I’m Graham Falkner and in this edition of the Small Business Cyber Security Guy I walk you into the trenches of May 2026’s update cycle — the numbers, the new role AI is playing in vulnerability hunting, and the four bugs you can’t ignore. I tell the story of how an unpatched domain controller can become the pivot point for a full-blown takeover (think Zero Logon’s ghost), why every Windows endpoint’s DNS client suddenly matters again, and how an Atlassian single sign‑on plugin could let an attacker impersonate any user. These aren’t abstract CVEs on a spreadsheet; they’re concrete threats with reachable fixes.

You’ll hear exactly what to do, in the order to do it: find and patch on‑prem domain controllers in the next 48 hours (NetLogon — CVE‑2026‑41089, KBs by Windows Server version), push a small test ring for endpoint updates and watch for BitLocker recovery prompts (CVE‑2026‑41096), and treat on‑prem Dynamics 365 and Atlassian SSO as high‑priority if you run them locally. I give the KB numbers, realistic time estimates — an hour per domain controller — and a no‑hype deployment schedule that keeps your business running while you secure it.

The narrative also walks through an operational snag that will catch teams off guard: some devices may prompt for a BitLocker recovery key after reboot. I explain the three pre‑deployment checks to prevent a CEO‑level outage (adjust a TPM group policy, verify where recovery keys live, and reapply baselines later), and why you should demand a plan from your MSP before they push updates.

Along the way I bust headlines that distract — the CVE‑2026‑42826 “Perfect 10” in Azure DevOps is already mitigated by Microsoft, so there’s no customer action — and remind you that other vendors patched too: Adobe, SAP, AMD, Apple. Patch week is not a one‑vendor event.

By the end of the episode you’ll have a simple, prioritized checklist you can act on this week: identify DCs and patch them now, test endpoints tomorrow, roll out by week’s end, and verify Atlassian plugins separately. This is a story about practical choices under pressure — stop chasing every headline and start fixing what can actually hurt your business.

They walk you through a story many business owners will recognise — a colourful LinkedIn pitch that sells confidence and hides compromises. The cheap provider isn’t performing miracles; they’re quietly cutting controls: enforced MFA, disciplined patching, active monitoring, behaviour-based endpoint defence, security training, incident response and documented processes. Those missing pieces turn an attractive short-term saving into a long-term gamble.

Noel and Mauven do the arithmetic and show you the cold UK data: the DCIT survey found 43% of UK businesses suffered an incident in 2024, phishing hit 85% and even a 1% ransomware prevalence still means roughly 19,000 organisations were devastated. The average materially costly breach ran to about £8,260 in 2025 — already eclipsing that supposed annual IT saving — and real-world downtime, lost orders and reputational damage can push costs far higher.

They then lift the curtain on what a security-first MSP actually spends on the plumbing: remote monitoring, EDR, DNS filtering, email protection, application control, backups, SOC monitoring, documentation and professional tooling. Strip it down honestly and the true cost lands well above fantasy bargains — industry reality makes anything under roughly £50 per user per month alarming, and in London nearer £75.

Cyber insurance isn’t a free pass. Uptake has risen, but so have denials: missing MFA, poor patch evidence, misrepresented controls and late reporting regularly void claims. Insurers now demand proof — logs, timestamps and documented processes — and bargain providers rarely collect or produce that evidence. The result: a denied claim when you most need a payout.

Ransomware is the horror story that pulls everything together. Usually seeded through phishing and unpatched systems, ransom incidents produce recovery costs that dwarf the payment demand. Noel and Mova explain why the ransom is only the opening act — downtime, forensics, legal costs, client fallout and reconstruction push many small firms to the brink.

Regulators make the stakes worse. ICO fines and tougher technical expectations mean that skimping on controls isn’t just reckless, it can be an aggravating factor in enforcement. The cheapest IT quote won’t be an excuse in front of a regulator or in the aftermath of a client data breach.

The episode ends with practical, plain-English advice: seven questions every business should ask their provider about certification, enforced MFA, patching, EDR, proactive monitoring, incident response and insurance compliance. The message is simple — don’t buy the smallest number on a spreadsheet without understanding what you’ve agreed to carry. Spend wisely, not blindly.

On 5 May 2026, Germany's .de domain vanished from the internet for three hours. Amazon.de, Deutsche Bahn, Spiegel, DHL, major banks: all unreachable. Not hacked. Not ransomwared. One broken cryptographic record from the registry that manages 17.9 million domains.

The servers were perfectly healthy. Nobody could find them.

Corrine Jefferson and Graham Falkner break down what went wrong, why your business has the exact same invisible dependency, and what to do about it.

Read the full analysis: How a Broken DNSSEC Signature Knocked Out .de Sites

In this Hot Take, Noel breaks down why this is not an "AI is evil" story. It is a consent story. A governance story. And a vendor entitlement story that every UK small business needs to take seriously.

• Why a 4 GB background download is not a minor browser update
• What Google's own developer documentation confirms about model lifecycle management, background downloads, and full model updates
• Why "it was in the documentation" is not consent
• The governance mess this creates for managed business devices
• PECR and the ICO's guidance on storage and access technologies
• The environmental cost at Chrome scale (67.97% worldwide browser share)
• Why AI Mode in Chrome and on-device Gemini Nano are not the same thing, and why the confusion matters
• The embarrassingly simple fix Google has not implemented
• What UK small businesses should actually do about it right now

"We have somehow built frontier AI and still can't manage the radical engineering challenge of a bloody consent prompt."

The full article includes the complete source documentation, PECR regulatory detail, competitive advantage strategies, board-level talking points, and a step-by-step action list for UK small businesses.

Read the full article on the blog

All 14 primary sources, including Google's own developer documentation, ICO PECR guidance, and StatCounter market share data, are cited in the full blog post.

Full source table in the article

The numbers feel like a betrayal: risk assessments fell from 48% to 41%, formal cybersecurity policies from 59% to 52%, and business continuity plans covering cyber plunged from 53% to 44% — nine points lost in a year. Those figures land harder when you remember that 43% of businesses still reported a breach or attack in the last 12 months. This is not rare misfortune; it’s roughly 612,000 organisations experiencing harm, often more than once — the median victim suffered three crimes in a year.

What explains the gap between knowing and doing? The episode frames it as a human story of overload, inertia and the tilt of daily fires over preventative work. Small-business owners juggle payroll, inventory and phone calls; cyber becomes a preventative chore that slides down the to-do list until a miserable Tuesday forces theatre rather than true repair. Awareness rose because the news was loud; conversion into diaries, policies and tested routines didn’t.

Phishing is still the thief in the night: 69% of the most disruptive incidents, and for 51% of breached businesses phishing alone was the culprit. The old advice — spot the typos, spot the scam — is breaking down as AI writes believable bait. The human being is no longer the reliable last line. So the fight shifts to identity: two-factor authentication and other account protections stop one mistake becoming total catastrophe. Progress exists — MFA adoption climbed from 40% to 47% — but more than half of firms remain exposed.

The survey throws up other startling blindspots: 22% of the most senior people responsible for cyber didn’t know if their organisation had cyber insurance; only 15% formally review immediate suppliers and a tiny 6% review the wider supply chain; 31% of businesses are using or considering AI but only 24% of those have any controls in place. These are not theoretical gaps — they are the plumbing and the paperwork that determine whether a single clicked link turns into a multi-week catastrophe.

We refuse to finish on gloom. The episode turns evidence into a razor-sharp, do-able checklist you can act on this week. Five prioritised moves: turn on MFA everywhere that matters; get your cyber insurance confirmed in writing and save the policy where two people can find it; write a one-page breach list with names and first actions; institute three simple AI rules (don’t paste customer data into public tools, don’t feed contracts or financials into unknown models, and always human-check AI outputs before sending); and review the three suppliers who can touch your systems or customer data.

There’s also practical advice on when to DIY and when to pay. If you’re tiny and organised, you can implement the basics yourself. If your Microsoft tenancy, sensitive customer data, or backups are beyond your comfort, pay for competence — spend where mistakes are expensive. The point of each suggestion is the same: decisions, dated and tested, beat good intentions left on the sofa.

By the episode’s close Noel, Mauven, Lucy and Graham press the same ask: turn concern into calendar time. Pick one thing this week — MFA, insurance confirmation, a breach list, supplier questions or simple AI rules — and do it. These are small, affordable, and powerful first steps. The survey’s verdict is harsh but useful: the fixes are often obvious. The hard part is choosing to stop drifting.

Listen for the stories, the statistics and the practical push to act. If this episode rattles you, let it. Drift kills small firms. One decision, one scheduled action, can change the story from a miserable Tuesday to a business that survives the next headline.

In this episode, Noel Bradford is joined by Maurven and Graham, who attended Cyber UK 2026, to unpack what was said, what was left unsaid, and what it means for the small businesses quietly sitting inside UK supply chains.

The scale of the threat is no longer theoretical. Nationally significant cyber incidents are rising sharply. A single breach at Jaguar Land Rover reportedly cost nearly £2 billion across its supplier network. Nation state actors and ruthless criminal gangs are attacking faster, harder, and with greater precision. The old excuse of “we are too small to be targeted” is now dangerously out of date.

Noel, Maurven, and Graham break down the numbers, the reaction in the Glasgow conference hall, and the blunt reality behind the headlines. Government pledges may change the landscape, but they will not protect your business unless you act.

The episode also examines the government’s voluntary Cyber Resilience Pledge and why it matters. The most important part may be the supply chain effect. Large organisations that sign the pledge could start expecting their suppliers to hold Cyber Essentials certification. That may make Cyber Essentials a practical requirement for winning and keeping business, even if it is not yet written into law.

The team also explains why the £90 million funding commitment matters, but why small firms should not expect a sudden cash windfall. The immediate pressure will come from reputation, procurement, and customer expectations, not regulation.

There is also a reality check on AI. Powerful new models can now find deep, old vulnerabilities in hours. That gives attackers more speed and scale. But for most small businesses, the answer is not a six figure AI security platform. It is getting the basics right, faster.

Patch properly. Check whether your IT provider is ready for machine speed attacks. Start Cyber Essentials. Review AI use inside your business. Sign up to NCSC Early Warning.

By the end of the episode, you will have five practical, low cost actions you can take this week to move from passive hope to active defence.

If your business relies on larger customers, this episode gives you the timeline, the threat picture, and the checklist you need before the next procurement email lands.

For full show notes etc: see https://thesmallbusinesscybersecurityguy.co.uk/blog/patch-tuesday-april-2026-sharepoint-zero-day-uk-smb/

We pull the curtain back on how attackers pick the quietest path: mailbox rules that hide replies, forgotten connectors that bypass protections, OAuth prompts that invite parasites in, and session tokens that act like stolen wristbands. We show how MFA, while invaluable, is only one plank in a creaky bridge — and how adversary‑in‑the‑middle phishing, device‑code tricks, and consent abuse let threat actors walk straight across it.

Through vivid examples — a supplier invoice quietly altered, a payroll request that arrives at just the wrong time, an attacker living in a thread already trusted by your staff — the episode explains why ordinary-looking messages are the most lethal. We interview the patterns, the tiny settings that become permanent vulnerabilities, and the human moments where haste replaces verification. The drama is mundane; the impact is not.

We also look at the shiny things: Copilot and other productivity tools that can amplify both good work and a breach. If your permissions are messy, Copilot becomes a supercharged searchlight for attackers. If your tenant is tidy, it’s a time-saver. The story shows how the same feature can be helpful or harmful depending on the housekeeping behind it.

Finally, we turn tension into action with a clear, practical plan: check DMARC, hunt for forwarding rules, revoke suspicious app consents, remove unnecessary admins, and insist on a second verification channel for any money-moving requests. The episode closes with a simple promise — you do not need a fortress on a sandwich budget, you need fewer stupid gaps, better checks, and a bit more suspicion. Listen to this as a warning, a how‑to, and a Monday‑morning checklist for making your business noisier to attackers and faster to respond when things go wrong.

We tell the story through the eyes of small business owners — the manufacturer in Leeds, the dental practice in Cardiff — who thought they had done the right thing. You hear the panic calls, the blame-shifting over who completed the proposal form, and the slow, meticulous forensic process that turns your answers into evidence. This is not a lecture; it's a play-by-play of how a policy transforms from protection into an argument when paperwork and proof diverge.

Along the way we unpack the legal scaffolding that makes insurers act this way: the Insurance Act 2015 and the duty of fair presentation, the three flavours of misrepresentation (innocent, negligent, reckless), and why a single "yes" about multi-factor authentication can become Exhibit A in a claim dispute. We bring to life the tension between good intentions and hard evidence, and why the regulator expects a real connection between the breach and any policy condition.

We get technical without losing the plot. MFA becomes the episode's poster child; backups, patching, supported software and default admin accounts follow. You hear real examples of partial deployments, legacy carve-outs, and the kind of sloppy patching that turns an insurer's willingness to pay into a months-long negotiation. We explain how forensic teams reconstruct your environment and why the proposal form is no longer just a quote-getter — it's the baseline against which you will be judged.

Then we raise the stakes: Lloyd's model clauses and the state-backed cyber exclusion that can turn collateral damage from a global campaign into a denied claim. Attribution is messy, the wording can be sweeping, and even a small business can find itself arguing with the market if a headline-grabbing attack drags them into a wider campaign.

But this is a practical show as much as a cautionary tale. We hand you a pre-breach checklist you can act on this week: pull your proposal and policy, run a line-by-line reality check, harden MFA, tidy backups and patching, document tests and keep the proof. We explain what to do in the first 24–72 hours of a live incident — contain, preserve evidence, call the insurer or hotline, avoid freelance ransom payments, and keep a simple incident log that becomes priceless later.

By the time we close, you'll understand the ugly truth and the hopeful fix: cyber insurance can save your business, but only if you treat it as a living contract that matches the reality of your IT. This episode is a roadmap and a warning: prepare a little now, keep the evidence, ask awkward questions about your insurance, and you hugely increase the chance you get the support you paid for when it matters most.

Through real-world stories (from cafes and dental practices to corner shops and manufacturers) the hosts show how ‘still turns on’ is not the same as ‘still secure’. End-of-life and end-of-support dates are the invisible expiry stickers businesses ignore at their peril: when security updates stop, so does your defence. Graeme lays out pragmatic steps for a no-nonsense tech audit — list devices, note what they do, check support windows, then slap “used by” or “best before” labels on the kit that matters. For anything internet-facing, handling payments, or storing sensitive data, the rule is simple: if it’s out of support, replace it. For unavoidable legacy kit, segment it, lock it down, and plan its retirement.

Practical, urgent and often funny, this episode is a wake-up call for anyone running a small business: don’t let your tech go off the rails just because the lights still come on. Follow the simple 30-minute ‘milk check’ homework, colour-code your inventory by risk, and commit to one concrete fix this month — whether that’s replacing a router, budgeting for a refresh, or scheduling an audit. Share the episode with that friend still running a mystery Windows box. Your customers — and the regulator — will thank you.

We tell the story through small, human scenes: Davina from IT documenting a firewall hole and being ignored; a busy owner insisting the dashboards look fine; staff pasting customer notes into an AI co‑pilot because it saves time. Those moments feel ordinary, even sensible. But together they create an irresistible path for attackers — unpatched servers, excessive permissions, reused credentials, and shadow SaaS tools that no one thought to approve. The breach that looks sophisticated in a post‑incident writeup often starts with a password used in the wrong place, or a medium finding waved away until it can be chained with others.

We push back against comforting myths: that a tool equals a process, that your business is too unique to be targeted, or that a theoretical finding can safely wait. Instead, we reframe humility as a security control — a practical habit of updating your view when evidence changes, surfacing awkward truths quickly, and learning without scapegoating. Psychological safety isn’t a workshop buzzword here; it’s the difference between catching a problem early and making headlines.

The episode then moves into practical, bite‑size remedies you can use this week. Start by asking: what have we delayed because it’s inconvenient? who has more access than they need? what unsanctioned tools or AI are people using? and where do people raise concerns, and what happens when they do? Make a stop‑doing list: pick one convenience‑led risk and fix or formalize it. Give staff a boring, reliable route to flag risks — a 10‑minute slot in an ops call, a simple shared list, or a no‑blame MSP review — and reward the person who brings bad news early.

We finish with a quiet but powerful leadership practice: say out loud, “I might be wrong.” That sentence flips the dynamic. It turns performative certainty into honest curiosity, shrinks blast radius by encouraging early action, and makes resilience a habit rather than a purchase order. No giant security teams required — just cleaner permissions, timely patches, governed AI use, and the grit to listen when someone like Davina says, calmly, that something is off.

By the end of the episode the mood is hopeful. The hosts have had their Prosecco, given practical checklists, and reminded listeners that strong organizations don’t sound the most certain — they admit uncertainty early, correct course quickly, and make space for truth before convenience becomes a liability.

In this episode, Noel Bradford, Mauven MacLeod and Graham Falkner dig into SMB 1001, a five tier cyber security standard aimed at small and medium sized businesses. They break down what the bronze, silver, gold, platinum and diamond levels actually mean, where the framework came from, and whether it has any real value for UK firms.

The team also looks at how SMB 1001 compares with Cyber Essentials, Cyber Essentials Plus, IASME Cyber Assurance and ISO 27001. More importantly, they ask the question many business owners should be asking already. Do you need another logo for the website, or do you need security controls that actually work?

Expect plain English, practical analysis, and a healthy level of scepticism about cyber theatre, vanity certifications and providers who still cannot get clients to the basics.

• What SMB 1001 is and who it is for

• How the five certification levels work

• Why it is not a replacement for Cyber Essentials in the UK

• Where it aligns with good practice and where it does not

• Which level is realistic for most UK SMEs

• Why good security matters more than collecting badges

If you run a UK small business, buy IT support, fill in supplier questionnaires, or keep hearing about standards and certifications, this episode will help you cut through the noise. What should you actually focus on first? And what is just expensive reassurance dressed up as strategy?

We trace the real playbook attackers follow: step one, land as an ordinary user; step two, chain an Elevation of Privilege. This month Microsoft shipped six EOP fixes — graphics, kernel twice, accessibility, SMB, and WinLogon — and slapped them with "exploitation more likely." In plain English, these are the exact plumbing pieces an intruder needs to turn a compromised laptop or RDS session into full environment control. You’ll hear why delaying the patch is an active, informed choice to leave those doors open.

Then the narrative sharpens into a thriller: Copilot in Excel. A critical CVE that reads like a very small script with an outsized punch — a near‑zero‑click XSS‑style flaw that can make Copilot agent mode obediently hand over internal secrets. Picture your finance lead or CEO, spreadsheets and Copilot live, and a crafted workbook quietly acting as an insider. No macros, no drama — just a nudge that sends data where it shouldn’t. The episode makes the risk vivid and personal, not academic.

We also unpack two more critical Office RCEs via the preview pane — the sort of everyday behavior (previewing mail, browsing SharePoint) that real people do all day. Microsoft says exploitation is less likely, but only if you’re patched. The episode forces you to confront the gap between marketing calm and the real-world tradeoffs IT teams make when budgets and reboot windows collide with executive convenience.

Finally, the show gives you a short, brutal checklist — what to do this week if you run a small business or juggle multiple clients: verify actual build numbers, identify who has Copilot agent mode, sanity‑check DLP and egress for AI tools, and roll in third‑party updates like Acrobat alongside Office and Windows. It’s not a six‑month project; it’s triage and discipline. The narration is urgent but practical, a call to action delivered with the weary authority of someone who’s patched one too many servers at 2 a.m.

Tune in for a tight, no‑fluff ride through what looks quiet on the surface but is dangerously loud under it — because the difference between a quiet month and a disaster is how long you choose to stay vulnerable. Hit the blog for scripts, guides, and the deeper dive promised at the end of the episode.

Join Graham Falkner, Noel Bradford and our resident translator of tech, Lucy Harper as they pull apart the new Cyber Essentials changes and stitch the pieces back together into something a small business can actually use.

We start with the simple truth: the requirements document (V3.2, V3.3 and whatever comes next) is the standard you must meet, and the Willow and Danzel question sets are the forms you fill in when you buy certification. Get the wrong combination, or try to recycle last year’s answers, and assessors will fail you — quietly at first, then painfully when a tender or a claim comes along.

From there we map the conflict: scope, cloud and asset management. V3.3 pulls the rug on the old ‘that’s someone else’s problem’ attitude — cloud services, BYOD devices that touch organisational data, and remote workers are in the frame. If your asset list is a half-dead spreadsheet and some post-it notes, you cannot honestly answer whether you are compliant. The drama here is avoidable, but only if you stop pretending the messy bits aren’t part of your estate.

We decode the five controls — firewalls, secure configuration, security update management, user access control and malware protection — and translate them into Monday-morning tasks: lock down admin interfaces, remove default accounts, document inbound firewall rules, treat vendor configuration changes as security fixes, and make sure anti-malware actually blocks things rather than sitting in the tray.

Authentication gets a starring role. V3.3 clarifies passwordless (hello FIDO2 and passkeys) and treats modern approaches as valid multi-factor methods. SMS is grudgingly still acceptable, but it’s the floor, not the ceiling. If your tenant runs on Microsoft 365 or Google Workspace, we give concrete examples of what ‘good enough’ looks like for normal users and admins.

We don’t stop at problems — we hand you a plan. Nail your scope and inventory; map assets to the five controls; enable MFA everywhere; clean up admin accounts; ensure critical vendor fixes are applied within the 14‑day window; and prepare evidence in a spreadsheet before you pay for the portal. Treat certification as a living process, not a sticker you won once.

For the procrastinators, we lay out a rapid action plan: days 1–10 define scope and update your asset list; days 11–30 enable MFA, tidy accounts and prove you can hit 14‑day patches; days 31–60 tighten firewall rules, confirm anti-malware and run a dry self-assessment against Willow or Danzel depending on your purchase date.

This episode is equal parts wake-up call and field guide — built for business owners who don’t have a security department but do have customers, contracts and reputations to protect. Listen for the practical checklist, the red flags that bite in tenders and post-breach enquiries, and the honest reassurance that Cyber Essentials will help you — if you stop gaming the edges and start being truthful about what you actually run.

By the end you’ll either feel the pressure to act or you’ll be able to explain your scope in 30 seconds. Either way, we give you the first steps: patch your systems, turn on MFA, and stop pretending the cloud is somebody else’s problem.

Grounded in Palo Alto Networks Unit 42's Global Incident Response Report 2026, our conversation is built on more than 750 serious, real-world investigations from October 2024 to September 2025. Not theory. Not vendor marketing. Actual cases. The numbers are stark: identity weaknesses featured in nearly 90% of incidents, and 65% of all initial access was identity-driven.

We start by setting the scene: your people live in the browser. Outlook, payroll, Teams, your CRM, and a pile of SaaS tools. That ordinary click is the battleground. Attackers buy credentials, harvest session tokens, and exploit OAuth grants. Once they have a valid login, they blend into normal traffic and move silently. Corrine brings these statistics to life with vivid examples of reused passwords, push-MFA fatigue, shared admin accounts, and contractors who still have permanent access three years after leaving.

The stakes are immediate. Unit 42 found that the fastest quarter of intrusions reached data theft in just 72 minutes, down from 285 minutes the previous year. A simulated AI-assisted attack did it in 25 minutes. That means from one careless click to your customer data being packaged for extortion can happen faster than a cup of tea.

This episode guides you away from romantic myths about firewalls and sophisticated exploits and toward the uncomfortable truth: most breaches are enabled by preventable exposure and excessive identity trust.

We walk through the failure modes that make small businesses attractive targets: recycled passwords, MFA that's easy to social-engineer, standing global admin accounts, and forgotten integrations that act like zombie doors. Corrine explains why these aren't technical puzzles for nation-states. They are human, operational, and fixable. She also lays out how attackers exploit browser-based OAuth flows and session cookies to live off long-lived access without ever triggering an alert.

This is not just a lecture. It is a plan.

If you do one thing this quarter, make it identity. If you do one thing this week, do these three: deploy phishing-resistant MFA for admins and finance roles; remove or disable all ex-employee and contractor accounts across Microsoft 365, your VPN, and remote support tools; and cut standing admin rights while shortening session lifetimes on sensitive applications.

By the end of the episode you will see the difference between spending on another perimeter box and actually locking the doors that matter. This is a call to action for small businesses: stop hoping you will not be targeted and start hardening the identities attackers are already using.

What: FIDO2 hardware security keys or passkeys. Not SMS codes. Not basic push notifications.

Where to start: Administrators, finance roles, and anyone with access to sensitive data or privileged systems.

Why it matters: Standard push-based MFA is vulnerable to adversary-in-the-middle attacks and push-bombing. FIDO2 provides phishing resistance, guessing resistance, and theft resistance.

NCSC guidance: FIDO2 is recommended by the NCSC as the strongest available MFA type for UK organisations. Hardware options include Authentrend, Keys, Platform options include Windows Hello for Business and Apple Touch ID.

What to audit and disable:

• All accounts belonging to former employees
• All accounts belonging to former contractors
• Unused service accounts
• Dormant OAuth integrations and app permissions

Where to look: Microsoft 365 Admin Centre, your VPN gateway, remote support tools, and any SaaS platform connected to your business.

Why it matters: Unit 42 found that 99% of 680,000 cloud identities had excessive permissions, many unused for 60 days or more. Each one is an unlocked back door.

How to find OAuth zombies: In Microsoft 365, go to Azure Active Directory > Enterprise Applications > All Applications. Sort by last sign-in date. Revoke anything unrecognised or unused.

What: Move from permanent administrator accounts to just-in-time (JIT) privilege elevation.

How:

• Remove persistent administrator role grants
• Require time-bound elevation through Microsoft Entra Privileged Identity Management or equivalent
• Shorten session lifetimes on sensitive applications
• Enable strong logging on all privilege escalation events

Why it matters: A compromised account with no standing privileges yields nothing. JIT elevation changes the attacker's calculation from "I have the keys" to "I have nothing."

#CyberSecurity #SmallBusinessSecurity #IdentitySecurity #MFA #FIDO2 #Passkeys #UKBusiness #CyberEssentials #CyberSecurityPodcast #SecurityAwareness #TechPodcast #NoBS #SmallBizTech #CyberResilience #DirectorAccountability #BusinessRisk #DataProtection #GDPR #ZeroTrust #CloudSecurity #SaaSSecurity #IncidentResponse #ThreatIntelligence #IdentityManagement #SessionSecurity #Unit42 #PaloAltoNetworks #NCSC #CyberAware #UKCyber

This podcast provides general cybersecurity guidance based on publicly available research and industry best practices. It is not a substitute for professional security assessment or legal advice. Organisations should consult qualified security professionals and legal counsel to address their specific circumstances and regulatory requirements.

All statistics cited from the Unit 42 Global Incident Response Report 2026, published by Palo Alto Networks, covering incident response engagements between 1 October 2024 and 30 September 2025. NCSC guidance referenced is published by the UK National Cyber Security Centre. All URLs verified at time of publication.

We set the scene as a crime thriller: silent malware skimming payment data across 5,390 tills for nine months, basic security absent where it mattered most, and a regulator reaching for the only enforcement tool it had under an older statute. Then the plot thickens. DSG fights back, tribunals slice and dice the ICO’s case, and years of appeals stretch this into a slow-motion moral fable about who the system really protects.

