Back to News
IT Support

Scattered Spider Conviction — 22 June 2026: The £29m TfL Breach Playbook Every UK SME Must Study Before the Next Attack

CloudSwitched Team28 June 2026
Scattered Spider Conviction — 22 June 2026: The £29m TfL Breach Playbook Every UK SME Must Study Before the Next Attack

On 22 June 2026, two British teenagers stood in the dock at Woolwich Crown Court and pleaded guilty to one of the most disruptive cyber attacks ever carried out against a UK public body. Thalha Jubair, 20, of East London, and Owen Flowers, 18, of Walsall, admitted their roles in the Scattered Spider attack on Transport for London — an intrusion that ran from 31 August to 3 September 2024, cost TfL an estimated £29 million in losses and recovery, exposed the data of around 5,000 customers, and forced all 28,000 TfL employees to physically attend an office to have their passwords reset by hand. There were no zero-day exploits. There was no nation-state malware. The attackers talked their way in.

That last point is the one every UK SME leader needs to absorb today. The Scattered Spider playbook — voice phishing calls to the IT service desk, multi-factor authentication fatigue bombing, and SIM-swapping to defeat phone-based verification — is not exotic. It does not require state-level resources. It is a method any reasonably organised criminal can replicate against any service desk, including yours. The same collective has been linked to the 2025 attacks on Marks & Spencer and the Co-op, and Jubair separately faces United States charges spanning more than 120 intrusions across 47 US entities, with over $115 million in ransom payments alleged. Sentencing in the UK is set for 16 July 2026. This article breaks down exactly how the TfL breach worked, why your IT support function is the front line, and the practical 10-step programme to harden your service desk before the social-engineering wave reaches you.

£29m
Estimated cost of the TfL breach in losses and recovery
28,000
TfL staff forced to attend an office in person for a password reset
120+
Intrusions linked to Jubair in the parallel US indictment
16 Jul 2026
Sentencing date at Woolwich Crown Court

What Actually Happened at Transport for London

The TfL attack began on 31 August 2024. Over the following three days, the Scattered Spider operators worked their way into TfL’s identity systems — centred on Microsoft Entra ID, the cloud identity platform formerly known as Azure Active Directory — and gained access to internal systems holding both employee and customer information. The National Crime Agency, which led the UK investigation, has confirmed that the breach exposed the data of approximately 5,000 customers, including in some cases bank account details associated with Oyster card refunds. TfL took multiple customer-facing services offline as a containment measure, and the disruption to internal systems rippled across the organisation for weeks.

The detail that has drawn the most attention from security professionals is the password reset. Because the attackers had compromised TfL’s identity layer, the organisation could not trust its remote verification processes. The only way to be certain that a password was being reset by the genuine employee — and not by an attacker impersonating them — was to verify identity in person. So TfL required all 28,000 staff to physically attend an office, present identification, and reset their credentials face to face. This is the operational nightmare scenario that every identity compromise threatens: when you can no longer trust who is on the other end of a phone call or a chat message, the cost of re-establishing trust is enormous.

Crucially, the entry method was not technical wizardry. Scattered Spider is known for and built its reputation on social engineering — manipulating people rather than breaking software. The group’s signature techniques are voice phishing (“vishing”) calls to corporate IT help desks, in which an operator impersonates an employee and persuades a support agent to reset a password or register a new MFA device; MFA fatigue or “prompt bombing”, where the attacker triggers a flood of push notifications until the target approves one out of irritation or confusion; and SIM-swapping, where the attacker convinces a mobile carrier to port a victim’s number to a new SIM, defeating SMS-based authentication. None of these require a software vulnerability. They require a convincing story and a service desk that is not trained or empowered to say no.

