 Jul 2026 00:00:00 +0000</pubDate><guid>https://malwise.co.uk/blog/microsoft-passkeys-default-are-you-ready/</guid><description>&lt;p>Some time after 1 September, people in your business are going to see a new prompt when they sign in to Microsoft 365: register a passkey. Here is the readiness test, in one question. Will they know whether it is real?&lt;/p>
&lt;p>In most small businesses, honestly, no. Nobody will have told them it was coming, nobody will know whether clicking it is safe, and the decision will be made individually, at nine in the morning, by whoever hits it first. That is what unreadiness looks like, and it is entirely avoidable, because Microsoft has published the whole timeline.&lt;/p></description></item><item><title>Cyber Essentials explained: what it is, what it covers, and how to prepare</title><link>https://malwise.co.uk/blog/cyber-essentials-explained-how-to-prepare/</link><pubDate>Thu, 02 Jul 2026 00:00:00 +0000</pubDate><guid>https://malwise.co.uk/blog/cyber-essentials-explained-how-to-prepare/</guid><description>&lt;p>Cyber Essentials is the most requested security certification in the UK, and the most misunderstood. Businesses put it off for months believing it demands a security team and a budget to match, then discover the real work was a fortnight of housekeeping. Others assume it is a formality, submit without preparing, and fail on something they could have fixed in an afternoon.&lt;/p>
&lt;p>This guide explains what the scheme actually is, what the five controls require in plain English, where scope catches people out, and how to prepare properly. At the end there is a one-page cheat sheet you can download, print, and work through.&lt;/p></description></item><item><title>Half-time 2026: what six months of UK cyber security news actually means for your business</title><link>https://malwise.co.uk/blog/uk-cyber-security-half-year-review-2026/</link><pubDate>Wed, 01 Jul 2026 00:00:00 +0000</pubDate><guid>https://malwise.co.uk/blog/uk-cyber-security-half-year-review-2026/</guid><description>&lt;p>Six months into 2026 and the shape of the year is clear. Incidents are up, the law is changing, the government is spending, and attackers have quietly switched tactics in a way that should change where small businesses put their effort.&lt;/p>
&lt;p>Most mid-year reviews are written for security teams. This one is for the people who run businesses. Five developments from the first half of 2026, what each one actually means, and one thing to do about each.&lt;/p></description></item><item><title>Your IT provider is about to be regulated: the Cyber Security and Resilience Bill explained for UK businesses</title><link>https://malwise.co.uk/blog/cyber-security-resilience-bill-uk-businesses/</link><pubDate>Wed, 24 Jun 2026 00:00:00 +0000</pubDate><guid>https://malwise.co.uk/blog/cyber-security-resilience-bill-uk-businesses/</guid><description>&lt;p>On 10 June 2026, the Cyber Security and Resilience Bill completed its final stages in the House of Commons. A week later it moved to the House of Lords. Royal Assent is expected later this year.&lt;/p>
&lt;p>Most UK businesses will never be named in this legislation. Almost all of them will feel it anyway, because the Bill regulates the companies they hand their IT to.&lt;/p>
&lt;p>This post explains what the Bill actually does, who is in scope, who is not, and what a business that outsources its IT should be doing about it now. In plain English, because the coverage so far has mostly been written for lawyers and large enterprises.&lt;/p></description></item><item><title>612,000 reasons to take Cyber Essentials seriously: what the 2025/26 breaches survey is really telling directors</title><link>https://malwise.co.uk/blog/612000-reasons-cyber-essentials-csbs-2026/</link><pubDate>Wed, 27 May 2026 00:00:00 +0000</pubDate><guid>https://malwise.co.uk/blog/612000-reasons-cyber-essentials-csbs-2026/</guid><description>&lt;p>The UK Government&amp;rsquo;s Cyber Security Breaches Survey for 2025/26 came out on 30 April. It is the same survey, run the same way, for the eleventh year running. The numbers move slightly. The shape never does.&lt;/p>
&lt;p>This year, 43% of UK businesses reported a cyber security breach or attack in the last twelve months. That is approximately 612,000 organisations. Phishing remained the most common attack vector by a long margin. The proportion of breaches resulting in loss of revenue or share value more than doubled, from 2% to 5%. Reputational damage tripled, from 1% to 3%.&lt;/p></description></item><item><title>How to harden Microsoft 365 in 2026: what's changed and what actually matters</title><link>https://malwise.co.uk/blog/microsoft-365-security-hardening-2026/</link><pubDate>Sun, 17 May 2026 00:00:00 +0000</pubDate><guid>https://malwise.co.uk/blog/microsoft-365-security-hardening-2026/</guid><description>&lt;p>Most Microsoft 365 security guides cover the same list. Multi-factor authentication for all users. Block legacy authentication. Configure anti-phishing policies. Use Microsoft Secure Score as a benchmark. These are still correct. But 2026 has introduced enough changes to the platform that following last year&amp;rsquo;s hardening checklist will leave you with gaps that didn&amp;rsquo;t exist before.&lt;/p>