But this isn’t just legal theatre — it’s human fallout. We follow the people on the receiving end: anxious customers, stalled group claims, and a lone litigant whose attempt at compensation is bounced between courts and stays. By the time the Court of Appeal finally says the obvious — a retailer that can link card numbers to people must treat them as personal data — most victims are already out of time to sue. The episode shows how the machinery of justice can leave ordinary people stranded.

Alongside the outrage, we pull apart the courtroom arguments that nearly let a multinational off the hook: the dangerous idea of judging identifiability from a hacker’s viewpoint, and the peril of treating data fragments as harmless. The Court of Appeal’s eventual clarity is legally important, but the delay exposes a chilling truth — if you’ve got deep pockets, you can litigate and wait out consequences while victims go uncompensated.

This is also a playbook episode for anyone who runs a small or mid-sized business. We translate the Court of Appeal’s ruling into a simple controller’s-eye test you can run on Monday morning: if you, as the organisation, can link data to a person, it’s personal and worth protecting. From that test we give concrete, low-cost actions: map your data, cut unnecessary access, name who watches your logs, patch and MFA the essentials, and keep a one-page accountability pack that proves you took reasonable steps.

We don’t just point fingers — we hand you a route out. The Currys' saga becomes the cautionary tale that makes the normal business case for basics suddenly urgent: monitoring that notices intrusions, access reviews that kill zombie accounts, and documentation that shows you’re not winging it. Do these things and you move from case study risk to trusted steward of customer data.

Finally, the episode is a story of how law, business and people collide — a vivid reminder that prevention matters more than litigation, and that the protections for customers are only as strong as the choices organisations make before the breach. Tune in to feel the outrage, understand the legal twists, and walk away with practical steps to stop your business from becoming headline fodder nine years from now.

We meet the players: Noel Bradford, the Small Business Cybersecurity Guy, who’s spent four decades turning tape backups into survival tactics; Corinne Jefferson, an ex-US intelligence officer who refuses to say “told you so”; Mauven MacLeod, the ex-UK government cyber analyst with biscuits and sarcasm; and Graham Falkner, whose voice narrates the creeping, bureaucratic apocalypse with unnerving charm. Together they pull the camera tight on Palantir — a firm born with CIA-connected funding, hardened in intelligence use, repackaged for civilian life — and show how its DNA matters for everyone from governments to your local charity.

The episode walks you through the high-stakes decisions: Switzerland’s 2024 risk assessment that warned data could be reached by American authorities and that leaks from Palantir are architecturally unavoidable; the UK’s contrasting embrace of the same tools across NHS, the MOD and border planning; and how this divergence should set off alarms for every organization that has leaned on US SaaS as neutral plumbing.

We translate the legal jargon into a human story. Think of the Cloud Act like an American landlord who can be ordered to open a warehouse — even if your files are stored in London. Encryption doesn’t save you unless you control the keys. UK and EU data rules complicate the picture but don’t yet provide a clean escape. That legal murk leaves businesses and charities sitting on unquantified exposures — not because they’re spies, but because convenience and market share created choke points that politics or courts can exploit.

This isn’t fearmongering; it’s a practical wake-up call. Noel guides you through what to do next: a simple Cloud Act exposure audit, naming your crown-jewel data, and deciding which systems deserve extra protection or customer-managed keys. The episode offers concrete, manageable steps — split sensitive fields, demand clear vendor answers, build exit plans — so your small firm isn’t left exposed if geopolitics changes the rules.

By the end you’ll see the world differently: your email and CRM aren’t just tools, they’re legal and geopolitical choices. The narrative closes on an urgent but solvable note — map your dependencies, protect what matters, and start asking the awkward questions. The story lands as both a warning and a roadmap: serious, fixable, and essential for anyone who cares where their data really lives.

Topics covered include clear definitions (APT, UNC), the distinction between edge devices and endpoints, why firewalls and VPN appliances are attractive, under-monitored targets, and why EDR often misses the real entry points. They discuss documented campaigns (UNC-3886, UNC-5221/Brickstorm) and how multiple zero-day exploits against edge vendors have been used to gain long-term access and persistence.

The episode also examines other nation-state tradecraft: Russian actors targeting messaging apps and device-linking features, North Korean operatives obtaining remote jobs inside companies, and sophisticated recruitment-themed phishing using AI-generated reconnaissance. Maurven and Dr Jefferson highlight how attackers map supply chains professionally — meaning you can be a target even if you don’t self-identify as a defence contractor — and how ransomware and dual-use manufacturing create huge blast radii that can stop production and bankrupt small firms.

Most importantly, the hosts give a pragmatic, non-bankrupting 90-day plan for SMEs: an immediate “Edge Reality Check” to interrogate MSP visibility on VPNs/firewalls, a short-term segmentation win to reduce blast radius, and phased rollout of phishing-resistant MFA for key admin and finance accounts. They offer exact questions to ask your MSP, the metrics and controls procurement teams will soon demand, and how to frame the business case to your board.

Listeners should expect a mix of blunt intel, real-world examples, and actionable next steps to reduce risk without breaking the bank — plus a call to assume compromise, improve edge monitoring, and stop treating VPNs as magic shields. Tune in for practical guidance, concrete conversation starters for your MSP, and the motivation to make measurable security improvements this quarter.

Coverage includes the six confirmed actively exploited vulnerabilities (triple January’s count): three security‑feature bypasses that remove user protections (including a Word document bypass that is not triggered by Outlook preview), Desktop Window Manager (DWM) flaws that allow privilege escalation — and are being exploited for a second month — a Remote Desktop Services elevation issue found by CrowdStrike, and a Remote Access Connection Manager VPN crash vulnerability with a ready‑made exploit tool in criminal circulation. CISA has added all six to its known exploited list, with federal agencies required to patch by March 3.

The episode also highlights developer‑focused risks: three serious GitHub Copilot flaws that let hidden malicious instructions run commands on a developer’s machine, and a 9.8‑severity flaw in Microsoft’s Azure Cloud Tools for Python. Faulkner explains why developers are high‑value targets and why organizations that build or buy software must prioritize these fixes.

Other major items: January’s three out‑of‑band patches rolled into February’s cumulative update; Microsoft’s upcoming certificate updates that begin expiring from June (important for old or rarely‑connected hardware); SAP’s 26 security notes including a 9.9 remote‑command vulnerability and multiple high‑risk issues that can impact supply chains; Adobe’s 40+ fixes (27 critical), and updates from BeyondTrust, Ivanti, Cisco, Fortinet and others. Note: Google’s Android bulletin for February reported no security fixes.

Special callouts: an Outlook vulnerability that can capture credentials just by previewing a crafted email in the reading pane (apply all related Outlook patches), and Microsoft’s gradual retirement of NTLM which may break legacy business apps unless you plan ahead.

Actionable priorities and patch playbook: First wave (within 24 hours) — apply all six actively exploited fixes, the Azure Python tool patch for developer teams, and all Outlook fixes. Second wave (within 72 hours) — SAP (if you run it), Exchange Server, GitHub Copilot mitigations for developer teams, BeyondTrust remote‑support fixes. Third wave (within one week) — remaining SAP and Adobe updates, Cisco, Fortinet, and other important but not‑yet‑exploited updates. Faulkner stresses verifying deployment, testing remote desktop and Office workflows, and building patch management into incident response playbooks.

Who should listen: IT managers, small business owners, developers, MSPs, and security teams responsible for patching and remote access. The episode gives clear, prioritized guidance to reduce exposure quickly and recommends sharing the full CVE tables and patch tiers with your IT team or managed service provider.

Find the Blog Post here: - https://noelbradford.squarespace.com/blog/patch-tuesday-february-2026-six-zero-days-uk-smb-guide-2026

podscan_adfmJQJllh7XQBrNPLHkG9va1aIn6VKo

We open with APT28 (Fancy Bear) exploiting CVE‑2026‑21509: a weaponised Office document that triggers on open, drops an Outlook backdoor (MiniDoor/NotDoor) and a C++ implant (Beardshell) injected into svchost.exe, exfiltrating email and system data while blending traffic into legitimate cloud services.

Next, Securonix’s “Dead Vax” campaign shows how commodity criminals now match nation‑state tradecraft. Phishing delivers VHD files that mount like drives, bypass mark‑of‑the‑web warnings and execute fileless loaders that ultimately deploy AsyncRAT — giving attackers remote control, keylogging and full data access.

Rapid7’s analysis of the Chrysalis backdoor reveals a supply‑chain compromise of Notepad++ hosting infrastructure: poisoned installers selectively targeted victims, abused DLL side‑loading and trusted signed binaries to achieve persistent, encrypted backdoors and lateral movement tools. This is supply‑chain risk in practice.

Microsoft’s macOS research details multiple Stealer campaigns (Digit Stealer, Mac Sync, ClickFix, Atomic Stealer and more) distributed through poisoned Google Ads, fake AI tools and messaging apps. These attacks live off native macOS utilities, use AppleScript and Python, and harvest passwords, crypto wallets, SSH keys and cloud credentials — exposing the myth that Macs are immune.

We connect the dots: all four campaigns abused legitimate platforms and native features, used memory‑resident or fileless techniques that bypass signature AV, injected into trusted processes, and moved faster than patch cycles. The real victims are not random users but procurement staff, developers and privileged employees. Small businesses face the same capabilities for a fraction of the cost via malware-as-a-service.

On the regulatory front we cover the Data Use and Access Act (DUAA) changes that took effect in February 2026: cookie and e‑marketing fines jump to £17.5m or 4% of global turnover, new rules around children’s higher protection matters, a new lawful basis for limited public interest processing, and mandatory complaints handling procedures coming into effect on June 19. We explain why a breach today risks vastly larger financial and compliance consequences.

Finally, we give practical, prioritized guidance for small businesses: immediate zero‑cost steps (patch Office, verify Notepad++ versions, show file extensions, audit cookie banners, start a complaints procedure), technical controls to adopt (EDR/behavioral monitoring, managed email security, Mac MDM/EDR, fractionally engaged CISO/CIO), and realistic budgets and trade‑offs for a 20‑person company. Links to all source research and a detailed blog post are in the show notes for listeners who want the technical deep dive.

Dr. Sarah Chen explains passkeys in plain English: how they remove the shared secret that makes passwords vulnerable, why they defeat phishing, credential stuffing and most brute-force attacks, and exactly how small businesses should pilot them this week. She outlines a three-step rollout (check your identity platform, pilot with five users, support them through setup), recovery and accessibility considerations, device and cost guidance, and the measurable benefits — including dramatically fewer password reset tickets.

Former US government cyber analyst Corinne Jefferson unpacks the CISA ChatGPT incident, where the acting director uploaded sensitive government contracting documents to public ChatGPT despite an approved internal alternative. Corinne explains how exceptions become normalized, why convenience often defeats policy, how this damages security culture, and what organizations should do: enforce technical controls, require documented risk assessments for privileged exceptions, and ensure detection is coupled with a consistent response regardless of who triggers the alert.

Seamus O’Leary shares a practical small-business win: after realising he’d never introduced himself to his insurer’s incident response team, he discovered £18,000+ of pre-incident services already included in his cyber policy — IR plan templates, tabletop exercises, forensics retainers, quarterly scans and a 24/7 breach hotline. The episode walks through the five-week process he used to onboard the insurer’s IR team, fix gaps, run a tabletop, uncover critical weaknesses (unverified backups, unclear ransomware authority, GDPR notification issues) and win board-level funding to replace vulnerable infrastructure.

Noel and the team close with a structural look at cloud sovereignty and vendor concentration: why relying on US cloud providers (AWS, Azure, Google) creates real legal and operational risk regardless of where data is physically stored, how the Cloud Act and post‑Schrems II rules change transfer obligations, and practical mitigation options — encryption with external key control, transfer impact assessments, supplementary measures, vendor diversification and multi‑cloud planning.

Key takeaways for listeners: enable and pilot passkeys to eliminate credential-based attacks; enforce technical controls and documented approvals so seniority doesn’t become an exception to security; call your insurer’s IR contacts and use the services you’ve already paid for; treat cloud region selection as latency choice, not legal sovereignty, and perform real transfer impact assessments and mitigation. The episode mixes concrete how-to steps, governance advice, and real-world examples — from phishing-defeating authentication to saving thousands by activating policy services — all aimed at helping small businesses turn security theatre into dependable protection.

Topics covered include the four core incident roles (external incident manager, technical lead, business continuity coordinator, communications lead), how to find and contract an external IM (insurance, IT referrals, retainer vs pay-per-incident), what an IM can and cannot do, authority and spending limits, and realistic costs and timelines. The hosts explain a simple, achievable four-week setup plan that takes roughly four hours of actual work, and they share templates for team structure, external contacts, authority scripts, implementation timelines, and validation checklists.

Key points and takeaways: why impartial coordination matters, how to avoid common provider cover-up biases, the practical steps Katie used to stabilise her business, a real case study of an architecture firm saved from a Friday-afternoon ransomware attack, and concrete homework: find your IM, assign three internal roles, document everything on a single page, brief and validate your team. Listeners will leave with a clear, actionable plan, links to downloadable templates, and the promise that preparation reduces cost, stress, and downtime.

The show covers the one vulnerability already being actively exploited (CVE‑2026‑2805 in Desktop Window Manager) and two other high‑risk items used in targeted attacks, plus three zero‑day bugs. Graham takes a deep dive into the critical on‑premises SharePoint emergency (Toolshell campaign, CVE‑2025‑53‑700‑70 and related issues), urging immediate patching and incident response for exposed servers. He also explains the severe Kestrel/ASP.NET Core HTTP request smuggling flaw (CVE‑2025‑55315) and the practical impact on web apps and deployment teams.

The episode reviews other major vendor fixes: SAP’s 16 security updates (including four critical vulnerabilities), Apple’s two WebKit zero days, Adobe’s 32 patches (eight critical affecting Acrobat, Reader and creative apps), HPE OneView’s unauthenticated RCE (CVE‑2025‑37164), and ongoing VMware ESXi risks. Graham calls out long‑delayed Fortinet SSL‑VPN vulnerabilities (including CVE‑2020‑12812) and newer FortiCloud SSO bypasses, stressing that overdue patching still causes widespread compromises.

Practical guidance and priorities are clear and actionable: patch Windows cumulative updates, exposed SharePoint servers, Fortinet edge devices and HPE OneView within 24 hours; address .NET/web app fixes and SAP critical patches within the next 72 hours to one week; then continue with routine maintenance for browsers, Adobe, Cisco and other software. The episode also flags upcoming deadlines and logistics—Oracle’s critical patch update on January 20 and the end of Windows 10 support—so listeners can plan maintenance windows and migrations.

Key takeaways: assume compromise if you haven’t patched exposed services, verify systems after applying updates, assign owners who can patch and redeploy quickly, and treat cumulative Windows updates as all‑or‑nothing. There are no external guests—this episode is hosted solo by Graham Faulkner and aimed at helping small organizations act fast and reduce risk in the wake of an intense Patch Tuesday.

Key revelations from the Plan covered in the episode include: roughly 28% of government IT is legacy and cannot be defended with modern tools; repeated systemic failures across departments (poor patching, weak passwords, lack of monitoring); high‑cost incidents such as the British Library ransomware recovery and the CrowdStrike outage that cost the UK economy billions; and the Electoral Commission breach that exposed millions of voter records. The hosts explain the language the report uses — from “historical underinvestment” to “not achievable” targets — and what those admissions mean in plain English.

The episode also examines the Cabinet Office’s proposed response: new accountability rules giving accounting officers (permanent secretaries) personal responsibility for cyber risk, routine cyber risk reporting to boards, escalation mechanisms, and potential consequences including removal or public parliamentary scrutiny. The hosts discuss how this mirrors the health & safety/HSE accountability model and why public‑sector reform will likely set the precedent for private‑sector regulation (including implications of forthcoming cyber security and resilience legislation).

Financing and timelines are analysed too: the government has allocated around £210 million to kickstart a central cyber transformation unit with milestones through 2029, but the hosts stress this is a down payment — true remediation will take years and likely billions. The Plan’s investment priorities (visibility/monitoring, accountability, supply‑chain assurance, incident response and skills) form a checklist for businesses to adopt now.

Supply‑chain requirements are a central takeaway: departments will require security schedules, certification (Cyber Essentials, Cyber Essentials Plus, ISO 27001 where appropriate), and documented evidence of controls. These requirements will cascade down through primes to second‑ and third‑tier suppliers, so small businesses should expect tightened demands for proof of security and that compliance will become a competitive advantage.

The hosts finish with practical, actionable advice for small businesses: treat cyber risk as board‑level risk; establish personal accountability and clear escalation; prioritise visibility and monitoring; inventory and pragmatically manage legacy systems; obtain appropriate certifications (Cyber Essentials Plus, ISO etc.) if you have or might have public‑sector exposure; segregate and protect government work; build or improve incident response capability; and use this moment to push cultural change so security is embedded across the organisation.

Throughout the episode Noel, Mauven and Graham provide candid analysis, real examples from recent government failures, and specific steps SMBs can take now to reduce risk and gain a competitive edge as regulation and procurement expectations tighten. Listeners are pointed to the full Government Cyber Action Plan on gov.uk and the podcast blog for a detailed breakdown and sources.

The hosts explain, in plain technical terms, why SMS codes, authenticator app push prompts and one‑time codes fail against these attacks and why the stolen session token becomes a single‑factor credential for attackers. They describe what attackers typically do after compromise — mailbox reconnaissance, forwarding rules, OAuth app persistence, and registering new authentication methods — and highlight the scale of automated phishing‑as‑a‑service tools that make these attacks cheap and fast.

The episode then walks through the practical, phishing‑resistant solutions every small business should consider: Windows Hello for Business, hardware security keys (YubiKey, Authentrend and similar), and passkeys on mobile devices. For each option they cover how it works, deployment requirements, licensing or purchase costs, user experience trade‑offs, and which users to prioritize for rollout.

Mauven and Graham recommend a tiered, risk‑based rollout strategy: protect admin and privileged accounts first, then finance/HR/executives, and finally the wider workforce over months. They discuss real‑world gotchas — legacy apps that don’t support modern auth, BYOD complications, mobile workflows, and the need for a secured “break glass” account — plus expected labour, training and hardware costs for a typical 30‑user small business.

Beyond replacing or upgrading MFA, the hosts cover essential complementary controls: conditional access policies, continuous access evaluation (CAE) to shorten token windows, blocking legacy authentication (SMTP/IMAP/POP), impossible‑travel detection, and concrete incident response steps (revoking sessions, removing rogue MFA methods and OAuth apps, checking forwarding rules and mailbox rules, and doing forensics on accessed data).

The episode closes with an immediate to‑do list for small businesses: verify MFA is actually enabled, remove SMS/email MFA methods, plan a phishing‑resistant rollout starting with tier‑1 users, enable conditional access and CAE, and budget for training and support. They also preview an upcoming multi‑episode series to help businesses build a practical incident response plan.

Listeners can expect a technically grounded but actionable discussion aimed at business owners and IT staff: why traditional MFA is still valuable, why it’s not enough against AITM, and exactly how to adopt phishing‑resistant authentication to close that gap.

Three in the morning. Your phone's ringing. Someone's encrypted your customer database. What do you do?

This trailer launches our most ambitious series yet: a six-module programme running January through March 2026 that transforms panic into a complete, tested incident response plan. Each module drops every two weeks, giving you time to implement before the next one arrives. Between modules, normal episodes continue covering current threats, breaches, and patches.

This Series Will Give You:

• Complete incident response framework for small businesses
• Communication templates you can use during an actual incident
• Threat-specific playbooks for ransomware, data breaches, and system compromises
• Testing procedures that prove your plan works under pressure
• Implementation time built into the schedule
• Practical guidance for teams with real constraints

What You'll Build:

• Clear decision tree for incident classification
• Role definitions (even if your team is three people)
• Initial response procedures
• Documentation requirements
• Escalation pathways

Practical Outputs:

• Who does what, when, and how
• Your first response checklist
• Contact list template

What You'll Build:

• Response team structure for small businesses
• Role assignments that work with limited staff
• External contact management
• Vendor coordination procedures
• Backup personnel plans

Practical Outputs:

• Team roster with responsibilities
• External contacts database
• Succession planning for key roles

What You'll Build:

• Internal notification procedures
• Customer communication templates
• Regulatory reporting guidance
• Media handling basics
• Stakeholder management

Practical Outputs:

• Communication templates ready to use
• Notification timelines
• Contact escalation matrix

What You'll Build:

• Ransomware response procedures
• Data breach protocols
• System compromise workflows
• Phishing incident handling
• Insider threat procedures

Practical Outputs:

• Step-by-step playbooks for each threat type
• Decision trees for common scenarios
• Evidence preservation guides

What You'll Build:

• Tabletop exercise framework
• Simulation scenarios
• Assessment criteria
• Continuous improvement process
• Lessons learned documentation

Practical Outputs:

• Test schedule
• Simulation scripts
• Improvement tracking system

What You'll Build:

• Your complete, customised IR plan
• Integration with existing processes
• Maintenance schedule
• Annual review procedures
• Staff training programme

Practical Outputs:

• Final incident response plan document
• Ongoing maintenance checklist
• Training materials for your team

Every other week between module releases, you'll get:

• Latest Breach Analysis: What happened, how it happened, what you can learn
• Critical Security Patches: What you need to apply and why (see our December 2025 Patch Tuesday analysis)
• Emerging Threat Intelligence: Current attacks targeting UK small businesses
• Practical Implementation Guides: Hands-on advice for immediate action

Because security doesn't pause whilst you're building your plan.

Week 1: Module episode drops Week 2: Implementation time + normal episode Week 3: Next module episode drops Week 4: Implementation time + normal episode

This cadence gives you:

• Time to actually implement each module
• Space to ask questions and refine
• Current threat intelligence throughout
• Sustainable pace for resource-constrained teams

Current State:

• 43% of UK small businesses experienced cyber breaches last year (DSIT 2025)
• Average breach cost: £250,000
• Some breaches exceed £7 million
• 60% of small businesses close within six months of a major cyber incident
• NCSC estimates 50% of UK SMBs will experience a breach annually

The Gap:

• 73% have no board-level cybersecurity responsibility (see Episode 31: The Risk Register Argument)
• Most have no documented incident response plan
• Existing plans are often enterprise frameworks that don't work for SMBs
• When incidents occur, response is reactive panic rather than systematic procedure

The Opportunity:

• Having a tested incident response plan can reduce breach impact by up to 70%
• Cut recovery time significantly
• Minimise business disruption
• Demonstrate due diligence for cyber insurance
• Meet regulatory requirements
• Protect customer trust

Traditional incident response planning assumes you have:

• Dedicated security team
• 24/7 SOC coverage
• Unlimited budget
• Complex organisational structure
• Enterprise-grade tools

This series assumes you have:

• Limited staff wearing multiple hats
• Constrained budget
• Time pressure
• Real business to run
• Practical need for procedures that actually work

Every recommendation is:

• Tested in actual small business environments
• Budget-conscious
• Time-realistic
• Scalable as you grow
• Focused on high-impact, low-cost implementations

This series is particularly relevant for:

• UK small business owners (5-50 employees) who need incident response capability
• Startup founders building security from the ground up
• SME managers responsible for cybersecurity without security backgrounds
• Solo IT staff who handle everything
• Business owners who've invested in prevention but lack response capability
• Anyone who thinks "we're too small to need an incident response plan"
• Directors concerned about personal liability under the Companies Act
• Businesses pursuing Cyber Essentials or cyber insurance
• Professional services firms handling sensitive client data

You'll especially benefit if:

• You've asked "what happens if we get breached?" and had no good answer
• Your current plan is "call the IT guy and hope"
• You've got prevention sorted but no response capability
• You need to demonstrate due diligence for insurance or compliance
• You're responsible for security but lack formal training
• Your team is small and you can't afford enterprise solutions

Not theoretical frameworks or consultant waffle. Every module produces concrete, usable outputs you can implement on a Tuesday afternoon between customer calls.

Built for teams of 3-50 people, not Fortune 500 enterprises. Acknowledges real constraints around time, money, and expertise.

Every procedure comes from actual small business implementations. No academic theory or enterprise assumptions.

Two-week rhythm gives you time to implement, refine, and ask questions before the next module arrives.

Normal episodes between modules keep you current on threats, breaches, and patches whilst you're building your plan.

Six modules build into one cohesive incident response capability, not disconnected tips.

January 2026:

• Week 1: Module 1 - Incident Response Foundations
• Week 2: Normal Episode (current threats)
• Week 3: Module 2 - Building Your Response Team
• Week 4: Normal Episode (current threats)

February 2026:

• Week 1: Module 3 - Communication Plans
• Week 2: Normal Episode (current threats)
• Week 3: Module 4 - Threat-Specific Playbooks
• Week 4: Normal Episode (current threats)

March 2026:

• Week 1: Module 5 - Testing Your Plan
• Week 2: Normal Episode (current threats)
• Week 3: Module 6 - Complete System Integration
• Week 4: Normal Episode (current threats)

Don't miss any module in this series. Subscribe on your preferred platform:

Apple Podcasts: Currently ranked #13 in Management category worldwide Spotify: New episodes every week All Major Podcast Platforms: Search for "The Small Business Cyber Security Guy" RSS Feed: Direct feed link

If you need direct assistance with incident response planning or any cybersecurity topic we cover:

Email: hello@thesmallbusinesscybersecurityguy.co.uk Website: thesmallbusinesscybersecurityguy.co.uk

Visit our website for:

• Detailed implementation guides
• Template downloads
• Step-by-step walkthroughs
• All episode show notes and transcripts
• Blog articles expanding on episode topics

"No BS Cyber for SMBs" on LinkedIn - practical cybersecurity advice delivered weekly by Noel Bradford

Know someone who needs this? Share with:

• Business owners without incident response plans
• IT managers dealing with limited resources
• Directors concerned about cyber liability
• Anyone responsible for small business security

With over 40 years in IT and cybersecurity across enterprises including Intel, Disney, and BBC, Noel now serves as CIO/Head of Technology for a boutique security-first MSP. He brings enterprise-level expertise to small business constraints, translating million-pound solutions into hundred-pound budgets. His mission is making cybersecurity practical and achievable for resource-constrained small businesses.

Former UK Government cyber analyst, Mauven brings systematic threat analysis and government-level security thinking to commercial reality. With her Glasgow roots and ex-government background, she translates complex security concepts into practical advice for small businesses, asking the questions business owners actually need answered.