Why this is a direct threat to your business, not just to TfL

It is tempting to read a £29 million breach of a 28,000-employee transport authority and conclude it has nothing to do with a 40-person professional services firm. That is precisely the wrong lesson. The Scattered Spider method scales down far more easily than it scales up. A small business service desk — whether an internal one-person IT role or an outsourced helpdesk — is often more vulnerable than a large enterprise’s, because it has fewer documented verification procedures, less formal authority to refuse an urgent-sounding request, and a stronger cultural pressure to be helpful. The attackers do not need your business to be large or famous. They need one support interaction where a plausible voice on the phone is granted a password reset or a new authenticator without rigorous identity proofing. The convictions on 22 June 2026 confirm that this is a proven, repeatable, prosecutable crime — and that the people committing it can be teenagers using nothing more than a phone and a script.

The Timeline: From Attack to Conviction

31 August 2024 — Intrusion begins
Scattered Spider operators gain initial access to Transport for London’s environment through social engineering, ultimately reaching the Microsoft Entra ID identity layer that underpins staff authentication.
1–3 September 2024 — Escalation and containment
The attackers move through internal systems while TfL detects the activity and begins containment, taking customer-facing services offline. Around 5,000 customers’ data, including some bank details tied to Oyster refunds, is exposed.
September 2024 — The 28,000-staff password reset
Unable to trust remote verification after the identity compromise, TfL requires every one of its 28,000 employees to attend an office in person to reset credentials and re-establish trusted authentication.
2025 — M&S and Co-op attacks linked to the same group
Scattered Spider is connected to the high-profile attacks on Marks & Spencer and the Co-op, both of which caused significant operational disruption to UK retail and reinforced the group’s focus on identity and service-desk compromise.
September 2024 onward — NCA investigation and arrests
The National Crime Agency pursues suspects in connection with the TfL attack as the investigation progresses, working alongside international partners including US law enforcement.
22 June 2026 — Guilty pleas at Woolwich Crown Court
Thalha Jubair, 20, of East London, and Owen Flowers, 18, of Walsall, plead guilty to offences relating to the TfL hack. Jubair separately faces US charges covering 120+ intrusions across 47 entities with over $115m in ransoms alleged.
28 June 2026 — Today’s position
UK businesses now have a fully documented, court-confirmed case study in social-engineering attack. The method is public, the technique is proven, and the lesson for every IT support function is unambiguous: identity verification at the service desk is the new perimeter.
16 July 2026 — Sentencing
Both defendants are due to be sentenced at Woolwich Crown Court, marking one of the first major UK criminal outcomes against the Scattered Spider collective and a reference point for the seriousness with which these offences are now treated.

The Scattered Spider Attack Surface, Ranked

Service-desk vishing (impersonation phone calls)
Primary vector
MFA fatigue / prompt bombing
High
SIM-swapping to defeat SMS codes
High
Phishing portals harvesting credentials
Moderate
Entra ID / cloud identity token theft
Moderate
Help-desk new-device MFA registration abuse
Moderate
Zero-day software exploits
Not used

The bar chart above ranks the techniques that define a Scattered Spider-style operation by how central they are to the method — and it makes the single most important point of this entire article visible at a glance. The bottom bar, zero-day software exploits, sits at almost nothing. The top bars, all of which centre on manipulating human beings and identity processes, dominate. This is the inversion that catches so many businesses out. Most SME cyber security spending goes towards technical controls — firewalls, antivirus, patching — that defend against the bottom of this chart. The actual attack comes from the top. A firewall does not stop a help-desk agent from resetting a password for a convincing caller. Antivirus does not stop an employee approving an MFA prompt they did not initiate. The defences that matter against this threat are procedural, human and identity-centric.

How Much of This Risk Is Human, Not Technical

90%
Share of the Scattered Spider TfL playbook that relied on social engineering and identity abuse rather than software exploitation

The TfL breach contained essentially no traditional hacking in the sense most people imagine it. There was no clever exploit of an unpatched server, no buffer overflow, no malware payload smuggled past defences. The overwhelming majority of the attack chain — reconnaissance, initial access, privilege escalation through the identity layer, and the maintenance of access — depended on persuading people and abusing legitimate identity and authentication processes. That is why we represent the playbook as roughly nine-tenths human and identity-driven. For a UK SME, this proportion should reshape where attention and budget are directed. If 90 per cent of the threat is social and procedural, then a defence strategy that is 90 per cent technical is fundamentally mismatched to the risk.

