Latest News for 4TC
We have loads to say!
We have loads to say!
It all looked right. The logins worked, email started flowing, the files moved across without a hitch, and Microsoft 365 was declared ready to go.
That moment, when everything works and nobody touches the settings again, is exactly where the risk begins.
Microsoft 365 is one of the most capable platforms a small business can run on. It’s also one of the most heavily targeted, and the version most London SMEs are actually running isn’t configured to defend itself the way its owners assume it is.
Let’s explore the common misconfigurations and how Microsoft 365 security can be kept in good shape with the right managed IT in London behind it.
A Microsoft 365 licence gives you the tools to be secure, but it does not switch them all on for you.
Microsoft operates a shared responsibility model. That means they keep the platform itself running and patched, but everything inside your tenant is yours to configure. This includes who can log in, how they prove it’s them, what can be shared externally, and which old protocols stay open.
Default settings are built for a smooth start. Hardening the environment tends to add small frictions, so it rarely happens on its own. A few things are commonly left in their out-of-the-box state:
None of these announce themselves, which is precisely why the gaps go unnoticed.
These issues show up repeatedly across London businesses, but they’re rarely the result of carelessness. They’re usually the natural consequence of a setup that was done once and never revisited.
From April 2026, the UK’s Cyber Essentials scheme made MFA mandatory across every cloud service that supports it, Microsoft 365 included.
Under the updated v3.3 requirements, a single in-scope account without MFA is now an automatic fail. The change, set by the NCSC and administered by IASME, reflects how routinely unprotected cloud logins are still being exploited.
The usual suspects include the following:
Attackers think in terms of effort. Microsoft 365 is appealing because so many tenants look almost identical, so a technique that works against one often works against hundreds.
Automated tooling sweeps thousands of targets at once, which is how a small London business ends up caught in the same net as a large one. Attackers often probe for:
The reassuring part is that the most common entry point is also the most preventable. Identity attacks are usually password-based, so properly enforced MFA shuts out the vast majority of them.
Security drifts over time as your staff, tools and work processes change. That’s why it’s so important to regularly review your Microsoft 365 environment.
Proactive managed IT in London turns security into an ongoing discipline. In practice, that means:
At 4TC, we work with businesses across London and Hertfordshire to keep Microsoft 365 secure as standard practice, so the environment stays hardened as the business grows and changes.
You don’t need to be technical to get a rough sense of where you stand. Run through these questions:
If you hesitated on any of these, that is your starting point.
Not sure if your Microsoft 365 setup is as secure as it should be? Get in touch with the team at 4TC for a no-obligation review.

Six months after a member of staff leaves, the login still works. Messages keep landing in an inbox no one reads, and the shared drive shows the same access it did on that final day.
Nobody decided this should happen; it just never got undone, and that is the gap most businesses carry without realising it.
When someone leaves, the energy goes into the handover and the goodbyes. The accounts, devices and permissions they leave behind rarely get the same attention, because nothing visibly breaks when they go.
For SMEs in Bishop’s Stortford and throughout Hertfordshire, managing employee access can easily be overlooked during a hectic week. Treating it as a cyber security and continuity issue, rather than an afterthought, is what closes that gap.
The thing to remember about a leaver’s login is that it doesn’t know its owner has gone.
Email, Microsoft 365, the CRM, shared folders, the accounting platform, and the various SaaS tools picked up along the way – all of these stay exactly as functional the day after someone leaves as the day before, unless somebody steps in to change that.
While an account stays open, it remains a route into business data. The exposure usually takes one of a few forms:
Attackers tend to look for the path of least resistance, and a live login that nobody is watching fits that description well.
The government’s Cyber Security Breaches Survey 2025/2026 found that the proportion of businesses reporting a breach that led to loss of revenue or share value rose from 2% to 5% over the year, with reputational damage climbing from 1% to 3%.
When incidents do bite, they increasingly cost real money and real standing, and unmanaged access is one of the simpler ways to hand an incident the opening it needs.
It would be a mistake to file unmanaged access purely under cyber security. The fallout reaches into parts of the business that have nothing to do with hackers:
These are continuity issues as much as security ones. A business that cannot reliably account for who holds access to what is a business carrying hidden operational risk.