• Episode 17: Social Engineering - The Human Firewall Under Siege
• Episode 30: The Printer Is Watching - IoT Security
• Episode 29: Reverse Benchmarking - Learning from Disasters
• Episode 31: Boards, Breaches and Accountability - Risk Registers

• Reverse Benchmarking: Why Studying Cyber Failures Beats Copying Best Practices
• The Risk Register Argument - When Your Co-Host Says You're Wrong About Governance
• How to Build a Cyber Risk Register That Actually Works
• Your First Cyber Risk Register: 2-Hour Implementation Guide
• Your £15,000 Security Investment Just Got Defeated by a £300 Printer
• Three Zero Days And A Christmas Timebomb: December Patch Tuesday Analysis

If this series provides real value to your business:

1. Leave a Review on Apple Podcasts or Spotify - tell us what you're implementing
2. Share Episodes with other business owners who need this
3. Tell Us What's Landing - your feedback helps us create more useful content
4. Subscribe so you don't miss any modules

Everything discussed in this series is for general guidance and educational purposes. It's meant to point you in the right direction but absolutely shouldn't be treated as professional advice tailored specifically to your business. Your situation is unique. What works brilliantly for one business might be completely inappropriate for another.

We do our very best to keep everything accurate and current, but the cybersecurity world moves quickly. Things can change between when we record and when you're listening, so always double-check critical technical details with qualified professionals before making major changes to your systems.

If we mention websites, products, or services, we're giving you information, not necessarily endorsing them. We can't be responsible for what happens on their end or if things go sideways when you use them.

If you're dealing with serious cybersecurity incidents, actual data breaches, or complex compliance issues, please talk to proper professionals rather than just relying on podcast advice. We're here to educate and help you understand the landscape, not to replace your security consultant, solicitor, or IT team.

Think of us as your knowledgeable mates down the pub who work in cybersecurity, not your official contracted consultants. We care about your business, but we're not your insurance policy.

Stay safe out there, keep learning, and remember: when in doubt, get a second opinion from someone who can see your specific situation.

This has been a Small Business Cyber Security Guy production. Copyright 2025, all rights reserved.

Series Preview | December 2025 | The Small Business Cyber Security Guy Podcast

#IncidentResponse #CyberSecurity #SmallBusiness #UKBusiness #SMBSecurity #CyberEssentials #BusinessContinuity #DisasterRecovery #NCSC #InfoSec #RiskManagement #DataProtection #GDPR #CyberInsurance #BusinessResilience #ThreatResponse #SecurityPlanning #UKCyber #EnterpriseSecurity #PracticalSecurity

We open with the MacHire fiasco: security researchers discovered an admin account on McDonald’s AI hiring chatbot (Paradox.ai/Olivia) protected by the password "123456," exposing up to 64 million applicant records. The researchers reported the flaw; no known mass theft occurred, but the episode underlines vendor risk and the dangers of legacy test accounts and absent MFA.

Next, we cover the Louvre post-heist revelations: a €88m jewel theft followed by reports showing decades-old surveillance systems running Windows 2000/XP, passwords like "Louvre" and systemic neglect. The story is used to illustrate how even world-famous institutions fail at basic cyber hygiene.

We recap the PowerSchool catastrophe, where a 19-year-old college student used compromised credentials to access a support portal and exposed data on some 62 million students and millions of staff. The attack led to ransom demands, payments, further extortion attempts, criminal charges, and a clear lesson — no MFA, huge consequences.

The UK was a hotspot in 2025: Jaguar Land Rover, Marks & Spencer, Co-op, Harrods and others suffered disruptive breaches often rooted in third-party/supply-chain compromises. We also discuss the Foreign, Commonwealth & Development Office breach (detected in October, disclosed in December), suspected China-linked activity, and the difficulties of attribution.

In a rapid-fire segment we cover smaller-but-still-impactful stories: a ransomware gang that abandoned an extortion against nurseries after public outrage; attacks on Asahi, DoorDash and Harvard; widespread exploitation of unpatched SharePoint vulnerabilities; and how simple phishing and credential theft continue to be the root cause of major incidents.

Key takeaways for small businesses are emphasized throughout: enable multi-factor authentication, use strong unique passwords and password managers, patch promptly, run vendor due diligence and risk registers, train staff on phishing/social engineering, maintain incident response plans, and treat supply-chain security as part of your attack surface. The hosts argue the fundamentals work — do the boring basics correctly.

The episode closes with practical advice, links to the revamped blog and Noel’s "No BS Cyber for SMBs" newsletter on LinkedIn, and a festive-but-sober call to change weak passwords (definitely not to "123456") and enable MFA before the new year.

#Cybersecurity #Ransomware #DataBreaches #PasswordSecurity #SupplyChainSecurity #SmallBusiness #UKCyber #InfoSec #Christmas2025 #PowerSchool #McDonalds #JaguarLandRover #ForeignOffice

This Small Business Cyber Security Guy podcast episode tackles cyber risk management for UK SMEs through a heated debate about whether small business boards need formal cyber risk registers.

UK cyber security statistics that changed Graham's mind:

• 43% of UK small businesses experienced cyber breaches last year (DSIT 2025)
• 73% have no board-level cyber security responsibility
• 28% of SMEs say one cyber attack could close them permanently (Vodafone 2025)
• Average UK small business breach costs £3,398

Real-world cyber risk register failures: UK manufacturing company with "satisfactory" security controls destroyed by ransomware. Had antivirus, firewalls, backups. No documented cyber risk assessment. No board-level governance. Business nearly closed.

Companies Act director duties most UK boards ignore: Section 174 requires directors exercise "reasonable care, skill and diligence" in managing company risks. With 43% breach rates, cyber risk is material. Failure to document cyber risk management exposes directors to personal liability.

Practical cyber risk register implementation:

✓ Minimum viable cyber risk register template (8 columns, single spreadsheet)

✓ Board-level cyber security governance framework

✓ Quick remediation: enable MFA, test backup restoration, implement payment verification

✓ NCSC Board Toolkit guidance for UK SMEs

✓ Cyber insurance risk assessment requirements

Perfect for UK small business owners, SME directors, startup founders, business managers responsible for cyber security compliance, GDPR, and corporate governance.

Listen to this cyber security governance debate and learn why risk registers aren't bureaucracy - they're legal protection for directors and businesses.

December 2025 just shipped the last Microsoft security fixes of the year. Fifty seven vulnerabilities, three zero days, and one actively exploited Windows privilege escalation that hits almost every supported build. Are you patched before the Christmas break, or are you leaving a present for attackers in January?

In this episode, Graham walks through the December Patch Tuesday release for 2025, with a focus on what actually matters for small and medium businesses. You will hear how CVE 2025 62221 in the Windows Cloud Files driver turns a low level account into full system compromise, why Office Preview Pane is once again a risk, and how AI powered tools like GitHub Copilot for JetBrains and PowerShell changes introduce new attack paths. Does your team know about any of that?

You also get a fast tour of Adobe and other vendor updates, including ColdFusion, Android, Ivanti, Fortinet, React server components and SAP. Graham then zooms out to review the full year, with more than one thousand one hundred Microsoft vulnerabilities in 2025 and privilege escalation bugs leading the pack. Finally, he explains why the five week gap before the next Patch Tuesday on thirteen January 2026 makes December patching non negotiable.

By the end of the episode you will know:

1. Which patches you must treat as emergency work, especially CVE 2025 62221

2. How Office, Copilot and PowerShell changes affect day to day risk

3. Why Windows 10 without Extended Security Updates is now a business liability

4. What to ask your IT team or provider before everyone disappears for the holidays

Are you confident your estate will survive the festive period, or do you need to push patching to the top of the list?

This episode reveals the uncomfortable truth about Internet of Things (IoT) devices in your business. We're talking about printers, CCTV systems, smart thermostats, networked door locks, and every other "smart" device you've stopped thinking about as a computer. These forgotten devices are giving attackers a free pass into networks that are otherwise properly secured.

We share a real case study from our recent emails about a marketing agency that spent £15,000 on security, passed their audit with flying colours, and still got breached through their office printer. This isn't theoretical paranoia. This is happening right now to businesses that think they've got security sorted.

• Why your office printer is possibly the biggest security risk in your building
• How default passwords on "forgotten" devices create easy access points for attackers
• The real story of a £15,000 security investment defeated by a £300 printer
• What network segmentation actually means and why it matters for small businesses
• How to create and maintain an accurate device inventory
• Practical steps to secure IoT devices without enterprise budgets
• Why your CCTV system might be livestreaming to the internet right now
• How smart thermostats become backdoors into your network

Modern offices are full of computers disguised as other things. Every printer, every CCTV camera, every smart thermostat, and every networked door lock is actually a computer connected to your network. Most businesses secure their obvious computers whilst completely forgetting about these devices, creating perfect entry points for attackers who aren't bothering with sophisticated social engineering when they can just log in with "admin/admin".

A 30-person marketing agency listened to our ransomware and authentication episodes, then invested £15,000 in proper security: new firewalls, endpoint protection, hardware authentication keys for every staff member, and a security audit that came back clean. Two months later, they discovered someone had been accessing their client files for weeks through their HP printer that still used factory default credentials. The printer had full network access and stored copies of everything printed. Nobody had changed the password. Nobody had checked it during the audit. Nobody even thought about it.

Attackers maintain databases of default passwords for thousands of devices. They don't need to crack complex passwords when they can try "admin/admin" or "admin/password" and gain access to printers, cameras, or thermostats within seconds. These devices often ship with administrative interfaces accessible from the network, and most businesses never change the defaults because they don't think of these devices as security concerns.

Network segmentation sounds enterprise-level complicated, but the basic concept is simple: not everything on your network should be able to access everything else. Your printer doesn't need access to your accounting server. Your CCTV system doesn't need to reach your customer database. Creating separate network zones for different device types means a compromised printer can't become a stepping stone to your sensitive data.

Most small businesses have no accurate list of what's actually connected to their network. They know about the laptops and servers but often forget about the smart coffee machine someone plugged in last year, the wireless access points in the meeting rooms, or the networked thermostat the facilities team installed. Without knowing what's connected, you can't secure it. We discuss practical methods for discovering and documenting every device on your network.

We break down actionable steps that don't require enterprise budgets or dedicated security teams. This includes conducting device audits, changing default passwords, implementing basic network segmentation, regular firmware updates, and creating ownership responsibility for every connected device. The goal is proportionate security that's actually achievable for small businesses.

1. Every connected device is a computer. If it has an IP address, it's a potential security risk that needs management and protection.
2. Default passwords are attackers' best friends. The first thing to do with any new device is change the administrative password. Never assume factory defaults are acceptable.
3. Network segmentation isn't optional anymore. IoT devices should be isolated from your main business network, even if that means starting with basic VLAN separation.
4. Device inventory is fundamental. You can't secure what you don't know exists. Conduct regular network scans to discover forgotten devices.
5. Ownership matters. Every device needs someone responsible for its security. Don't let devices become "nobody's problem" because that's when they become everyone's problem.
6. Security audits miss IoT devices. Standard security assessments often focus on servers and workstations whilst completely overlooking printers, cameras, and other IoT equipment.
7. Firmware updates apply to everything. IoT devices need security patches just like computers. Many businesses forget this entirely.
8. Your £15,000 security investment can be defeated by a £300 printer. Security is only as strong as your weakest link, and IoT devices are often the weakest links because they're forgotten.

• Previous Episodes Referenced:
  • Episode 17: Social Engineering - The Human Firewall Under Siege
  • Ransomware episodes (multiple)
  • Authentication episodes featuring Mark Bell
  • Cyber Essentials episodes
  • Electoral Commission accountability episode
• Hardware Authentication: AuthenTrend hardware keys (mentioned as sponsor)
• Case Studies: Marketing agency breach via printer (anonymized client)

• NCSC Guidance: National Cyber Security Centre - IoT security guidance
• Network Discovery Tools: Fing, Advanced IP Scanner, or similar free network scanning utilities
• Device Documentation: Spreadsheet templates for device inventory available on our website

1. Find your printer's admin interface. Log in. If you can't remember the password, that's probably because it's still set to "admin". Change it. Now.
2. List five connected devices that aren't computers or phones. These are your starting inventory.
3. Check one device's firmware. Is it up to date? When was it last updated? Who's responsible for keeping it current?

1. Complete device inventory. Use network scanning tools to discover everything connected to your network. Document it all.
2. Change all default passwords. Every printer, camera, thermostat, and access point needs unique, strong credentials.
3. Assess your network segmentation. Can your printer access your file server? It shouldn't. Start planning basic network separation.
4. Assign device ownership. Every device needs someone responsible for its security, updates, and maintenance.

1. Implement basic network segmentation. Even simple VLAN separation is better than everything on one network.
2. Create update schedules. IoT devices need regular firmware updates just like computers.
3. Review and test. Verify your device inventory is accurate. Check that passwords actually changed. Confirm segmentation works.

This episode is particularly relevant for:

• Small business owners who've invested in cybersecurity but may have overlooked IoT devices
• IT managers and solo IT staff responsible for securing business networks with limited resources
• Office managers who purchase and install connected devices without considering security implications
• Business owners who think they've "done security" but haven't considered printers, cameras, and similar devices
• Anyone who's ever said "it's just a printer" when security concerns were raised

We've covered passwords, multi-factor authentication, ransomware, supply chain attacks, shadow IT, and social engineering across 30 episodes. We've discussed major breaches at household names and examined what it takes to protect heads of state. But we've deliberately avoided IoT security until now because we knew it would make people uncomfortable, possibly angry, and definitely worried.

The uncomfortable truth is that whilst you've been securing laptops and servers, your office printer has had full network access, stores every document you print, and still uses the password it shipped with. The CCTV system protecting your premises might be livestreaming to the internet because nobody changed the default settings. The smart thermostat saving you money on heating is potentially giving attackers a way into your network.

This isn't theoretical paranoia. We're seeing breaches through IoT devices happen to businesses that have otherwise invested properly in cybersecurity. The marketing agency case study we discuss spent £15,000 on security and still got breached through a printer nobody thought to check during the security audit.

IoT security is the blind spot in small business cybersecurity. This episode gives you the knowledge and practical steps to finally address it without enterprise budgets or dedicated security teams.

This milestone episode also marks an important achievement for the podcast. Since launching in June 2025, we've:

• Reached Top 12 in Apple Podcasts Management category worldwide
• Peaked at 3,500 daily downloads
• Built an audience that's 47% US, 37% UK despite being a UK-focused show
• Made cybersecurity almost entertaining whilst maintaining technical accuracy
• Helped businesses actually implement security improvements, not just understand threats

We're genuinely grateful to everyone who's been listening, sharing, and most importantly, doing the work. The chart positions and download numbers are nice, but what matters more is when someone emails to say they've finally sorted Cyber Essentials or retired Dave from IT as a single point of failure.

Episode 31 (Next Week): Regular episode format continues with another crucial small business cybersecurity topic

Episode 32 (22nd December): Christmas Special - a festive take on cybersecurity for small businesses

If you need direct assistance with IoT device security, Cyber Essentials, network segmentation, or any topic we've covered, contact us at: hello@thesmallbusinesscybersecurityguy.co.uk

Visit thesmallbusinesscybersecurityguy.co.uk for:

• Detailed guides on everything we've discussed
• Step-by-step walkthroughs for printer security, camera configuration, and network segmentation
• Device inventory templates and checklists
• All episode show notes and transcripts

• Apple Podcasts: Currently Top 12 in Management category worldwide
• Spotify: New episodes every week
• All major podcast platforms: Search for "The Small Business Cyber Security Guy"

Know someone who's ever said "it's just a printer"? They need this episode in their life. Share it with:

• Business owners who think they've got security sorted
• IT managers dealing with limited budgets and forgotten devices
• Office managers who purchase connected devices
• Anyone responsible for small business network security

If you've had real value from this podcast:

1. Leave a review on Apple Podcasts or Spotify - tell us what you've actually changed in your business
2. Share episodes with other business owners who need to hear this
3. Tell us what's landing - your feedback helps us create more useful content
4. Subscribe so you don't miss episodes

With over 40 years in IT and cybersecurity across enterprises including Intel, Disney, and BBC, Noel now serves as CIO/Head of Technology for a boutique security-first MSP. He brings enterprise-level expertise to small business constraints, translating million-pound solutions into hundred-pound budgets. His mission is making cybersecurity practical and achievable for resource-constrained small businesses.

Former government cyber analyst, Mauven, brings systematic threat analysis and government-level security thinking to commercial reality. With her Glasgow roots and ex-government background, she translates complex security concepts into practical advice for small businesses, asking the questions business owners actually need answered.

Regular contributor and co-host for special episodes, Graham adds additional perspective and helps make complex cybersecurity topics accessible to small business audiences. His role includes managing the legal disclaimers and ensuring content remains grounded in practical business reality.

Everything discussed in this episode is for general guidance and educational purposes. It's meant to point you in the right direction but absolutely shouldn't be treated as professional advice tailored specifically to your business. Your situation is unique. What worked brilliantly for one business might be completely inappropriate for another.

We do our very best to keep everything accurate and current, but the cybersecurity world moves faster than a caffeinated squirrel. Things can change between when we record and when you're listening, so always double-check critical technical details with qualified professionals before making major changes to your systems.

If we've mentioned any websites, products, or services, we're giving you information, not necessarily endorsing them. We can't be responsible for what happens on their end or if things go sideways when you use them.

If you're dealing with serious cybersecurity incidents, actual data breaches, or complex compliance issues, please talk to proper professionals rather than just relying on podcast advice. We're here to educate and help you understand the landscape, not to replace your security consultant, solicitor, or IT team.

Think of us as your knowledgeable mates down the pub who work in cybersecurity, not your official contracted consultants. We care about your business, but we're not your insurance policy.

Stay safe out there, keep learning, and remember: when in doubt, get a second opinion from someone who can see your specific situation.

This has been a Small Business Cyber Security Guy production. Copyright 2025, all rights reserved.

Episode 30 | December 2025 | The Small Business Cyber Security Guy Podcast

In this episode, Noel and Mauven flip traditional benchmarking on its head. Instead of asking "what are the best companies doing?", they explore the far more revealing question: "what did the disasters get catastrophically wrong?" From the Target breach via an HVAC vendor to ransomware attacks on UK holiday parks, the hosts dissect spectacular cybersecurity failures to extract practical lessons for small businesses.

You'll discover why copying enterprise best practices often backfires for SMBs, how compliance creates dangerous false security, and practical ways to build your own "disaster library" of lessons learned. Plus, the hosts reveal why some of the worst cybersecurity advice comes from studying successful companies rather than failed ones.

This isn't just negativity packaged as strategy. It's a systematic approach to identifying your business's genuine vulnerabilities by examining where others fell through the cracks. Because in cybersecurity, knowing what not to do is often more valuable than copying what others claim works.

One in three small businesses were hit by cyberattacks last year. The average cost? A quarter of a million pounds, with some reaching seven million. But here's the crushing statistic: 60% of small businesses close within six months of a cyber incident.

Traditional benchmarking tells you to copy what big enterprises do. Reverse benchmarking shows you what kills businesses like yours, so you can avoid becoming the cautionary tale in someone else's podcast.

1. Traditional Benchmarking Often Fails SMBs

• Copying FTSE 100 security on a shoestring budget is a losing game
• Enterprise solutions don't scale down effectively
• By the time you copy last year's "best practice," threats have evolved
• Context matters more than copying

2. Compliance ≠ Security

• Being compliant doesn't mean you're secure
• Compliance is like passing your driving test - it proves you know the rules, not that you'll never crash
• Checkbox culture creates dangerous complacency
• Attackers don't check your certifications before striking

3. The Statistics Are Sobering

• One third of SMBs hit by cyberattacks annually
• Average breach cost: £250,000
• Some breaches: £7 million
• 60% of small businesses close within six months post-attack
• NCSC estimates 50% of UK SMBs will experience a breach each year

4. Real-World Disasters Teach Practical Lessons

• Target breach: Lost $162 million because HVAC vendor credentials weren't properly segmented
• Colonial Pipeline: Shutdown of major US fuel infrastructure from weak VPN password
• UK holiday park ransomware: Peak season attack forced cash-only operations
• Common thread: Basic security fundamentals ignored

5. Third-Party Risks Are Existential

• 61% of breaches involve third-party access
• Small vendors create backdoors into larger networks
• Your security is only as strong as your weakest supplier
• Segment vendor access ruthlessly

6. Practical Implementation Steps

• Build your own "disaster library" of relevant failures
• Hold quarterly "what went wrong" review sessions
• Map your business to failed case studies
• Ask "could this happen to us?" for every breach you read about
• Create no-blame culture for reporting near-misses

Noel poses a simple question: in the pub, what do people talk about? Their wins, mostly. This episode does the opposite by examining failures instead of successes. The hosts introduce "reverse benchmarking" as the Darwin Awards of cybersecurity, learning from others' digital disasters rather than bragging about fancy firewalls.

Key Quote: "Learn from other people's face-plants so we don't repeat them."

Traditional benchmarking means copying what successful companies do. Reverse benchmarking flips this around: study the worst failures in your industry and make certain you don't repeat them.

The Problem with Traditional Benchmarking:

• Big enterprises have massive IT teams and unlimited budgets
• Trying to copy enterprise security on SMB resources is futile
• Benchmarking looks backwards - by the time you implement, hackers have moved on
• If everyone in your industry has the same gap, benchmarking won't reveal it

Why It Matters Now:

• One third of SMBs were hit by cyberattacks in the past year
• Average cost: £250,000, with some reaching £7 million
• 60% of small businesses close within six months of a cyberattack
• Most small business owners still think they're too small to be targeted

UK Context: The National Cyber Security Centre (NCSC) estimates around half of UK SMBs will experience a breach each year. Coin flip odds. If you're sitting in a board meeting saying "hackers won't bother with us," you might as well hang a sign reading "free Wi-Fi, no password."

Many businesses believe being compliant means they're secure. This is cybersecurity's biggest misconception.

Compliance vs Security:

• Compliance is like passing your driving test - it means you know the rules, not that you'll never crash
• Or that you're a good driver
• Microsoft's security GM: "Some SMBs believe being compliant means they're safe. It doesn't."
• Hackers don't check whether you've got ISO certification before attacking

The Checkbox Culture:

• "We did our annual password change. Job done."
• Hackers respond: "Challenge accepted."
• Following checklists creates false sense of security
• Real security requires ongoing vigilance, not annual tick-boxes

The Hidden Risk: If everyone in your industry has the same security gap but meets the same compliance standards, benchmarking against them won't reveal your shared vulnerability. You're all vulnerable together, congratulating each other on your certifications.

One of retail history's most infamous breaches demonstrates how third-party access becomes a catastrophic liability.

What Happened:

• December 2013: Hackers stole 40 million credit card numbers and 70 million customer records
• Entry point: HVAC contractor with network access
• Attackers used vendor credentials to access Target's corporate network
• Then moved laterally to payment systems

The Aftermath:

• Direct losses: $162 million
• CEO resigned
• CIO resigned
• Board chairman resigned
• Countless hours dealing with breach response, forensics, legal battles

The Lesson: Your security is only as strong as your weakest supplier. That HVAC company, plumber, or IT consultant with network access? They're potential backdoors. Target's enterprise-grade security was bypassed through a small contractor's weak credentials.

For Small Businesses:

• 61% of breaches involve third-party access
• Small businesses often provide services to larger enterprises
• Your compromise becomes their breach
• Vendor management isn't optional

Practical Actions:

• Segment vendor access ruthlessly
• No contractor needs access to your entire network
• Use separate credentials for third parties
• Monitor vendor access continuously
• Regular vendor security audits

In May 2021, a single compromised password shut down a major fuel pipeline supplying 45% of the US East Coast's fuel.

What Happened:

• Ransomware attack forced shutdown of 5,500-mile pipeline
• Entry point: Weak VPN password
• No multi-factor authentication (MFA) on VPN access
• Company paid $4.4 million ransom (partially recovered later)

The Impact:

• Fuel shortages across southeastern United States
• Panic buying, price spikes
• Emergency government declarations
• Week-long shutdown of critical infrastructure

The Lesson: Credentials are your front door. If you're not protecting them properly, you've left the door unlocked with a welcome mat out for attackers.

For Small Businesses: The Colonial Pipeline didn't fail because of sophisticated zero-day exploits or nation-state malware. They failed because they didn't have MFA enabled on remote access.

Your Action Items:

• Enable MFA everywhere, particularly VPN access
• Enforce strong password policies
• Monitor for credential compromise
• Phishing-resistant MFA (hardware tokens or biometrics) for privileged access
• Regular access reviews

The Cost-Benefit Reality:

• Hardware security keys: £40-70 per user
• Potential breach cost: £250,000 average
• MFA prevents 99.9% of automated credential attacks
• The mathematics are straightforward

Closer to home, a UK holiday park discovered that timing matters when ransomware strikes.

What Happened:

• Ransomware attack during peak summer season
• All booking systems encrypted
• Payment processing down
• Guest check-ins disrupted

The Business Impact:

• Had to operate cash-only during busiest period
• Couldn't process new bookings
• Lost revenue during most profitable weeks
• Guest experience severely compromised
• Reputation damage

The Lesson: Attackers choose timing deliberately. They struck during peak season when the business would be most desperate to restore operations quickly and most likely to pay the ransom.

For Small Businesses: Seasonal businesses are particularly vulnerable during peak periods. That's precisely when attackers strike, knowing you can't afford downtime.

Your Defence Strategy:

• Offline, air-gapped backups tested regularly
• Incident response plan practiced before peak season
• Alternative payment processing methods ready
• Staff trained on ransomware procedures
• Crisis communication templates prepared

The Backup Reality: Having backups isn't enough. You need to test restoration procedures. The middle of a ransomware attack is not the time to discover your backups don't work or take three weeks to restore.

Traditional approaches focus on aspirational goals. Reverse benchmarking focuses on avoiding catastrophic failures.

The Psychological Advantage:

• Failures provide concrete examples of what not to do
• Success stories often omit the messy details
• Disasters reveal the actual attack patterns you'll face
• Real consequences make lessons stick

The Practical Advantage:

• You learn what actually breaks in the real world
• Not theoretical best practices that might work
• Understand attack chains step by step
• See how small gaps become massive breaches

The Cost Advantage:

• Avoiding one disaster pays for years of modest security investment
• You don't need enterprise budgets to avoid enterprise mistakes
• Focus resources on genuine vulnerabilities
• Not on impressive-sounding but irrelevant controls

The Timeliness Advantage:

• Recent failures reflect current threat landscape
• More relevant than last year's "best practices"
• See how threats evolve in real-time
• Adapt defences to actual attack methods

Practical implementation of reverse benchmarking for your business.

Step 1: Collect Relevant Failures

• Focus on breaches in similar-sized businesses
• Same industry or adjacent sectors
• Similar technology stack
• Geographic relevance (UK regulations, threat actors)

Step 2: Quarterly Review Sessions

• "What went wrong" meetings with your team
• Review recent breaches systematically
• Ask: "Could this happen to us?"
• Identify similar vulnerabilities in your environment

Step 3: Map to Your Environment

• For each breach, trace the attack path
• Identify which elements exist in your business
• Where are your equivalent vulnerabilities?
• What would the impact be if it happened to you?

Step 4: Prioritise Actions

• Not every lesson requires immediate implementation
• Focus on high-probability, high-impact scenarios first
• Quick wins vs long-term projects
• Balance cost against realistic risk

Step 5: Create Your "Anti-Playbook"

• Document what you'll never do based on failure analysis
• Share with team so everyone knows the "forbidden" approaches
• Update as new disasters emerge
• Make it living document, not static policy

Resources to Monitor:

• NCSC Weekly Threat Reports
• Information Commissioner's Office (ICO) breach reports
• Industry-specific security bulletins
• UK Cyber Security News
• Global breach databases with UK filter

If people hide mistakes, you lose the chance to fix vulnerabilities before an actual breach occurs.

