News

Britain’s cyber security authority has, for the first time, told the public to choose passkeys over passwords wherever they can. Here’s what that actually means for the businesses still running on “Summer2025!” and a sticky note.

Last week at CYBERUK 2026 in Glasgow, the National Cyber Security Centre — the part of GCHQ that issues the UK’s official cyber guidance — formally recommended that passkeys should be the default way of logging in to online services where they are available. It’s a striking departure from decades of advice telling us to pick longer, stranger, more memorable strings of characters, and it follows a similar move by the UK government to roll passkeys out across GOV.UK services in place of SMS verification, a change expected to save several million pounds a year.

The NCSC still recommends a good password manager paired with two-step verification for the many services that have not yet added passkey support. But where the option exists, the message is clear: take it.

For small business owners, that translates into something simple: if your suppliers, banks and cloud platforms support passkeys — and most of the big ones now do — it is time to start switching over.

This week’s passkey checklist

If you read no further, do these five things:

1. Turn on passkeys for your Microsoft 365 or Google Workspace admin accounts first, then your standard user accounts.
2. Register passkeys on at least two devices per account (typically a phone and a laptop).
3. Set up a working fallback for every account — recovery codes where offered, a second registered passkey where they’re not, and a Recovery Key on your Apple ID if you use iCloud Keychain.
4. Review the registered passkeys and sign-in methods on your critical accounts and remove anything you don’t recognise.
5. Make sure your IT provider has documented the recovery process before someone loses a phone — not after.

The rest of this article explains why, and what to do when things go wrong.

So what actually is a passkey?

Continue reading →

A humorous explainer on bits, bytes, storage, and the strange unit system that still confuses modern computing.

Our technology correspondent descends into the microscopic society living inside your laptop and returns with troubling news.

You may not be aware of this, but at this very moment there is a bustling society of microscopic workers living inside your laptop, your phone, and that suspiciously warm router in the hallway. They have a rigid class system. They have internal squabbles that were settled by committees decades ago and have never been revisited. And they are, almost without exception, much smaller than you’d think.

Allow me to introduce them.

The Bit: A Humble Beginning

At the bottom of the digital food chain lives the bit – the smallest employee in computing, paid in either a 0 or a 1 and nothing in between. Bits have exactly two moods and have shown no interest in developing a third. They have been asked, repeatedly, over the course of seventy-plus years, whether they might like to try being a 2. They have declined every time.

A single bit is, frankly, useless on its own. It can tell you whether the light is on or off, and that’s about it. This is why bits are never seen alone in polite society. They travel in packs.

The Nibble: A Unit Nobody Takes Seriously

Continue reading →

We get asked a lot of the same questions by businesses looking to move their IT to a proper managed provider. Here are the ones that come up most often, with straight answers.

Why would you use Trichromic?

If you value IT in your business and want a provider who actually cares about keeping things running smoothly, we’re a good fit. We’re passionate about what we do, genuinely pro-active, and we insist on getting to the root of chronic problems rather than patching the same issue month after month.

Why would you NOT use Trichromic?

If IT is just a cost you want to minimise — or you’d rather only hear from your IT provider when something’s broken — we’re probably not for you. We work best with businesses who see reliable, secure IT as an investment in their own productivity and reputation.

What makes Trichromic different?

Two things. First, our pro-active approach — we’re not content to just fix what’s in front of us, we want to stop issues recurring. Second, we run our own infrastructure and apply the same security standards we recommend to our clients, including the principles behind Cyber Essentials.

How long has Trichromic been in business?

Since 2006. Trichromic LLP is owned by Alex Bailey and Lloyd Reid, who still run the business day to day. Continue reading →

We’ve seen three successful attacks this year where users had MFA enabled and still got compromised. Here’s how it works and what you can do about it.

Multi-factor authentication is one of the most important security controls you can implement. Microsoft says it blocks over 99% of credential-based attacks. We enforce MFA for every user, on every account, with no exceptions.

But MFA isn’t bulletproof. This year alone, we’ve seen three successful attacks against Microsoft 365 accounts where the users had MFA enabled and working correctly. They entered their password, they completed the MFA challenge, and the attackers still got in.

This isn’t a theoretical vulnerability. It’s happening right now, and many IT professionals don’t fully understand how it works. This article explains the attack, why it succeeds, and what we’re doing to protect against it.

How Microsoft 365 Authentication Actually Works

To understand the attack, you need to understand what happens when you log into Microsoft 365. Continue reading →

For many SMEs across the UK, Remote Desktop remains a practical and cost-effective way to access private cloud desktops, line-of-business applications and hosted Windows environments.

Microsoft’s latest Windows 11 security update has now changed how that experience works when users open an .rdp file. From Microsoft’s 14 April 2026 cumulative update (KB5083769, builds 26100.8246 and 26200.8246), Remote Desktop shows the requested connection settings before connecting, with each setting turned off by default, and a one-time security warning appears the first time an .rdp file is opened on a device. The change is tied to CVE-2026-26151, a Remote Desktop spoofing vulnerability.

At first glance, that may sound like a minor interface change. In practice, it is a significant shift in how trust is handled for remote access. Microsoft has not removed digital signatures from signed .rdp files, and signatures still help verify who published the file and whether it has been altered. What has changed is the default behaviour at connection time: regardless of whether an .rdp file is signed or unsigned, every redirection it requests is now off by default, and the user must explicitly allow access to items such as clipboard, local drives, printers and other attached devices. The signature now determines which dialog banner the user sees, and whether a publisher name is shown, rather than granting automatic redirection trust. Continue reading →

If you’re an MSP or private cloud provider managing 3CX phone systems — or similar nginx-based platforms — there’s a good chance your certificate renewal process has changed in the last year or two. Certificate Authorities have been tightening up their issuance practices, and what used to be a simple “drop the new PEM in and restart” job now usually involves dealing with a full chain back to the root CA. The exact details vary by product, but the underlying patterns are similar wherever nginx is doing the TLS termination.