A decade ago, removing someone’s access mostly meant disabling their network account and collecting their laptop. The perimeter was the office. Today it’s far less tidy, for a few reasons:
The result is that the question “what does this person actually have access to?” has become difficult to answer. It’s that difficulty which is exactly why access control deserves more attention now.
You cannot remove access you don’t know exists, and the modern toolset makes it very easy for access to exist in places nobody is tracking.
There is a part of leaving that often gets missed entirely, which is making sure the business keeps what belongs to it.
Important emails, working files, client records and shared documents need to be transferred into the right hands before or immediately after someone goes. If that does not happen, the knowledge simply leaves with the person.
Think about what tends to sit only in one place:
All of it can vanish into a deactivated account or an unreturned device. Treating handover as a data exercise means deciding in advance where a leaver’s files should end up and who becomes responsible for them.
This protects continuity and keeps you on the right side of your data protection obligations at the same time.
The reason access lingers is often because offboarding gets handled differently each time, depending on who is around and how busy the week is.
Proactive IT support closes that gap by making access management an ongoing discipline rather than a scramble at the point of exit. That means keeping a clear view of who has access, managing permissions, and removing access promptly when someone leaves.
At 4TC, we work with businesses across Bishop’s Stortford and Hertfordshire to keep this consistent as teams grow and change so a departure is handled to the same standard, whoever happens to be managing it that week.
The goal is straightforward. When someone leaves, their access should leave with them, and your data should stay where it belongs.
Former employee access should not become a hidden security risk.
Speak to 4TC about managed IT support that helps keep your systems, data, and users under control. Get in touch today.

When an employee leaves, most businesses know how to handle the paperwork. Final pay is calculated, the P45 goes out, and the leaving card is organised. What happens to their accounts, devices and access rights is usually less organised, and it is the part that creates the most risk.
The window between a resignation date and a fully closed-out account is where former employees, lost devices and forgotten logins can still reach business data. For SMEs in Bishop’s Stortford and across Hertfordshire, where IT teams are often small or outsourced, employee IT offboarding can stretch out longer than anyone intends. The Information Commissioner’s Office expects employers to “document the leavers’ process and regularly check to confirm compliance” as part of basic data protection accountability. In practice, very few small businesses can show what good looks like.
The checklist below sets out the IT steps worth getting right every time someone leaves.
The single most important step is also the most delayed. Every system the leaver touched needs its access revoked on or before their final day – email, Microsoft 365, cloud platforms, CRMs, shared drives, VPNs, accounting tools and any line-of-business applications. That includes the smaller subscriptions as well as the obvious central accounts: design tools, marketing platforms, and anything where someone signed up using their work email.
ICO guidance on access control puts this in straightforward terms: businesses should keep records to demonstrate they “remove access rights in a timely fashion”. The UK government’s Cyber Security Breaches Survey 2024 shows that half of UK businesses experienced a breach or attack in the previous twelve months, and the most disruptive ones tend to involve credentials being misused rather than systems being broken into. Closing accounts promptly is one of the few entirely free controls a business has.
A useful practice is to disable accounts on the last day rather than deleting them immediately. That gives IT time to forward email, archive files and assign ownership of anything that needs to move on, without leaving access open.
Laptops, phones, tablets, monitors, security keys, dongles, chargers and the small mountain of accessories sent out during the hybrid-working era all need to be tracked back in. Without a record of what was issued and to whom, it is difficult to know whether anything is missing until somebody else needs it.
Two things make device recovery less painful. The first is keeping an up-to-date asset register, ideally linked to the standard staff lifecycle process so any new kit is added at the point of issue. The second is having the ability to remotely lock or wipe a device if it is not returned, which is now standard with most modern mobile device management platforms.
This is also the right point to make sure encryption is enabled and verified. A returned laptop with no encryption configured is still a meaningful data risk.
Most leavers will have created or saved files in a mix of locations such as their OneDrive, Teams sites, SharePoint, network shares, sales platforms, or the occasional Dropbox folder. A structured offboarding step should review every shared area the person had access to, transfer ownership of business-critical files, and check that nothing important is sitting somewhere only they could see.
The harder question is what to do about personal storage. If a leaver has used a personal device or a personal cloud account to handle business data, the business needs to know. The ICO’s employment records guidance makes clear that data protection accountability covers all the places business data ends up, not just the ones the employer chose. Asking the question as part of the exit conversation, and following up if anything is found, is part of doing this properly.