This does not mean technical controls are irrelevant — far from it. Strong, phishing-resistant multi-factor authentication, conditional access policies in Entra ID, privileged access management and rapid patching all make the attacker’s job harder and reduce the blast radius if they do get in. But these controls only deliver their value when they sit on top of a service desk that follows rigorous identity-verification procedures and a workforce that has been trained to recognise and resist manipulation. The technology and the human process are complementary. The TfL case shows what happens when world-class scale meets a process gap at the help desk: the technology cannot save you on its own.

The Service-Desk Social-Engineering Scorecard

Where most UK SME IT support functions are exposed today
Documented identity-verification script for password resets High risk — rarely formalised in SMEs
Authority for agents to refuse or escalate urgent requests High risk — culture favours being helpful
Phishing-resistant MFA (FIDO2 / passkeys) deployed High risk — most still use push or SMS
MFA fatigue protections (number matching, limits) Mid — available but often not enforced
Controls on new-device MFA registration via the help desk High risk — a known Scattered Spider entry point
SIM-swap resilience (no SMS as primary factor) Mid — SMS still widely relied upon
Conditional access policies in Entra ID Mid — licensed but under-configured
Staff trained on vishing and impersonation scenarios High risk — training focuses on email phishing

The scorecard reflects a consistent pattern we see across UK SMEs: the controls that defend against email-based attacks have matured, but the controls that defend against the voice-based, identity-centric attacks that define Scattered Spider have not. Most businesses now run email phishing simulations and have spam filtering in place. Far fewer have a written, rehearsed identity-verification procedure that a help-desk agent must follow before resetting a password or registering a new authenticator — and even fewer have explicitly given their agents the authority and the cultural backing to refuse a request that does not pass verification, no matter how senior or urgent the caller claims to be.

The Cost of a Service-Desk Compromise by Business Size

Business size Typical service-desk model Primary exposure Indicative incident impact
Micro (1–9 employees) Owner or one staff member handles IT informally No verification process at all; resets done on trust Account takeover, fraudulent payments, email compromise
Small (10–49 employees) Part-time IT or outsourced helpdesk, few documented procedures Inconsistent identity proofing under time pressure £4,000–£25,000 plus days of disruption
Medium (50–249 employees) Internal helpdesk or managed service provider New-device MFA registration and reset abuse £25,000–£250,000 plus regulatory exposure
Large (250+ employees) Tiered service desk, formal but high-volume Scale makes one weak interaction statistically likely Six to seven figures; mandatory ICO reporting
TfL (public sector benchmark) Large enterprise identity estate (Entra ID) Identity layer compromise via social engineering £29,000,000 and a 28,000-person manual reset

The indicative figures here are deliberately framed as ranges rather than precise predictions, because the true cost of a service-desk compromise depends heavily on what the attacker reaches once inside. The pattern across business sizes, however, is consistent: the smaller the business, the less formal the verification process, and the more the entire defence rests on a single individual’s judgement in the moment. That is not a criticism of small-business IT staff — it is a structural reality. A micro business cannot run a tiered service desk with separation of duties. What it can do is adopt a simple, written verification procedure and use phishing-resistant authentication so that even a successful impersonation has fewer places to go. The TfL row anchors the table: even an organisation with enterprise-grade identity tooling was brought to a 28,000-person manual reset because the human process at the front line was the weak point.

Reactive vs Proactive: Two Service-Desk Postures

Reactive posture

What most UK SMEs operate today

  • Password resets granted on a recognised voice or a plausible story
  • No written identity-verification script for support agents
  • SMS or push MFA accepted as sufficient everywhere
  • New-device MFA registration handled informally on request
  • MFA prompt bombing not detected or rate-limited
  • Staff trained to spot phishing emails, not phone impersonation
  • Conditional access policies unconfigured or in report-only mode
  • No tested runbook for an identity compromise