The Aviation Model: Airlines improve safety by fostering no-blame culture for near-misses. They want to hear about every close call so they can fix systemic issues before disaster strikes.

Applying This to Cybersecurity: If Janet in accounting falls for a phishing test, berating her is counterproductive. Instead, make it a learning opportunity for everyone. Next time, she might be the one to spot a real phishing attempt and save your business.

Practical Implementation:

• "Lessons learned" sessions, not "who screwed up" meetings
• Focus on systems and processes, not individuals
• Reward reporting of near-misses
• Share failures anonymously when needed
• Celebrate catches of suspicious activity

The Payoff: Fear doesn't work. Education does. When people feel safe reporting potential issues, you catch problems early before they become breaches.

Sometimes the best way to secure your business is by studying the worst failures out there and doing the opposite.

Key Principles:

• Traditional benchmarking can lead you astray for SMBs
• Reverse benchmarking provides genuine security advantage
• Study disasters: Target, Colonial Pipeline, holiday park ransomware
• Build it into regular practice, not one-off exercise

Your Mindset Shift: Think of yourself as Sherlock Holmes of cyber failures. Every incident is a case study that makes your business smarter. In cybersecurity, boring is good. If nothing's happening, it means your defences are working.

Immediate Actions:

1. Start your disaster library this week
2. Schedule your first quarterly review session
3. Map one recent breach to your business environment
4. Implement one lesson learned from this episode
5. Share this approach with your team

• National Cyber Security Centre (NCSC): UK SMB breach probability estimates
• Microsoft Security: Compliance vs security research
• Industry reports: 61% of breaches involve third-party access
• Bernard Ma: Quote on benchmarking limitations

• Target Corporation data breach (2013): HVAC vendor compromise, 40 million cards stolen, $162 million loss
• Colonial Pipeline ransomware (2021): VPN password compromise, $4.4 million ransom, critical infrastructure shutdown
• UK holiday park ransomware: Peak season attack, cash-only operations

• National Cyber Security Centre (NCSC): www.ncsc.gov.uk
• Information Commissioner's Office (ICO): www.ico.org.uk

• NCSC Weekly Threat Reports
• ICO breach notifications and enforcement actions
• Industry-specific security bulletins
• UK Cyber Security News aggregators

This Week:

• Create a folder or document for your "disaster library"
• Sign up for NCSC weekly threat report emails
• Identify three recent breaches in businesses similar to yours
• Schedule your first quarterly "what went wrong" review meeting

This Month:

• Map one major breach to your business environment
• Identify your equivalent vulnerabilities to the mapped breach
• Implement one quick-win lesson from disaster analysis
• Share this approach with your leadership team

This Quarter:

• Hold your first formal reverse benchmarking session
• Build your "anti-playbook" of forbidden approaches
• Establish no-blame reporting culture for near-misses
• Review and update third-party access controls

Ongoing:

• Weekly review of new breach reports
• Monthly check: "Could this happen to us?"
• Quarterly team review sessions
• Annual comprehensive vulnerability mapping

Use these discussion prompts in your quarterly review sessions:

1. Which recent breach in our industry most closely resembles our business model?
2. Do we have the same entry points that attackers used in [specific breach]?
3. What would be our equivalent business impact if we experienced this type of attack?
4. Which quick fixes could we implement this month to avoid similar failures?
5. What systemic vulnerabilities do we share with failed organisations?
6. Are we making the same assumptions that led to their breach?
7. Would our backup and recovery process work in a real crisis?
8. Do our third-party vendors have access they don't need?
9. Where are we relying on compliance rather than actual security?
10. What's our single point of failure that resembles their weakness?

Episode 30: The Office Printer Hacker Saga

Yes, office printers are a genuine security risk. Sounds hilarious, but it's genuinely scary. We'll explore why that seemingly innocent device in the corner is actually a network-connected computer with hard drives, stored documents, and often the same default admin password it shipped with.

You'll discover the printer botnet that attacked an entire city, the university students who made campus printers output memes, and why your MFP (multi-function printer) knows more about your business than you'd be comfortable with.

If you think printers are just about paper jams and toner costs, this episode will open your eyes to why printer security belongs in your threat model. Subscribe so you don't miss it.

Have you learned from a cybersecurity blunder, either your own or someone else's? We'd love to hear about it. Send your story to us (anonymously if you prefer), and we might feature it in a future episode.

Got a cybersecurity dilemma keeping you up at night? Send it our way. We'll tackle it in our down-to-earth style in upcoming episodes.

Subscribe: Available on Apple Podcasts, Spotify, and all major podcast platforms

Leave a Review: Your reviews help other small business owners find practical cybersecurity advice

Website: thesmallbusinesscybersecurityguy.co.uk

Email: hello@thesmallbusinesscybersecurityguy.co.uk

The views and opinions expressed in this podcast are those of the hosts and do not necessarily reflect the official policy or position of any organisations they work for, employers, advertisers, sponsors, or any other entities connected to the show.

This podcast is for general educational and informational purposes only. It should not be treated as professional advice tailored specifically to your business circumstances. Your situation is unique, and you should consult with qualified cybersecurity professionals before implementing significant changes to your systems.

Whilst we strive to keep all information accurate and current, the cybersecurity landscape evolves rapidly. Always verify critical technical details with qualified professionals before making major decisions.

We cannot accept liability for any losses or problems that may result from following the suggestions in this podcast. Please think of us as knowledgeable colleagues sharing insights, not contracted consultants providing formal advice. When in doubt, get a second opinion from someone who can assess your specific situation.

Copyright © 2025 The Small Business Cyber Security Guy. All rights reserved.

#Cybersecurity #SmallBusiness #ReverseBenchmarking #CyberThreats #DataBreach #UKBusiness #SMBSecurity #InformationSecurity #ThreatIntelligence #SecurityStrategy #BusinessProtection #CyberResilience #RiskManagement #SecurityPodcast #UKCyber #NCSC #ThirdPartyRisk #ComplianceVsSecurity #CyberEducation #BusinessContinuity

The episode explains a three-tier framework: Tier 1 (micro and small businesses) protected by Cyber Essentials and criminal liability only for gross negligence; Tier 2 (25–250 employees) required to follow industry-reasonable practice with qualified oversight and documented policies; and Tier 3 (large organisations and public sector) held to the highest standards (ISO/SOC) with lower thresholds for prosecution. The hosts walk through concrete, measurable standards, outcome-based testing, and safe-harbour defences for businesses that engage accredited advisors.

Key technical and organisational measures discussed include Cyber Essentials, MFA, patching and backups, incident response plans, staff training, qualified security oversight (fractional CISOs or accredited MSPs), and government-approved lists of assessors. The episode stresses practical testing — inspectors verifying controls actually work — to prevent compliance theatre and ensure certificates match reality.

Noel and Mauven outline a phased five-year implementation pathway: publication and guidance, data collection and mandatory reporting, staged enforcement beginning with large organisations, then medium businesses, and finally full enforcement — all accompanied by funded support programs, subsidies, and free advisory services to help firms comply.

Costs, benefits and market effects are examined: basic Tier 1 protections are framed as affordable (Cyber Essentials, free MFA), while stronger governance yields lower insurance premiums, preferential procurement, and overall reduced breach costs. The hosts discuss the need to upskill the ICO into a technically capable enforcement agency, political and industry pushback, and international alignment with EU, Singapore and Australia precedents.

The episode closes with a call to action for listeners: implement the basics now (Cyber Essentials, MFA, updates), pressure MPs and industry bodies for proportionate enforcement, and spread the conversation. Expect debates about proportionality, false positives, and safeguarding SMEs, but the central case is clear: a calibrated, evidence-based accountability regime could dramatically reduce breaches and force cybersecurity into the boardroom.

In this provocative first episode of our two-part series, Noel and Mauven examine the shocking disparity between health and safety enforcement and cybersecurity regulation in the UK. We compare the HSE's tough approach (prison sentences, director liability, millions in fines) with the ICO's gentle touch (guidance, occasional fines, zero criminal consequences).

With 40 million voter records compromised at the Electoral Commission resulting in just a formal reprimand, whilst construction directors regularly face 18-month prison sentences for single workplace accidents, we ask the uncomfortable question: why is cybersecurity enforcement essentially performative?

This isn't anti-business rhetoric. This is an evidence-based examination of a broken system that fails to protect either businesses or the public, presented through statistics, case studies, and historical precedent, which demonstrates that personal accountability is effective.

• Why HSE directors face up to 2 years imprisonment, whilst the ICO never imposes criminal penalties
• How HSE issued 13,424 enforcement notices and 399 prosecutions in 2023-24
• Why the ICO issued just £2.7 million in total UK fines, whilst EU regulators issued over £1 billion
• The legal frameworks that create this enforcement gap

• Electoral Commission breach: 40 million records compromised, 14 months of hostile state access, consequence: formal reprimand
• Construction site failures: single injuries lead to prison sentences and director disqualifications
• Why do government organisations face minimal consequences for security failures
• The message this sends about who matters and who doesn't

• 85% reduction in workplace fatalities since the Health and Safety at Work Act 1974
• How personal criminal liability changed director behaviour overnight
• The construction industry transformation from dangerous to safety-conscious
• Evidence that accountability actually works when properly enforced

• "Security is too complex for criminal standards" - why doesn't this hold up
• "Small businesses can't afford proper security" - HSE already handles proportionate enforcement
• "Innovation will suffer" - data showing the opposite effect in the safety sector
• "Current system works fine" - statistics proving it demonstrably doesn't

• Why ICO enforcement focuses on "guidance and support" over punishment
• Political pressure keeps cybersecurity consequences minimal
• Business lobby resistance to accountability measures
• The broken incentive structure that rewards negligence

• HSE Enforcement 2023-24:

  • 13,424 enforcement notices issued
  • 399 prosecutions brought
  • £73.8 million in fines
  • Regular prison sentences (average 12-18 months for serious breaches)

• ICO Enforcement 2023-24:

  • £2.7 million total fines across all UK GDPR violations
  • Zero prison sentences imposed
  • Zero director disqualifications
  • Focus on "guidance and support" over punishment

• Electoral Commission Breach:

  • 40 million UK voter records compromised
  • The hostile state actor maintained access for 14 months
  • Basic security failures: poor patching, weak passwords, inadequate monitoring
  • Consequence: Formal reprimand only

• Impact Statistics:

  • 85% reduction in workplace fatalities since the Health and Safety at Work Act 1974
  • EU regulators issued over £1 billion in GDPR fines (vs the UK's £2.7 million)
  • Keymark Construction director: 18 months' prison for fatal fall (2023)

• Keymark Construction (2023): Director sentenced to 18 months imprisonment following fatal fall due to inadequate safety measures
• Corporate Manslaughter Act 2007: Multiple organisations convicted when management failures caused death

• Electoral Commission (2023-24): 40 million voter records compromised by hostile state actor, 14 months of system access, consequence was formal reprimand with no financial penalty or personal liability
• British Airways GDPR Fine: Initially £183 million, reduced to £20 million, no director consequences despite preventable security failures

This isn't about attacking business owners. It's about exposing a system that fails everyone:

• Honest businesses suffer when competitors cut security corners without consequences
• Directors lack incentive to invest in security when breaches only result in fines the company pays
• Small businesses become collateral damage when larger organisations treat security as optional
• The current approach demonstrably doesn't work - breaches increase year on year despite ICO "guidance"

Understanding this enforcement gap helps you see why cybersecurity culture hasn't undergone the same transformation as workplace safety culture. Part 2 will explore what accountability with teeth would actually look like, and how to protect SMEs whilst implementing it.

• HSE Annual Report 2023-24: Full enforcement statistics and prosecution details
• ICO Enforcement Data: Annual reports showing UK GDPR fine totals
• Health and Safety at Work Act 1974: Foundation legislation that transformed UK workplace safety
• Corporate Manslaughter and Corporate Homicide Act 2007: Criminal liability framework for organisations
• Electoral Commission Breach Report: Technical details of 14-month compromise
• EU GDPR Enforcement Tracker: Comparison of UK vs European enforcement approaches

Noel Bradford 40+ years in IT/Cybersecurity across enterprise and SMB sectors. Former Intel, Disney, BBC. Current CIO/Head of Technology for boutique security-first MSP. Brings enterprise-level knowledge to small business constraints.

Mauven MacLeod Ex-NCSC Government Cybersecurity Analyst with deep threat intelligence expertise. Glasgow-based security professional who translates complex government-level security concepts into practical SMB advice.

"What If Cyber Had Corporate Manslaughter? The Case for Personal Liability"

We'll explore:

• Specific legislative framework for "Corporate Cyber Manslaughter"
• SME protection mechanisms (proportionate thresholds)
• How other countries successfully implement director liability
• Expected cultural transformations
• Practical compliance guidance
• What "reasonable care" actually means for small businesses

1. Share Your Thoughts: Should directors face criminal liability for gross cybersecurity negligence? Comment on our website or social media.

2. Prepare for Part 2: Start thinking about what security measures you currently have in place. Could you demonstrate "reasonable care" if asked?

3. Review Your Security: Whilst we wait for better enforcement, don't wait to improve your security. Free resources available from NCSC.

4. Subscribe: Make sure you don't miss Part 2, where we build the case for what enforcement with teeth would actually look like.

5. Forward This Episode: Every business owner needs to understand why the current system fails them.

Runtime: 42 minutes

Release Date: November 17th 2025

Series: Part 1 of 2

Category: Cybersecurity, Business, Technology, Policy

Content Warning: Discussion of regulatory failures, system criticism, and calls for significant policy change. Evidence-based but provocative examination of current enforcement approaches.

Website: thesmallbusinesscybersecurityguy.co.uk

LinkedIn: [The Small Business Cyber Security Guy]

Email: hello@thesmallbusinesscybersecurityguy.co.uk

#Cybersecurity #SmallBusiness #UKBusiness #DataProtection #ICO #HSE #RegulatoryEnforcement #DirectorLiability #GDPR #BusinessSecurity #CyberAccountability #SecurityPolicy #UKRegulation #DataBreach #ElectoralCommission #CorporateManslaughter #BusinessCompliance #CyberGovernance #SecurityLeadership #RiskManagement

Full episode transcript available on our website at thesmallbusinesscybersecurityguy.co.uk

If this episode opened your eyes to the enforcement gap, please:

• Leave a 5-star review on Apple Podcasts
• Share with business owners in your network
• Follow us on LinkedIn for ongoing discussion
• Subscribe to ensure you catch Part 2

Next Episode: Part 2 - What If Cyber Had Corporate Manslaughter?

All Episodes: thesmallbusinesscybersecurityguy.co.uk/podcasts

The Small Business Cybersecurity Guy Podcast offers practical, actionable cybersecurity advice for UK small businesses. We translate enterprise-grade security into affordable, implementable solutions for businesses with 5-50 employees.

Disclaimer: This podcast provides general information and discussion about cybersecurity and business topics. This is not intended as legal, regulatory, or professional advice. Listeners should consult qualified professionals for personalised guidance tailored to their specific circumstances.

© 2025 The Small Business Cyber Security Guy. All rights reserved.

• 89 total vulnerabilities patched (12 critical, 4 zero-days)
• CVE-2025-0445: Windows Kernel privilege escalation (actively exploited)
• CVE-2025-0334: Chrome V8/Edge JavaScript engine RCE (actively exploited)
• CVE-2025-0078: Exchange Server unauthenticated RCE (CRITICAL - affects Exchange 2016/2019/2022)
• CVE-2025-1789: MSHTML remote code execution via Office documents
• CVE-2025-59287: WSUS vulnerability (9.8 CVSS, actively exploited, required re-release)
• 23 remote code execution vulnerabilities across Windows, Office, and developer tools

• 35+ vulnerabilities patched across multiple products
• CVE-2025-54236: Adobe Commerce/Magento input validation flaw (9.1 CVSS, actively exploited, Priority 1)
• CVE-2025-49553: Adobe Connect XSS vulnerability (9.3 CVSS)
• Patches for Illustrator, FrameMaker, Photoshop, InDesign, Animate, Bridge, Substance 3D

• 374 new security patches addressing ~260 unique CVEs
• CVE-2025-61882: Oracle E-Business Suite zero-day (exploited by ransomware groups)
• 73 patches for Oracle Communications (47 remotely exploitable without authentication)
• 20 patches for Fusion Middleware (17 remote unauthenticated)
• 18 fixes for MySQL
• Updates for PeopleSoft, JD Edwards, Siebel, Oracle Commerce, Database Server

• 18 new security notes plus 1 updated note
• CVE-2025-42890: SQL Anywhere Monitor hardcoded credentials (10.0 CVSS - PERFECT SCORE)
• CVE-2025-42887: SAP Solution Manager code injection (9.9 CVSS)
• CVE-2025-42944: NetWeaver Java insecure deserialisation (updated patch)
• CVE-2025-42940: CommonCryptoLib memory corruption

• Firefox 145.0 released November 11th
• 15 security vulnerabilities fixed (8 high impact)
• New anti-fingerprinting measures halving trackable users
• Memory safety and sandbox escape prevention

• iOS/iPadOS 17.1 and macOS 14.1 released
• 100+ vulnerabilities patched across iPhones, iPads, Macs
• Critical kernel and WebKit bugs fixed
• Zero-click exploit prevention

• Chrome 142 with 5 security bug fixes
• Android November 2025 bulletin (patch level 2025-11-01)
• CVE-2025-48593 and CVE-2025-48581 affecting Android 13-16

• WordPress Post SMTP plugin: CVE-2025-11833 (9.8 CVSS, actively exploited, 200,000+ sites affected)
• WatchGuard Firebox: CVE-2025-9242 (critical out-of-bounds write, 75,000 devices exposed)
• Cisco IOS/XE routers: CVE-2025-20352 (SNMP service, actively exploited for rootkit deployment)

1. Microsoft Exchange Server - Apply CVE-2025-0078 patch or isolate internet-facing servers
2. Adobe Commerce/Magento - Deploy CVE-2025-54236 hotfix immediately if running Magento
3. Windows Kernel - Patch CVE-2025-0445 zero-day exploit
4. Edge/Chrome - Update browsers to address CVE-2025-0334
5. Oracle E-Business Suite - Verify CVE-2025-61882 patch deployed
6. WordPress Post SMTP - Update to v3.6.1 or remove plugin
7. Cisco routers - Apply CVE-2025-20352 patches and check for compromise

1. SAP systems - Apply critical patches for CVE-2025-42890 and CVE-2025-42887
2. WSUS servers - Verify CVE-2025-59287 patch installed correctly
3. Adobe Connect - Update to version 12.10
4. Firefox, Chrome, Edge - Deploy browser updates organisation-wide
5. Android devices - Deploy November 2025 security bulletin
6. WatchGuard Firebox - Apply CVE-2025-9242 patch

1. All other Microsoft patches - Complete Windows and Office updates
2. Adobe Creative Suite - Update Illustrator, Photoshop, InDesign, etc.
3. Oracle - Complete October CPU deployment across all Oracle products
4. SAP - Apply remaining security notes across SAP landscape

• Microsoft Security Update Guide: https://msrc.microsoft.com/update-guide
• Adobe Security Bulletins: https://helpx.adobe.com/security.html
• Oracle Critical Patch Updates: https://www.oracle.com/security-alerts/
• SAP Security Notes: https://support.sap.com/securitynotes
• Mozilla Security Advisories: https://www.mozilla.org/security/advisories/
• CISA Known Exploited Vulnerabilities: https://www.cisa.gov/known-exploited-vulnerabilities-catalog

• Microsoft Tech Community: https://techcommunity.microsoft.com/
• Patch Tuesday Dashboard: https://patchtuesdaydashboard.com/
• Security Week Patch Tuesday Coverage: https://www.securityweek.com/

• Blog: https://thesmallbusinesscybersecurityguy.co.uk
• NCSC Small Business Guide: https://www.ncsc.gov.uk/smallbusiness
• Cyber Essentials: https://www.ncsc.gov.uk/cyberessentials

• 89 Microsoft vulnerabilities patched
• 4 actively exploited zero-days (Microsoft)
• 23 remote code execution flaws (Microsoft)
• 35+ Adobe vulnerabilities fixed
• 374 Oracle security patches
• 18 SAP security notes
• 200,000+ WordPress sites affected by Post SMTP bug
• 75,000 WatchGuard devices exposed online

Graham Falkner brings his distinctive voice to The Small Business Cyber Security Guy Podcast's research segments. With a background as a former movie trailer narrator and Shakespearean actor, Graham delivers technical security information with gravitas and authority, providing the factual foundation for Noel and Mauven's practical discussions.

The Small Business Cyber Security Guy Podcast translates enterprise-grade cybersecurity into practical, affordable solutions for small and medium businesses. Hosted by Noel Bradford (40+ years IT/cybersecurity veteran) and Mauven MacLeod (ex-NCSC government analyst), the show combines deep technical expertise with authentic British humour to make cybersecurity accessible, actionable, and entertaining.

Target Audience: UK small businesses (5-50 employees) who need practical cybersecurity advice within real-world budget and resource constraints.

• Website: https://thesmallbusinesscybersecurityguy.co.uk
• Subscribe: Available on Apple Podcasts, Spotify, and all major podcast platforms
• Social Media: Follow us on LinkedIn for daily cybersecurity insights
• Contact: hello@thesmallbusinesscybersecurityguy.co.uk

Help us spread the word about practical cybersecurity for small businesses:

• ⭐ Subscribe to never miss an episode
• ⭐ Leave a review on Apple Podcasts or Spotify
• ⭐ Share this episode with other business owners who need to hear this
• ⭐ Comment below with topics you'd like us to cover next
• ⭐ Visit the blog at thesmallbusinesscybersecurityguy.co.uk for written guides and resources

This podcast provides educational information about cybersecurity topics. While we strive for accuracy, the threat landscape changes rapidly. Information is current as of November 2025 but may become outdated. Always verify patch information with official vendor sources and test updates in your specific environment before deployment. The hosts are not liable for any actions taken based on this information. Always implement cybersecurity measures appropriate to your business needs and risk profile.

Stay tuned for our next episode where Noel and Mauven discuss practical patch management strategies for small businesses, including how to prioritise updates when you can't deploy everything immediately.

Episode Length: 10-11 minutes Difficulty Level: Intermediate to Advanced Best For: IT managers, business owners, MSP clients, anyone responsible for patching

The Small Business Cyber Security Guy Podcast - Making Enterprise Cybersecurity Practical for Small Businesses

Ofcom's monitoring VPNs with a secret AI tool they refuse to name. Because nothing says "liberal democracy" quite like government surveillance of privacy tools.

In this punchy episode, Mauven and Graham dissect TechRadar's exclusive revelation that Ofcom is using an unnamed third-party AI monitoring system to track VPN usage following the Online Safety Act. With 1.5 million daily users allegedly bypassing age verification, the UK's communications regulator has decided the solution is... monitoring everyone.

Spoiler alert: the technology can't distinguish between your accounting manager accessing company systems and someone bypassing age checks. But why let technical limitations get in the way of a good surveillance programme?

We examine the mysterious, unnamed AI tool, the questionable 1.5 million user statistic that appears nowhere in official documents, Section 121's encryption-breaking powers that remain dormant in the Act, and what this means for small businesses using VPNs for legitimate security purposes.

If you've ever wondered what it's like when a supposedly liberal democracy starts copying China's approach to internet regulation, this episode is your depressing guide.

• Ofcom confirms use of unnamed third-party AI monitoring tool
• TechRadar exclusive: "We use a leading third-party provider" with zero transparency
• Government surveillance of privacy tools sets a dangerous precedent
• Comparison to authoritarian regimes (China, Russia, UAE, Iran)

• 1.5 million daily VPN users claim appears nowhere in official Ofcom documents
• No published methodology or verification
• VPN detection cannot determine the intent or legitimacy of use
• Analytics show VPN use is lower in countries with greater online freedom

• The UK Online Safety Act child safety duties became fully enforceable
• Mandatory "highly effective age assurance" replaced simple checkbox verification
• Proton VPN: 1,400% surge in UK signups within hours
• NordVPN: 1,000% increase in downloads
• ProtonVPN beat ChatGPT to become the #1 free app on Apple UK App Store

• Business VPNs are essential security hygiene for remote work
• Ofcom's monitoring cannot distinguish legitimate business use from circumvention
• Undisclosed data collection creates unknowable privacy risks
• GDPR compliance implications when the government monitors your security tools

• Powers to require client-side scanning of encrypted communications
• Government promises not to use "until technically feasible"
• Cryptography experts: impossible without destroying encryption
• Apple shelved similar plans in 2021
• Signal and WhatsApp threatened to leave the UK market

• Scope creep within days: blocking parliamentary speeches, news coverage, forums
• A cycling forum shut down due to compliance costs
• Small platforms are closing rather than face a compliance nightmare
• Chilling effect on legitimate content and discussion

• 25 US states passed similar age verification laws
• EU debating Chat Control (mandatory encrypted message scanning)
• Australia is implementing age verification for search engines
• Legislative arms race using "protecting children" as a universal justification

• Document all VPN usage for legitimate business purposes
• Maintain VPN security protocols despite surveillance theatre
• Get legal advice if operating any platform with user-generated content
• Fines up to £18 million or 10% of global revenue
• Criminal liability for senior managers

• How do you assess data protection risks from secret surveillance tools?
• Opacity makes compliance verification impossible
• Government monitoring creates unassessable risks to customer data

• TechRadar Exclusive: Ofcom is monitoring VPNs following Online Safety Act

• Open Rights Group - James Baker's comments on surveillance precedent
• Check Point Software - Graeme Stewart's comparison to China, Russia, and Iran

• Online Safety Act 2023 - UK Government legislation
• Ofcom Online Safety Guidance - Hundreds of pages of vague compliance requirements
• Section 121 - Client-side scanning provisions ("spy clause")

• Proton VPN: 1,400% surge report
• NordVPN: 1,000% increase report
• Apple UK App Store rankings: July 25-27, 2025

• Petition to Repeal Online Safety Act: 550,000+ signatures
• Peter Kyle (UK Technology Secretary) statement on critics
• Parliamentary debate triggered by petition threshold

• GDPR compliance implications of government surveillance
• Cryptography expert analysis of client-side scanning
• Apple's 2021 decision to shelve client-side scanning plans
• Signal and WhatsApp statements on Section 121

Mauven: "Nothing says 'liberal democracy' quite like government agencies tracking privacy tools. What's next, monitoring who buys curtains?"

Graham: "Train its models. That's AI speak for 'we're hoovering up data and hoping the algorithm figures it out.' As a former actor, I can recognise corporate theatre when I see it."

Mauven: "The 1.5 million number appears exclusively in media reports citing 'Ofcom estimates.' It's like citing your mate Dave as a source on quantum physics."

Graham: "So Ofcom creates a law that makes people deeply uncomfortable about their privacy, people respond by protecting their privacy, and Ofcom's solution is to monitor those privacy tools? It's like putting cameras in the changing rooms to make sure people aren't being indecent."