Shared logins are a fact of life in small businesses. The marketing inbox, the company social media account, and the supplier portal nobody else has set up a profile for. When somebody leaves, every shared password they knew needs to be changed, and any admin rights they held need to be reviewed and reassigned.
Two specific areas to check: saved passwords in browsers, which can quietly preserve access long after an account is closed, and any password manager memberships the leaver had. If those are left in place, the business can find that the leaver still holds the keys to platforms IT thought had been locked down.
Permissions are worth a wider sweep at the same time. The ICO recommends auditing privileged accounts and assigning end dates to access where it is not needed permanently. Someone leaving is a good moment to look across the rest of the team and confirm nobody else is carrying access they no longer need.
The reason so many small businesses end up with orphaned accounts and unaccounted-for laptops is rarely carelessness. It is that each exit gets handled slightly differently, depending on who is around and how busy the week is. A consistent, written process closes that gap.
A useful baseline is a single checklist that covers accounts, devices, data, passwords and confirmation that each step has been completed and by whom. The checklist should sit with whoever manages the IT function, whether that is an internal lead or an external partner, and trigger automatically when HR confirms a leaver.
When an employee leaves, work through the following:
4TC supports businesses across Bishop’s Stortford and Hertfordshire in setting up structured leaver processes alongside the rest of their IT, so each exit is handled to the same standard without anyone having to remember the steps.
If your business needs a clearer process for removing access, securing devices and protecting company data when staff leave, speak to 4TC about proactive IT support.

Most cyber attacks make the news only after the work is done. The intrusion that ends up in the press is typically the final stage of a chain that began months earlier, with a username and password listed for sale on a criminal forum. Verizon’s 2025 Data Breach Investigations Report found that 22% of breaches begin with stolen credentials, and 88% of attacks against basic web applications involve them. The November 2025 cyber attack on three London councils, where shared IT systems between Kensington and Chelsea, Westminster, and Hammersmith and Fulham allowed disruptions to spread across boroughs, is the public version of something that happens to far smaller organisations every week.
Specific software is necessary to access the dark web, a layer of the internet that Google or Bing does not index. It hosts criminal marketplaces, forums, and data dumps where stolen login details change hands. Credentials get there through a handful of routes: phishing emails, infostealer malware that scrapes passwords from infected machines, and large-scale breaches at third parties whose users reused the same password elsewhere. Verizon’s report found that 54% of ransomware victims had credentials appear in infostealer logs before the attack itself was carried out, which shows how often the underground sale precedes visible damage.
A leaked password rarely gets used the same day it’s harvested. It enters circulation; gets traded; is often sold in bulk; and may go through several hands before anyone tries it against a live system. IBM’s 2025 Cost of a Data Breach Report puts the global mean time to identify and contain a breach at 241 days, the lowest figure in nine years but still over eight months. Staff details can sit on a criminal forum for the better part of a year before any sign of misuse appears in the environment they came from.
A credential set rarely surfaces in isolation. The accompanying records can include date of birth, home address, National Insurance number, mobile number, and previous passwords used by the same individual. Verizon’s analysis of breached databases found that email addresses appeared in 61%, phone numbers in 39%, and government-issued IDs in 22%. Together they make identity theft, business email compromise, and tailored phishing far simpler to pull off, particularly when an attacker can match a personal address to a corporate login.
Headline coverage tends to follow large enterprises, but the UK government’s Cyber Security Breaches Survey 2025/2026 estimates that around 612,000 UK businesses identified a cyber breach or attack in the last 12 months. Smaller organisations are appealing to attackers because they hold fewer dedicated security staff, less mature monitoring, and accounts that often unlock access to clients, suppliers, and partners further up the chain. Many SMEs hold the keys to far larger client and supplier networks, whether it’s an accountancy firm with shared portals for its clients, a managing agent with access to dozens of landlords, or a marketing consultancy with admin rights on a customer’s website. One compromised credential at the smaller end can give an attacker access to the larger one.