Proactive posture

Where managed IT support takes you

  • Mandatory multi-point identity verification before any reset
  • Documented, rehearsed help-desk verification script
  • Phishing-resistant MFA (FIDO2 passkeys) for privileged accounts
  • Strict, audited process for registering new authenticators
  • Number matching and request limits to defeat prompt bombing
  • Vishing and impersonation built into security awareness training
  • Conditional access enforced: device, location, risk-based
  • Tested incident runbook with NCSC and ICO escalation paths

The 10-Step Service-Desk Hardening Plan for UK SMEs

Step 1 — Map your identity estate: every account, every privileged role, every place a credential or MFA device can be reset
Week 1
Step 2 — Write a service-desk identity-verification script: define the multi-point checks required before any reset or device registration
Week 1–2
Step 3 — Empower agents to refuse: give explicit authority and management backing to decline or escalate any request that fails verification
Week 2
Step 4 — Deploy phishing-resistant MFA: roll out FIDO2 security keys or passkeys for all administrative and remote-access accounts first
Week 2–4
Step 5 — Lock down new-device registration: require in-person or strongly verified approval before any new authenticator is added
Week 3–4
Step 6 — Defeat prompt bombing: enable number matching, cap MFA requests, and alert on repeated denied prompts
Week 4
Step 7 — Remove SMS as a primary factor: eliminate SIM-swap exposure by retiring text-message codes for anything sensitive
Week 4–5
Step 8 — Configure conditional access: enforce device compliance, trusted locations and risk-based sign-in policies in Entra ID
Week 5–6
Step 9 — Train against vishing: run impersonation and phone-based social-engineering scenarios, not just email phishing simulations
Week 6–7
Step 10 — Build and test an identity-compromise runbook: define containment, mass-reset and escalation steps to NCSC and the ICO
Week 7–8
33%
Typical SME service-desk readiness against social engineering before a structured hardening programme
The single highest-value change you can make this week

If you do only one thing in response to the Scattered Spider convictions, write down your service-desk identity-verification procedure and brief everyone who handles support requests on it. It costs nothing and closes the exact gap that the TfL attackers exploited. A workable starting procedure: never reset a password or register a new MFA device on the strength of a phone call alone; require verification through a second, independent channel — a call back to the number held in your HR system, confirmation from the user’s line manager, or an in-person check; and treat any “urgent” pressure, any request to bypass the normal process, and any attempt to rush the agent as a red flag rather than a reason to hurry. The attackers rely on helpfulness and urgency. A written procedure replaces both with discipline. Pairing this with phishing-resistant MFA on privileged accounts gives even a small business a posture that would have stopped the TfL intrusion at the door.

At-a-Glance: Key Facts for UK Business Leaders

Topic Key figure or fact Source
TfL breach window 31 August – 3 September 2024 NCA / NCSC
Estimated total cost to TfL £29 million in losses and recovery NCA, June 2026
Staff forced into in-person password resets All 28,000 TfL employees NCA / NCSC
Customers whose data was exposed Approximately 5,000, some with bank details NCA
Defendant 1 Thalha Jubair, 20, East London Woolwich Crown Court, 22 June 2026
Defendant 2 Owen Flowers, 18, Walsall Woolwich Crown Court, 22 June 2026
US charges against Jubair 120+ intrusions, 47 US entities, $115m+ in ransoms US Department of Justice indictment
Other UK attacks linked to the group Marks & Spencer and the Co-op (2025) Public reporting / NCSC
Primary attack technique Service-desk vishing and MFA abuse — no zero-days NCSC social-engineering guidance
Identity platform compromised Microsoft Entra ID Incident analysis
Sentencing date 16 July 2026, Woolwich Crown Court UK courts
Relevant Cyber Essentials v3.3 controls Access control, MFA, patch management NCSC / IASME

Why Your IT Support Function Is the Front Line

The traditional mental model of cyber security places the perimeter at the firewall: the boundary between your network and the internet. The Scattered Spider convictions confirm what security professionals have argued for several years — that the real perimeter has moved to identity, and the gate to identity is the service desk. Every time a support agent resets a password, registers a new authenticator, or unlocks an account, they are making an identity decision that, if wrong, hands an attacker the keys. This is not a peripheral administrative task. It is the most security-critical interaction your business has, and it happens dozens of times a week in many organisations with almost no scrutiny.