Mauven: "James Baker from the Open Rights Group nailed it when he told TechRadar that VPN monitoring sets 'a concerning precedent more often associated with repressive governments than liberal democracies.'"

Graham: "Peter Kyle, the UK Technology Secretary, literally said critics of the Online Safety Act are 'on the side of predators.' That's not policy debate. That's emotional blackmail designed to shut down legitimate concerns about civil liberties."

Mauven: "George Orwell is looking at this thinking 'bit on the nose, isn't it?'"

1. Document VPN Usage

   • List which employees use VPNs
   • Document business purposes for encrypted connections
   • Maintain evidence of legitimate use for potential regulatory action

2. Maintain Security Protocols

   • Continue using VPNs for remote work security
   • Don't let surveillance theatre compromise actual cybersecurity
   • Protect against real threats (ransomware, phishing, etc.)

3. Assess Platform Compliance

   • If you operate any online platform, forum, or user-generated content site
   • Get legal advice immediately
   • Understand massive fines (£18m or 10% global revenue) and criminal liability.

1. Stay Informed

   • Section 121 could be activated at any time
   • EU Chat Control could affect European operations
   • US state laws are proliferating rapidly
   • Monitor regulatory developments actively

2. Engage Politically

   • Contact your MP about the surveillance of privacy tools
   • Reference the 550,000+ signature petition
   • Make it clear that this is unacceptable in a democracy
   • Push back before surveillance becomes normalised

3. GDPR Compliance Review

   • Assess how government VPN monitoring affects data protection obligations
   • Document that opacity makes risk assessment impossible
   • Consult legal counsel on compliance implications

• Screenshot: TechRadar exclusive article headline
• On-screen text: "1.5 million daily VPN users" with question mark
• Comparison graphic: VPN use in free vs. authoritarian countries
• Timeline graphic: July 25th enforcement → VPN surge → Ofcom monitoring
• Text overlay: Section 121 "spy clause" powers
• Map graphic: International surveillance legislation spread (UK, US, EU, Australia)
• Infographic: Small business action checklist

• Government surveillance of privacy tools in supposed liberal democracy
• Technical limitations make monitoring ineffective at stated purpose
• Scope creep from child protection to political content blocking within days
• Small business caught in surveillance net designed for age verification
• International trend toward authoritarian internet regulation models
• GDPR compliance paradox when government creates unknowable privacy risks
• Practical cybersecurity must continue despite surveillance theatre
• Political engagement essential before normalization occurs

• Heavy sarcasm throughout - serious WTF tone without profanity
• Incredulous questioning of government logic and transparency
• Dark humour about dystopian surveillance implications
• Technical precision in explaining what monitoring can/cannot do
• Practical focus on small business implications
• Political urgency without becoming preachy
• Professional skepticism balanced with actionable guidance

1. Subscribe wherever you get your podcasts
2. Share with other small business owners who need this information
3. Leave a review if you found this episode useful (or terrifying)
4. Visit the blog at thesmallbusinesscybersecurityguy.co.uk for full breakdown with sources

1. Drop a comment with questions about VPN security or regulatory compliance
2. Contact your MP about surveillance of privacy tools
3. Sign the petition to repeal the Online Safety Act (if not already done)
4. Document your VPN usage for legitimate business purposes starting today

• #OnlineSafetyAct
• #VPNSurveillance
• #CyberSecurity
• #SmallBusinessSecurity
• #DigitalPrivacy
• #GDPR
• #UKTech
• #Section121

[To be determined based on episode schedule]

Potential follow-ups:

• Deep dive on Section 121 and encryption threats
• GDPR compliance strategies in surveillance environment
• International comparison: UK vs. other countries' approaches
• Interview with digital rights expert on fighting surveillance creep
• Practical VPN selection and configuration for small businesses

• Duration: Approximately 10 minutes
• Word Count: 1,847 words
• Format: Two-host conversation (Mauven & Graham)
• Tone: Punchy, sarcastic, serious WTF energy
• Language: UK spelling and grammar throughout
• Profanity: None (despite heavy sarcasm)

• All statistics verified against multiple sources
• TechRadar article quotes confirmed accurate
• Government legislation references checked
• VPN provider surge numbers from official company statements
• Expert quotes verified from named sources
• No unverified claims included

• Mauven MacLeod: Ex-NCSC analyst, brings government cybersecurity expertise
• Graham Falkner: Former actor/narrator, handles research segments
• Natural professional banter with pub conversation energy
• Shared incredulity at government surveillance overreach
• Complementary expertise: technical precision + narrative delivery

• Small business cybersecurity focus maintained throughout
• Practical implications prioritized over abstract privacy philosophy
• Action items clear and immediately implementable
• Balances outrage with constructive guidance
• Positions podcast as authoritative voice on UK cybersecurity policy

• Ofcom VPN monitoring
• Online Safety Act surveillance
• UK VPN usage 2025
• Business VPN security
• Section 121 encryption
• Small business cybersecurity UK
• GDPR VPN compliance
• Government VPN tracking
• Age verification VPN
• UK internet surveillance

[To be linked as series develops]

Potential related content:

• Online Safety Act initial coverage (if previously covered)
• GDPR compliance series
• VPN security best practices
• Encryption fundamentals
• Remote work security

Topics: VPN Surveillance, Online Safety Act, Ofcom, Government Monitoring, Privacy, Encryption, Section 121, Age Verification, GDPR, Small Business Security

Category: Technology, Cybersecurity, Privacy, Government Policy, Business

Difficulty Level: Intermediate (technical concepts explained accessibly)

Target Audience: Small business owners (5-50 employees), IT managers, privacy advocates, UK businesses

Geographic Focus: United Kingdom (with international context)

Hosts: Mauven MacLeod, Graham Falkner Research: Advanced web research on Ofcom VPN monitoring Script: Based on TechRadar exclusive and verified sources Production: Graham Falkner Music: The Small Business Cyber Security Guy

This podcast episode provides commentary and analysis on publicly reported information about UK government surveillance policies. Nothing in this episode constitutes legal advice. Small business owners should consult qualified legal counsel regarding compliance with the Online Safety Act and related regulations. The opinions expressed are those of the hosts and do not represent legal or professional advice.

All statistics and quotes have been verified against multiple sources and represent information available as of the episode recording date. The regulatory landscape continues to evolve rapidly.

Full written breakdown available at: thesmallbusinesscybersecurityguy.co.uk

Blog post should include:

• Complete source list with hyperlinks
• Detailed analysis of Section 121 implications
• Step-by-step VPN documentation guide for businesses
• GDPR compliance checklist
• Template for MP correspondence
• Updated information on the petition and parliamentary response
• International comparison chart
• Technical explainer: How VPN detection works (and doesn't work)
• Additional expert commentary
• Community discussion forum

Last Updated: [Date] Version: 1.0 Status: Ready for production

Using real-world examples, including a recent breach of a 15-person firm that relied on SMS one-time passwords, the trio outlines how simple attacks, such as SIM swapping and code interception, make SMS and many authenticator app workflows vulnerable to targeted attackers.

The hosts define multi-factor authentication in plain terms and introduce FIDO2/passkeys and hardware security keys as effective, phishing-resistant alternatives. Mark describes how hardware keys utilise public-key cryptography and local biometric verification (fingerprint on the key), ensuring that private credentials never leave the device, thereby preventing attackers from reusing intercepted codes or tricking users into authenticating to fake sites.

Practical implementation advice is covered in detail: start with a risk assessment, deploy keys in phases (prioritise privileged accounts and executives), run a pilot with high-risk users, and require at least two keys per user for redundancy. They discuss costs (roughly £45 per key, with a 10-year lifespan), the productivity and help-desk savings from passwordless authentication, the effects on cyber insurance and compliance (including Cyber Essentials updates and the gap between compliance and proper protection), and strategies for legacy systems and remote workers.

The episode also highlights human factors, including making authentication easy to use (biometric keys), providing clear training and internal champions, and anticipating user resistance, which can be managed through leadership buy-in and phased rollouts.

Listeners are urged to assess their critical accounts, prioritise hardware keys for high-risk users, and run a small pilot rather than waiting for discounts — because, as the guests stress, hardware keys can stop roughly 80% of credential-based breaches in practice.

Guests and links: Noel Bradford and Mauven MacLeod (hosts), with guest Mark Bell from Authentrend

The show notes include links to Authentrend products,NCSC guidance on passkeys and FIDO2, and step-by-step implementation resources for small businesses.

Why? Because the world's most visited museum had been ignoring basic cybersecurity warnings for over a decade.

In this hot take, Noel Bradford examines the shocking details that emerged after the heist: the password to the Louvre's video surveillance system was "LOUVRE." Security software was protected by "THALES" (the vendor's name). Windows 2000 and Server 2003 systems were still in operation years after support ended. And a 2015 security audit with 40 pages of recommendations won't be fully implemented until 2032.

This episode examines the consequences of institutions ignoring expert warnings, the importance of accountability, and what UK small businesses can learn from a €102 million failure. Spoiler: if your security is better than the Louvre's, you're doing something right.

Key Message: Security failures often begin long before the day of the breach. They start years earlier when warnings go unaddressed.

1. The Louvre's password was "LOUVRE." If one of the world's most prestigious institutions used the building's name as its surveillance system password, your organisation probably has similar problems.
2. Ten years of warnings, zero action - ANSSI identified critical vulnerabilities in 2014. Security upgrades recommended in 2015 won't be completed until 2032. Ignoring expert advice is organisational negligence.
3. Resources aren't the problem - The Louvre had budget, expertise, and free government audits. They chose to prioritise palace restoration (€60M) over security infrastructure. It's about priorities, not resources.
4. Hardware authentication solves password problems - FIDO2 security keys can't be guessed, phished, or compromised through weak passwords. At £30-50 per key, they're cheaper than one day of operational disruption.
5. The accountability gap enables negligence - Government institutions face no consequences for catastrophic security failures, while UK SMBs receive ICO fines and potential closure for less. This double standard undermines security culture.
6. Your security might be better than that of the Louvre. If you've enabled MFA, run supported operating systems, and have basic password policies, you're already ahead of a museum protecting the Mona Lisa. That's encouraging and concerning.
7. Security failures often begin years before a breach - The October 2025 heist was made possible by decisions (or non-decisions) that stretched back to 2014. Prevention requires consistent action, not crisis response.

• Incident: €102 million in French crown jewels stolen in 7 minutes
• Root causes: Password "LOUVRE" for surveillance, outdated systems (Windows 2000/Server 2003), unmonitored access points
• Audit history: 2014 ANSSI audit identified vulnerabilities, 2015 audit provided 40-page recommendations
• Accountability: Director retained position, no terminations, Culture Minister initially denied security failure
• Timeline: Security upgrades recommended in 2015 won't complete until 2032

• Industry: East Yorkshire haulage firm
• Incident: Ransomware attack, £850,000 ransom demand
• Outcome: Couldn't pay, business entered administration, 70 jobs lost
• Contrast: Small business faces closure; national institution faces no consequences

• Incident: Data breach affecting 40 million UK voters
• Outcome: No job losses, no significant consequences
• Relevance: Government accountability gap vs private sector enforcement

• Incident: €102 million in French crown jewels stolen in 7 minutes
• Root causes: Password "LOUVRE" for surveillance, outdated systems (Windows 2000/Server 2003), unmonitored access points
• Audit history: 2014 ANSSI audit identified vulnerabilities, 2015 audit provided 40-page recommendations
• Accountability: Director retained position, no terminations, Culture Minister initially denied security failure
• Timeline: Security upgrades recommended in 2015 won't be completed until 2032

• Industry: East Yorkshire haulage firm
• Incident: Ransomware attack, £850,000 ransom demand
• Outcome: Couldn't pay, business entered administration, 70 jobs lost
• Contrast: Small business faces closure; national institution faces no consequences

• Incident: Data breach affecting 40 million UK voters
• Outcome: No job losses, no significant consequences
• Relevance: Government accountability gap vs private sector enforcement

Noel Bradford brings over 40 years of IT and cybersecurity experience across enterprise and SMB sectors, including roles at Intel, Disney, and BBC. Currently serving as CIO and Head of Technology for a boutique security-first MSP, Noel specialises in translating enterprise-grade cybersecurity expertise into practical, affordable solutions for UK small businesses with 5-50 employees.

His philosophy centres on "perfect security is the enemy of any security at all," focusing on real-world constraints and actionable advice over theoretical discussions. Noel's direct, no-nonsense approach has helped "The Small Business Cyber Security Guy Podcast" achieve Top 90 Business Podcast status in the USA and Top 170 in the UK, with a unique cross-Atlantic audience (47% American, 39% British).

The information provided in this podcast is for educational and informational purposes only and should not be construed as professional cybersecurity, legal, or financial advice. Listeners should consult qualified professionals for guidance specific to their circumstances.

Product and service mentions, including sponsors, are provided for informational purposes. The host and podcast do not guarantee results from implementing suggested strategies or using mentioned products.

All case studies and incidents discussed are based on publicly available information and reporting. Facts are verified against multiple authoritative sources before publication.

© 2025 The Small Business Cyber Security Guy Podcast. All rights reserved.

Host: Noel Bradford Production: The Small Business Cyber Security Guy Productions Editing: Noel Bradford Research: Graham Falkner Show Notes: Graham Falkner

Special Thanks: ANSSI (for their audit work that we wish the Louvre had acted upon), Libération journalist Brice Le Borgne (for his investigative reporting), and UK small businesses everywhere who take security more seriously than world-famous museums apparently do.

#Cybersecurity #SmallBusiness #UKBusiness #PasswordSecurity #Louvre #DataBreach #HardwareAuthentication #FIDO2 #CyberAccountability #InformationSecurity #RiskManagement #SMBSecurity #CyberNews #HotTake #BusinessPodcast

Next Episode: Coming Soon - Criminal Accountability for Cybersecurity Negligence (Two-Part Series)

Average Episode Downloads: 3,000+ per day at peak Listener Demographics: 47% USA, 39% UK, 14% Other Target Audience: UK SMBs with 5-50 employees

Topics covered include the new emphasis on passwordless authentication (passkeys, FIDO2 hardware keys, and biometrics), why the NCSC is pushing these technologies, and the practical security benefits and limits of passwordless solutions. They also discuss the real-world impact on small businesses: thousands currently relying on weak passwords or shadow IT will face failed assessments, unsupported software will trigger instant fails, and many firms will need to budget for MFA where it’s not free.

Graham and Mauven share concrete, actionable advice for listeners: inventory every cloud service (including forgotten Dropbox or personal Gmail accounts used for work), involve the whole team, enable MFA everywhere possible (and budget for paid options), collect and document evidence (screenshots, logs), map networks and implement segmentation where needed, and plan early to avoid rush and audit pain.

Key takeaways: the bar is being raised to reduce simple attacks, passwordless is being validated as a practical option, expect a drop in pass rates at renewal time, and businesses should start preparing now or face chaotic assessment outcomes. Hosts: Graham Falkner and Mauven MacLeod.

• Published peer-reviewed research that reached the top 1% of most-read articles in Frontiers journal
• Providing free access to 10 universities worldwide (36 applications received)
• Created APIs and documentation for remote access
• Built Discord community with 1,200+ members discussing biocomputing

• University of Michigan
• Free University of Berlin
• University of Exeter
• Lancaster University
• Leipzig University
• University of York
• Oxford Brookes University
• University of Bath
• University of Bristol
• Université Côte d’Azur (France)
• University of Tokyo

• Data centres consumed 1.5% of global electricity as of 2024
• Projected to reach 3% by 2030
• AI is accelerating growth exponentially
• Meta, Google, and OpenAI are talking about building nuclear power stations

• Human brain runs on 20 watts
• Modern AI data centres use megawatts (millions of watts)
• FinalSpark claims million-times efficiency (99.9999% reduction)
• Some sources cite up to billion-times more energy efficient

• 10,000 living neurons per organoid
• 16 organoids total
• Approximately 160,000 neurons system-wide
• Neurons survive up to 100 days in active use
• Accessible remotely by researchers worldwide

1. Energy costs always roll downhill to cloud hosting bills and SaaS subscriptions
2. AI tools your business uses (Microsoft Copilot, ChatGPT, customer service chatbots) all burn energy
3. Every interaction costs carbon, and those costs eventually reach small businesses

1. If biocomputing proves viable, benefits arrive through infrastructure improvements
2. Your cloud providers incorporate biological processors
3. Your costs decrease, capabilities increase
4. You won’t buy biocomputers any more than you buy specific processor architectures now

1. Secure current systems properly (multi-factor authentication, proper backups)
2. Train staff on cybersecurity basics
3. Achieve Cyber Essentials certification
4. Build adaptable IT infrastructure

1. Subscribe to technology news sources
2. Spend 15 minutes monthly reading about emerging tech
3. Build mental models of where technology might head
4. Prepare for paradigm shifts

1. Commercial partnerships with major tech companies
2. Published benchmarks proving practical advantages
3. Scaling demonstrations (thousands of neurons for months)
4. Security framework development
5. Independent energy validation studies

• Mad ideas sometimes win (iPhone, Netflix, electric cars)
• Companies that survive aren’t the ones that predicted the exact future
• They’re the ones who built adaptable systems that could pivot
• Focus on fundamentals whilst keeping awareness of emerging tech

• Company website and Neuroplatform information
• FinalSpark Butterfly demonstration application (control virtual butterfly using living neurons)
• Discord community (1,200+ members)
• Academic publications in Frontiers journal

• Full blog post with technical details and source verification available at thesmallbusinesscybersecurityguy.co.uk
• Research papers on biological computing
• Energy consumption studies for AI and data centres

• How do you secure computers made from living cells?
• Can you hack biological neural networks?
• Do you need neuroscience expertise to exploit vulnerabilities?
• Is a breach a cyber attack or biological warfare?
• How do you wipe a neuron’s memory?
• Can you verify data deletion?
• How do you conduct forensic analysis on biological substrates?

Ethical considerations:

• These neurons aren’t conscious or sentient (they’re biological cells performing functions)
• But they’re human neurons grown from human stem cells
• Where’s the ethical line if we can grow larger collections?
• How large before we worry about experiences or consciousness?
• How do we measure consciousness in biological systems grown for computation?
• Should these conversations happen now, before ubiquity?

1. Secure your current systems properly
2. Implement proper backup strategies
3. Train your staff on cybersecurity basics
4. Achieve Cyber Essentials certification
5. Build IT infrastructure that serves your business objectives

• Noel Bradford (40+ years in IT, ex-Intel/Disney/BBC, current CIO)
• Graham Falkner (Tech Savy small business owner & voice over artist representing the SMB reality)
• Mauven MacLeod (ex-government cybersecurity background)

The episode revisits Ken Thompson’s classic compiler backdoor thought experiment and explains, in plain language, how a compromised compiler can propagate secrets invisibly. The hosts walk through real incidents — XcodeGhost, SolarWinds, EventStream, and Log4j — to demonstrate how attackers target development tools and upstream suppliers to compromise software at scale.

Expect practical, small-business-focused anecdotes (including a midnight accounting patch that wreaked havoc) and clear explanations of why technical debt, single-developer codebases, and blind trust in update pop-ups are dangerous. The conversation highlights how even open-source software can be compromised if maintainers or dependencies are compromised.

The episode also covers defences and takeaways: demand provenance and supply-chain transparency from vendors, insist on reproducible builds where possible, use two-person reviews and well-maintained dependencies, and protect access with strong authentication. The hosts debate how to distribute trust, verify your verifiers, and reduce single points of failure so one compromised supplier or contractor can’t haunt your whole business.

There’s a sponsor segment from Authentrend about passwordless biometric sign-ins as a way to block credential-based intrusions, along with links to resources and a trial, in the show notes. Throughout, the hosts balance technical history and horror stories with concrete steps small businesses can take now to keep their compilers and supply chains clean.

Listen for clear, actionable advice for small businesses, including how to ask vendors the right questions, when to bring in trusted IT partners, and simple measures to keep the lights on and the doors locked against the ghosts in your code. Sláinte — and may your backups never rise from the grave.

In this episode, Noel Bradford introduces a concept from marketing expert Rory Sutherland's book "Alchemy" that explains precisely why "sensible" security cost-cutting so often leads to catastrophic consequences. Through five devastating real-world case studies, we explore how businesses optimise themselves into oblivion by defining roles too narrowly and measuring only what's easy to count.

Spoiler alert: The doorman does far more than open doors. And your security measures do far more than their obvious functions.

• What the Doorman Fallacy is and why it matters for cybersecurity
• The difference between nominal functions (what something obviously does) and actual functions (what it really does)
• Why efficiency optimisation without a complete understanding is just expensive destruction
• The five-question framework for avoiding Doorman Fallacy mistakes

1. The Security Training Fallacy (Chapter 2)

• How cutting £12,000 in training led to a £70,000 Business Email Compromise attack
• Why training isn't about delivering information—it's about building culture
• The invisible value: shared language, verification frameworks, psychological safety
• What to measure instead of cost-per-employee-hour

2. The Cyber Insurance Fallacy (Chapter 3)

• The software company that saved £18,000 and lost £200,000 in client contracts
• Why insurance isn't just financial protection—it's a market signal
• Hidden benefits: third-party validation, incident response capability, customer confidence
• How cancelling coverage destroyed vendor relationships and sales opportunities

3. The Dave Automation Fallacy (Chapter 4)

• Insurance broker spent £100,000+ replacing a £50,000 IT person
• The £15,000 server upgrade that Dave would have known was unnecessary
• Institutional knowledge you can't document: vendor relationships, crisis judgment, organisational politics
• Why ticketing systems can't replace anthropological understanding

4. The MFA Friction Fallacy (Chapter 5)

• Fifteen seconds of "friction" versus three weeks of crisis response
• The retail client who removed MFA and suffered £65,000 in direct incident costs
• Why attackers specifically target businesses without MFA
• The reputational damage you can't quantify until it's too late

5. The Vendor Relationship Fallacy (Chapter 6)

• Solicitors saved £4,800 annually, lost a £150,000 client
• Why "identical services" aren't actually identical
• The difference between contractual obligations and genuine partnerships
• What happens when you need flexibility and you've burned your bridges

• 42% of business applications are unauthorised Shadow IT (relevant context)
• £47,000 BEC loss vs £12,000 annual training savings
• £200,000 lost revenue vs £18,000 insurance savings
• £100,000+ replacement costs vs £50,000 salary
• £65,000 incident costs vs marginal productivity gains
• £150,000 lost client vs £4,800 vendor savings

Common pattern: Small measurable savings, catastrophic unmeasurable consequences.

Before cutting any security costs, ask yourself:

1. What's the nominal function versus the actual function?
   • What does it obviously do vs what does it really do?
2. What invisible benefits will disappear?
   • Be specific: not "provides value" but "provides priority incident response during emergencies"
3. How would we replace those invisible benefits?
   • If you can't answer this, you're making a Doorman Fallacy mistake
4. What's the actual cost-benefit analysis, including invisible factors?
   • Not just "save £8,000" but "save £8,000, lose security culture, increase incident risk"
5. What's the cost of being wrong?
   • In cybersecurity, the cost of being wrong almost always exceeds the cost of maintaining protection

Review your most recent efficiency or cost-cutting decision. Ask:

• Did we define this function too narrowly?
• What invisible value might we have destroyed?
• Are we experiencing consequences we haven't connected to that decision?

Instead of measuring cost-per-hour or savings-per-quarter, measure:

• Incident reporting rates (should go UP with good training)
• Verification procedure usage frequency
• Time-to-report for security concerns
• Vendor response times during emergencies
• Employee confidence in raising concerns

Budget constraints are legitimate. The solution isn't "never cut anything." It's:

• Acknowledge what you're sacrificing when you cut
• Admit the risks you're accepting
• Have plans for replacing invisible functions
• Make consequences visible during decision-making
• Ensure decision-makers bear some responsibility for outcomes

"The doorman's job is opening doors. So we replaced him with an automatic door. Saved £35,000 a year. Lost £200,000 in revenue because the hotel stopped feeling luxurious. That's the Doorman Fallacy." — Noel

"Security training's nominal function is delivering information. Its actual function is building culture. Cut the training, lose the culture, then wonder why nobody reports suspicious emails anymore." — Noel

"We saved £8,000 on training. Spent £70,000 on the Business Email Compromise attack that training would have prevented. The CFO was very proud of the efficiency gains." — Noel

"You can't prove a negative. Can't show the value of the disasters you prevented because they didn't happen. So the training gets cut, the insurance gets cancelled, and everyone acts surprised when the predictable occurs." — Mauven

"The efficiency consultant's dream outcome: Measurable cost eliminated, unmeasurable value destroyed, everyone confused about why things feel worse despite the improvement." — Noel

• 00:00 - Pre-Roll: The Most Expensive Cost-Saving Decision
• 02:15 - Intro: Why Marketing Books Matter for Cybersecurity
• 05:30 - Chapter 1: The Book, The Fallacy, The Revelation
• 12:00 - Chapter 2: The Security Training Fallacy
• 19:30 - Chapter 3: The Cyber Insurance Fallacy
• 27:00 - Chapter 4: The Dave Automation Fallacy
• 35:30 - Chapter 5: The MFA Friction Fallacy (+ Authentrend sponsor message)
• 42:00 - Chapter 6: The Vendor Relationship Fallacy
• 49:30 - Chapter 7: Hard-Hitting Wrap-Up & Framework
• 58:00 - Outro: Action Items & CTAs

Total Runtime: Approximately 62 minutes

Authentrend - Biometric FIDO2 Security Solutions

This episode is brought to you by Authentrend, which provides passwordless authentication solutions that address the friction problem discussed in Chapter 5. Their ATKey products use built-in fingerprint authentication—no passwords, no PIN codes, just five-second authentication that's both convenient AND phishing-resistant. Microsoft-certified, FIDO Alliance-trusted, and designed for small businesses that need enterprise-grade security without enterprise-level complexity.

Learn more: authentrend.com

Mentioned in This Episode:

• Rory Sutherland's "Alchemy: The Dark Art and Curious Science of Creating Magic in Brands, Business, and Life"
• Authentrend ATKey Products: authentrend.com
• Episode 3: "Dave from IT - When One Person Becomes Your Single Point of Failure" (referenced in Chapter 4)

Useful Tools & Guides:

• Download our Doorman Fallacy Decision Framework (PDF)
• Template: Articulating Invisible Value in Budget Meetings
• Checklist: Five Questions Before Cutting Security Costs
• Case Study Library: Real-World Doorman Fallacy Examples

UK-Specific Resources:

• ICO Guidance on Security Measures
• NCSC Small Business Cyber Security Guide
• Cyber Essentials Scheme Information

Noel Bradford brings 40+ years of IT and cybersecurity experience from Intel, Disney, and the BBC to small-business cybersecurity. Now serving as CIO/Head of Technology for a boutique security-first MSP, he specialises in translating enterprise-level security to SMB budgets and constraints.

Mauven MacLeod is an ex-government cyber analyst who now works in the private sector helping businesses implement government-level security practices in commercial reality—her background bridges national security threat awareness with practical small business constraints.

New episodes every Monday at Noon UK Time!

