Blog & insights

Practical posts focused on decisions and delivery. No hype, just patterns you can use.

Blog post

NCSC Logs 200 Critical-Infrastructure Incidents and Reframes Cyber as a Contest: What UK Schools, Charities and Businesses Should Do as DUAA Goes Live Tomorrow

On 17 June 2026 the NCSC's Richard Horne told RUSI his teams had handled more than 200 cyber incidents affecting UK critical national infrastructure and its supply chain in the year to May 2026, with around three-quarters linked to hostile states - Russia, China and Iran. He reframed cyber as a 'contest' rather than a 'risk' and asked every board to focus on three core capabilities. Thirty-six hours later, the DUAA data protection complaints duty switches on for every UK controller. Here is the four-day, 30-day and 90-day plan for UK schools, charities and businesses.


Three UK Education Cyberattacks In Ten Days And The DUAA Complaints Duty Switches On This Friday: What Schools, Charities and Businesses Should Do Next

Three UK education organisations - Powys (13 schools), Great Marlow School and the University of Nottingham - disclosed cyber incidents in the ten days before the new Data (Use and Access) Act complaints duty switches on this Friday 19 June 2026. ShinyHunters used a pre-auth Oracle PeopleSoft zero-day (CVE-2026-35273) against more than 100 organisations, and Microsoft shipped its biggest ever Patch Tuesday on the same day Great Marlow closed. Here is the four-day, 30-day and 90-day plan for every UK school, charity and business.


The Data Protection Complaints Regime Switches On 19 June 2026. Here's What UK Schools, Charities and Businesses Should Have In Place By Friday Week.

From 19 June 2026 a new statutory duty under the Data (Use and Access) Act 2025 switches on. Every UK controller - every school, charity and business - must have a working data protection complaints process, an electronic form and at least one alternative route, a 30-day acknowledgement clock, and a record the ICO can ask to see. There are no carve-outs for size. Here is the minimum viable position for Friday week and the 30/60/90-day plan to make it boring.


GCHQ Says UK Cyber Needs to Be 'Ten Times More Urgent'. Here's What UK Schools, Charities and Businesses Should Actually Do This Quarter.

On 27 May 2026 the Director of GCHQ used the agency's first ever Annual Lecture at Bletchley Park to say UK cyber security needs to be 'ten times more urgent', from boardrooms to living rooms. Eight working days later, on 10 June 2026, the Cyber Security and Resilience Bill reaches report stage in the Commons. We unpack what the speech and the Bill mean for UK schools, charities and businesses - who are largely exempt from the Bill directly but not from its supply-chain cascade - and what to do across the next 30, 60 and 90 days.


NCSC and the Five Eyes Just Warned About Agentic AI. Here's What UK Schools, Charities and Businesses Should Actually Do Before Switching It On.

On 18 May 2026 the NCSC reissued joint guidance with CISA, the NSA and its Australian, Canadian and New Zealand counterparts on the 'Careful Adoption of Agentic AI Services.' Agentic AI - AI that does not just answer questions but plans, decides and takes actions inside your IT environment - is now arriving inside the SaaS that UK schools, charities and businesses already pay for. We unpack what changes about the risk picture, why the procurement signal is invisible, and what to do across the next 30, 60 and 90 days before switching it on across the organisation.


The Canvas LMS Breach of 2026: What UK Schools, Universities, Charities and Businesses Should Do This Quarter

ShinyHunters compromised Instructure's Canvas LMS via the Free-for-Teacher programme in late April 2026 and lifted around 3.65 TB of data covering roughly 275 million records and 8,809 institutions worldwide, including Oxford and a long list of other universities. Instructure reached an agreement on 11 May. We unpack the entry route, why it lands harder on UK schools, charities and businesses than it might appear, and what to do across the next 30, 60 and 90 days.


The UK Just Renewed Its Cyber Resilience Pledge. Here's What Signing It Actually Asks of Businesses, Charities and Schools.

The UK government renewed its call on 12 May 2026 for organisations across the economy to sign the Cyber Resilience Pledge, the voluntary commitment first announced at CYBERUK 2026 on 22 April. The Pledge bundles three actions - board-level cyber ownership, the NCSC's free Early Warning service, and Cyber Essentials across the supply chain - into one signed, dated declaration. We unpack the three actions, why they map onto every major UK cyber story of the last twelve months, and what UK schools, charities and smaller businesses should do over the next quarter to be ready when the public signatory list opens in summer 2026.


Cyber Insurance Just Got Stricter for UK Businesses, Charities and Schools. Here's What to Have Ready Before Your Next Renewal.

BIBA's 2026 broker conference opens in Manchester on 13 May with cyber insurance as a feature topic for the first time, and the timing is not accidental. Premiums, exclusions and claim outcomes are now driven by a small set of security controls - the same controls Cyber Essentials Danzell now treats as auto-fail and the same controls the M&S, Co-op and Harrods stories told us actually matter. We unpack what underwriters are asking in 2026, where claims are getting denied, and what UK schools, charities and smaller businesses should have ready before they renew.


NCSC Just Said 'Leave Passwords in the Past'. Here's What UK Schools, Charities and Businesses Should Actually Do Next.

Last week the NCSC took a position it had been carefully avoiding for years: passkeys, not passwords, should now be the default way to log into online services. We unpack what changed in the April 2026 guidance, why it lines up so neatly with Cyber Essentials Danzell, the 2025/2026 breaches survey and the M&S supplier story - and the four things UK schools, charities and smaller businesses should actually do in the next ninety days.


One Year On From M&S: What UK Schools, Charities and Businesses Should Actually Do About Supplier Risk

It is one year since Marks & Spencer disclosed the cyber attack that took down its tills, click-and-collect and online store. The attackers did not exploit a zero-day - they phoned an outsourced IT helpdesk and got a password reset on a third-party supplier's account. We walk through what the M&S, Co-op and Harrods incidents really tell UK schools, charities and smaller businesses about supplier and service-desk risk - and the five things to change in the next ninety days.


The 2026 Cyber Security Breaches Survey Just Landed. Here's What UK Schools and Smaller Businesses Should Actually Do With It.

DSIT published the Cyber Security Breaches Survey 2025/2026 on 30 April 2026. The headline of '43% of UK businesses breached' is broadly flat year on year, but the interesting findings are in the small movements - phishing increasingly AI-assisted, ransomware impact roughly doubled, and supply-chain reviews almost non-existent for smaller organisations. We unpack what the report actually says and the five things UK businesses, charities and schools should change in the next ninety days.


Cyber Essentials v3.3 'Danzell' Went Live This Week. The First Auto-Fail Rules Will Catch People Out.

On 27 April 2026, Cyber Essentials v3.3 ('Danzell') replaced Willow as the mandatory question set. For the first time in the scheme's history there are auto-fail questions — missed MFA on a cloud service or a high-risk patch left longer than 14 days will now fail the assessment outright. Here is what changed and what to fix before your next renewal.
