The Small Business Cyber Security Guy | Cybersecurity for SMB & Startups

The UK's leading small business cybersecurity podcast, helping SMEs protect against cyber threats without breaking the bank.

Join cybersecurity veterans Noel Bradford (CIO at Boutique Security First MSP) and Mauven MacLeod (ex-UK Government Cyber Analyst) as they translate enterprise-level security expertise into practical, affordable solutions for UK small businesses.

🎯 WHAT YOU'LL LEARN:
- Cyber Essentials certification guidance
- Protecting against ransomware & phishing attacks
- GDPR compliance for small businesses
- Supply chain & third-party security risks
- Cloud security & remote work protection
- Budget-friendly cybersecurity tools & strategies

🏆 PERFECT FOR:
- UK small business owners (5-50 employees)
- Startup founders & entrepreneurs
- SME managers responsible for IT security
- Professional services firms
- Anyone wanting practical cyber protection advice

Every episode delivers actionable cybersecurity advice that you can implement immediately, featuring real UK case studies.

Tonight’s episode opens in an empty studio, a fridge with two bottles of Prosecco and a conspicuously absent Noel — the perfect stage for a conversation that is equal parts wry and urgent. Three hosts trade jokes and a refill, but the real story soon emerges: many cyber disasters don’t begin with cinematic black‑hat brilliance. They begin with everyday confidence, with the quiet sentence, “We’ll revisit that next quarter.” We tell the story through small, human scenes: Davina from IT documenting a firewall hole and being ignored; a busy owner insisting the dashboards look fine; staff pasting customer notes into an AI co‑pilot because it saves time. Those moments feel ordinary, even sensible. But together they create an irresistible path for attackers — unpatched servers, excessive permissions, reused credentials, and shadow SaaS tools that no one thought to approve. The breach that looks sophisticated in a post‑incident writeup often starts with a password used in the wrong place, or a medium finding waved away until it can be chained with others. We push back against comforting myths: that a tool equals a process, that your business is too unique to be targeted, or that a theoretical finding can safely wait. Instead, we reframe humility as a security control — a practical habit of updating your view when evidence changes, surfacing awkward truths quickly, and learning without scapegoating. Psychological safety isn’t a workshop buzzword here; it’s the difference between catching a problem early and making headlines. The episode then moves into practical, bite‑size remedies you can use this week. Start by asking: What have we delayed because it’s inconvenient? Who has more access than they need? What unsanctioned tools or AI are people using? Where do people raise concerns, and what happens when they do? Make a stop‑doing list: pick one convenience‑led risk and fix or formalize it. Give staff a boring, reliable route to flag risks — a 10‑minute slot in an ops call, a simple shared list, or a no‑blame MSP review — and reward the person who brings bad news early. We finish with a quiet but powerful leadership practice: say out loud, “I might be wrong.” That sentence flips the dynamic. It turns performative certainty into honest curiosity, shrinks blast radius by encouraging early action, and makes resilience a habit rather than a purchase order. No giant security teams required — just cleaner permissions, timely patches, governed AI use, and the grit to listen when someone like Davina says, calmly, that something is off. By the end of the episode the mood is hopeful. The hosts have had their Prosecco, given practical checklists, and reminded listeners that strong organizations don’t sound the most certain — they admit uncertainty early, correct course quickly, and make space for truth before convenience becomes a liability.
Do small businesses really need another cyber security badge? In this episode, Noel Bradford, Mauven MacLeod and Graham Falkner dig into SMB 1001, a five-tier cyber security standard aimed at small and medium-sized businesses. They break down what the bronze, silver, gold, platinum and diamond levels actually mean, where the framework came from, and whether it has any real value for UK firms. The team also looks at how SMB 1001 compares with Cyber Essentials, Cyber Essentials Plus, IASME Cyber Assurance and ISO 27001. More importantly, they ask the question many business owners should be asking already. Do you need another logo for the website, or do you need security controls that actually work? Expect plain English, practical analysis, and a healthy level of scepticism about cyber theatre, vanity certifications and providers who still cannot get clients to the basics.

In this episode:
- What SMB 1001 is and who it is for
- How the five certification levels work
- Why it is not a replacement for Cyber Essentials in the UK
- Where it aligns with good practice and where it does not
- Which level is realistic for most UK SMEs
- Why good security matters more than collecting badges

Why listen? If you run a UK small business, buy IT support, fill in supplier questionnaires, or keep hearing about standards and certifications, this episode will help you cut through the noise. What should you actually focus on first? And what is just expensive reassurance dressed up as strategy?
Listen in as the Small Business Cybersecurity Guy rips through March 2026 Patch Tuesday like a mechanic with a torque wrench: blunt, precise, and impossible to ignore. This episode opens on a single, brutal premise — Windows updates are not a choose‑your‑own‑adventure. They are binary. You either deploy the cumulative payload or you leave every unpatched edge of your estate like a neon target for attackers. The stakes aren’t fireworks; they’re the slow, quiet escalation chains attackers use after a single phishing click. We trace the real playbook attackers follow: step one, land as an ordinary user; step two, chain an Elevation of Privilege. This month Microsoft shipped six EOP fixes — graphics, kernel twice, accessibility, SMB, and WinLogon — and slapped them with "exploitation more likely." In plain English, these are the exact plumbing pieces an intruder needs to turn a compromised laptop or RDS session into full environment control. You’ll hear why delaying the patch is an active, informed choice to leave those doors open. Then the narrative sharpens into a thriller: Copilot in Excel. A critical CVE that reads like a very small script with an outsized punch — a near‑zero‑click XSS‑style flaw that can make Copilot agent mode obediently hand over internal secrets. Picture your finance lead or CEO, spreadsheets and Copilot live, and a crafted workbook quietly acting as an insider. No macros, no drama — just a nudge that sends data where it shouldn’t. The episode makes the risk vivid and personal, not academic. We also unpack two more critical Office RCEs via the preview pane — the sort of everyday behavior (previewing mail, browsing SharePoint) that real people do all day. Microsoft says exploitation is less likely, but only if you’re patched. The episode forces you to confront the gap between marketing calm and the real-world tradeoffs IT teams make when budgets and reboot windows collide with executive convenience. 
Finally, the show gives you a short, brutal checklist — what to do this week if you run a small business or juggle multiple clients: verify actual build numbers, identify who has Copilot agent mode, sanity‑check DLP and egress for AI tools, and roll in third‑party updates like Acrobat alongside Office and Windows. It’s not a six‑month project; it’s triage and discipline. The narration is urgent but practical, a call to action delivered with the weary authority of someone who’s patched one too many servers at 2 a.m. Tune in for a tight, no‑fluff ride through what looks quiet on the surface but is dangerously loud under it — because the difference between a quiet month and a disaster is how long you choose to stay vulnerable. Hit the blog for scripts, guides, and the deeper dive promised at the end of the episode.
Imagine your website is a billboard: a shining Cyber Essentials badge promising security and trust. Now imagine a regulator, insurer or large customer asks one awkward question — and that glossy logo turns from an asset into potential evidence against you. In this episode we walk into that exact moment and refuse to let it be a surprise. Join Graham Falkner, Noel Bradford and our resident translator of tech, Lucy Harper, as they pull apart the new Cyber Essentials changes and stitch the pieces back together into something a small business can actually use. We start with the simple truth: the requirements document (V3.2, V3.3 and whatever comes next) is the standard you must meet, and the Willow and Danzel question sets are the forms you fill in when you buy certification. Get the wrong combination, or try to recycle last year’s answers, and assessors will fail you — quietly at first, then painfully when a tender or a claim comes along. From there we map the conflict: scope, cloud and asset management. V3.3 pulls the rug on the old ‘that’s someone else’s problem’ attitude — cloud services, BYOD devices that touch organisational data, and remote workers are in the frame. If your asset list is a half-dead spreadsheet and some post-it notes, you cannot honestly answer whether you are compliant. The drama here is avoidable, but only if you stop pretending the messy bits aren’t part of your estate. We decode the five controls — firewalls, secure configuration, security update management, user access control and malware protection — and translate them into Monday-morning tasks: lock down admin interfaces, remove default accounts, document inbound firewall rules, treat vendor configuration changes as security fixes, and make sure anti-malware actually blocks things rather than sitting in the tray. Authentication gets a starring role. V3.3 clarifies passwordless (hello FIDO2 and passkeys) and treats modern approaches as valid multi-factor methods.
SMS is grudgingly still acceptable, but it’s the floor, not the ceiling. If your tenant runs on Microsoft 365 or Google Workspace, we give concrete examples of what ‘good enough’ looks like for normal users and admins. We don’t stop at problems — we hand you a plan. Nail your scope and inventory; map assets to the five controls; enable MFA everywhere; clean up admin accounts; ensure critical vendor fixes are applied within the 14‑day window; and prepare evidence in a spreadsheet before you pay for the portal. Treat certification as a living process, not a sticker you won once. For the procrastinators, we lay out a rapid action plan: days 1–10 define scope and update your asset list; days 11–30 enable MFA, tidy accounts and prove you can hit 14‑day patches; days 31–60 tighten firewall rules, confirm anti-malware and run a dry self-assessment against Willow or Danzel depending on your purchase date. This episode is equal parts wake-up call and field guide — built for business owners who don’t have a security department but do have customers, contracts and reputations to protect. Listen for the practical checklist, the red flags that bite in tenders and post-breach enquiries, and the honest reassurance that Cyber Essentials will help you — if you stop gaming the edges and start being truthful about what you actually run. By the end you’ll either feel the pressure to act or you’ll be able to explain your scope in 30 seconds. Either way, we give you the first steps: patch your systems, turn on MFA, and stop pretending the cloud is somebody else’s problem.
Imagine an attacker not as a hoodie-wearing wizard wrestling with your firewall, but as someone quietly slipping through an unlocked back door with keys they bought on the dark web. In this episode we sit down with Corinne Jefferson, a former government cyber professional who now helps UK small businesses understand how real attackers operate. Grounded in Palo Alto Networks Unit 42's Global Incident Response Report 2026, our conversation is built on more than 750 serious, real-world investigations from October 2024 to September 2025. Not theory. Not vendor marketing. Actual cases. The numbers are stark: identity weaknesses featured in nearly 90% of incidents, and 65% of all initial access was identity-driven. We start by setting the scene: your people live in the browser. Outlook, payroll, Teams, your CRM, and a pile of SaaS tools. That ordinary click is the battleground. Attackers buy credentials, harvest session tokens, and exploit OAuth grants. Once they have a valid login, they blend into normal traffic and move silently. Corinne brings these statistics to life with vivid examples of reused passwords, push-MFA fatigue, shared admin accounts, and contractors who still have permanent access three years after leaving. The stakes are immediate. Unit 42 found that the fastest quarter of intrusions reached data theft in just 72 minutes, down from 285 minutes the previous year. A simulated AI-assisted attack did it in 25 minutes. That means from one careless click to your customer data being packaged for extortion can happen faster than a cup of tea. This episode guides you away from romantic myths about firewalls and sophisticated exploits and toward the uncomfortable truth: most breaches are enabled by preventable exposure and excessive identity trust.
We walk through the failure modes that make small businesses attractive targets: recycled passwords, MFA that's easy to social-engineer, standing global admin accounts, and forgotten integrations that act like zombie doors. Corinne explains why these aren't technical puzzles for nation-states. They are human, operational, and fixable. She also lays out how attackers exploit browser-based OAuth flows and session cookies to live off long-lived access without ever triggering an alert. This is not just a lecture. It is a plan. If you do one thing this quarter, make it identity. If you do one thing this week, do these three: deploy phishing-resistant MFA for admins and finance roles; remove or disable all ex-employee and contractor accounts across Microsoft 365, your VPN, and remote support tools; and cut standing admin rights while shortening session lifetimes on sensitive applications. By the end of the episode you will see the difference between spending on another perimeter box and actually locking the doors that matter. This is a call to action for small businesses: stop hoping you will not be targeted and start hardening the identities attackers are already using.

Three Actions You Can Take This Week

Action 1: Deploy Phishing-Resistant MFA
What: FIDO2 hardware security keys or passkeys. Not SMS codes. Not basic push notifications.
Where to start: Administrators, finance roles, and anyone with access to sensitive data or privileged systems.
Why it matters: Standard push-based MFA is vulnerable to adversary-in-the-middle attacks and push-bombing. FIDO2 provides phishing resistance, guessing resistance, and theft resistance.
NCSC guidance: FIDO2 is recommended by the NCSC as the strongest available MFA type for UK organisations. Hardware options include Authentrend keys; platform options include Windows Hello for Business and Apple Touch ID.
Action 2: Remove Zombie Access
What to audit and disable:
- All accounts belonging to former employees
- All accounts belonging to former contractors
- Unused service accounts
- Dormant OAuth integrations and app permissions
Where to look: Microsoft 365 Admin Centre, your VPN gateway, remote support tools, and any SaaS platform connected to your business.
Why it matters: Unit 42 found that 99% of 680,000 cloud identities had excessive permissions, many unused for 60 days or more. Each one is an unlocked back door.
How to find OAuth zombies: In Microsoft 365, go to Azure Active Directory > Enterprise Applications > All Applications. Sort by last sign-in date. Revoke anything unrecognised or unused.

Action 3: Eliminate Standing Admin Rights
What: Move from permanent administrator accounts to just-in-time (JIT) privilege elevation.
How:
- Remove persistent administrator role grants
- Require time-bound elevation through Microsoft Entra Privileged Identity Management or equivalent
- Shorten session lifetimes on sensitive applications
- Enable strong logging on all privilege escalation events
Why it matters: A compromised account with no standing privileges yields nothing. JIT elevation changes the attacker's calculation from "I have the keys" to "I have nothing."
Sources and References
- Palo Alto Networks Unit 42: Global Incident Response Report 2026 (Full Report)
- Palo Alto Networks Unit 42: Global Incident Response Report 2026 (Executive Edition)
- Palo Alto Networks Unit 42: Global IR Report 2026: Blog Summary
- NCSC: Multi-Factor Authentication for Your Corporate Online Services
- NCSC: Recommended Types of MFA
- NCSC: Authentication Methods: Choosing the Right Type
- NCSC: Cyber Essentials Scheme Overview
- NCSC: Information for Small and Medium-Sized Organisations
- FIDO Alliance: FIDO2: Web Authentication Standards
- MITRE ATT&CK: T1219: Remote Access Tools (Referenced in Unit 42 C2 Data)

Disclaimer
This podcast provides general cybersecurity guidance based on publicly available research and industry best practices. It is not a substitute for professional security assessment or legal advice. Organisations should consult qualified security professionals and legal counsel to address their specific circumstances and regulatory requirements. All statistics cited from the Unit 42 Global Incident Response Report 2026, published by Palo Alto Networks, covering incident response engagements between 1 October 2024 and 30 September 2025. NCSC guidance referenced is published by the UK National Cyber Security Centre. All URLs verified at time of publication.
Picture yourself tapping your card at a bustling store, the till chirps, you walk away thinking that’s the end of the story. For millions of Currys customers, that ordinary moment in 2017 was the opening scene of a nearly decade-long drama that would ripple through courtrooms, regulator offices and countless inboxes. This episode unpeels that story — malware on thousands of point-of-sale terminals, 14 million people exposed, and a legal fight that turned a monumental failure into what worked out as roughly three and a half pence per person under the old law. We set the scene as a crime thriller: silent malware skimming payment data across 5,390 tills for nine months, basic security absent where it mattered most, and a regulator reaching for the only enforcement tool it had under an older statute. Then the plot thickens. DSG fights back, tribunals slice and dice the ICO’s case, and years of appeals stretch this into a slow-motion moral fable about who the system really protects. But this isn’t just legal theatre — it’s human fallout. We follow the people on the receiving end: anxious customers, stalled group claims, and a lone litigant whose attempt at compensation is bounced between courts and stays. By the time the Court of Appeal finally says the obvious — a retailer that can link card numbers to people must treat them as personal data — most victims are already out of time to sue. The episode shows how the machinery of justice can leave ordinary people stranded. Alongside the outrage, we pull apart the courtroom arguments that nearly let a multinational off the hook: the dangerous idea of judging identifiability from a hacker’s viewpoint, and the peril of treating data fragments as harmless. The Court of Appeal’s eventual clarity is legally important, but the delay exposes a chilling truth — if you’ve got deep pockets, you can litigate and wait out consequences while victims go uncompensated.
This is also a playbook episode for anyone who runs a small or mid-sized business. We translate the Court of Appeal’s ruling into a simple controller’s-eye test you can run on Monday morning: if you, as the organisation, can link data to a person, it’s personal and worth protecting. From that test we give concrete, low-cost actions: map your data, cut unnecessary access, name who watches your logs, patch and MFA the essentials, and keep a one-page accountability pack that proves you took reasonable steps. We don’t just point fingers — we hand you a route out. The Currys saga becomes the cautionary tale that makes the normal business case for basics suddenly urgent: monitoring that notices intrusions, access reviews that kill zombie accounts, and documentation that shows you’re not winging it. Do these things and you move from case study risk to trusted steward of customer data. Finally, the episode is a story of how law, business and people collide — a vivid reminder that prevention matters more than litigation, and that the protections for customers are only as strong as the choices organisations make before the breach. Tune in to feel the outrage, understand the legal twists, and walk away with practical steps to stop your business from becoming headline fodder nine years from now.
Picture this: you’re a minister in Europe and Washington quietly asks for a peek. Your emails, drafts and cabinet notes aren’t in a secret vault — they live on someone else’s servers. This episode opens on that impossible, very real moment and follows the ripple effects: threats of sanctions, a neutral Switzerland walking away from Palantir, and the uncomfortable truth that the UK handed that very company the keys to its health, defence and policing systems. We meet the players: Noel Bradford, the Small Business Cybersecurity Guy, who’s spent four decades turning tape backups into survival tactics; Corinne Jefferson, an ex-US intelligence officer who refuses to say “told you so”; Mauven MacLeod, the ex-UK government cyber analyst with biscuits and sarcasm; and Graham Falkner, whose voice narrates the creeping, bureaucratic apocalypse with unnerving charm. Together they pull the camera tight on Palantir — a firm born with CIA-connected funding, hardened in intelligence use, repackaged for civilian life — and show how its DNA matters for everyone from governments to your local charity. The episode walks you through the high-stakes decisions: Switzerland’s 2024 risk assessment that warned data could be reached by American authorities and that leaks from Palantir are architecturally unavoidable; the UK’s contrasting embrace of the same tools across the NHS, the MOD and border planning; and how this divergence should set off alarms for every organisation that has leaned on US SaaS as neutral plumbing. We translate the legal jargon into a human story. Think of the CLOUD Act like an American landlord who can be ordered to open a warehouse — even if your files are stored in London. Encryption doesn’t save you unless you control the keys. UK and EU data rules complicate the picture but don’t yet provide a clean escape.
That legal murk leaves businesses and charities sitting on unquantified exposures — not because they’re spies, but because convenience and market share created choke points that politics or courts can exploit. This isn’t fearmongering; it’s a practical wake-up call. Noel guides you through what to do next: a simple CLOUD Act exposure audit, naming your crown-jewel data, and deciding which systems deserve extra protection or customer-managed keys. The episode offers concrete, manageable steps — split sensitive fields, demand clear vendor answers, build exit plans — so your small firm isn’t left exposed if geopolitics changes the rules. By the end you’ll see the world differently: your email and CRM aren’t just tools, they’re legal and geopolitical choices. The narrative closes on an urgent but solvable note — map your dependencies, protect what matters, and start asking the awkward questions. The story lands as both a warning and a roadmap: serious, fixable, and essential for anyone who cares where their data really lives.
In this episode of Small Business Cybersecurity Guy, host Mauven MacLeod and guest Dr Corinne Jefferson (former US government intelligence analyst turned London-based consultant) unpack Google Threat Intelligence’s alarming report on the Defence Industrial Base (DIB) and explain exactly why it matters to small and medium-sized businesses. They move straight from the uncomfortable headline — Chinese state-linked hackers averaging 393 days of dwell time inside victim networks — to practical implications for 50–80 person companies across manufacturing, logistics, and software supply chains. Topics covered include clear definitions (APT, UNC), the distinction between edge devices and endpoints, why firewalls and VPN appliances are attractive, under-monitored targets, and why EDR often misses the real entry points. They discuss documented campaigns (UNC3886, UNC5221/BRICKSTORM) and how multiple zero-day exploits against edge vendors have been used to gain long-term access and persistence. The episode also examines other nation-state tradecraft: Russian actors targeting messaging apps and device-linking features, North Korean operatives obtaining remote jobs inside companies, and sophisticated recruitment-themed phishing using AI-generated reconnaissance. Mauven and Dr Jefferson highlight how attackers map supply chains professionally — meaning you can be a target even if you don’t self-identify as a defence contractor — and how ransomware and dual-use manufacturing create huge blast radii that can stop production and bankrupt small firms. Most importantly, the hosts give a pragmatic, non-bankrupting 90-day plan for SMEs: an immediate “Edge Reality Check” to interrogate MSP visibility on VPNs/firewalls, a short-term segmentation win to reduce blast radius, and phased rollout of phishing-resistant MFA for key admin and finance accounts.
They offer exact questions to ask your MSP, the metrics and controls procurement teams will soon demand, and how to frame the business case to your board. Listeners should expect a mix of blunt intel, real-world examples, and actionable next steps to reduce risk without breaking the bank — plus a call to assume compromise, improve edge monitoring, and stop treating VPNs as magic shields. Tune in for practical guidance, concrete conversation starters for your MSP, and the motivation to make measurable security improvements this quarter.
Host Graham Falkner breaks down Microsoft’s February 2026 Patch Tuesday: more than 50 vulnerabilities across Windows and Microsoft 365, including six that were actively exploited before patches arrived. This episode explains which flaws matter, who’s affected, and the practical steps businesses should take immediately. Coverage includes the six confirmed actively exploited vulnerabilities (triple January’s count): three security‑feature bypasses that remove user protections (including a Word document bypass that is not triggered by Outlook preview), Desktop Window Manager (DWM) flaws that allow privilege escalation — and are being exploited for a second month — a Remote Desktop Services elevation issue found by CrowdStrike, and a Remote Access Connection Manager VPN crash vulnerability with a ready‑made exploit tool in criminal circulation. CISA has added all six to its known exploited list, with federal agencies required to patch by March 3. The episode also highlights developer‑focused risks: three serious GitHub Copilot flaws that let hidden malicious instructions run commands on a developer’s machine, and a 9.8‑severity flaw in Microsoft’s Azure Cloud Tools for Python. Falkner explains why developers are high‑value targets and why organisations that build or buy software must prioritise these fixes. Other major items: January’s three out‑of‑band patches rolled into February’s cumulative update; Microsoft’s upcoming certificate updates that begin expiring from June (important for old or rarely‑connected hardware); SAP’s 26 security notes including a 9.9 remote‑command vulnerability and multiple high‑risk issues that can impact supply chains; Adobe’s 40+ fixes (27 critical), and updates from BeyondTrust, Ivanti, Cisco, Fortinet and others. Note: Google’s Android bulletin for February reported no security fixes.
Special callouts: an Outlook vulnerability that can capture credentials just by previewing a crafted email in the reading pane (apply all related Outlook patches), and Microsoft’s gradual retirement of NTLM, which may break legacy business apps unless you plan ahead.

Actionable priorities and patch playbook:
- First wave (within 24 hours): apply all six actively exploited fixes, the Azure Python tool patch for developer teams, and all Outlook fixes.
- Second wave (within 72 hours): SAP (if you run it), Exchange Server, GitHub Copilot mitigations for developer teams, BeyondTrust remote‑support fixes.
- Third wave (within one week): remaining SAP and Adobe updates, Cisco, Fortinet, and other important but not‑yet‑exploited updates.

Falkner stresses verifying deployment, testing remote desktop and Office workflows, and building patch management into incident response playbooks. Who should listen: IT managers, small business owners, developers, MSPs, and security teams responsible for patching and remote access. The episode gives clear, prioritised guidance to reduce exposure quickly and recommends sharing the full CVE tables and patch tiers with your IT team or managed service provider.

Find the blog post here: https://noelbradford.squarespace.com/blog/patch-tuesday-february-2026-six-zero-days-uk-smb-guide-2026
In this urgent episode of Small Business Cybersecurity Guy, hosts Mauven MacLeod and Graham Falkner join the notably fed-up Noel Bradford to unpack four simultaneous, high‑impact campaigns that emerged between late January and early February 2026. We walk listeners through detailed research from Trellix, Securonix, Rapid7 and Microsoft and explain why these attacks matter to every small business — even if you think you’re too small to be a target. We open with APT28 (Fancy Bear) exploiting CVE‑2026‑21509: a weaponised Office document that triggers on open, drops an Outlook backdoor (MiniDoor/NotDoor) and a C++ implant (Beardshell) injected into svchost.exe, exfiltrating email and system data while blending traffic into legitimate cloud services. Next, Securonix’s “Dead Vax” campaign shows how commodity criminals now match nation‑state tradecraft. Phishing delivers VHD files that mount like drives, bypass mark‑of‑the‑web warnings and execute fileless loaders that ultimately deploy AsyncRAT — giving attackers remote control, keylogging and full data access. Rapid7’s analysis of the Chrysalis backdoor reveals a supply‑chain compromise of Notepad++ hosting infrastructure: poisoned installers selectively targeted victims, abused DLL side‑loading and trusted signed binaries to achieve persistent, encrypted backdoors and lateral movement tools. This is supply‑chain risk in practice. Microsoft’s macOS research details multiple Stealer campaigns (Digit Stealer, Mac Sync, ClickFix, Atomic Stealer and more) distributed through poisoned Google Ads, fake AI tools and messaging apps. These attacks live off native macOS utilities, use AppleScript and Python, and harvest passwords, crypto wallets, SSH keys and cloud credentials — exposing the myth that Macs are immune. 
We connect the dots: all four campaigns abused legitimate platforms and native features, used memory‑resident or fileless techniques that bypass signature AV, injected into trusted processes, and moved faster than patch cycles. The real victims are not random users but procurement staff, developers and privileged employees. Small businesses face the same capabilities for a fraction of the cost via malware-as-a-service. On the regulatory front we cover the Data Use and Access Act (DUAA) changes that took effect in February 2026: cookie and e‑marketing fines jump to £17.5m or 4% of global turnover, new rules around children’s higher protection matters, a new lawful basis for limited public interest processing, and mandatory complaints handling procedures coming into effect on June 19. We explain why a breach today risks vastly larger financial and compliance consequences. Finally, we give practical, prioritized guidance for small businesses: immediate zero‑cost steps (patch Office, verify Notepad++ versions, show file extensions, audit cookie banners, start a complaints procedure), technical controls to adopt (EDR/behavioral monitoring, managed email security, Mac MDM/EDR, fractionally engaged CISO/CIO), and realistic budgets and trade‑offs for a 20‑person company. Links to all source research and a detailed blog post are in the show notes for listeners who want the technical deep dive.
In this urgent episode of The Small Business Cybersecurity Guy, hosts Noel Bradford, Mauven MacLeod and Graham Falkner bring together three experts to answer one question: why you’re doing security wrong and what practical steps will actually protect your business. We cover four pressing, unconnected problems that share the same root cause — a massive gap between perceived and real security. Dr. Sarah Chen explains passkeys in plain English: how they remove the shared secret that makes passwords vulnerable, why they defeat phishing, credential stuffing and most brute-force attacks, and exactly how small businesses should pilot them this week. She outlines a three-step rollout (check your identity platform, pilot with five users, support them through setup), recovery and accessibility considerations, device and cost guidance, and the measurable benefits — including dramatically fewer password reset tickets. Former US government cyber analyst Corinne Jefferson unpacks the CISA ChatGPT incident, where the acting director uploaded sensitive government contracting documents to public ChatGPT despite an approved internal alternative. Corinne explains how exceptions become normalized, why convenience often defeats policy, how this damages security culture, and what organizations should do: enforce technical controls, require documented risk assessments for privileged exceptions, and ensure detection is coupled with a consistent response regardless of who triggers the alert. Seamus O’Leary shares a practical small-business win: after realising he’d never introduced himself to his insurer’s incident response team, he discovered £18,000+ of pre-incident services already included in his cyber policy — IR plan templates, tabletop exercises, forensics retainers, quarterly scans and a 24/7 breach hotline. 
The episode walks through the five-week process he used to onboard the insurer’s IR team, fix gaps, run a tabletop, uncover critical weaknesses (unverified backups, unclear ransomware authority, GDPR notification issues) and win board-level funding to replace vulnerable infrastructure. Noel and the team close with a structural look at cloud sovereignty and vendor concentration: why relying on US cloud providers (AWS, Azure, Google) creates real legal and operational risk regardless of where data is physically stored, how the Cloud Act and post‑Schrems II rules change transfer obligations, and practical mitigation options — encryption with external key control, transfer impact assessments, supplementary measures, vendor diversification and multi‑cloud planning. Key takeaways for listeners: enable and pilot passkeys to eliminate credential-based attacks; enforce technical controls and documented approvals so seniority doesn’t become an exception to security; call your insurer’s IR contacts and use the services you’ve already paid for; treat cloud region selection as latency choice, not legal sovereignty, and perform real transfer impact assessments and mitigation. The episode mixes concrete how-to steps, governance advice, and real-world examples — from phishing-defeating authentication to saving thousands by activating policy services — all aimed at helping small businesses turn security theatre into dependable protection.
In this episode of Small Business Cybersecurity Guy, hosts Mauven MacLeod, Noel Bradford and Graham Falkner walk you through Module One of their six-part incident response plan series: building your response team. Through the real-world Katie Roberts case study (name changed), they show why independence matters when a breach hits — and how an unbiased incident manager can quickly uncover the truth, coordinate response, and save a business from far worse outcomes.

Topics covered include the four core incident roles (external incident manager, technical lead, business continuity coordinator, communications lead), how to find and contract an external IM (insurance, IT referrals, retainer vs pay-per-incident), what an IM can and cannot do, authority and spending limits, and realistic costs and timelines. The hosts explain a simple, achievable four-week setup plan that takes roughly four hours of actual work, and they share templates for team structure, external contacts, authority scripts, implementation timelines, and validation checklists.

Key points and takeaways: why impartial coordination matters, how to avoid common provider cover-up biases, the practical steps Katie used to stabilise her business, a real case study of an architecture firm saved from a Friday-afternoon ransomware attack, and concrete homework: find your IM, assign three internal roles, document everything on a single page, brief and validate your team. Listeners will leave with a clear, actionable plan, links to downloadable templates, and the promise that preparation reduces cost, stress, and downtime.
Hosted by Graham Falkner, this episode is a rapid, no‑nonsense January Patch Tuesday breakdown aimed at small businesses and IT owners. Graham walks listeners through Microsoft’s unusually large release of 114 security updates, explains the essential jargon (CVE and CVSS), and highlights why severity scores don’t replace real‑world risk assessments. The show covers the one vulnerability already being actively exploited (CVE‑2026‑2805 in Desktop Window Manager) and two other high‑risk items used in targeted attacks, plus three zero‑day bugs. Graham takes a deep dive into the critical on‑premises SharePoint emergency (Toolshell campaign, CVE‑2025‑53‑700‑70 and related issues), urging immediate patching and incident response for exposed servers. He also explains the severe Kestrel/ASP.NET Core HTTP request smuggling flaw (CVE‑2025‑55315) and the practical impact on web apps and deployment teams. The episode reviews other major vendor fixes: SAP’s 16 security updates (including four critical vulnerabilities), Apple’s two WebKit zero days, Adobe’s 32 patches (eight critical affecting Acrobat, Reader and creative apps), HPE OneView’s unauthenticated RCE (CVE‑2025‑37164), and ongoing VMware ESXi risks. Graham calls out long‑delayed Fortinet SSL‑VPN vulnerabilities (including CVE‑2020‑12812) and newer FortiCloud SSO bypasses, stressing that overdue patching still causes widespread compromises. Practical guidance and priorities are clear and actionable: patch Windows cumulative updates, exposed SharePoint servers, Fortinet edge devices and HPE OneView within 24 hours; address .NET/web app fixes and SAP critical patches within the next 72 hours to one week; then continue with routine maintenance for browsers, Adobe, Cisco and other software. The episode also flags upcoming deadlines and logistics—Oracle’s critical patch update on January 20 and the end of Windows 10 support—so listeners can plan maintenance windows and migrations. 
Key takeaways: assume compromise if you haven’t patched exposed services, verify systems after applying updates, assign owners who can patch and redeploy quickly, and treat cumulative Windows updates as all‑or‑nothing. There are no external guests — this episode is hosted solo by Graham Falkner and aimed at helping small organizations act fast and reduce risk in the wake of an intense Patch Tuesday.
In this episode of the Small Business Cybersecurity Guy, host Noel Bradford is joined by Mauven MacLeod and Graham Falkner to unpack the Cabinet Office’s January 2026 Government Cyber Action Plan — a blunt, 100‑page admission that the UK government’s cybersecurity posture is “critically high” risk and that many of its own targets are unachievable. The trio break down the report’s headline findings, case studies of high‑profile failures, and why this matters to you even if you’ve never worked with government. Key revelations from the Plan covered in the episode include: roughly 28% of government IT is legacy and cannot be defended with modern tools; repeated systemic failures across departments (poor patching, weak passwords, lack of monitoring); high‑cost incidents such as the British Library ransomware recovery and the CrowdStrike outage that cost the UK economy billions; and the Electoral Commission breach that exposed millions of voter records. The hosts explain the language the report uses — from “historical underinvestment” to “not achievable” targets — and what those admissions mean in plain English. The episode also examines the Cabinet Office’s proposed response: new accountability rules giving accounting officers (permanent secretaries) personal responsibility for cyber risk, routine cyber risk reporting to boards, escalation mechanisms, and potential consequences including removal or public parliamentary scrutiny. The hosts discuss how this mirrors the health & safety/HSE accountability model and why public‑sector reform will likely set the precedent for private‑sector regulation (including implications of forthcoming cyber security and resilience legislation). Financing and timelines are analysed too: the government has allocated around £210 million to kickstart a central cyber transformation unit with milestones through 2029, but the hosts stress this is a down payment — true remediation will take years and likely billions. 
The Plan’s investment priorities (visibility/monitoring, accountability, supply‑chain assurance, incident response and skills) form a checklist for businesses to adopt now. Supply‑chain requirements are a central takeaway: departments will require security schedules, certification (Cyber Essentials, Cyber Essentials Plus, ISO 27001 where appropriate), and documented evidence of controls. These requirements will cascade down through primes to second‑ and third‑tier suppliers, so small businesses should expect tightened demands for proof of security and that compliance will become a competitive advantage. The hosts finish with practical, actionable advice for small businesses: treat cyber risk as board‑level risk; establish personal accountability and clear escalation; prioritise visibility and monitoring; inventory and pragmatically manage legacy systems; obtain appropriate certifications (Cyber Essentials Plus, ISO etc.) if you have or might have public‑sector exposure; segregate and protect government work; build or improve incident response capability; and use this moment to push cultural change so security is embedded across the organisation. Throughout the episode Noel, Mauven and Graham provide candid analysis, real examples from recent government failures, and specific steps SMBs can take now to reduce risk and gain a competitive edge as regulation and procurement expectations tighten. Listeners are pointed to the full Government Cyber Action Plan on gov.uk and the podcast blog for a detailed breakdown and sources.
In this episode Mauven MacLeod and Graham Falkner (with Noel Bradford joining partway through) unpack a worrying trend: adversary‑in‑the‑middle (AITM) attacks that steal session tokens and completely bypass conventional multi‑factor authentication (MFA). Using Microsoft’s recent telemetry (a 146% jump in AITM incidents) as a backdrop, they explain how transparent proxy phishing pages relay credentials and MFA approvals to capture session tokens and gain hours of unrestricted access to Microsoft 365 accounts. The hosts explain, in plain technical terms, why SMS codes, authenticator app push prompts and one‑time codes fail against these attacks and why the stolen session token becomes a single‑factor credential for attackers. They describe what attackers typically do after compromise — mailbox reconnaissance, forwarding rules, OAuth app persistence, and registering new authentication methods — and highlight the scale of automated phishing‑as‑a‑service tools that make these attacks cheap and fast. The episode then walks through the practical, phishing‑resistant solutions every small business should consider: Windows Hello for Business, hardware security keys (YubiKey, Authentrend and similar), and passkeys on mobile devices. For each option they cover how it works, deployment requirements, licensing or purchase costs, user experience trade‑offs, and which users to prioritize for rollout. Mauven and Graham recommend a tiered, risk‑based rollout strategy: protect admin and privileged accounts first, then finance/HR/executives, and finally the wider workforce over months. They discuss real‑world gotchas — legacy apps that don’t support modern auth, BYOD complications, mobile workflows, and the need for a secured “break glass” account — plus expected labour, training and hardware costs for a typical 30‑user small business. 
Beyond replacing or upgrading MFA, the hosts cover essential complementary controls: conditional access policies, continuous access evaluation (CAE) to shorten token windows, blocking legacy authentication (SMTP/IMAP/POP), impossible‑travel detection, and concrete incident response steps (revoking sessions, removing rogue MFA methods and OAuth apps, checking forwarding rules and mailbox rules, and doing forensics on accessed data). The episode closes with an immediate to‑do list for small businesses: verify MFA is actually enabled, remove SMS/email MFA methods, plan a phishing‑resistant rollout starting with tier‑1 users, enable conditional access and CAE, and budget for training and support. They also preview an upcoming multi‑episode series to help businesses build a practical incident response plan. Listeners can expect a technically grounded but actionable discussion aimed at business owners and IT staff: why traditional MFA is still valuable, why it’s not enough against AITM, and exactly how to adopt phishing‑resistant authentication to close that gap.
What You'll Learn

Three in the morning. Your phone's ringing. Someone's encrypted your customer database. What do you do?

This trailer launches our most ambitious series yet: a six-module programme running January through March 2026 that transforms panic into a complete, tested incident response plan. Each module drops every two weeks, giving you time to implement before the next one arrives. Between modules, normal episodes continue covering current threats, breaches, and patches.

This Series Will Give You:
- Complete incident response framework for small businesses
- Communication templates you can use during an actual incident
- Threat-specific playbooks for ransomware, data breaches, and system compromises
- Testing procedures that prove your plan works under pressure
- Implementation time built into the schedule
- Practical guidance for teams with real constraints

What This Series Covers

Module 1: Incident Response Foundations (Early January 2026)
What You'll Build:
- Clear decision tree for incident classification
- Role definitions (even if your team is three people)
- Initial response procedures
- Documentation requirements
- Escalation pathways
Practical Outputs:
- Who does what, when, and how
- Your first response checklist
- Contact list template

Module 2: Building Your Response Team (Late January 2026)
What You'll Build:
- Response team structure for small businesses
- Role assignments that work with limited staff
- External contact management
- Vendor coordination procedures
- Backup personnel plans
Practical Outputs:
- Team roster with responsibilities
- External contacts database
- Succession planning for key roles

Module 3: Communication Plans (Early February 2026)
What You'll Build:
- Internal notification procedures
- Customer communication templates
- Regulatory reporting guidance
- Media handling basics
- Stakeholder management
Practical Outputs:
- Communication templates ready to use
- Notification timelines
- Contact escalation matrix

Module 4: Threat-Specific Playbooks (Late February 2026)
What You'll Build:
- Ransomware response procedures
- Data breach protocols
- System compromise workflows
- Phishing incident handling
- Insider threat procedures
Practical Outputs:
- Step-by-step playbooks for each threat type
- Decision trees for common scenarios
- Evidence preservation guides

Module 5: Testing Your Plan (Early March 2026)
What You'll Build:
- Tabletop exercise framework
- Simulation scenarios
- Assessment criteria
- Continuous improvement process
- Lessons learned documentation
Practical Outputs:
- Test schedule
- Simulation scripts
- Improvement tracking system

Module 6: Complete System Integration (Late March 2026)
What You'll Build:
- Your complete, customised IR plan
- Integration with existing processes
- Maintenance schedule
- Annual review procedures
- Staff training programme
Practical Outputs:
- Final incident response plan document
- Ongoing maintenance checklist
- Training materials for your team

Between Modules: Normal Episodes Continue

Every other week between module releases, you'll get:
- Latest Breach Analysis: What happened, how it happened, what you can learn
- Critical Security Patches: What you need to apply and why (see our December 2025 Patch Tuesday analysis)
- Emerging Threat Intelligence: Current attacks targeting UK small businesses
- Practical Implementation Guides: Hands-on advice for immediate action

Because security doesn't pause whilst you're building your plan.

The Two-Week Implementation Rhythm
- Week 1: Module episode drops
- Week 2: Implementation time + normal episode
- Week 3: Next module episode drops
- Week 4: Implementation time + normal episode

This cadence gives you:
- Time to actually implement each module
- Space to ask questions and refine
- Current threat intelligence throughout
- Sustainable pace for resource-constrained teams

Why This Series Matters

The UK Small Business Reality

Current State:
- 43% of UK small businesses experienced cyber breaches last year (DSIT 2025)
- Average breach cost: £250,000
- Some breaches exceed £7 million
- 60% of small businesses close within six months of a major cyber incident
- NCSC estimates 50% of UK SMBs will experience a breach annually

The Gap:
- 73% have no board-level cybersecurity responsibility (see Episode 31: The Risk Register Argument)
- Most have no documented incident response plan
- Existing plans are often enterprise frameworks that don't work for SMBs
- When incidents occur, response is reactive panic rather than systematic procedure

The Opportunity:
- Having a tested incident response plan can reduce breach impact by up to 70%
- Cut recovery time significantly
- Minimise business disruption
- Demonstrate due diligence for cyber insurance
- Meet regulatory requirements
- Protect customer trust

This Isn't Enterprise Security Theatre

Traditional incident response planning assumes you have:
- Dedicated security team
- 24/7 SOC coverage
- Unlimited budget
- Complex organisational structure
- Enterprise-grade tools

This series assumes you have:
- Limited staff wearing multiple hats
- Constrained budget
- Time pressure
- Real business to run
- Practical need for procedures that actually work

Every recommendation is:
- Tested in actual small business environments
- Budget-conscious
- Time-realistic
- Scalable as you grow
- Focused on high-impact, low-cost implementations

Who Should Listen to This Series

This series is particularly relevant for:
- UK small business owners (5-50 employees) who need incident response capability
- Startup founders building security from the ground up
- SME managers responsible for cybersecurity without security backgrounds
- Solo IT staff who handle everything
- Business owners who've invested in prevention but lack response capability
- Anyone who thinks "we're too small to need an incident response plan"
- Directors concerned about personal liability under the Companies Act
- Businesses pursuing Cyber Essentials or cyber insurance
- Professional services firms handling sensitive client data

You'll especially benefit if:
- You've asked "what happens if we get breached?" and had no good answer
- Your current plan is "call the IT guy and hope"
- You've got prevention sorted but no response capability
- You need to demonstrate due diligence for insurance or compliance
- You're responsible for security but lack formal training
- Your team is small and you can't afford enterprise solutions

What Makes This Series Different

Practical Implementation Focus: Not theoretical frameworks or consultant waffle. Every module produces concrete, usable outputs you can implement on a Tuesday afternoon between customer calls.

Small Business Specific: Built for teams of 3-50 people, not Fortune 500 enterprises. Acknowledges real constraints around time, money, and expertise.

Tested in Real Environments: Every procedure comes from actual small business implementations. No academic theory or enterprise assumptions.

Sustainable Pace: Two-week rhythm gives you time to implement, refine, and ask questions before the next module arrives.

Continuous Relevance: Normal episodes between modules keep you current on threats, breaches, and patches whilst you're building your plan.

Complete System: Six modules build into one cohesive incident response capability, not disconnected tips.

Content Calendar

January 2026:
- Week 1: Module 1 - Incident Response Foundations
- Week 2: Normal Episode (current threats)
- Week 3: Module 2 - Building Your Response Team
- Week 4: Normal Episode (current threats)

February 2026:
- Week 1: Module 3 - Communication Plans
- Week 2: Normal Episode (current threats)
- Week 3: Module 4 - Threat-Specific Playbooks
- Week 4: Normal Episode (current threats)

March 2026:
- Week 1: Module 5 - Testing Your Plan
- Week 2: Normal Episode (current threats)
- Week 3: Module 6 - Complete System Integration
- Week 4: Normal Episode (current threats)

Subscribe Now

Don't miss any module in this series. Subscribe on your preferred platform:
- Apple Podcasts: Currently ranked #13 in Management category worldwide
- Spotify: New episodes every week
- All Major Podcast Platforms: Search for "The Small Business Cyber Security Guy"
- RSS Feed: Direct feed link

Connect With Us

Need Help? If you need direct assistance with incident response planning or any cybersecurity topic we cover:
- Email: hello@thesmallbusinesscybersecurityguy.co.uk
- Website: thesmallbusinesscybersecurityguy.co.uk

Resources & Guides

Visit our website for:
- Detailed implementation guides
- Template downloads
- Step-by-step walkthroughs
- All episode show notes and transcripts
- Blog articles expanding on episode topics

Newsletter: "No BS Cyber for SMBs" on LinkedIn - practical cybersecurity advice delivered weekly by Noel Bradford

Share This Series

Know someone who needs this? Share with:
- Business owners without incident response plans
- IT managers dealing with limited resources
- Directors concerned about cyber liability
- Anyone responsible for small business security

About the Hosts

Noel Bradford: With over 40 years in IT and cybersecurity across enterprises including Intel, Disney, and BBC, Noel now serves as CIO/Head of Technology for a boutique security-first MSP. He brings enterprise-level expertise to small business constraints, translating million-pound solutions into hundred-pound budgets. His mission is making cybersecurity practical and achievable for resource-constrained small businesses.

Mauven MacLeod: Former UK Government cyber analyst, Mauven brings systematic threat analysis and government-level security thinking to commercial reality. With her Glasgow roots and ex-government background, she translates complex security concepts into practical advice for small businesses, asking the questions business owners actually need answered.

Related Episodes & Blog Posts

Preparation for This Series:
- Episode 17: Social Engineering - The Human Firewall Under Siege
- Episode 30: The Printer Is Watching - IoT Security
- Episode 29: Reverse Benchmarking - Learning from Disasters
- Episode 31: Boards, Breaches and Accountability - Risk Registers

Related Blog Posts:
- Reverse Benchmarking: Why Studying Cyber Failures Beats Copying Best Practices
- The Risk Register Argument - When Your Co-Host Says You're Wrong About Governance
- How to Build a Cyber Risk Register That Actually Works
- Your First Cyber Risk Register: 2-Hour Implementation Guide
- Your £15,000 Security Investment Just Got Defeated by a £300 Printer
- Three Zero Days And A Christmas Timebomb: December Patch Tuesday Analysis

Support the Show

If this series provides real value to your business:
- Leave a Review on Apple Podcasts or Spotify - tell us what you're implementing
- Share Episodes with other business owners who need this
- Tell Us What's Landing - your feedback helps us create more useful content
- Subscribe so you don't miss any modules

Legal Disclaimer

Everything discussed in this series is for general guidance and educational purposes. It's meant to point you in the right direction but absolutely shouldn't be treated as professional advice tailored specifically to your business. Your situation is unique. What works brilliantly for one business might be completely inappropriate for another. We do our very best to keep everything accurate and current, but the cybersecurity world moves quickly. Things can change between when we record and when you're listening, so always double-check critical technical details with qualified professionals before making major changes to your systems. If we mention websites, products, or services, we're giving you information, not necessarily endorsing them. We can't be responsible for what happens on their end or if things go sideways when you use them. If you're dealing with serious cybersecurity incidents, actual data breaches, or complex compliance issues, please talk to proper professionals rather than just relying on podcast advice. We're here to educate and help you understand the landscape, not to replace your security consultant, solicitor, or IT team. Think of us as your knowledgeable mates down the pub who work in cybersecurity, not your official contracted consultants. We care about your business, but we're not your insurance policy. Stay safe out there, keep learning, and remember: when in doubt, get a second opinion from someone who can see your specific situation.

This has been a Small Business Cyber Security Guy production. Copyright 2025, all rights reserved.

Series Preview | December 2025 | The Small Business Cyber Security Guy Podcast

Hashtags: #IncidentResponse #CyberSecurity #SmallBusiness #UKBusiness #SMBSecurity #CyberEssentials #BusinessContinuity #DisasterRecovery #NCSC #InfoSec #RiskManagement #DataProtection #GDPR #CyberInsurance #BusinessResilience #ThreatResponse #SecurityPlanning #UKCyber #EnterpriseSecurity #PracticalSecurity
Welcome to the Small Business Cybersecurity Guy Christmas Special with host Noel Bradford and guests Mauven MacLeod and Graham Falkner. This episode is a rapid-fire, often hilarious and sometimes horrifying roundup of the most spectacular cyber security disasters of 2025, told with a no-nonsense focus on what small businesses should learn from them. We open with the MacHire fiasco: security researchers discovered an admin account on McDonald’s AI hiring chatbot (Paradox.ai/Olivia) protected by the password "123456," exposing up to 64 million applicant records. The researchers reported the flaw; no known mass theft occurred, but the episode underlines vendor risk and the dangers of legacy test accounts and absent MFA. Next, we cover the Louvre post-heist revelations: a €88m jewel theft followed by reports showing decades-old surveillance systems running Windows 2000/XP, passwords like "Louvre" and systemic neglect. The story is used to illustrate how even world-famous institutions fail at basic cyber hygiene. We recap the PowerSchool catastrophe, where a 19-year-old college student used compromised credentials to access a support portal and exposed data on some 62 million students and millions of staff. The attack led to ransom demands, payments, further extortion attempts, criminal charges, and a clear lesson — no MFA, huge consequences. The UK was a hotspot in 2025: Jaguar Land Rover, Marks & Spencer, Co-op, Harrods and others suffered disruptive breaches often rooted in third-party/supply-chain compromises. We also discuss the Foreign, Commonwealth & Development Office breach (detected in October, disclosed in December), suspected China-linked activity, and the difficulties of attribution. 
In a rapid-fire segment we cover smaller-but-still-impactful stories: a ransomware gang that abandoned an extortion against nurseries after public outrage; attacks on Asahi, DoorDash and Harvard; widespread exploitation of unpatched SharePoint vulnerabilities; and how simple phishing and credential theft continue to be the root cause of major incidents. Key takeaways for small businesses are emphasized throughout: enable multi-factor authentication, use strong unique passwords and password managers, patch promptly, run vendor due diligence and risk registers, train staff on phishing/social engineering, maintain incident response plans, and treat supply-chain security as part of your attack surface. The hosts argue the fundamentals work — do the boring basics correctly. The episode closes with practical advice, links to the revamped blog and Noel’s "No BS Cyber for SMBs" newsletter on LinkedIn, and a festive-but-sober call to change weak passwords (definitely not to "123456") and enable MFA before the new year.   #Cybersecurity #Ransomware #DataBreaches #PasswordSecurity #SupplyChainSecurity #SmallBusiness #UKCyber #InfoSec #Christmas2025 #PowerSchool #McDonalds #JaguarLandRover #ForeignOffice
Do UK small businesses need cyber risk registers? Graham said no. After this 40-minute debate with Noel Bradford, he changed his mind completely.

This Small Business Cyber Security Guy podcast episode tackles cyber risk management for UK SMEs through a heated debate about whether small business boards need formal cyber risk registers.

UK cyber security statistics that changed Graham's mind:
- 43% of UK small businesses experienced cyber breaches last year (DSIT 2025)
- 73% have no board-level cyber security responsibility
- 28% of SMEs say one cyber attack could close them permanently (Vodafone 2025)
- Average UK small business breach costs £3,398

Real-world cyber risk register failures: UK manufacturing company with "satisfactory" security controls destroyed by ransomware. Had antivirus, firewalls, backups. No documented cyber risk assessment. No board-level governance. Business nearly closed.

Companies Act director duties most UK boards ignore: Section 174 requires directors exercise "reasonable care, skill and diligence" in managing company risks. With 43% breach rates, cyber risk is material. Failure to document cyber risk management exposes directors to personal liability.

Practical cyber risk register implementation:
✓ Minimum viable cyber risk register template (8 columns, single spreadsheet)
✓ Board-level cyber security governance framework
✓ Quick remediation: enable MFA, test backup restoration, implement payment verification
✓ NCSC Board Toolkit guidance for UK SMEs
✓ Cyber insurance risk assessment requirements

Perfect for UK small business owners, SME directors, startup founders, business managers responsible for cyber security compliance, GDPR, and corporate governance. Listen to this cyber security governance debate and learn why risk registers aren't bureaucracy - they're legal protection for directors and businesses.
Show notes

December 2025 just shipped the last Microsoft security fixes of the year. Fifty-seven vulnerabilities, three zero-days, and one actively exploited Windows privilege escalation that hits almost every supported build. Are you patched before the Christmas break, or are you leaving a present for attackers in January?

In this episode, Graham walks through the December Patch Tuesday release for 2025, with a focus on what actually matters for small and medium businesses. You will hear how CVE-2025-62221 in the Windows Cloud Files driver turns a low-level account into full system compromise, why the Office Preview Pane is once again a risk, and how AI-powered tools like GitHub Copilot for JetBrains and PowerShell changes introduce new attack paths. Does your team know about any of that?

You also get a fast tour of Adobe and other vendor updates, including ColdFusion, Android, Ivanti, Fortinet, React server components and SAP. Graham then zooms out to review the full year, with more than 1,100 Microsoft vulnerabilities in 2025 and privilege escalation bugs leading the pack. Finally, he explains why the five-week gap before the next Patch Tuesday on 13 January 2026 makes December patching non-negotiable.

By the end of the episode you will know:
- Which patches you must treat as emergency work, especially CVE-2025-62221
- How Office, Copilot and PowerShell changes affect day-to-day risk
- Why Windows 10 without Extended Security Updates is now a business liability
- What to ask your IT team or provider before everyone disappears for the holidays

Are you confident your estate will survive the festive period, or do you need to push patching to the top of the list?
For our 30th episode, we're tackling the cybersecurity blind spot that almost no one discusses but everyone should worry about. You've secured your laptops. You've rolled out multi-factor authentication. Your firewall is properly configured. But what about that office printer quietly storing every contract and payslip you've printed this year on a hard drive nobody ever wipes, with a password an attacker can guess in three tries?

This episode reveals the uncomfortable truth about Internet of Things (IoT) devices in your business. We're talking about printers, CCTV systems, smart thermostats, networked door locks, and every other "smart" device you've stopped thinking about as a computer. These forgotten devices are giving attackers a free pass into networks that are otherwise properly secured.

We share a real case study from our recent emails about a marketing agency that spent £15,000 on security, passed their audit with flying colours, and still got breached through their office printer. This isn't theoretical paranoia. This is happening right now to businesses that think they've got security sorted.

What You'll Learn
- Why your office printer is possibly the biggest security risk in your building
- How default passwords on "forgotten" devices create easy access points for attackers
- The real story of a £15,000 security investment defeated by a £300 printer
- What network segmentation actually means and why it matters for small businesses
- How to create and maintain an accurate device inventory
- Practical steps to secure IoT devices without enterprise budgets
- Why your CCTV system might be livestreaming to the internet right now
- How smart thermostats become backdoors into your network

Key Topics Covered

The Forgotten Device Problem
Modern offices are full of computers disguised as other things. Every printer, every CCTV camera, every smart thermostat, and every networked door lock is actually a computer connected to your network. Most businesses secure their obvious computers whilst completely forgetting about these devices, creating perfect entry points for attackers who aren't bothering with sophisticated social engineering when they can just log in with "admin/admin".

Real Case Study: The £15,000 Security Investment Defeated by a Printer
A 30-person marketing agency listened to our ransomware and authentication episodes, then invested £15,000 in proper security: new firewalls, endpoint protection, hardware authentication keys for every staff member, and a security audit that came back clean. Two months later, they discovered someone had been accessing their client files for weeks through their HP printer, which still used factory default credentials. The printer had full network access and stored copies of everything printed. Nobody had changed the password. Nobody had checked it during the audit. Nobody even thought about it.

Default Credentials: The Epidemic Nobody Discusses
Attackers maintain databases of default passwords for thousands of devices. They don't need to crack complex passwords when they can try "admin/admin" or "admin/password" and gain access to printers, cameras, or thermostats within seconds. These devices often ship with administrative interfaces accessible from the network, and most businesses never change the defaults because they don't think of these devices as security concerns.

Network Segmentation Explained (Without Enterprise Complexity)
Network segmentation sounds enterprise-level complicated, but the basic concept is simple: not everything on your network should be able to access everything else. Your printer doesn't need access to your accounting server. Your CCTV system doesn't need to reach your customer database. Creating separate network zones for different device types means a compromised printer can't become a stepping stone to your sensitive data.

The Device Inventory Challenge
Most small businesses have no accurate list of what's actually connected to their network. They know about the laptops and servers but often forget about the smart coffee machine someone plugged in last year, the wireless access points in the meeting rooms, or the networked thermostat the facilities team installed. Without knowing what's connected, you can't secure it. We discuss practical methods for discovering and documenting every device on your network.

Practical IoT Security Steps
We break down actionable steps that don't require enterprise budgets or dedicated security teams. This includes conducting device audits, changing default passwords, implementing basic network segmentation, applying regular firmware updates, and creating ownership responsibility for every connected device. The goal is proportionate security that's actually achievable for small businesses.

Key Takeaways
- Every connected device is a computer. If it has an IP address, it's a potential security risk that needs management and protection.
- Default passwords are attackers' best friends. The first thing to do with any new device is change the administrative password. Never assume factory defaults are acceptable.
- Network segmentation isn't optional anymore. IoT devices should be isolated from your main business network, even if that means starting with basic VLAN separation.
- Device inventory is fundamental. You can't secure what you don't know exists. Conduct regular network scans to discover forgotten devices.
- Ownership matters. Every device needs someone responsible for its security. Don't let devices become "nobody's problem", because that's when they become everyone's problem.
- Security audits miss IoT devices. Standard security assessments often focus on servers and workstations whilst completely overlooking printers, cameras, and other IoT equipment.
- Firmware updates apply to everything. IoT devices need security patches just like computers. Many businesses forget this entirely.
- Your £15,000 security investment can be defeated by a £300 printer. Security is only as strong as your weakest link, and IoT devices are often the weakest links because they're forgotten.

Resources & References Mentioned in This Episode

Previous Episodes Referenced:
- Episode 17: Social Engineering - The Human Firewall Under Siege
- Ransomware episodes (multiple)
- Authentication episodes featuring Mark Bell
- Cyber Essentials episodes
- Electoral Commission accountability episode

Hardware Authentication: AuthenTrend hardware keys (mentioned as sponsor)

Case Studies: Marketing agency breach via printer (anonymized client)

Recommended Reading & Tools
- NCSC Guidance: National Cyber Security Centre - IoT security guidance
- Network Discovery Tools: Fing, Advanced IP Scanner, or similar free network scanning utilities
- Device Documentation: Spreadsheet templates for device inventory available on our website

Practical Action Steps

This Week:
- Find your printer's admin interface. Log in. If you can't remember the password, that's probably because it's still set to "admin". Change it. Now.
- List five connected devices that aren't computers or phones. These are your starting inventory.
- Check one device's firmware. Is it up to date? When was it last updated? Who's responsible for keeping it current?

This Month:
- Complete a device inventory. Use network scanning tools to discover everything connected to your network. Document it all.
- Change all default passwords. Every printer, camera, thermostat, and access point needs unique, strong credentials.
- Assess your network segmentation. Can your printer access your file server? It shouldn't. Start planning basic network separation.
- Assign device ownership. Every device needs someone responsible for its security, updates, and maintenance.

This Quarter:
- Implement basic network segmentation. Even simple VLAN separation is better than everything on one network.
- Create update schedules. IoT devices need regular firmware updates just like computers.
- Review and test. Verify your device inventory is accurate. Check that passwords actually changed. Confirm segmentation works.

Who Should Listen to This Episode?
This episode is particularly relevant for:
- Small business owners who've invested in cybersecurity but may have overlooked IoT devices
- IT managers and solo IT staff responsible for securing business networks with limited resources
- Office managers who purchase and install connected devices without considering security implications
- Business owners who think they've "done security" but haven't considered printers, cameras, and similar devices
- Anyone who's ever said "it's just a printer" when security concerns were raised

Why This Episode Matters
We've covered passwords, multi-factor authentication, ransomware, supply chain attacks, shadow IT, and social engineering across 30 episodes. We've discussed major breaches at household names and examined what it takes to protect heads of state. But we've deliberately avoided IoT security until now because we knew it would make people uncomfortable, possibly angry, and definitely worried.

The uncomfortable truth is that whilst you've been securing laptops and servers, your office printer has had full network access, stores every document you print, and still uses the password it shipped with. The CCTV system protecting your premises might be livestreaming to the internet because nobody changed the default settings. The smart thermostat saving you money on heating is potentially giving attackers a way into your network.

This isn't theoretical paranoia. We're seeing breaches through IoT devices happen to businesses that have otherwise invested properly in cybersecurity. The marketing agency case study we discuss spent £15,000 on security and still got breached through a printer nobody thought to check during the security audit.

IoT security is the blind spot in small business cybersecurity. This episode gives you the knowledge and practical steps to finally address it without enterprise budgets or dedicated security teams.

Celebrating 30 Episodes
This milestone episode also marks an important achievement for the podcast. Since launching in June 2025, we've:
- Reached Top 12 in the Apple Podcasts Management category worldwide
- Peaked at 3,500 daily downloads
- Built an audience that's 47% US, 37% UK despite being a UK-focused show
- Made cybersecurity almost entertaining whilst maintaining technical accuracy
- Helped businesses actually implement security improvements, not just understand threats

We're genuinely grateful to everyone who's been listening, sharing, and most importantly, doing the work. The chart positions and download numbers are nice, but what matters more is when someone emails to say they've finally sorted Cyber Essentials or retired Dave from IT as a single point of failure.

Coming Up
- Episode 31 (Next Week): Regular episode format continues with another crucial small business cybersecurity topic
- Episode 32 (22nd December): Christmas Special - a festive take on cybersecurity for small businesses

Connect With Us

Need Help? If you need direct assistance with IoT device security, Cyber Essentials, network segmentation, or any topic we've covered, contact us at: hello@thesmallbusinesscybersecurityguy.co.uk

Website & Resources
Visit thesmallbusinesscybersecurityguy.co.uk for:
- Detailed guides on everything we've discussed
- Step-by-step walkthroughs for printer security, camera configuration, and network segmentation
- Device inventory templates and checklists
- All episode show notes and transcripts

Subscribe & Follow
- Apple Podcasts: Currently Top 12 in the Management category worldwide
- Spotify: New episodes every week
- All major podcast platforms: Search for "The Small Business Cyber Security Guy"

Share This Episode
Know someone who's ever said "it's just a printer"? They need this episode in their life. Share it with:
- Business owners who think they've got security sorted
- IT managers dealing with limited budgets and forgotten devices
- Office managers who purchase connected devices
- Anyone responsible for small business network security

Support the Show
If you've had real value from this podcast:
- Leave a review on Apple Podcasts or Spotify - tell us what you've actually changed in your business
- Share episodes with other business owners who need to hear this
- Tell us what's landing - your feedback helps us create more useful content
- Subscribe so you don't miss episodes

About the Hosts

Noel Bradford
With over 40 years in IT and cybersecurity across enterprises including Intel, Disney, and the BBC, Noel now serves as CIO/Head of Technology for a boutique security-first MSP. He brings enterprise-level expertise to small business constraints, translating million-pound solutions into hundred-pound budgets. His mission is making cybersecurity practical and achievable for resource-constrained small businesses.

Mauven MacLeod
Former government cyber analyst Mauven brings systematic threat analysis and government-level security thinking to commercial reality. With her Glasgow roots and ex-government background, she translates complex security concepts into practical advice for small businesses, asking the questions business owners actually need answered.

Graham Falkner
Regular contributor and co-host for special episodes, Graham adds additional perspective and helps make complex cybersecurity topics accessible to small business audiences. His role includes managing the legal disclaimers and ensuring content remains grounded in practical business reality.

Legal Disclaimer
Everything discussed in this episode is for general guidance and educational purposes. It's meant to point you in the right direction but absolutely shouldn't be treated as professional advice tailored specifically to your business. Your situation is unique. What worked brilliantly for one business might be completely inappropriate for another.

We do our very best to keep everything accurate and current, but the cybersecurity world moves faster than a caffeinated squirrel. Things can change between when we record and when you're listening, so always double-check critical technical details with qualified professionals before making major changes to your systems.

If we've mentioned any websites, products, or services, we're giving you information, not necessarily endorsing them. We can't be responsible for what happens on their end or if things go sideways when you use them.

If you're dealing with serious cybersecurity incidents, actual data breaches, or complex compliance issues, please talk to proper professionals rather than just relying on podcast advice. We're here to educate and help you understand the landscape, not to replace your security consultant, solicitor, or IT team. Think of us as your knowledgeable mates down the pub who work in cybersecurity, not your official contracted consultants. We care about your business, but we're not your insurance policy.

Stay safe out there, keep learning, and remember: when in doubt, get a second opinion from someone who can see your specific situation.

This has been a Small Business Cyber Security Guy production. Copyright 2025, all rights reserved.

Episode 30 | December 2025 | The Small Business Cyber Security Guy Podcast
What if the best way to protect your business isn't copying what the successful companies do, but avoiding what the failures did wrong? Welcome to reverse benchmarking, the cybersecurity equivalent of learning from other people's face-plants so you don't repeat them.

In this episode, Noel and Mauven flip traditional benchmarking on its head. Instead of asking "what are the best companies doing?", they explore the far more revealing question: "what did the disasters get catastrophically wrong?" From the Target breach via an HVAC vendor to ransomware attacks on UK holiday parks, the hosts dissect spectacular cybersecurity failures to extract practical lessons for small businesses.

You'll discover why copying enterprise best practices often backfires for SMBs, how compliance creates dangerous false security, and practical ways to build your own "disaster library" of lessons learned. Plus, the hosts reveal why some of the worst cybersecurity advice comes from studying successful companies rather than failed ones.

This isn't just negativity packaged as strategy. It's a systematic approach to identifying your business's genuine vulnerabilities by examining where others fell through the cracks. Because in cybersecurity, knowing what not to do is often more valuable than copying what others claim works.

Why This Episode Matters
One in three small businesses were hit by cyberattacks last year. The average cost? A quarter of a million pounds, with some reaching seven million. But here's the crushing statistic: 60% of small businesses close within six months of a cyber incident. Traditional benchmarking tells you to copy what big enterprises do. Reverse benchmarking shows you what kills businesses like yours, so you can avoid becoming the cautionary tale in someone else's podcast.

Key Takeaways

1. Traditional Benchmarking Often Fails SMBs
- Copying FTSE 100 security on a shoestring budget is a losing game
- Enterprise solutions don't scale down effectively
- By the time you copy last year's "best practice," threats have evolved
- Context matters more than copying

2. Compliance ≠ Security
- Being compliant doesn't mean you're secure
- Compliance is like passing your driving test - it proves you know the rules, not that you'll never crash
- Checkbox culture creates dangerous complacency
- Attackers don't check your certifications before striking

3. The Statistics Are Sobering
- One third of SMBs hit by cyberattacks annually
- Average breach cost: £250,000
- Some breaches: £7 million
- 60% of small businesses close within six months post-attack
- NCSC estimates 50% of UK SMBs will experience a breach each year

4. Real-World Disasters Teach Practical Lessons
- Target breach: Lost $162 million because HVAC vendor credentials weren't properly segmented
- Colonial Pipeline: Shutdown of major US fuel infrastructure from a weak VPN password
- UK holiday park ransomware: Peak season attack forced cash-only operations
- Common thread: Basic security fundamentals ignored

5. Third-Party Risks Are Existential
- 61% of breaches involve third-party access
- Small vendors create backdoors into larger networks
- Your security is only as strong as your weakest supplier
- Segment vendor access ruthlessly

6. Practical Implementation Steps
- Build your own "disaster library" of relevant failures
- Hold quarterly "what went wrong" review sessions
- Map your business to failed case studies
- Ask "could this happen to us?" for every breach you read about
- Create a no-blame culture for reporting near-misses

Detailed Show Notes

Introduction (00:00 - 01:24)
Noel poses a simple question: in the pub, what do people talk about? Their wins, mostly. This episode does the opposite by examining failures instead of successes. The hosts introduce "reverse benchmarking" as the Darwin Awards of cybersecurity, learning from others' digital disasters rather than bragging about fancy firewalls.
Key Quote: "Learn from other people's face-plants so we don't repeat them."

What Is Reverse Benchmarking? (01:24 - 03:46)
Traditional benchmarking means copying what successful companies do. Reverse benchmarking flips this around: study the worst failures in your industry and make certain you don't repeat them.
The Problem with Traditional Benchmarking:
- Big enterprises have massive IT teams and unlimited budgets
- Trying to copy enterprise security on SMB resources is futile
- Benchmarking looks backwards - by the time you implement, hackers have moved on
- If everyone in your industry has the same gap, benchmarking won't reveal it
Why It Matters Now:
- One third of SMBs were hit by cyberattacks in the past year
- Average cost: £250,000, with some reaching £7 million
- 60% of small businesses close within six months of a cyberattack
- Most small business owners still think they're too small to be targeted
UK Context: The National Cyber Security Centre (NCSC) estimates around half of UK SMBs will experience a breach each year. Coin flip odds. If you're sitting in a board meeting saying "hackers won't bother with us," you might as well hang a sign reading "free Wi-Fi, no password."

The Compliance Trap (03:46 - 06:15)
Many businesses believe being compliant means they're secure. This is cybersecurity's biggest misconception.
Compliance vs Security:
- Compliance is like passing your driving test - it means you know the rules, not that you'll never crash, or that you're a good driver
- Microsoft's security GM: "Some SMBs believe being compliant means they're safe. It doesn't."
- Hackers don't check whether you've got ISO certification before attacking
The Checkbox Culture:
- "We did our annual password change. Job done." Hackers respond: "Challenge accepted."
- Following checklists creates a false sense of security
- Real security requires ongoing vigilance, not annual tick-boxes
The Hidden Risk: If everyone in your industry has the same security gap but meets the same compliance standards, benchmarking against them won't reveal your shared vulnerability. You're all vulnerable together, congratulating each other on your certifications.

Case Study 1: The Target Breach (06:15 - 09:42)
One of retail history's most infamous breaches demonstrates how third-party access becomes a catastrophic liability.
What Happened:
- December 2013: Hackers stole 40 million credit card numbers and 70 million customer records
- Entry point: HVAC contractor with network access
- Attackers used vendor credentials to access Target's corporate network
- Then moved laterally to payment systems
The Aftermath:
- Direct losses: $162 million
- CEO resigned
- CIO resigned
- Board chairman resigned
- Countless hours dealing with breach response, forensics, legal battles
The Lesson: Your security is only as strong as your weakest supplier. That HVAC company, plumber, or IT consultant with network access? They're potential backdoors. Target's enterprise-grade security was bypassed through a small contractor's weak credentials.
For Small Businesses:
- 61% of breaches involve third-party access
- Small businesses often provide services to larger enterprises
- Your compromise becomes their breach
- Vendor management isn't optional
Practical Actions:
- Segment vendor access ruthlessly
- No contractor needs access to your entire network
- Use separate credentials for third parties
- Monitor vendor access continuously
- Regular vendor security audits

Case Study 2: Colonial Pipeline (09:42 - 12:28)
In May 2021, a single compromised password shut down a major fuel pipeline supplying 45% of the US East Coast's fuel.
What Happened:
- Ransomware attack forced shutdown of the 5,500-mile pipeline
- Entry point: Weak VPN password
- No multi-factor authentication (MFA) on VPN access
- Company paid $4.4 million ransom (partially recovered later)
The Impact:
- Fuel shortages across the southeastern United States
- Panic buying, price spikes
- Emergency government declarations
- Week-long shutdown of critical infrastructure
The Lesson: Credentials are your front door. If you're not protecting them properly, you've left the door unlocked with a welcome mat out for attackers.
For Small Businesses: Colonial Pipeline didn't fail because of sophisticated zero-day exploits or nation-state malware. They failed because they didn't have MFA enabled on remote access.
Your Action Items:
- Enable MFA everywhere, particularly VPN access
- Enforce strong password policies
- Monitor for credential compromise
- Phishing-resistant MFA (hardware tokens or biometrics) for privileged access
- Regular access reviews
The Cost-Benefit Reality:
- Hardware security keys: £40-70 per user
- Potential breach cost: £250,000 average
- MFA prevents 99.9% of automated credential attacks
- The mathematics are straightforward

Case Study 3: UK Holiday Park Ransomware (12:28 - 15:15)
Closer to home, a UK holiday park discovered that timing matters when ransomware strikes.
What Happened:
- Ransomware attack during peak summer season
- All booking systems encrypted
- Payment processing down
- Guest check-ins disrupted
The Business Impact:
- Had to operate cash-only during the busiest period
- Couldn't process new bookings
- Lost revenue during the most profitable weeks
- Guest experience severely compromised
- Reputation damage
The Lesson: Attackers choose timing deliberately. They struck during peak season when the business would be most desperate to restore operations quickly and most likely to pay the ransom.
For Small Businesses: Seasonal businesses are particularly vulnerable during peak periods. That's precisely when attackers strike, knowing you can't afford downtime.
Your Defence Strategy:
- Offline, air-gapped backups tested regularly
- Incident response plan practised before peak season
- Alternative payment processing methods ready
- Staff trained on ransomware procedures
- Crisis communication templates prepared
The Backup Reality: Having backups isn't enough. You need to test restoration procedures. The middle of a ransomware attack is not the time to discover your backups don't work or take three weeks to restore.

Why Reverse Benchmarking Works Better (15:15 - 17:45)
Traditional approaches focus on aspirational goals. Reverse benchmarking focuses on avoiding catastrophic failures.
The Psychological Advantage:
- Failures provide concrete examples of what not to do
- Success stories often omit the messy details
- Disasters reveal the actual attack patterns you'll face
- Real consequences make lessons stick
The Practical Advantage:
- You learn what actually breaks in the real world, not theoretical best practices that might work
- Understand attack chains step by step
- See how small gaps become massive breaches
The Cost Advantage:
- Avoiding one disaster pays for years of modest security investment
- You don't need enterprise budgets to avoid enterprise mistakes
- Focus resources on genuine vulnerabilities, not on impressive-sounding but irrelevant controls
The Timeliness Advantage:
- Recent failures reflect the current threat landscape
- More relevant than last year's "best practices"
- See how threats evolve in real time
- Adapt defences to actual attack methods

Building Your Disaster Library (17:45 - 19:29)
Practical implementation of reverse benchmarking for your business.
Step 1: Collect Relevant Failures
- Focus on breaches in similar-sized businesses
- Same industry or adjacent sectors
- Similar technology stack
- Geographic relevance (UK regulations, threat actors)
Step 2: Quarterly Review Sessions
- "What went wrong" meetings with your team
- Review recent breaches systematically
- Ask: "Could this happen to us?"
- Identify similar vulnerabilities in your environment
Step 3: Map to Your Environment
- For each breach, trace the attack path
- Identify which elements exist in your business
- Where are your equivalent vulnerabilities?
- What would the impact be if it happened to you?
Step 4: Prioritise Actions
- Not every lesson requires immediate implementation
- Focus on high-probability, high-impact scenarios first
- Quick wins vs long-term projects
- Balance cost against realistic risk
Step 5: Create Your "Anti-Playbook"
- Document what you'll never do based on failure analysis
- Share with the team so everyone knows the "forbidden" approaches
- Update as new disasters emerge
- Make it a living document, not a static policy
Resources to Monitor:
- NCSC Weekly Threat Reports
- Information Commissioner's Office (ICO) breach reports
- Industry-specific security bulletins
- UK Cyber Security News
- Global breach databases with UK filter

Creating a No-Blame Culture (19:29 - 20:45)
If people hide mistakes, you lose the chance to fix vulnerabilities before an actual breach occurs.
The Aviation Model: Airlines improve safety by fostering a no-blame culture for near-misses. They want to hear about every close call so they can fix systemic issues before disaster strikes.
Applying This to Cybersecurity: If Janet in accounting falls for a phishing test, berating her is counterproductive. Instead, make it a learning opportunity for everyone. Next time, she might be the one to spot a real phishing attempt and save your business.
Practical Implementation:
- "Lessons learned" sessions, not "who screwed up" meetings
- Focus on systems and processes, not individuals
- Reward reporting of near-misses
- Share failures anonymously when needed
- Celebrate catches of suspicious activity
The Payoff: Fear doesn't work. Education does. When people feel safe reporting potential issues, you catch problems early, before they become breaches.

Summary and Call to Action (20:45 - 21:37)
Sometimes the best way to secure your business is by studying the worst failures out there and doing the opposite.
Key Principles:
- Traditional benchmarking can lead SMBs astray
- Reverse benchmarking provides a genuine security advantage
- Study disasters: Target, Colonial Pipeline, holiday park ransomware
- Build it into regular practice, not a one-off exercise
Your Mindset Shift: Think of yourself as the Sherlock Holmes of cyber failures. Every incident is a case study that makes your business smarter. In cybersecurity, boring is good. If nothing's happening, it means your defences are working.
Immediate Actions:
- Start your disaster library this week
- Schedule your first quarterly review session
- Map one recent breach to your business environment
- Implement one lesson learned from this episode
- Share this approach with your team

Resources Mentioned

Statistics and Studies
- National Cyber Security Centre (NCSC): UK SMB breach probability estimates
- Microsoft Security: Compliance vs security research
- Industry reports: 61% of breaches involve third-party access
- Bernard Ma: Quote on benchmarking limitations

Case Studies Referenced
- Target Corporation data breach (2013): HVAC vendor compromise, 40 million cards stolen, $162 million loss
- Colonial Pipeline ransomware (2021): VPN password compromise, $4.4 million ransom, critical infrastructure shutdown
- UK holiday park ransomware: Peak season attack, cash-only operations

UK Regulatory and Advisory Bodies
- National Cyber Security Centre (NCSC): www.ncsc.gov.uk
- Information Commissioner's Office (ICO): www.ico.org.uk

Recommended Reading
- NCSC Weekly Threat Reports
- ICO breach notifications and enforcement actions
- Industry-specific security bulletins
- UK Cyber Security News aggregators

Practical Checklist: Start Your Reverse Benchmarking Practice

This Week:
- Create a folder or document for your "disaster library"
- Sign up for NCSC weekly threat report emails
- Identify three recent breaches in businesses similar to yours
- Schedule your first quarterly "what went wrong" review meeting

This Month:
- Map one major breach to your business environment
- Identify your equivalent vulnerabilities to the mapped breach
- Implement one quick-win lesson from disaster analysis
- Share this approach with your leadership team

This Quarter:
- Hold your first formal reverse benchmarking session
- Build your "anti-playbook" of forbidden approaches
- Establish a no-blame reporting culture for near-misses
- Review and update third-party access controls

Ongoing:
- Weekly review of new breach reports
- Monthly check: "Could this happen to us?"
- Quarterly team review sessions
- Annual comprehensive vulnerability mapping

Questions for Your Team
Use these discussion prompts in your quarterly review sessions:
- Which recent breach in our industry most closely resembles our business model?
- Do we have the same entry points that attackers used in [specific breach]?
- What would be our equivalent business impact if we experienced this type of attack?
- Which quick fixes could we implement this month to avoid similar failures?
- What systemic vulnerabilities do we share with failed organisations?
- Are we making the same assumptions that led to their breach?
- Would our backup and recovery process work in a real crisis?
- Do our third-party vendors have access they don't need?
- Where are we relying on compliance rather than actual security?
- What's our single point of failure that resembles their weakness?

Next Episode Preview
Episode 30: The Office Printer Hacker Saga
Yes, office printers are a genuine security risk. Sounds hilarious, but it's genuinely scary. We'll explore why that seemingly innocent device in the corner is actually a network-connected computer with hard drives, stored documents, and often the same default admin password it shipped with. You'll discover the printer botnet that attacked an entire city, the university students who made campus printers output memes, and why your MFP (multi-function printer) knows more about your business than you'd be comfortable with. If you think printers are just about paper jams and toner costs, this episode will open your eyes to why printer security belongs in your threat model. Subscribe so you don't miss it.

Share Your Story
Have you learned from a cybersecurity blunder, either your own or someone else's? We'd love to hear about it. Send your story to us (anonymously if you prefer), and we might feature it in a future episode. Got a cybersecurity dilemma keeping you up at night? Send it our way. We'll tackle it in our down-to-earth style in upcoming episodes.

Connect With The Show
- Subscribe: Available on Apple Podcasts, Spotify, and all major podcast platforms
- Leave a Review: Your reviews help other small business owners find practical cybersecurity advice
- Website: thesmallbusinesscybersecurityguy.co.uk
- Email: hello@thesmallbusinesscybersecurityguy.co.uk

Legal Disclaimer
The views and opinions expressed in this podcast are those of the hosts and do not necessarily reflect the official policy or position of any organisations they work for, employers, advertisers, sponsors, or any other entities connected to the show.

This podcast is for general educational and informational purposes only. It should not be treated as professional advice tailored specifically to your business circumstances. Your situation is unique, and you should consult with qualified cybersecurity professionals before implementing significant changes to your systems.

Whilst we strive to keep all information accurate and current, the cybersecurity landscape evolves rapidly. Always verify critical technical details with qualified professionals before making major decisions. We cannot accept liability for any losses or problems that may result from following the suggestions in this podcast.
Please think of us as knowledgeable colleagues sharing insights, not contracted consultants providing formal advice. When in doubt, get a second opinion from someone who can assess your specific situation. Copyright © 2025 The Small Business Cyber Security Guy. All rights reserved. Episode Tags #Cybersecurity #SmallBusiness #ReverseBenchmarking #CyberThreats #DataBreach #UKBusiness #SMBSecurity #InformationSecurity #ThreatIntelligence #SecurityStrategy #BusinessProtection #CyberResilience #RiskManagement #SecurityPodcast #UKCyber #NCSC #ThirdPartyRisk #ComplianceVsSecurity #CyberEducation #BusinessContinuity
In this provocative second instalment of the accountability series, hosts Noel Bradford and Mauven MacLeod lay out a detailed proposal for a UK cybersecurity enforcement regime that balances protection for small businesses with personal liability for negligent directors. They compare the current weak regulatory approach to the Health and Safety Executive model, cite international evidence from Singapore, and explore why criminal consequences — up to fines, disqualification and, in extreme cases, prison — might be necessary to change boardroom behaviour. The episode explains a three-tier framework: Tier 1 (micro and small businesses) protected by Cyber Essentials and criminal liability only for gross negligence; Tier 2 (25–250 employees) required to follow industry-reasonable practice with qualified oversight and documented policies; and Tier 3 (large organisations and public sector) held to the highest standards (ISO/SOC) with lower thresholds for prosecution. The hosts walk through concrete, measurable standards, outcome-based testing, and safe-harbour defences for businesses that engage accredited advisors. Key technical and organisational measures discussed include Cyber Essentials, MFA, patching and backups, incident response plans, staff training, qualified security oversight (fractional CISOs or accredited MSPs), and government-approved lists of assessors. The episode stresses practical testing — inspectors verifying controls actually work — to prevent compliance theatre and ensure certificates match reality. Noel and Mauven outline a phased five-year implementation pathway: publication and guidance, data collection and mandatory reporting, staged enforcement beginning with large organisations, then medium businesses, and finally full enforcement — all accompanied by funded support programs, subsidies, and free advisory services to help firms comply. 
Costs, benefits and market effects are examined: basic Tier 1 protections are framed as affordable (Cyber Essentials, free MFA), while stronger governance yields lower insurance premiums, preferential procurement, and overall reduced breach costs. The hosts discuss the need to upskill the ICO into a technically capable enforcement agency, political and industry pushback, and international alignment with EU, Singapore and Australia precedents. The episode closes with a call to action for listeners: implement the basics now (Cyber Essentials, MFA, updates), pressure MPs and industry bodies for proportionate enforcement, and spread the conversation. Expect debates about proportionality, false positives, and safeguarding SMEs, but the central case is clear: a calibrated, evidence-based accountability regime could dramatically reduce breaches and force cybersecurity into the boardroom.
What happens when business negligence causes serious harm to thousands of people? If a faulty ladder injures someone, directors face prison time. If forty million people have their data stolen due to poor security, they receive a strongly worded letter.

In this provocative first episode of our two-part series, Noel and Mauven examine the shocking disparity between health and safety enforcement and cybersecurity regulation in the UK. We compare the HSE's tough approach (prison sentences, director liability, millions in fines) with the ICO's gentle touch (guidance, occasional fines, zero criminal consequences). With 40 million voter records compromised at the Electoral Commission resulting in just a formal reprimand, whilst construction directors regularly face 18-month prison sentences for single workplace accidents, we ask the uncomfortable question: why is cybersecurity enforcement essentially performative?

This isn't anti-business rhetoric. This is an evidence-based examination of a broken system that fails to protect either businesses or the public, presented through statistics, case studies, and historical precedent that demonstrate personal accountability is effective.

What You'll Learn

The Two Regulators: A Tale of Vastly Different Consequences
- Why HSE directors face up to 2 years imprisonment, whilst the ICO never imposes criminal penalties
- How HSE issued 13,424 enforcement notices and 399 prosecutions in 2023-24
- Why the ICO issued just £2.7 million in total UK fines, whilst EU regulators issued over £1 billion
- The legal frameworks that create this enforcement gap

The Public-Private Accountability Divide
- Electoral Commission breach: 40 million records compromised, 14 months of hostile state access, consequence: formal reprimand
- Construction site failures: single injuries lead to prison sentences and director disqualifications
- Why government organisations face minimal consequences for security failures
- The message this sends about who matters and who doesn't

Historical Context: How HSE Transformed Workplace Safety
- 85% reduction in workplace fatalities since the Health and Safety at Work Act 1974
- How personal criminal liability changed director behaviour overnight
- The construction industry transformation from dangerous to safety-conscious
- Evidence that accountability actually works when properly enforced

Arguments Against Director Liability (And Why They Fail)
- "Security is too complex for criminal standards" - why this doesn't hold up
- "Small businesses can't afford proper security" - HSE already handles proportionate enforcement
- "Innovation will suffer" - data showing the opposite effect in the safety sector
- "Current system works fine" - statistics proving it demonstrably doesn't

The Current State of Inertia
- Why ICO enforcement focuses on "guidance and support" over punishment
- Political pressure keeps cybersecurity consequences minimal
- Business lobby resistance to accountability measures
- The broken incentive structure that rewards negligence

Key Statistics Referenced

HSE Enforcement 2023-24:
- 13,424 enforcement notices issued
- 399 prosecutions brought
- £73.8 million in fines
- Regular prison sentences (average 12-18 months for serious breaches)

ICO Enforcement 2023-24:
- £2.7 million total fines across all UK GDPR violations
- Zero prison sentences imposed
- Zero director disqualifications
- Focus on "guidance and support" over punishment

Electoral Commission Breach:
- 40 million UK voter records compromised
- The hostile state actor maintained access for 14 months
- Basic security failures: poor patching, weak passwords, inadequate monitoring
- Consequence: Formal reprimand only

Impact Statistics:
- 85% reduction in workplace fatalities since the Health and Safety at Work Act 1974
- EU regulators issued over £1 billion in GDPR fines (vs the UK's £2.7 million)
- Keymark Construction director: 18 months' prison for fatal fall (2023)

Notable Cases Discussed

Health and Safety Enforcement
- Keymark Construction (2023): Director sentenced to 18 months imprisonment following fatal fall due to inadequate safety measures
- Corporate Manslaughter Act 2007: Multiple organisations convicted when management failures caused death

Cybersecurity Non-Enforcement
- Electoral Commission (2023-24): 40 million voter records compromised by hostile state actor, 14 months of system access, consequence was formal reprimand with no financial penalty or personal liability
- British Airways GDPR Fine: Initially £183 million, reduced to £20 million, no director consequences despite preventable security failures

Why This Matters for Small Businesses

This isn't about attacking business owners. It's about exposing a system that fails everyone:
- Honest businesses suffer when competitors cut security corners without consequences
- Directors lack incentive to invest in security when breaches only result in fines the company pays
- Small businesses become collateral damage when larger organisations treat security as optional
- The current approach demonstrably doesn't work - breaches increase year on year despite ICO "guidance"

Understanding this enforcement gap helps you see why cybersecurity culture hasn't undergone the same transformation as workplace safety culture. Part 2 will explore what accountability with teeth would actually look like, and how to protect SMEs whilst implementing it.

Resources Mentioned
- HSE Annual Report 2023-24: Full enforcement statistics and prosecution details
- ICO Enforcement Data: Annual reports showing UK GDPR fine totals
- Health and Safety at Work Act 1974: Foundation legislation that transformed UK workplace safety
- Corporate Manslaughter and Corporate Homicide Act 2007: Criminal liability framework for organisations
- Electoral Commission Breach Report: Technical details of 14-month compromise
- EU GDPR Enforcement Tracker: Comparison of UK vs European enforcement approaches

Hosts

Noel Bradford: 40+ years in IT/Cybersecurity across enterprise and SMB sectors. Former Intel, Disney, BBC. Current CIO/Head of Technology for boutique security-first MSP. Brings enterprise-level knowledge to small business constraints.

Mauven MacLeod: Ex-NCSC Government Cybersecurity Analyst with deep threat intelligence expertise. Glasgow-based security professional who translates complex government-level security concepts into practical SMB advice.

Coming in Part 2

"What If Cyber Had Corporate Manslaughter? The Case for Personal Liability"

We'll explore:
- Specific legislative framework for "Corporate Cyber Manslaughter"
- SME protection mechanisms (proportionate thresholds)
- How other countries successfully implement director liability
- Expected cultural transformations
- Practical compliance guidance
- What "reasonable care" actually means for small businesses

Take Action
- Share Your Thoughts: Should directors face criminal liability for gross cybersecurity negligence? Comment on our website or social media.
- Prepare for Part 2: Start thinking about what security measures you currently have in place. Could you demonstrate "reasonable care" if asked?
- Review Your Security: Whilst we wait for better enforcement, don't wait to improve your security. Free resources are available from NCSC.
- Subscribe: Make sure you don't miss Part 2, where we build the case for what enforcement with teeth would actually look like.
- Forward This Episode: Every business owner needs to understand why the current system fails them.

Episode Details
- Runtime: 42 minutes
- Release Date: November 17th 2025
- Series: Part 1 of 2
- Category: Cybersecurity, Business, Technology, Policy
- Content Warning: Discussion of regulatory failures, system criticism, and calls for significant policy change. Evidence-based but provocative examination of current enforcement approaches.

Connect With Us
- Website: thesmallbusinesscybersecurityguy.co.uk
- LinkedIn: [The Small Business Cyber Security Guy]
- Email: hello@thesmallbusinesscybersecurityguy.co.uk

Tags
#Cybersecurity #SmallBusiness #UKBusiness #DataProtection #ICO #HSE #RegulatoryEnforcement #DirectorLiability #GDPR #BusinessSecurity #CyberAccountability #SecurityPolicy #UKRegulation #DataBreach #ElectoralCommission #CorporateManslaughter #BusinessCompliance #CyberGovernance #SecurityLeadership #RiskManagement

Transcript
Full episode transcript available on our website at thesmallbusinesscybersecurityguy.co.uk

Support the Show
If this episode opened your eyes to the enforcement gap, please:
- Leave a 5-star review on Apple Podcasts
- Share with business owners in your network
- Follow us on LinkedIn for ongoing discussion
- Subscribe to ensure you catch Part 2

Next Episode: Part 2 - What If Cyber Had Corporate Manslaughter?
All Episodes: thesmallbusinesscybersecurityguy.co.uk/podcasts

The Small Business Cybersecurity Guy Podcast offers practical, actionable cybersecurity advice for UK small businesses. We translate enterprise-grade security into affordable, implementable solutions for businesses with 5-50 employees.

Disclaimer: This podcast provides general information and discussion about cybersecurity and business topics. This is not intended as legal, regulatory, or professional advice. Listeners should consult qualified professionals for personalised guidance tailored to their specific circumstances.

© 2025 The Small Business Cyber Security Guy. All rights reserved.
Graham Falkner delivers an authoritative deep dive into November 2025's Patch Tuesday updates, covering the most critical security vulnerabilities affecting businesses of all sizes. This month brings a perfect storm of actively exploited zero-days, critical Exchange Server flaws, and hundreds of patches across Microsoft, Adobe, Oracle, SAP, and third-party vendors. From Windows kernel exploits to e-commerce platform takeovers, November's vulnerability landscape demands immediate attention from IT teams.

Key Topics Covered

Microsoft Security Updates
- 89 total vulnerabilities patched (12 critical, 4 zero-days)
- CVE-2025-0445: Windows Kernel privilege escalation (actively exploited)
- CVE-2025-0334: Chrome V8/Edge JavaScript engine RCE (actively exploited)
- CVE-2025-0078: Exchange Server unauthenticated RCE (CRITICAL - affects Exchange 2016/2019/2022)
- CVE-2025-1789: MSHTML remote code execution via Office documents
- CVE-2025-59287: WSUS vulnerability (9.8 CVSS, actively exploited, required re-release)
- 23 remote code execution vulnerabilities across Windows, Office, and developer tools

Adobe Security Updates
- 35+ vulnerabilities patched across multiple products
- CVE-2025-54236: Adobe Commerce/Magento input validation flaw (9.1 CVSS, actively exploited, Priority 1)
- CVE-2025-49553: Adobe Connect XSS vulnerability (9.3 CVSS)
- Patches for Illustrator, FrameMaker, Photoshop, InDesign, Animate, Bridge, Substance 3D

Oracle Critical Patch Update (October 2025)
- 374 new security patches addressing ~260 unique CVEs
- CVE-2025-61882: Oracle E-Business Suite zero-day (exploited by ransomware groups)
- 73 patches for Oracle Communications (47 remotely exploitable without authentication)
- 20 patches for Fusion Middleware (17 remote unauthenticated)
- 18 fixes for MySQL
- Updates for PeopleSoft, JD Edwards, Siebel, Oracle Commerce, Database Server

SAP Security Updates
- 18 new security notes plus 1 updated note
- CVE-2025-42890: SQL Anywhere Monitor hardcoded credentials (10.0 CVSS - PERFECT SCORE)
- CVE-2025-42887: SAP Solution Manager code injection (9.9 CVSS)
- CVE-2025-42944: NetWeaver Java insecure deserialisation (updated patch)
- CVE-2025-42940: CommonCryptoLib memory corruption

Mozilla Firefox Updates
- Firefox 145.0 released November 11th
- 15 security vulnerabilities fixed (8 high impact)
- New anti-fingerprinting measures halving trackable users
- Memory safety and sandbox escape prevention

Apple Security Updates
- iOS/iPadOS 17.1 and macOS 14.1 released
- 100+ vulnerabilities patched across iPhones, iPads, Macs
- Critical kernel and WebKit bugs fixed
- Zero-click exploit prevention

Google Security Updates
- Chrome 142 with 5 security bug fixes
- Android November 2025 bulletin (patch level 2025-11-01)
- CVE-2025-48593 and CVE-2025-48581 affecting Android 13-16

Third-Party Critical Vulnerabilities
- WordPress Post SMTP plugin: CVE-2025-11833 (9.8 CVSS, actively exploited, 200,000+ sites affected)
- WatchGuard Firebox: CVE-2025-9242 (critical out-of-bounds write, 75,000 devices exposed)
- Cisco IOS/XE routers: CVE-2025-20352 (SNMP service, actively exploited for rootkit deployment)

Critical Action Items for Businesses

IMMEDIATE (Deploy Within 24-48 Hours)
- Microsoft Exchange Server - Apply CVE-2025-0078 patch or isolate internet-facing servers
- Adobe Commerce/Magento - Deploy CVE-2025-54236 hotfix immediately if running Magento
- Windows Kernel - Patch CVE-2025-0445 zero-day exploit
- Edge/Chrome - Update browsers to address CVE-2025-0334
- Oracle E-Business Suite - Verify CVE-2025-61882 patch deployed
- WordPress Post SMTP - Update to v3.6.1 or remove plugin
- Cisco routers - Apply CVE-2025-20352 patches and check for compromise

HIGH PRIORITY (Deploy Within 1 Week)
- SAP systems - Apply critical patches for CVE-2025-42890 and CVE-2025-42887
- WSUS servers - Verify CVE-2025-59287 patch installed correctly
- Adobe Connect - Update to version 12.10
- Firefox, Chrome, Edge - Deploy browser updates organisation-wide
- Android devices - Deploy November 2025 security bulletin
- WatchGuard Firebox - Apply CVE-2025-9242 patch

STANDARD PRIORITY (Deploy Within 2-4 Weeks)
- All other Microsoft patches - Complete Windows and Office updates
- Adobe Creative Suite - Update Illustrator, Photoshop, InDesign, etc.
- Oracle - Complete October CPU deployment across all Oracle products
- SAP - Apply remaining security notes across SAP landscape

CVE Quick Reference

| CVE ID | Vendor | Severity | Status | Product |
|---|---|---|---|---|
| CVE-2025-0445 | Microsoft | Critical | Actively Exploited | Windows Kernel |
| CVE-2025-0334 | Microsoft | Critical | Actively Exploited | Edge/Chrome V8 |
| CVE-2025-0078 | Microsoft | Critical | Not Exploited Yet | Exchange Server |
| CVE-2025-1789 | Microsoft | Critical | Not Exploited Yet | MSHTML |
| CVE-2025-59287 | Microsoft | Critical (9.8) | Actively Exploited | WSUS |
| CVE-2025-54236 | Adobe | Critical (9.1) | Actively Exploited | Magento/Commerce |
| CVE-2025-49553 | Adobe | Critical (9.3) | Not Exploited Yet | Adobe Connect |
| CVE-2025-61882 | Oracle | Critical | Actively Exploited | E-Business Suite |
| CVE-2025-42890 | SAP | Critical (10.0) | Not Exploited Yet | SQL Anywhere Monitor |
| CVE-2025-42887 | SAP | Critical (9.9) | Not Exploited Yet | Solution Manager |
| CVE-2025-11833 | WordPress | Critical (9.8) | Actively Exploited | Post SMTP Plugin |
| CVE-2025-20352 | Cisco | High | Actively Exploited | IOS/XE SNMP |
| CVE-2025-9242 | WatchGuard | Critical | Not Exploited Yet | Firebox Firewalls |

Resources & Links

Vendor Security Bulletins
- Microsoft Security Update Guide: https://msrc.microsoft.com/update-guide
- Adobe Security Bulletins: https://helpx.adobe.com/security.html
- Oracle Critical Patch Updates: https://www.oracle.com/security-alerts/
- SAP Security Notes: https://support.sap.com/securitynotes
- Mozilla Security Advisories: https://www.mozilla.org/security/advisories/
- CISA Known Exploited Vulnerabilities: https://www.cisa.gov/known-exploited-vulnerabilities-catalog

Patch Tuesday Resources
- Microsoft Tech Community: https://techcommunity.microsoft.com/
- Patch Tuesday Dashboard: https://patchtuesdaydashboard.com/
- Security Week Patch Tuesday Coverage: https://www.securityweek.com/

Small Business Cybersecurity Resources
- Blog: https://thesmallbusinesscybersecurityguy.co.uk
- NCSC Small Business Guide: https://www.ncsc.gov.uk/smallbusiness
- Cyber Essentials: https://www.ncsc.gov.uk/cyberessentials

Key Statistics
- 89 Microsoft vulnerabilities patched
- 4 actively exploited zero-days (Microsoft)
- 23 remote code execution flaws (Microsoft)
- 35+ Adobe vulnerabilities fixed
- 374 Oracle security patches
- 18 SAP security notes
- 200,000+ WordPress sites affected by Post SMTP bug
- 75,000 WatchGuard devices exposed online

Narrator

Graham Falkner brings his distinctive voice to The Small Business Cyber Security Guy Podcast's research segments. With a background as a former movie trailer narrator and Shakespearean actor, Graham delivers technical security information with gravitas and authority, providing the factual foundation for Noel and Mauven's practical discussions.

About The Small Business Cyber Security Guy Podcast

The Small Business Cyber Security Guy Podcast translates enterprise-grade cybersecurity into practical, affordable solutions for small and medium businesses. Hosted by Noel Bradford (40+ years IT/cybersecurity veteran) and Mauven MacLeod (ex-NCSC government analyst), the show combines deep technical expertise with authentic British humour to make cybersecurity accessible, actionable, and entertaining.

Target Audience: UK small businesses (5-50 employees) who need practical cybersecurity advice within real-world budget and resource constraints.

Connect With Us
- Website: https://thesmallbusinesscybersecurityguy.co.uk
- Subscribe: Available on Apple Podcasts, Spotify, and all major podcast platforms
- Social Media: Follow us on LinkedIn for daily cybersecurity insights
- Contact: hello@thesmallbusinesscybersecurityguy.co.uk

Help us spread the word about practical cybersecurity for small businesses:
⭐ Subscribe to never miss an episode
⭐ Leave a review on Apple Podcasts or Spotify
⭐ Share this episode with other business owners who need to hear this
⭐ Comment below with topics you'd like us to cover next
⭐ Visit the blog at thesmallbusinesscybersecurityguy.co.uk for written guides and resources

Disclaimer

This podcast provides educational information about cybersecurity topics. While we strive for accuracy, the threat landscape changes rapidly. Information is current as of November 2025 but may become outdated. Always verify patch information with official vendor sources and test updates in your specific environment before deployment. The hosts are not liable for any actions taken based on this information. Always implement cybersecurity measures appropriate to your business needs and risk profile.

Next Episode

Stay tuned for our next episode where Noel and Mauven discuss practical patch management strategies for small businesses, including how to prioritise updates when you can't deploy everything immediately.

- Episode Length: 10-11 minutes
- Difficulty Level: Intermediate to Advanced
- Best For: IT managers, business owners, MSP clients, anyone responsible for patching

The Small Business Cyber Security Guy Podcast - Making Enterprise Cybersecurity Practical for Small Businesses
The Spy Who Monitored Me - Ofcom's VPN Surveillance Farce

Episode Information
- Episode Title: The Spy Who Monitored Me: Ofcom's VPN Surveillance Farce
- Episode Number: Hot Take
- Release Date: 11 November 2025
- Duration: Approximately 18 minutes
- Hosts: Mauven MacLeod & Graham Falkner
- Format: Research segment with heavy sarcasm

Episode Description

Ofcom's monitoring VPNs with a secret AI tool they refuse to name. Because nothing says "liberal democracy" quite like government surveillance of privacy tools.

In this punchy episode, Mauven and Graham dissect TechRadar's exclusive revelation that Ofcom is using an unnamed third-party AI monitoring system to track VPN usage following the Online Safety Act. With 1.5 million daily users allegedly bypassing age verification, the UK's communications regulator has decided the solution is... monitoring everyone.

Spoiler alert: the technology can't distinguish between your accounting manager accessing company systems and someone bypassing age checks. But why let technical limitations get in the way of a good surveillance programme?

We examine the mysterious, unnamed AI tool, the questionable 1.5 million user statistic that appears nowhere in official documents, Section 121's encryption-breaking powers that remain dormant in the Act, and what this means for small businesses using VPNs for legitimate security purposes. If you've ever wondered what it's like when a supposedly liberal democracy starts copying China's approach to internet regulation, this episode is your depressing guide.

Key Topics Covered

The Surveillance Revelation
- Ofcom confirms use of unnamed third-party AI monitoring tool
- TechRadar exclusive: "We use a leading third-party provider" with zero transparency
- Government surveillance of privacy tools sets a dangerous precedent
- Comparison to authoritarian regimes (China, Russia, UAE, Iran)

The Numbers That Don't Add Up
- 1.5 million daily VPN users claim appears nowhere in official Ofcom documents
- No published methodology or verification
- VPN detection cannot determine the intent or legitimacy of use
- Analytics show VPN use is lower in countries with greater online freedom

What Actually Happened on July 25th
- The UK Online Safety Act child safety duties became fully enforceable
- Mandatory "highly effective age assurance" replaced simple checkbox verification
- Proton VPN: 1,400% surge in UK signups within hours
- NordVPN: 1,000% increase in downloads
- ProtonVPN beat ChatGPT to become the #1 free app on Apple UK App Store

The Small Business Nightmare
- Business VPNs are essential security hygiene for remote work
- Ofcom's monitoring cannot distinguish legitimate business use from circumvention
- Undisclosed data collection creates unknowable privacy risks
- GDPR compliance implications when the government monitors your security tools

Section 121: The Spy Clause
- Powers to require client-side scanning of encrypted communications
- Government promises not to use "until technically feasible"
- Cryptography experts: impossible without destroying encryption
- Apple shelved similar plans in 2021
- Signal and WhatsApp threatened to leave the UK market

The Authoritarian Playbook in Action
- Scope creep within days: blocking parliamentary speeches, news coverage, forums
- A cycling forum shut down due to compliance costs
- Small platforms are closing rather than face a compliance nightmare
- Chilling effect on legitimate content and discussion

International Surveillance Creep
- 25 US states passed similar age verification laws
- EU debating Chat Control (mandatory encrypted message scanning)
- Australia is implementing age verification for search engines
- Legislative arms race using "protecting children" as a universal justification

What Small Business Owners Must Do
- Document all VPN usage for legitimate business purposes
- Maintain VPN security protocols despite surveillance theatre
- Get legal advice if operating any platform with user-generated content
- Fines up to £18 million or 10% of global revenue
- Criminal liability for senior managers

The GDPR Compliance Paradox
- How do you assess data protection risks from secret surveillance tools?
- Opacity makes compliance verification impossible
- Government monitoring creates unassessable risks to customer data

Resources & Links Mentioned

Primary Source
- TechRadar Exclusive: Ofcom is monitoring VPNs following Online Safety Act

Key Organisations Quoted
- Open Rights Group - James Baker's comments on surveillance precedent
- Check Point Software - Graeme Stewart's comparison to China, Russia, and Iran

Government Resources
- Online Safety Act 2023 - UK Government legislation
- Ofcom Online Safety Guidance - Hundreds of pages of vague compliance requirements
- Section 121 - Client-side scanning provisions ("spy clause")

VPN Statistics Sources
- Proton VPN: 1,400% surge report
- NordVPN: 1,000% increase report
- Apple UK App Store rankings: July 25-27, 2025

Related Coverage
- Petition to Repeal Online Safety Act: 550,000+ signatures
- Peter Kyle (UK Technology Secretary) statement on critics
- Parliamentary debate triggered by petition threshold

Additional Reading
- GDPR compliance implications of government surveillance
- Cryptography expert analysis of client-side scanning
- Apple's 2021 decision to shelve client-side scanning plans
- Signal and WhatsApp statements on Section 121

Key Quotes from Episode

Mauven: "Nothing says 'liberal democracy' quite like government agencies tracking privacy tools. What's next, monitoring who buys curtains?"

Graham: "Train its models. That's AI speak for 'we're hoovering up data and hoping the algorithm figures it out.' As a former actor, I can recognise corporate theatre when I see it."

Mauven: "The 1.5 million number appears exclusively in media reports citing 'Ofcom estimates.' It's like citing your mate Dave as a source on quantum physics."

Graham: "So Ofcom creates a law that makes people deeply uncomfortable about their privacy, people respond by protecting their privacy, and Ofcom's solution is to monitor those privacy tools? It's like putting cameras in the changing rooms to make sure people aren't being indecent."

Mauven: "James Baker from the Open Rights Group nailed it when he told TechRadar that VPN monitoring sets 'a concerning precedent more often associated with repressive governments than liberal democracies.'"

Graham: "Peter Kyle, the UK Technology Secretary, literally said critics of the Online Safety Act are 'on the side of predators.' That's not policy debate. That's emotional blackmail designed to shut down legitimate concerns about civil liberties."

Mauven: "George Orwell is looking at this thinking 'bit on the nose, isn't it?'"

Action Items for Small Business Owners

Immediate Actions

Document VPN Usage
- List which employees use VPNs
- Document business purposes for encrypted connections
- Maintain evidence of legitimate use for potential regulatory action

Maintain Security Protocols
- Continue using VPNs for remote work security
- Don't let surveillance theatre compromise actual cybersecurity
- Protect against real threats (ransomware, phishing, etc.)

Assess Platform Compliance
- If you operate any online platform, forum, or user-generated content site, get legal advice immediately
- Understand the massive fines (£18m or 10% of global revenue) and criminal liability

Ongoing Monitoring

Stay Informed
- Section 121 could be activated at any time
- EU Chat Control could affect European operations
- US state laws are proliferating rapidly
- Monitor regulatory developments actively

Engage Politically
- Contact your MP about the surveillance of privacy tools
- Reference the 550,000+ signature petition
- Make it clear that this is unacceptable in a democracy
- Push back before surveillance becomes normalised

GDPR Compliance Review
- Assess how government VPN monitoring affects data protection obligations
- Document that opacity makes risk assessment impossible
- Consult legal counsel on compliance implications

Visual Elements (for YouTube/Video)
- Screenshot: TechRadar exclusive article headline
- On-screen text: "1.5 million daily VPN users" with question mark
- Comparison graphic: VPN use in free vs. authoritarian countries
- Timeline graphic: July 25th enforcement → VPN surge → Ofcom monitoring
- Text overlay: Section 121 "spy clause" powers
- Map graphic: International surveillance legislation spread (UK, US, EU, Australia)
- Infographic: Small business action checklist

Key Themes
- Government surveillance of privacy tools in a supposed liberal democracy
- Technical limitations make monitoring ineffective at its stated purpose
- Scope creep from child protection to political content blocking within days
- Small businesses caught in a surveillance net designed for age verification
- International trend toward authoritarian internet regulation models
- GDPR compliance paradox when government creates unknowable privacy risks
- Practical cybersecurity must continue despite surveillance theatre
- Political engagement essential before normalisation occurs

Tone & Style Notes
- Heavy sarcasm throughout - serious WTF tone without profanity
- Incredulous questioning of government logic and transparency
- Dark humour about dystopian surveillance implications
- Technical precision in explaining what monitoring can/cannot do
- Practical focus on small business implications
- Political urgency without becoming preachy
- Professional scepticism balanced with actionable guidance

CTAs (Calls to Action)

Primary CTAs
- Subscribe wherever you get your podcasts
- Share with other small business owners who need this information
- Leave a review if you found this episode useful (or terrifying)
- Visit the blog at thesmallbusinesscybersecurityguy.co.uk for the full breakdown with sources

Secondary CTAs
- Drop a comment with questions about VPN security or regulatory compliance
- Contact your MP about surveillance of privacy tools
- Sign the petition to repeal the Online Safety Act (if not already done)
- Document your VPN usage for legitimate business purposes starting today

Social Media Hashtags
#OnlineSafetyAct #VPNSurveillance #CyberSecurity #SmallBusinessSecurity #DigitalPrivacy #GDPR #UKTech #Section121

Next Episode Setup
[To be determined based on episode schedule]

Potential follow-ups:
- Deep dive on Section 121 and encryption threats
- GDPR compliance strategies in surveillance environment
- International comparison: UK vs.
other countries' approaches Interview with digital rights expert on fighting surveillance creep Practical VPN selection and configuration for small businesses Production Notes Technical Specifications Duration: Approximately 10 minutes Word Count: 1,847 words Format: Two-host conversation (Mauven & Graham) Tone: Punchy, sarcastic, serious WTF energy Language: UK spelling and grammar throughout Profanity: None (despite heavy sarcasm) Research Verification All statistics verified against multiple sources TechRadar article quotes confirmed accurate Government legislation references checked VPN provider surge numbers from official company statements Expert quotes verified from named sources No unverified claims included Character Dynamics Mauven MacLeod: Ex-NCSC analyst, brings government cybersecurity expertise Graham Falkner: Former actor/narrator, handles research segments Natural professional banter with pub conversation energy Shared incredulity at government surveillance overreach Complementary expertise: technical precision + narrative delivery Content Strategy Small business cybersecurity focus maintained throughout Practical implications prioritized over abstract privacy philosophy Action items clear and immediately implementable Balances outrage with constructive guidance Positions podcast as authoritative voice on UK cybersecurity policy SEO Keywords Ofcom VPN monitoring Online Safety Act surveillance UK VPN usage 2025 Business VPN security Section 121 encryption Small business cybersecurity UK GDPR VPN compliance Government VPN tracking Age verification VPN UK internet surveillance Related Episodes [To be linked as series develops] Potential related content: Online Safety Act initial coverage (if previously covered) GDPR compliance series VPN security best practices Encryption fundamentals Remote work security Episode Tags Topics: VPN Surveillance, Online Safety Act, Ofcom, Government Monitoring, Privacy, Encryption, Section 121, Age Verification, GDPR, 
Small Business Security Category: Technology, Cybersecurity, Privacy, Government Policy, Business Difficulty Level: Intermediate (technical concepts explained accessibly) Target Audience: Small business owners (5-50 employees), IT managers, privacy advocates, UK businesses Geographic Focus: United Kingdom (with international context) Credits Hosts: Mauven MacLeod, Graham Falkner Research: Advanced web research on Ofcom VPN monitoring Script: Based on TechRadar exclusive and verified sources Production: Graham Falkner Music: The Small Business Cyber Security Guy Disclaimer This podcast episode provides commentary and analysis on publicly reported information about UK government surveillance policies. Nothing in this episode constitutes legal advice. Small business owners should consult qualified legal counsel regarding compliance with the Online Safety Act and related regulations. The opinions expressed are those of the hosts and do not represent legal or professional advice. All statistics and quotes have been verified against multiple sources and represent information available as of the episode recording date. The regulatory landscape continues to evolve rapidly. Blog Post Companion Full written breakdown available at: thesmallbusinesscybersecurityguy.co.uk Blog post should include: Complete source list with hyperlinks Detailed analysis of Section 121 implications Step-by-step VPN documentation guide for businesses GDPR compliance checklist Template for MP correspondence Updated information on the petition and parliamentary response International comparison chart Technical explainer: How VPN detection works (and doesn't work) Additional expert commentary Community discussion forum Last Updated: [Date] Version: 1.0 Status: Ready for production
In this episode of the Small Business Cybersecurity Guide, hosts Noel Bradford and Mauven MacLeod are joined by Mark Bell from Authentrend (episode sponsor) to explain why the mobile phone, long promoted as a convenient authentication tool, can be one of the weakest links in your business security. Using real-world examples, including a recent breach of a 15-person firm that relied on SMS one-time passwords, the trio outlines how simple attacks, such as SIM swapping and code interception, make SMS and many authenticator app workflows vulnerable to targeted attackers. The hosts define multi-factor authentication in plain terms and introduce FIDO2/passkeys and hardware security keys as effective, phishing-resistant alternatives. Mark describes how hardware keys utilise public-key cryptography and local biometric verification (fingerprint on the key), ensuring that private credentials never leave the device, thereby preventing attackers from reusing intercepted codes or tricking users into authenticating to fake sites.

Practical implementation advice is covered in detail: start with a risk assessment, deploy keys in phases (prioritise privileged accounts and executives), run a pilot with high-risk users, and require at least two keys per user for redundancy. They discuss costs (roughly £45 per key, with a 10-year lifespan), the productivity and help-desk savings from passwordless authentication, the effects on cyber insurance and compliance (including Cyber Essentials updates and the gap between compliance and proper protection), and strategies for legacy systems and remote workers. The episode also highlights human factors, including making authentication easy to use (biometric keys), providing clear training and internal champions, and anticipating user resistance, which can be managed through leadership buy-in and phased rollouts.

Listeners are urged to assess their critical accounts, prioritise hardware keys for high-risk users, and run a small pilot rather than waiting for discounts — because, as the guests stress, hardware keys can stop roughly 80% of credential-based breaches in practice.

Guests and links: Noel Bradford and Mauven MacLeod (hosts), with guest Mark Bell from Authentrend. The show notes include links to Authentrend products, NCSC guidance on passkeys and FIDO2, and step-by-step implementation resources for small businesses.
On October 19th, 2025, four men dressed as construction workers stole €102 million in French crown jewels from the Louvre Museum in just seven minutes. The heist was poorly executed—thieves dropped items and failed to target the most valuable pieces—yet they succeeded spectacularly. Why? Because the world's most visited museum had been ignoring basic cybersecurity warnings for over a decade.

In this hot take, Noel Bradford examines the shocking details that emerged after the heist: the password to the Louvre's video surveillance system was "LOUVRE." Security software was protected by "THALES" (the vendor's name). Windows 2000 and Server 2003 systems were still in operation years after support ended. And a 2015 security audit with 40 pages of recommendations won't be fully implemented until 2032.

This episode examines the consequences of institutions ignoring expert warnings, the importance of accountability, and what UK small businesses can learn from a €102 million failure. Spoiler: if your security is better than the Louvre's, you're doing something right.

Key Message: Security failures often begin long before the day of the breach. They start years earlier when warnings go unaddressed.

Key Takeaways
• The Louvre's password was "LOUVRE." If one of the world's most prestigious institutions used the building's name as its surveillance system password, your organisation probably has similar problems.
• Ten years of warnings, zero action - ANSSI identified critical vulnerabilities in 2014. Security upgrades recommended in 2015 won't be completed until 2032. Ignoring expert advice is organisational negligence.
• Resources aren't the problem - The Louvre had budget, expertise, and free government audits. They chose to prioritise palace restoration (€60M) over security infrastructure. It's about priorities, not resources.
• Hardware authentication solves password problems - FIDO2 security keys can't be guessed, phished, or compromised through weak passwords. At £30-50 per key, they're cheaper than one day of operational disruption.
• The accountability gap enables negligence - Government institutions face no consequences for catastrophic security failures, while UK SMBs receive ICO fines and potential closure for less. This double standard undermines security culture.
• Your security might be better than that of the Louvre - If you've enabled MFA, run supported operating systems, and have basic password policies, you're already ahead of a museum protecting the Mona Lisa. That's encouraging and concerning.
• Security failures often begin years before a breach - The October 2025 heist was made possible by decisions (or non-decisions) that stretched back to 2014. Prevention requires consistent action, not crisis response.

Case Studies Referenced
The Louvre Heist (October 2025)
• Incident: €102 million in French crown jewels stolen in 7 minutes
• Root causes: Password "LOUVRE" for surveillance, outdated systems (Windows 2000/Server 2003), unmonitored access points
• Audit history: 2014 ANSSI audit identified vulnerabilities, 2015 audit provided 40-page recommendations
• Accountability: Director retained position, no terminations, Culture Minister initially denied security failure
• Timeline: Security upgrades recommended in 2015 won't be completed until 2032
KNP Logistics (Referenced)
• Industry: East Yorkshire haulage firm
• Incident: Ransomware attack, £850,000 ransom demand
• Outcome: Couldn't pay, business entered administration, 70 jobs lost
• Contrast: Small business faces closure; national institution faces no consequences
Electoral Commission (Referenced)
• Incident: Data breach affecting 40 million UK voters
• Outcome: No job losses, no significant consequences
• Relevance: Government accountability gap vs private sector enforcement

About The Host
Noel Bradford brings over 40 years of IT and cybersecurity experience across enterprise and SMB sectors, including roles at Intel, Disney, and BBC. Currently serving as CIO and Head of Technology for a boutique security-first MSP, Noel specialises in translating enterprise-grade cybersecurity expertise into practical, affordable solutions for UK small businesses with 5-50 employees. His philosophy centres on "perfect security is the enemy of any security at all," focusing on real-world constraints and actionable advice over theoretical discussions. Noel's direct, no-nonsense approach has helped "The Small Business Cyber Security Guy Podcast" achieve Top 90 Business Podcast status in the USA and Top 170 in the UK, with a unique cross-Atlantic audience (47% American, 39% British).

Legal & Disclaimer
The information provided in this podcast is for educational and informational purposes only and should not be construed as professional cybersecurity, legal, or financial advice. Listeners should consult qualified professionals for guidance specific to their circumstances. Product and service mentions, including sponsors, are provided for informational purposes. The host and podcast do not guarantee results from implementing suggested strategies or using mentioned products. All case studies and incidents discussed are based on publicly available information and reporting. Facts are verified against multiple authoritative sources before publication. © 2025 The Small Business Cyber Security Guy Podcast. All rights reserved.

Credits
• Host: Noel Bradford
• Production: The Small Business Cyber Security Guy Productions
• Editing: Noel Bradford
• Research: Graham Falkner
• Show Notes: Graham Falkner
• Special Thanks: ANSSI (for their audit work that we wish the Louvre had acted upon), Libération journalist Brice Le Borgne (for his investigative reporting), and UK small businesses everywhere who take security more seriously than world-famous museums apparently do.

Episode Tags
#Cybersecurity #SmallBusiness #UKBusiness #PasswordSecurity #Louvre #DataBreach #HardwareAuthentication #FIDO2 #CyberAccountability #InformationSecurity #RiskManagement #SMBSecurity #CyberNews #HotTake #BusinessPodcast

Next Episode: Coming Soon - Criminal Accountability for Cybersecurity Negligence (Two-Part Series)
Average Episode Downloads: 3,000+ per day at peak
Listener Demographics: 47% USA, 39% UK, 14% Other
Target Audience: UK SMBs with 5-50 employees
In this episode Graham and Mauven break down a major overhaul to Cyber Essentials coming into force from April 2026. The hosts explain the headline change — mandatory multi-factor authentication (MFA) for every cloud service with no loopholes — and how the scheme has tightened scoping so any internet-connected service or system that processes company data is now in scope. Topics covered include the new emphasis on passwordless authentication (passkeys, FIDO2 hardware keys, and biometrics), why the NCSC is pushing these technologies, and the practical security benefits and limits of passwordless solutions. They also discuss the real-world impact on small businesses: thousands currently relying on weak passwords or shadow IT will face failed assessments, unsupported software will trigger instant fails, and many firms will need to budget for MFA where it’s not free. Graham and Mauven share concrete, actionable advice for listeners: inventory every cloud service (including forgotten Dropbox or personal Gmail accounts used for work), involve the whole team, enable MFA everywhere possible (and budget for paid options), collect and document evidence (screenshots, logs), map networks and implement segmentation where needed, and plan early to avoid rush and audit pain. Key takeaways: the bar is being raised to reduce simple attacks, passwordless is being validated as a practical option, expect a drop in pass rates at renewal time, and businesses should start preparing now or face chaotic assessment outcomes. Hosts: Graham Falkner and Mauven MacLeod.
What if I told you there’s a laboratory in Switzerland where scientists are building computers from living human neurons?

Sounds like science fiction, right? But it’s happening right now, and the energy crisis driving this research is about to affect every small business owner’s cloud computing bills.

In this episode, Noel, Graham, and Mauven explore FinalSpark’s revolutionary biocomputing platform. This Swiss company has created the Neuroplatform, a system using approximately 160,000 living human neurons to perform computational tasks. Their goal? Solving the massive energy consumption problem created by artificial intelligence and modern data centres.

Your brain runs on 20 watts of power. Current AI data centres consume megawatts. FinalSpark claims their biological processors could use a million times less energy than traditional computing. That’s not incremental improvement – that’s fundamental transformation.

But here’s the catch: this technology is still early, really early. So why should small business owners care about laboratory experiments with brain cells? Because the energy costs driving this research are already affecting your Azure bills, your SaaS subscriptions, and your cloud hosting fees. And understanding where technology is heading helps you make better decisions about where to invest your limited resources.

What You’ll Learn
• Why energy consumption in computing matters to small businesses right now
• How FinalSpark’s biocomputing platform actually works (in terms that won’t require a neuroscience degree)
• The realistic timeline for when this technology might affect your business
• What small businesses should actually do about emerging technologies
• The security implications nobody’s talking about yet
• The uncomfortable ethical questions around growing human neurons for computation

Key Quotes
Noel Bradford: “Training a single large AI model produces the same carbon emissions as five cars create during their entire lifetime. And that statistic is from 2019. Modern models like GPT-4 produce 50 to 100 times more emissions than that.”
Graham Falkner: “So naturally they thought, you know what, let’s just use actual neurons instead. Because that’s a perfectly reasonable next step when your silicon experiments don’t work.”
Mauven MacLeod: “Bloody hell. Today’s topic just got properly mental.”
Noel Bradford on timeline: “In the next 12 months, nothing. Ignore biocomputing entirely. Focus on the security basics most businesses are probably still getting wrong.”
On security implications: “How do you secure a computer made from living cells? Do you need to understand neuroscience to exploit vulnerabilities in bioprocessors? If someone breaches a living computer system, is it a cyber attack or biological warfare?”

About FinalSpark
• Founded by: Dr. Martin Kutter and Dr. Fred Jordan
• Location: Vevey, Switzerland
• Previous company: Alpvision (anti-counterfeiting specialists)
• Current project: The Neuroplatform
Research credentials:
• Published peer-reviewed research that reached the top 1% of most-read articles in Frontiers journal
• Providing free access to 10 universities worldwide (36 applications received)
• Created APIs and documentation for remote access
• Built Discord community with 1,200+ members discussing biocomputing
Participating universities:
• University of Michigan
• Free University of Berlin
• University of Exeter
• Lancaster University
• Leipzig University
• University of York
• Oxford Brookes University
• University of Bath
• University of Bristol
• Université Côte d’Azur (France)
• University of Tokyo

Key Facts from the Episode
Energy consumption statistics:
• Data centres consumed 1.5% of global electricity as of 2024
• Projected to reach 3% by 2030
• AI is accelerating growth exponentially
• Meta, Google, and OpenAI are talking about building nuclear power stations
The biocomputing advantage:
• Human brain runs on 20 watts
• Modern AI data centres use megawatts (millions of watts)
• FinalSpark claims million-times efficiency (99.9999% reduction)
• Some sources cite up to billion-times more energy efficient
The Neuroplatform specifications:
• 10,000 living neurons per organoid
• 16 organoids total
• Approximately 160,000 neurons system-wide
• Neurons survive up to 100 days in active use
• Accessible remotely by researchers worldwide

Why This Matters for Small Businesses
Immediate concerns:
• Energy costs always roll downhill to cloud hosting bills and SaaS subscriptions
• AI tools your business uses (Microsoft Copilot, ChatGPT, customer service chatbots) all burn energy
• Every interaction costs carbon, and those costs eventually reach small businesses
Future implications:
• If biocomputing proves viable, benefits arrive through infrastructure improvements
• Your cloud providers incorporate biological processors
• Your costs decrease, capabilities increase
• You won’t buy biocomputers any more than you buy specific processor architectures now
What to watch for (2-5 year timeline):
• Early commercial applications in specialised tasks
• Medical diagnostics applications
• Pattern recognition improvements
• Industry adoption signals

Practical Takeaways for Business Owners
Do these things now:
• Secure current systems properly (multi-factor authentication, proper backups)
• Train staff on cybersecurity basics
• Achieve Cyber Essentials certification
• Build adaptable IT infrastructure
Build awareness:
• Subscribe to technology news sources
• Spend 15 minutes monthly reading about emerging tech
• Build mental models of where technology might head
• Prepare for paradigm shifts
Watch for these milestones:
• Commercial partnerships with major tech companies
• Published benchmarks proving practical advantages
• Scaling demonstrations (thousands of neurons for months)
• Security framework development
• Independent energy validation studies
Remember:
• Mad ideas sometimes win (iPhone, Netflix, electric cars)
• Companies that survive aren’t the ones that predicted the exact future; they’re the ones who built adaptable systems that could pivot
• Focus on fundamentals whilst keeping awareness of emerging tech

Resources Mentioned
FinalSpark:
• Company website and Neuroplatform information
• FinalSpark Butterfly demonstration application (control a virtual butterfly using living neurons)
• Discord community (1,200+ members)
• Academic publications in Frontiers journal
Further reading:
• Full blog post with technical details and source verification available at thesmallbusinesscybersecurityguy.co.uk
• Research papers on biological computing
• Energy consumption studies for AI and data centres

The Uncomfortable Questions We Need to Answer
As Noel, Graham, and Mauven discuss in the episode, biocomputing raises security and ethical questions that nobody has answers for yet:
Security concerns:
• How do you secure computers made from living cells?
• Can you hack biological neural networks?
• Do you need neuroscience expertise to exploit vulnerabilities?
• Is a breach a cyber attack or biological warfare?
• How do you wipe a neuron’s memory? Can you verify data deletion?
• How do you conduct forensic analysis on biological substrates?
Ethical considerations:
• These neurons aren’t conscious or sentient (they’re biological cells performing functions)
• But they’re human neurons grown from human stem cells
• Where’s the ethical line if we can grow larger collections?
• How large before we worry about experiences or consciousness?
• How do we measure consciousness in biological systems grown for computation?
• Should these conversations happen now, before ubiquity?
The hosts emphasise that awareness isn’t the same as answers, but these discussions need to happen before the technology becomes widespread.

What the Hosts Say You Should Actually Do
After 22 minutes of discussing living neurons, Swiss laboratories, and energy crises, the practical advice is refreshingly straightforward: do nothing different, for now at least!

Seriously. Don’t change your technology strategy based on biocomputing research. Instead:
• Secure your current systems properly
• Implement proper backup strategies
• Train your staff on cybersecurity basics
• Achieve Cyber Essentials certification
• Build IT infrastructure that serves your business objectives

Why? Because the exciting developments in biocomputing don’t change the fact that most UK small businesses still haven’t done the tedious, essential security work that prevents 95% of attacks.

As Noel puts it: “The companies that survive aren’t the ones that predicted the exact future. They’re the ones who built adaptable systems that could pivot when the future arrived unexpectedly.”

Next Steps
• Subscribe to the podcast so you don’t miss future episodes exploring where technology is heading and what it means for your business.
• Leave a review if you found this episode valuable. Reviews genuinely help other small business owners find the show. Takes 30 seconds, makes a real difference.
• Share this episode with business owners who need to understand how energy costs are about to affect their cloud computing bills.
• Visit the blog at thesmallbusinesscybersecurityguy.co.uk for the comprehensive write-up with all technical details, source verification, and links to the research.
• Comment with your thoughts: Do you think biocomputing is the future or an expensive dead end? Your questions sometimes become future episodes.

About The Small Business Cyber Security Guy Podcast
Practical cybersecurity advice for UK small businesses, delivered with humour and authentic British personality.
Hosted by:
• Noel Bradford (40+ years in IT, ex-Intel/Disney/BBC, current CIO)
• Graham Falkner (tech-savvy small business owner & voice-over artist representing the SMB reality)
• Mauven MacLeod (ex-government cybersecurity background)
New episodes weekly
Website: thesmallbusinesscybersecurityguy.co.uk
Podcast feed: https://feed.podbean.com/thesmallbusinesscybersecurityguy/feed.xml

Final Thoughts from the Hosts
Noel Bradford: “After 40 years in this industry, I’ve learned that mad ideas sometimes win. Especially the really mad ones.”
Mauven MacLeod: “Stay curious, stay sceptical, stay secure, and maybe keep one eye on the Swiss scientists growing computers in dishes.”
Graham Falkner: “The small business cybersecurity challenges haven’t changed. But knowing where technology is heading helps you make better decisions about where to invest your limited resources.”

Legal Disclaimer
The Small Business Cyber Security Guy Podcast is produced for educational and informational purposes. All information provided is believed to be accurate at the time of recording, but cybersecurity is a rapidly evolving field. Listeners should verify current information and seek professional advice specific to their circumstances. The hosts and producers are not liable for actions taken based on information provided in this podcast. Always implement cybersecurity measures appropriate to your business needs and risk profile. Copyright 2025. All rights reserved.

Tags
biocomputing, FinalSpark, living neurons, computing energy crisis, AI energy consumption, small business technology, future of computing, cybersecurity, data centres, cloud computing costs, Swiss technology, enterprise technology, SMB technology strategy, emerging technology, biological computing, neural networks, technology innovation, small business podcast, UK business, cyber essentials
This Halloween special of the Small Business Cyber Security Guy peels back the curtain on the scariest place hackers hide: the tools and toolchains you trust. Hosts Graham Falkner, Noel Bradford and Mauven MacLeod go ghost hunting inside compilers, build systems and update pipelines to show how supply‑chain attacks can insert backdoors that you’ll never spot by reading source code alone. The episode revisits Ken Thompson’s classic compiler backdoor thought experiment and explains, in plain language, how a compromised compiler can propagate secrets invisibly. The hosts walk through real incidents — XcodeGhost, SolarWinds, EventStream, and Log4j — to demonstrate how attackers target development tools and upstream suppliers to compromise software at scale. Expect practical, small-business-focused anecdotes (including a midnight accounting patch that wreaked havoc) and clear explanations of why technical debt, single-developer codebases, and blind trust in update pop-ups are dangerous. The conversation highlights how even open-source software can be compromised if maintainers or dependencies are compromised. The episode also covers defences and takeaways: demand provenance and supply-chain transparency from vendors, insist on reproducible builds where possible, use two-person reviews and well-maintained dependencies, and protect access with strong authentication. The hosts debate how to distribute trust, verify your verifiers, and reduce single points of failure so one compromised supplier or contractor can’t haunt your whole business. There’s a sponsor segment from Authentrend about passwordless biometric sign-ins as a way to block credential-based intrusions, along with links to resources and a trial, in the show notes. Throughout, the hosts balance technical history and horror stories with concrete steps small businesses can take now to keep their compilers and supply chains clean.
Listen for clear, actionable advice for small businesses, including how to ask vendors the right questions, when to bring in trusted IT partners, and simple measures to keep the lights on and the doors locked against the ghosts in your code. Sláinte — and may your backups never rise from the grave.
The £18,000 Saving That Cost £200,000 in Revenue

Ever cut a cost that seemed obviously wasteful, only to discover you'd destroyed something far more valuable? Welcome to the Doorman Fallacy — it's probably happening in your business right now.

In this episode, Noel Bradford introduces a concept from marketing expert Rory Sutherland's book "Alchemy" that explains precisely why "sensible" security cost-cutting so often leads to catastrophic consequences. Through five devastating real-world case studies, we explore how businesses optimise themselves into oblivion by defining roles too narrowly and measuring only what's easy to count.

Spoiler alert: The doorman does far more than open doors. And your security measures do far more than their obvious functions.

What You'll Learn

The Core Concept
What the Doorman Fallacy is and why it matters for cybersecurity
The difference between nominal functions (what something obviously does) and actual functions (what it really does)
Why efficiency optimisation without a complete understanding is just expensive destruction
The five-question framework for avoiding Doorman Fallacy mistakes

Five Catastrophic Case Studies

1. The Security Training Fallacy (Chapter 2)
How cutting £12,000 in training led to a £70,000 Business Email Compromise attack
Why training isn't about delivering information—it's about building culture
The invisible value: shared language, verification frameworks, psychological safety
What to measure instead of cost-per-employee-hour

2. The Cyber Insurance Fallacy (Chapter 3)
The software company that saved £18,000 and lost £200,000 in client contracts
Why insurance isn't just financial protection—it's a market signal
Hidden benefits: third-party validation, incident response capability, customer confidence
How cancelling coverage destroyed vendor relationships and sales opportunities

3. The Dave Automation Fallacy (Chapter 4)
Insurance broker spent £100,000+ replacing a £50,000 IT person
The £15,000 server upgrade that Dave would have known was unnecessary
Institutional knowledge you can't document: vendor relationships, crisis judgment, organisational politics
Why ticketing systems can't replace anthropological understanding

4. The MFA Friction Fallacy (Chapter 5)
Fifteen seconds of "friction" versus three weeks of crisis response
The retail client who removed MFA and suffered £65,000 in direct incident costs
Why attackers specifically target businesses without MFA
The reputational damage you can't quantify until it's too late

5. The Vendor Relationship Fallacy (Chapter 6)
Solicitors saved £4,800 annually, lost a £150,000 client
Why "identical services" aren't actually identical
The difference between contractual obligations and genuine partnerships
What happens when you need flexibility and you've burned your bridges

Key Statistics & Case Studies
42% of business applications are unauthorised Shadow IT (relevant context)
£47,000 BEC loss vs £12,000 annual training savings
£200,000 lost revenue vs £18,000 insurance savings
£100,000+ replacement costs vs £50,000 salary
£65,000 incident costs vs marginal productivity gains
£150,000 lost client vs £4,800 vendor savings

Common pattern: Small measurable savings, catastrophic unmeasurable consequences.

The Five-Question Framework

Before cutting any security costs, ask yourself:
What's the nominal function versus the actual function? What does it obviously do vs what does it really do?
What invisible benefits will disappear? Be specific: not "provides value" but "provides priority incident response during emergencies"
How would we replace those invisible benefits? If you can't answer this, you're making a Doorman Fallacy mistake
What's the actual cost-benefit analysis, including invisible factors? Not just "save £8,000" but "save £8,000, lose security culture, increase incident risk"
What's the cost of being wrong? In cybersecurity, the cost of being wrong almost always exceeds the cost of maintaining protection

Practical Takeaways

What to Do Tomorrow
Review your most recent efficiency or cost-cutting decision. Ask:
Did we define this function too narrowly?
What invisible value might we have destroyed?
Are we experiencing consequences we haven't connected to that decision?

Better Metrics for Security Investments
Instead of measuring cost-per-hour or savings-per-quarter, measure:
Incident reporting rates (should go UP with good training)
Verification procedure usage frequency
Time-to-report for security concerns
Vendor response times during emergencies
Employee confidence in raising concerns

Making Trade-Offs Honestly
Budget constraints are legitimate. The solution isn't "never cut anything." It's:
Acknowledge what you're sacrificing when you cut
Admit the risks you're accepting
Have plans for replacing invisible functions
Make consequences visible during decision-making
Ensure decision-makers bear some responsibility for outcomes

Quotable Moments

"The doorman's job is opening doors. So we replaced him with an automatic door. Saved £35,000 a year. Lost £200,000 in revenue because the hotel stopped feeling luxurious. That's the Doorman Fallacy." — Noel

"Security training's nominal function is delivering information. Its actual function is building culture. Cut the training, lose the culture, then wonder why nobody reports suspicious emails anymore." — Noel

"We saved £8,000 on training. Spent £70,000 on the Business Email Compromise attack that training would have prevented. The CFO was very proud of the efficiency gains." — Noel

"You can't prove a negative. Can't show the value of the disasters you prevented because they didn't happen. So the training gets cut, the insurance gets cancelled, and everyone acts surprised when the predictable occurs." — Mauven

"The efficiency consultant's dream outcome: Measurable cost eliminated, unmeasurable value destroyed, everyone confused about why things feel worse despite the improvement." — Noel

Chapter Timestamps
00:00 - Pre-Roll: The Most Expensive Cost-Saving Decision
02:15 - Intro: Why Marketing Books Matter for Cybersecurity
05:30 - Chapter 1: The Book, The Fallacy, The Revelation
12:00 - Chapter 2: The Security Training Fallacy
19:30 - Chapter 3: The Cyber Insurance Fallacy
27:00 - Chapter 4: The Dave Automation Fallacy
35:30 - Chapter 5: The MFA Friction Fallacy (+ Authentrend sponsor message)
42:00 - Chapter 6: The Vendor Relationship Fallacy
49:30 - Chapter 7: Hard-Hitting Wrap-Up & Framework
58:00 - Outro: Action Items & CTAs
Total Runtime: Approximately 62 minutes

Sponsored By Authentrend - Biometric FIDO2 Security Solutions
This episode is brought to you by Authentrend, which provides passwordless authentication solutions that address the friction problem discussed in Chapter 5. Their ATKey products use built-in fingerprint authentication—no passwords, no PIN codes, just five-second authentication that's both convenient AND phishing-resistant. Microsoft-certified, FIDO Alliance-trusted, and designed for small businesses that need enterprise-grade security without enterprise-level complexity.
Learn more: authentrend.com

Resources & Links

Mentioned in This Episode:
Rory Sutherland's "Alchemy: The Dark Art and Curious Science of Creating Magic in Brands, Business, and Life"
Authentrend ATKey Products: authentrend.com
Episode 3: "Dave from IT - When One Person Becomes Your Single Point of Failure" (referenced in Chapter 4)

Useful Tools & Guides:
Download our Doorman Fallacy Decision Framework (PDF)
Template: Articulating Invisible Value in Budget Meetings
Checklist: Five Questions Before Cutting Security Costs
Case Study Library: Real-World Doorman Fallacy Examples

UK-Specific Resources:
ICO Guidance on Security Measures
NCSC Small Business Cyber Security Guide
Cyber Essentials Scheme Information

About Your Hosts
Noel Bradford brings 40+ years of IT and cybersecurity experience from Intel, Disney, and the BBC to small-business cybersecurity. Now serving as CIO/Head of Technology for a boutique security-first MSP, he specialises in translating enterprise-level security to SMB budgets and constraints.
Mauven MacLeod is an ex-government cyber analyst who now works in the private sector helping businesses implement government-level security practices in commercial reality—her background bridges national security threat awareness with practical small business constraints.

Support The Show
New episodes every Monday at Noon UK Time! Never miss an episode!
Subscribe on your favourite podcast platform: Apple Podcasts, Spotify, Google Podcasts
RSS Feed: https://feed.podbean.com/thesmallbusinesscybersecurityguy/feed.xml

Help us reach more small businesses:
⭐ Leave a review (especially appreciated if you mention which Doorman Fallacy example hit closest to home)
💬 Comment with your own efficiency optimisation horror stories
🔄 Share this episode with CFOs, procurement specialists, and anyone making security budget decisions
📧 Forward to that one colleague who keeps suggesting cost-cutting without understanding the consequences

Connect with us:
Website: thesmallbusinesscybersecurityguy.co.uk
Blog: Visit thesmallbusinesscybersecurityguy.co.uk for full episode transcripts, implementation guides, and decision-making templates
LinkedIn: https://www.linkedin.com/company/the-small-business-cyber-security-guy/
Email: hello@thesmallbusinesscybersecurityguy.co.uk

Episode Tags
#Cybersecurity #SmallBusiness #SMB #InfoSec #CyberInsurance #MFA #SecurityTraining #ITManagement #BusinessSecurity #RiskManagement #DoormanFallacy #BehavioralEconomics #SecurityROI #UKBusiness #CostBenefit #SecurityCulture #IncidentResponse #VendorManagement #Authentrend #FIDO2 #PasswordlessAuthentication

Legal
The Small Business Cyber Security Guy Podcast provides educational information and general guidance on cybersecurity topics. Content should not be considered professional security advice for your specific situation. Always consult qualified cybersecurity professionals for implementation guidance tailored to your organisation's needs.
Copyright © 2025 The Small Business Cyber Security Guy Podcast. All rights reserved.
Got a question or topic suggestion? Email us at hello@thesmallbusinesscybersecurityguy.co.uk or leave a comment below!
Hosts Mauven MacLeod and Graham Falkner deliver a fiery rant about the recent AWS US East 1 DNS outage and what it reveals about our dependence on cloud services. In this episode, they unpack the outage's real-world impact — from Snapchat and Venmo outages to Philips Hue bulbs and automated litter boxes going dark — and share colourful personal anecdotes, including a navigation fail on a Loch Lomond walk and a high‑tech mattress that turns into an expensive paperweight when the cloud hiccups. The pair dig into the technical and cultural roots of the problem: DNS as an ageing single point of failure, the dangers of concentrating critical infrastructure in one region, cost‑cutting that sacrifices resilience, and the worrying effects of automation and staff churn. They discuss how small businesses, banks, gaming platforms, and everyday consumers all found themselves unable to process payments, take bookings, or even turn on a light due to a single regional fault. Mauven and Graham also examine the human side of outages — exhausted sysadmins, online threads that read like group therapy, and the blurred line between human operators and automated systems shipping production code. They mock the absurdity of smart devices that need the internet to perform basic functions, and contrast that with the resilience of simple, offline tech (their beloved vinyl collections make a cameo). Finally, the episode offers a clear call to action: rethink resilience. Topics covered include multi‑cloud and hybrid strategies, decentralisation, offline fallback modes or “stupid mode” for essential devices, and the need to prioritise technical debt and redundancy over short‑term savings. Expect sharp humour, practical frustrations, and a promise of tangible fixes and advice in the next episode — plus plenty of memes and sympathy for the folks keeping the lights on.
Vendors love throwing around "InfoSec," "CyberSec," and "IT Security" like they're selling completely different solutions. Half the time it's the same thing with three different price tags. The other half? You're buying protection that doesn't address your actual risks.

With 50% of UK small businesses hit by cyber incidents in 2025 and 60% closing within six months of severe data loss, getting this wrong isn't just expensive—it's potentially fatal to your business.

Noel Bradford (40+ years wrangling enterprise security at Intel, Disney, and BBC) and Mauven MacLeod (ex-Government Cyber analyst who's seen threats at the national security level) cut through the marketing rubbish to explain what each approach actually does, what they really cost, and which one your business needs right now. No vendor pitch. No corporate speak. Just the brutal truth about what works for UK SMBs.

This Episode is Sponsored by Authentrend
Special Listener Offer: £40 per FIDO2 security key (regular £45) - Valid until December 22nd, 2025

We only accept sponsorships from companies whose products we already recommend to clients. Authentrend's ATKey series provides FIDO Alliance Level 2 certified, phishing-resistant authentication at competitive pricing. Same cryptographic protection as premium brands, without the premium price tag.

Why we're comfortable with this sponsorship: We've been specifying Authentrend keys for UK SMB clients for months because the math works. FIDO2 hardware security keys stop the credential phishing attacks that cause 85% of cyber incidents. At £40-45 per key (two per employee for backup), you're looking at £80-90 per person for protection that actually works.
Learn more: authentrend.com

What You'll Learn

Understanding the Differences
What Information Security actually covers (hint: it's not just digital)
Why Cybersecurity isn't the same as IT Security (despite what vendors claim)
The CIA triad explained without the jargon
Real-world examples showing when each approach matters

UK Business Reality
Current threat landscape: 43% of UK businesses breached in 2025
Why small businesses (10-49 employees) face 50% breach rates
Average incident costs: £3,400 (but the real number is much higher)
UK GDPR, Data Protection Act 2018, and what actually applies to you

What It Actually Costs
Starting from scratch: £5,000-£15,000 annually for 10-20 employees
Phishing-resistant MFA: £80-90 per employee (one-time, includes backup keys)
Cyber Essentials: £300-£500 (your best bang for buck)
Managed security services: £300-£450/month realistic pricing
When £2,000-£3,500/month managed detection makes sense
Free government resources you're probably ignoring

Authentication Security Reality
Why SMS codes and app-based MFA still get phished
How FIDO2 hardware security keys cryptographically prevent credential theft
Real cost comparison: £80-90 per employee one-time vs subscription services costing hundreds annually
Special offer mentioned in episode: Authentrend keys at £40 until December 22nd

Implementation Without the Bullshit
Why IT Security basics beat fancy cybersecurity tools every time
The five controls that address 90% of UK SMB threats
Common mistakes that waste your security budget
How to prioritise when you can't afford everything
Vendor red flags and what to actually look for

Regulatory Requirements Decoded
ICO data protection fees: £40-£60/year (mandatory)
What "appropriate technical and organisational measures" really means
Why recent enforcement shows reprimands over fines for SMBs
Insurance requirements and how to reduce premiums
How phishing-resistant authentication affects cyber insurance premiums

Key Statistics Mentioned
50% of UK small businesses (10-49 employees) experienced cyber incidents in 2025
£3,400 average cost per cyber incident (excluding business impact)
60% of small businesses close within 6 months of serious data loss
85% of cyber incidents involve phishing attacks
43% of all UK businesses experienced breaches in 2025
Only 35,000 of 5.5 million UK businesses hold Cyber Essentials certification
40% of UK businesses use two-factor authentication (meaning 60% rely solely on passwords)

Products & Solutions Discussed

Authentication Security (Featured in Episode)
Authentrend ATKey Series (Episode Sponsor)
ATKey.Pro: USB-A/USB-C with NFC support
ATKey.Card: Contactless card format
Pricing: £45 regular, £40 special offer until December 22nd
FIDO Alliance Level 2 certified
Works with Microsoft 365, Google Workspace, 1000+ FIDO2-enabled services
Deployment cost: £80-90 per employee (2 keys for backup)

Why hardware security keys matter:
Cryptographically bound to specific domains (phishing technically impossible)
Works even when users make mistakes
One-time purchase vs ongoing subscription costs
Significantly reduces cyber insurance premiums

Email Security Options
Microsoft Defender for Office 365 Plan 1: £1.70/user/month
Google Workspace Advanced Protection: £4.60/user/month
Sophos Email Security: £2.50/user/month

Endpoint Protection
Microsoft Defender for Business: £2.50/user/month
Sophos Intercept X: £3.50/user/month
CrowdStrike Falcon Go: £7.00/user/month

Compliance & Frameworks
Cyber Essentials: £300-£500 annually
ISO 27001: £10,000-£15,000 first year (discussed as often unnecessary for SMBs)

Resources Mentioned

Free Government Resources
NCSC Small Business Guidance: ncsc.gov.uk
ICO Free Templates: ico.org.uk
Cyber Essentials Scheme: cyberessentials.ncsc.gov.uk
NCSC FIDO2 Guidance: Phishing-resistant authentication recommendations

Episode Sponsor
Authentrend: authentrend.com
Special offer: £40 per key (regular £45) until December 22nd, 2025
ATKey.Pro and ATKey.Card models
UK distributor support available

Related Blog Posts (From This Week's Series)
Tuesday: "InfoSec vs CyberSec vs IT Security: Stop Paying for the Wrong Protection in 2025"
Wednesday: "Another UK SME Wastes £20k on 'Comprehensive CyberSec': Still Gets Breached"
Thursday: "IT Security First: Your 5-Step Plan to Stop Buying the Wrong Protection"
Friday: "The Leicester SME That Chose IT Security Over InfoSec Theatre: Saved £15k and Actually Got Secure"
Saturday: "Opinion: The Cybersecurity Industry Is Deliberately Confusing UK SMBs"

Recommended First Steps

Immediate Actions (This Week)
Catalogue your information - 1 day exercise to understand what you have and where it lives
Register for ICO data protection fee - £40-£60 annual mandatory requirement
Order hardware security keys - Start with admin accounts (grab Authentrend special offer before Dec 22nd)

First Month
Get Cyber Essentials certified - £300-£500, addresses 90% of common threats
Implement email security - £900-£1,800 annually for proper anti-phishing
Deploy phishing-resistant MFA - £80-90 per employee one-time investment
Configure endpoint protection - £1,200-£2,500 annually for 15-30 users

First Quarter
Test your backups - Don't assume they work, actually restore something
Basic staff training - Use free NCSC materials, focus on phishing recognition
Review and document - Simple policies using ICO templates

Budget Planning
15-20 employee business, first year total: £6,200-£14,500
Email security: £900-£1,800 annually
Hardware security keys: £2,400-£2,700 one-time (with Dec 22nd offer: £2,400)
Endpoint protection: £1,200-£2,500 annually
Backup systems: £600-£1,200 annually
Network security: £600-£1,800 (includes one-time hardware costs)
Training: £0-£1,500 annually
Testing: £500-£2,000 annually
Ongoing costs (Year 2+): £3,800-£11,100 annually

Hosts

Noel Bradford - CIO/Head of Technology, Boutique Security First MSP
40+ years enterprise security (Intel, Disney, BBC)
Direct, budget-conscious, solutions-focused
Enjoys challenging conventional security wisdom
Known for calling out vendor bollocks

Mauven MacLeod - Ex-Government Cyber Analyst
Government cybersecurity background (NCSC)
Glasgow-raised, practical approach
Translates national security threats into business reality
Focuses on what actually works for UK SMBs

Our Sponsorship Disclosure Policy
We only accept sponsorships from security vendors whose products we already recommend to UK SMB clients independently. If we wouldn't deploy it ourselves or specify it for consulting engagements, we won't accept sponsorship money for it.

Why Authentrend: We've been recommending their FIDO2-certified hardware security keys to clients for months because:
They provide the phishing-resistant authentication we consistently advise UK SMBs to implement
Pricing makes proper authentication accessible to small businesses
FIDO Alliance Level 2 certification ensures they meet security standards
They align with our core message: affordable IT security fundamentals over expensive security theatre

Take Action
Don't let perfect be the enemy of good. Start with what you can manage, do it properly, and build from there.

Your Next Steps
Listen to the episode - Understand the differences before spending money
Download the risk assessment template - Available on our blog
Order hardware security keys - Start with admin accounts (special offer ends Dec 22nd)
Get Cyber Essentials certified - £300-£500 addresses most common threats
Implement IT Security fundamentals - £2K-£5K gets you real protection
Review quarterly - Security isn't a one-time project

Subscribe & Connect
Never miss an episode - Hit subscribe wherever you get your podcasts
Leave us a review - It genuinely helps other UK small business owners find these conversations
Visit our blog - Additional resources, templates, and practical guides at [noelbradford.com]
Got specific questions? - Drop us a comment and we might cover it in a future episode

Next Week's Episode
"Government Cyber Initiatives: Why Whitehall's Digital Strategy Keeps Failing UK Businesses"
The NCSC produces world-class guidance. Unfortunately, most of it assumes you have dedicated security teams and enterprise budgets. We'll examine why government cybersecurity initiatives consistently miss the mark for the businesses that need help most, and what UK SMBs should actually implement instead.

Remember
The biggest security risk is doing nothing while you debate the perfect approach. Stop wasting money on expensive security theatre. Start with IT Security fundamentals that actually protect against the threats you face. Get phishing-resistant authentication in place. Test your backups. Train your staff. Everything else can come later.

Tags
#Cybersecurity #InformationSecurity #ITSecurity #UKSmallBusiness #SMB #UKGDPR #CyberEssentials #DataProtection #ICO #BusinessSecurity #CyberThreats #SecurityBudget #NCSC #UKBusiness #SmallBusinessUK #FIDO2 #PhishingResistant #MFA #Authentrend #HardwareSecurityKeys #AuthenticationSecurity
Noel and Mauven unpack Discord’s third-party breach that exposed government-ID checks from age-appeal cases, then weigh it against Westminster’s push for a nationwide digital ID. It’s a frank look at how outsourcing, age-verification mandates and data-hungry processes collide with real-world security on the ground. Expect straight talk and practical fixes for UK SMBs.

What we cover
What actually happened at Discord: a contractor compromise affecting support/Trust & Safety workflows, not Discord’s core systems; notifications issued; vendor relationship severed; law-enforcement engaged.
Why age-verification data is dynamite: passports and licences used for “prove your age” are a high-value, high-liability dataset for any platform or vendor.
The UK digital ID plan, clarified: free digital ID, phased rollout this Parliament, and mandatory for Right to Work checks rather than everyone by default. What that means for employers, suppliers and software choices.
Public sentiment vs promised safety: Britons broadly back “age checks” in principle but expect more data compromise and censorship risk, and doubt effectiveness.

Why it matters to UK SMBs
You can’t outsource accountability. If a payroll, KYC, helpdesk or verification vendor mishandles data, your customers still see your name on the breach notice.
Age and identity checks creep into ordinary business flows. HR onboarding, ticketing, and customer support can accumulate sensitive documents if you let them.
Centralising identity increases the jackpot for attackers. Your job is to minimise what you collect and partition what you must keep.

Key takeaways
Do not collect what you can’t protect. Prefer attribute proofs over document uploads.
Limit blast radius. Separate systems, short retention, hard deletion, and vendor access that is time-boxed and device-checked.
Contract like you mean it. Specify MFA, device compliance, immutable logging, breach SLAs, and verifiable deletion in vendor agreements.
Prepare your Right-to-Work path now. Choose flows that avoid copying and storing underlying documents.

Action checklist for SMB owners
Map every place you’re collecting ID or age proof today. Kill non-essential collection.
Where age is required, adopt attribute-based verification that proves “over 18” without revealing full identity.
Move any remaining uploads behind automatic redaction, strict retention, and encryption with keys you control.
Enforce vendor MFA via your IdP, require compliant devices, and review access logs weekly.
Run DPIAs for onboarding, support and HR flows that touch identity documents.
Rehearse your breach comms. Aim to say: “only an age token was exposed, not source documents.”

Chapter outline
Setting the scene: a breach born in the support queue
Why ID uploads are a liability multiplier
The UK’s digital ID plan, without the spin
Vendor risk is your risk
Practical fixes you can implement before lunch
Q&A and what to do if you uploaded ID to Discord

If you think you’re affected
Treat notices as real; monitor credit; be alert to targeted phishing; don’t re-upload documents to unsolicited “verification” links.

Support the show
Subscribe, rate and review. Share this episode with a business owner who still stores passport scans in their helpdesk. Send questions or topic requests for future episodes.
Microsoft has released the October 2025 Patch Tuesday update, and the numbers tell a serious story: 172 security flaws patched, six of them zero-day exploits already in the wild. For UK small businesses, this is more than routine maintenance; these updates protect against vulnerabilities that attackers are actively exploiting to break into systems like yours.

Graham Falkner cuts through the technical jargon to explain what these updates actually mean for your business, shares a real-world story of a local bakery that nearly lost everything, and walks through the practical steps you need to take today.

Key Topics Covered

The Scale of the Problem
172 total vulnerabilities patched across Microsoft's ecosystem
Six zero-day flaws (actively exploited or publicly known before patches released)
Eight critical vulnerabilities that could allow unauthorised code execution
Elevation of privilege, remote code execution, and information disclosure threats

Windows 10: End of an Era
15 October 2025 marks the final day of free security updates for Windows 10
Extended Security Updates (ESU) now required for continued protection
Time to seriously plan your Windows 11 migration or budget for ESU costs

Real-World Impact
Linda's Bakery nearly lost a week's worth of turnover after ransomware exploited an unpatched zero-day vulnerability. The attack was fast, the data was locked, and only a quick backup restoration saved her business. Graham uses this story to demonstrate why these updates have tangible consequences for small businesses across the UK.

Windows 11 October 2025 Features
Beyond patching vulnerabilities, the October update brings nine useful new features for Windows 11 versions 25H2 and 24H2:

Improved Phishing Protection
Enhanced defences that make it genuinely harder for dodgy links to trick your staff. Think of it as a digital bouncer for your inbox.

Enhanced Device Control Settings
Brilliant if you operate in an environment where staff might plug in random gadgets. (Yes, coffee shop owners with drawers full of mystery USB sticks, we're looking at you.)

Wi-Fi Security Dashboard
No IT degree required. Plain-language summary of your network's safety status that anyone can understand.

Built-in Password Manager Improvements
Now flags when you've reused weak passwords. No more scribbling your favourite biscuit on a Post-it and hoping for the best.

AI Actions in File Explorer
Smarter file organisation and quick task shortcuts

Notification Centre on Secondary Monitors
Finally works properly where you click it

Moveable System Indicators
Customise where volume and brightness indicators appear

Administrator Protection
Additional security layer for privileged accounts

Passkey Support for Third-Party Providers
More flexibility in authentication methods

Practical Action Steps

Immediate Tasks (This Week)

Schedule Your Updates
Block out an hour when losing a computer for a reboot won't derail your entire operation. Updates can be inconvenient, but getting compromised because you delayed them is far worse.

Verify Installation Success
Don't assume updates installed correctly. Open Windows Update settings and check for failed installations. Graham shares a personal story about his jukebox PC that reinforces this point.

Back Up Before Updating
Protect your important data before applying updates. If something breaks, you'll need that backup to restore operations quickly.

Recovery Planning

Know Your Rollback Options
Windows lets you roll back recent updates through the Advanced Recovery menu. Don't wait until disaster strikes to learn how this works.

Document Your Process
Have a written plan for what to do if an update causes problems. Graham learned this the hard way when his vinyl room jukebox went silent for days.

Long-Term Security Habits

Regular Review Schedule
Treat security reviews like your car's MOT. Schedule them in your diary and actually do them. Ask yourself: "Are my defences still relevant to the threats out there?"

Consider Automation
Intrusion detection tools and vulnerability scanners aren't just for large multinationals anymore. They fit comfortably into small business operations, often catching and patching issues before you even know they exist.

Staff Training
Technology can only protect you so far. The biggest security gaps usually sit between the keyboard and the chair. Regular training on spotting dodgy emails and not clicking every link matters more than you think. All the AI in the world means nothing if someone opens the virtual front door for attackers.

Key Quotes from the Episode
"When you've got bugs that can lead to unauthorised access, stolen data, or a business-crippling ransomware attack, you simply can't afford to fall behind."
"These updates have real-world impact. I'm not talking theoretical."
"Don't leave your business exposed whilst attackers are combing these patch notes, looking for firms running behind."
"Not updating isn't just risky, it's old-fashioned."
"The strongest business is the one that learns just a bit faster than the crooks."

UK Business Context

Why This Matters for Small Businesses
Whether you're a florist in Aberdeen or a solicitor's office in Kent, cybersecurity isn't about ticking an IT box. These updates protect your ability to keep the cash register ringing and maintain customer trust. Business-crippling ransomware attacks don't just happen to large corporations. Small businesses are increasingly targeted because attackers know you often lack dedicated IT resources and may be running behind on updates.
Regulatory Considerations
Whilst Graham doesn't dive deep into compliance in this Hot Take, remember that unpatched systems can create regulatory headaches:
GDPR obligations require appropriate security measures
ICO enforcement takes security seriously
Professional indemnity insurers increasingly audit cybersecurity practices
Client trust depends on demonstrating you protect their data properly

Technical Details (For the IT-Minded)

Vulnerability Breakdown
80 Elevation of Privilege vulnerabilities
31 Remote Code Execution flaws
28 Information Disclosure issues
11 Security Feature Bypass vulnerabilities
11 Denial of Service flaws
10 Spoofing vulnerabilities
1 Tampering vulnerability

Notable Zero-Days Patched
CVE-2025-24990: Agere Modem driver vulnerability (actively exploited)
CVE-2025-59230: Windows Remote Access Connection Manager (actively exploited)
CVE-2025-24052: Agere Modem driver (publicly disclosed)
CVE-2025-2884: TPM 2.0 implementation flaw
CVE-2025-0033: AMD EPYC processor vulnerability
CVE-2025-47827: IGEL OS Secure Boot bypass

Removed Components
Microsoft removed the Agere Modem driver (ltmdm64.sys) after evidence of abuse for privilege escalation. If you rely on Fax modem hardware using this driver, it will cease functioning after this update.

Resources and Further Reading

Official Microsoft Sources
Microsoft October 2025 Patch Tuesday Security Update Guide
Windows 11 Version 25H2 Known Issues
Windows 10 Extended Security Updates Information

Third-Party Analysis
BleepingComputer: October 2025 Patch Tuesday Coverage
Windows Central: 9 New Features in October Update
Cybersecurity News: Detailed Vulnerability Analysis

UK-Specific Resources
NCSC Small Business Guide
Cyber Essentials Scheme
ICO Data Protection Guidance

Episode Credits
Host: Graham Falkner
Production: The Small Business Cyber Security Guy Podcast
Copyright: 2025 - All Rights Reserved

Call to Action

Help Other Small Businesses Stay Secure
Like this Hot Take if you found it useful
Subscribe to catch every episode as we release them
Share with other UK small business owners who need to hear this
Comment with your own update horror stories or success stories
Your engagement helps us reach more small businesses who desperately need practical cybersecurity guidance. Every share might save another business from becoming next month's ransomware statistic.

Stay Connected
Visit thesmallbusinesscybersecurityguy.co.uk for:
Complete episode archive
Written guides and checklists
Additional resources for UK small businesses
Ways to submit questions for future episodes

Related Episodes
Looking for more context on topics mentioned in this Hot Take? Check out these related episodes:
Episode 17: Social Engineering - The Human Firewall Under Siege
Why staff training matters more than you think, and how attackers exploit human psychology
Episode 10: White House CIO Insights Part 3 - Advanced Threats & AI
AI-powered attacks and how small businesses can defend against sophisticated threats
Enhanced Supply Chain Security
Understanding vendor dependencies and how updates fit into broader security strategy
Ministers have sent an urgent letter to UK business leaders after the NCSC handled 204 nationally significant cyber incidents in the past year, with 18 "highly significant" incidents – a 50% increase for the third consecutive year. Join Mauven MacLeod and Graham Falkner as they unpack the government's wake-up call and translate ministerial warnings into concrete actions every business leader can take today.

What You'll Learn
- Why the Chancellor and three Cabinet Ministers personally co-signed an urgent letter to UK business leaders (link: Ministerial letter on cyber security)
- The shocking NCSC statistics: nearly half of all incidents were nationally significant, with highly significant incidents up 50%
- Real-world impact: empty supermarket shelves, healthcare disruption causing deaths, and £300m+ losses for single organisations
- The three specific government requests that will have an immediate impact on your cyber resilience (link: Ministerial letter on cyber security)
- Practical first steps you can take this week (most are free)

Key Quotes
"Any leader who fails to prepare for that scenario is jeopardising their business's future... It is time to act." - Richard Horne, CEO of NCSC
"Hostile cyber activity in the UK is growing more intense, frequent and sophisticated. There is a direct and active threat to our economic and national security." - Ministerial Letter, 13 October 2025 (link: Ministerial letter on cyber security)
"While you can plan meticulously, nothing truly prepares you for the moment a real cyber event unfolds. The intensity, urgency and unpredictability of a live attack is unlike anything you can rehearse." - Shirine Khoury-Haq, CEO of The Co-op Group

Resources Mentioned
- Ministerial Letter (13 Oct 2025)
- NCSC Annual Review 2025
- Free Cyber Governance Training for Boards
- Early Warning Service (Free) - 13,000+ organisations already signed up
- Cyber Essentials - 92% reduction in insurance claims
- Cyber Action Toolkit - Free for small businesses

Take Action This Week
- Sign up for NCSC Early Warning (free)
- Read the ministerial letter
- Add cyber security to your next Board agenda
- Check if MFA is enabled on critical systems

About the Hosts
Mauven MacLeod - Ex-NCSC cyber security expert with Glasgow roots who translates government-level threat intelligence into practical advice for small businesses.
Graham Falkner - The unmistakable voice from UK cinema trailers, now bringing his theatrical gravitas and storytelling skills to demystify cybersecurity for business leaders.

Connect
Visit our blog: thesmallbusinesscybersecurityguy.co.uk
Like the show? Subscribe, leave a review, and share with colleagues.
Episode Length: ~8 minutes

Bottom line: Nearly half of NCSC incidents are now nationally significant. It's time to act.
We were wrapping up our interview with Tammy Buchanan about the Kido nursery breach when she said: "Actually, there were some really important points I forgot to make." So we grabbed another cup of tea, broke out the custard creams, and kept recording.

Then, during the tea break, Graham discovered something on Twitter: VX-Underground, a credible malware research collective, had posted a screenshot of what appears to be a Kido GitHub repository containing API code, including files that typically contain system credentials. A potential smoking gun.

In Part 2, Tammy reveals what was missed in Part 1, including the game-changing fact that cybersecurity is now officially linked to safeguarding in the 2025 Keeping Children Safe in Education guidance. We examine the repository screenshot and discuss what it suggests about how breaches like this happen.

This isn't theory. This appears to be a real-world example of the vulnerability that could lead to children's data being stolen. And your child's school might have the same exposure.

Recorded in the same session as Part 1. This is what happens when cybersecurity news moves faster than podcast recording sessions.

Currently ranked in the Top 100 Apple Business Podcasts (US)

This episode is sponsored by Authentrend Biometric Hardware

Why Listen to Part 2?
If you listened to Part 1 and thought "that's bad but it won't happen to us," Part 2 will change your mind.
- The game-changer: Cybersecurity is now safeguarding, not just IT. Schools can't ignore it anymore.
- The smoking gun: A screenshot showing what appears to be exposed code—the exact type of vulnerability experts warn about.
- The corrections: What we got wrong in Part 1, and why the reality is even more serious.

What You'll Learn

The Major Revelations

Cyber Security = Safeguarding (2025 Guidance)
- First time explicitly linked in statutory guidance
- Changes everything about how schools must respond
- Makes Kido a safeguarding failure, not just an IT breach
- Gives cyber the legal teeth it's never had

The Repository Screenshot
- VX-Underground documented what appears to be Kido's code
- Files that typically contain credentials visible
- Repository has since been removed
- Suggests how the breach may have occurred

Partial MFA = No MFA
- Schools enable MFA for head teachers but not everyone
- Like "locking doors but leaving windows open"
- Must be ALL staff with system access or it's useless

The Third Party Illusion
- Schools think IT providers handle compliance
- DfE Standards explicitly say schools must verify
- Cannot outsource responsibility

Practical Takeaways
- Why phone-based MFA conflicts with safeguarding policies (and what to do)
- The NCSC Cyber Assessment Framework for schools
- Questions to ask developers about code repositories
- How to audit custom software
- What "Time Off In Lieu" means for training

The VX-Underground Discovery (Important Context)

What We Can Confirm
On 28 September 2025, VX-Underground (a credible malware research collective) posted a screenshot showing what appears to be a GitHub repository:
- Repository name: kido-fullstack/mykido-api
- Files visible: Including mail.py (typically contains email credentials in Python apps)
- Repository stats: 2 contributors, 0 issues, 0 stars, 0 forks
- Current status: Repository has been removed
- VX-Underground's assessment: Called it "f**king slop piece of s**t"
See: https://www.instagram.com/reel/DPUjd9mj2tG/

What We Cannot Independently Verify
- The actual contents of the files (repository is down)
- Whether the repository was public or had limited visibility
- That this definitively caused the breach
- What specific credentials may have been present

Why It Matters
This screenshot shows the exact type of vulnerability cybersecurity experts warn about:
- Custom code pushed to repositories without proper security review
- Files that typically contain credentials visible in the repository structure
- A pattern common in the education sector (confirmed by Tammy)
- Explains how Famly data could be accessed without a breach of Famly's own infrastructure
We present this as a plausible explanation based on professional analysis, not as a confirmed fact.

The Safeguarding Game-Changer

2025 Keeping Children Safe in Education Guidance
For the first time, statutory safeguarding guidance for UK schools explicitly mentions taking appropriate actions to meet the Cyber Security Standard.
What this means:
- Cybersecurity is no longer optional IT work
- It's a safeguarding responsibility with Ofsted implications
- Schools respond to safeguarding requirements (unlike IT recommendations)
- Governors have safeguarding oversight duties that now include cyber
- The Kido breach is officially a safeguarding failure
When it takes effect: The 2025 guidance is already in force. Schools should be implementing now.
Why schools don't know: Most haven't read the updated guidance yet. Awareness is the first problem.

Critical Corrections from Part 1

1. The MFA Misconception
What we said in Part 1: "Only 50% of schools have MFA enabled"
What Tammy clarified: That 50% is misleading because many schools have partial MFA - only for senior staff like head teachers and SENCOs.
The reality: Partial MFA = NO MFA. It's like locking your front door but leaving all the windows open. Attackers target the weakest link, not the strongest.
The phone problem: Many MFA solutions require phones for authentication, but safeguarding policies ban phones in classrooms. Schools need hardware tokens or authenticator apps on shared devices.
Where MFA works: Primarily email systems currently - but email is the gateway to everything else (password resets, system access, parent communications).

2. The Compliance Responsibility Myth
The misconception: "We pay an IT company, so they're handling DfE Digital Standards compliance for us."
The reality: DfE Standards explicitly state it's the organisation's responsibility to ask: "Are we meeting this standard? How do we meet this standard?"
What IT providers should do: Help implement technical controls
What schools must do: Verify compliance is actually happening
Who's responsible: School leadership, governors, senior management - not outsourceable

3. Training and TOIL
Correction: Staff must be given Time Off In Lieu (TOIL) for cybersecurity training. They cannot be expected to complete training unpaid outside work hours.
Why it matters: Schools operating on tight budgets must account for training time in scheduling and costs.

Resources Mentioned

Statutory Guidance and Standards
Keeping Children Safe in Education 2025
- Statutory safeguarding guidance for schools
- First explicit link between cybersecurity and safeguarding
- Available: UK Government website / DfE publications
- ACTION: Read the section on the Cyber Security Standard
DfE Digital Standards for Schools
- Sets out cyber security requirements
- Six standards schools should meet by 2030
- Schools must actively verify compliance
- ACTION: Ask your school "Are we meeting these?"

Free Security Resources
NCSC Cyber Assessment Framework (CAF)
- Designed specifically for small businesses and schools
- Written in accessible language (not technical jargon)
- Covers: access control, incident management, supply chain security
- Free to use
- LINK: ncsc.gov.uk
NCSC Early Years Settings Guidance
- Bespoke guidance for nurseries
- Practical steps for settings without IT expertise
- LINK: ncsc.gov.uk
GitHub Secret Scanning
- Free for public repositories
- Detects exposed credentials in code
- Schools should use it if they have repositories
- ACTION: Enable on all repositories

Tammy's Resources
DfE Digital Standards Webinars
- Regular sessions explaining standards in simple terms
- How to track progress and implementation
- Contact Tammy for upcoming dates

Guest Expert
Tammy Buchanan
Title: Senior Data Protection Consultant
Organisation: Data Protection Education
Background: 15 years in the UK education sector; 12 years working directly in schools (8 years technician, 4 years IT manager); "Recovering Dave from IT"
What makes Tammy credible: She's not a theoretical expert. She's been the person fixing school printers at 8am, dealing with budget constraints, navigating safeguarding policies. When she says "schools don't have the expertise," she's speaking from lived experience.
Expertise:
- Data protection compliance in education
- Information security for schools and MATs
- DfE Digital Standards implementation
- GDPR for the education sector
- Cyber resilience on school budgets
Contact Tammy
Email: info@dataprotection.education
LinkedIn: Tammy Buchanan (personal) / Data Protection Education (company page)
Services:
- Compliance assessments
- DfE Digital Standards webinars
- Data protection consultancy for schools and MATs
- Incident response support

Questions Parents Should Ask Their School
Copy these questions and email them to your head teacher:
Security Basics
- Do you have multi-factor authentication (MFA) enabled for ALL staff with system access (not just senior leadership)?
- How often do staff receive cybersecurity training, and is Time Off In Lieu provided for this training?
- Where is your incident response plan, and when was it last tested?
Custom Software and Code
- Do we have any custom-built software, integrations, or scripts?
- If yes: Where is the source code stored? (GitHub, GitLab, etc.)
- Who has access to our code repositories?
- Have repositories been scanned for exposed credentials?
- Do former developers or contractors still have access to our systems?
Compliance and Governance
- Are we meeting the DfE Digital Standards, and how is this verified?
- Who on the governing body is responsible for data protection and cyber resilience?
- How are you addressing cybersecurity as part of your safeguarding responsibilities under the 2025 Keeping Children Safe in Education guidance?
Third Party Platforms
- Which platforms hold our children's data? (Famly, Tapestry, Arbor, etc.)
- How do you verify these platforms are securely configured?
- Does our IT provider handle compliance verification, or do you verify it yourselves?
Don't accept: "We have an IT company, they handle all this."
Do accept: Specific answers with evidence of verification.

Questions Schools Should Ask Developers
If you have any custom software, ask your developer:
- Where is the source code stored?
- Is the repository public or private?
- Who currently has access to the repository?
- Are there any credentials, API keys, or connection strings in the code?
- How are secrets managed? (Environment variables, secret management tools?)
- When was the code last security reviewed?
- Has the repository been scanned for exposed secrets?
- What happens if you're not available? Who else can access/maintain this?
Red flags:
- "What do you mean by credentials in the code?"
- "It's a private repo, it's fine."
- "I'll get round to moving those credentials out eventually."
- Cannot answer who else has access

The Bigger Picture

Why This Matters Beyond Kido
The pattern Tammy sees constantly:
- School needs a custom integration between systems
- Hires a developer (staff, parent volunteer, local contractor)
- Developer builds something functional
- Developer has zero security training
- Code pushed to GitHub/GitLab for convenience
- No security review, no secrets management
- Repository sits there for months/years
- Former contractors still have access
- No documentation of what exists or where
- School doesn't know to check
- One credential compromise = full breach

The Education Sector Reality
Constraints schools face:
- No dedicated IT staff (part-time technician comes twice a week)
- No cybersecurity budget
- Volunteer governors with no technical expertise
- Staff expected to train in unpaid time
- Third-party providers without clear responsibility
- Safeguarding policies that conflict with security best practice
- An overwhelming number of platforms and systems
- Turnover of staff and contractors
What needs to change:
- Make cyber security statutory with Ofsted oversight
- Provide funding for proper implementation
- Link explicitly to safeguarding (now happening!)
- Require IT providers to verify compliance
- Train governors on cybersecurity oversight
- Make DfE Digital Standards non-negotiable
The safeguarding link is the breakthrough - schools MUST respond to safeguarding requirements.

Key Quotes
Tammy on partial MFA: "It's like locking your front and back doors and then leaving all the downstairs windows open. I consider that to be NOT having MFA enabled."
Tammy on the safeguarding link: "Schools can ignore IT recommendations. They can say 'no budget, we'll get to it eventually.' But you cannot ignore safeguarding. Safeguarding is non-negotiable."
Tammy on the repository: "This is actually more common than people think, especially in education. Somebody builds something, pushes it to GitHub for version control, and doesn't think about security."
Tammy on compliance responsibility: "Your IT provider should help you meet the standards, but the responsibility for checking remains with the school leadership. And most schools don't realise that."
Noel on the repository screenshot: "The attack vector wasn't sophisticated hacking. It appears to be 'your code was accessible on the internet with the keys to the kingdom visible in the files.'"

What's Next?
If You're a Parent
- Email your school the questions above
- Don't accept vague reassurances
- Ask for specific evidence that they're meeting DfE Digital Standards
- Remember: you're asking about safeguarding, not just IT
If You're a School Leader
- Read the 2025 Keeping Children Safe in Education guidance
- Audit all custom software and code repositories
- Enable MFA for ALL staff (find solutions for the phone conflict)
- Document what you have and who has access
- Verify DfE Digital Standards compliance yourself
- Contact Tammy or similar experts for gap analysis
If You're a Governor
- Add cyber security to safeguarding oversight
- Ask the head teacher the same questions parents should ask
- Don't accept "our IT company handles it"
- Consider appointing a digital lead on the governing body
- Ensure cyber security is a standing agenda item

Social Media Sharing
Share this episode if:
- You're a parent with kids in nursery or school
- You're a school governor or school leader
- You work in education
- You're concerned about children's data protection
- You want schools to take cyber security seriously
Tag: #CyberSecurity #Education #Safeguarding #DataProtection #Kido #DfEDigitalStandards
Share quote: "Cyber security is now officially SAFEGUARDING in UK schools. Not optional IT. Not nice-to-have. SAFEGUARDING. This changes everything."
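To make the developer questions and the "pattern Tammy sees constantly" concrete, here is an added example (not code from the podcast, from Kido or from VX-Underground): a small pre-commit style check that flags hard-coded passwords, API keys and connection strings in a Python mail.py, shown beside the remediated version that reads its secrets from environment variables. The file contents, variable names and values are constructed for the example.

```python
"""Added example: a minimal secret check of the kind "Has the repository been
scanned for exposed secrets?" asks about, plus the remediated pattern of loading
secrets from the environment. Everything below is constructed for illustration."""
import os
import re
from dataclasses import dataclass
from typing import Mapping

# Constructed stand-in for the kind of file the show notes describe: a Python
# mail.py with email and database credentials written straight into the source.
UNSAFE_MAIL_PY = '''
import smtplib

SMTP_HOST = "smtp.example.invalid"
SMTP_USER = "noreply@example.invalid"
SMTP_PASSWORD = "Summer2025!"
API_KEY = "sk_live_0123456789abcdef0123456789abcdef"
DATABASE_URL = "postgres://app:hunter2@db.example.invalid:5432/nursery"
'''.strip()

# The same file after remediation: nothing secret lives in the repository, and
# the process fails at start-up if a value is missing rather than silently
# falling back to a built-in default.
SAFE_MAIL_PY = '''
import os
import smtplib

SMTP_HOST = os.environ["SMTP_HOST"]
SMTP_USER = os.environ["SMTP_USER"]
SMTP_PASSWORD = os.environ["SMTP_PASSWORD"]
DATABASE_URL = os.environ["DATABASE_URL"]
'''.strip()

# Deliberately simple signatures; GitHub secret scanning and dedicated tools
# carry far more. These three cover the cases the developer questions list:
# passwords, API keys and connection strings with embedded credentials.
PATTERNS = (
    ("password-literal",
     re.compile(r'(?i)(pass(word)?|pwd|secret|token)\w*\s*=\s*["\'][^"\']{4,}["\']')),
    ("api-key-literal",
     re.compile(r'(?i)api[_-]?key\w*\s*=\s*["\'][^"\']{16,}["\']')),
    ("connection-string",
     re.compile(r'(?i)[a-z][a-z0-9+.-]*://[^\s"\':/@]+:[^\s"\'@]+@')),
)


@dataclass(frozen=True)
class Finding:
    line_no: int
    kind: str
    name: str  # the assignment target only; the secret value is never echoed


def scan_source(text: str) -> list[Finding]:
    """Return one Finding per source line that looks like a hard-coded credential."""
    findings: list[Finding] = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for kind, pattern in PATTERNS:
            if pattern.search(line):
                # Report the variable name, not the line, so the scanner's own
                # output cannot leak the secret into CI logs or transcripts.
                name = line.split("=", 1)[0].strip() if "=" in line else "<unnamed>"
                findings.append(Finding(line_no, kind, name))
                break
    return findings


def check_repository(files: Mapping[str, str]) -> dict[str, list[Finding]]:
    """Scan a mapping of path -> contents, as a pre-commit hook or CI job would.
    Only files with findings are returned; an empty dict means the tree is clean."""
    report: dict[str, list[Finding]] = {}
    for path, text in files.items():
        hits = scan_source(text)
        if hits:
            report[path] = hits
    return report


def smtp_settings(environ: Mapping[str, str] = os.environ) -> dict[str, str]:
    """How the remediated mail.py obtains its configuration: every required value
    comes from the environment, and start-up is refused if any is absent or empty."""
    required = ("SMTP_HOST", "SMTP_USER", "SMTP_PASSWORD")
    missing = [key for key in required if not environ.get(key)]
    if missing:
        raise RuntimeError("missing required secrets: " + ", ".join(missing))
    return {key: environ[key] for key in required}


if __name__ == "__main__":
    for label, src in (("mail.py before", UNSAFE_MAIL_PY), ("mail.py after", SAFE_MAIL_PY)):
        hits = scan_source(src)
        print(f"{label}: {len(hits)} finding(s)")
        for hit in hits:
            print(f"  line {hit.line_no}: {hit.kind} in {hit.name}")
    # Constructed environment standing in for values injected by the host or CI.
    demo_env = {"SMTP_HOST": "smtp.example.invalid",
                "SMTP_USER": "noreply@example.invalid",
                "SMTP_PASSWORD": "set-outside-the-repo"}
    print("settings loaded for:", smtp_settings(demo_env)["SMTP_USER"])
```

Run as a pre-commit hook or CI step, a non-empty report from check_repository is the signal to block the commit; the remediated file produces no findings because the repository then holds only the names of the secrets, not their values.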
Connect With The Show
Website: thesmallbusinesscybersecurityguy.co.uk
Blog: Full breakdown of repository screenshot analysis
Subscribe: Available on all major podcast platforms
Review: Leave us a review and tell us what you think
Comment: What security topic should we cover next?
Currently ranked Top 100 Apple Business Podcasts (US)

Related Episodes
Part 1: The Education Data Protection Gap (listen first)
- Main interview with Tammy Buchanan
- Overview of the Kido breach
- Systematic failures in education security
- 35-40 minutes
The Kido Hot Take
- Initial reaction to the breach announcement
- Why nurseries are targets
- Immediate implications

Episode Credits
Hosts: Noel Bradford (The Veteran Solution Provider), Mauven MacLeod (The Government-Trained Practitioner), Graham Falkner (Producer/Researcher)
Guest: Tammy Buchanan (Data Protection Education)
Production: Same session recording as Part 1; tea break transition edited; cold open recorded post-session; natural conversation maintained
Special mention: Custard creams (the real MVPs); VX-Underground (for documenting the repository before it vanished)

Legal Disclaimer
This podcast provides general information about cybersecurity topics for educational purposes. Listeners should consult a professional for their specific situation.
Regarding the repository screenshot: We present analysis based on a screenshot from a credible source (VX-Underground). The repository has been removed and we cannot independently verify its contents. Our discussion represents a professional assessment based on typical development practices, not a confirmed fact about the specific breach mechanism.
The views expressed by guests are their own and do not necessarily reflect the views of the hosts or production team.

Transcript
Full transcript available at: thesmallbusinesscybersecurityguy.co.uk/transcripts
Accessibility: Contact us for alternative formats

Next Episode
Next time: Infosec, Cybersec, and IT security - they are the same, right?? Spoiler alert: no, they are not!
Coming soon: More deep dives into small business cyber security. Subscribe so you don't miss it.

Published: 13 October 2025
Duration: ~30 minutes
Format: MP3
Copyright: © 2025 The Small Business Cyber Security Guy
License: All rights reserved

Stay safe out there. Check your repositories. Enable MFA for everyone. And remember, cybersecurity is safeguarding now.
Episode Description
Following the Kido nursery breach where 8,000 children's photos were stolen and posted online, we sit down with education sector expert Tammy Buchanan. With 15 years working in UK schools and now consulting on data protection compliance, Tammy reveals the shocking reality of cybersecurity in British education. From nurseries using platforms like Famly and Tapestry to primary schools struggling with basic MFA implementation, this conversation exposes systematic failures that put every child's data at risk. If you're a parent, school governor, or education professional, this episode will change how you think about school security.

Currently ranked in the Top 100 Apple Business Podcasts (US)

What You'll Learn
- Why only 50% of schools have multi-factor authentication enabled
- The difference between early years providers and mainstream schools
- How photo-rich platforms create unique vulnerabilities for nurseries
- Why DfE digital standards remain unknown to most schools
- The governance problem: volunteers without power
- Who actually gets things done when head teachers won't prioritise security
- Why schools keep breaches quiet and what that means for parents
- Practical steps parents can demand from their child's school today
- The Cyber Essentials challenge for small schools with limited budgets
- How COVID pushed schools years ahead without proper security foundations

Guest Contact Details
Tammy Buchanan, Senior Data Protection Consultant, Data Protection Education
Email: info@dataprotection.education
LinkedIn: Search for Tammy Buchanan or visit the Data Protection Education company page
Website: Data Protection Education
Tammy and her team (including a solicitor) work with schools across the UK on data protection compliance, information security, and cyber resilience. They provide free resources and news updates for schools on their LinkedIn page.

Resources Mentioned
Government and Regulatory:
- DfE Digital Standards (Department for Education)
- NCSC (National Cyber Security Centre) staff training resources
- ICO (Information Commissioner's Office) breach log and guidance
- Ofsted inspection framework
- Safeguarding regulations
Platforms Discussed:
- Famly (early years learning journey platform)
- Tapestry (early years learning journey platform)
- Arbor (school management information system)
- Bromcom (school management information system)
Security Standards:
- Cyber Essentials certification
- Multi-factor authentication (MFA) implementation
- Incident response planning
Additional Resources:
- The Small Business Cyber Security Guy blog: thesmallbusinesscybersecurityguy.co.uk
- Data Protection Education news page (free resources for schools)

Key Statistics from This Episode
- 50% or less of schools have MFA enabled
- 8,000 children's photos stolen in the Kido breach
- 12 years Tammy worked directly in schools before consulting
- 15 years Tammy has been in the education sector overall
- 2030 target date for schools to meet six DfE digital standards

Questions Parents Should Ask Their School
- Do you have multi-factor authentication enabled on all systems?
- How often do staff receive cybersecurity training?
- Where is your incident response plan and when was it last tested?
- Who on the governing body is responsible for data protection and cyber resilience?
- Are you working towards the DfE digital standards?
- Which third-party platforms hold my child's data and photos?
- How do you monitor and configure security settings on these platforms?

Key Takeaways
For Parents:
- Schools are having breaches regularly but keeping them quiet
- Most schools lack basic security like MFA
- Your child's photos on learning journey apps create unique risks
- You have the right to ask questions about data protection
- Schools respond to parental pressure
For School Leaders:
- Documentation matters for ICO compliance
- Training needs updating regularly, not the same video for three years
- Incident response plans are useless if nobody knows where they are
- School business managers need authority, not just responsibility
- Other schools' examples work better than external expert advice
For Governors:
- Cybersecurity needs to be statutory to get real traction
- The digital lead role on the governing body remains unfilled at many schools
- You need both knowledge and authority to make change happen
- Physical security analogies help boards understand cyber risks

The Big Picture
This episode exposes a systematic failure in UK education cybersecurity. Schools operate under considerable constraints, including volunteer governance, stretched budgets, and part-time IT support. Meanwhile, they hold treasure troves of children's data on platforms configured by people who lack security expertise. The Kido breach reveals what happens when one password unlocks 8,000 children's intimate moments. Most schools are one credential compromise away from the same fate. Until cybersecurity becomes statutory or linked to Ofsted inspections, progress will remain painfully slow.

Connect With The Show
Website: thesmallbusinesscybersecurityguy.co.uk
Subscribe: Available on all major podcast platforms
Social Media: Find us on LinkedIn
Help us grow: Leave a review, subscribe, and share this episode with parents, teachers, and school governors who need to hear this message.
Host Graham Falkner dives into Windows 11 25H2 in this solo episode, explaining why this understated update matters for security, stability, and small-business productivity. He breaks down how 25H2 arrives as an Enablement Package (EKB), what that means if you're already on 24H2, and why the streamlined rollout keeps disruptions to a minimum.

The episode covers key technical and practical changes: removal of legacy components like PowerShell 2.0 and WMIC, continued performance improvements (CPU scheduling, memory management, faster startups), and expanded Wi‑Fi 7 support. Graham highlights Microsoft's shift toward continuous monthly innovation and why that helps maintain a more secure, reliable environment without waiting for big yearly releases.

Security is a major focus: Graham explains Microsoft's Secure Future initiative, which brings AI-assisted secure coding and enhanced vulnerability detection into the development and post-release lifecycle. He frames these advances for small business owners, showing how better detection and automated security practices reduce risk and downtime.

Practical deployment and lifecycle details are explained clearly: support-cycle resets (24 months for Home/Pro, 36 months for Enterprise/Education), how to get 25H2 via the "Get the Latest Updates" toggle, controlled rollouts and device holds, and enterprise deployment options like Windows AutoPatch and the Microsoft 365 Admin Center. He also covers admin-friendly improvements such as removing preinstalled Microsoft Store apps with Intune or Group Policy.

The episode closes with hands-on advice: check the Windows Release Health Hub for known issues, back up critical machines before upgrading, verify driver and app compatibility, and prepare rollback plans for important systems.
Graham adds a personal anecdote about preparing his vinyl-catalog PC for the update and stresses that 25H2 is about steady, practical improvements—safer, faster, and less disruptive for both single machines and fleets.
In 40 years of Information Technology work, Noel Bradford has never been this angry. On September 25th, 2025, the Radiant ransomware gang stole personal data from 8,000 children at Kido International nurseries, posted their photos and medical records online, and then started calling parents at home to demand ransom payments. This isn't just another data breach. This is the moment cybercrime lost whatever soul it had left.

In this raw, unfiltered episode, Noel breaks down exactly what happened, why the security failures that enabled this attack exist in thousands of UK small businesses right now, and what you need to do immediately to protect your organisation from becoming the NEXT headline.

WARNING: This episode contains strong language and discusses disturbing tactics used by cybercriminals. Parental guidance advised.

What You'll Learn
- The complete timeline of the Kido ransomware attack and how it unfolded
- Why hackers spent weeks inside the network before striking
- The new escalation tactic of directly contacting victims' families
- Five critical security failures that allowed 8,000 children's records to be stolen
- Why "we're too small to be targeted" is the most dangerous lie in business
- The regulatory consequences Kido faces under UK GDPR
- Immediate action steps every small business must take NOW
- Why this attack signals a fundamental shift in cybercrime tactics

Key Takeaways

The Five Critical Failures
- Initial Access Was Preventable - Likely phishing, weak passwords, or unpatched vulnerabilities
- No Monitoring - Weeks of dwell time with zero detection
- No Network Segmentation - Hackers accessed everything once inside
- No Data Loss Prevention - 8,000 records exfiltrated without triggering alarms
- Inadequate Backups - No mention of restoration from clean backups

New Threat Landscape Reality
- Ransomware gangs now directly contact victims' families
- Children's data is being weaponised for psychological pressure
- Moral boundaries in cybercrime have completely dissolved
- Attack tactics proven successful will be replicated by other groups

Business Impact Statistics
- 43% of UK businesses suffered a breach in the past year
- Nearly 50% of primary schools reported cyber incidents
- 60% of secondary schools experienced attacks
- The education sector is particularly vulnerable

Featured Experts & Sources
Government & Law Enforcement:
- Metropolitan Police Cyber Crime Unit
- Information Commissioner's Office (ICO)
- Jonathon Ellison, Director for National Resilience, National Cyber Security Centre
Cybersecurity Experts:
- Rebecca Moody, Head of Data Research, Comparitech
- Anne Cutler, Cybersecurity Expert, Keeper Security
- Mantas Sabeckis, Infosecurity Researcher, Cybernews
Direct Victims:
- Stephen Gilbert, Parent with two children at Kido nursery
Threat Actors:
- Radiant Ransomware Gang (claims to be Russia-based)

Immediate Action Checklist
Do These TODAY:
- Enable multi-factor authentication on ALL business accounts
- Check that all software is updated to the latest versions
- Review who has access to sensitive data
- Verify backups exist and are stored offline
- Schedule staff phishing awareness training
Do These This Week:
- Audit your network segmentation
- Implement monitoring and alerting systems
- Review password policies across the organisation
- Create an incident response plan
- Assess cyber insurance coverage
Do These This Month:
- Conduct a full security audit
- Test backup restoration procedures
- Implement data loss prevention tools
- Review vendor and third-party security
- Schedule penetration testing

Resources Mentioned
Government Resources
- National Cyber Security Centre: https://www.ncsc.gov.uk/
- Information Commissioner's Office: https://ico.org.uk/
- Met Police Cyber Crime Unit: https://www.met.police.uk/advice/advice-and-information/fa/fraud/online-fraud/cyber-crime/
- UK Cyber Security Breaches Survey: https://www.gov.uk/government/collections/cyber-security-breaches-survey
Cybersecurity Companies
- Comparitech: https://www.comparitech.com/
- Keeper Security: https://www.keepersecurity.com/
- Cybernews: https://cybernews.com/
Legal & Compliance
- UK GDPR Guidance: https://ico.org.uk/for-organisations/guide-to-data-protection/
- Children's Data Protection: https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/children-and-the-uk-gdpr/

Episode Quotes
"What happened to Kido International this week represents the absolute lowest point I've witnessed in 40 years of cybersecurity."
"These hackers didn't just encrypt some files and demand payment. They actively posted samples of children's profiles online. Then they started ringing parents directly."
"You're not special. You're not too small. You're not immune. You're just next on the list unless you take action."
"The hackers claim they 'deserve some compensation for our pentest.' Let that sink in. They're calling this a penetration test."
"A child's photo, name, and home address in criminal hands. This data doesn't expire. It doesn't get less valuable. It just sits there, a permanent risk to these families."
"None of these failures are unique to nurseries or large organizations. I see the same problems in small businesses every single week."
"You're making the same mistakes that led to 8,000 children's data being posted on the dark web. The only difference is scale."

Discussion Questions
- How would you respond if your business were to experience a similar attack?
- What security measures do you currently have in place?
- Do you know where your most sensitive data is stored and who can access it?
- When was the last time you tested your backup restoration?
- How would you handle direct contact from threat actors?

Connect With Noel Bradford
Website: The Small Business Cyber Security Guy
Email: hello@thesmallbusinesscybersecurityguy.co.uk
LinkedIn: Noel Bradford
Need Help With Your Cybersecurity? Equate Group

Support The Podcast
If this episode made you think differently about cybersecurity, please:
- ⭐ Leave a 5-star review on Apple Podcasts
- 📢 Share this episode with other business owners
- 📧 Subscribe to get every new episode
- 💬 Join the conversation on social media using #KidoHack

Legal Disclaimer
The information provided in this podcast is for educational and informational purposes only. It does not constitute legal, financial, or professional cybersecurity advice. Always consult with qualified professionals regarding your specific situation. Opinions expressed are those of the host and do not necessarily reflect the views of any organisations mentioned.

Transcript
Full episode transcript available at: TBC

Episode Tags
#Cybersecurity #Ransomware #DataBreach #SmallBusiness #KidoHack #UKBusiness #CyberCrime #DataProtection #GDPR #InformationSecurity #CyberAwareness #ThreatIntelligence #BusinessSecurity #RansomwareAttack #ChildSafety

© 2025 The Small Business Cyber Security Guy Podcast. All rights reserved.
Join hosts Noel Bradford and Mauven MacLeod in this Back-to-School special of the Small Business Cybersecurity Guy podcast as they trace a line from 1980s schoolroom mischief to modern, large-scale breaches that put millions of students and small organisations at risk. Through recollections of early BBC Model B and Novell-era antics, the episode uses real recent incidents to expose how weak passwords, written credentials and opportunistic insiders create systemic security failures.

The episode unpacks headline-making investigations and statistics — including the ICO analysis showing that students are behind a majority of school data breaches, the PowerSchool compromise that affected tens of millions of records and led to extortion demands, and targeted campaigns such as Vice Society and the evolving Kido International incident. The hosts explain the motivations behind student-led breaches (curiosity, dares, financial gain, and revenge) and how those same drivers also appear within small businesses. Noel and Mauven explain why insider threats matter, even when they aren't sophisticated: most breaches exploit simple weaknesses, such as reused or guessable passwords, written notes, shared admin accounts, and a lack of access controls. Producer Graham contributes a live update on ongoing incidents, and the episode highlights how these events translate into operational disruptions — including school closures, days of downtime, and long-term reputational and legal fallout.

Practical defence is the episode's focus: clear, actionable guidance covers immediate steps (audit access, enable multi-factor authentication, remove unnecessary privileges), short-term actions (implement logging and monitoring, deploy password managers, set up incident response procedures) and longer-term resilience measures (regular access reviews, backups, staff training and cultural change). The hosts emphasise designing security around human behaviour so staff follow safe practices instead of working around them. Listeners will get a concise checklist of recommended technical controls — MFA, role-based access, privileged account separation, activity logging and reliable backups — alongside cultural advice: leadership buy-in, recognisable rewards for good security behaviour, and channels for curious employees to learn responsibly. The episode also highlights regulatory shifts, such as the introduction of mandatory Cyber Essentials for certain educational institutions, and links these requirements to small business risk management.

Expect vivid anecdotes, practical takeaways and a clear call-to-action: if a curious teenager can bypass your systems, it's time to harden them. Whether you run a two-person firm or a growing small business, this episode provides the context, evidence, and step-by-step priorities to reduce insider risk, detect misuse quickly, and recover from incidents without compromising your customers' trust.
Co-op's CEO has just confirmed that their cybersecurity disaster cost £80 million. The attackers? Teenagers using basic social engineering. In this Hot Takes episode, we break down how "We've contained the incident" turned into an £80 million earnings wipeout, and why the final bill could reach £400-500 million once legal claims are settled. This isn't just another breach story - it's a wake-up call for every UK business owner who thinks "it won't happen to us."

Key Topics Covered

The Attack Breakdown [0:30]
- April 2024 attack by the Scattered Spider group
- Social engineering, not sophisticated exploits
- 6.5 million members affected (100% of Co-op members)
- 2,300 stores disrupted, 800 funeral homes on paper systems

The Real Cost [1:45]
- £80 million confirmed earnings impact
- £206 million total sales impact
- £20 million in direct incident costs
- Zero cyber insurance coverage

Why It Could Get Much Worse [2:30]
- Pending ICO fine: £15-20 million likely
- Individual GDPR compensation claims: £25-£150 per person
- Potential £325 million member compensation exposure
- Final bill estimate: £400-500 million

Lessons for UK Small Businesses [3:15]
- Social engineering beats technical defences
- Cyber insurance is essential, not optional
- Business continuity failures amplify costs
- Training matters more than firewalls

Key Statistics
- £80 million - Confirmed earnings impact
- 6.5 million - Customers affected (every single member)
- £12 - Cost per affected customer (low by UK standards)
- £325 million - Potential member compensation exposure
- 17-20 years old - Age of arrested suspects
- 2,300+ - Stores affected by operational disruption

Resources & Links
Full Analysis: Read the complete breakdown: Link
Key Sources Cited:
- ICO Statement on Retail Cyber Incidents
- Computer Weekly: Co-op breach coverage
- Insurance Insider: Co-op's lack of cyber coverage
- UK Government Cyber Security Breaches Survey 2025

Action Items for Listeners
- Check your cyber insurance policy - Do you have coverage? Is it adequate?
- Review employee training - When was the last time your team received social engineering awareness training?
- Test business continuity - Can your operations survive 2 weeks offline?
- Read the full blog post - Get all the details and cost breakdowns

Quote of the Episode
"Co-op's disaster isn't a cybersecurity failure. It's a business leadership failure. And if you're listening to this thinking your business is different, you're next."
Date: 23 September 2025 — Host Mauven MacLeod delivers a furious, fast-paced analysis of two seismic cyber incidents and what they mean for UK and global businesses. This episode examines the Jaguar Land Rover and Collins Aerospace ransomware attacks, the human-driven methods that enabled them, and why they represent the first significant test of the EU's Digital Operational Resilience Act (DORA).

Topics covered include the scale of the damage (JLR reportedly losing up to £5 million per day and sector-wide losses potentially exceeding £1 billion), the criminal methodology (simple social engineering and help-desk manipulation by groups linked to Lapsus-style actors), and the cascading supply-chain impacts across the automotive and aviation sectors. The episode references confirmation from ENISA of Collins' ransomware compromise and notes reactions from industry figures such as Chris MacDonald at the Department for Business and Trade, as well as large providers like Tata Consultancy Services, Microsoft and RTX/Collins Aerospace.

Key points you'll take away: these attacks were largely preventable with basic controls — MFA (hardware keys), formal helpdesk identity verification, callback confirmation, network segmentation and focused security training — yet failures persist even at well-resourced organisations. Crucially, the episode explains DORA's cross-border reach (applicable since 17 January 2025), how EU authorities can designate critical ICT third-party providers (including non-EU firms), the reporting and continuity obligations this triggers for financial entities, and the potential penalties (including fines up to around 1% of global turnover) and oversight mechanisms now coming into play.

Practical guidance for listeners covers immediate steps: map vendor dependencies and identify any providers serving EU financial entities; review and update contracts for DORA alignment; update incident response and continuity plans to reflect DORA reporting requirements; and deploy low-cost, high-impact controls like hardware MFA, strict helpdesk processes and segmentation. The episode also critiques the UK government's reactive crisis management during these incidents and warns of an accelerating enforcement wave: designations, cross-border scrutiny and contractual overhauls are expected to intensify through 2025. Ultimately, Mauven argues this is the start of a new era — one where regulatory exposure flows through vendor dependencies and where organisational will, not technical capability, is the biggest barrier to resilience. Listeners will finish with a clear sense of urgency, the regulatory risks to assess, and concrete next steps to reduce operational and regulatory fallout from future incidents.
This episode explores the risks of relying on a single IT manager as an entire IT department. Hosts Noel Bradford and Mauven MacLeod unpack why paying one person a modest salary is not the same as buying a full team of specialists, and they share vivid real-world horror stories — from a sudden resignation that paralysed a 40-person engineering firm, to a ruined holiday when backups failed, to a marketing agency locked out by a burnt-out IT manager. Key topics include the cost mismatch between expectations and reality, how knowledge concentration creates critical single points of failure, signs that your IT lead is drowning (long hours, no lunch breaks, defensiveness, lack of documentation), and how poor management decisions can make things worse. Practical solutions are given: document everything, hire a competent number two rather than a trainee, engage managed service providers for specialist and 24/7 support, move critical services to cloud platforms to reduce on-site burden, and start with small, affordable steps like basic support contracts or break-fix services. The episode includes personal anecdotes from Noel (the "Donny" and zoo-day stories) and a discussion of when to involve external help, how to create continuity plans, and three immediate actions business owners can take today. Listeners are encouraged to have an open conversation with their IT person, assess real costs and risks, and take steps to protect both their systems and their staff from burnout and catastrophic failure.
Most small business owners think CIO stands for "Chief I-Fix-Everything Officer" and CISO means "Chief I-Worry-About-Security Officer." In this episode, Noel Bradford (actual CIO/CISO) breaks down what these executive roles actually do and why your business desperately needs this strategic thinking - without the six-figure salary. Discover how fractional CIO/CISO services let 20-100 employee businesses access Fortune 500 expertise for £15,000-35,000 annually instead of £120,000+ for full-time hiring.

What You'll Learn
- The Real Difference Between CIO and CISO: Technology strategy vs security strategy (and why one person can do both).
- Why Dave from IT Needs Help: The unfair burden of strategic decisions on operational staff.
- Fractional Services Explained: How to get executive-level guidance for 8-12 hours per month.
- ROI Reality Check: Technology inefficiencies probably cost you more than £15k annually.
- Finding Quality Providers: Red flags vs genuine executive experience.
- Integration Strategy: Treating fractional executives like Non-Executive Directors.

Key Takeaways
- Strategic technology and security leadership isn't just for large corporations.
- Fractional services cost £15,000-35,000 annually vs £120,000+ for full-time hiring.
- Sound fractional executives enhance internal capabilities rather than replacing them.
- Treat fractional CIO/CISO like Non-Executive Directors - invite them to board meetings.
- Start with a current state assessment (£3,000-6,000) before ongoing engagement.

Diagnostic Questions
You probably need fractional CIO/CISO services if you answer "yes" to several of these:
- Technology decisions are made reactively rather than strategically
- Increasing tech spending without clear ROI visibility
- Security/compliance concerns are constantly pushed down the priority list
- Internal IT person making strategic decisions while handling operations
- Current systems won't scale with business growth plans
- Regulatory compliance anxiety about technology approaches

Episode Highlights
- Real-World Example: A 15-person marketing agency saved £300/month and improved security by consolidating from multiple cloud storage solutions to a single strategic platform.
- Cost Comparison: Fractional services at £150-350/hour for 8 hours monthly vs full-time CIO/CISO at £100,000-180,000 annually plus benefits and normal staffing costs.

Next Steps
- Honest self-assessment of current technology/security decision-making
- Calculate the annual cost of technology inefficiencies and security risks
- Research fractional providers with genuine senior executive experience
- Consider starting with the current state assessment project

Connect With Us
Hit subscribe, leave a review mentioning whether you're considering fractional services, and share with business owners making technology decisions without strategic guidance. Remember: You don't need enterprise budgets to get enterprise thinking. And be kind to Dave - he's doing his best.

#FractionalCIO #FractionalCISO #CIO #CISO #ChiefInformationOfficer #ChiefInformationSecurityOfficer #FractionalExecutive #ITLeadership #TechnologyStrategy #SecurityStrategy #SmallBusiness #SMB #SmallBusinessOwners #Entrepreneurs #BusinessOwners #StartupLife #GrowingBusiness #ScaleUp #BusinessGrowth #SMBTech #ITStrategy #TechnologyLeadership #BusinessTechnology #ITManagement #DigitalTransformation #TechStack #CloudStrategy #ITBudget #TechnologyRoadmap #SystemsIntegration
September 2025 Patch Tuesday: Critical Business Update
Special Edition with Graham Falkner

Microsoft's September Patch Tuesday brings 81 security fixes, including 9 critical vulnerabilities already being exploited by attackers. This episode provides essential business guidance for small business owners navigating these updates safely and efficiently.

Key Topics Covered:
- Business impact of 81 security vulnerabilities
- Four critical threats affecting small businesses
- SharePoint Server active exploitation campaigns
- Network authentication bypass vulnerabilities
- 7-day practical deployment strategy
- Windows 10 end-of-life planning (October 14th deadline)
- Cyber Essentials compliance requirements

Critical Action Items:
- Days 1-2: Assess SharePoint installations and document processing systems
- Days 3-7: Deploy controlled testing and priority system updates
- Days 8-14: Complete production environment deployment
- Immediate: Audit all Windows 10 devices and plan migration

Windows 10 Urgent Notice: Support ends October 14th, 2025. This may be the final security update for Windows 10 systems. Extended Security Updates available at significant cost. Migration planning required immediately.

Compliance Requirements: Cyber Essentials certified organisations must deploy updates by September 23rd, 2025. Earlier deployment recommended for business risk management.

Vulnerable Systems Requiring Priority Attention:
- SharePoint Server installations (under active attack)
- Systems processing external documents and email attachments
- Network authentication infrastructure
- Customer data handling environments

Known Compatibility Issues:
- PowerShell Direct connection failures in virtualised environments
- SMB signing requirements affecting older network storage
- MSI installer UAC prompt changes

Sources:
- Microsoft Security Response Center - September 2025 Security Updates
- Verizon 2024 Data Breach Investigations Report
- UK GDPR Article 32 - Security of Processing Requirements
- Cyber Essentials Certification Guidelines

Resources:
Comprehensive deployment guides, compatibility checklists, and Windows 11 migration planning available at: thesmallbusinesscybersecurityguy.co.uk
Technical support documentation: Microsoft KB5065426, KB5065431, KB5065429

Next Steps: Subscribe for regular cybersecurity updates. Share with business owners who need this information. Visit our website for detailed implementation guidance.

This episode provides educational information only. Always implement cybersecurity measures appropriate to your specific business needs and risk profile.

Hashtags: #CyberSecurity #SmallBusiness #Windows10 #PatchTuesday #Microsoft #BusinessSecurity #ITSecurity #CyberEssentials #Windows11 #SecurityUpdates #BusinessContinuity #UKBusiness #Compliance #GDPR #CyberInsurance #NetworkSecurity #SharePoint #BusinessTech #InfoSec #DigitalSecurity
Episode Summary
The Electoral Commission suffered a 14-month data breach affecting 40 million UK voters, yet faced zero ICO enforcement action. Meanwhile, small businesses receive crushing GDPR fines for minor infractions. This explosive episode exposes dangerous double standards leaving SMBs vulnerable while government bodies escape accountability.

The Shocking Facts
- Breach Duration: 14 months (August 2021 - October 2022)
- Affected People: 40 million UK voters' data accessible
- Attack Method: ProxyShell vulnerabilities - patches available months before breach
- Attribution: Chinese state-affiliated actors (APT31)
- ICO Response: "No enforcement action taken"

Security Failures That Would Destroy Small Businesses
- Default passwords still in use
- No password policy
- Multi-factor authentication not universal
- Critical security patches ignored for months
- One account used original issued password

ICO's Dangerous Double Standard
While the Electoral Commission faces zero consequences for exposing 40 million people's data, small businesses routinely receive thousands in fines for single email attachment breaches. This regulatory hypocrisy creates false security expectations and leaves SMBs as easy targets for cybercriminals and regulators.

Immediate Action Required: Patch Tuesday Compliance
The Electoral Commission's breach used ProxyShell vulnerabilities (CVE-2021-34473, CVE-2021-34523, CVE-2021-31207) patched months earlier. Every day you delay Microsoft updates increases breach risk and regulatory exposure.

Critical Steps Today:
- Apply Microsoft Updates Now: Stop reading, patch systems, then continue
- Audit Password Security: Eliminate default, weak, or original passwords
- Implement Universal MFA: Multi-factor authentication on all accounts

Key Takeaways
- Government bodies receive preferential ICO treatment despite massive failures
- Small businesses face disproportionate scrutiny and penalties
- Basic security hygiene prevents most cyberattacks
- Professional cybersecurity help costs less than ICO fines
- Regulatory consistency doesn't exist - protect yourself accordingly

Why This Matters for Your Business
If the Electoral Commission can ignore basic cybersecurity for 14 months without consequences, imagine what happens when your business makes similar mistakes. The ICO needs examples - and it won't be government bodies.

Resources
- Microsoft Security Updates Portal
- NCSC Small Business Guidance
- ICO Data Protection Guidelines
- ProxyShell Vulnerability Database

Get Help
Need cybersecurity basics, patch management, or GDPR compliance help? Don't become the ICO's next small business example.
- Email: help@thesmallbusinesscybersecurity.co.uk
- Website: thesmallbusinesscybersecurity.co.uk

Related Episodes
- Episode 8: White House CIO Insights - Government Security
- Episode 9: Cyber Essentials Framework
- Episode 6: Shadow IT Risks

Keywords
#ElectoralCommissionhack #ICO #doublestandards #GDPR #PatchTuesday #Microsoftupdates #ProxyShellvulnerability
🚨 SHOCKING: 60% of Small Businesses Shut Down Forever After Cyberattacks

96% of hackers target YOUR business, not big corporations. Think you're too small to be a target? Think again. Noel and Mauven reveal the brutal truth about cybersecurity that could save your business - or expose why you're already at risk.

💀 The Terrifying Reality:
- 82% of ransomware attacks target businesses under 1,000 employees
- Small business employees face 350% MORE attacks than enterprise workers
- Average cyber incident costs UK businesses £362,000
- Only 17% of small businesses have cyber insurance

🛡️ What You'll Discover:
- The FREE security fix that stops most attacks (costs nothing, takes 30 seconds)
- Why Multi-Factor Authentication is your business lifeline
- How Cyber Essentials certification makes you 92% less likely to get attacked
- Government programs most business owners don't know exist
- Why this is a BUSINESS issue, not an IT problem

🎯 Perfect For:
- Small & medium business owners
- Anyone worried about cyber threats
- Business leaders who think they're "too small" to be targeted
- Companies looking for practical, affordable security solutions

💡 Key Takeaways:
- Multi-Factor Authentication everywhere - Enable it on email, accounting systems, cloud storage, and remote access. This one change stops the vast majority of attacks.
- Cyber Essentials certification - Organizations with this UK government scheme are 92% less likely to make insurance claims. Plus, Noel's preferred certification body includes up to £250,000 in cyber insurance coverage as part of the package!
- Staff training that actually works - Monthly 5-minute team discussions about real threats, not boring annual presentations.
- The 3-2-1 backup rule - Three copies of data, two different storage types, one completely offline.

⚡ Real Talk: This isn't fear-mongering - it's business reality. Every day you delay basic cybersecurity is another day you're gambling with everything you've built. The cost of prevention is ALWAYS less than the cost of recovery.

🔗 Take Action: Start this week: Enable MFA on your email, research Cyber Essentials, schedule team security discussions. Your future self will thank you.

Want to know more about Cyber Essentials certification with included insurance? Reach out to Noel directly.

Like what you heard? Subscribe, leave a review, and share with other business owners who need to hear this.

#Cybersecurity #SmallBusiness #CyberEssentials #BusinessSecurity #UKBusiness
KNP Logistics — 158 years in business — wiped out in 48 hours by ransomware. Noel Bradford and Mauven MacLeod unpack that real-world catastrophe to show small businesses how the same fate can be avoided. If you run a local shop, agency or family firm and think cybersecurity is either incomprehensible or unaffordable, this episode is for you.

Noel Bradford, with 40 years of experience in corporate security, and Mauven MacLeod, a former government cyber analyst who tracked nation-state actors, introduce themselves and explain why attackers are increasingly targeting customer databases and other easy-to-access systems. They describe common threat vectors and the mistakes that turn manageable incidents into business-ending disasters. Topics covered include ransomware timelines, authentication failures, shadow IT risks, social engineering and real breach case studies. The hosts translate enterprise-level controls into simple, low-cost actions you can implement between customer calls — covering backups, multi-factor authentication, software hygiene, incident response basics and how to spot a phishing scam before it's too late.

Key takeaways: perfect security is unattainable, but practical, layered defences dramatically reduce risk; small changes can stop most attacks; and preparation (not panic) is the difference between a blip and a shutdown. Expect clear, jargon-free advice, step-by-step recommendations and real lessons from the trenches. Tune in for a fast, actionable guide to protecting your business assets and customer data. Subscribe to the Small Business Cyber Security Guy for weekly episodes that make good security affordable and straightforward — because good security doesn't have to cost a fortune, but stupidity always does.
💀 Welcome to the UK's Cyber Graveyard 💀

Over 2,000 jobs GONE. Centuries of business history DELETED. All because of weak passwords and basic security failures that could have been prevented for FREE.

🚨 THE VICTIMS:
- KNP Logistics: 158 years old, £94.5M revenue → 730 redundancies
- Travelex: Global currency giant → 1,309 UK job losses
- NRS Healthcare: NHS supplier → Currently liquidating after 16 months

💣 THE KILLER: Simple password attacks that Multi-Factor Authentication would have STOPPED

🛡️ WHAT YOU'LL LEARN:
✅ The 5 fatal security failures that killed these companies
✅ Why MFA blocks 99.9% of credential attacks (and costs nothing)
✅ 30-60-90 day action plan to bulletproof your business
✅ How to get leadership buy-in without breaking the bank
✅ Real case studies from BBC Panorama investigations

⚡ TAKE ACTION NOW: Stop listening and enable MFA on your email systems RIGHT NOW. Your future self will thank you when you're not explaining redundancies to your staff. Don't become the next cautionary tale in the UK's growing cyber graveyard.

#CyberSecurity #SmallBusiness #Ransomware #DataBreach #MFA #CyberAttack #BusinessSecurity #PasswordSecurity #UKBusiness #BusinessFailure
After 17 episodes covering everything from basic password security to nation-state threats targeting corner shops, Noel and Mauven reveal what actually works, what consistently fails, and why most businesses are fighting 2019 threats with 2015 thinking while facing 2025 attack methods.

🎯 Shocking Revelations:
- 42% of business applications are unauthorised Shadow IT - Your parallel digital infrastructure you never knew existed
- Multi-factor authentication stops 90% of credential attacks - Yet businesses still resist this free silver bullet
- AI systems now write custom malware faster than humans can patch - Deepfakes fool CEOs, psychological manipulation targets individuals
- Supply chain attacks make YOU liable for everyone - Protecting clients, suppliers, and partners becomes your responsibility
- Most successful attacks still exploit basic failures - Unpatched systems, weak passwords, untested backups

🔥 Real Listener Questions Answered:
- "My IT budget is three pounds fifty and digestives - how do I justify £8/month for security?"
- "Staff revolt against MFA - how do I implement without workplace mutiny?"
- "Found 17 project management tools in use - how do I consolidate without chaos?"
- "Completely overwhelmed by 17 episodes - where do I actually start?"
- "Client angry about payment verification - how do I explain without damaging relationships?"

⚡ What Actually Works: Systematic thinking over panic-buying security products, modern endpoint protection with AI detection, verification procedures that defeat deepfakes, documentation that survives when Dave from IT leaves, regular testing cycles, and risk-based prioritisation focusing on high-impact areas first.

💥 What Consistently Fails: "Set it and forget it" security measures, relying on users to spot sophisticated AI-crafted threats, compliance theatre without genuine implementation, single-solution approaches, the "we're too small to be targeted" delusion, and treating cybersecurity as IT-only responsibility.

🎯 Three Things to Implement Immediately:
- Enable MFA everywhere - Free protection against 90% of credential attacks
- Implement payment verification procedures - Call back on known numbers before acting
- Test your backups regularly - Having backups ≠ having working backups

🎧 Perfect For: Business owners feeling overwhelmed by cybersecurity complexity, IT managers defending security budgets to sceptical accountants, professionals tired of vendor marketing promising magic solutions, and anyone who thinks antivirus software equals comprehensive security.

From basic concepts to AI threats - the complete cybersecurity education in one retrospective episode. Subscribe for weekly episodes making enterprise-level security thinking accessible for small business budgets. Real solutions, no vendor fluff, practical advice that actually works in the real world.

#SmallBusinessSecurity #CyberSecurity #MFA #ShadowIT #AIThreats #CyberEssentials #DataProtection #BusinessSecurity #TechSecurity #CyberDefense
🎧 Latest Episode Alert | Fresh intelligence from DefCon 33 reveals how AI-enhanced cyber threats to small business are accelerating rapidly. Techniques demonstrated in Las Vegas are targeting UK businesses within weeks.

🚨 Critical Cyber Threats to Small Business

AI-Powered Social Engineering
- 85% success rates against security professionals
- AI psychological profiling from social media
- Voice synthesis for CEO impersonation attacks
- Multi-month fake identity campaigns

Supply Chain Cyber Threats
- Coordinated ecosystem attacks across suppliers
- AI mapping of business relationships
- MSP compromises affecting 200+ networks
- Hardware backdoors surviving firmware updates

Automated Attack Evolution
- 6-hour vulnerability-to-exploit timeline
- 88% evasion of traditional antivirus
- Custom malware for each target
- Cybercrime-as-a-Service platforms

🛡️ Defending Against Modern Cyber Threats

Immediate Actions (Free)
- Multi-channel verification for financial requests
- Independent contact verification procedures
- Staff training on systematic verification

Essential Tech Upgrades (£3-8/user/month)
- AI-powered endpoint protection (Microsoft Defender for Business, CrowdStrike)
- Network segmentation via modern firewalls
- Air-gapped backup systems
- ThreatLocker "Deny All by Default" protection

Cyber Essentials Framework
Version 3.2 updates include 14-day critical vulnerability patching, passwordless authentication recognition, and enhanced remote working requirements.

💼 Business Benefits Beyond Security
- Better insurance rates
- Government contract access
- Supply chain partnership opportunities
- Competitive advantage demonstration

🔥 TRENDING & HASHTAGS
Topics: DefCon 33 findings | AI cyber attacks | Small business vulnerabilities | Supply chain security
Hashtags: #CyberSecurity #SmallBusiness #DefCon33 #AISecurity #CyberThreats #BusinessProtection #UKBusiness #CyberEssentials #InfoSec #ThreatIntelligence #CyberDefense #BusinessSecurity #SecurityFirst

🚀 ENGAGEMENT HOOKS
🔥 URGENT: AI attacks now target small businesses within 6 weeks of DefCon demos
💡 FREE defence strategies that stop 85% of social engineering
⚡ Why your antivirus is useless against 2025 threats
🎯 Turn cybersecurity into competitive advantage

👍 LIKE if this helped you understand modern cyber threats
🔔 SUBSCRIBE for weekly threat intelligence
💬 COMMENT your biggest security concern
📤 SHARE with business owners using outdated protection

🎧 Listen now before these threats target YOUR business! Subscribe for weekly cyber threat intelligence. Share with business owners still using basic antivirus protection against advanced threats.
🚨 Episode 11: When Your Safety Net Becomes the TargetBackup Security Under Fire + Business Email Compromise Reality Check Your backups aren't protecting you anymore—they're the primary target. In this explosive double-header episode, we expose why 94% of ransomware attacks now target backup systems first, and how Business Email Compromise enables these devastating attacks. 🎯 What You'll Learn:Backup Reality Check: Why "immutable" storage isn't, and cloud sync ≠ backup protection Cloud Provider Truth Bomb: Neither Microsoft nor Google guarantee your data integrity BEC Epidemic: How £35+ billion in global losses connect to backup destruction Modern Attack Chains: Email compromise → reconnaissance → backup annihilation What Actually Works: Third-party solutions, testing reality, budget truths 💡 Key Takeaways:Only 27% of businesses successfully recover all data after incidents 30-40% of cyber insurance claims denied due to backup inadequacies Proper backup solutions cost £20-100/month, not £500+ Process controls beat technical controls for BEC prevention Multi-channel verification saves businesses millions 🎙️ Hosts & Guests:Noel Bradford - The Small Business Cyber Security Guy Mauven MacLeod - Ex-NCSC Cyber Expert Oliver Sterling - Veteran IT & Cyber Specialist Lucy Harper & Graham Falkner - Announcing The 10-Minute Cyber Fix daily show! 📺 NEW: The 10-Minute Cyber FixStarting Monday! Daily cybersecurity news analysis with Lucy Harper. Perfect for commute listening—cutting through vendor panic and media hyperbole to deliver what actually matters for YOUR business. 
🔗 Essential Resources:
Veeam Ransomware Trends Report 2024 - 94% backup targeting statistics
FBI IC3 BEC Report 2023 - £35+ billion global losses
Microsoft Online Services Terms - "Commercially reasonable efforts" reality
NCSC BEC Guidance - UK government protection advice
Action Fraud BEC Statistics - UK-specific loss data
Cyber Essentials Scheme - UK government backup guidance
Google Cloud Terms of Service - Data responsibility clauses
💰 Vendor Solutions Mentioned:
Third-Party Backup: Veeam Backup for Microsoft 365, Druva, Barracuda, Dropsuite, SkyKick
Key Point: Your cloud provider's backup ISN'T enough—you need independent protection.
⚠️ Critical Actions:
Implement multi-channel verification for all financial requests
Test backup restoration regularly, not just backup completion
Deploy third-party backup for cloud services
Document procedures that work under pressure
Train staff on BEC recognition and response
🎯 Next Week Preview:
Advanced Persistent Threats targeting SMBs - How nation-state techniques filter down to everyday criminals. Special guest from the UK's cyber security agency.
📱 Connect With Us:
💼 LinkedIn: Mauven's getting job offers—someone's listening!
📧 Consulting: Real-world security help for small businesses
🎧 Daily Fix: Subscribe for Monday's launch of The 10-Minute Cyber Fix
⚖️ Disclaimer: Educational content only. Consult qualified professionals for business-specific advice. Not affiliated with any government agency or vendor.
🔥 If this episode saved you from a backup disaster or BEC scam, hit subscribe and share with fellow business owners who still think "it's in the cloud" means "it's safe"!
In the final part of our White House CIO Insights series, we explore the cutting-edge AI-powered threats that are transforming cybersecurity. Our special guest Sarah Chen, who heads up AI threat research at a leading UK cybersecurity firm, reveals how artificial intelligence is being weaponized by criminals - and what small businesses can do to defend themselves. From deepfakes that fool CEOs to AI that writes custom malware in real time, discover why traditional security approaches are failing and what you need to implement today to protect your business against tomorrow's threats.
What You'll Learn
How sophisticated deepfakes are targeting UK businesses right now
Why AI-powered social engineering succeeds 30% of the time vs 3% for traditional phishing
How criminals are using AI to generate custom malware faster than humans can patch it
Practical defenses that work against AI threats without enterprise budgets
What the future threat landscape means for small business cybersecurity
Key Takeaways
🔐 Implement multi-channel verification for all financial transactions and sensitive requests
🔐 Upgrade to AI-powered endpoint protection - traditional signature-based antivirus is no longer enough on its own
🔐 Train staff on procedures, not threat recognition - create decision trees that work under pressure
🔐 Understand this is ongoing - build adaptive capabilities, not static defences
Source Attribution
This episode features insights from Theresa Payton's interview with the Scammer Payback podcast. Theresa served as the first female White House CIO under President George W. Bush and is a leading expert on cybersecurity threats and manipulation campaigns.
Full Interview: We strongly encourage listening to the complete Theresa Payton interview on Scammer Payback for comprehensive coverage of nation-state threats, deepfakes, and digital privacy strategies.
About Scammer Payback: Excellent podcast and YouTube channel dedicated to exposing cybercriminal tactics and protecting people from fraud. Essential viewing/listening for anyone interested in cybersecurity.
Connect With Us
🎧 Subscribe for weekly cybersecurity insights for small business
⭐ Rate & Review - help other business owners find practical security advice
📱 Share with fellow business owners who need to understand AI threats
💬 Comment with your questions about AI security challenges
What's Next
Episode 11: Backup Security in the AI Age - When even your recovery procedures need defending against adaptive adversaries
Coming Soon: Deep dives into email security, mobile security, and building comprehensive security cultures for small business
Series Information
This episode completes our White House CIO Insights trilogy:
Episode 8: The Threat Landscape Small Business Faces
Episode 9: Cyber Essentials - Enterprise Security for Small Business
Episode 10: Advanced Threats & AI (this episode)
Disclaimer: This podcast provides educational information about cybersecurity threats and defenses. Always consult with qualified cybersecurity professionals for specific advice about your business security needs.
Copyright: © 2025 The Small Business Cyber Security Guy Podcast. All rights reserved.
UK Ransomware Ban: Why Your SMB Just Became a Bigger Target
Show: The Small Business Cyber Security Guy Hot Take
Hosts: Graham Falkner & Noel Bradford
Episode Length: 7:30
Category: Business, Technology
Episode Description
The UK Government just dropped the most aggressive ransomware policy in the world - and it's about to make your small business a much more attractive target for criminals. Join Graham and Noel as they break down the three shocking proposals that will reshape cyber threats for every British business by 2026.
What You'll Learn:
Why 72% of consultation respondents backed payment bans despite industry panic
How the "essential supplier" loophole could snare thousands of unsuspecting SMBs
The brutal mathematics: £3K prevention vs £300K+ ransomware losses
Why Cyber Essentials is about to become a business survival tool, not just compliance
Key Takeaway: With criminals pivoting from a locked-down public sector to easier SMB prey, you have 18 months to get your cyber house in order. Don't wait - the attack frequency is about to explode.
Key Statistics
72% - Consultation support for payment ban
$1B - Global ransomware payments in 2023
80% - Attack reduction with Cyber Essentials
18 - Months to prepare before 2026
Key Topics
Government Ransomware Proposals
Payment bans for public sector and CNI (no exceptions)
Mandatory 72-hour incident reporting for all sectors
Government pre-approval required for private sector payments
Implementation timeline: Late 2026 (if passed)
The SMB Target Shift
Global ransomware payments: $1 billion in 2023
UK victims doubled on leak sites since 2022
Attack displacement from public sector to private SMBs
Volume strategy: 40 SMBs at £50K vs 1 NHS trust at £2M
Cyber Essentials Reality Check
68% reduction in successful ransomware attacks
Five controls that actually work (when implemented properly)
Insurance discounts becoming business necessity
"Badges don't stop hackers, controls do"
Insurance Market Transformation
Premium increases of 25-50% over next two years
Claims denials for businesses without proper controls
CE certification shifting from discount to baseline requirement
Real-World Case Studies:
Post-ransom betrayal: Attackers left backdoors, insurance refused payout
Lost government contract: SMB couldn't prove basic cyber hygiene after small breach
Regulatory tag scenario: Sourdough bakery subject to cyber law for prison deliveries
Action Items
Immediate (Next 30 Days)
Map CNI/public sector client relationships
Assess potential supply chain compliance exposure
Calculate business-specific ransomware impact costs
Review current cyber insurance coverage terms
Short-term (90 Days)
Begin Cyber Essentials certification process
Implement five core security controls properly
Establish professional security response relationships
Test backup and recovery procedures monthly
Strategic (18 Months)
Prepare for potential "essential supplier" designation
Budget for insurance premium increases
Develop incident response and crisis communication plans
Create alternative business operation procedures
Blog Post: The UK Government's Ransomware Gambit: Why Your SMB Just Became a Bigger Target
Related Episodes
Episode 2: "Compliance Theatre vs Real Security"
Episode 6: "Supply Chain Security: Your Weakest Link"
Rate and Review: Help other SMB owners discover critical cyber security insights by rating this episode on Spotify, Apple Podcasts, or your preferred platform.
Questions? Email: hello@thesmallbusinesscybersecurityguy.co.uk
Website: www.thesmallbusinesscybersecurityguy.co.uk
Episode Credits
Hosts: Graham Falkner, Noel Bradford
Production: The Small Business Cyber Security Guy
Copyright: © 2025 The Small Business Cyber Security Guy. All rights reserved. Content for educational purposes. Consult cybersecurity professionals for specific business advice.
Episode Description
Join Noel Bradford and Graham Falkner for another cybersecurity hot take as they dive into the alarming world of help desk social engineering attacks. This episode exposes how the notorious Scattered Spider group has weaponized basic human helpfulness to devastating effect, turning your friendly IT support into the front door for ransomware attacks. From MGM's $100 million disaster to the recent wave of UK retail breaches (M&S, Co-op, Harrods), discover how teenagers armed with nothing more than convincing accents and sob stories are outsmarting million-pound security systems. Spoiler alert: it's not the tech that's failing us.
Key topics
The Scattered Spider Phenomenon: Meet the English-speaking teenagers who graduated from Roblox to ransomware
Help Desk Horror Stories: Why your MFA reset process is probably easier than ordering a dodgy kebab
The MGM Masterclass: How one phone call led to 10 days of casino chaos
UK Retail Ransomware Wave: The domino effect that took down half the high street
Sandra's 3AM Security Failures: Why verification questions like "favourite biscuit" aren't cutting it
Real Solutions That Actually Work: Beyond useless training modules to proper phishing-resistant MFA
Notable Quotes
"You can get your entire digital life reset with less hassle than ordering a dodgy kebab after the pub."
"The help desk culture these days - it's like the Wild West, but with more hold music and less gunfire."
"If your help desk can be outwitted by someone who sounds like they're late for a Fortnite tournament, you've got bigger problems than patching Windows."
"It's not hacking, it's just really, really good acting."
What You'll Learn
How Scattered Spider targets help desk processes with surgical precision
Why traditional security questions are laughably inadequate
The real-world impact of social engineering attacks on major retailers
Practical defenses that actually work (hint: it's not more training)
Why your business might be the stepping stone, not the target
Solutions Discussed
Video verification for all MFA resets
Phishing-resistant MFA (FIDO2 keys, smart cards, PKI certificates)
Proper RMM tool controls with device allowlisting and geographic restrictions
Zero unauthenticated resets policy
Monitoring for unusual authentication patterns, such as a help desk MFA reset followed minutes later by a sign-in from a device or location the user has never used
Episode Highlights
The career trajectory from Minecraft to MGM hacking
Why "favourite colour" security questions are a disaster waiting to happen
The proposed "angry Scottish nans verification panel" security policy
The legendary cat impression MFA reset incident
How one help desk call can ransomware half the high street
Perfect For
Small business owners worried about cybersecurity
IT professionals dealing with help desk security
Anyone who's ever reset a password over the phone
Security-conscious listeners who enjoy a good dose of British humour with their cyber threats
#Cybersecurity #ScatteredSpider #Ransomware #SocialEngineering #HelpDesk #MFA #UKRetail #MGM #SmallBusiness #InfoSec #PhishingResistant #SecurityAwareness
Remember: Security isn't about being perfect, it's about being better than the bloke next door. Don't let Sandra near the reset button after midnight!
See - https://www.noelbradford.com/blog/scattered-spider-helpdesk-mfa-reset-attack-warning-uk-2025
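One concrete way to act on the "monitoring for unusual authentication patterns" point above is to correlate help desk MFA resets with the sign-ins that follow them. The script below is an added illustration for these show notes, not code from the podcast or from any vendor: it reads a small, constructed audit trail (the line format, field names, user names and IP addresses are all assumptions) and raises an alert whenever a help desk reset is followed, within a configurable window, by a sign-in from an IP address that user has never signed in from before. The same logic applies to any identity provider's audit log once you map its fields onto the assumed ones.

```python
"""Detect help-desk MFA resets followed quickly by a sign-in from an IP the
user has never used. Added illustration for the "monitor for unusual
authentication patterns" advice; the log line format, field names and sample
events below are constructed assumptions, not any real vendor's schema."""
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample audit trail: timestamp, event, user, source IP, actor.
# sandra.p gets a help-desk reset at 02:55 and signs in from a brand-new IP
# seven minutes later; ian.m gets a reset but signs in from his usual IP.
SAMPLE_EVENTS = [
    "2025-06-01T02:55:10Z mfa_reset user=sandra.p ip=203.0.113.8 actor=helpdesk",
    "2025-06-01T03:02:41Z signin user=sandra.p ip=198.51.100.77 actor=self",
    "2025-06-01T09:15:00Z signin user=ian.m ip=192.0.2.10 actor=self",
    "2025-06-01T09:20:00Z mfa_reset user=ian.m ip=203.0.113.8 actor=helpdesk",
    "2025-06-01T09:25:00Z signin user=ian.m ip=192.0.2.10 actor=self",
]

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<event>\w+)\s+user=(?P<user>\S+)\s+ip=(?P<ip>\S+)\s+actor=(?P<actor>\S+)$"
)


def parse_events(lines):
    """Parse the assumed log format into dicts, oldest first; skip junk lines."""
    events = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        rec = m.groupdict()
        rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(
            tzinfo=timezone.utc
        )
        events.append(rec)
    return sorted(events, key=lambda e: e["ts"])


def find_suspicious_resets(lines, window_minutes=30, known_ips=None):
    """Return one alert per sign-in that (a) follows a help-desk MFA reset for
    the same user within window_minutes and (b) comes from an IP not seen in
    that user's earlier sign-ins or in known_ips (e.g. office egress ranges).
    The reset's own source IP is the help-desk tooling, so it is never
    treated as a familiar address for the user."""
    window = timedelta(minutes=window_minutes)
    seen = defaultdict(set)
    for user, ips in (known_ips or {}).items():
        seen[user].update(ips)
    pending = {}  # user -> time of their most recent help-desk MFA reset
    alerts = []
    for e in parse_events(lines):
        user = e["user"]
        if e["event"] == "mfa_reset" and e["actor"] == "helpdesk":
            pending[user] = e["ts"]
        elif e["event"] == "signin":
            reset_at = pending.get(user)
            if (
                reset_at is not None
                and timedelta(0) <= e["ts"] - reset_at <= window
                and e["ip"] not in seen[user]
            ):
                alerts.append({
                    "user": user,
                    "ip": e["ip"],
                    "minutes_after_reset": round((e["ts"] - reset_at).total_seconds() / 60, 1),
                })
            # Every sign-in IP becomes baseline afterwards, so the first
            # alert for a given IP is the one to triage, not a repeat.
            seen[user].add(e["ip"])
    return alerts


if __name__ == "__main__":
    for a in find_suspicious_resets(SAMPLE_EVENTS):
        print(f"ALERT {a['user']}: sign-in from {a['ip']} "
              f"{a['minutes_after_reset']} min after help-desk MFA reset")
```

Run it as-is and only sandra.p is flagged; pass `known_ips={"sandra.p": {"198.51.100.77"}}` (a known home or office address) and the alert disappears, which is the tuning knob you would feed from your existing sign-in history rather than hand-maintaining. The window and the "new IP" test are deliberately simple; a new device identifier or an impossible-travel check from your identity provider slots into the same condition.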
1984 is here! Just 41 years late - Big Brother is watching and censorship is increasing. The UK's Online Safety Act went live July 25th, 2025. VPN usage exploded 1,400% overnight. Teenagers are using PlayStation screenshots to bypass age verification. Join Noel Bradford and Mauven MacLeod for an emergency breakdown of Britain's most expensive digital policy failure and why every tech-savvy teen is already laughing at it.
Warning: Contains passionate commentary about government digital policy
The Spectacular Failure (0:00-4:00)
ProtonVPN's 1,400% UK signup surge in 48 hours
Death Stranding character defeats government AI systems
Why teenagers always win the circumvention game
Digital cavity searches for legal content access
The Authoritarian Agenda (4:00-7:00)
Pattern of moral panics from rock music to the internet
Surveillance infrastructure outlasts the panic that created it
Ministers' unprecedented power to designate "harmful" content
International platforms blocking UK users entirely
The VPN Danger Zone (7:00-10:00)
Millions of non-tech users suddenly need VPN services
How to avoid data harvesting and malware traps
Red flags in free VPN services
Recommended providers with proven track records
The Bottom Line (10:00-12:00)
Why this was never about protecting children
Essential digital literacy in the circumvention era
The only rational response to broken digital policy
Key figures:
1,400% increase in VPN signups within hours of enforcement
Over 280,000 signatures on petition to repeal the Act
6+ years from conception to failure by video game screenshots
Zero responses from some platforms to compliance requirements
Part 2 of White House CIO Insights Series | ~38 minutes
How do you implement White House-level security without White House-level budgets? Building on insights from former White House CIO Theresa Payton's interview with Scammer Payback, Noel and Mauven explore the UK's Cyber Essentials framework - translating enterprise security principles into achievable small business requirements.
The Five Cyber Essentials Controls:
Boundary Firewalls - Your digital perimeter defense
Secure Configuration - Closing manufacturer security gaps
Access Control & MFA - 90% credential attack prevention
Malware Protection - Beyond traditional antivirus
Security Update Management - Systematic patching
Key Takeaways:
Real implementation costs (£300+VAT basic certification, 2-4 weeks setup)
Business benefits: insurance discounts, government contracts, supply chain compliance
Why CE stops 80% of attacks targeting 80% of small businesses
When you need more than basic frameworks
Featured Content:
Audio clips from Theresa Payton interview courtesy of Scammer Payback Podcast
Building safety standards for cybersecurity
MFA stopping 90% of credential attacks
Systematic security thinking
Highly recommend the full Theresa Payton interview on Scammer Payback - covers nation-state threats, manipulation campaigns, deepfakes, and digital privacy. Essential cybersecurity listening.
Take Action This Week:
Start Cyber Essentials self-assessment
Enable multi-factor authentication everywhere
Audit your third-party vendor list
Resources:
NCSC Cyber Essentials Scheme: ncsc.gov.uk/cyberessentials
Self-Assessment Portal: cyberessentials.ncsc.gov.uk
Scammer Payback Podcast - Subscribe
"Manipulated" by Theresa Payton - Buy
Next Episode: Advanced Threats & AI
The final White House CIO series episode tackles threats that challenge enterprise security teams: AI-powered attacks, executive-fooling deepfakes, and psychological social engineering.
Subscribe & Review | Share with business owners who think cybersecurity requires unlimited budgets | Special thanks to Daniel and Scammer Payback team From White House situation rooms to your actual situation.
What's scarier - protecting the President or a small business in Manchester? Former White House CIO Theresa Payton says they face exactly the same sophisticated threats now.
Runtime: 36 minutes | Series: Part 1 of 3 | Hosts: Noel Bradford & Mauven MacLeod
Key Topics Covered
Nation-state targeting: North Korea (vengeful), Iran (cyber mercenaries), Russia (everything), China (supply chains)
"Verify and never trust" - Evolution from Reagan's "trust but verify" for modern threats
Island hopping attacks - Small businesses as stepping stones to larger targets
White House security principles scaled for small business budgets
Multi-factor authentication - 90% effective against credential attacks
Supply chain vulnerabilities - Every vendor is a potential attack vector
Systematic security thinking - Enterprise mindset without enterprise costs
Major Takeaways
Same threats, different resources - SMBs face enterprise-level attacks without enterprise budgets
Verification is critical - Modern threats require systematic verification of all requests
MFA is transformative - 90% attack prevention for minimal cost - no excuse not to implement
Process over products - Systematic thinking matters more than expensive technology
Asymmetric warfare reality - Defenders must succeed daily; attackers need one breakthrough
British politeness problem - Don't let politeness override security verification
Featured Audio Clips
Powerful segments from Theresa Payton's comprehensive interview courtesy of Scammer Payback podcast - essential listening for modern cybersecurity insights.
Full Featured Interview: https://www.youtube.com/watch?v=ScammerPaybackTeresaPayton
About Scammer Payback: Outstanding podcast and YouTube channel fighting cybercrime daily while educating about online threats.
Resources & Links
Theresa's Book: "Manipulated: Inside the Cyberwar to Hijack Elections"
Our Website: thesmallbusinesscybersecurityguy.co.uk for practical small business cybersecurity resources
Coming Next
Episode 9: Cyber Essentials - How UK government turned White House security principles into an achievable small business framework. Five controls addressing 80% of attacks affecting 80% of SMBs.
Episode 10: Advanced Threats - AI, deepfakes, and social engineering that challenge even security professionals.
Your Immediate Action Items
Today: Implement multi-factor authentication on ALL business accounts
This week: Create verification procedures for payment/change requests
This month: Audit vendor security practices and supply chain dependencies
Ongoing: Train staff on "verify and never trust" protocols
Connect & Support
Website: thesmallbusinesscybersecurityguy.co.uk for actionable cybersecurity resources
Subscribe & Review: Help us reach more vulnerable businesses
Share: With that business owner using "password123" wondering why systems act strangely
From White House situation rooms to your actual business situation - if it's good enough for protecting the President, it's good enough for protecting your business.
#Cybersecurity #SmallBusiness #InfoSec #WhiteHouse #NationState #MFA #SupplyChain #CyberThreats #BusinessSecurity #CyberEssentials #Podcast #UKBusiness #SecurityAwareness #CyberDefense
Copyright 2025 The Small Business Cyber Security Guy Podcast - All rights reserved.
Show Notes
Duration: 25:16
Hosts: Mauven MacLeod & Noel Bradford
Technical debt isn't just old computers - it's a ticking time bomb in every UK business. When Noel discovers his local Oxford Council data was sitting in legacy systems for 21 years, things get personal. From NHS cyber deaths to £1.4 billion breaches, this episode reveals why "if it ain't broke, don't fix it" could destroy your business.
Warning: Contains one epic Noel rant and brutal truths about preventable disasters.
Shocking Statistics Revealed
160,000 Microsoft Exchange servers still vulnerable 4 months after patch
59% of UK public sector apps contain year-old security vulnerabilities
Nearly half of £4.7 billion government IT spending just maintains aging systems
Some organizations spend 75% of IT budget on legacy system life support
Episode Highlights
"Technical debt isn't just an IT problem - it's a business survival issue"
"We're talking about digital decisions made when people were still using typewriters, and they're still causing security problems today"
"Every shortcut has consequences. Every deferred update accumulates interest"
Next Episode Preview
We hear from Former White House CIO Theresa Payton about lessons from US government digital transformation that UK small businesses can actually use.
Take Action Now:
Audit your systems - What are you actually running?
Budget 20% of IT spending for technical debt reduction
Plan Windows 10 migration - Support ends October 2025
Document everything - Future you will thank present you
Share Your Stories
Tell us about your technical debt discoveries in the comments (minus the hacker-helpful details). Have you found systems you didn't know existed?
Like, Subscribe and Follow
🎧 New episodes every Monday
🔔 Hit the follow button for notifications
⭐ Rate and review if this episode convinced you to finally address your technical debt
Next: Episode 8 - White House CIO Insights (July 21-27)
Show Guide: When Basics Break - Special Bonus Episode
Duration: 9 minutes | Type: Special Episode
Episode Summary
McDonald's password "123456" exposed 64 million job applications. M&S lost £300M to a phone call. Our full team dissects how basic security failures are destroying major brands and what small businesses must learn.
Featured Team
Noel Bradford - Lead Host
Mauven MacLeod - Ex-NCSC Specialist
Oliver Sterling - Cybersecurity Veteran
Dr. Sarah Chen - AI Security Researcher
Key Segments & Timestamps
🍟 McDonald's AI Disaster (0:00-3:00)
Paradox.ai hiring bot secured with "123456" password
IDOR vulnerability exposed all applicant data
Vendor blamed "dormant 2019 test account"
Lesson: AI features don't fix basic security
📞 M&S & Co-op Phone Scams (3:00-6:30)
£300M lost at M&S, 20M records at Co-op
Help desk reset admin passwords without verification
Attackers gave BBC interviews while inside systems
Lesson: Vendor security failures become yours
🌍 Global Security Catastrophes (6:30-9:00)
AT&T: 73M accounts leaked
Change Healthcare: $22M ransom, data still lost
23andMe: Genetic profiles exposed via credential stuffing
Key Takeaways
✅ Do The Boring Stuff:
Strong passwords + MFA everywhere
Regular patching and updates
Proper help desk procedures
✅ Vendor Due Diligence:
Ask about password policies
Implement call-back verification
If they can't answer security questions, walk away
✅ AI Reality Check:
Shiny features don't compensate for weak foundations
Basic vulnerabilities still dominate breaches
Episode Highlights
"It's the old 'move fast and break things' mindset, but now it's people's personal data on the line." - Dr. Sarah Chen
"A simple call-back to a registered number would've stopped the whole thing." - Mauven MacLeod
Immediate Actions for Small Business
Change any "123456" or "password" credentials NOW
Enable MFA on all business accounts today
Create help desk verification procedures
Audit vendor security practices
Content Notes
Real company breaches discussed. Some strong language regarding security failures. Essential listening for business owners who think "it won't happen to us."
Remember: If major corporations with unlimited budgets fail at basics, small businesses need to be even more vigilant.
#Cybersecurity #DataBreach #SmallBusiness #PasswordSecurity
Shadow IT: The Unauthorised Technology Inside Your Business
42% of business applications are unauthorised Shadow IT. Your employees have built hackers a data highway while trying to be helpful.
What You'll Learn
Detection Methods: DNS monitoring, MDM, endpoint audits, ThreatLocker solutions
GDPR Nightmare: Why Shadow IT makes data subject access requests impossible
Real Examples: 17 project management tools in one 12-person company
Management Strategies: Control without becoming a digital dictator
Immediate Actions
Audit DNS logs for unknown cloud domains
Check business credit cards for unauthorised SaaS subscriptions
Ask employees "How do you actually do this job?"
Key Statistics
65% of remote workers use non-approved tools
£80,000 potential GDPR fine for £2M turnover business
52% of enterprise SaaS apps are unsanctioned
Featured Solutions
ThreatLocker: Application allowlisting, DNS filtering, complete visibility without complexity
Expert Hosts
Noel Bradford: 40+ years experience, MSP CIO
Mauven MacLeod: Ex-NCSC cybersecurity expert
Next Episode
Technical Debt: The shortcuts strangling your business infrastructure
🔗 Subscribe for weekly cybersecurity insights
💡 Share with business owners who need this
⭐ Leave a review to help others find practical security advice
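The first immediate action above, auditing DNS logs for unknown cloud domains, is the cheapest Shadow IT discovery technique because almost every resolver can already log queries. The script below is an added worked example for these show notes, not code from the podcast or from ThreatLocker: it reads constructed resolver log lines (the line format, the sanctioned-SaaS list, the internal zone name and the client addresses are all assumptions), collapses hostnames to their registrable domain, drops anything sanctioned or internal, and reports the remaining domains ordered by how many distinct internal clients are talking to them, which is the signal that separates one person trialling a tool from a team that has quietly adopted it.

```python
"""Audit a DNS query log for cloud/SaaS domains that are not on the
sanctioned list, grouped by how many internal clients use them. Added
illustration for the "audit DNS logs for unknown cloud domains" action; the
log format, sanctioned list, internal zone and sample lines are constructed
assumptions, not taken from any product or resolver."""
import re
from collections import defaultdict

# Assumed sanctioned SaaS (registrable domains) and an assumed internal zone.
SANCTIONED = {
    "microsoft.com", "microsoftonline.com", "office.com", "office365.com",
    "sharepoint.com", "google.com", "googleapis.com",
}
INTERNAL_SUFFIX = ".corp.example"

# Registrable-domain approximation: two-label public suffixes we care about.
# (A full public suffix list is better in production; this keeps it offline.)
TWO_LABEL_SUFFIXES = {"co.uk", "org.uk", "ac.uk", "gov.uk", "com.au"}

# Constructed sample resolver log, plus one malformed line to show it is skipped.
SAMPLE_DNS_LOG = [
    "2025-06-02T09:01:05Z client=10.0.0.14 query=outlook.office.com type=A",
    "2025-06-02T09:03:12Z client=10.0.0.14 query=api.trello.com type=A",
    "2025-06-02T09:05:44Z client=10.0.0.21 query=trello.com type=A",
    "2025-06-02T09:07:01Z client=10.0.0.21 query=app.notion.so type=A",
    "2025-06-02T09:09:30Z client=10.0.0.33 query=fileserver.corp.example type=A",
    "2025-06-02T09:10:15Z client=10.0.0.33 query=login.microsoftonline.com type=A",
    "2025-06-02T09:12:00Z client=10.0.0.14 query=chat.openai.com type=A",
    "this line is garbage and must be skipped",
]

LINE_RE = re.compile(r"client=(?P<client>\S+)\s+query=(?P<query>\S+)")


def registrable_domain(name):
    """Reduce a hostname to the domain someone actually registered."""
    labels = name.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in TWO_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def audit_dns(lines, sanctioned=SANCTIONED):
    """Return unsanctioned external domains, most widely used first.
    Each entry: {"domain", "clients": sorted client IPs, "queries": count}."""
    clients = defaultdict(set)
    queries = defaultdict(int)
    for line in lines:
        m = LINE_RE.search(line)
        if not m:
            continue  # malformed line: skip rather than abort the audit
        query = m.group("query").lower().rstrip(".")
        if query.endswith(INTERNAL_SUFFIX) or "." not in query:
            continue  # internal zone or bare hostname, not a cloud service
        domain = registrable_domain(query)
        if domain in sanctioned:
            continue
        clients[domain].add(m.group("client"))
        queries[domain] += 1
    report = [
        {"domain": d, "clients": sorted(clients[d]), "queries": queries[d]}
        for d in clients
    ]
    # Breadth of adoption first, then volume, then name for stable output.
    report.sort(key=lambda r: (-len(r["clients"]), -r["queries"], r["domain"]))
    return report


if __name__ == "__main__":
    for r in audit_dns(SAMPLE_DNS_LOG):
        print(f"{r['domain']:<16} {len(r['clients'])} client(s) "
              f"{r['queries']} queries  {', '.join(r['clients'])}")
```

On the sample data trello.com surfaces first because two different clients are using it, while notion.so and openai.com each show a single user. Once a tool is approved, add its registrable domain to the sanctioned set and it drops out of the next run; what remains is your candidate list for the "how do you actually do this job?" conversation, and for the GDPR data-mapping exercise the episode describes.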
What if hackers are already inside your business... and you invited them in? 63% of data breaches involve third-party vendors. Your payment processor, cloud storage, email provider - any could be the backdoor that destroys your business overnight.
WHAT YOU'LL LEARN:
Why small businesses are sitting ducks for supply chain attacks
SolarWinds, Kaseya & Log4Shell disaster breakdowns
Vendor vetting checklist that actually works
Cloud dependency risks & escape strategies
When software updates become malware delivery
Your bulletproof defense framework
KEY STATS:
63% of breaches involve third-party vendors
Average business uses 50+ third-party services
18,000+ orgs received the trojanised SolarWinds update
£50M ransom demanded in the Kaseya attack
THE ENVELOPE CHALLENGE: Listen to Mauven tackle supply chain security with ZERO prep time. Real expertise, genuine reactions, practical solutions.
YOUR ACTION PLAN:
This Week: Create vendor inventory
This Month: Assess vendor risks
Next Quarter: Implement monitoring
NEXT EPISODE: Shadow IT: 42% of business apps are unauthorized. Discover the parallel IT infrastructure hiding in your business.
CONNECT: Subscribe, review, share your vendor horror stories!
Hosts: Noel Bradford (CIO) & Mauven MacLeod (Ex-NCSC)
Sources: NCSC, NIST, industry reports
Duration: ~45 minutes
Five days ago, it was Israel versus Iran. Over the weekend, American B-2 bombers dropped 14 bunker-busters on Iranian nuclear facilities. Today, your small business became a target in a war you're not even fighting. If you run a UK business that depends on American tech services - and almost certainly yours does, with Microsoft 365 and Google Drive being just two examples - this fifteen-minute briefing could save you from digital destruction.
Noel and Mauven explain why passwords are failing us, how bad habits put us at risk, and what small businesses can do about it today. From password overload to the rise of passkeys, this episode is your practical guide to ditching old security mistakes for good.
This episode unpacks the global impact of Patch Tuesday, its evolution, and the chaos it tamed in cybersecurity. Noel and Mauven explore why patch management matters now more than ever and how attackers are always just one step behind—or sometimes ahead. Real stories and practical insights make sense of updates that affect every device in your business.
This episode exposes why cyber certifications like ISO27001 and SOC 2 don’t guarantee real security. We break down the difference between frameworks and show how neglecting basic controls leaves even big brands open to attack.
Iranian cyber attackers aren't just hacking; they're outsmarting and outmanoeuvring defences through psychological cunning. Noel and Mauven break down the real methods behind the headlines, exposing how these groups trick even the savviest users and why old-school security training just isn't enough anymore.