&lt;p>This post covers what&amp;rsquo;s actually changed, the things most hardening guides don&amp;rsquo;t address, and a practical priority order for UK businesses that haven&amp;rsquo;t had an independent review of their tenant configuration.&lt;/p></description></item><item><title>YellowKey: the BitLocker bypass that needs nothing but a USB stick</title><link>https://malwise.co.uk/blog/yellowkey-bitlocker-bypass-windows-11/</link><pubDate>Sat, 16 May 2026 00:00:00 +0000</pubDate><guid>https://malwise.co.uk/blog/yellowkey-bitlocker-bypass-windows-11/</guid><description>&lt;p>On 12 May 2026, a researcher operating under the handle Nightmare-Eclipse published a working proof of concept that bypasses BitLocker on Windows 11, Windows Server 2022, and Windows Server 2025. The tool is called &lt;strong>YellowKey&lt;/strong>. It needs nothing more than physical access to the device and a USB stick. No password. No recovery key. No specialist hardware.&lt;/p>
&lt;p>We&amp;rsquo;ve tested it. It works. And if you&amp;rsquo;re running BitLocker on a Windows 11 laptop with the default settings, which is roughly 99% of UK business deployments we see, your &amp;ldquo;encrypted&amp;rdquo; drive can be read by anyone who picks it up.&lt;/p></description></item><item><title>Conditional Access in Microsoft 365: why it matters and how to get it right</title><link>https://malwise.co.uk/blog/conditional-access-most-important-control/</link><pubDate>Mon, 09 Mar 2026 00:00:00 +0000</pubDate><guid>https://malwise.co.uk/blog/conditional-access-most-important-control/</guid><description>&lt;p>Every Microsoft 365 tenant we audit has at least one Conditional Access policy that is either doing nothing, actively blocking the wrong users, or creating a false sense of security by protecting the wrong things. In some cases, all three.&lt;/p>
&lt;p>Conditional Access is the most powerful security control in Microsoft 365. It is also the most consistently misconfigured. When it works properly, it removes the most common attack paths against a tenant. When it doesn&amp;rsquo;t, the rest of your security spend is largely decoration.&lt;/p></description></item><item><title>Why businesses fail Cyber Essentials: the five most common mistakes in 2026</title><link>https://malwise.co.uk/blog/five-things-that-fail-cyber-essentials/</link><pubDate>Wed, 18 Feb 2026 00:00:00 +0000</pubDate><guid>https://malwise.co.uk/blog/five-things-that-fail-cyber-essentials/</guid><description>&lt;p>Cyber Essentials looks like a checklist. The questions seem straightforward. Yet as a &lt;a href="https://malwise.co.uk/services/cyber-essentials/">licensed Certification Body&lt;/a> reviewing assessments every week, we see the same failures come through again and again. Not because businesses haven&amp;rsquo;t done the work, but because the questions are sharper than they look, and the 2026 changes have made some of them significantly harder to pass.&lt;/p>
&lt;p>The scheme updated to version 3.3 (&amp;ldquo;Danzell&amp;rdquo;) on 27 April 2026. Several things that used to be major non-compliances, where you could still technically pass, are now &lt;strong>automatic failures&lt;/strong>. No appeals, no partial credit.&lt;/p></description></item><item><title>What's actually wrong with UK cyber security (and why we started Malwise)</title><link>https://malwise.co.uk/blog/why-we-started-malwise/</link><pubDate>Wed, 04 Feb 2026 00:00:00 +0000</pubDate><guid>https://malwise.co.uk/blog/why-we-started-malwise/</guid><description>&lt;p>There&amp;rsquo;s a version of cyber security that looks impressive and doesn&amp;rsquo;t work. You&amp;rsquo;ve probably seen it: the dashboard with seventeen threat categories, the quarterly report with a risk score that went from amber to green, the certificate in the reception area. Plenty of activity. Hard to say whether any of it made the business more secure.&lt;/p>
&lt;p>And then there&amp;rsquo;s the work that actually matters: finding out that your IT provider has been using a shared admin account for three years, getting multi-factor authentication on the email system that&amp;rsquo;s been &amp;ldquo;on the roadmap&amp;rdquo; since 2022, making sure the laptop your finance director lost on the train last month couldn&amp;rsquo;t be accessed by whoever found it.&lt;/p></description></item></channel></rss>