They're Not 'Hacking' — They're Logging In: The Dangerous Myth Small Businesses Fall For
Podcast: The Small Business Cyber Security Guy | Cybersecurity for SMB & Startups
Published On: Fri Mar 06 2026

Description:

Imagine an attacker not as a hoodie-wearing wizard wrestling with your firewall, but as someone quietly slipping through an unlocked back door with keys they bought on the dark web. In this episode we sit down with Corrine Jefferson, a former government cyber professional who now helps UK small businesses understand how real attackers operate. Grounded in Palo Alto Networks Unit 42's Global Incident Response Report 2026, our conversation is built on more than 750 serious, real-world investigations from October 2024 to September 2025. Not theory. Not vendor marketing. Actual cases. The numbers are stark: identity weaknesses featured in nearly 90% of incidents, and 65% of all initial access was identity-driven.

We start by setting the scene: your people live in the browser. Outlook, payroll, Teams, your CRM, and a pile of SaaS tools. That ordinary click is the battleground. Attackers buy credentials, harvest session tokens, and exploit OAuth grants. Once they have a valid login, they blend into normal traffic and move silently. Corrine brings these statistics to life with vivid examples of reused passwords, push-MFA fatigue, shared admin accounts, and contractors who still have permanent access three years after leaving.

The stakes are immediate. Unit 42 found that the fastest quarter of intrusions reached data theft in just 72 minutes, down from 285 minutes the previous year. A simulated AI-assisted attack did it in 25 minutes. That means the journey from one careless click to your customer data being packaged for extortion can take less time than a cup of tea. This episode guides you away from romantic myths about firewalls and sophisticated exploits and toward the uncomfortable truth: most breaches are enabled by preventable exposure and excessive identity trust.
We walk through the failure modes that make small businesses attractive targets: recycled passwords, MFA that's easy to social-engineer, standing global admin accounts, and forgotten integrations that act like zombie doors. Corrine explains why these aren't technical puzzles for nation-states. They are human, operational, and fixable. She also lays out how attackers exploit browser-based OAuth flows and session cookies to live off long-lived access without ever triggering an alert.

This is not just a lecture. It is a plan. If you do one thing this quarter, make it identity. If you do one thing this week, do these three: deploy phishing-resistant MFA for admins and finance roles; remove or disable all ex-employee and contractor accounts across Microsoft 365, your VPN, and remote support tools; and cut standing admin rights while shortening session lifetimes on sensitive applications. By the end of the episode you will see the difference between spending on another perimeter box and actually locking the doors that matter. This is a call to action for small businesses: stop hoping you will not be targeted and start hardening the identities attackers are already using.

Three Actions You Can Take This Week

Action 1: Deploy Phishing-Resistant MFA

What: FIDO2 hardware security keys or passkeys. Not SMS codes. Not basic push notifications.

Where to start: Administrators, finance roles, and anyone with access to sensitive data or privileged systems.

Why it matters: Standard push-based MFA is vulnerable to adversary-in-the-middle attacks and push-bombing. FIDO2 provides phishing resistance, guessing resistance, and theft resistance.

NCSC guidance: FIDO2 is recommended by the NCSC as the strongest available MFA type for UK organisations. Hardware options include Authentrend keys; platform options include Windows Hello for Business and Apple Touch ID.
Action 2: Remove Zombie Access

What to audit and disable:
All accounts belonging to former employees
All accounts belonging to former contractors
Unused service accounts
Dormant OAuth integrations and app permissions

Where to look: Microsoft 365 Admin Centre, your VPN gateway, remote support tools, and any SaaS platform connected to your business.

Why it matters: Unit 42 found that 99% of 680,000 cloud identities had excessive permissions, many unused for 60 days or more. Each one is an unlocked back door.

How to find OAuth zombies: In Microsoft 365, go to Azure Active Directory > Enterprise Applications > All Applications. Sort by last sign-in date. Revoke anything unrecognised or unused.

Action 3: Eliminate Standing Admin Rights

What: Move from permanent administrator accounts to just-in-time (JIT) privilege elevation.

How:
Remove persistent administrator role grants
Require time-bound elevation through Microsoft Entra Privileged Identity Management or equivalent
Shorten session lifetimes on sensitive applications
Enable strong logging on all privilege escalation events

Why it matters: A compromised account with no standing privileges yields nothing. JIT elevation changes the attacker's calculation from "I have the keys" to "I have nothing."
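To make the Action 2 and Action 3 audits concrete, here is an added example (not code from the podcast or from Unit 42) that applies those checks to a constructed identity export. The record fields, the sample identities and the 6 March 2026 audit date are assumptions; the 60-day threshold is the Unit 42 figure quoted above.

```python
from datetime import date, timedelta

# Threshold from the Unit 42 figure quoted in the show notes: identities unused for 60+ days.
STALE_AFTER = timedelta(days=60)
REPORT_DATE = date(2026, 3, 6)  # audit date; constructed to match the episode's publication date

# Constructed sample export (not real tenant data). Field names are assumptions; in practice
# they would come from the Microsoft 365 admin centre, VPN, remote-support and SaaS exports.
SAMPLE_IDENTITIES = [
    {"id": "u-001", "kind": "user", "employment": "current", "last_sign_in": "2026-03-01",
     "roles": ["Global Administrator"], "elevation": "permanent"},
    {"id": "u-002", "kind": "user", "employment": "former contractor", "last_sign_in": "2023-02-10"},
    {"id": "u-003", "kind": "user", "employment": "current", "last_sign_in": "2026-03-05",
     "roles": ["Global Administrator"], "elevation": "jit"},
    {"id": "s-001", "kind": "service_account", "last_sign_in": "2025-12-01"},
    {"id": "s-002", "kind": "service_account", "last_sign_in": "2026-02-20"},
    {"id": "a-001", "kind": "oauth_app", "last_sign_in": None},  # granted but never used
    {"id": "a-002", "kind": "oauth_app", "last_sign_in": "2026-03-04"},
]

def is_stale(record, today):
    """True when the identity has never signed in or last did so more than STALE_AFTER ago."""
    raw = record.get("last_sign_in")
    if not raw:  # a never-used grant has no sign-in date at all; treat it as stale, not as an error
        return True
    return today - date.fromisoformat(raw) > STALE_AFTER

def find_zombie_access(records, today):
    """Apply the Action 2 and Action 3 checks; return (id, reason) pairs to act on."""
    findings = []
    for r in records:
        kind = r["kind"]
        if kind == "user" and r.get("employment", "").startswith("former"):
            findings.append((r["id"], f"{r['employment']} account still enabled: disable"))
        elif kind == "service_account" and is_stale(r, today):
            findings.append((r["id"], "service account unused 60+ days: disable"))
        elif kind == "oauth_app" and is_stale(r, today):
            findings.append((r["id"], "dormant OAuth app permission: revoke"))
        # Action 3: a permanently assigned admin role is standing privilege, however recently used
        if "Global Administrator" in r.get("roles", []) and r.get("elevation") == "permanent":
            findings.append((r["id"], "standing Global Administrator role: move to JIT elevation"))
    return findings

def run_audit(records=SAMPLE_IDENTITIES, today=REPORT_DATE):
    """Run the audit over the sample export; four of the seven records should be flagged."""
    return find_zombie_access(records, today)

if __name__ == "__main__":
    for ident, reason in run_audit():
        print(f"{ident}: {reason}")
```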
Sources and References

Palo Alto Networks Unit 42: Global Incident Response Report 2026 (Full Report)
Palo Alto Networks Unit 42: Global Incident Response Report 2026 (Executive Edition)
Palo Alto Networks Unit 42: Global IR Report 2026: Blog Summary
NCSC: Multi-Factor Authentication for Your Corporate Online Services
NCSC: Recommended Types of MFA
NCSC: Authentication Methods: Choosing the Right Type
NCSC: Cyber Essentials Scheme Overview
NCSC: Information for Small and Medium-Sized Organisations
FIDO Alliance: FIDO2: Web Authentication Standards
MITRE ATT&CK: T1219: Remote Access Tools (Referenced in Unit 42 C2 Data)

Disclaimer

This podcast provides general cybersecurity guidance based on publicly available research and industry best practices. It is not a substitute for professional security assessment or legal advice. Organisations should consult qualified security professionals and legal counsel to address their specific circumstances and regulatory requirements.

All statistics cited from the Unit 42 Global Incident Response Report 2026, published by Palo Alto Networks, covering incident response engagements between 1 October 2024 and 30 September 2025. NCSC guidance referenced is published by the UK National Cyber Security Centre. All URLs verified at time of publication.