Never miss an episode! Subscribe on your favourite podcast platform:

• Apple Podcasts
• Spotify
• Google Podcasts
• RSS Feed: https://feed.podbean.com/thesmallbusinesscybersecurityguy/feed.xml

Help us reach more small businesses:

• ⭐ Leave a review (especially appreciated if you mention which Doorman Fallacy example hit closest to home)
• 💬 Comment with your own efficiency optimisation horror stories
• 🔄 Share this episode with CFOs, procurement specialists, and anyone making security budget decisions
• 📧 Forward to that one colleague who keeps suggesting cost-cutting without understanding the consequences

Connect with us:

• Website: thesmallbusinesscybersecurityguy.co.uk
• Blog: Visit thesmallbusinesscybersecurityguy.co.uk for full episode transcripts, implementation guides, and decision-making templates
• LinkedIn: https://www.linkedin.com/company/the-small-business-cyber-security-guy/
• Email: hello@thesmallbusinesscybersecurityguy.co.uk

#Cybersecurity #SmallBusiness #SMB #InfoSec #CyberInsurance #MFA #SecurityTraining #ITManagement #BusinessSecurity #RiskManagement #DoormanFallacy #BehavioralEconomics #SecurityROI #UKBusiness #CostBenefit #SecurityCulture #IncidentResponse #VendorManagement #Authentrend #FIDO2 #PasswordlessAuthentication

The Small Business Cyber Security Guy Podcast provides educational information and general guidance on cybersecurity topics. Content should not be considered professional security advice for your specific situation. Always consult qualified cybersecurity professionals for implementation guidance tailored to your organisation's needs.

Copyright © 2025 The Small Business Cyber Security Guy Podcast. All rights reserved.

Got a question or topic suggestion? Email us at hello@thesmallbusinesscybersecurityguy.co.uk or leave a comment below!

The pair dig into the technical and cultural roots of the problem: DNS as an ageing single point of failure, the dangers of concentrating critical infrastructure in one region, cost‑cutting that sacrifices resilience, and the worrying effects of automation and staff churn. They discuss how small businesses, banks, gaming platforms, and everyday consumers all found themselves unable to process payments, take bookings, or even turn on a light due to a single regional fault.

Mauven and Graham also examine the human side of outages — exhausted sysadmins, online threads that read like group therapy, and the blurred line between human operators and automated systems shipping production code. They mock the absurdity of smart devices that need the internet to perform basic functions, and contrast that with the resilience of simple, offline tech (their beloved vinyl collections make a cameo).

Finally, the episode offers a clear call to action: rethink resilience. Topics covered include multi‑cloud and hybrid strategies, decentralisation, offline fallback modes or “stupid mode” for essential devices, and the need to prioritise technical debt and redundancy over short‑term savings. Expect sharp humour, practical frustrations, and a promise of tangible fixes and advice in the next episode — plus plenty of memes and sympathy for the folks keeping the lights on.

With 50% of UK small businesses hit by cyber incidents in 2025 and 60% closing within six months of severe data loss, getting this wrong isn't just expensive—it's potentially fatal to your business.

Noel Bradford (40+ years wrangling enterprise security at Intel, Disney, and BBC) and Mauven MacLeod (ex-Government Cyber analyst who's seen threats at the national security level) cut through the marketing rubbish to explain what each approach actually does, what they really cost, and which one your business needs right now.

No vendor pitch. No corporate speak. Just the brutal truth about what works for UK SMBs.

Special Listener Offer: £40 per FIDO2 security key (regular £45) - Valid until December 22nd, 2025

We only accept sponsorships from companies whose products we already recommend to clients. Authentrend's ATKey series provides FIDO Alliance Level 2 certified, phishing-resistant authentication at competitive pricing. Same cryptographic protection as premium brands, without the premium price tag.

Why we're comfortable with this sponsorship: We've been specifying Authentrend keys for UK SMB clients for months because the math works. FIDO2 hardware security keys stop the credential phishing attacks that cause 85% of cyber incidents. At £40-45 per key (two per employee for backup), you're looking at £80-90 per person for protection that actually works.

Learn more: authentrend.com

• What Information Security actually covers (hint: it's not just digital)
• Why Cybersecurity isn't the same as IT Security (despite what vendors claim)
• The CIA triad explained without the jargon
• Real-world examples showing when each approach matters

• Current threat landscape: 43% of UK businesses breached in 2025
• Why small businesses (10-49 employees) face 50% breach rates
• Average incident costs: £3,400 (but the real number is much higher)
• UK GDPR, Data Protection Act 2018, and what actually applies to you

• Starting from scratch: £5,000-£15,000 annually for 10-20 employees
• Phishing-resistant MFA: £80-90 per employee (one-time, includes backup keys)
• Cyber Essentials: £300-£500 (your best bang for buck)
• Managed security services: £300-£450/month realistic pricing
• When £2,000-£3,500/month managed detection makes sense
• Free government resources you're probably ignoring

• Why SMS codes and app-based MFA still get phished
• How FIDO2 hardware security keys cryptographically prevent credential theft
• Real cost comparison: £80-90 per employee one-time vs subscription services costing hundreds annually
• Special offer mentioned in episode: Authentrend keys at £40 until December 22nd

• Why IT Security basics beat fancy cybersecurity tools every time
• The five controls that address 90% of UK SMB threats
• Common mistakes that waste your security budget
• How to prioritise when you can't afford everything
• Vendor red flags and what to actually look for

• ICO data protection fees: £40-£60/year (mandatory)
• What "appropriate technical and organisational measures" really means
• Why recent enforcement shows reprimands over fines for SMBs
• Insurance requirements and how to reduce premiums
• How phishing-resistant authentication affects cyber insurance premiums

• 50% of UK small businesses (10-49 employees) experienced cyber incidents in 2025
• £3,400 average cost per cyber incident (excluding business impact)
• 60% of small businesses close within 6 months of serious data loss
• 85% of cyber incidents involve phishing attacks
• 43% of all UK businesses experienced breaches in 2025
• Only 35,000 of 5.5 million UK businesses hold Cyber Essentials certification
• 40% of UK businesses use two-factor authentication (meaning 60% rely solely on passwords)

Authentrend ATKey Series (Episode Sponsor)

• ATKey.Pro: USB-A/USB-C with NFC support
• ATKey.Card: Contactless card format
• Pricing: £45 regular, £40 special offer until December 22nd
• FIDO Alliance Level 2 certified
• Works with Microsoft 365, Google Workspace, 1000+ FIDO2-enabled services
• Deployment cost: £80-90 per employee (2 keys for backup)

Why hardware security keys matter:

• Cryptographically bound to specific domains (phishing technically impossible)
• Works even when users make mistakes
• One-time purchase vs ongoing subscription costs
• Significantly reduces cyber insurance premiums

• Microsoft Defender for Office 365 Plan 1: £1.70/user/month
• Google Workspace Advanced Protection: £4.60/user/month
• Sophos Email Security: £2.50/user/month

• Microsoft Defender for Business: £2.50/user/month
• Sophos Intercept X: £3.50/user/month
• CrowdStrike Falcon Go: £7.00/user/month

• Cyber Essentials: £300-£500 annually
• ISO 27001: £10,000-£15,000 first year (discussed as often unnecessary for SMBs)

• NCSC Small Business Guidance: ncsc.gov.uk
• ICO Free Templates: ico.org.uk
• Cyber Essentials Scheme: cyberessentials.ncsc.gov.uk
• NCSC FIDO2 Guidance: Phishing-resistant authentication recommendations

• Authentrend: authentrend.com
• Special offer: £40 per key (regular £45) until December 22nd, 2025
• ATKey.Pro and ATKey.Card models
• UK distributor support available

• Tuesday: "InfoSec vs CyberSec vs IT Security: Stop Paying for the Wrong Protection in 2025"
• Wednesday: "Another UK SME Wastes £20k on 'Comprehensive CyberSec': Still Gets Breached"
• Thursday: "IT Security First: Your 5-Step Plan to Stop Buying the Wrong Protection"
• Friday: "The Leicester SME That Chose IT Security Over InfoSec Theatre: Saved £15k and Actually Got Secure"
• Saturday: "Opinion: The Cybersecurity Industry Is Deliberately Confusing UK SMBs"

1. Catalogue your information - 1 day exercise to understand what you have and where it lives
2. Register for ICO data protection fee - £40-£60 annual mandatory requirement
3. Order hardware security keys - Start with admin accounts (grab Authentrend special offer before Dec 22nd)

4. Get Cyber Essentials certified - £300-£500, addresses 90% of common threats
5. Implement email security - £900-£1,800 annually for proper anti-phishing
6. Deploy phishing-resistant MFA - £80-90 per employee one-time investment
7. Configure endpoint protection - £1,200-£2,500 annually for 15-30 users

8. Test your backups - Don't assume they work, actually restore something
9. Basic staff training - Use free NCSC materials, focus on phishing recognition
10. Review and document - Simple policies using ICO templates

15-20 employee business, first year total: £6,200-£14,500

• Email security: £900-£1,800 annually
• Hardware security keys: £2,400-£2,700 one-time (with Dec 22nd offer: £2,400)
• Endpoint protection: £1,200-£2,500 annually
• Backup systems: £600-£1,200 annually
• Network security: £600-£1,800 (includes one-time hardware costs)
• Training: £0-£1,500 annually
• Testing: £500-£2,000 annually

Ongoing costs (Year 2+): £3,800-£11,100 annually

Noel Bradford - CIO/Head of Technology, Boutique Security First MSP

• 40+ years enterprise security (Intel, Disney, BBC)
• Direct, budget-conscious, solutions-focused
• Enjoys challenging conventional security wisdom
• Known for calling out vendor bollocks

Mauven MacLeod - Ex-Government Cyber Analyst

• Government cybersecurity background (NCSC)
• Glasgow-raised, practical approach
• Translates national security threats into business reality
• Focuses on what actually works for UK SMBs

We only accept sponsorships from security vendors whose products we already recommend to UK SMB clients independently. If we wouldn't deploy it ourselves or specify it for consulting engagements, we won't accept sponsorship money for it.

Why Authentrend: We've been recommending their FIDO2-certified hardware security keys to clients for months because:

• They provide the phishing-resistant authentication we consistently advise UK SMBs to implement
• Pricing makes proper authentication accessible to small businesses
• FIDO Alliance Level 2 certification ensures they meet security standards
• They align with our core message: affordable IT security fundamentals over expensive security theatre

Don't let perfect be the enemy of good. Start with what you can manage, do it properly, and build from there.

1. Listen to the episode - Understand the differences before spending money
2. Download the risk assessment template - Available on our blog
3. Order hardware security keys - Start with admin accounts (special offer ends Dec 22nd)
4. Get Cyber Essentials certified - £300-£500 addresses most common threats
5. Implement IT Security fundamentals - £2K-£5K gets you real protection
6. Review quarterly - Security isn't a one-time project

• Never miss an episode - Hit subscribe wherever you get your podcasts
• Leave us a review - It genuinely helps other UK small business owners find these conversations
• Visit our blog - Additional resources, templates, and practical guides at [noelbradford.com]
• Got specific questions? - Drop us a comment and we might cover it in a future episode

"Government Cyber Initiatives: Why Whitehall's Digital Strategy Keeps Failing UK Businesses"

The NCSC produces world-class guidance. Unfortunately, most of it assumes you have dedicated security teams and enterprise budgets. We'll examine why government cybersecurity initiatives consistently miss the mark for the businesses that need help most, and what UK SMBs should actually implement instead.

The biggest security risk is doing nothing while you debate the perfect approach.

Stop wasting money on expensive security theatre. Start with IT Security fundamentals that actually protect against the threats you face. Get phishing-resistant authentication in place. Test your backups. Train your staff.

Everything else can come later.

#Cybersecurity #InformationSecurity #ITSecurity #UKSmallBusiness #SMB #UKGDPR #CyberEssentials #DataProtection #ICO #BusinessSecurity #CyberThreats #SecurityBudget #NCSC #UKBusiness #SmallBusinessUK #FIDO2 #PhishingResistant #MFA #Authentrend #HardwareSecurityKeys #AuthenticationSecurity

• What actually happened at Discord: a contractor compromise affecting support/Trust & Safety workflows, not Discord’s core systems; notifications issued; vendor relationship severed; law-enforcement engaged.

• Why age-verification data is dynamite: passports and licences used for “prove your age” are a high-value, high-liability dataset for any platform or vendor.

• The UK digital ID plan, clarified: free digital ID, phased rollout this Parliament, and mandatory for Right to Work checks rather than everyone by default. What that means for employers, suppliers and software choices.

• Public sentiment vs promised safety: Britons broadly back “age checks” in principle but expect more data compromise and censorship risk, and doubt effectiveness.

• You can’t outsource accountability. If a payroll, KYC, helpdesk or verification vendor mishandles data, your customers still see your name on the breach notice.

• Age and identity checks creep into ordinary business flows. HR onboarding, ticketing, and customer support can accumulate sensitive documents if you let them.

• Centralising identity increases the jackpot for attackers. Your job is to minimise what you collect and partition what you must keep.

1. Do not collect what you can’t protect. Prefer attribute proofs over document uploads.

2. Limit blast radius. Separate systems, short retention, hard deletion, and vendor access that is time-boxed and device-checked.

3. Contract like you mean it. Specify MFA, device compliance, immutable logging, breach SLAs, and verifiable deletion in vendor agreements.

4. Prepare your Right-to-Work path now. Choose flows that avoid copying and storing underlying documents.

• Map every place you’re collecting ID or age proof today. Kill non-essential collection.

• Where age is required, adopt attribute-based verification that proves “over 18” without revealing full identity.

• Move any remaining uploads behind automatic redaction, strict retention, and encryption with keys you control.

• Enforce vendor MFA via your IdP, require compliant devices, and review access logs weekly.

• Run DPIAs for onboarding, support and HR flows that touch identity documents.

• Rehearse your breach comms. Aim to say: “only an age token was exposed, not source documents.”

• Setting the scene: a breach born in the support queue

• Why ID uploads are a liability multiplier

• The UK’s digital ID plan, without the spin

• Vendor risk is your risk

• Practical fixes you can implement before lunch

• Q&A and what to do if you uploaded ID to Discord

• Treat notices as real; monitor credit; be alert to targeted phishing; don’t re-upload documents to unsolicited “verification” links.

• Subscribe, rate and review. Share this episode with a business owner who still stores passport scans in their helpdesk.

• Send questions or topic requests for future episodes.

Graham Falkner cuts through the technical jargon to explain what these updates actually mean for your business, shares a real-world story of a local bakery that nearly lost everything, and walks through the practical steps you need to take today.

• 172 total vulnerabilities patched across Microsoft's ecosystem
• Six zero-day flaws (actively exploited or publicly known before patches released)
• Eight critical vulnerabilities that could allow unauthorised code execution
• Elevation of privilege, remote code execution, and information disclosure threats

• 15 October 2025 marks the final day of free security updates for Windows 10
• Extended Security Updates (ESU) now required for continued protection
• Time to seriously plan your Windows 11 migration or budget for ESU costs

Linda's Bakery nearly lost a week's worth of turnover after ransomware exploited an unpatched zero-day vulnerability. The attack was fast, the data was locked, and only a quick backup restoration saved her business. Graham uses this story to demonstrate why these updates have tangible consequences for small businesses across the UK.

Beyond patching vulnerabilities, the October update brings nine useful new features for Windows 11 versions 25H2 and 24H2:

Improved Phishing Protection Enhanced defences that make it genuinely harder for dodgy links to trick your staff. Think of it as a digital bouncer for your inbox.

Enhanced Device Control Settings Brilliant if you operate in an environment where staff might plug in random gadgets. (Yes, coffee shop owners with drawers full of mystery USB sticks, we're looking at you.)

Wi-Fi Security Dashboard No IT degree required. Plain-language summary of your network's safety status that anyone can understand.

Built-in Password Manager Improvements Now flags when you've reused weak passwords. No more scribbling your favourite biscuit on a Post-it and hoping for the best.

AI Actions in File Explorer Smarter file organisation and quick task shortcuts

Notification Centre on Secondary Monitors Finally works properly where you click it

Moveable System Indicators Customise where volume and brightness indicators appear

Administrator Protection Additional security layer for privileged accounts

Passkey Support for Third-Party Providers More flexibility in authentication methods

Schedule Your Updates Block out an hour when losing a computer for a reboot won't derail your entire operation. Updates can be inconvenient, but getting compromised because you delayed them is far worse.

Verify Installation Success Don't assume updates installed correctly. Open Windows Update settings and check for failed installations. Graham shares a personal story about his jukebox PC that reinforces this point.

Back Up Before Updating Protect your important data before applying updates. If something breaks, you'll need that backup to restore operations quickly.

Know Your Rollback Options Windows lets you roll back recent updates through the Advanced Recovery menu. Don't wait until disaster strikes to learn how this works.

Document Your Process Have a written plan for what to do if an update causes problems. Graham learned this the hard way when his vinyl room jukebox went silent for days.

Regular Review Schedule Treat security reviews like your car's MOT. Schedule them in your diary and actually do them. Ask yourself: "Are my defences still relevant to the threats out there?"

Consider Automation Intrusion detection tools and vulnerability scanners aren't just for large multinationals anymore. They fit comfortably into small business operations, often catching and patching issues before you even know they exist.

Staff Training Technology can only protect you so far. The biggest security gaps usually sit between the keyboard and the chair. Regular training on spotting dodgy emails and not clicking every link matters more than you think. All the AI in the world means nothing if someone opens the virtual front door for attackers.

"When you've got bugs that can lead to unauthorised access, stolen data, or a business-crippling ransomware attack, you simply can't afford to fall behind."

"These updates have real-world impact. I'm not talking theoretical."

"Don't leave your business exposed whilst attackers are combing these patch notes, looking for firms running behind."

"Not updating isn't just risky, it's old-fashioned."

"The strongest business is the one that learns just a bit faster than the crooks."

Whether you're a florist in Aberdeen or a solicitor's office in Kent, cybersecurity isn't about ticking an IT box. These updates protect your ability to keep the cash register ringing and maintain customer trust.

Business-crippling ransomware attacks don't just happen to large corporations. Small businesses are increasingly targeted because attackers know you often lack dedicated IT resources and may be running behind on updates.

Whilst Graham doesn't dive deep into compliance in this Hot Take, remember that unpatched systems can create regulatory headaches:

• GDPR obligations require appropriate security measures
• ICO enforcement takes security seriously
• Professional indemnity insurers increasingly audit cybersecurity practices
• Client trust depends on demonstrating you protect their data properly

• 80 Elevation of Privilege vulnerabilities
• 31 Remote Code Execution flaws
• 28 Information Disclosure issues
• 11 Security Feature Bypass vulnerabilities
• 11 Denial of Service flaws
• 10 Spoofing vulnerabilities
• 1 Tampering vulnerability

• CVE-2025-24990: Agere Modem driver vulnerability (actively exploited)
• CVE-2025-59230: Windows Remote Access Connection Manager (actively exploited)
• CVE-2025-24052: Agere Modem driver (publicly disclosed)
• CVE-2025-2884: TPM 2.0 implementation flaw
• CVE-2025-0033: AMD EPYC processor vulnerability
• CVE-2025-47827: IGEL OS Secure Boot bypass

Microsoft removed the Agere Modem driver (ltmdm64.sys) after evidence of abuse for privilege escalation. If you rely on Fax modem hardware using this driver, it will cease functioning after this update.

• Microsoft October 2025 Patch Tuesday Security Update Guide
• Windows 11 Version 25H2 Known Issues
• Windows 10 Extended Security Updates Information

• BleepingComputer: October 2025 Patch Tuesday Coverage
• Windows Central: 9 New Features in October Update
• Cybersecurity News: Detailed Vulnerability Analysis

• NCSC Small Business Guide
• Cyber Essentials Scheme
• ICO Data Protection Guidance

Host: Graham Falkner Production: The Small Business Cyber Security Guy Podcast Copyright: 2025 - All Rights Reserved

Like this Hot Take if you found it useful Subscribe to catch every episode as we release them Share with other UK small business owners who need to hear this Comment with your own update horror stories or success stories

Your engagement helps us reach more small businesses who desperately need practical cybersecurity guidance. Every share might save another business from becoming next month's ransomware statistic.

Visit thesmallbusinesscybersecurityguy.co.uk for:

• Complete episode archive
• Written guides and checklists
• Additional resources for UK small businesses
• Ways to submit questions for future episodes

Looking for more context on topics mentioned in this Hot Take? Check out these related episodes:

Episode 17: Social Engineering - The Human Firewall Under Siege Why staff training matters more than you think, and how attackers exploit human psychology

Episode 10: White House CIO Insights Part 3 - Advanced Threats & AI AI-powered attacks and how small businesses can defend against sophisticated threats

Enhanced Supply Chain Security Understanding vendor dependencies and how updates fit into broader security strategy

• Why the Chancellor and three Cabinet Ministers personally co-signed an urgent letter to UK business leaders -  Ministerial letter on cyber security
• The shocking NCSC statistics: nearly half of all incidents were nationally significant, with highly significant incidents up 50%
• Real-world impact: empty supermarket shelves, healthcare disruption causing deaths, and £300m+ losses for single organisations
• The three specific government requests that will have an immediate impact on your cyber resilience  - Ministerial letter on cyber security
• Practical first steps you can take this week (most are free)

"Any leader who fails to prepare for that scenario is jeopardising their business's future... It is time to act." - Richard Horne, CEO of NCSC

"Hostile cyber activity in the UK is growing more intense, frequent and sophisticated. There is a direct and active threat to our economic and national security." - Ministerial Letter, 13 October 2025 - Ministerial letter on cyber security

"While you can plan meticulously, nothing truly prepares you for the moment a real cyber event unfolds. The intensity, urgency and unpredictability of a live attack is unlike anything you can rehearse." - Shirine Khoury-Haq, CEO of The Co-op Group

• Ministerial Letter (13 Oct 2025)
• NCSC Annual Review 2025
• Free Cyber Governance Training for Boards
• Early Warning Service (Free) - 13,000+ organisations already signed up
• Cyber Essentials - 92% reduction in insurance claims
• Cyber Action Toolkit - Free for small businesses

1. Sign up for NCSC Early Warning (free)
2. Read the ministerial letter
3. Add cyber security to your next Board agenda
4. Check if MFA is enabled on critical systems

Mauven MacLeod - Ex-NCSC cyber security expert with Glasgow roots who translates government-level threat intelligence into practical advice for small businesses.

Graham Falkner - The unmistakable voice from UK cinema trailers, now bringing his theatrical gravitas and storytelling skills to demystify cybersecurity for business leaders.

Visit our blog: thesmallbusinesscybersecurityguy.co.uk

Like the show? Subscribe, leave a review, and share with colleagues.

Episode Length: ~8 minutes

Bottom line: Nearly half of NCSC incidents are now nationally significant. It's time to act.

So we grabbed another cup of tea, broke out the custard creams, and kept recording.

Then, during the tea break, Graham discovered something on Twitter: VX-Underground, a credible malware research collective, had posted a screenshot of what appears to be a Kido GitHub repository containing API code. Files that typically contain system credentials. A potential smoking gun.

In Part 2, Tammy reveals what was missed in Part 1, including the game-changing fact that cybersecurity is now officially linked to safeguarding in the 2025 Keeping Children Safe in Education guidance. We examine the repository screenshot and discuss what it suggests about how breaches like this happen.

This isn't theory. This appears to be a real-world example of the vulnerability that could lead to children's data being stolen. And your child's school might have the same exposure.

Recorded in the same session as Part 1. This is what happens when cybersecurity news moves faster than podcast recording sessions.

Currently ranked in the Top 100 Apple Business Podcasts (US)

This episode is sponsored by Authentrend Biomentric Hardware 

If you listened to Part 1 and thought "that's bad but it won't happen to us," Part 2 will change your mind.

The game-changer: Cybersecurity is now safeguarding, not just IT. Schools can't ignore it anymore.

The smoking gun: A screenshot showing what appears to be exposed code—the exact type of vulnerability experts warn about.

The corrections: What we got wrong in Part 1, and why the reality is even more serious.

1. Cyber Security = Safeguarding (2025 Guidance)
   • First time explicitly linked in statutory guidance
   • Changes everything about how schools must respond
   • Makes Kido a safeguarding failure, not just IT breach
   • Gives cyber the legal teeth it's never had
2. The Repository Screenshot
   • VX-Underground documented what appears to be Kido's code
   • Files that typically contain credentials visible
   • Repository has since been removed
   • Suggests how breach may have occurred
3. Partial MFA = No MFA
   • Schools enable MFA for head teachers but not everyone
   • Like "locking doors but leaving windows open"
   • Must be ALL staff with system access or it's useless
4. The Third Party Illusion
   • Schools think IT providers handle compliance
   • DfE Standards explicitly say schools must verify
   • Cannot outsource responsibility

• Why phone-based MFA conflicts with safeguarding policies (and what to do)
• The NCSC Cyber Assessment Framework for schools
• Questions to ask developers about code repositories
• How to audit custom software
• What "Time Off In Lieu" means for training

On 28 September 2025, VX-Underground (a credible malware research collective) posted a screenshot showing what appears to be a GitHub repository:

• Repository name: kido-fullstack/mykido-api
• Files visible: Including mail.py (typically contains email credentials in Python apps)
• Repository stats: 2 contributors, 0 issues, 0 stars, 0 forks
• Current status: Repository has been removed
• VX-Underground's assessment: Called it "f**king slop piece of s**t"
• See: https://www.instagram.com/reel/DPUjd9mj2tG/

• The actual contents of the files (repository is down)
• Whether repository was public or had limited visibility
• That this definitively caused the breach
• What specific credentials may have been present

This screenshot shows the exact type of vulnerability cybersecurity experts warn about:

• Custom code pushed to repositories without proper security review
• Files that typically contain credentials visible in structure
• Pattern common in education sector (confirmed by Tammy)
• Explains how Famly data could be accessed without Famly infrastructure breach

We present this as a plausible explanation based on professional analysis, not as a confirmed fact.

For the first time, statutory safeguarding guidance for UK schools explicitly mentions taking appropriate actions to meet the Cyber Security Standard.

What this means:

• Cybersecurity is no longer optional IT work
• It's a safeguarding responsibility with Ofsted implications
• Schools respond to safeguarding requirements (unlike IT recommendations)
• Governors have safeguarding oversight duties that now include cyber
• The Kido breach is officially a safeguarding failure

When it takes effect: The 2025 guidance is already in force. Schools should be implementing now.

Why schools don't know: Most haven't read the updated guidance yet. Awareness is the first problem.

What we said in Part 1: "Only 50% of schools have MFA enabled"

What Tammy clarified: That 50% is misleading because many schools have partial MFA - only for senior staff like head teachers and SENCOs.

The reality: Partial MFA = NO MFA. It's like locking your front door but leaving all the windows open. Attackers target the weakest link, not the strongest.

The phone problem: Many MFA solutions require phones for authentication, but safeguarding policies ban phones in classrooms. Schools need hardware tokens or authenticator apps on shared devices.

Where MFA works: Primarily email systems currently - but email is the gateway to everything else (password resets, system access, parent communications).