Dark web monitoring for businesses scans the criminal forums, paste sites, marketplaces, botnets, and chat groups where stolen credentials surface. Credential monitoring for UK businesses tracks specific identifiers, usually company email domains, and flags any time a match appears in a known dump or fresh listing. The output is timely intelligence on which of your accounts have been exposed, when, and in what context, which lets the response be precise rather than speculative. Done properly, this is continuous. Criminal forums refresh constantly, and a credential clean from six months ago may show up this week. It sits naturally alongside the day-to-day work of proactive IT support, where the goal is to address potential issues before they cause real damage.
When a match comes back, the response is straightforward and time-sensitive. Reset the password on the affected account, force the same on any system where that password may have been reused, check for unusual logins, enable multi-factor authentication if it’s not already in place, and brief the staff member involved on what was exposed. None of these steps are complex, but they only work if someone has told you the credential is out there. Without monitoring, the alert tends to come from a bank, a customer, or a regulator, by which point options have narrowed considerably. Credential monitoring works best as one layer in a defence-in-depth approach, sitting alongside managed anti-virus, patching discipline, and staff awareness.
The pattern across recent UK incidents is consistent. The intrusion that surfaces in headlines began, weeks or months earlier, as a line on a forum no one was watching. Knowing what’s already been exposed is one of the few defensive moves that doesn’t rely on guessing what an attacker will do next.
4TC’s Dark Web ID monitoring watches the darkest corners of the web so you don’t have to. Speak to the team today to find out if your credentials are already exposed.
On 24 November 2025, IT systems across three central London boroughs went dark.
The Royal Borough of Kensington and Chelsea, Westminster City Council, and the London Borough of Hammersmith and Fulham were all taken offline in what investigators treated as a coordinated cyber incident, with the National Crime Agency, the Metropolitan Police, and the National Cyber Security Centre all subsequently involved. Kensington and Chelsea later confirmed that attackers had copied and exfiltrated historical data from its systems. The three councils share parts of their IT infrastructure, and that shared architecture is precisely what made a single compromise so consequential.
For London businesses, a cyber attack on this scale should make you think: if three neighbouring councils sharing IT can be brought down by a single compromise, what would a similar event do to your operation?
The logic of shared IT services is sound on paper. Pooling resources across organisations reduces costs, avoids duplication, and often improves the quality of systems that no single entity could afford alone. Plenty of other organisations, from NHS trusts to private businesses, operate on the same principle, and so do most SMEs, albeit in a different form. Whether you rely on a cloud platform, a managed IT provider, or a suite of SaaS tools, your digital environment is connected to other organisations’ environments in ways that are not always visible.
The councils’ experience illustrates what happens when a shared system is compromised at a point that sits upstream of multiple tenants. One vulnerability, one set of stolen credentials, one unpatched entry point, and the blast radius extends to every organisation drawing on the same infrastructure. Hammersmith and Fulham had its public-facing services suspended even though investigators found no direct evidence its own systems had been breached. Proximity to a shared service was enough to force significant disruption.
The lesson isn’t that shared services are inherently unsafe, but that the junctions where dependencies converge need proportionate security controls. If you don’t know where those junctions sit in your own environment, you can’t defend them.
The UK Government’s Cyber Security Breaches Survey 2025 found that 43% of UK businesses experienced a cyber security breach or attack in the preceding year. For large businesses the figure was considerably higher, at 74%. IT security in London has historically been framed as an enterprise concern, but the economics of automated attack tooling have closed that gap. Those tools probe for weaknesses across thousands of targets simultaneously, and a small business using the same cloud platform or managed service as a larger target can find itself caught in the same sweep.
Most London SMEs are, in practice, running a version of the shared-services model: cloud-hosted email, third-party CRM, outsourced IT support, and shared accounting platforms. Every one of those connections is a potential entry point. The council’s incident is unusual in scale, but the underlying mechanics are not: one compromised account, one exploited system, cascading disruption. The same pattern plays out against businesses of every size.
Organisations that contain these incidents quickly almost always have one thing in common: visibility before the attack gets underway, rather than defences only at the point of impact.
A common misconception is that cyber incidents begin the moment attackers enter a network. Instead, they begin weeks or months earlier, when credentials are stolen, traded, and eventually used. According to IBM’s 2024 Cost of a Data Breach Report, breaches involving compromised credentials took the longest of any attack vector to identify and contain, at nearly ten months. That is a significant window during which stolen credentials may be circulating on dark web forums before anyone inside the affected organisation is aware.