For UK SMEs, the implication is that IT support cannot be treated as a purely operational, cost-to-be-minimised function. A help desk that exists only to get users working again as quickly as possible, with no countervailing discipline around identity verification, is optimised for exactly the behaviour the attackers exploit. A managed IT support function that builds verification, phishing-resistant MFA, conditional access and social-engineering awareness into its standard operating procedures turns the same interactions into a defensive asset. The difference between the two is not primarily about budget — many of the controls are configuration and process changes within tooling businesses already own, such as Microsoft 365 and Entra ID. The difference is about whether security is designed into the support process from the start.

This is also where the alignment with the Cyber Essentials scheme matters. The five Cyber Essentials controls — firewalls, secure configuration, access control, malware protection and patch management — include access control and the multi-factor authentication requirements that were tightened in recent versions of the scheme. A business pursuing Cyber Essentials, particularly Cyber Essentials Plus with its hands-on technical audit, is forced to confront exactly the identity and access weaknesses that the TfL attack exploited. The social-engineering hardening described in this article and the Cyber Essentials baseline are two views of the same underlying discipline. Treating them as one programme — supported by a managed IT partner who runs the day-to-day service desk and the certification work together — is the most efficient route to closing the gap.

Readers following this series will find directly relevant context in our analysis of the Five Eyes AI cyber warning and the Cyber Essentials action plan, which set out the strategic backdrop to this case; the breakdown of the May 2026 Patch Tuesday Windows Netlogon and DNS fixes, which underline why rapid patching complements identity controls; the Secure Boot certificate expiry and Windows deployment planning; and the WordPress mass-takeover web-stack audit plan. Together they describe the layered posture — identity, patching, configuration and process — that a resilient UK SME needs in mid-2026.

Is your service desk ready for a Scattered Spider-style call?

Cloudswitched managed IT support builds identity verification, phishing-resistant MFA, conditional access and social-engineering awareness into the way your help desk operates every day — turning your support function from the soft target into the front-line defence. Proactive monitoring, a dedicated account manager and defined SLAs come as standard.