The misconception: "We pay an IT company, so they're handling DfE Digital Standards compliance for us."

The reality: DfE Standards explicitly state it's the organisation's responsibility to ask: "Are we meeting this standard? How do we meet this standard?"

What IT providers should do: Help implement technical controls

What schools must do: Verify compliance is actually happening

Who's responsible: School leadership, governors, senior management - not outsourceable

Correction: Staff must be given Time Off In Lieu (TOIL) for cybersecurity training. They cannot be expected to complete training unpaid outside work hours.

Why it matters: Schools operating on tight budgets must account for training time in scheduling and costs.

Keeping Children Safe in Education 2025

• Statutory safeguarding guidance for schools
• First explicit link between cybersecurity and safeguarding
• Available: UK Government website / DfE publications
• ACTION: Read Section on Cyber Security Standard

DfE Digital Standards for Schools

• Sets out cyber security requirements
• Six standards schools should meet by 2030
• Schools must actively verify compliance
• ACTION: Ask your school "Are we meeting these?"

NCSC Cyber Assessment Framework (CAF)

• Designed specifically for small businesses and schools
• Written in accessible language (not technical jargon)
• Covers: access control, incident management, supply chain security
• Free to use
• LINK: ncsc.gov.uk

NCSC Early Years Settings Guidance

• Bespoke guidance for nurseries
• Practical steps for settings without IT expertise
• LINK: ncsc.gov.uk

GitHub Secret Scanning

• Free for public repositories
• Detects exposed credentials in code
• Schools should use if they have repositories
• ACTION: Enable on all repositories

DfE Digital Standards Webinars

• Regular sessions explaining standards in simple terms
• How to track progress and implementation
• Contact Tammy for upcoming dates

Title: Senior Data Protection Consultant Organisation: Data Protection Education Background:

• 15 years in UK education sector
• 12 years working directly in schools (8 years technician, 4 years IT manager)
• "Recovering Dave from IT"

What makes Tammy credible: She's not a theoretical expert. She's been the person fixing school printers at 8am, dealing with budget constraints, navigating safeguarding policies. When she says "schools don't have the expertise," she's speaking from lived experience.

Expertise:

• Data protection compliance in education
• Information security for schools and MATs
• DfE Digital Standards implementation
• GDPR for the education sector
• Cyber resilience on school budgets

Email: info@dataprotection.education LinkedIn: Tammy Buchanan (personal) / Data Protection Education (company page) Services:

• Compliance assessments
• DfE Digital Standards webinars
• Data protection consultancy for schools and MATs
• Incident response support

Copy these questions and email them to your head teacher:

1. Do you have multi-factor authentication (MFA) enabled for ALL staff with system access (not just senior leadership)?
2. How often do staff receive cybersecurity training, and is Time Off In Lieu provided for this training?
3. Where is your incident response plan, and when was it last tested?

4. Do we have any custom-built software, integrations, or scripts?
5. If yes: Where is the source code stored? (GitHub, GitLab, etc.)
6. Who has access to our code repositories?
7. Have repositories been scanned for exposed credentials?
8. Do former developers or contractors still have access to our systems?

9. Are we meeting the DfE Digital Standards, and how is this verified?
10. Who on the governing body is responsible for data protection and cyber resilience?
11. How are you addressing cybersecurity as part of your safeguarding responsibilities under the 2025 Keeping Children Safe in Education guidance?

12. Which platforms hold our children's data? (Famly, Tapestry, Arbor, etc.)
13. How do you verify these platforms are securely configured?
14. Does our IT provider handle compliance verification, or do you verify it yourselves?

Don't accept: "We have an IT company, they handle all this." Do accept: Specific answers with evidence of verification.

If you have any custom software, ask your developer:

1. Where is the source code stored?
2. Is the repository public or private?
3. Who currently has access to the repository?
4. Are there any credentials, API keys, or connection strings in the code?
5. How are secrets managed? (Environment variables, secret management tools?)
6. When was the code last security reviewed?
7. Has the repository been scanned for exposed secrets?
8. What happens if you're not available? Who else can access/maintain this?

Red flags:

• "What do you mean by credentials in the code?"
• "It's a private repo, it's fine."
• "I'll get round to moving those credentials out eventually."
• Cannot answer who else has access

The pattern Tammy sees constantly:

1. School needs custom integration between systems
2. Hire developer (staff, parent volunteer, local contractor)
3. Developer builds something functional
4. Developer has zero security training
5. Code pushed to GitHub/GitLab for convenience
6. No security review, no secrets management
7. Repository sits there for months/years
8. Former contractors still have access
9. No documentation of what exists or where
10. School doesn't know to check

One credential compromise = full breach

Constraints schools face:

• No dedicated IT staff (part-time technician comes twice a week)
• No cybersecurity budget
• Volunteer governors with no technical expertise
• Staff expected to train in unpaid time
• Third-party providers without clear responsibility
• Safeguarding policies that conflict with security best practice
• An overwhelming number of platforms and systems
• Turnover of staff and contractors

What needs to change:

• Make cyber security statutory with Ofsted oversight
• Provide funding for proper implementation
• Link explicitly to safeguarding (now happening!)
• Require IT providers to verify compliance
• Train governors on cybersecurity oversight
• Make DfE Digital Standards non-negotiable

The safeguarding link is the breakthrough - schools MUST respond to safeguarding requirements.

Tammy on partial MFA:

"It's like locking your front and back doors and then leaving all the downstairs windows open. I consider that to be NOT having MFA enabled."

Tammy on the safeguarding link:

"Schools can ignore IT recommendations. They can say 'no budget, we'll get to it eventually.' But you cannot ignore safeguarding. Safeguarding is non-negotiable."

Tammy on the repository:

"This is actually more common than people think, especially in education. Somebody builds something, pushes it to GitHub for version control, and doesn't think about security."

Tammy on compliance responsibility:

"Your IT provider should help you meet the standards, but the responsibility for checking remains with the school leadership. And most schools don't realise that."

Noel on the repository screenshot:

"The attack vector wasn't sophisticated hacking. It appears to be 'your code was accessible on the internet with the keys to the kingdom visible in the files.'"

1. Email your school the questions above
2. Don't accept vague reassurances
3. Ask for specific evidence that they're meeting DfE Digital Standards
4. Remember: you're asking about safeguarding, not just IT

1. Read the 2025 Keeping Children Safe in Education guidance
2. Audit all custom software and code repositories
3. Enable MFA for ALL staff (find solutions for phone conflict)
4. Document what you have and who has access
5. Verify DfE Digital Standards compliance yourself
6. Contact Tammy or similar experts for gap analysis

1. Add cyber security to safeguarding oversight
2. Ask the head teacher the same questions parents should ask
3. Don't accept "our IT company handles it"
4. Consider appointing a digital lead on the governing body
5. Ensure cyber security is a standing agenda item

Share this episode if:

• You're a parent with kids in nursery or school
• You're a school governor or school leader
• You work in education
• You're concerned about children's data protection
• You want schools to take cyber security seriously

Tag: #CyberSecurity #Education #Safeguarding #DataProtection #Kido #DfEDigitalStandards

Share quote: "Cyber security is now officially SAFEGUARDING in UK schools. Not optional IT. Not nice-to-have. SAFEGUARDING. This changes everything."

Website: thesmallbusinesscybersecurityguy.co.uk Blog: Full breakdown of repository screenshot analysis Subscribe: Available on all major podcast platforms Review: Leave us a review and tell us what you think Comment: What security topic should we cover next?

Currently ranked Top 100 Apple Business Podcasts (US)

Part 1: The Education Data Protection Gap (listen first)

• Main interview with Tammy Buchanan
• Overview of Kido breach
• Systematic failures in education security
• 35-40 minutes

The Kido Hot Take 

• Initial reaction to breach announcement
• Why nurseries are targets
• Immediate implications

Hosts:

• Noel Bradford (The Veteran Solution Provider)
• Mauven MacLeod (The Government-Trained Practitioner)
• Graham Falkner (Producer/Researcher)

Guest:

• Tammy Buchanan (Data Protection Education)

Production:

• Same session recording as Part 1
• Tea break transition edited
• Cold open recorded post-session
• Natural conversation maintained

Special mention:

• Custard creams (the real MVPs)
• VX-Underground (for documenting the repository before it vanished)

This podcast provides general information about cybersecurity topics for educational purposes. Listeners should consult a professional for their specific situation.

Regarding the repository screenshot: We present analysis based on a screenshot from a credible source (VX-Underground). The repository has been removed and we cannot independently verify its contents. Our discussion represents a professional assessment based on typical development practices, not a confirmed fact about the specific breach mechanism.

The views expressed by guests are their own and do not necessarily reflect the views of the hosts or production team.

Full transcript available at: thesmallbusinesscybersecurityguy.co.uk/transcripts

Accessibility: Contact us for alternative formats

Next time: Infosec, Cybersec, and IT security - They are the same right?? Spoiler Alert: No they are not!

Coming soon: More deep dives into small business cyber security. Subscribe so you don't miss it.

Published: 13 October 2025 Duration: ~30 minutes Format: MP3 Copyright: © 2025 The Small Business Cyber Security Guy License: All rights reserved

Stay safe out there. Check your repositories. Enable MFA for everyone. And remember, cybersecurity is safeguarding now.

Currently ranked in the Top 100 Apple Business Podcasts (US)

• Why only 50% of schools have multi-factor authentication enabled
• The difference between early years providers and mainstream schools
• How photo-rich platforms create unique vulnerabilities for nurseries
• Why DFE digital standards remain unknown to most schools
• The governance problem: volunteers without power
• Who actually gets things done when head teachers won't prioritise security
• Why schools keep breaches quiet and what that means for parents
• Practical steps parents can demand from their child's school today
• The Cyber Essentials challenge for small schools with limited budgets
• How COVID pushed schools years ahead without proper security foundations

Tammy Buchanan Senior Data Protection Consultant Data Protection Education

Email: info@dataprotection.education LinkedIn: Search for Tammy Buchanan or visit the Data Protection Education company page Website: Data Protection Education

Tammy and her team (including a solicitor) work with schools across the UK on data protection compliance, information security, and cyber resilience. They provide free resources and news updates for schools on their LinkedIn page.

Government and Regulatory:

• DFE Digital Standards (Department for Education)
• NCSC (National Cyber Security Centre) staff training resources
• ICO (Information Commissioner's Office) breach log and guidance
• Ofsted inspection framework
• Safeguarding regulations

Platforms Discussed:

• Famly (early years learning journey platform)
• Tapestry (early years learning journey platform)
• Arbor (school management information system)
• Bromcom (school management information system)

Security Standards:

• Cyber Essentials certification
• Multi-factor authentication (MFA) implementation
• Incident response planning

Additional Resources:

• The Small Business Cyber Security Guy blog: thesmallbusinesscybersecurityguy.co.uk
• Data Protection Education news page (free resources for schools)

• 50% or less of schools have MFA enabled
• 8,000 children's photos stolen in the Kido breach
• 12 years Tammy worked directly in schools before consulting
• 15 years Tammy has been in the education sector overall
• 2030 target date for schools to meet six DFE digital standards

1. Do you have multi-factor authentication enabled on all systems?
2. How often do staff receive cybersecurity training?
3. Where is your incident response plan and when was it last tested?
4. Who on the governing body is responsible for data protection and cyber resilience?
5. Are you working towards the DFE digital standards?
6. Which third-party platforms hold my child's data and photos?
7. How do you monitor and configure security settings on these platforms?

For Parents:

• Schools are having breaches regularly but keeping them quiet
• Most schools lack basic security like MFA
• Your child's photos on learning journey apps create unique risks
• You have the right to ask questions about data protection
• Schools respond to parental pressure

For School Leaders:

• Documentation matters for ICO compliance
• Training needs updating regularly, not the same video for three years
• Incident response plans are useless if nobody knows where they are
• School business managers need authority, not just responsibility
• Other schools' examples work better than external expert advice

For Governors:

• Cybersecurity needs to be statutory to get real traction
• Digital lead on governing body remains unfilled at many schools
• You need both knowledge and authority to make change happen
• Physical security analogies help boards understand cyber risks

This episode exposes a systematic failure in UK education cybersecurity. Schools operate under considerable constraints, including volunteer governance, stretched budgets, and part-time IT support. Meanwhile, they hold treasure troves of children's data on platforms configured by people who lack security expertise. The Kido breach reveals what happens when one password unlocks 8,000 children's intimate moments. Most schools are one credential compromise away from the same fate. Until cybersecurity becomes statutory or linked to Ofsted inspections, progress will remain painfully slow.

Website: thesmallbusinesscybersecurityguy.co.uk Subscribe: Available on all major podcast platforms Social Media: Find us on LinkedIn

Help us grow: Leave a review, subscribe, and share this episode with parents, teachers, and school governors who need to hear this message.

The episode covers key technical and practical changes: removal of legacy components like PowerShell 2.0 and WMIC, continued performance improvements (CPU scheduling, memory management, faster startups), and expanded Wi‑Fi 7 support. Graham highlights Microsoft’s shift toward continuous monthly innovation and why that helps maintain a more secure, reliable environment without waiting for big yearly releases.

Security is a major focus: Graham explains Microsoft’s Secure Future initiative, which brings AI-assisted secure coding and enhanced vulnerability detection into the development and post-release lifecycle. He frames these advances for small business owners, showing how better detection and automated security practices reduce risk and downtime.

Practical deployment and lifecycle details are explained clearly: support-cycle resets (24 months for Home/Pro, 36 months for Enterprise/Education), how to get 25H2 via the “Get the Latest Updates” toggle, controlled rollouts and device holds, and enterprise deployment options like Windows AutoPatch and the Microsoft 365 Admin Center. He also covers admin-friendly improvements such as removing preinstalled Microsoft Store apps with Intune or Group Policy.

The episode closes with hands-on advice: check the Windows Release Health Hub for known issues, back up critical machines before upgrading, verify driver and app compatibility, and prepare rollback plans for important systems. Graham adds a personal anecdote about preparing his vinyl-catalog PC for the update and stresses that 25H2 is about steady, practical improvements—safer, faster, and less disruptive for both single machines and fleets.

In this raw, unfiltered episode, Noel breaks down exactly what happened, why the security failures that enabled this attack exist in thousands of UK small businesses right now, and what you need to do immediately to protect your organisation from becoming the NEXT headline.

WARNING: This episode contains strong language and discusses disturbing tactics used by cybercriminals. Parental guidance advised.

• The complete timeline of the Kido ransomware attack and how it unfolded
• Why hackers spent weeks inside the network before striking
• The new escalation tactic of directly contacting victims' families
• Five critical security failures that allowed 8,000 children's records to be stolen
• Why "we're too small to be targeted" is the most dangerous lie in business
• The regulatory consequences Kido faces under UK GDPR
• Immediate action steps every small business must take NOW
• Why does this attack signal a fundamental shift in cybercrime tactics

1. Initial Access Was Preventable - Likely phishing, weak passwords, or unpatched vulnerabilities
2. No Monitoring - Weeks of dwell time with zero detection
3. No Network Segmentation - Hackers accessed everything once inside
4. No Data Loss Prevention - 8,000 records exfiltrated without triggering alarms
5. Inadequate Backups - No mention of restoration from clean backups

• Ransomware gangs now directly contact victims' families
• Children's data is being weaponised for psychological pressure
• Moral boundaries in cybercrime have completely dissolved
• Attack tactics proven successful will be replicated by other groups

• 43% of UK businesses suffered a breach in the past year
• Nearly 50% of primary schools reported cyber incidents
• 60% of secondary schools experienced attacks
• The education sector is particularly vulnerable

Government & Law Enforcement:

• Metropolitan Police Cyber Crime Unit
• Information Commissioner's Office (ICO)
• Jonathon Ellison, Director for National Resilience, National Cyber Security Centre

Cybersecurity Experts:

• Rebecca Moody, Head of Data Research, Comparitech
• Anne Cutler, Cybersecurity Expert, Keeper Security
• Mantas Sabeckis, Infosecurity Researcher, Cybernews

Direct Victims:

• Stephen Gilbert, Parent with two children at Kido nursery

Threat Actors:

• Radiant Ransomware Gang (claims to be Russia-based)

• Enable multi-factor authentication on ALL business accounts
• Check that all software is updated to the latest versions
• Review who has access to sensitive data
• Verify backups exist and are stored offline
• Schedule staff phishing awareness training

• Audit your network segmentation
• Implement monitoring and alerting systems
• Review password policies across the organisation
• Create an incident response plan
• Assess cyber insurance coverage

• Conduct a full security audit
• Test backup restoration procedures
• Implement data loss prevention tools
• Review vendor and third-party security
• Schedule penetration testing

• National Cyber Security Centre: https://www.ncsc.gov.uk/
• Information Commissioner's Office: https://ico.org.uk/
• Met Police Cyber Crime Unit: https://www.met.police.uk/advice/advice-and-information/fa/fraud/online-fraud/cyber-crime/
• UK Cyber Security Breaches Survey: https://www.gov.uk/government/collections/cyber-security-breaches-survey

• Comparitech: https://www.comparitech.com/
• Keeper Security: https://www.keepersecurity.com/
• Cybernews: https://cybernews.com/

• UK GDPR Guidance: https://ico.org.uk/for-organisations/guide-to-data-protection/
• Children's Data Protection: https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/children-and-the-uk-gdpr/

"What happened to Kido International this week represents the absolute lowest point I've witnessed in 40 years of cybersecurity."

"These hackers didn't just encrypt some files and demand payment. They actively posted samples of children's profiles online. Then they started ringing parents directly."

"You're not special. You're not too small. You're not immune. You're just next on the list unless you take action."

"The hackers claim they 'deserve some compensation for our pentest.' Let that sink in. They're calling this a penetration test."

"A child's photo, name, and home address in criminal hands. This data doesn't expire. It doesn't get less valuable. It just sits there, a permanent risk to these families."

"None of these failures are unique to nurseries or large organizations. I see the same problems in small businesses every single week."

"You're making the same mistakes that led to 8,000 children's data being posted on the dark web. The only difference is scale."

1. How would you respond if your business were to experience a similar attack?
2. What security measures do you currently have in place?
3. Do you know where your most sensitive data is stored and who can access it?
4. When was the last time you tested your backup restoration?
5. How would you handle direct contact from threat actors?

• Website: The Small Business Cyber Security Guy
• Email: hello@thesmallbusinesscybersecurityguy.co.uk
• LinkedIn: Noel Bradford

Need Help With Your Cybersecurity? Equate Group

If this episode made you think differently about cybersecurity, please:

• ⭐ Leave a 5-star review on Apple Podcasts
• 📢 Share this episode with other business owners
• 📧 Subscribe to get every new episode
• 💬 Join the conversation on social media using #KidoHack

The information provided in this podcast is for educational and informational purposes only. It does not constitute legal, financial, or professional cybersecurity advice. Always consult with qualified professionals regarding your specific situation. Opinions expressed are those of the host and do not necessarily reflect the views of any organisations mentioned.

Full episode transcript available at: TBC

#Cybersecurity #Ransomware #DataBreach #SmallBusiness #KidoHack #UKBusiness #CyberCrime #DataProtection #GDPR #InformationSecurity #CyberAwareness #ThreatIntelligence #BusinessSecurity #RansomwareAttack #ChildSafety

© 2025 The Small Business Cyber Security Guy Podcast. All rights reserved.

The episode unpacks headline-making investigations and statistics — including the ICO analysis showing that students are behind a majority of school data breaches, the PowerSchool compromise that affected tens of millions of records and led to extortion demands, and targeted campaigns such as Vice Society and the evolving Kiddo International incident. The hosts explain the motivations behind student-led breaches (curiosity, dares, financial gain, and revenge) and how those same drivers also appear within small businesses.

Noel and Mauven explain why insider threats matter, even when they aren’t sophisticated: most breaches exploit simple weaknesses, such as reused or guessable passwords, written notes, shared admin accounts, and a lack of access controls. Producer Graham contributes a live update on ongoing incidents, and the episode highlights how these events translate into operational disruptions — including school closures, days of downtime, and long-term reputational and legal fallout.

Practical defence is the episode’s focus: clear, actionable guidance covers immediate steps (audit access, enable multi-factor authentication, remove unnecessary privileges), short-term actions (implement logging and monitoring, deploy password managers, set up incident response procedures) and longer-term resilience measures (regular access reviews, backups, staff training and cultural change). The hosts emphasise designing security around human behaviour so staff follow safe practices instead of working around them.

Listeners will get a concise checklist of recommended technical controls — MFA, role-based access, privileged account separation, activity logging and reliable backups — alongside cultural advice: leadership buy-in, recognisable rewards for good security behaviour, and channels for curious employees to learn responsibly. The episode also highlights regulatory shifts, such as the introduction of mandatory Cyber Essentials for certain educational institutions, and links these requirements to small business risk management.

Expect vivid anecdotes, practical takeaways and a clear call-to-action: if a curious teenager can bypass your systems, it’s time to harden them. Whether you run a two-person firm or a growing small business, this episode provides the context, evidence, and step-by-step priorities to reduce insider risk, detect misuse quickly, and recover from incidents without compromising your customers’ trust.

This isn't just another breach story - it's a wake-up call for every UK business owner who thinks "it won't happen to us."

The Attack Breakdown [0:30]

• April 2024 attack by the Scattered Spider group
• Social engineering, not sophisticated exploits
• 6.5 million members affected (100% of Co-op members)
• 2,300 stores disrupted, 800 funeral homes on paper systems

The Real Cost [1:45]

• £80 million confirmed earnings impact
• £206 million total sales impact
• £20 million in direct incident costs
• Zero cyber insurance coverage

Why It Could Get Much Worse [2:30]

• Pending ICO fine: £15-20 million likely
• Individual GDPR compensation claims: £25-£150 per person
• Potential £325 million member compensation exposure
• Final bill estimate: £400-500 million

Lessons for UK Small Businesses [3:15]

• Social engineering beats technical defences
• Cyber insurance is essential, not optional
• Business continuity failures amplify costs
• Training matters more than firewalls

• £80 million - Confirmed earnings impact
• 6.5 million - Customers affected (every single member)
• £12 - Cost per affected customer (low by UK standards)
• £325 million - Potential member compensation exposure
• 17-20 years old - Age of arrested suspects
• 2,300+ - Stores affected by operational disruption

Full Analysis: Read the complete breakdown: Link 

Key Sources Cited:

• ICO Statement on Retail Cyber Incidents
• Computer Weekly: Co-op breach coverage
• Insurance Insider: Co-op's lack of cyber coverage
• UK Government Cyber Security Breaches Survey 2025

1. Check your cyber insurance policy - Do you have coverage? Is it adequate?
2. Review employee training - When was the last time your team received social engineering awareness training?
3. Test business continuity - Can your operations survive 2 weeks offline?
4. Read the full blog post - Get all the details and cost breakdowns

"Co-op's disaster isn't a cybersecurity failure. It's a business leadership failure. And if you're listening to this thinking your business is different, you're next."

Topics covered include the scale of the damage (JLR reportedly losing up to £5 million per day and sector-wide losses potentially exceeding £1 billion), the criminal methodology (simple social engineering and help-desk manipulation by groups linked to Lapsus-style actors), and the cascading supply-chain impacts across automotive and aviation sectors. The episode references confirmations from Anissa about Collins’ ransomware compromise and notes reactions from industry figures such as Chris MacDonald at the Department for Business and Trade, as well as large providers like Tata Consultancy Services, Microsoft and RTX/Collins Aerospace.

Key points you’ll take away: these attacks were largely preventable with basic controls — MFA (hardware keys), formal helpdesk identity verification, callback confirmation, network segmentation and focused security training — yet failures persist even at well-resourced organisations. Crucially, the episode explains DORA’s cross-border reach (applicable since 17 January 2025), how EU authorities can designate critical ICT third-party providers (including non-EU firms), the reporting and continuity obligations this triggers for financial entities, and the potential penalties (including fines up to around 1% of global turnover) and oversight mechanisms now coming into play.

Practical guidance for listeners covers immediate steps: map vendor dependencies and identify any providers serving EU financial entities; review and update contracts for DORA alignment; update incident response and continuity plans to reflect DORA reporting requirements; and deploy low-cost, high-impact controls like hardware MFA, strict helpdesk processes and segmentation. The episode also critiques the UK government’s reactive crisis management during these incidents and warns of an accelerating enforcement wave: designations, cross-border scrutiny and contractual overhauls are expected to intensify through 2025.

Ultimately, Moven argues this is the start of a new era — one where regulatory exposure flows through vendor dependencies and where organisational will, not technical capability, is the biggest barrier to resilience. Listeners will finish with a clear sense of urgency, the regulatory risks to assess, and concrete next steps to reduce operational and regulatory fallout from future incidents.

Hosts Noel Bradford and Mauven MacLeod unpack why paying one person a modest salary is not the same as buying a full team of specialists, and they share vivid real-world horror stories — from a sudden resignation that paralysed a 40-person engineering firm, to a ruined holiday when backups failed, to a marketing agency locked out by a burnt-out IT manager.

Key topics include the cost mismatch between expectations and reality, how knowledge concentration creates critical single points of failure, signs that your IT lead is drowning (long hours, no lunch breaks, defensiveness, lack of documentation), and how poor management decisions can make things worse.

Practical solutions are given: document everything, hire a competent number two rather than a trainee, engage managed service providers for specialist and 24/7 support, move critical services to cloud platforms to reduce on-site burden, and start with small, affordable steps like basic support contracts or break-fix services.

The episode includes personal anecdotes from Noel (the "Donny" and zoo-day stories) and a discussion of when to involve external help, how to create continuity plans, and three immediate actions business owners can take today.

Listeners are encouraged to have an open conversation with their IT person, assess real costs and risks, and take steps to protect both their systems and their staff from burnout and catastrophic failure.

Discover how fractional CIO/CISO services let 20-100 employee businesses access Fortune 500 expertise for £15,000-35,000 annually instead of £120,000+ for full-time hiring.

What You'll Learn

• The Real Difference Between CIO and CISO: Technology strategy vs security strategy (and why one person can do both).
• Why Dave from IT Needs Help: The unfair burden of strategic decisions on operational staff.
• Fractional Services Explained: How to get executive-level guidance for 8-12 hours per month.
• ROI Reality Check: Technology inefficiencies probably cost you more than £15k annually
• Finding Quality Providers: Red flags vs genuine executive experience.
• Integration Strategy: Treating fractional executives like Non-Executive Directors.

Key Takeaways

• Strategic technology and security leadership isn't just for large corporations.
• Fractional services cost £15,000-35,000 annually vs £120,000+ for full-time hiring
• Sound fractional executives enhance internal capabilities rather than replacing them.
• Treat fractional CIO/CISO like Non-Executive Directors - invite them to board meetings.
• Start with a current state assessment (£3,000-6,000) before ongoing engagement.

Diagnostic Questions

You probably need fractional CIO/CISO services if you answer "yes" to several of these:

• Technology decisions are made reactively rather than strategically
• Increasing tech spending without clear ROI visibility
• Security/compliance concerns are constantly pushed down the priority list
• Internal IT person making strategic decisions while handling operations
• Current systems won't scale with business growth plans
• Regulatory compliance anxiety about technology approaches

Episode Highlights

Real-World Example: A 15-person marketing agency saved £300/month and improved security by consolidating from multiple cloud storage solutions to a single strategic platform.

