Things we've learned running IT for SMEs.
Field notes, decision frames, and the occasional story. Written by the JMO|Partners founders, Jamie, Matthew, and Oliver.
Gemini, Claude, ChatGPT, Copilot: where each earns its seat cost in an SME
Twice a week somebody asks us which AI product to buy. Four serious AI products compete for SME budget in 2026, and each has a place where it earns its seat cost cleanly. How we think about the fit.
You don't write the code, but you carry the risk: SME supply chain attacks after TanStack
TanStack is the latest in a long pattern of software supply chain attacks. Most SMEs don't write code, but the SaaS they pay for, the websites their agency builds, and the browser extensions their team installs all do. The four places to look first, and why doing nothing is no longer a defensible posture.
What Mythos changes, and what it doesn't
Anthropic's Mythos Preview found thousands of zero-days in software the world runs on. Some of what gets said about it will reshape how SMEs run their estate. Some of it is marketing noise. The line between the two matters for how SMEs plan the next twelve months.
Two years of UniFi rollouts: what we'd keep and what we'd swap
Thirty-odd UniFi sites in two years. Some of it has aged brilliantly. Some of it we'd do differently if we started again tomorrow.
Cyber-insurance underwriting in 2026: what changed and what's coming next
The questionnaire used to be a formality. It isn't any more, and the next round of changes is already visible.
AI tooling for SMEs: where it's earning its keep, where it isn't
A year into AI showing up in every SME conversation, the pattern of what's actually paying back is clearer than the marketing suggests.
Cloud-first AD: where SME estates are actually landing in 2026
The "cloud-first" pitch has been around for a decade. The actual landing pattern for SMEs in 2026 is more specific, and more interesting, than the pitch ever was.
Web filtering in 2026: what to stop paying for
A surprising number of SMEs are still paying for web-filtering products that solve a problem they no longer have.
WiFi vs Ethernet for the modern office: a 2026 take
WiFi 6 and 7 changed the conversation. The conversation isn't the one most clients think it is.
Cyber-insurance questionnaires are asking about AI: what underwriters want to see
The 2026 renewal questionnaire has four AI-related sections that did not exist 18 months ago. What they ask, what a good answer looks like, and the three documents underwriters want to see.
What a 25-person AI rollout looks like, week by week
The honest answer for a 25-person SME is six working weeks. Discovery, policy, pilot, train, roll, review. The cadence, the cost shape, and what runs in parallel.
Email security in 2026: the four layers and where SMEs trip
Four layers of email security, where each one stops what, and where SMEs trip in 2026.
The cyber-insurance questionnaire that caught everyone by surprise
The renewal that arrived with twenty-eight questions and a fortnight to answer them.
Copilot pilot pattern: five users, three months, what to actually measure
Most Copilot pilots are not really pilots. They are software purchases that did not get used. The five-user, three-month pattern, the four numbers to track, and the decision conversation at the end.
Hallucination tolerance by workflow: where AI mistakes cost you nothing, where they cost £15,000
Every workflow has a tolerance for AI mistakes, and matching the workflow's tolerance to the model's reliability is the whole job. The four risk bands we use on every AI discovery call.
The post-pilot Copilot stall: why power users love it and the rest of the team isn't
Month three of the pilot is good. Month six is suspiciously quiet. The post-pilot stall is a behaviour-change problem masquerading as a tooling problem. The recovery pattern that works.
Building an SME prompt library that's actually used
A team six months into AI has built up working prompts. They live in chat histories, in heads, on notebooks. A prompt library turns individual knowledge into team knowledge. The shape that lands.
XDR rollout for a 50-seat SME: what changed and what didn't
A composite story about rolling XDR into a 50-seat SME, what it actually caught, and where the value showed up.
The AI acceptable-use policy nobody reads (and how to write one that does)
Most inherited AI policies are six pages long and have not been opened by anyone except the person who saved them to SharePoint. The five-section, two-page version that actually shapes behaviour.
Rogue access points, unlabelled clients, and the audit that couldn't be "complete"
A composite story about a network audit that surfaced more than the audit was asked to find, and what we did about the gap between scope and reality.
We'd rather find the rogue access point than not
A story about the unlabelled access point that nobody had ordered and nobody could explain.
Cyber Essentials Plus renewal: the prep-window calendar
A 90-day prep window for CE+ renewal that avoids the last-minute scramble.
When the wrong people write the spec: a story from a CCTV install
A story about who should be in the room when scope gets written.
When a client tells us not to test something
On the awkward conversation where the scope of a test shrinks for the wrong reasons.
Why we end up rebuilding networks we didn't design
A pattern we keep meeting, and what we'd do differently if we'd been the ones holding the cable.
Tenancy migration: the unknowns that surfaced in week three
A composite story about the things a tenancy migration never tells you up front, and the week we found most of them.
The four kinds of IT debt every SME carries
IT debt is the bill that arrives whenever the gap between what an estate runs and what it has documented has to be paid. The four places it builds up in an SME, the questions that surface it, and what the score means once you have it.
Meeting room tech that actually gets used: the four-question test
A four-question test for meeting room tech that gets used after the first month, not abandoned for a hotspot.
SharePoint archiving without losing what matters: a four-step plan
A four-step plan for SharePoint archiving that keeps what matters and lets go of what doesn't.
People-count: the system that had been counting differently the whole time
A composite story about a people-count brief, two existing systems, and the reconciliation conversation that should have happened on day one.
SSL renewals that don't surprise anyone: the five-touchpoint checklist
A five-touchpoint checklist for SSL renewals that surface early, not at 11pm on a Friday.
UPS refresh: when "still works" isn't the right question
When to refresh a UPS, why "still works" is the wrong test, and how to plan the swap without an outage.
The audit that's never really "finished"
Why the final page of an audit report is usually the start of the work, not the end.
From four supplier contracts to one: a unified-internet story
A composite story about a 90-seat office, four separate internet suppliers, and what consolidation actually got the client.
Hardware refresh cycles: a 3-5-7 year decision frame
A 3-5-7 year decision frame for laptops, servers, and infrastructure that makes refresh budgeting predictable.
Three projects we should have split into six
Why the things you find mid-project are the strongest argument for splitting it in two.
The handover meeting that wasn't: what we learned about turnover risk
The IT manager left on a Tuesday. Nobody told us about the renewals.