Talk to us about Managed IT Support

Frequently Asked Questions

What is Scattered Spider, and why does the TfL case matter to a small business?
Scattered Spider is a loosely organised cybercriminal collective known for breaching large organisations through social engineering rather than technical exploits. Its members — including the two teenagers who pleaded guilty to the TfL attack at Woolwich Crown Court on 22 June 2026 — typically call corporate IT help desks, impersonate employees, and persuade support staff to reset passwords or register new multi-factor authentication devices. The TfL case matters to small businesses because the method requires no special tools or insider access. It works against any service desk that will act on a convincing phone call. A 40-person firm with an informal, trust-based support process is arguably more exposed than a large enterprise, because it has fewer documented verification steps and a stronger instinct to be helpful under pressure.
How did the attackers get into TfL without using any software vulnerabilities?
The TfL intrusion relied on manipulating people and abusing legitimate identity processes rather than exploiting software flaws. The hallmark techniques of this kind of attack are voice phishing — phoning the service desk while impersonating a real employee to obtain a password reset or a new authenticator registration; MFA fatigue, where the attacker bombards a target with authentication prompts until one is approved; and SIM-swapping, where a mobile number is fraudulently ported to defeat SMS-based codes. Once the attackers had valid credentials and a registered authentication device, they could log in as a genuine user and move through the environment, ultimately reaching the Microsoft Entra ID identity layer. From the systems’ point of view, the activity looked like a legitimate user signing in, which is precisely what makes social engineering so dangerous.
Why did TfL have to bring 28,000 staff into offices to reset passwords?
When an attacker compromises the identity layer that controls authentication, the organisation can no longer trust its own remote verification processes. If an attacker can impersonate employees convincingly enough to obtain credentials in the first place, then any remote password reset risks simply handing control back to the attacker. The only way to be certain a reset is being performed by the genuine person is to verify their identity in person. That is why TfL required all 28,000 employees to physically attend an office, present identification, and reset their credentials face to face. It is an extreme, expensive measure, and it illustrates the true cost of an identity compromise: re-establishing trust at scale is enormously disruptive. For an SME, the lesson is to prevent the compromise in the first place, because the recovery is always more painful than the prevention.
What is the single most important defence against this kind of attack?
A documented, mandatory identity-verification procedure at the service desk, backed by phishing-resistant multi-factor authentication. The procedure should require that no password reset or new MFA device registration is ever performed on the basis of a phone call alone. Verification should come through a second independent channel — a call back to a number held in your HR records, confirmation from the user’s line manager, or an in-person check. Support agents must be explicitly empowered to refuse or escalate any request that fails verification, regardless of how senior or urgent the caller claims to be. On top of that process, deploying FIDO2 security keys or passkeys for privileged accounts means that even a stolen password is not enough to gain access. These two measures — one procedural, one technical — directly counter the techniques used against TfL.
We use Microsoft 365 and Entra ID. Are we already protected?
Owning the platform is not the same as configuring it defensively. Microsoft 365 and Entra ID include powerful controls — conditional access, phishing-resistant authentication methods, number matching to counter prompt bombing, and tight controls on authenticator registration — but many of these are not enabled by default or are left in report-only mode. TfL itself operated an enterprise Entra ID estate and was still breached, because the weak point was the human process at the service desk, not the absence of tooling. The right approach is to treat your existing Microsoft licensing as a toolbox and work through which controls are actually switched on and correctly scoped: is conditional access enforcing device compliance and trusted locations; is SMS removed as a primary factor; is new-device registration restricted; are privileged accounts on passkeys. A managed IT partner can audit and configure these in tooling you already pay for.
What is MFA fatigue, and how do we stop it?
MFA fatigue, also called prompt bombing, is an attack in which a criminal who already has a user’s password triggers a stream of multi-factor authentication push notifications to the victim’s device. The aim is to wear the target down until they approve one prompt — out of irritation, confusion, or the assumption that it must be a glitch. It defeats the simplest form of push-based MFA. The defences are straightforward and available in most modern identity platforms: enable number matching, which requires the user to type a number shown on the login screen into their authenticator rather than just tapping “approve”; cap the number of prompts that can be issued in a short window; and alert on repeated denied or ignored prompts, which are a strong signal of an attack in progress. Moving privileged users to phishing-resistant methods such as passkeys removes the push prompt entirely.
How does this connect to Cyber Essentials?
The Cyber Essentials scheme, administered by IASME on behalf of the NCSC, includes access control and multi-factor authentication among its five technical controls, and these are exactly the areas the TfL attack exploited. Pursuing Cyber Essentials — particularly Cyber Essentials Plus, which includes a hands-on technical audit and external vulnerability scanning — forces a business to demonstrate that it has implemented strong access controls and MFA properly. The social-engineering hardening described in this article and the Cyber Essentials baseline are complementary: certification proves the technical controls are in place, while the service-desk verification process and staff training address the human element that certification alone does not fully cover. Treating them as a single programme, run by a managed IT partner who handles both the day-to-day support and the certification work, is the most efficient way to close the gap the TfL case exposed.
Should we be worried about SIM-swapping if we only use authenticator apps?
If you have genuinely eliminated SMS text-message codes as an authentication factor everywhere — including account recovery flows and any legacy systems — then SIM-swapping is far less of a threat to you, and that is the right goal. The risk is that SMS codes often linger in places businesses forget about: a recovery option on an email account, a fallback method on a banking portal, or an older line-of-business application. SIM-swapping works by tricking a mobile carrier into porting a victim’s number to a new SIM the attacker controls, after which any SMS code is delivered to the attacker. The defence is to audit every account and system for SMS-based factors and recovery options, retire them in favour of authenticator apps or, better, phishing-resistant passkeys, and confirm there is no forgotten back door where a text message still grants access.
Our IT support is outsourced. Does that make us safer or more exposed?
It depends entirely on how the outsourced service desk operates. A managed IT provider that builds identity verification, phishing-resistant MFA, conditional access and social-engineering awareness into its standard procedures makes you considerably safer, because those disciplines are applied consistently by trained staff who handle support as a security-critical function. A provider that simply prioritises fast ticket resolution with no documented verification steps may be no safer than an informal internal arrangement — and the Scattered Spider group has specifically targeted help desks, including outsourced ones, precisely because they handle identity decisions at volume. The right questions to ask any provider are: what is your identity-verification procedure before a password reset; how do you handle new-device MFA registration requests; are your agents empowered to refuse requests; and how do you train against voice-based social engineering, not just email phishing.
What should we do this week in response to the convictions?
Three actions are achievable for almost any SME within a week. First, write down your service-desk identity-verification procedure — the specific checks required before any password reset or MFA device registration — and brief everyone who handles support requests on it, including explicit authority to refuse requests that fail verification. Second, audit your authentication methods: identify every account and system still relying on SMS codes or simple push approval, prioritise privileged and remote-access accounts, and plan a move to number matching and phishing-resistant passkeys. Third, contact your IT provider or a managed IT partner to review your Entra ID conditional access configuration and your new-device registration controls. These three steps directly target the techniques used against TfL and form the foundation of the 10-step hardening programme set out above, which a managed partner can then take through to completion over the following weeks.