Cost Comparison: Fractional services at £150-350/hour for 8 hours monthly vs full-time CIO/CISO at £100,000-180,000 annually plus benefits and normal staffing costs.

Next Steps

1. Honest self-assessment of current technology/security decision-making
2. Calculate the annual cost of technology inefficiencies and security risks
3. Research fractional providers with genuine senior executive experience
4. Consider starting with the current state assessment project

Connect With Us

Hit subscribe, leave a review mentioning whether you're considering fractional services, and share with business owners making technology decisions without strategic guidance.

Remember: You don't need enterprise budgets to get enterprise thinking. And be kind to Dave - he's doing his best.

#FractionalCIO #FractionalCISO #CIO #CISO #ChiefInformationOfficer #ChiefInformationSecurityOfficer #FractionalExecutive #ITLeadership #TechnologyStrategy #SecurityStrategy #SmallBusiness #SMB #SmallBusinessOwners #Entrepreneurs #BusinessOwners #StartupLife #GrowingBusiness #ScaleUp #BusinessGrowth #SMBTech #ITStrategy #TechnologyLeadership #BusinessTechnology #ITManagement #DigitalTransformation #TechStack #CloudStrategy #ITBudget #TechnologyRoadmap #SystemsIntegration

Special Edition with Graham Falkner

Microsoft's September Patch Tuesday brings 81 security fixes, including 9 critical vulnerabilities already being exploited by attackers. This episode provides essential business guidance for small business owners navigating these updates safely and efficiently.

Key Topics Covered:

• Business impact of 81 security vulnerabilities
• Four critical threats affecting small businesses
• SharePoint Server active exploitation campaigns
• Network authentication bypass vulnerabilities
• 7-day practical deployment strategy
• Windows 10 end-of-life planning (October 14th deadline)
• Cyber Essentials compliance requirements

Critical Action Items:

• Days 1-2: Assess SharePoint installations and document processing systems
• Days 3-7: Deploy controlled testing and priority system updates
• Days 8-14: Complete production environment deployment
• Immediate: Audit all Windows 10 devices and plan migration

Windows 10 Urgent Notice:

Support ends October 14th, 2025. This may be the final security update for Windows 10 systems. Extended Security Updates available at significant cost. Migration planning required immediately.

Compliance Requirements:

Cyber Essentials certified organisations must deploy updates by September 23rd, 2025. Earlier deployment recommended for business risk management.

Vulnerable Systems Requiring Priority Attention:

• SharePoint Server installations (under active attack)
• Systems processing external documents and email attachments
• Network authentication infrastructure
• Customer data handling environments

Known Compatibility Issues:

• PowerShell Direct connection failures in virtualised environments
• SMB signing requirements affecting older network storage
• MSI installer UAC prompt changes

Sources:

• Microsoft Security Response Center - September 2025 Security Updates
• Verizon 2024 Data Breach Investigations Report
• UK GDPR Article 32 - Security of Processing Requirements
• Cyber Essentials Certification Guidelines

Resources:

Comprehensive deployment guides, compatibility checklists, and Windows 11 migration planning available at: thesmallbusinesscybersecurityguy.co.uk

Technical support documentation: Microsoft KB5065426, KB5065431, KB5065429

Next Steps:

Subscribe for regular cybersecurity updates. Share with business owners who need this information. Visit our website for detailed implementation guidance.

This episode provides educational information only. Always implement cybersecurity measures appropriate to your specific business needs and risk profile.

Hashtags:

#CyberSecurity #SmallBusiness #Windows10 #PatchTuesday #Microsoft #BusinessSecurity #ITSecurity #CyberEssentials #Windows11 #SecurityUpdates #BusinessContinuity #UKBusiness #Compliance #GDPR #CyberInsurance #NetworkSecurity #SharePoint #BusinessTech #InfoSec #DigitalSecurity

The Electoral Commission suffered a 14-month data breach affecting 40 million UK voters, yet faced zero ICO enforcement action. Meanwhile, small businesses receive crushing GDPR fines for minor infractions. This explosive episode exposes dangerous double standards leaving SMBs vulnerable while government bodies escape accountability.

The Shocking Facts

• Breach Duration: 14 months (August 2021 - October 2022)
• Affected People: 40 million UK voters' data accessible
• Attack Method: ProxyShell vulnerabilities - patches available months before breach
• Attribution: Chinese state-affiliated actors (APT31)
• ICO Response: "No enforcement action taken"

Security Failures That Would Destroy Small Businesses

• Default passwords still in use
• No password policy
• Multi-factor authentication not universal
• Critical security patches ignored for months
• One account used original issued password

ICO's Dangerous Double Standard

While the Electoral Commission faces zero consequences for exposing 40 million people's data, small businesses routinely receive thousands in fines for single email attachment breaches. This regulatory hypocrisy creates false security expectations and leaves SMBs as easy targets for cybercriminals and regulators.

Immediate Action Required: Patch Tuesday Compliance

The Electoral Commission's breach used ProxyShell vulnerabilities (CVE-2021-34473, CVE-2021-34523, CVE-2021-31207) patched months earlier. Every day you delay Microsoft updates increases breach risk and regulatory exposure.

Critical Steps Today:

1. Apply Microsoft Updates Now: Stop reading, patch systems, then continue
2. Audit Password Security: Eliminate default, weak, or original passwords
3. Implement Universal MFA: Multi-factor authentication on all accounts

Key Takeaways

• Government bodies receive preferential ICO treatment despite massive failures
• Small businesses face disproportionate scrutiny and penalties
• Basic security hygiene prevents most cyberattacks
• Professional cybersecurity help costs less than ICO fines
• Regulatory consistency doesn't exist - protect yourself accordingly

Why This Matters for Your Business

If the Electoral Commission can ignore basic cybersecurity for 14 months without consequences, imagine what happens when your business makes similar mistakes. The ICO needs examples - and it won't be government bodies.

Resources

• Microsoft Security Updates Portal
• NCSC Small Business Guidance
• ICO Data Protection Guidelines
• ProxyShell Vulnerability Database

Get Help

Need cybersecurity basics, patch management, or GDPR compliance help? Don't become the ICO's next small business example.

Email: help@thesmallbusinesscybersecurity.co.uk Website: thesmallbusinesscybersecurity.co.uk

Related Episodes

• Episode 8: White House CIO Insights - Government Security
• Episode 9: Cyber Essentials Framework
• Episode 6: Shadow IT Risks

Keywords

#ElectoralCommissionhack, #ICO #doublestandards, #GDPR, #PatchTuesday, #Microsoftupdates, #ProxyShellvulnerability

96% of hackers target YOUR business, not big corporations. Think you're too small to be a target? Think again.

Noel and Mauven reveal the brutal truth about cybersecurity that could save your business - or expose why you're already at risk.

💀 The Terrifying Reality:

• ​82% of ransomware attacks target businesses under 1,000 employees
• ​Small business employees face 350% MORE attacks than enterprise workers
• ​Average cyber incident costs UK businesses £362,000
• ​Only 17% of small businesses have cyber insurance

🛡️ What You'll Discover:

• ​The FREE security fix that stops most attacks (costs nothing, takes 30 seconds)
• ​Why Multi-Factor Authentication is your business lifeline
• ​How Cyber Essentials certification makes you 92% less likely to get attacked
• ​Government programs most business owners don't know exist
• ​Why this is a BUSINESS issue, not an IT problem

🎯 Perfect For:

• ​Small & medium business owners
• ​Anyone worried about cyber threats
• ​Business leaders who think they're "too small" to be targeted
• ​Companies looking for practical, affordable security solutions

💡 Key Takeaways:

• ​Multi-Factor Authentication everywhere - Enable it on email, accounting systems, cloud storage, and remote access. This one change stops the vast majority of attacks.
• ​Cyber Essentials certification - Organizations with this UK government scheme are 92% less likely to make insurance claims. Plus, Noel's preferred certification body includes up to £250,000 in cyber insurance coverage as part of the package!
• ​Staff training that actually works - Monthly 5-minute team discussions about real threats, not boring annual presentations.
• ​The 3-2-1 backup rule - Three copies of data, two different storage types, one completely offline.

⚡ Real Talk:

This isn't fear-mongering - it's business reality. Every day you delay basic cybersecurity is another day you're gambling with everything you've built.

The cost of prevention is ALWAYS less than the cost of recovery.

🔗 Take Action:

Start this week: Enable MFA on your email, research Cyber Essentials, schedule team security discussions.

Your future self will thank you.

Want to know more about Cyber Essentials certification with included insurance? Reach out to Noel directly.

Like what you heard? Subscribe, leave a review, and share with other business owners who need to hear this.

#Cybersecurity #SmallBusiness #CyberEssentials #BusinessSecurity #UKBusiness

Noel Bradford, with 40 years of experience in corporate security, and Maurven MacLeod, a former government cyber analyst who tracked nation-state actors, introduce themselves and explain why attackers are increasingly targeting customer databases and other easy-to-access systems. They describe common threat vectors and the mistakes that turn manageable incidents into business-ending disasters.

Topics covered include ransomware timelines, authentication failures, shadow IT risks, social engineering and real breach case studies. The hosts translate enterprise-level controls into simple, low-cost actions you can implement between customer calls — covering backups, multi-factor authentication, software hygiene, incident response basics and how to spot a phishing scam before it’s too late.

Key takeaways: perfect security is unattainable, but practical, layered defences dramatically reduce risk; small changes can stop most attacks; and preparation (not panic) is the difference between a blip and a shutdown. Expect clear, jargon-free advice, step-by-step recommendations and real lessons from the trenches.

Tune in for a fast, actionable guide to protecting your business assets and customer data. Subscribe to the Small Business Cybersecurity Guide for weekly episodes that make good security affordable and straightforward — because good security doesn't have to cost a fortune, but stupidity always does.

Over 2,000 jobs GONE. Centuries of business history DELETED. All because of weak passwords and basic security failures that could have been prevented for FREE.

🚨 THE VICTIMS:

• KNP Logistics: 158 years old, £94.5M revenue → 730 redundancies
• Travelex: Global currency giant → 1,309 UK job losses
• NRS Healthcare: NHS supplier → Currently liquidating after 16 months

💣 THE KILLER: Simple password attacks that Multi-Factor Authentication would have STOPPED

🛡️ WHAT YOU'LL LEARN:✅ The 5 fatal security failures that killed these companies✅ Why MFA blocks 99.9% of credential attacks (and costs nothing)✅ 30-60-90 day action plan to bulletproof your business✅ How to get leadership buy-in without breaking the bank✅ Real case studies from BBC Panorama investigations

⚡ TAKE ACTION NOW:Stop listening and enable MFA on your email systems RIGHT NOW. Your future self will thank you when you're not explaining redundancies to your staff.

Don't become the next cautionary tale in the UK's growing cyber graveyard.

#CyberSecurity #SmallBusiness #Ransomware #DataBreach #MFA #CyberAttack #BusinessSecurity #PasswordSecurity #UKBusiness #BusinessFailure

🎯 Shocking Revelations:

• 42% of business applications are unauthorised Shadow IT - Your parallel digital infrastructure you never knew existed
• Multi-factor authentication stops 90% of credential attacks - Yet businesses still resist this free silver bullet
• AI systems now write custom malware faster than humans can patch - Deepfakes fool CEOs, psychological manipulation targets individuals
• Supply chain attacks make YOU liable for everyone - Protecting clients, suppliers, and partners becomes your responsibility
• Most successful attacks still exploit basic failures - Unpatched systems, weak passwords, untested backups

🔥 Real Listener Questions Answered:

"My IT budget is three pounds fifty and digestives - how do I justify £8/month for security?"

"Staff revolt against MFA - how do I implement without workplace mutiny?"

"Found 17 project management tools in use - how do I consolidate without chaos?"

"Completely overwhelmed by 17 episodes - where do I actually start?"

"Client angry about payment verification - how do I explain without damaging relationships?"

⚡ What Actually Works :

Systematic thinking over panic-buying security products, modern endpoint protection with AI detection, verification procedures that defeat deepfakes, documentation that survives when Dave from IT leaves, regular testing cycles, and risk-based prioritisation focusing on high-impact areas first.

💥 What Consistently Fails:

"Set it and forget it" security measures, relying on users to spot sophisticated AI-crafted threats, compliance theatre without genuine implementation, single-solution approaches, the "we're too small to be targeted" delusion, and treating cybersecurity as IT-only responsibility.

🎯 Three Things to Implement Immediately:

1. Enable MFA everywhere - Free protection against 90% of credential attacks
2. Implement payment verification procedures - Call back on known numbers before acting
3. Test your backups regularly - Having backups ≠ having working backups

🎧 Perfect For:

Business owners feeling overwhelmed by cybersecurity complexity, IT managers defending security budgets to sceptical accountants, professionals tired of vendor marketing promising magic solutions, and anyone who thinks antivirus software equals comprehensive security.

From basic concepts to AI threats - the complete cybersecurity education in one retrospective episode.

Subscribe for weekly episodes making enterprise-level security thinking accessible for small business budgets. Real solutions, no vendor fluff, practical advice that actually works in the real world.

#SmallBusinessSecurity #CyberSecurity #MFA #ShadowIT #AIThreats #CyberEssentials #DataProtection #BusinessSecurity #TechSecurity #CyberDefense

🚨 Critical Cyber Threats to Small Business

AI-Powered Social Engineering

• 85% success rates against security professionals
• AI psychological profiling from social media
• Voice synthesis for CEO impersonation attacks
• Multi-month fake identity campaigns

Supply Chain Cyber Threats

• Coordinated ecosystem attacks across suppliers
• AI mapping of business relationships
• MSP compromises affecting 200+ networks
• Hardware backdoors surviving firmware updates

Automated Attack Evolution

• 6-hour vulnerability-to-exploit timeline
• 88% evasion of traditional antivirus
• Custom malware for each target
• Cybercrime-as-a-Service platforms

🛡️ Defending Against Modern Cyber Threats

Immediate Actions (Free)

1. Multi-channel verification for financial requests
2. Independent contact verification procedures
3. Staff training on systematic verification

Essential Tech Upgrades (£3-8/user/month)

• AI-powered endpoint protection (Microsoft Defender for Business, CrowdStrike)
• Network segmentation via modern firewalls
• Air-gapped backup systems
• ThreatLocker "Deny All by Default" protection

Cyber Essentials Framework

Version 3.2 updates include 14-day critical vulnerability patching, passwordless authentication recognition, and enhanced remote working requirements.

💼 Business Benefits Beyond Security

• Better insurance rates
• Government contract access
• Supply chain partnership opportunities
• Competitive advantage demonstration

🔥 TRENDING & HASHTAGS

Topics: DefCon 33 findings | AI cyber attacks | Small business vulnerabilities | Supply chain security

Hashtags: #CyberSecurity #SmallBusiness #DefCon33 #AISecurity #CyberThreats #BusinessProtection #UKBusiness #CyberEssentials #InfoSec #ThreatIntelligence #CyberDefense #BusinessSecurity #SecurityFirst

🚀 ENGAGEMENT HOOKS

🔥 URGENT: AI attacks now target small businesses within 6 weeks of DefCon demos 💡 FREE defence strategies that stop 85% of social engineering ⚡ Why your antivirus is useless against 2025 threats 🎯 Turn cybersecurity into competitive advantage

👍 LIKE if this helped you understand modern cyber threats 🔔 SUBSCRIBE for weekly threat intelligence 💬 COMMENT your biggest security concern 📤 SHARE with business owners using outdated protection

🎧 Listen now before these threats target YOUR business!

Subscribe for weekly cyber threat intelligence. Share with business owners still using basic antivirus protection against advanced threats.

Your backups aren't protecting you anymore—they're the primary target. In this explosive double-header episode, we expose why 94% of ransomware attacks now target backup systems first, and how Business Email Compromise enables these devastating attacks.

• Backup Reality Check: Why "immutable" storage isn't, and cloud sync ≠ backup protection
• Cloud Provider Truth Bomb: Neither Microsoft nor Google guarantee your data integrity
• BEC Epidemic: How £35+ billion in global losses connect to backup destruction
• Modern Attack Chains: Email compromise → reconnaissance → backup annihilation
• What Actually Works: Third-party solutions, testing reality, budget truths

• Only 27% of businesses successfully recover all data after incidents
• 30-40% of cyber insurance claims denied due to backup inadequacies
• Proper backup solutions cost £20-100/month, not £500+
• Process controls beat technical controls for BEC prevention
• Multi-channel verification saves businesses millions

• Noel Bradford - The Small Business Cyber Security Guy
• Mauven MacLeod - Ex-NCSC Cyber Expert
• Oliver Sterling - Veteran IT & Cyber Specialist
• Lucy Harper & Graham Falkner - Announcing The 10-Minute Cyber Fix daily show!

Starting Monday! Daily cybersecurity news analysis with Lucy Harper. Perfect for commute listening—cutting through vendor panic and media hyperbole to deliver what actually matters for YOUR business.

• Veeam Ransomware Trends Report 2024 - 94% backup targeting statistics
• FBI IC3 BEC Report 2023 - £35+ billion global losses
• Microsoft Online Services Terms - "Commercially reasonable efforts" reality
• NCSC BEC Guidance - UK government protection advice
• Action Fraud BEC Statistics - UK-specific loss data
• Cyber Essentials Scheme - UK government backup guidance
• Google Cloud Terms of Service - Data responsibility clauses

Third-Party Backup: Veeam Backup for Microsoft 365, Druva, Barracuda, Dropsuite, SkyKick

Key Point: Your cloud provider's backup ISN'T enough—you need independent protection.

1. Implement multi-channel verification for all financial requests
2. Test backup restoration regularly, not just backup completion
3. Deploy third-party backup for cloud services
4. Document procedures that work under pressure
5. Train staff on BEC recognition and response

Advanced Persistent Threats targeting SMBs - How nation-state techniques filter down to everyday criminals. Special guest from UK's Cyber Security Agency.

💼 LinkedIn: Mauven's getting job offers—someone's listening! 📧 Consulting: Real-world security help for small businesses 🎧 Daily Fix: Subscribe for Monday's launch of The 10-Minute Cyber Fix

⚖️ Disclaimer: Educational content only. Consult qualified professionals for business-specific advice. Not affiliated with any government agency or vendor.

🔥 If this episode saved you from a backup disaster or BEC scam, hit subscribe and share with fellow business owners who still think "it's in the cloud" means "it's safe"!

From deepfakes that fool CEOs to AI that writes custom malware in real-time, discover why traditional security approaches are failing and what you need to implement today to protect your business against tomorrow's threats.

What You'll Learn

• How sophisticated deepfakes are targeting UK businesses right now
• Why AI-powered social engineering succeeds 30% of the time vs 3% for traditional phishing
• How criminals are using AI to generate custom malware faster than humans can patch it
• Practical defenses that work against AI threats without enterprise budgets
• What the future threat landscape means for small business cybersecurity

Key Takeaways

🔐 Implement multi-channel verification for all financial transactions and sensitive requests 🔐 Upgrade to AI-powered endpoint protection - traditional antivirus is obsolete 🔐 Train staff on procedures, not threat recognition - create decision trees that work under pressure 🔐 Understand this is ongoing - build adaptive capabilities, not static defences

Source Attribution

This episode features insights from Theresa Payton's interview with the Scammer Payback podcast. Theresa served as the first female White House CIO under President George W. Bush and is a leading expert on cybersecurity threats and manipulation campaigns.

Full Interview: We strongly encourage listening to the complete Theresa Payton interview on Scammer Payback for comprehensive coverage of nation-state threats, deepfakes, and digital privacy strategies.

About Scammer Payback: Excellent podcast and YouTube channel dedicated to exposing cybercriminal tactics and protecting people from fraud. Essential viewing/listening for anyone interested in cybersecurity.

Connect With Us

🎧 Subscribe for weekly cybersecurity insights for small business ⭐ Rate & Review - help other business owners find practical security advice 📱 Share with fellow business owners who need to understand AI threats 💬 Comment with your questions about AI security challenges

What's Next

Episode 11: Backup Security in the AI Age - When even your recovery procedures need defending against adaptive adversaries

Coming Soon: Deep dives into email security, mobile security, and building comprehensive security cultures for small business

Series Information

This episode completes our White House CIO Insights trilogy:

• Episode 8: The Threat Landscape Small Business Faces
• Episode 9: Cyber Essentials - Enterprise Security for Small Business
• Episode 10: Advanced Threats & AI (this episode)

Disclaimer: This podcast provides educational information about cybersecurity threats and defenses. Always consult with qualified cybersecurity professionals for specific advice about your business security needs.

Copyright: © 2025 The Small Business Cyber Security Guy Podcast. All rights reserved.

Show: The Small Business Cyber Security Guy Hot Take

Hosts: Graham Falkner & Noel Bradford

Episode Length: 7:30

Category: Business, Technology

Episode Description

The UK Government just dropped the most aggressive ransomware policy in the world - and it's about to make your small business a much more attractive target for criminals.

Join Graham and Noel as they break down the three shocking proposals that will reshape cyber threats for every British business by 2026.

What You'll Learn:

• Why 72% of consultation respondents backed payment bans despite industry panic
• How the "essential supplier" loophole could snare thousands of unsuspecting SMBs
• The brutal mathematics: £3K prevention vs £300K+ ransomware losses
• Why Cyber Essentials is about to become a business survival tool, not just compliance

Key Takeaway:

With criminals pivoting from locked-down public sector to easier SMB prey, you have 18 months to get your cyber house in order. Don't wait - the attack frequency is about to explode.

Key Statistics

• 72% Consultation support for payment ban

• £1B Global ransomware payments in 2023
• 80% Attack reduction with Cyber Essentials
• 18 Months to prepare before 2026

Key Topics

Government Ransomware Proposals

• Payment bans for public sector and CNI (no exceptions)
• Mandatory 72-hour incident reporting for all sectors
• Government pre-approval required for private sector payments
• Implementation timeline: Late 2026 (if passed)

The SMB Target Shift

• Global ransomware payments: $1 billion in 2023
• UK victims doubled on leak sites since 2022
• Attack displacement from public sector to private SMBs
• Volume strategy: 40 SMBs at £50K vs 1 NHS trust at £2M

Cyber Essentials Reality Check

• 68% reduction in successful ransomware attacks
• Five controls that actually work (when implemented properly)
• Insurance discounts becoming business necessity
• "Badges don't stop hackers, controls do"

Insurance Market Transformation

• Premium increases of 25-50% over next two years
• Claims denials for businesses without proper controls
• CE certification shifting from discount to baseline requirement

Real-World Case Studies:

• Post-ransom betrayal: Attackers left backdoors, insurance refused payout
• Lost government contract: SMB couldn't prove basic cyber hygiene after small breach
• Regulatory tag scenario: Sourdough bakery subject to cyber law for prison deliveries

Action Items

Immediate (Next 30 Days)

• Map CNI/public sector client relationships
• Assess potential supply chain compliance exposure
• Calculate business-specific ransomware impact costs
• Review current cyber insurance coverage terms

Short-term (90 Days)

• Begin Cyber Essentials certification process
• Implement five core security controls properly
• Establish professional security response relationships
• Test backup and recovery procedures monthly

Strategic (18 Months)

• Prepare for potential "essential supplier" designation
• Budget for insurance premium increases
• Develop incident response and crisis communication plans
• Create alternative business operation procedures

Blog Post: The UK Government's Ransomware Gambit: Why Your SMB Just Became a Bigger TargetRelated Episodes

• Episode 2: "Compliance Theatre vs Real Security"
• Episode 6: "Supply Chain Security: Your Weakest Link"

Rate and Review: Help other SMB owners discover critical cyber security insights by rating this episode on Spotify, Apple Podcasts, or your preferred platform.

Questions? Email: hello@thesmallbusinesscybersecurityguy.co.uk

Website: www.thesmallbusinesscybersecurityguy.co.uk

Episode Credits

Hosts: Graham Falkner, Noel Bradford Production: The Small Business Cyber Security Guy Copyright: © 2025 The Small Business Cyber Security Guy. All rights reserved.

Content for educational purposes. Consult cybersecurity professionals for specific business advice.

Join Noel Bradford and Graham Falkner for another cybersecurity hot take as they dive into the alarming world of help desk social engineering attacks. This episode exposes how the notorious Scattered Spider group has weaponized basic human helpfulness to devastating effect, turning your friendly IT support into the front door for ransomware attacks.

From MGM's $100 million disaster to the recent wave of UK retail breaches (M&S, Co-op, Harrods), discover how teenagers armed with nothing more than convincing accents and sob stories are outsmarting million-pound security systems. Spoiler alert: it's not the tech that's failing us.

Key topics

• The Scattered Spider Phenomenon: Meet the English-speaking teenagers who graduated from Roblox to ransomware
• Help Desk Horror Stories: Why your MFA reset process is probably easier than ordering a dodgy kebab
• The MGM Masterclass: How one phone call led to 10 days of casino chaos
• UK Retail Ransomware Wave: The domino effect that took down half the high street
• Sandra's 3AM Security Failures: Why verification questions like "favourite biscuit" aren't cutting it
• Real Solutions That Actually Work: Beyond useless training modules to proper phishing-resistant MFA

Notable Quotes

"You can get your entire digital life reset with less hassle than ordering a dodgy kebab after the pub."

"The help desk culture these days - it's like the Wild West, but with more hold music and less gunfire."

"If your help desk can be outwitted by someone who sounds like they're late for a Fortnite tournament, you've got bigger problems than patching Windows."

"It's not hacking, it's just really, really good acting."

What You'll Learn

• How Scattered Spider targets help desk processes with surgical precision
• Why traditional security questions are laughably inadequate
• The real-world impact of social engineering attacks on major retailers
• Practical defenses that actually work (hint: it's not more training)
• Why your business might be the stepping stone, not the target

Solutions Discussed

• Video verification for all MFA resets
• Phishing-resistant MFA (FIDO2 keys, smart cards, PKI certificates)
• Proper RMM tool controls with device whitelisting and geographic restrictions
• Zero unauthenticated resets policy
• Monitoring for unusual authentication patterns

Episode Hightlights

• The career trajectory from Minecraft to MGM hacking
• Why "favourite colour" security questions are a disaster waiting to happen
• The proposed "angry Scottish nans verification panel" security policy
• The legendary cat impression MFA reset incident
• How one help desk call can ransomware half the high street

Perfect For

• Small business owners worried about cybersecurity
• IT professionals dealing with help desk security
• Anyone who's ever reset a password over the phone
• Security-conscious listeners who enjoy a good dose of British humor with their cyber threats

#Cybersecurity #ScatteredSpider #Ransomware #SocialEngineering #HelpDesk #MFA #UKRetail #MGM #SmallBusiness #InfoSec #PhishingResistant #SecurityAwareness

Remember: Security isn't about being perfect, it's about being better than the bloke next door. Don't let Sandra near the reset button after midnight!

See - https://www.noelbradford.com/blog/scattered-spider-helpdesk-mfa-reset-attack-warning-uk-2025