The attack on the councils almost certainly followed a similar pattern. Ransomware and data exfiltration events of this scale do not typically happen spontaneously. Attackers gather information, test access, and move deliberately. The starting point is almost always stolen credentials: an employee’s login, a service account password, or an email address paired with a reused password from an older breach.
Dark web monitoring addresses that gap. Rather than waiting for a breach to become visible inside your own systems, it scans the forums, marketplaces, and encrypted channels where stolen credentials are bought and sold and raises an alert when your organisation’s data appears. The window between a credential being stolen and it being used is often the only opportunity to invalidate it before it causes damage. Most London businesses are not watching that window at all.
4TC’s Digital ID service monitors the dark web continuously for email credentials and other company data associated with your domain. If your team’s logins surface in a breach dump or credential marketplace, you will know about it before an attacker uses them to gain access to your systems. It complements broader security measures such as managed anti-virus, fully managed IT support, and cloud backup.
The attack on the councils made headlines because it hit recognisable names in a concentrated area. The same dynamics are at work across businesses of every size: shared dependencies, credential-based entry points, and long detection windows that give attackers time to move. The councils had the NCA, NCSC, and specialist incident responders from NCC Group called in. Most SMEs do not have that infrastructure to fall back on.
Business continuity in a cyber attack scenario often comes down to how quickly the first indicators are spotted. Credentials circulating on the dark web are one of the earliest. The more practical response is to reduce the window in which an attacker can operate undetected, and that starts with knowing whether your credentials are already out there.
Find out how 4TC’s dark web monitoring can give your business an early warning against credential theft. Get in touch with the team today.

Most businesses in Bishop’s Stortford would not describe their IT approach as reactive. They have someone to call when things go wrong; they get problems fixed, and most of the time, things work.
The difficulty is that ‘most of the time’ is doing a lot of work in that sentence, and the costs of the gaps rarely appear on a single line of any invoice. But proactive IT support changes the game.
Reactive IT support, often called break-fix, operates on a simple principle: something stops working, and someone fixes it. There is no ongoing monitoring, scheduled maintenance, or structured approach to security.
For Bishop’s Stortford businesses, this can feel reasonable when IT needs are modest. The problem is that IT environments grow more complex over time, and complexity without oversight accumulates risk quietly in the background.
The most visible cost of reactive IT support is downtime, but the full picture is harder to see.
Emergency call-out rates carry a premium, staff lose hours waiting for fixes, and in some cases data cannot be fully recovered. The indirect costs, such as missed deadlines, delayed client communications, and lost productivity, rarely appear on a single invoice.
Cyber security costs are less visible still. Without active IT management, Bishop’s Stortford businesses are left with:
Recent data reveals that 71% of UK organisations experienced a cyber-attack in the past year, with the average annual SME losses from poor cyber security reaching £3.4 billion.
The shift towards proactive IT support comes down to a simple calculation: unplanned problems cost more than planned prevention. Proactive IT management treats your systems as something to be maintained continuously, rather than only being attended to when they break.
For Bishop’s Stortford businesses operating in competitive markets, where client expectations are high and margins are tight, that kind of operational resilience is increasingly the baseline rather than a premium.
A well-structured proactive IT arrangement covers several areas that reactive support leaves unaddressed:
When these are taken together, they represent the difference between an IT environment that is under control and one that is accumulating risk quietly in the background.
The most immediate benefit of proactive IT support is a reduction in unplanned downtime. Fewer failures mean fewer interruptions and fewer emergency call-outs, and for a small team in Bishop’s Stortford, even a single avoided outage can justify the investment.
Over time, the advantages extend further. Businesses with managed IT support typically see:
A proactive managed IT partner helps Bishop’s Stortford businesses make informed decisions about their technology rather than responding to problems as they surface.
At 4TC Services, we provide managed IT support to businesses across Bishop’s Stortford and Hertfordshire, covering monitoring, security, backup management, and structured IT reviews as part of an ongoing relationship rather than a series of one-off fixes.
If your current IT support feels more reactive than it should, get in touch with the team for a straightforward conversation about what a different approach might look like.


Email: support@4tc.co.uk
Tel: 020 7250 3840
5th Floor, 167‑169 Great Portland Street
London
W1W 5PF
Thremhall Park
Start Hill
Bishops Stortford
CM22 7WE