We recently went through this on a customer’s 3CX system and hit a few of the common pitfalls. Sharing them here in case it saves someone else half an hour of head scratching.

What Changed

In the past, many CAs would issue a single PEM file containing just the server certificate. Modern browsers and clients had the intermediate certificates cached or could fetch them via AIA (Authority Information Access), so an incomplete chain often worked anyway.

These days, when you renew you’ll typically end up with:

• Your private key — generated locally on your server as part of the CSR (Certificate Signing Request) process. The CA never sees this; it only receives the public key embedded in the CSR.
• A server certificate (.pem or .crt) — issued by the CA in response to your CSR.
• A bundle file (.bundle, .ca-bundle, or similar) — supplied by the CA alongside the certificate, containing the intermediate certificates and sometimes the root.

In a typical nginx deployment, the ssl_certificate file should contain the server certificate followed by the intermediate certificate(s) — and that’s what nginx (or anything sitting on top of nginx, like 3CX) wants to see.

The Right Order Matters

When you concatenate the server certificate with the bundle, the order is critical:

1. Server certificate first
2. Intermediate certificate(s) next
3. Root certificate — usually omitted. Clients already trust the root, so including it just adds bytes to the handshake. Only include it if a specific vendor or product requires it.

Get this wrong and nginx will either refuse to start or will serve a chain that fails validation on stricter clients. The TLS handshake expects the leaf certificate first. Continue reading →

Deadline Fixed, Legacy Prices Rising, and Copper Broadband Must Be Migrated Properly

With the PSTN switch-off now close, this is no longer something businesses can leave on the to-do list for “later”.

The deadline is fixed at 31 January 2027. Openreach has already confirmed 2026 price rises for legacy WLR services, and the biggest remaining area of confusion is broadband: if you still have a copper DSL service, the right migration path depends on whether FTTP is available at your premises.

If your business still relies on analogue lines, ISDN, or broadband tied to a traditional phone service, now is the time to review every circuit and every connected device.

The Deadline Is 31 January 2027

All users of the Openreach PSTN must be migrated to new services by 31 January 2027.

This is not only about voice calls. It also affects legacy services built around the old WLR/PSTN model, including analogue lines, ISDN and broadband services that still depend on a traditional phone line.

In practice, that means many older services now need to be replaced with digital alternatives such as FTTP or SOGEA.

Openreach Is Increasing Legacy Line Prices in 2026

Continue reading →

When nothing is broken, it is easy to wonder what you are paying for. Here is what happens behind the scenes to keep it that way.

If your IT is working properly, you probably do not think about it very much. Email works. Files are where they should be. You can log in. The internet is fast enough. Everything just works.

And when that is the case, it is natural to wonder what your IT provider is actually doing. You are paying a monthly fee, but there are no engineers on site, no major incidents, and no obvious signs of activity.

That is the point.

The purpose of managed IT is to stop you having to think about IT at all. But “nothing happening” on your side usually means a great deal is happening on ours. Here is what a typical month really looks like behind the scenes.

Every morning

Our day starts by checking what happened overnight.

Backup reports. Most client backups run overnight, so every morning we check that they completed successfully. Did the job finish? Were there warnings or failures? A backup that fails silently is often worse than no backup at all, because you only discover the problem when you need to restore data, and by then it is too late. Continue reading →

Microsoft released KB5079473 on 10 March 2026 for Windows 11 versions 24H2 and 25H2 as part of its regular Patch Tuesday updates. As with any monthly cumulative update, it included important security fixes along with a handful of quality improvements.

When the update first rolled out, it quickly attracted attention online. Reports started appearing of crashes, freezes, broken apps, sign-in problems, and even boot issues. A few weeks later, the picture is much clearer. Some of the concerns were real, one key issue has now been fixed by Microsoft, and at least one widely reported problem turned out not to be caused by the Windows update at all.

Here’s what happened, what’s been confirmed, and what users should do now.

What KB5079473 actually affected

The main issue Microsoft has officially confirmed after installing KB5079473 involved Microsoft account sign-ins.

Some users found that apps relying on a Microsoft account suddenly stopped signing in properly and displayed a false message claiming the PC was not connected to the internet. This affected apps and services such as Microsoft Teams Free, OneDrive, Microsoft Edge, Word, Excel, and Microsoft 365 Copilot when a Microsoft account login was required.

Importantly, this problem affected consumer Microsoft accounts, not organisations using Microsoft Entra ID.

So while early reports described a broad range of failures, the sign-in bug is the main issue Microsoft formally acknowledged as a known problem linked to KB5079473.

Microsoft has already issued a fix

Continue reading →

HMRC has awarded AWS a contract to migrate services from three Fujitsu datacentres running everything from Unix variants to Windows and VMware. The technical challenges are significant—and the procurement process raises its own questions.

On 23 March 2026, HMRC awarded Amazon Web Services a contract worth £472.8 million to migrate services from three Fujitsu-run datacentres to the cloud. The initial term is seven years, with extension options that could take it to ten. The migration is due to be completed by June 2028.

That’s just over two years to exit datacentres running a remarkably diverse mix of systems—a legacy estate that has been accumulating for decades. The way the contract was awarded raises questions about competition in government IT procurement.

What’s Actually Being Migrated

The procurement documents describe a mixed legacy estate spanning about a dozen platforms and operating environments. These include Unix variants like HP-UX, IBM AIX, and Solaris, but also Red Hat Linux, SUSE Linux, Windows, VMware ESXi, Oracle Linux, and NetApp ONTAP storage systems. Continue reading →