Turn your service desk from the target into the defence

The Scattered Spider convictions prove that social engineering against the IT support function is a real, repeatable and prosecutable threat to UK businesses of every size. Cloudswitched managed IT support hardens your service desk with documented identity verification, phishing-resistant MFA, conditional access and ongoing social-engineering training — and aligns it with your Cyber Essentials baseline. Predictable monthly cost, a dedicated account manager, and defined SLAs.

Talk to us about Managed IT Support
Tags:IT SupportCyber SecurityCyber Essentials
CloudSwitched

London-based managed IT services provider offering support, cloud solutions and cybersecurity for SMEs.

CloudSwitched Service

Managed IT Support

Proactive monitoring, helpdesk and on-site support for London businesses

Learn More

More News

EU Flags AWS and Azure as DMA Gatekeepers — 25 June 2026: What Every UK Business Running Cloud Needs to Do NowAzure

EU Flags AWS and Azure as DMA Gatekeepers — 25 June 2026: What Every UK Business Running Cloud Needs to Do Now

27 June 2026
Google Ads Enters the AI Era — Conversational Discovery, AI Mode and Gemini-Powered Campaigns: The UK SME Google Ads Playbook for Summer 2026Google Ads

Google Ads Enters the AI Era — Conversational Discovery, AI Mode and Gemini-Powered Campaigns: The UK SME Google Ads Playbook for Summer 2026

26 June 2026
EU AI Act Transparency Deadline — 2 August 2026: 38 Days for UK Businesses to Comply or Face €35 Million FinesAI

EU AI Act Transparency Deadline — 2 August 2026: 38 Days for UK Businesses to Comply or Face €35 Million Fines

25 June 2026

Technology Stack

Powered by industry-leading technologies including SolarWinds, Cloudflare, BitDefender, AWS, Microsoft Azure, and Cisco Meraki to deliver secure, scalable, and reliable IT solutions.

SolarWinds
Cloudflare
BitDefender
AWS
Hono
Opus
Office 365
Microsoft
Cisco Meraki
Microsoft Azure

Latest Articles

12
  • IT Support

How to Set Up IT for a New Business: A Complete Guide

12 Mar, 2026

Read more
1
  • IT Office Moves

Post-Move IT Support: What to Expect in the First Week

1 Feb, 2026

Read more
18
  • Internet & Connectivity

How to Set Up a 4G/5G Backup Internet Connection for Business

18 Mar, 2026

Read more

Newsletter sign up form - it's quick and easy

Enquiry Received!

Thank you for getting in touch. A member of our team will review your enquiry and get back to you within 24 hours.