
Explore every episode of the podcast The Small Business Cyber Security Guy | Cybersecurity for SMB & Startups

Dive into the complete episode list for The Small Business Cyber Security Guy | Cybersecurity for SMB & Startups. Each episode is cataloged with detailed descriptions, making it easy to find and explore specific topics. Keep track of all episodes from your favorite podcast and never miss a moment of insightful content.


Title | Pub. Date | Duration

Why Windows 11 25H2 Is a Quiet Security Game-Changer | 01 Oct 2025 | 00:10:10

Host Graham Faulkner dives into Windows 11 25H2 in this solo episode, explaining why this understated update matters for security, stability, and small-business productivity. He breaks down how 25H2 arrives as an Enablement Package (EKB), what that means if you’re already on 24H2, and why the streamlined rollout keeps disruptions to a minimum.

The episode covers key technical and practical changes: removal of legacy components like PowerShell 2.0 and WMIC, continued performance improvements (CPU scheduling, memory management, faster startups), and expanded Wi‑Fi 7 support. Graham highlights Microsoft’s shift toward continuous monthly innovation and why that helps maintain a more secure, reliable environment without waiting for big yearly releases.

Security is a major focus: Graham explains Microsoft’s Secure Future initiative, which brings AI-assisted secure coding and enhanced vulnerability detection into the development and post-release lifecycle. He frames these advances for small business owners, showing how better detection and automated security practices reduce risk and downtime.

Practical deployment and lifecycle details are explained clearly: support-cycle resets (24 months for Home/Pro, 36 months for Enterprise/Education), how to get 25H2 via the “Get the Latest Updates” toggle, controlled rollouts and device holds, and enterprise deployment options like Windows AutoPatch and the Microsoft 365 Admin Center. He also covers admin-friendly improvements such as removing preinstalled Microsoft Store apps with Intune or Group Policy.

The episode closes with hands-on advice: check the Windows Release Health Hub for known issues, back up critical machines before upgrading, verify driver and app compatibility, and prepare rollback plans for important systems. Graham adds a personal anecdote about preparing his vinyl-catalog PC for the update and stresses that 25H2 is about steady, practical improvements—safer, faster, and less disruptive for both single machines and fleets.

Your 3-Year-Old's Data Is on the Dark Web Right Now: The Kido Wake-Up Call | 30 Sep 2025 | 00:18:00

In 40 years of Information Technology work, Noel Bradford has never been this angry. On September 25th, 2025, the Radiant ransomware gang stole personal data from 8,000 children at Kido International nurseries, posted their photos and medical records online, and then started calling parents at home to demand ransom payments. This isn't just another data breach. This is the moment cybercrime lost whatever soul it had left.

In this raw, unfiltered episode, Noel breaks down exactly what happened, why the security failures that enabled this attack exist in thousands of UK small businesses right now, and what you need to do immediately to protect your organisation from becoming the NEXT headline.

WARNING: This episode contains strong language and discusses disturbing tactics used by cybercriminals. Parental guidance advised.

What You'll Learn
  • The complete timeline of the Kido ransomware attack and how it unfolded
  • Why hackers spent weeks inside the network before striking
  • The new escalation tactic of directly contacting victims' families
  • Five critical security failures that allowed 8,000 children's records to be stolen
  • Why "we're too small to be targeted" is the most dangerous lie in business
  • The regulatory consequences Kido faces under UK GDPR
  • Immediate action steps every small business must take NOW
  • Why this attack signals a fundamental shift in cybercrime tactics

Key Takeaways
The Five Critical Failures
  1. Initial Access Was Preventable - Likely phishing, weak passwords, or unpatched vulnerabilities
  2. No Monitoring - Weeks of dwell time with zero detection
  3. No Network Segmentation - Hackers accessed everything once inside
  4. No Data Loss Prevention - 8,000 records exfiltrated without triggering alarms
  5. Inadequate Backups - No mention of restoration from clean backups
New Threat Landscape Reality
  • Ransomware gangs now directly contact victims' families
  • Children's data is being weaponised for psychological pressure
  • Moral boundaries in cybercrime have completely dissolved
  • Attack tactics proven successful will be replicated by other groups
Business Impact Statistics
  • 43% of UK businesses suffered a breach in the past year
  • Nearly 50% of primary schools reported cyber incidents
  • 60% of secondary schools experienced attacks
  • The education sector is particularly vulnerable
Featured Experts & Sources

Government & Law Enforcement:

  • Metropolitan Police Cyber Crime Unit
  • Information Commissioner's Office (ICO)
  • Jonathon Ellison, Director for National Resilience, National Cyber Security Centre

Cybersecurity Experts:

  • Rebecca Moody, Head of Data Research, Comparitech
  • Anne Cutler, Cybersecurity Expert, Keeper Security
  • Mantas Sabeckis, Infosecurity Researcher, Cybernews

Direct Victims:

  • Stephen Gilbert, Parent with two children at Kido nursery

Threat Actors:

  • Radiant Ransomware Gang (claims to be Russia-based)
Immediate Action Checklist
Do These TODAY:
  • Enable multi-factor authentication on ALL business accounts
  • Check that all software is updated to the latest versions
  • Review who has access to sensitive data
  • Verify backups exist and are stored offline
  • Schedule staff phishing awareness training
Do These This Week:
  • Audit your network segmentation
  • Implement monitoring and alerting systems
  • Review password policies across the organisation
  • Create an incident response plan
  • Assess cyber insurance coverage
Do These This Month:
  • Conduct a full security audit
  • Test backup restoration procedures
  • Implement data loss prevention tools
  • Review vendor and third-party security
  • Schedule penetration testing
Resources Mentioned: Government Resources, Cybersecurity Companies, Legal & Compliance

Episode Quotes

"What happened to Kido International this week represents the absolute lowest point I've witnessed in 40 years of cybersecurity."

"These hackers didn't just encrypt some files and demand payment. They actively posted samples of children's profiles online. Then they started ringing parents directly."

"You're not special. You're not too small. You're not immune. You're just next on the list unless you take action."

"The hackers claim they 'deserve some compensation for our pentest.' Let that sink in. They're calling this a penetration test."

"A child's photo, name, and home address in criminal hands. This data doesn't expire. It doesn't get less valuable. It just sits there, a permanent risk to these families."

"None of these failures are unique to nurseries or large organizations. I see the same problems in small businesses every single week."

"You're making the same mistakes that led to 8,000 children's data being posted on the dark web. The only difference is scale."

Discussion Questions
  1. How would you respond if your business were to experience a similar attack?
  2. What security measures do you currently have in place?
  3. Do you know where your most sensitive data is stored and who can access it?
  4. When was the last time you tested your backup restoration?
  5. How would you handle direct contact from threat actors?
Connect With Noel Bradford

Need Help With Your Cybersecurity? Equate Group

Support The Podcast

If this episode made you think differently about cybersecurity, please:

  • ⭐ Leave a 5-star review on Apple Podcasts
  • 📢 Share this episode with other business owners
  • 📧 Subscribe to get every new episode
  • 💬 Join the conversation on social media using #KidoHack


Legal Disclaimer

The information provided in this podcast is for educational and informational purposes only. It does not constitute legal, financial, or professional cybersecurity advice. Always consult with qualified professionals regarding your specific situation. Opinions expressed are those of the host and do not necessarily reflect the views of any organisations mentioned.

Transcript

Full episode transcript available at: TBC

Episode Tags

#Cybersecurity #Ransomware #DataBreach #SmallBusiness #KidoHack #UKBusiness #CyberCrime #DataProtection #GDPR #InformationSecurity #CyberAwareness #ThreatIntelligence #BusinessSecurity #RansomwareAttack #ChildSafety

© 2025 The Small Business Cyber Security Guy Podcast. All rights reserved.

EXPOSED: How One Weak Password Killed a 158-Year-Old Company & Cost 2,000+ Jobs (The UK Cyber Graveyard) | 01 Sep 2025 | 00:38:55

💀 Welcome to the UK's Cyber Graveyard 💀

Over 2,000 jobs GONE. Centuries of business history DELETED. All because of weak passwords and basic security failures that could have been prevented for FREE.

🚨 THE VICTIMS:

  • KNP Logistics: 158 years old, £94.5M revenue → 730 redundancies
  • Travelex: Global currency giant → 1,309 UK job losses
  • NRS Healthcare: NHS supplier → Currently liquidating after 16 months

💣 THE KILLER: Simple password attacks that Multi-Factor Authentication would have STOPPED

🛡️ WHAT YOU'LL LEARN:
  ✅ The 5 fatal security failures that killed these companies
  ✅ Why MFA blocks 99.9% of credential attacks (and costs nothing)
  ✅ 30-60-90 day action plan to bulletproof your business
  ✅ How to get leadership buy-in without breaking the bank
  ✅ Real case studies from BBC Panorama investigations

⚡ TAKE ACTION NOW: Stop listening and enable MFA on your email systems RIGHT NOW. Your future self will thank you when you're not explaining redundancies to your staff.

Don't become the next cautionary tale in the UK's growing cyber graveyard.

#CyberSecurity #SmallBusiness #Ransomware #DataBreach #MFA #CyberAttack #BusinessSecurity #PasswordSecurity #UKBusiness #BusinessFailure

The Shocking Truth About What Actually Works in Small Business Cybersecurity | 25 Aug 2025 | 00:48:13

After 17 episodes covering everything from basic password security to nation-state threats targeting corner shops, Noel and Mauven reveal what actually works, what consistently fails, and why most businesses are fighting 2019 threats with 2015 thinking while facing 2025 attack methods.

🎯 Shocking Revelations:

  • 42% of business applications are unauthorised Shadow IT - Your parallel digital infrastructure you never knew existed
  • Multi-factor authentication stops 90% of credential attacks - Yet businesses still resist this free silver bullet
  • AI systems now write custom malware faster than humans can patch - Deepfakes fool CEOs, psychological manipulation targets individuals
  • Supply chain attacks make YOU liable for everyone - Protecting clients, suppliers, and partners becomes your responsibility
  • Most successful attacks still exploit basic failures - Unpatched systems, weak passwords, untested backups

🔥 Real Listener Questions Answered:

"My IT budget is three pounds fifty and digestives - how do I justify £8/month for security?"

"Staff revolt against MFA - how do I implement without workplace mutiny?"

"Found 17 project management tools in use - how do I consolidate without chaos?"

"Completely overwhelmed by 17 episodes - where do I actually start?"

"Client angry about payment verification - how do I explain without damaging relationships?"

⚡ What Actually Works:

Systematic thinking over panic-buying security products, modern endpoint protection with AI detection, verification procedures that defeat deepfakes, documentation that survives when Dave from IT leaves, regular testing cycles, and risk-based prioritisation focusing on high-impact areas first.

💥 What Consistently Fails:

"Set it and forget it" security measures, relying on users to spot sophisticated AI-crafted threats, compliance theatre without genuine implementation, single-solution approaches, the "we're too small to be targeted" delusion, and treating cybersecurity as IT-only responsibility.

🎯 Three Things to Implement Immediately:

  1. Enable MFA everywhere - Free protection against 90% of credential attacks
  2. Implement payment verification procedures - Call back on known numbers before acting
  3. Test your backups regularly - Having backups ≠ having working backups

🎧 Perfect For:

Business owners feeling overwhelmed by cybersecurity complexity, IT managers defending security budgets to sceptical accountants, professionals tired of vendor marketing promising magic solutions, and anyone who thinks antivirus software equals comprehensive security.

From basic concepts to AI threats - the complete cybersecurity education in one retrospective episode.

Subscribe for weekly episodes making enterprise-level security thinking accessible for small business budgets. Real solutions, no vendor fluff, practical advice that actually works in the real world.

#SmallBusinessSecurity #CyberSecurity #MFA #ShadowIT #AIThreats #CyberEssentials #DataProtection #BusinessSecurity #TechSecurity #CyberDefense

AI Cyber Threats Target Small Business - insights from DefCon 33 & Black Hat 2025 | 18 Aug 2025 | 00:46:47

🎧 Latest Episode Alert | Fresh intelligence from DefCon 33 reveals how AI-enhanced cyber threats to small business are accelerating rapidly. Techniques demonstrated in Las Vegas are targeting UK businesses within weeks.

🚨 Critical Cyber Threats to Small Business

AI-Powered Social Engineering

  • 85% success rates against security professionals
  • AI psychological profiling from social media
  • Voice synthesis for CEO impersonation attacks
  • Multi-month fake identity campaigns

Supply Chain Cyber Threats

  • Coordinated ecosystem attacks across suppliers
  • AI mapping of business relationships
  • MSP compromises affecting 200+ networks
  • Hardware backdoors surviving firmware updates

Automated Attack Evolution

  • 6-hour vulnerability-to-exploit timeline
  • 88% evasion of traditional antivirus
  • Custom malware for each target
  • Cybercrime-as-a-Service platforms

🛡️ Defending Against Modern Cyber Threats

Immediate Actions (Free)

  1. Multi-channel verification for financial requests
  2. Independent contact verification procedures
  3. Staff training on systematic verification

Essential Tech Upgrades (£3-8/user/month)

  • AI-powered endpoint protection (Microsoft Defender for Business, CrowdStrike)
  • Network segmentation via modern firewalls
  • Air-gapped backup systems
  • ThreatLocker "Deny All by Default" protection

Cyber Essentials Framework

Version 3.2 updates include 14-day critical vulnerability patching, passwordless authentication recognition, and enhanced remote working requirements.

💼 Business Benefits Beyond Security

  • Better insurance rates
  • Government contract access
  • Supply chain partnership opportunities
  • Competitive advantage demonstration

🔥 TRENDING & HASHTAGS

Topics: DefCon 33 findings | AI cyber attacks | Small business vulnerabilities | Supply chain security

Hashtags: #CyberSecurity #SmallBusiness #DefCon33 #AISecurity #CyberThreats #BusinessProtection #UKBusiness #CyberEssentials #InfoSec #ThreatIntelligence #CyberDefense #BusinessSecurity #SecurityFirst

🚀 ENGAGEMENT HOOKS

🔥 URGENT: AI attacks now target small businesses within 6 weeks of DefCon demos
💡 FREE defence strategies that stop 85% of social engineering
⚡ Why your antivirus is useless against 2025 threats
🎯 Turn cybersecurity into competitive advantage

👍 LIKE if this helped you understand modern cyber threats
🔔 SUBSCRIBE for weekly threat intelligence
💬 COMMENT your biggest security concern
📤 SHARE with business owners using outdated protection

🎧 Listen now before these threats target YOUR business!

Subscribe for weekly cyber threat intelligence. Share with business owners still using basic antivirus protection against advanced threats.

When Your Safety Net Becomes the Target | 11 Aug 2025 | 00:31:14

🚨 Episode 11: When Your Safety Net Becomes the Target

Backup Security Under Fire + Business Email Compromise Reality Check

Your backups aren't protecting you anymore—they're the primary target. In this explosive double-header episode, we expose why 94% of ransomware attacks now target backup systems first, and how Business Email Compromise enables these devastating attacks.

🎯 What You'll Learn:
  • Backup Reality Check: Why "immutable" storage isn't, and cloud sync ≠ backup protection
  • Cloud Provider Truth Bomb: Neither Microsoft nor Google guarantee your data integrity
  • BEC Epidemic: How £35+ billion in global losses connect to backup destruction
  • Modern Attack Chains: Email compromise → reconnaissance → backup annihilation
  • What Actually Works: Third-party solutions, testing reality, budget truths
💡 Key Takeaways:
  • Only 27% of businesses successfully recover all data after incidents
  • 30-40% of cyber insurance claims denied due to backup inadequacies
  • Proper backup solutions cost £20-100/month, not £500+
  • Process controls beat technical controls for BEC prevention
  • Multi-channel verification saves businesses millions
🎙️ Hosts & Guests:
  • Noel Bradford - The Small Business Cyber Security Guy
  • Mauven MacLeod - Ex-NCSC Cyber Expert
  • Oliver Sterling - Veteran IT & Cyber Specialist
  • Lucy Harper & Graham Falkner - Announcing The 10-Minute Cyber Fix daily show!
📺 NEW: The 10-Minute Cyber Fix

Starting Monday! Daily cybersecurity news analysis with Lucy Harper. Perfect for commute listening—cutting through vendor panic and media hyperbole to deliver what actually matters for YOUR business.

🔗 Essential Resources:

💰 Vendor Solutions Mentioned:

Third-Party Backup: Veeam Backup for Microsoft 365, Druva, Barracuda, Dropsuite, SkyKick

Key Point: Your cloud provider's backup ISN'T enough—you need independent protection.

⚠️ Critical Actions:
  1. Implement multi-channel verification for all financial requests
  2. Test backup restoration regularly, not just backup completion
  3. Deploy third-party backup for cloud services
  4. Document procedures that work under pressure
  5. Train staff on BEC recognition and response
🎯 Next Week Preview:

Advanced Persistent Threats targeting SMBs - How nation-state techniques filter down to everyday criminals. Special guest from UK's Cyber Security Agency.

📱 Connect With Us:

💼 LinkedIn: Mauven's getting job offers—someone's listening!
📧 Consulting: Real-world security help for small businesses
🎧 Daily Fix: Subscribe for Monday's launch of The 10-Minute Cyber Fix

⚖️ Disclaimer: Educational content only. Consult qualified professionals for business-specific advice. Not affiliated with any government agency or vendor.

🔥 If this episode saved you from a backup disaster or BEC scam, hit subscribe and share with fellow business owners who still think "it's in the cloud" means "it's safe"!

White House CIO Insights Part 3 - Advanced Threats & AI | 04 Aug 2025 | 00:45:52

In the final part of our White House CIO Insights series, we explore the cutting-edge AI-powered threats that are transforming cybersecurity. Our special guest Sarah Chen, who heads up AI threat research at a leading UK cybersecurity firm, reveals how artificial intelligence is being weaponized by criminals - and what small businesses can do to defend themselves.

From deepfakes that fool CEOs to AI that writes custom malware in real-time, discover why traditional security approaches are failing and what you need to implement today to protect your business against tomorrow's threats.

What You'll Learn

  • How sophisticated deepfakes are targeting UK businesses right now
  • Why AI-powered social engineering succeeds 30% of the time vs 3% for traditional phishing
  • How criminals are using AI to generate custom malware faster than humans can patch it
  • Practical defenses that work against AI threats without enterprise budgets
  • What the future threat landscape means for small business cybersecurity

Key Takeaways

🔐 Implement multi-channel verification for all financial transactions and sensitive requests
🔐 Upgrade to AI-powered endpoint protection - traditional antivirus is obsolete
🔐 Train staff on procedures, not threat recognition - create decision trees that work under pressure
🔐 Understand this is ongoing - build adaptive capabilities, not static defences

Source Attribution

This episode features insights from Theresa Payton's interview with the Scammer Payback podcast. Theresa served as the first female White House CIO under President George W. Bush and is a leading expert on cybersecurity threats and manipulation campaigns.

Full Interview: We strongly encourage listening to the complete Theresa Payton interview on Scammer Payback for comprehensive coverage of nation-state threats, deepfakes, and digital privacy strategies.

About Scammer Payback: Excellent podcast and YouTube channel dedicated to exposing cybercriminal tactics and protecting people from fraud. Essential viewing/listening for anyone interested in cybersecurity.

Connect With Us

🎧 Subscribe for weekly cybersecurity insights for small business
⭐ Rate & Review - help other business owners find practical security advice
📱 Share with fellow business owners who need to understand AI threats
💬 Comment with your questions about AI security challenges

What's Next

Episode 11: Backup Security in the AI Age - When even your recovery procedures need defending against adaptive adversaries

Coming Soon: Deep dives into email security, mobile security, and building comprehensive security cultures for small business

Series Information

This episode completes our White House CIO Insights trilogy:

Disclaimer: This podcast provides educational information about cybersecurity threats and defenses. Always consult with qualified cybersecurity professionals for specific advice about your business security needs.

Copyright: © 2025 The Small Business Cyber Security Guy Podcast. All rights reserved.

The UK Government’s Ransomware Gambit: Why Your SMB Just Became a Bigger Target | 01 Aug 2025 | 00:08:20

UK Ransomware Ban: Why Your SMB Just Became a Bigger Target

Show: The Small Business Cyber Security Guy Hot Take

Hosts: Graham Falkner & Noel Bradford

Episode Length: 7:30

Category: Business, Technology

Episode Description

The UK Government just dropped the most aggressive ransomware policy in the world - and it's about to make your small business a much more attractive target for criminals.

Join Graham and Noel as they break down the three shocking proposals that will reshape cyber threats for every British business by 2026.

What You'll Learn:

  • Why 72% of consultation respondents backed payment bans despite industry panic
  • How the "essential supplier" loophole could snare thousands of unsuspecting SMBs
  • The brutal mathematics: £3K prevention vs £300K+ ransomware losses
  • Why Cyber Essentials is about to become a business survival tool, not just compliance

Key Takeaway:

With criminals pivoting from locked-down public sector to easier SMB prey, you have 18 months to get your cyber house in order. Don't wait - the attack frequency is about to explode.

Key Statistics

  • 72% Consultation support for payment ban
  • £1B Global ransomware payments in 2023
  • 80% Attack reduction with Cyber Essentials
  • 18 Months to prepare before 2026

Key Topics

Government Ransomware Proposals

  • Payment bans for public sector and CNI (no exceptions)
  • Mandatory 72-hour incident reporting for all sectors
  • Government pre-approval required for private sector payments
  • Implementation timeline: Late 2026 (if passed)

The SMB Target Shift

  • Global ransomware payments: $1 billion in 2023
  • UK victims doubled on leak sites since 2022
  • Attack displacement from public sector to private SMBs
  • Volume strategy: 40 SMBs at £50K vs 1 NHS trust at £2M

Cyber Essentials Reality Check

  • 68% reduction in successful ransomware attacks
  • Five controls that actually work (when implemented properly)
  • Insurance discounts becoming business necessity
  • "Badges don't stop hackers, controls do"

Insurance Market Transformation

  • Premium increases of 25-50% over next two years
  • Claims denials for businesses without proper controls
  • CE certification shifting from discount to baseline requirement

Real-World Case Studies:

  • Post-ransom betrayal: Attackers left backdoors, insurance refused payout
  • Lost government contract: SMB couldn't prove basic cyber hygiene after small breach
  • Regulatory tag scenario: Sourdough bakery subject to cyber law for prison deliveries

Action Items

Immediate (Next 30 Days)

  • Map CNI/public sector client relationships
  • Assess potential supply chain compliance exposure
  • Calculate business-specific ransomware impact costs
  • Review current cyber insurance coverage terms

Short-term (90 Days)

  • Begin Cyber Essentials certification process
  • Implement five core security controls properly
  • Establish professional security response relationships
  • Test backup and recovery procedures monthly

Strategic (18 Months)

  • Prepare for potential "essential supplier" designation
  • Budget for insurance premium increases
  • Develop incident response and crisis communication plans
  • Create alternative business operation procedures

Blog Post: The UK Government's Ransomware Gambit: Why Your SMB Just Became a Bigger Target

Related Episodes

Rate and Review: Help other SMB owners discover critical cyber security insights by rating this episode on Spotify, Apple Podcasts, or your preferred platform.

Questions? Email: hello@thesmallbusinesscybersecurityguy.co.uk

Website: www.thesmallbusinesscybersecurityguy.co.uk

Episode Credits

Hosts: Graham Falkner, Noel Bradford
Production: The Small Business Cyber Security Guy
Copyright: © 2025 The Small Business Cyber Security Guy. All rights reserved.

Content for educational purposes. Consult cybersecurity professionals for specific business advice.

Help Desk MFA Reset Fails: Scattered Spider vs. UK Retail | 31 Jul 2025 | 00:08:09

Episode Description

Join Noel Bradford and Graham Falkner for another cybersecurity hot take as they dive into the alarming world of help desk social engineering attacks. This episode exposes how the notorious Scattered Spider group has weaponized basic human helpfulness to devastating effect, turning your friendly IT support into the front door for ransomware attacks.

From MGM's $100 million disaster to the recent wave of UK retail breaches (M&S, Co-op, Harrods), discover how teenagers armed with nothing more than convincing accents and sob stories are outsmarting million-pound security systems. Spoiler alert: it's not the tech that's failing us.

Key topics

  • The Scattered Spider Phenomenon: Meet the English-speaking teenagers who graduated from Roblox to ransomware
  • Help Desk Horror Stories: Why your MFA reset process is probably easier than ordering a dodgy kebab
  • The MGM Masterclass: How one phone call led to 10 days of casino chaos
  • UK Retail Ransomware Wave: The domino effect that took down half the high street
  • Sandra's 3AM Security Failures: Why verification questions like "favourite biscuit" aren't cutting it
  • Real Solutions That Actually Work: Beyond useless training modules to proper phishing-resistant MFA

Notable Quotes

"You can get your entire digital life reset with less hassle than ordering a dodgy kebab after the pub."

"The help desk culture these days - it's like the Wild West, but with more hold music and less gunfire."

"If your help desk can be outwitted by someone who sounds like they're late for a Fortnite tournament, you've got bigger problems than patching Windows."

"It's not hacking, it's just really, really good acting."

What You'll Learn

  • How Scattered Spider targets help desk processes with surgical precision
  • Why traditional security questions are laughably inadequate
  • The real-world impact of social engineering attacks on major retailers
  • Practical defenses that actually work (hint: it's not more training)
  • Why your business might be the stepping stone, not the target

Solutions Discussed

  • Video verification for all MFA resets
  • Phishing-resistant MFA (FIDO2 keys, smart cards, PKI certificates)
  • Proper RMM tool controls with device whitelisting and geographic restrictions
  • Zero unauthenticated resets policy
  • Monitoring for unusual authentication patterns

Episode Highlights

  • The career trajectory from Minecraft to MGM hacking
  • Why "favourite colour" security questions are a disaster waiting to happen
  • The proposed "angry Scottish nans verification panel" security policy
  • The legendary cat impression MFA reset incident
  • How one help desk call can ransomware half the high street

Perfect For

  • Small business owners worried about cybersecurity
  • IT professionals dealing with help desk security
  • Anyone who's ever reset a password over the phone
  • Security-conscious listeners who enjoy a good dose of British humor with their cyber threats

#Cybersecurity #ScatteredSpider #Ransomware #SocialEngineering #HelpDesk #MFA #UKRetail #MGM #SmallBusiness #InfoSec #PhishingResistant #SecurityAwareness

Remember: Security isn't about being perfect, it's about being better than the bloke next door. Don't let Sandra near the reset button after midnight!

See - https://www.noelbradford.com/blog/scattered-spider-helpdesk-mfa-reset-attack-warning-uk-2025

Orwell was right - Big Brother is Watching just 41 years late - UK Online Protection Act is here! | 29 Jul 2025 | 00:10:54

1984 is here! Just 41 years late - Big Brother is watching and censorship is increasing.

The UK's Online Safety Act went live July 25th, 2025. VPN usage exploded 1,400% overnight. Teenagers are using PlayStation screenshots to bypass age verification.

Join Noel Bradford and Mauven MacLeod for an emergency breakdown of Britain's most expensive digital policy failure and why every tech-savvy teen is already laughing at it.

Warning: Contains passionate commentary about government digital policy

The Spectacular Failure (0:00-4:00)

  • ProtonVPN's 1,400% UK signup surge in 48 hours
  • Death Stranding character defeats government AI systems
  • Why teenagers always win the circumvention game
  • Digital cavity searches for legal content access

The Authoritarian Agenda (4:00-7:00)

  • Pattern of moral panics from rock music to the internet
  • Surveillance infrastructure outlasts the panic that created it
  • Ministers' unprecedented power to designate "harmful" content
  • International platforms blocking UK users entirely

The VPN Danger Zone (7:00-10:00)

  • Millions of non-tech users suddenly need VPN services
  • How to avoid data harvesting and malware traps
  • Red flags in free VPN services
  • Recommended providers with proven track records

The Bottom Line (10:00-12:00)

  • Why this was never about protecting children
  • Essential digital literacy in the circumvention era
  • The only rational response to broken digital policy
  • 1,400% increase in VPN signups within hours of enforcement
  • Over 280,000 signatures on petition to repeal the Act
  • 6+ years from conception to failure by video game screenshots
  • Zero responses from some platforms to compliance requirements

Cyber Essentials - White House Security Principles for UK Small Business | 28 Jul 2025 | 00:42:08

Part 2 of White House CIO Insights Series | ~38 minutes

How do you implement White House-level security without White House-level budgets? Building on insights from former White House CIO Theresa Payton's interview with Scammer Payback, Noel and Mauven explore the UK's Cyber Essentials framework - translating enterprise security principles into achievable small business requirements.

The Five Cyber Essentials Controls:

  1. Boundary Firewalls - Your digital perimeter defense
  2. Secure Configuration - Closing manufacturer security gaps
  3. Access Control & MFA - 90% credential attack prevention
  4. Malware Protection - Beyond traditional antivirus
  5. Security Update Management - Systematic patching

Key Takeaways:

  • Real implementation costs (£300+VAT basic certification, 2-4 weeks setup)
  • Business benefits: insurance discounts, government contracts, supply chain compliance
  • Why CE stops 80% of attacks targeting 80% of small businesses
  • When you need more than basic frameworks

Featured Content:

Audio clips from Theresa Payton interview courtesy of Scammer Payback Podcast

  • Building safety standards for cybersecurity
  • MFA stopping 90% of credential attacks
  • Systematic security thinking

Highly recommend the full Theresa Payton interview on Scammer Payback - covers nation-state threats, manipulation campaigns, deepfakes, and digital privacy. Essential cybersecurity listening.

Take Action This Week:

  1. Start Cyber Essentials self-assessment
  2. Enable multi-factor authentication everywhere
  3. Audit your third-party vendor list

Resources:

Next Episode: Advanced Threats & AI

The final White House CIO series episode tackles threats that challenge enterprise security teams: AI-powered attacks, executive-fooling deepfakes, and psychological social engineering.

Subscribe & Review | Share with business owners who think cybersecurity requires unlimited budgets

Special thanks to Daniel and Scammer Payback team

From White House situation rooms to your actual situation.

White House CIO Insights - The Threat Landscape Small Business Faces | 21 Jul 2025 | 00:38:29

What's scarier - protecting the President or a small business in Manchester? Former White House CIO Theresa Payton says they face exactly the same sophisticated threats now.

Runtime: 36 minutes | Series: Part 1 of 3 | Hosts: Noel Bradford & Mauven MacLeod

Key Topics Covered

  • Nation-state targeting: North Korea (vengeful), Iran (cyber mercenaries), Russia (everything), China (supply chains)
  • "Verify and never trust" - Evolution from Reagan's "trust but verify" for modern threats
  • Island hopping attacks - Small businesses as stepping stones to larger targets
  • White House security principles scaled for small business budgets
  • Multi-factor authentication - 90% effective against credential attacks
  • Supply chain vulnerabilities - Every vendor is a potential attack vector
  • Systematic security thinking - Enterprise mindset without enterprise costs

Major Takeaways

  1. Same threats, different resources - SMBs face enterprise-level attacks without enterprise budgets
  2. Verification is critical - Modern threats require systematic verification of all requests
  3. MFA is transformative - 90% attack prevention for minimal cost - no excuse not to implement
  4. Process over products - Systematic thinking matters more than expensive technology
  5. Asymmetric warfare reality - Defenders must succeed daily; attackers need one breakthrough
  6. British politeness problem - Don't let politeness override security verification

Featured Audio Clips

Powerful segments from Theresa Payton's comprehensive interview courtesy of Scammer Payback podcast - essential listening for modern cybersecurity insights.

Full Featured Interview: https://www.youtube.com/watch?v=ScammerPaybackTeresaPayton

About Scammer Payback: Outstanding podcast and YouTube channel fighting cybercrime daily while educating about online threats.

Resources & Links

Coming Next

Episode 9: Cyber Essentials - How UK government turned White House security principles into achievable small business framework. Five controls addressing 80% of attacks affecting 80% of SMBs.

Episode 10: Advanced Threats - AI, deepfakes, and social engineering that challenge even security professionals.

Your Immediate Action Items

  • Today: Implement multi-factor authentication on ALL business accounts
  • This week: Create verification procedures for payment/change requests
  • This month: Audit vendor security practices and supply chain dependencies
  • Ongoing: Train staff on "verify and never trust" protocols

Connect & Support

Website: thesmallbusinesscybersecurityguy.co.uk for actionable cybersecurity resources

Subscribe & Review: Help us reach more vulnerable businesses

Share: With that business owner using "password123" wondering why systems act strangely

From White House situation rooms to your actual business situation - if it's good enough for protecting the President, it's good enough for protecting your business.

#Cybersecurity #SmallBusiness #InfoSec #WhiteHouse #NationState #MFA #SupplyChain #CyberThreats #BusinessSecurity #CyberEssentials #Podcast #UKBusiness #SecurityAwareness #CyberDefense

Copyright 2025 The Small Business Cyber Security Guy Podcast - All rights reserved.

When Teen Hackers Test Your Defences: Lessons from the School Yard to the Boardroom | 29 Sep 2025 | 00:41:29

Join hosts Noel Bradford and Mauven MacLeod in this Back-to-School special of the Small Business Cybersecurity Guy podcast as they trace a line from 1980s schoolroom mischief to modern, large-scale breaches that put millions of students and small organisations at risk. Through recollections of early BBC Model B and Novell-era antics, the episode uses real recent incidents to expose how weak passwords, written credentials and opportunistic insiders create systemic security failures.

The episode unpacks headline-making investigations and statistics — including the ICO analysis showing that students are behind a majority of school data breaches, the PowerSchool compromise that affected tens of millions of records and led to extortion demands, and targeted campaigns such as Vice Society and the evolving Kiddo International incident. The hosts explain the motivations behind student-led breaches (curiosity, dares, financial gain, and revenge) and how those same drivers also appear within small businesses.

Noel and Mauven explain why insider threats matter, even when they aren’t sophisticated: most breaches exploit simple weaknesses, such as reused or guessable passwords, written notes, shared admin accounts, and a lack of access controls. Producer Graham contributes a live update on ongoing incidents, and the episode highlights how these events translate into operational disruptions — including school closures, days of downtime, and long-term reputational and legal fallout.

Practical defence is the episode’s focus: clear, actionable guidance covers immediate steps (audit access, enable multi-factor authentication, remove unnecessary privileges), short-term actions (implement logging and monitoring, deploy password managers, set up incident response procedures) and longer-term resilience measures (regular access reviews, backups, staff training and cultural change). The hosts emphasise designing security around human behaviour so staff follow safe practices instead of working around them.

Listeners will get a concise checklist of recommended technical controls — MFA, role-based access, privileged account separation, activity logging and reliable backups — alongside cultural advice: leadership buy-in, recognisable rewards for good security behaviour, and channels for curious employees to learn responsibly. The episode also highlights regulatory shifts, such as the introduction of mandatory Cyber Essentials for certain educational institutions, and links these requirements to small business risk management.

Expect vivid anecdotes, practical takeaways and a clear call-to-action: if a curious teenager can bypass your systems, it’s time to harden them. Whether you run a two-person firm or a growing small business, this episode provides the context, evidence, and step-by-step priorities to reduce insider risk, detect misuse quickly, and recover from incidents without compromising your customers’ trust.

The Hidden Dangers of Technical Debt | 14 Jul 2025 | 00:28:37

Show Notes

Duration: 25:16

Hosts: Mauven MacLeod & Noel Bradford

Technical debt isn't just old computers - it's a ticking time bomb in every UK business. When Noel discovers his local Oxford Council data was sitting in legacy systems for 21 years, things get personal. From NHS cyber deaths to £1.4 billion breaches, this episode reveals why "if it ain't broke, don't fix it" could destroy your business.

Warning: Contains one epic Noel rant and brutal truths about preventable disasters.

Shocking Statistics Revealed

  • 160,000 Microsoft Exchange servers still vulnerable 4 months after patch
  • 59% of UK public sector apps contain year-old security vulnerabilities
  • Nearly half of £4.7 billion government IT spending just maintains aging systems
  • Some organizations spend 75% of IT budget on legacy system life support

Episode Highlights

"Technical debt isn't just an IT problem - it's a business survival issue"

"We're talking about digital decisions made when people were still using typewriters, and they're still causing security problems today"

"Every shortcut has consequences. Every deferred update accumulates interest"

Next Episode Preview

We hear from Former White House CIO Theresa Payton about lessons from US government digital transformation that UK small businesses can actually use.

Take Action Now:

  1. Audit your systems - What are you actually running?
  2. Budget 20% of IT spending for technical debt reduction
  3. Plan Windows 10 migration - Support ends October 2025
  4. Document everything - Future you will thank present you

Share Your Stories

Tell us about your technical debt discoveries in the comments (minus the hacker-helpful details). Have you found systems you didn't know existed?

Like, Subscribe and Follow

🎧 New episodes every Monday

🔔 Hit the follow button for notifications

⭐ Rate and review if this episode convinced you to finally address your technical debt

Next: Episode 8 - White House CIO Insights (July 21-27)

McDonalds’ SuperSized Cyber Screw Up | 10 Jul 2025 | 00:12:42

Show Guide: When Basics Break - Special Bonus Episode

Duration: 9 minutes | Type: Special Episode

Episode Summary

McDonald's password "123456" exposed 64 million job applications. M&S lost £300M to a phone call. Our full team dissects how basic security failures are destroying major brands and what small businesses must learn.

Featured Team

  • Noel Bradford - Lead Host
  • Mauven MacLeod - Ex-NCSC Specialist
  • Oliver Sterling - Cybersecurity Veteran
  • Dr. Sarah Chen - AI Security Researcher

Key Segments & Timestamps

🍟 McDonald's AI Disaster (0:00-3:00)

  • Paradox.ai hiring bot secured with "123456" password
  • IDOR vulnerability exposed all applicant data
  • Vendor blamed "dormant 2019 test account"
  • Lesson: AI features don't fix basic security

📞 M&S & Co-op Phone Scams (3:00-6:30)

  • £300M lost at M&S, 20M records at Co-op
  • Help desk reset admin passwords without verification
  • Attackers gave BBC interviews while inside systems
  • Lesson: Vendor security failures become yours

🌍 Global Security Catastrophes (6:30-9:00)

  • AT&T: 73M accounts leaked
  • Change Healthcare: $22M ransom, data still lost
  • 23andMe: Genetic profiles exposed via credential stuffing

Key Takeaways

✅ Do The Boring Stuff:

  • Strong passwords + MFA everywhere
  • Regular patching and updates
  • Proper help desk procedures

✅ Vendor Due Diligence:

  • Ask about password policies
  • Implement call-back verification
  • If they can't answer security questions, walk away

✅ AI Reality Check:

  • Shiny features don't compensate for weak foundations
  • Basic vulnerabilities still dominate breaches

Episode Highlights

"It's the old 'move fast and break things' mindset, but now it's people's personal data on the line." - Dr. Sarah Chen

"A simple call-back to a registered number would've stopped the whole thing." - Mauven MacLeod

Immediate Actions for Small Business

  1. Change any "123456" or "password" credentials NOW
  2. Enable MFA on all business accounts today
  3. Create help desk verification procedures
  4. Audit vendor security practices

Content Notes

Real company breaches discussed. Some strong language regarding security failures.

Essential listening for business owners who think "it won't happen to us."

Remember: If major corporations with unlimited budgets fail at basics, small businesses need to be even more vigilant.

#Cybersecurity #DataBreach #SmallBusiness #PasswordSecurity

Shadow IT - The Unauthorised Technology That’s Already Inside Your Business | 07 Jul 2025 | 00:27:55

Shadow IT: The Unauthorised Technology Inside Your Business

42% of business applications are unauthorised Shadow IT. Your employees have built hackers a data highway while trying to be helpful.

What You'll Learn

  • Detection Methods: DNS monitoring, MDM, endpoint audits, ThreatLocker solutions
  • GDPR Nightmare: Why Shadow IT makes data subject access requests impossible
  • Real Examples: 17 project management tools in one 12-person company
  • Management Strategies: Control without becoming a digital dictator

Immediate Actions

  1. Audit DNS logs for unknown cloud domains
  2. Check business credit cards for unauthorised SaaS subscriptions
  3. Ask employees "How do you actually do this job?"

Key Statistics

  • 65% of remote workers use non-approved tools
  • £80,000 potential GDPR fine for £2M turnover business
  • 52% of enterprise SaaS apps are unsanctioned

Featured Solutions

ThreatLocker: Application whitelisting, DNS filtering, complete visibility without complexity

Expert Hosts

Noel Bradford: 40+ years experience, MSP CIO

Mauven MacLeod: Ex-NCSC cybersecurity expert

Next Episode

Technical Debt: The shortcuts strangling your business infrastructure

🔗 Subscribe for weekly cybersecurity insights

💡 Share with business owners who need this

⭐ Leave a review to help others find practical security advice

Supply Chain Security - Your Weakest Link | 30 Jun 2025 | 00:41:57

What if hackers are already inside your business... and you invited them in?

63% of data breaches involve third-party vendors. Your payment processor, cloud storage, email provider - any could be the backdoor that destroys your business overnight.

WHAT YOU'LL LEARN:

  • Why small businesses are sitting ducks for supply chain attacks
  • SolarWinds, Kaseya & Log4Shell disaster breakdowns
  • Vendor vetting checklist that actually works
  • Cloud dependency risks & escape strategies
  • When software updates become malware delivery
  • Your bulletproof defense framework

KEY STATS:

  • 63% of breaches involve third-party vendors
  • Average business uses 50+ third-party services
  • 18,000+ orgs compromised in SolarWinds
  • £50M ransom in Kaseya attack

THE ENVELOPE CHALLENGE: Listen to Mauven tackle supply chain security with ZERO prep time. Real expertise, genuine reactions, practical solutions.

YOUR ACTION PLAN:

  • This Week: Create vendor inventory
  • This Month: Assess vendor risks
  • Next Quarter: Implement monitoring

NEXT EPISODE: Shadow IT: 42% of business apps are unauthorized. Discover the parallel IT infrastructure hiding in your business.

CONNECT: Subscribe, review, share your vendor horror stories!

Hosts: Noel Bradford (CIO) & Mauven MacLeod (Ex-NCSC)

Sources: NCSC, NIST, industry reports

Duration: ~45 minutes

Special Briefing - Middle East Cybersecurity Threats to UK SMBs | 24 Jun 2025 | 00:16:52

Five days ago, it was Israel versus Iran. Over the weekend, American B-2 bombers dropped 14 bunker-busters on Iranian nuclear facilities. Today, your small business became a target in a war you're not even fighting. If you run a UK business that uses American tech services (and almost certainly you do: Microsoft 365 and Google Drive, to name two), this fifteen-minute briefing could save you from digital destruction.

Passwords are dead, Long live passwords | 22 Jun 2025 | 00:37:43

Noel and Mauven explain why passwords are failing us, how bad habits put us at risk, and what small businesses can do about it today. From password overload to the rise of passkeys, this episode is your practical guide to ditching old security mistakes for good.

Patch Tuesday and the Relentless Race | 16 Jun 2025 | 00:32:21

This episode unpacks the global impact of Patch Tuesday, its evolution, and the chaos it tamed in cybersecurity. Noel and Mauven explore why patch management matters now more than ever and how attackers are always just one step behind—or sometimes ahead. Real stories and practical insights make sense of updates that affect every device in your business.

Certification Without Security | 09 Jun 2025 | 00:15:24

This episode exposes why cyber certifications like ISO27001 and SOC 2 don’t guarantee real security. We break down the difference between frameworks and show how neglecting basic controls leaves even big brands open to attack.

Outsmarted by Deception | 02 Jun 2025 | 00:10:57

Iranian cyber attackers aren’t just hacking—they’re outsmarting and outmaneuvering defenses through psychological cunning. Noel and Mauven break down the real methods behind the headlines, exposing how these groups trick even the savviest users and why old-school security training just isn’t enough anymore.
£80M Blow: How Teenagers and One Phone Call Bankrupted Co-op's Cybersecurity | 25 Sep 2025 | 00:08:20

Co-op's CEO has just confirmed that their cybersecurity disaster cost £80 million. The attackers? Teenagers using basic social engineering. In this Hot Takes episode, we break down how "We've contained the incident" turned into an £80 million earnings wipeout, and why the final bill could reach £400-500 million once legal claims are settled.

This isn't just another breach story - it's a wake-up call for every UK business owner who thinks "it won't happen to us."

Key Topics Covered

The Attack Breakdown [0:30]

  • April 2024 attack by the Scattered Spider group
  • Social engineering, not sophisticated exploits
  • 6.5 million members affected (100% of Co-op members)
  • 2,300 stores disrupted, 800 funeral homes on paper systems

The Real Cost [1:45]

  • £80 million confirmed earnings impact
  • £206 million total sales impact
  • £20 million in direct incident costs
  • Zero cyber insurance coverage

Why It Could Get Much Worse [2:30]

  • Pending ICO fine: £15-20 million likely
  • Individual GDPR compensation claims: £25-£150 per person
  • Potential £325 million member compensation exposure
  • Final bill estimate: £400-500 million

Lessons for UK Small Businesses [3:15]

  • Social engineering beats technical defences
  • Cyber insurance is essential, not optional
  • Business continuity failures amplify costs
  • Training matters more than firewalls

Key Statistics

  • £80 million - Confirmed earnings impact
  • 6.5 million - Customers affected (every single member)
  • £12 - Cost per affected customer (low by UK standards)
  • £325 million - Potential member compensation exposure
  • 17-20 years old - Age of arrested suspects
  • 2,300+ - Stores affected by operational disruption

Resources & Links

Full Analysis: Read the complete breakdown: Link 

Key Sources Cited:

  • ICO Statement on Retail Cyber Incidents
  • Computer Weekly: Co-op breach coverage
  • Insurance Insider: Co-op's lack of cyber coverage
  • UK Government Cyber Security Breaches Survey 2025

Action Items for Listeners

  1. Check your cyber insurance policy - Do you have coverage? Is it adequate?
  2. Review employee training - When was the last time your team received social engineering awareness training?
  3. Test business continuity - Can your operations survive 2 weeks offline?
  4. Read the full blog post - Get all the details and cost breakdowns

Quote of the Episode

"Co-op's disaster isn't a cybersecurity failure. It's a business leadership failure. And if you're listening to this thinking your business is different, you're next."


DORA's Wake-Up Call: How JLR and Collins Aerospace Exposed a New Regulatory Storm | 23 Sep 2025 | 00:19:04

Date: 23 September 2025 — Host Mauven MacLeod delivers a furious, fast-paced analysis of two seismic cyber incidents and what they mean for UK and global businesses. This episode examines the Jaguar Land Rover and Collins Aerospace ransomware attacks, the human-driven methods that enabled them, and why they represent the first significant test of the EU's Digital Operational Resilience Act (DORA).

Topics covered include the scale of the damage (JLR reportedly losing up to £5 million per day and sector-wide losses potentially exceeding £1 billion), the criminal methodology (simple social engineering and help-desk manipulation by groups linked to Lapsus-style actors), and the cascading supply-chain impacts across automotive and aviation sectors. The episode references confirmations from ENISA about Collins’ ransomware compromise and notes reactions from industry figures such as Chris MacDonald at the Department for Business and Trade, as well as large providers like Tata Consultancy Services, Microsoft and RTX/Collins Aerospace.

Key points you’ll take away: these attacks were largely preventable with basic controls — MFA (hardware keys), formal helpdesk identity verification, callback confirmation, network segmentation and focused security training — yet failures persist even at well-resourced organisations. Crucially, the episode explains DORA’s cross-border reach (applicable since 17 January 2025), how EU authorities can designate critical ICT third-party providers (including non-EU firms), the reporting and continuity obligations this triggers for financial entities, and the potential penalties (including fines up to around 1% of global turnover) and oversight mechanisms now coming into play.

Practical guidance for listeners covers immediate steps: map vendor dependencies and identify any providers serving EU financial entities; review and update contracts for DORA alignment; update incident response and continuity plans to reflect DORA reporting requirements; and deploy low-cost, high-impact controls like hardware MFA, strict helpdesk processes and segmentation. The episode also critiques the UK government’s reactive crisis management during these incidents and warns of an accelerating enforcement wave: designations, cross-border scrutiny and contractual overhauls are expected to intensify through 2025.

Ultimately, Mauven argues this is the start of a new era — one where regulatory exposure flows through vendor dependencies and where organisational will, not technical capability, is the biggest barrier to resilience. Listeners will finish with a clear sense of urgency, the regulatory risks to assess, and concrete next steps to reduce operational and regulatory fallout from future incidents.

One IT Manager, Massive Risk: Burnout, Sabotage and System Failures | 22 Sep 2025 | 00:40:44

This episode explores the risks of relying on a single IT manager as an entire IT department.

Hosts Noel Bradford and Mauven MacLeod unpack why paying one person a modest salary is not the same as buying a full team of specialists, and they share vivid real-world horror stories — from a sudden resignation that paralysed a 40-person engineering firm, to a ruined holiday when backups failed, to a marketing agency locked out by a burnt-out IT manager.

Key topics include the cost mismatch between expectations and reality, how knowledge concentration creates critical single points of failure, signs that your IT lead is drowning (long hours, no lunch breaks, defensiveness, lack of documentation), and how poor management decisions can make things worse.

Practical solutions are given: document everything, hire a competent number two rather than a trainee, engage managed service providers for specialist and 24/7 support, move critical services to cloud platforms to reduce on-site burden, and start with small, affordable steps like basic support contracts or break-fix services.

The episode includes personal anecdotes from Noel (the "Donny" and zoo-day stories) and a discussion of when to involve external help, how to create continuity plans, and three immediate actions business owners can take today.

Listeners are encouraged to have an open conversation with their IT person, assess real costs and risks, and take steps to protect both their systems and their staff from burnout and catastrophic failure.

EXPOSED: The £200k Mistake 90% of Small Businesses Make (Dave From IT Isn’t Supposed To Run Your Technology Strategy!) | 15 Sep 2025 | 00:40:35

Most small business owners think CIO stands for "Chief I-Fix-Everything Officer" and CISO means "Chief I-Worry-About-Security Officer." In this episode, Noel Bradford (actual CIO/CISO) breaks down what these executive roles actually do and why your business desperately needs this strategic thinking - without the six-figure salary.

Discover how fractional CIO/CISO services let 20-100 employee businesses access Fortune 500 expertise for £15,000-35,000 annually instead of £120,000+ for full-time hiring.

What You'll Learn

  • The Real Difference Between CIO and CISO: Technology strategy vs security strategy (and why one person can do both).
  • Why Dave from IT Needs Help: The unfair burden of strategic decisions on operational staff.
  • Fractional Services Explained: How to get executive-level guidance for 8-12 hours per month.
  • ROI Reality Check: Technology inefficiencies probably cost you more than £15k annually
  • Finding Quality Providers: Red flags vs genuine executive experience.
  • Integration Strategy: Treating fractional executives like Non-Executive Directors.

Key Takeaways

  • Strategic technology and security leadership isn't just for large corporations.
  • Fractional services cost £15,000-35,000 annually vs £120,000+ for full-time hiring
  • Sound fractional executives enhance internal capabilities rather than replacing them.
  • Treat fractional CIO/CISO like Non-Executive Directors - invite them to board meetings.
  • Start with a current state assessment (£3,000-6,000) before ongoing engagement.

Diagnostic Questions

You probably need fractional CIO/CISO services if you answer "yes" to several of these:

  • Technology decisions are made reactively rather than strategically
  • Increasing tech spending without clear ROI visibility
  • Security/compliance concerns are constantly pushed down the priority list
  • Internal IT person making strategic decisions while handling operations
  • Current systems won't scale with business growth plans
  • Regulatory compliance anxiety about technology approaches

Episode Highlights

Real-World Example: A 15-person marketing agency saved £300/month and improved security by consolidating from multiple cloud storage solutions to a single strategic platform.

Cost Comparison: Fractional services at £150-350/hour for 8 hours monthly vs full-time CIO/CISO at £100,000-180,000 annually plus benefits and normal staffing costs.

Next Steps

  1. Honest self-assessment of current technology/security decision-making
  2. Calculate the annual cost of technology inefficiencies and security risks
  3. Research fractional providers with genuine senior executive experience
  4. Consider starting with the current state assessment project

Connect With Us

Hit subscribe, leave a review mentioning whether you're considering fractional services, and share with business owners making technology decisions without strategic guidance.

Remember: You don't need enterprise budgets to get enterprise thinking. And be kind to Dave - he's doing his best.

#FractionalCIO #FractionalCISO #CIO #CISO #ChiefInformationOfficer #ChiefInformationSecurityOfficer #FractionalExecutive #ITLeadership #TechnologyStrategy #SecurityStrategy #SmallBusiness #SMB #SmallBusinessOwners #Entrepreneurs #BusinessOwners #StartupLife #GrowingBusiness #ScaleUp #BusinessGrowth #SMBTech #ITStrategy #TechnologyLeadership #BusinessTechnology #ITManagement #DigitalTransformation #TechStack #CloudStrategy #ITBudget #TechnologyRoadmap #SystemsIntegration

81 Security Patches + Windows 10’s Final Countdown: What Every Business Owner Must Know | 11 Sep 2025 | 00:12:50

September 2025 Patch Tuesday: Critical Business Update

Special Edition with Graham Falkner

Microsoft's September Patch Tuesday brings 81 security fixes, including 9 critical vulnerabilities already being exploited by attackers. This episode provides essential business guidance for small business owners navigating these updates safely and efficiently.

Key Topics Covered:

  • Business impact of 81 security vulnerabilities
  • Four critical threats affecting small businesses
  • SharePoint Server active exploitation campaigns
  • Network authentication bypass vulnerabilities
  • 7-day practical deployment strategy
  • Windows 10 end-of-life planning (October 14th deadline)
  • Cyber Essentials compliance requirements

Critical Action Items:

  • Days 1-2: Assess SharePoint installations and document processing systems
  • Days 3-7: Deploy controlled testing and priority system updates
  • Days 8-14: Complete production environment deployment
  • Immediate: Audit all Windows 10 devices and plan migration

Windows 10 Urgent Notice:

Support ends October 14th, 2025. This may be the final security update for Windows 10 systems. Extended Security Updates available at significant cost. Migration planning required immediately.

Compliance Requirements:

Cyber Essentials certified organisations must deploy updates by September 23rd, 2025. Earlier deployment recommended for business risk management.

Vulnerable Systems Requiring Priority Attention:

  • SharePoint Server installations (under active attack)
  • Systems processing external documents and email attachments
  • Network authentication infrastructure
  • Customer data handling environments

Known Compatibility Issues:

  • PowerShell Direct connection failures in virtualised environments
  • SMB signing requirements affecting older network storage
  • MSI installer UAC prompt changes

Sources:

  • Microsoft Security Response Center - September 2025 Security Updates
  • Verizon 2024 Data Breach Investigations Report
  • UK GDPR Article 32 - Security of Processing Requirements
  • Cyber Essentials Certification Guidelines

Resources:

Comprehensive deployment guides, compatibility checklists, and Windows 11 migration planning available at: thesmallbusinesscybersecurityguy.co.uk

Technical support documentation: Microsoft KB5065426, KB5065431, KB5065429

Next Steps:

Subscribe for regular cybersecurity updates. Share with business owners who need this information. Visit our website for detailed implementation guidance.

This episode provides educational information only. Always implement cybersecurity measures appropriate to your specific business needs and risk profile.

Hashtags:

#CyberSecurity #SmallBusiness #Windows10 #PatchTuesday #Microsoft #BusinessSecurity #ITSecurity #CyberEssentials #Windows11 #SecurityUpdates #BusinessContinuity #UKBusiness #Compliance #GDPR #CyberInsurance #NetworkSecurity #SharePoint #BusinessTech #InfoSec #DigitalSecurity

Electoral Commission: 40 Million Hacked, Zero Fines - But Small Businesses Pay Thousands for Less | 09 Sep 2025 | 00:13:06

Episode Summary

The Electoral Commission suffered a 14-month data breach affecting 40 million UK voters, yet faced zero ICO enforcement action. Meanwhile, small businesses receive crushing GDPR fines for minor infractions. This explosive episode exposes dangerous double standards leaving SMBs vulnerable while government bodies escape accountability.

The Shocking Facts

  • Breach Duration: 14 months (August 2021 - October 2022)
  • Affected People: 40 million UK voters' data accessible
  • Attack Method: ProxyShell vulnerabilities - patches available months before breach
  • Attribution: Chinese state-affiliated actors (APT31)
  • ICO Response: "No enforcement action taken"

Security Failures That Would Destroy Small Businesses

  • Default passwords still in use
  • No password policy
  • Multi-factor authentication not universal
  • Critical security patches ignored for months
  • One account used original issued password

ICO's Dangerous Double Standard

While the Electoral Commission faces zero consequences for exposing 40 million people's data, small businesses routinely receive thousands in fines for single email attachment breaches. This regulatory hypocrisy creates false security expectations and leaves SMBs as easy targets for cybercriminals and regulators.

Immediate Action Required: Patch Tuesday Compliance

The Electoral Commission's breach used ProxyShell vulnerabilities (CVE-2021-34473, CVE-2021-34523, CVE-2021-31207) patched months earlier. Every day you delay Microsoft updates increases breach risk and regulatory exposure.

Critical Steps Today:

  1. Apply Microsoft Updates Now: Stop reading, patch systems, then continue
  2. Audit Password Security: Eliminate default, weak, or original passwords
  3. Implement Universal MFA: Multi-factor authentication on all accounts

Key Takeaways

  • Government bodies receive preferential ICO treatment despite massive failures
  • Small businesses face disproportionate scrutiny and penalties
  • Basic security hygiene prevents most cyberattacks
  • Professional cybersecurity help costs less than ICO fines
  • Regulatory consistency doesn't exist - protect yourself accordingly

Why This Matters for Your Business

If the Electoral Commission can ignore basic cybersecurity for 14 months without consequences, imagine what happens when your business makes similar mistakes. The ICO needs examples - and it won't be government bodies.

Resources

Get Help

Need cybersecurity basics, patch management, or GDPR compliance help? Don't become the ICO's next small business example.

Email: help@thesmallbusinesscybersecurity.co.uk
Website: thesmallbusinesscybersecurity.co.uk

Related Episodes

Keywords

#ElectoralCommissionhack, #ICO #doublestandards, #GDPR, #PatchTuesday, #Microsoftupdates, #ProxyShellvulnerability

60% of Small Businesses DIE After Cyberattacks - Are You Next? | Published: 08 Sep 2025 | Duration: 00:26:21

🚨 SHOCKING: 60% of Small Businesses Shut Down Forever After Cyberattacks

96% of hackers target YOUR business, not big corporations. Think you're too small to be a target? Think again.

Noel and Mauven reveal the brutal truth about cybersecurity that could save your business - or expose why you're already at risk.

💀 The Terrifying Reality:

  • 82% of ransomware attacks target businesses under 1,000 employees
  • Small business employees face 350% MORE attacks than enterprise workers
  • Average cyber incident costs UK businesses £362,000
  • Only 17% of small businesses have cyber insurance

🛡️ What You'll Discover:

  • The FREE security fix that stops most attacks (costs nothing, takes 30 seconds)
  • Why Multi-Factor Authentication is your business lifeline
  • How Cyber Essentials certification makes you 92% less likely to get attacked
  • Government programs most business owners don't know exist
  • Why this is a BUSINESS issue, not an IT problem

🎯 Perfect For:

  • Small & medium business owners
  • Anyone worried about cyber threats
  • Business leaders who think they're "too small" to be targeted
  • Companies looking for practical, affordable security solutions

💡 Key Takeaways:

  • Multi-Factor Authentication everywhere - Enable it on email, accounting systems, cloud storage, and remote access. This one change stops the vast majority of attacks.
  • Cyber Essentials certification - Organizations with this UK government scheme are 92% less likely to make insurance claims. Plus, Noel's preferred certification body includes up to £250,000 in cyber insurance coverage as part of the package!
  • Staff training that actually works - Monthly 5-minute team discussions about real threats, not boring annual presentations.
  • The 3-2-1 backup rule - Three copies of data, two different storage types, one completely offline.

⚡ Real Talk:

This isn't fear-mongering - it's business reality. Every day you delay basic cybersecurity is another day you're gambling with everything you've built.

The cost of prevention is ALWAYS less than the cost of recovery.

🔗 Take Action:

Start this week: Enable MFA on your email, research Cyber Essentials, schedule team security discussions.

Your future self will thank you.

Want to know more about Cyber Essentials certification with included insurance? Reach out to Noel directly.

Like what you heard? Subscribe, leave a review, and share with other business owners who need to hear this.

#Cybersecurity #SmallBusiness #CyberEssentials #BusinessSecurity #UKBusiness

Detention: The Day 8,000 Children's Data Went Missing | Published: 07 Oct 2025 | Duration: 00:41:29
Episode Description

Following the Kido nursery breach where 8,000 children's photos were stolen and posted online, we sit down with education sector expert Tammy Buchanan. With 15 years working in UK schools and now consulting on data protection compliance, Tammy reveals the shocking reality of cybersecurity in British education. From nurseries using platforms like Famly and Tapestry to primary schools struggling with basic MFA implementation, this conversation exposes systematic failures that put every child's data at risk. If you're a parent, school governor, or education professional, this episode will change how you think about school security.

Currently ranked in the Top 100 Apple Business Podcasts (US)

What You'll Learn
  • Why only 50% of schools have multi-factor authentication enabled
  • The difference between early years providers and mainstream schools
  • How photo-rich platforms create unique vulnerabilities for nurseries
  • Why DFE digital standards remain unknown to most schools
  • The governance problem: volunteers without power
  • Who actually gets things done when head teachers won't prioritise security
  • Why schools keep breaches quiet and what that means for parents
  • Practical steps parents can demand from their child's school today
  • The Cyber Essentials challenge for small schools with limited budgets
  • How COVID pushed schools years ahead without proper security foundations
Guest Contact Details

Tammy Buchanan, Senior Data Protection Consultant, Data Protection Education

Email: info@dataprotection.education
LinkedIn: Search for Tammy Buchanan or visit the Data Protection Education company page
Website: Data Protection Education

Tammy and her team (including a solicitor) work with schools across the UK on data protection compliance, information security, and cyber resilience. They provide free resources and news updates for schools on their LinkedIn page.


Resources Mentioned

Government and Regulatory:

Platforms Discussed:

  • Famly (early years learning journey platform)
  • Tapestry (early years learning journey platform)
  • Arbor (school management information system)
  • Bromcom (school management information system)

Security Standards:

  • Cyber Essentials certification
  • Multi-factor authentication (MFA) implementation
  • Incident response planning

Additional Resources:

Key Statistics from This Episode
  • 50% or less of schools have MFA enabled
  • 8,000 children's photos stolen in the Kido breach
  • 12 years Tammy worked directly in schools before consulting
  • 15 years Tammy has been in the education sector overall
  • 2030 target date for schools to meet six DFE digital standards
Questions Parents Should Ask Their School
  1. Do you have multi-factor authentication enabled on all systems?
  2. How often do staff receive cybersecurity training?
  3. Where is your incident response plan and when was it last tested?
  4. Who on the governing body is responsible for data protection and cyber resilience?
  5. Are you working towards the DFE digital standards?
  6. Which third-party platforms hold my child's data and photos?
  7. How do you monitor and configure security settings on these platforms?
Key Takeaways

For Parents:

  • Schools are having breaches regularly but keeping them quiet
  • Most schools lack basic security like MFA
  • Your child's photos on learning journey apps create unique risks
  • You have the right to ask questions about data protection
  • Schools respond to parental pressure

For School Leaders:

  • Documentation matters for ICO compliance
  • Training needs updating regularly, not the same video for three years
  • Incident response plans are useless if nobody knows where they are
  • School business managers need authority, not just responsibility
  • Other schools' examples work better than external expert advice

For Governors:

  • Cybersecurity needs to be statutory to get real traction
  • Digital lead on governing body remains unfilled at many schools
  • You need both knowledge and authority to make change happen
  • Physical security analogies help boards understand cyber risks
The Big Picture

This episode exposes a systematic failure in UK education cybersecurity. Schools operate under considerable constraints, including volunteer governance, stretched budgets, and part-time IT support. Meanwhile, they hold treasure troves of children's data on platforms configured by people who lack security expertise. The Kido breach reveals what happens when one password unlocks 8,000 children's intimate moments. Most schools are one credential compromise away from the same fate. Until cybersecurity becomes statutory or linked to Ofsted inspections, progress will remain painfully slow.

Connect With The Show

Website: thesmallbusinesscybersecurityguy.co.uk
Subscribe: Available on all major podcast platforms
Social Media: Find us on LinkedIn

Help us grow: Leave a review, subscribe, and share this episode with parents, teachers, and school governors who need to hear this message.

Extra Credit: The Corrections, The Code, and The Safeguarding Bombshell | Published: 13 Oct 2025 | Duration: 00:35:39

We were wrapping up our interview with Tammy Buchanan about the Kido nursery breach when she said: "Actually, there were some really important points I forgot to make."

So we grabbed another cup of tea, broke out the custard creams, and kept recording.

Then, during the tea break, Graham discovered something on Twitter: VX-Underground, a credible malware research collective, had posted a screenshot of what appears to be a Kido GitHub repository containing API code. Files that typically contain system credentials. A potential smoking gun.

In Part 2, Tammy reveals what was missed in Part 1, including the game-changing fact that cybersecurity is now officially linked to safeguarding in the 2025 Keeping Children Safe in Education guidance. We examine the repository screenshot and discuss what it suggests about how breaches like this happen.

This isn't theory. This appears to be a real-world example of the vulnerability that could lead to children's data being stolen. And your child's school might have the same exposure.

Recorded in the same session as Part 1. This is what happens when cybersecurity news moves faster than podcast recording sessions.

Currently ranked in the Top 100 Apple Business Podcasts (US)

This episode is sponsored by Authentrend Biometric Hardware

Why Listen to Part 2?

If you listened to Part 1 and thought "that's bad but it won't happen to us," Part 2 will change your mind.

The game-changer: Cybersecurity is now safeguarding, not just IT. Schools can't ignore it anymore.

The smoking gun: A screenshot showing what appears to be exposed code—the exact type of vulnerability experts warn about.

The corrections: What we got wrong in Part 1, and why the reality is even more serious.

What You'll Learn

The Major Revelations
  1. Cyber Security = Safeguarding (2025 Guidance)
    • First time explicitly linked in statutory guidance
    • Changes everything about how schools must respond
    • Makes Kido a safeguarding failure, not just IT breach
    • Gives cyber the legal teeth it's never had
  2. The Repository Screenshot
    • VX-Underground documented what appears to be Kido's code
    • Files that typically contain credentials visible
    • Repository has since been removed
    • Suggests how breach may have occurred
  3. Partial MFA = No MFA
    • Schools enable MFA for head teachers but not everyone
    • Like "locking doors but leaving windows open"
    • Must be ALL staff with system access or it's useless
  4. The Third Party Illusion
    • Schools think IT providers handle compliance
    • DfE Standards explicitly say schools must verify
    • Cannot outsource responsibility
Practical Takeaways
  • Why phone-based MFA conflicts with safeguarding policies (and what to do)
  • The NCSC Cyber Assessment Framework for schools
  • Questions to ask developers about code repositories
  • How to audit custom software
  • What "Time Off In Lieu" means for training


The VX-Underground Discovery (Important Context)

What We Can Confirm

On 28 September 2025, VX-Underground (a credible malware research collective) posted a screenshot showing what appears to be a GitHub repository:

  • Repository name: kido-fullstack/mykido-api
  • Files visible: Including mail.py (typically contains email credentials in Python apps)
  • Repository stats: 2 contributors, 0 issues, 0 stars, 0 forks
  • Current status: Repository has been removed
  • VX-Underground's assessment: Called it "f**king slop piece of s**t"
  • See: https://www.instagram.com/reel/DPUjd9mj2tG/
What We Cannot Independently Verify
  • The actual contents of the files (repository is down)
  • Whether repository was public or had limited visibility
  • That this definitively caused the breach
  • What specific credentials may have been present
Why It Matters

This screenshot shows the exact type of vulnerability cybersecurity experts warn about:

  • Custom code pushed to repositories without proper security review
  • Files that typically contain credentials visible in structure
  • Pattern common in education sector (confirmed by Tammy)
  • Explains how Famly data could be accessed without Famly infrastructure breach

We present this as a plausible explanation based on professional analysis, not as a confirmed fact.

The Safeguarding Game-Changer

2025 Keeping Children Safe in Education Guidance

For the first time, statutory safeguarding guidance for UK schools explicitly mentions taking appropriate actions to meet the Cyber Security Standard.

What this means:

  • Cybersecurity is no longer optional IT work
  • It's a safeguarding responsibility with Ofsted implications
  • Schools respond to safeguarding requirements (unlike IT recommendations)
  • Governors have safeguarding oversight duties that now include cyber
  • The Kido breach is officially a safeguarding failure

When it takes effect: The 2025 guidance is already in force. Schools should be implementing now.

Why schools don't know: Most haven't read the updated guidance yet. Awareness is the first problem.

Critical Corrections from Part 1

1. The MFA Misconception

What we said in Part 1: "Only 50% of schools have MFA enabled"

What Tammy clarified: That 50% is misleading because many schools have partial MFA - only for senior staff like head teachers and SENCOs.

The reality: Partial MFA = NO MFA. It's like locking your front door but leaving all the windows open. Attackers target the weakest link, not the strongest.

The phone problem: Many MFA solutions require phones for authentication, but safeguarding policies ban phones in classrooms. Schools need hardware tokens or authenticator apps on shared devices.

Where MFA works: Primarily email systems currently - but email is the gateway to everything else (password resets, system access, parent communications).

2. The Compliance Responsibility Myth

The misconception: "We pay an IT company, so they're handling DfE Digital Standards compliance for us."

The reality: DfE Standards explicitly state it's the organisation's responsibility to ask: "Are we meeting this standard? How do we meet this standard?"

What IT providers should do: Help implement technical controls

What schools must do: Verify compliance is actually happening

Who's responsible: School leadership, governors, senior management - not outsourceable

3. Training and TOIL

Correction: Staff must be given Time Off In Lieu (TOIL) for cybersecurity training. They cannot be expected to complete training unpaid outside work hours.

Why it matters: Schools operating on tight budgets must account for training time in scheduling and costs.

Resources Mentioned

Statutory Guidance and Standards

Keeping Children Safe in Education 2025

  • Statutory safeguarding guidance for schools
  • First explicit link between cybersecurity and safeguarding
  • Available: UK Government website / DfE publications
  • ACTION: Read Section on Cyber Security Standard

DfE Digital Standards for Schools

  • Sets out cyber security requirements
  • Six standards schools should meet by 2030
  • Schools must actively verify compliance
  • ACTION: Ask your school "Are we meeting these?"
Free Security Resources

NCSC Cyber Assessment Framework (CAF)

  • Designed specifically for small businesses and schools
  • Written in accessible language (not technical jargon)
  • Covers: access control, incident management, supply chain security
  • Free to use
  • LINK: ncsc.gov.uk

NCSC Early Years Settings Guidance

  • Bespoke guidance for nurseries
  • Practical steps for settings without IT expertise
  • LINK: ncsc.gov.uk

GitHub Secret Scanning

  • Free for public repositories
  • Detects exposed credentials in code
  • Schools should use if they have repositories
  • ACTION: Enable on all repositories
Tammy's Resources

DfE Digital Standards Webinars

  • Regular sessions explaining standards in simple terms
  • How to track progress and implementation
  • Contact Tammy for upcoming dates
Guest Expert

Tammy Buchanan

Title: Senior Data Protection Consultant
Organisation: Data Protection Education
Background:

  • 15 years in UK education sector
  • 12 years working directly in schools (8 years technician, 4 years IT manager)
  • "Recovering Dave from IT"

What makes Tammy credible: She's not a theoretical expert. She's been the person fixing school printers at 8am, dealing with budget constraints, navigating safeguarding policies. When she says "schools don't have the expertise," she's speaking from lived experience.

Expertise:

  • Data protection compliance in education
  • Information security for schools and MATs
  • DfE Digital Standards implementation
  • GDPR for the education sector
  • Cyber resilience on school budgets
Contact Tammy

Email: info@dataprotection.education
LinkedIn: Tammy Buchanan (personal) / Data Protection Education (company page)
Services:

  • Compliance assessments
  • DfE Digital Standards webinars
  • Data protection consultancy for schools and MATs
  • Incident response support


Questions Parents Should Ask Their School

Copy these questions and email them to your head teacher:

Security Basics
  1. Do you have multi-factor authentication (MFA) enabled for ALL staff with system access (not just senior leadership)?
  2. How often do staff receive cybersecurity training, and is Time Off In Lieu provided for this training?
  3. Where is your incident response plan, and when was it last tested?
Custom Software and Code
  1. Do we have any custom-built software, integrations, or scripts?
  2. If yes: Where is the source code stored? (GitHub, GitLab, etc.)
  3. Who has access to our code repositories?
  4. Have repositories been scanned for exposed credentials?
  5. Do former developers or contractors still have access to our systems?
Compliance and Governance
  1. Are we meeting the DfE Digital Standards, and how is this verified?
  2. Who on the governing body is responsible for data protection and cyber resilience?
  3. How are you addressing cybersecurity as part of your safeguarding responsibilities under the 2025 Keeping Children Safe in Education guidance?
Third Party Platforms
  1. Which platforms hold our children's data? (Famly, Tapestry, Arbor, etc.)
  2. How do you verify these platforms are securely configured?
  3. Does our IT provider handle compliance verification, or do you verify it yourselves?

Don't accept: "We have an IT company, they handle all this." Do accept: Specific answers with evidence of verification.

Questions Schools Should Ask Developers

If you have any custom software, ask your developer:

  1. Where is the source code stored?
  2. Is the repository public or private?
  3. Who currently has access to the repository?
  4. Are there any credentials, API keys, or connection strings in the code?
  5. How are secrets managed? (Environment variables, secret management tools?)
  6. When was the code last security reviewed?
  7. Has the repository been scanned for exposed secrets?
  8. What happens if you're not available? Who else can access/maintain this?

Red flags:

  • "What do you mean by credentials in the code?"
  • "It's a private repo, it's fine."
  • "I'll get round to moving those credentials out eventually."
  • Cannot answer who else has access
The Bigger Picture

Why This Matters Beyond Kido

The pattern Tammy sees constantly:

  1. School needs custom integration between systems
  2. Hire developer (staff, parent volunteer, local contractor)
  3. Developer builds something functional
  4. Developer has zero security training
  5. Code pushed to GitHub/GitLab for convenience
  6. No security review, no secrets management
  7. Repository sits there for months/years
  8. Former contractors still have access
  9. No documentation of what exists or where
  10. School doesn't know to check

One credential compromise = full breach

The Education Sector Reality

Constraints schools face:

  • No dedicated IT staff (part-time technician comes twice a week)
  • No cybersecurity budget
  • Volunteer governors with no technical expertise
  • Staff expected to train in unpaid time
  • Third-party providers without clear responsibility
  • Safeguarding policies that conflict with security best practice
  • An overwhelming number of platforms and systems
  • Turnover of staff and contractors

What needs to change:

  • Make cyber security statutory with Ofsted oversight
  • Provide funding for proper implementation
  • Link explicitly to safeguarding (now happening!)
  • Require IT providers to verify compliance
  • Train governors on cybersecurity oversight
  • Make DfE Digital Standards non-negotiable

The safeguarding link is the breakthrough - schools MUST respond to safeguarding requirements.

Key Quotes

Tammy on partial MFA:

"It's like locking your front and back doors and then leaving all the downstairs windows open. I consider that to be NOT having MFA enabled."

Tammy on the safeguarding link:

"Schools can ignore IT recommendations. They can say 'no budget, we'll get to it eventually.' But you cannot ignore safeguarding. Safeguarding is non-negotiable."

Tammy on the repository:

"This is actually more common than people think, especially in education. Somebody builds something, pushes it to GitHub for version control, and doesn't think about security."

Tammy on compliance responsibility:

"Your IT provider should help you meet the standards, but the responsibility for checking remains with the school leadership. And most schools don't realise that."

Noel on the repository screenshot:

"The attack vector wasn't sophisticated hacking. It appears to be 'your code was accessible on the internet with the keys to the kingdom visible in the files.'"

What's Next?

If You're a Parent
  1. Email your school the questions above
  2. Don't accept vague reassurances
  3. Ask for specific evidence that they're meeting DfE Digital Standards
  4. Remember: you're asking about safeguarding, not just IT
If You're a School Leader
  1. Read the 2025 Keeping Children Safe in Education guidance
  2. Audit all custom software and code repositories
  3. Enable MFA for ALL staff (find solutions for phone conflict)
  4. Document what you have and who has access
  5. Verify DfE Digital Standards compliance yourself
  6. Contact Tammy or similar experts for gap analysis
If You're a Governor
  1. Add cyber security to safeguarding oversight
  2. Ask the head teacher the same questions parents should ask
  3. Don't accept "our IT company handles it"
  4. Consider appointing a digital lead on the governing body
  5. Ensure cyber security is a standing agenda item
Social Media Sharing

Share this episode if:

  • You're a parent with kids in nursery or school
  • You're a school governor or school leader
  • You work in education
  • You're concerned about children's data protection
  • You want schools to take cyber security seriously

Tag: #CyberSecurity #Education #Safeguarding #DataProtection #Kido #DfEDigitalStandards

Share quote: "Cyber security is now officially SAFEGUARDING in UK schools. Not optional IT. Not nice-to-have. SAFEGUARDING. This changes everything."

Connect With The Show

Website: thesmallbusinesscybersecurityguy.co.uk
Blog: Full breakdown of repository screenshot analysis
Subscribe: Available on all major podcast platforms
Review: Leave us a review and tell us what you think
Comment: What security topic should we cover next?

Currently ranked Top 100 Apple Business Podcasts (US)

Related Episodes

Part 1: The Education Data Protection Gap (listen first)

  • Main interview with Tammy Buchanan
  • Overview of Kido breach
  • Systematic failures in education security
  • 35-40 minutes

The Kido Hot Take 

  • Initial reaction to breach announcement
  • Why nurseries are targets
  • Immediate implications
Episode Credits

Hosts:

  • Noel Bradford (The Veteran Solution Provider)
  • Mauven MacLeod (The Government-Trained Practitioner)
  • Graham Falkner (Producer/Researcher)

Guest:

  • Tammy Buchanan (Data Protection Education)

Production:

  • Same session recording as Part 1
  • Tea break transition edited
  • Cold open recorded post-session
  • Natural conversation maintained

Special mention:

  • Custard creams (the real MVPs)
  • VX-Underground (for documenting the repository before it vanished)
Legal Disclaimer

This podcast provides general information about cybersecurity topics for educational purposes. Listeners should consult a professional for their specific situation.

Regarding the repository screenshot: We present analysis based on a screenshot from a credible source (VX-Underground). The repository has been removed and we cannot independently verify its contents. Our discussion represents a professional assessment based on typical development practices, not a confirmed fact about the specific breach mechanism.

The views expressed by guests are their own and do not necessarily reflect the views of the hosts or production team.

Transcript

Full transcript available at: thesmallbusinesscybersecurityguy.co.uk/transcripts

Accessibility: Contact us for alternative formats

Next Episode

Next time: Infosec, Cybersec, and IT security - They are the same right?? Spoiler Alert: No they are not!

Coming soon: More deep dives into small business cyber security. Subscribe so you don't miss it.

Published: 13 October 2025
Duration: ~30 minutes
Format: MP3
Copyright: © 2025 The Small Business Cyber Security Guy
License: All rights reserved

Stay safe out there. Check your repositories. Enable MFA for everyone. And remember, cybersecurity is safeguarding now.

InfoSec vs CyberSec vs IT Security: Stop Wasting Money on the Wrong One | UK SMB Reality Check | Published: 20 Oct 2025 | Duration: 00:37:40

Vendors love throwing around "InfoSec," "CyberSec," and "IT Security" like they're selling completely different solutions. Half the time it's the same thing with three different price tags. The other half? You're buying protection that doesn't address your actual risks.

With 50% of UK small businesses hit by cyber incidents in 2025 and 60% closing within six months of severe data loss, getting this wrong isn't just expensive—it's potentially fatal to your business.

Noel Bradford (40+ years wrangling enterprise security at Intel, Disney, and BBC) and Mauven MacLeod (ex-Government Cyber analyst who's seen threats at the national security level) cut through the marketing rubbish to explain what each approach actually does, what they really cost, and which one your business needs right now.

No vendor pitch. No corporate speak. Just the brutal truth about what works for UK SMBs.

This Episode is Sponsored by Authentrend

Special Listener Offer: £40 per FIDO2 security key (regular £45) - Valid until December 22nd, 2025

We only accept sponsorships from companies whose products we already recommend to clients. Authentrend's ATKey series provides FIDO Alliance Level 2 certified, phishing-resistant authentication at competitive pricing. Same cryptographic protection as premium brands, without the premium price tag.

Why we're comfortable with this sponsorship: We've been specifying Authentrend keys for UK SMB clients for months because the math works. FIDO2 hardware security keys stop the credential phishing attacks that cause 85% of cyber incidents. At £40-45 per key (two per employee for backup), you're looking at £80-90 per person for protection that actually works.

Learn more: authentrend.com

What You'll Learn

Understanding the Differences
  • What Information Security actually covers (hint: it's not just digital)
  • Why Cybersecurity isn't the same as IT Security (despite what vendors claim)
  • The CIA triad explained without the jargon
  • Real-world examples showing when each approach matters
UK Business Reality
  • Current threat landscape: 43% of UK businesses breached in 2025
  • Why small businesses (10-49 employees) face 50% breach rates
  • Average incident costs: £3,400 (but the real number is much higher)
  • UK GDPR, Data Protection Act 2018, and what actually applies to you
What It Actually Costs
  • Starting from scratch: £5,000-£15,000 annually for 10-20 employees
  • Phishing-resistant MFA: £80-90 per employee (one-time, includes backup keys)
  • Cyber Essentials: £300-£500 (your best bang for buck)
  • Managed security services: £300-£450/month realistic pricing
  • When £2,000-£3,500/month managed detection makes sense
  • Free government resources you're probably ignoring
Authentication Security Reality
  • Why SMS codes and app-based MFA still get phished
  • How FIDO2 hardware security keys cryptographically prevent credential theft
  • Real cost comparison: £80-90 per employee one-time vs subscription services costing hundreds annually
  • Special offer mentioned in episode: Authentrend keys at £40 until December 22nd
Implementation Without the Bullshit
  • Why IT Security basics beat fancy cybersecurity tools every time
  • The five controls that address 90% of UK SMB threats
  • Common mistakes that waste your security budget
  • How to prioritise when you can't afford everything
  • Vendor red flags and what to actually look for
Regulatory Requirements Decoded
  • ICO data protection fees: £40-£60/year (mandatory)
  • What "appropriate technical and organisational measures" really means
  • Why recent enforcement shows reprimands over fines for SMBs
  • Insurance requirements and how to reduce premiums
  • How phishing-resistant authentication affects cyber insurance premiums
Key Statistics Mentioned
  • 50% of UK small businesses (10-49 employees) experienced cyber incidents in 2025
  • £3,400 average cost per cyber incident (excluding business impact)
  • 60% of small businesses close within 6 months of serious data loss
  • 85% of cyber incidents involve phishing attacks
  • 43% of all UK businesses experienced breaches in 2025
  • Only 35,000 of 5.5 million UK businesses hold Cyber Essentials certification
  • 40% of UK businesses use two-factor authentication (meaning 60% rely solely on passwords)
Products & Solutions Discussed

Authentication Security (Featured in Episode)

Authentrend ATKey Series (Episode Sponsor)

  • ATKey.Pro: USB-A/USB-C with NFC support
  • ATKey.Card: Contactless card format
  • Pricing: £45 regular, £40 special offer until December 22nd
  • FIDO Alliance Level 2 certified
  • Works with Microsoft 365, Google Workspace, 1000+ FIDO2-enabled services
  • Deployment cost: £80-90 per employee (2 keys for backup)

Why hardware security keys matter:

  • Cryptographically bound to the legitimate site's domain, so a look-alike phishing site cannot obtain a usable login (any weaker fallback method you leave enabled on the account is the remaining weak point)
  • Works even when users make mistakes
  • One-time purchase vs ongoing subscription costs
  • Significantly reduces cyber insurance premiums
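The domain binding in the list above is what a relying party actually checks when it receives a FIDO2/WebAuthn login assertion. The block below is an added example, not code from the podcast or from Authentrend: it performs the origin and rpIdHash checks against a constructed assertion, once from the genuine site and once from a look-alike domain. The relying-party ID, the allowed origins and the sample data are assumptions; verifying the key's signature over authenticatorData || SHA-256(clientDataJSON) with the stored public key is the separate step that makes these fields tamper-proof and is not shown.

```python
"""Added example (not from the podcast or Authentrend): the domain-binding check a
FIDO2/WebAuthn relying party performs on a login assertion.

A security key scopes each credential to a relying-party ID and writes
SHA-256(rpId) into the signed authenticatorData; the browser, not the page, writes
the real origin into clientDataJSON, which the signature also covers. A look-alike
domain therefore yields an assertion whose origin and rpIdHash do not match and is
rejected before any reusable secret is exposed. RP ID, origins and sample data are
constructed for this example.
"""
import base64
import hashlib
import json
import struct

RP_ID = "example.co.uk"                                      # assumed relying-party ID
ALLOWED_ORIGINS = {"https://example.co.uk", "https://login.example.co.uk"}  # assumed
FLAG_USER_PRESENT = 0x01


def _b64url(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()


def _unb64url(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def check_domain_binding(client_data_json: bytes, authenticator_data: bytes,
                         expected_challenge: bytes):
    """Return (ok, reason). Origin/rpId part of WebAuthn assertion verification;
    the ECDSA/EdDSA signature check with the credential's stored public key is a
    separate step and is assumed to run after this one."""
    try:
        cd = json.loads(client_data_json)
        challenge = _unb64url(cd.get("challenge", ""))
    except ValueError:
        return False, "clientDataJSON is not valid JSON/base64url"
    if cd.get("type") != "webauthn.get":
        return False, f"unexpected type {cd.get('type')!r}"
    if challenge != expected_challenge:
        return False, "challenge mismatch (stale or replayed assertion)"
    origin = cd.get("origin")
    if origin not in ALLOWED_ORIGINS:
        return False, f"origin {origin!r} is not this relying party"
    if len(authenticator_data) < 37:          # rpIdHash(32) + flags(1) + counter(4)
        return False, "authenticatorData too short"
    if authenticator_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
        return False, "rpIdHash does not match this relying party"
    if not authenticator_data[32] & FLAG_USER_PRESENT:
        return False, "user presence not asserted"
    return True, "assertion is bound to this relying party"


# --- constructed sample data, shaped like what a browser and key would produce ---
def make_client_data(challenge: bytes, origin: str) -> bytes:
    return json.dumps({"type": "webauthn.get", "challenge": _b64url(challenge),
                       "origin": origin}).encode()


def make_authenticator_data(rp_id: str, sign_count: int) -> bytes:
    # rpIdHash || flags (UP|UV set) || big-endian signature counter
    return (hashlib.sha256(rp_id.encode()).digest() + bytes([0x05])
            + struct.pack(">I", sign_count))


if __name__ == "__main__":
    challenge = bytes(range(32))
    genuine = check_domain_binding(make_client_data(challenge, "https://login.example.co.uk"),
                                   make_authenticator_data(RP_ID, 7), challenge)
    phish = check_domain_binding(make_client_data(challenge, "https://login-example.co.uk"),
                                 make_authenticator_data("login-example.co.uk", 7), challenge)
    print("genuine site :", genuine)
    print("phishing site:", phish)
```

Note that the phishing case fails twice over: the browser stamps the proxy's origin into clientDataJSON, and the key would only sign for the rpId it registered, so the rpIdHash is also wrong. An adversary-in-the-middle proxy cannot rewrite either field without breaking the signature.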
Email Security Options
  • Microsoft Defender for Office 365 Plan 1: £1.70/user/month
  • Google Workspace Advanced Protection: £4.60/user/month
  • Sophos Email Security: £2.50/user/month
Endpoint Protection
  • Microsoft Defender for Business: £2.50/user/month
  • Sophos Intercept X: £3.50/user/month
  • CrowdStrike Falcon Go: £7.00/user/month
Compliance & Frameworks
  • Cyber Essentials: £300-£500 annually
  • ISO 27001: £10,000-£15,000 first year (discussed as often unnecessary for SMBs)
Resources Mentioned
Free Government Resources
Episode Sponsor
  • Authentrend: authentrend.com
  • Special offer: £40 per key (regular £45) until December 22nd, 2025
  • ATKey.Pro and ATKey.Card models
  • UK distributor support available
Related Blog Posts (From This Week's Series)
  • Tuesday: "InfoSec vs CyberSec vs IT Security: Stop Paying for the Wrong Protection in 2025"
  • Wednesday: "Another UK SME Wastes £20k on 'Comprehensive CyberSec': Still Gets Breached"
  • Thursday: "IT Security First: Your 5-Step Plan to Stop Buying the Wrong Protection"
  • Friday: "The Leicester SME That Chose IT Security Over InfoSec Theatre: Saved £15k and Actually Got Secure"
  • Saturday: "Opinion: The Cybersecurity Industry Is Deliberately Confusing UK SMBs"
Recommended First Steps
Immediate Actions (This Week)
  1. Catalogue your information - 1 day exercise to understand what you have and where it lives
  2. Register for ICO data protection fee - £40-£60 annual mandatory requirement
  3. Order hardware security keys - Start with admin accounts (grab Authentrend special offer before Dec 22nd)
First Month
  1. Get Cyber Essentials certified - £300-£500, addresses 90% of common threats
  2. Implement email security - £900-£1,800 annually for proper anti-phishing
  3. Deploy phishing-resistant MFA - £80-90 per employee one-time investment
  4. Configure endpoint protection - £1,200-£2,500 annually for 15-30 users
First Quarter
  1. Test your backups - Don't assume they work, actually restore something
  2. Basic staff training - Use free NCSC materials, focus on phishing recognition
  3. Review and document - Simple policies using ICO templates
Budget Planning

15-20 employee business, first year total: £6,200-£14,500

  • Email security: £900-£1,800 annually
  • Hardware security keys: £2,400-£2,700 one-time (with Dec 22nd offer: £2,400)
  • Endpoint protection: £1,200-£2,500 annually
  • Backup systems: £600-£1,200 annually
  • Network security: £600-£1,800 (includes one-time hardware costs)
  • Training: £0-£1,500 annually
  • Testing: £500-£2,000 annually

Ongoing costs (Year 2+): £3,800-£11,100 annually

Hosts

Noel Bradford - CIO/Head of Technology, Boutique Security First MSP

  • 40+ years enterprise security (Intel, Disney, BBC)
  • Direct, budget-conscious, solutions-focused
  • Enjoys challenging conventional security wisdom
  • Known for calling out vendor bollocks

Mauven MacLeod - Ex-Government Cyber Analyst

  • Government cybersecurity background (NCSC)
  • Glasgow-raised, practical approach
  • Translates national security threats into business reality
  • Focuses on what actually works for UK SMBs
Our Sponsorship Disclosure Policy

We only accept sponsorships from security vendors whose products we already recommend to UK SMB clients independently. If we wouldn't deploy it ourselves or specify it for consulting engagements, we won't accept sponsorship money for it.

Why Authentrend: We've been recommending their FIDO2-certified hardware security keys to clients for months because:

  • They provide the phishing-resistant authentication we consistently advise UK SMBs to implement
  • Pricing makes proper authentication accessible to small businesses
  • FIDO Alliance Level 2 certification ensures they meet security standards
  • They align with our core message: affordable IT security fundamentals over expensive security theatre
Take Action

Don't let perfect be the enemy of good. Start with what you can manage, do it properly, and build from there.

Your Next Steps
  1. Listen to the episode - Understand the differences before spending money
  2. Download the risk assessment template - Available on our blog
  3. Order hardware security keys - Start with admin accounts (special offer ends Dec 22nd)
  4. Get Cyber Essentials certified - £300-£500 addresses most common threats
  5. Implement IT Security fundamentals - £2K-£5K gets you real protection
  6. Review quarterly - Security isn't a one-time project
Subscribe & Connect
  • Never miss an episode - Hit subscribe wherever you get your podcasts
  • Leave us a review - It genuinely helps other UK small business owners find these conversations
  • Visit our blog - Additional resources, templates, and practical guides at noelbradford.com
  • Got specific questions? - Drop us a comment and we might cover it in a future episode
Next Week's Episode

"Government Cyber Initiatives: Why Whitehall's Digital Strategy Keeps Failing UK Businesses"

The NCSC produces world-class guidance. Unfortunately, most of it assumes you have dedicated security teams and enterprise budgets. We'll examine why government cybersecurity initiatives consistently miss the mark for the businesses that need help most, and what UK SMBs should actually implement instead.

Remember

The biggest security risk is doing nothing while you debate the perfect approach.

Stop wasting money on expensive security theatre. Start with IT Security fundamentals that actually protect against the threats you face. Get phishing-resistant authentication in place. Test your backups. Train your staff.

Everything else can come later.

Tags

#Cybersecurity #InformationSecurity #ITSecurity #UKSmallBusiness #SMB #UKGDPR #CyberEssentials #DataProtection #ICO #BusinessSecurity #CyberThreats #SecurityBudget #NCSC #UKBusiness #SmallBusinessUK #FIDO2 #PhishingResistant #MFA #Authentrend #HardwareSecurityKeys #AuthenticationSecurity

Discord's Data Breach and the UK's Digital ID Debacle16 Oct 202500:11:30

Noel and Mauven unpack Discord’s third-party breach that exposed government-ID checks from age-appeal cases, then weigh it against Westminster’s push for a nationwide digital ID. It’s a frank look at how outsourcing, age-verification mandates and data-hungry processes collide with real-world security on the ground. Expect straight talk and practical fixes for UK SMBs.

What we cover
  • What actually happened at Discord: a contractor compromise affecting support/Trust & Safety workflows, not Discord’s core systems; notifications issued; vendor relationship severed; law-enforcement engaged.

  • Why age-verification data is dynamite: passports and licences used for “prove your age” are a high-value, high-liability dataset for any platform or vendor.

  • The UK digital ID plan, clarified: free digital ID, phased rollout this Parliament, and mandatory for Right to Work checks rather than everyone by default. What that means for employers, suppliers and software choices.

  • Public sentiment vs promised safety: Britons broadly back “age checks” in principle but expect more data compromise and censorship risk, and doubt effectiveness.

Why it matters to UK SMBs
  • You can’t outsource accountability. If a payroll, KYC, helpdesk or verification vendor mishandles data, your customers still see your name on the breach notice.

  • Age and identity checks creep into ordinary business flows. HR onboarding, ticketing, and customer support can accumulate sensitive documents if you let them.

  • Centralising identity increases the jackpot for attackers. Your job is to minimise what you collect and partition what you must keep.

Key takeaways
  1. Do not collect what you can’t protect. Prefer attribute proofs over document uploads.

  2. Limit blast radius. Separate systems, short retention, hard deletion, and vendor access that is time-boxed and device-checked.

  3. Contract like you mean it. Specify MFA, device compliance, immutable logging, breach SLAs, and verifiable deletion in vendor agreements.

  4. Prepare your Right-to-Work path now. Choose flows that avoid copying and storing underlying documents.

Action checklist for SMB owners
  • Map every place you’re collecting ID or age proof today. Kill non-essential collection.

  • Where age is required, adopt attribute-based verification that proves “over 18” without revealing full identity.

  • Move any remaining uploads behind automatic redaction, strict retention, and encryption with keys you control.

  • Enforce vendor MFA via your IdP, require compliant devices, and review access logs weekly.

  • Run DPIAs for onboarding, support and HR flows that touch identity documents.

  • Rehearse your breach comms. Aim to say: “only an age token was exposed, not source documents.”
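"Prefer attribute proofs over document uploads" and "only an age token was exposed" describe one mechanism: the verification step sees the document once and hands downstream systems a signed token carrying only the derived attribute. The block below is an added example, not code from the podcast, of that issue/verify split. The keys, the subject salt, the 30-day lifetime and the sample applicants are assumptions; HMAC is used because it is in the standard library, so in this form the relying system could also mint tokens, and a real issuer should sign with an asymmetric key instead.

```python
"""Added example (not from the podcast): attribute-based age verification.

The issuer consumes the date of birth and emits a short-lived signed token holding
only "over_18" plus a pseudonymous subject reference. The helpdesk, HR or ticketing
system that relies on the token never receives the date of birth or the document,
so a breach there discloses at worst "this person was over 18 on that day".
Keys, salt and lifetime are assumptions. HMAC is a standard-library stand-in for an
asymmetric issuer signature (with HMAC a relying party can forge tokens too).
"""
import base64
import hashlib
import hmac
import json
import time
from datetime import date, datetime, timezone
from typing import Optional

ISSUER_KEY = b"assumed-issuer-signing-key-keep-in-a-kms"   # assumption
SUBJECT_SALT = b"assumed-per-tenant-salt"                  # assumption
TOKEN_TTL_SECONDS = 30 * 24 * 3600      # re-verify monthly rather than retain documents


def _b64url(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()


def _unb64url(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def is_over_18(dob: date, on: date) -> bool:
    """True on or after the 18th birthday. A 29 February birthday is taken as
    1 March in non-leap years (assumption; confirm the rule for your jurisdiction)."""
    try:
        eighteenth = dob.replace(year=dob.year + 18)
    except ValueError:                       # 29 Feb, and year+18 is not a leap year
        eighteenth = date(dob.year + 18, 3, 1)
    return on >= eighteenth


def pseudonymous_subject(applicant_ref: str) -> str:
    """Stable reference for audit and revocation that does not identify the applicant."""
    return hashlib.sha256(SUBJECT_SALT + applicant_ref.encode()).hexdigest()[:16]


def issue_age_token(dob: date, applicant_ref: str, now: Optional[int] = None) -> str:
    """Issuer side: the only place the date of birth exists. Emits the derived
    attribute, never the input."""
    now = int(time.time()) if now is None else now
    today = datetime.fromtimestamp(now, tz=timezone.utc).date()
    claims = {
        "sub": pseudonymous_subject(applicant_ref),
        "over_18": is_over_18(dob, today),
        "iat": now,
        "exp": now + TOKEN_TTL_SECONDS,
    }
    payload = _b64url(json.dumps(claims, separators=(",", ":"), sort_keys=True).encode())
    sig = hmac.new(ISSUER_KEY, payload.encode(), hashlib.sha256).digest()
    return f"{payload}.{_b64url(sig)}"


def verify_age_token(token: str, now: Optional[int] = None) -> Optional[dict]:
    """Relying-party side: returns the claims, or None when the token is forged,
    malformed or expired. Nothing about the source document is recoverable here."""
    now = int(time.time()) if now is None else now
    try:
        payload, sig = token.split(".", 1)
        expected = hmac.new(ISSUER_KEY, payload.encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(_unb64url(sig), expected):
            return None
        claims = json.loads(_unb64url(payload))
    except (ValueError, TypeError):
        return None
    if not isinstance(claims, dict) or claims.get("exp", 0) <= now:
        return None
    return claims


if __name__ == "__main__":
    # Constructed applicant: the DOB is used once at issuance and then discarded.
    token = issue_age_token(date(2000, 1, 1), "applicant-42")
    print("stored by the relying system:", token)
    print("what it learns:", verify_age_token(token))
```

What to keep per applicant is then the token (or just its `sub` and `over_18` values) with its expiry; the issuer's copy of the document can be deleted as soon as the token is issued, which is the "hard deletion, short retention" posture in the takeaways.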

Chapter outline
  • Setting the scene: a breach born in the support queue

  • Why ID uploads are a liability multiplier

  • The UK’s digital ID plan, without the spin

  • Vendor risk is your risk

  • Practical fixes you can implement before lunch

  • Q&A and what to do if you uploaded ID to Discord

If you think you’re affected
  • Treat notices as real; monitor credit; be alert to targeted phishing; don’t re-upload documents to unsolicited “verification” links.

Support the show
  • Subscribe, rate and review. Share this episode with a business owner who still stores passport scans in their helpdesk.

  • Send questions or topic requests for future episodes.

172 Security Holes Just Got Patched - But Is YOUR Business Already Compromised?15 Oct 202500:08:06

Microsoft has released the October 2025 Patch Tuesday update, and the numbers tell a serious story: 172 security flaws patched, six of them zero-days (already exploited in the wild or publicly disclosed before the fix shipped). For UK small businesses, this is more than routine maintenance; these updates close holes that attackers are actively using to break into systems like yours.

Graham Falkner cuts through the technical jargon to explain what these updates actually mean for your business, shares a real-world story of a local bakery that nearly lost everything, and walks through the practical steps you need to take today.

Key Topics Covered
The Scale of the Problem
  • 172 total vulnerabilities patched across Microsoft's ecosystem
  • Six zero-day flaws (actively exploited or publicly known before patches released)
  • Eight critical vulnerabilities that could allow unauthorised code execution
  • Elevation of privilege, remote code execution, and information disclosure threats
Windows 10: End of an Era
  • 14 October 2025 (this Patch Tuesday) was the last free security update for Windows 10; support ended that day
  • Extended Security Updates (ESU) now required for continued protection
  • Time to seriously plan your Windows 11 migration or budget for ESU costs
Real-World Impact

Linda's Bakery nearly lost a week's worth of turnover after ransomware exploited an unpatched zero-day vulnerability. The attack was fast, the data was locked, and only a quick backup restoration saved her business. Graham uses this story to demonstrate why these updates have tangible consequences for small businesses across the UK.

Windows 11 October 2025 Features

Beyond patching vulnerabilities, the October update brings nine useful new features for Windows 11 versions 25H2 and 24H2:

Improved Phishing Protection Enhanced defences that make it genuinely harder for dodgy links to trick your staff. Think of it as a digital bouncer for your inbox.

Enhanced Device Control Settings Brilliant if you operate in an environment where staff might plug in random gadgets. (Yes, coffee shop owners with drawers full of mystery USB sticks, we're looking at you.)

Wi-Fi Security Dashboard No IT degree required. Plain-language summary of your network's safety status that anyone can understand.

Built-in Password Manager Improvements Now flags when you've reused weak passwords. No more scribbling your favourite biscuit on a Post-it and hoping for the best.

AI Actions in File Explorer Smarter file organisation and quick task shortcuts

Notification Centre on Secondary Monitors Finally works properly where you click it

Moveable System Indicators Customise where volume and brightness indicators appear

Administrator Protection Additional security layer for privileged accounts

Passkey Support for Third-Party Providers More flexibility in authentication methods

Practical Action Steps
Immediate Tasks (This Week)

Schedule Your Updates Block out an hour when losing a computer for a reboot won't derail your entire operation. Updates can be inconvenient, but getting compromised because you delayed them is far worse.

Verify Installation Success Don't assume updates installed correctly. Open Windows Update settings and check for failed installations. Graham shares a personal story about his jukebox PC that reinforces this point.

Back Up Before Updating Protect your important data before applying updates. If something breaks, you'll need that backup to restore operations quickly.

Recovery Planning

Know Your Rollback Options Windows lets you uninstall a recent update from Settings > Windows Update > Update history > Uninstall updates, or from the Advanced startup recovery menu if the machine no longer boots. Don't wait until disaster strikes to learn how this works.

Document Your Process Have a written plan for what to do if an update causes problems. Graham learned this the hard way when his vinyl room jukebox went silent for days.

Long-Term Security Habits

Regular Review Schedule Treat security reviews like your car's MOT. Schedule them in your diary and actually do them. Ask yourself: "Are my defences still relevant to the threats out there?"

Consider Automation Intrusion detection tools and vulnerability scanners aren't just for large multinationals anymore. They fit comfortably into small business operations, often catching and patching issues before you even know they exist.

Staff Training Technology can only protect you so far. The biggest security gaps usually sit between the keyboard and the chair. Regular training on spotting dodgy emails and not clicking every link matters more than you think. All the AI in the world means nothing if someone opens the virtual front door for attackers.

Key Quotes from the Episode

"When you've got bugs that can lead to unauthorised access, stolen data, or a business-crippling ransomware attack, you simply can't afford to fall behind."

"These updates have real-world impact. I'm not talking theoretical."

"Don't leave your business exposed whilst attackers are combing these patch notes, looking for firms running behind."

"Not updating isn't just risky, it's old-fashioned."

"The strongest business is the one that learns just a bit faster than the crooks."

UK Business Context
Why This Matters for Small Businesses

Whether you're a florist in Aberdeen or a solicitor's office in Kent, cybersecurity isn't about ticking an IT box. These updates protect your ability to keep the cash register ringing and maintain customer trust.

Business-crippling ransomware attacks don't just happen to large corporations. Small businesses are increasingly targeted because attackers know you often lack dedicated IT resources and may be running behind on updates.

Regulatory Considerations

Whilst Graham doesn't dive deep into compliance in this Hot Take, remember that unpatched systems can create regulatory headaches:

  • GDPR obligations require appropriate security measures
  • ICO enforcement takes security seriously
  • Professional indemnity insurers increasingly audit cybersecurity practices
  • Client trust depends on demonstrating you protect their data properly
Technical Details (For the IT-Minded)
Vulnerability Breakdown
  • 80 Elevation of Privilege vulnerabilities
  • 31 Remote Code Execution flaws
  • 28 Information Disclosure issues
  • 11 Security Feature Bypass vulnerabilities
  • 11 Denial of Service flaws
  • 10 Spoofing vulnerabilities
  • 1 Tampering vulnerability
Notable Zero-Days Patched
  • CVE-2025-24990: Agere Modem driver vulnerability (actively exploited)
  • CVE-2025-59230: Windows Remote Access Connection Manager (actively exploited)
  • CVE-2025-24052: Agere Modem driver (publicly disclosed)
  • CVE-2025-2884: TPM 2.0 implementation flaw
  • CVE-2025-0033: AMD EPYC processor vulnerability
  • CVE-2025-47827: IGEL OS Secure Boot bypass
Removed Components

Microsoft removed the Agere Modem driver (ltmdm64.sys) after evidence of abuse for privilege escalation. If you rely on fax modem hardware using this driver, it will cease functioning after this update. Before deploying, check whether C:\Windows\System32\drivers\ltmdm64.sys exists on any machine; if it does, that device has hardware that will stop working and needs a replacement plan.

Resources and Further Reading
Official Microsoft Sources
Third-Party Analysis
UK-Specific Resources
Episode Credits

Host: Graham Falkner
Production: The Small Business Cyber Security Guy Podcast
Copyright: 2025 - All Rights Reserved

Call to Action
Help Other Small Businesses Stay Secure

  • Like this Hot Take if you found it useful
  • Subscribe to catch every episode as we release them
  • Share with other UK small business owners who need to hear this
  • Comment with your own update horror stories or success stories

Your engagement helps us reach more small businesses who desperately need practical cybersecurity guidance. Every share might save another business from becoming next month's ransomware statistic.

Stay Connected

Visit thesmallbusinesscybersecurityguy.co.uk for:

  • Complete episode archive
  • Written guides and checklists
  • Additional resources for UK small businesses
  • Ways to submit questions for future episodes
Related Episodes

Looking for more context on topics mentioned in this Hot Take? Check out these related episodes:

Episode 17: Social Engineering - The Human Firewall Under Siege Why staff training matters more than you think, and how attackers exploit human psychology

Episode 10: White House CIO Insights Part 3 - Advanced Threats & AI AI-powered attacks and how small businesses can defend against sophisticated threats

Enhanced Supply Chain Security Understanding vendor dependencies and how updates fit into broader security strategy

Why the Chancellor Just Wrote to UK CEOs: Cyber Attacks Surge 50%14 Oct 202500:07:37

Ministers have sent an urgent letter to UK business leaders after the NCSC handled 204 nationally significant cyber incidents in the past year, with 18 "highly significant" incidents – a 50% increase for the third consecutive year. Join Mauven MacLeod and Graham Falkner as they unpack the government's wake-up call and translate ministerial warnings into concrete actions every business leader can take today.

What You'll Learn
  • Why the Chancellor and three Cabinet Ministers personally co-signed an urgent letter to UK business leaders - Ministerial letter on cyber security
  • The shocking NCSC statistics: nearly half of all incidents were nationally significant, with highly significant incidents up 50%
  • Real-world impact: empty supermarket shelves, healthcare disruption causing deaths, and £300m+ losses for single organisations
  • The three specific government requests that will have an immediate impact on your cyber resilience - Ministerial letter on cyber security
  • Practical first steps you can take this week (most are free)
Key Quotes

"Any leader who fails to prepare for that scenario is jeopardising their business's future... It is time to act." - Richard Horne, CEO of NCSC

"Hostile cyber activity in the UK is growing more intense, frequent and sophisticated. There is a direct and active threat to our economic and national security." - Ministerial Letter, 13 October 2025 - Ministerial letter on cyber security

"While you can plan meticulously, nothing truly prepares you for the moment a real cyber event unfolds. The intensity, urgency and unpredictability of a live attack is unlike anything you can rehearse." - Shirine Khoury-Haq, CEO of The Co-op Group

Resources Mentioned
Take Action This Week
  1. Sign up for NCSC Early Warning (free)
  2. Read the ministerial letter
  3. Add cyber security to your next Board agenda
  4. Check if MFA is enabled on critical systems
About the Hosts

Mauven MacLeod - Ex-NCSC cyber security expert with Glasgow roots who translates government-level threat intelligence into practical advice for small businesses.

Graham Falkner - The unmistakable voice from UK cinema trailers, now bringing his theatrical gravitas and storytelling skills to demystify cybersecurity for business leaders.

Connect

Visit our blog: thesmallbusinesscybersecurityguy.co.uk

Like the show? Subscribe, leave a review, and share with colleagues.

Episode Length: ~8 minutes

Bottom line: Nearly half of NCSC incidents are now nationally significant. It's time to act.

Beds, Bins and DNS: How One AWS Region Outage Sank the Smart Home26 Oct 202500:11:20

Hosts Mauven MacLeod and Graham Falkner deliver a fiery rant about the recent AWS US East 1 DNS outage and what it reveals about our dependence on cloud services. In this episode, they unpack the outage's real-world impact — from Snapchat and Venmo outages to Philips Hue bulbs and automated litter boxes going dark — and share colourful personal anecdotes, including a navigation fail on a Loch Lomond walk and a high‑tech mattress that turns into an expensive paperweight when the cloud hiccups.

The pair dig into the technical and cultural roots of the problem: DNS as an ageing single point of failure, the dangers of concentrating critical infrastructure in one region, cost‑cutting that sacrifices resilience, and the worrying effects of automation and staff churn. They discuss how small businesses, banks, gaming platforms, and everyday consumers all found themselves unable to process payments, take bookings, or even turn on a light due to a single regional fault.

Mauven and Graham also examine the human side of outages — exhausted sysadmins, online threads that read like group therapy, and the blurred line between human operators and automated systems shipping production code. They mock the absurdity of smart devices that need the internet to perform basic functions, and contrast that with the resilience of simple, offline tech (their beloved vinyl collections make a cameo).

Finally, the episode offers a clear call to action: rethink resilience. Topics covered include multi‑cloud and hybrid strategies, decentralisation, offline fallback modes or “stupid mode” for essential devices, and the need to prioritise technical debt and redundancy over short‑term savings. Expect sharp humour, practical frustrations, and a promise of tangible fixes and advice in the next episode — plus plenty of memes and sympathy for the folks keeping the lights on.

The Doorman Fallacy: How Cost Cuts Become Catastrophes27 Oct 202500:50:36
The £18,000 Saving That Cost £200,000 in Revenue

Ever cut a cost that seemed obviously wasteful, only to discover you'd destroyed something far more valuable? Welcome to the Doorman Fallacy —it's probably happening in your business right now.

In this episode, Noel Bradford introduces a concept from marketing expert Rory Sutherland's book "Alchemy" that explains precisely why "sensible" security cost-cutting so often leads to catastrophic consequences. Through five devastating real-world case studies, we explore how businesses optimise themselves into oblivion by defining roles too narrowly and measuring only what's easy to count.

Spoiler alert: The doorman does far more than open doors. And your security measures do far more than their obvious functions.

What You'll Learn
The Core Concept
  • What the Doorman Fallacy is and why it matters for cybersecurity
  • The difference between nominal functions (what something obviously does) and actual functions (what it really does)
  • Why efficiency optimisation without a complete understanding is just expensive destruction
  • The five-question framework for avoiding Doorman Fallacy mistakes
Five Catastrophic Case Studies

1. The Security Training Fallacy (Chapter 2)

  • How cutting £12,000 in training led to a £70,000 Business Email Compromise attack
  • Why training isn't about delivering information—it's about building culture
  • The invisible value: shared language, verification frameworks, psychological safety
  • What to measure instead of cost-per-employee-hour

2. The Cyber Insurance Fallacy (Chapter 3)

  • The software company that saved £18,000 and lost £200,000 in client contracts
  • Why insurance isn't just financial protection—it's a market signal
  • Hidden benefits: third-party validation, incident response capability, customer confidence
  • How cancelling coverage destroyed vendor relationships and sales opportunities

3. The Dave Automation Fallacy (Chapter 4)

  • Insurance broker spent £100,000+ replacing a £50,000 IT person
  • The £15,000 server upgrade that Dave would have known was unnecessary
  • Institutional knowledge you can't document: vendor relationships, crisis judgment, organisational politics
  • Why ticketing systems can't replace anthropological understanding

4. The MFA Friction Fallacy (Chapter 5)

  • Fifteen seconds of "friction" versus three weeks of crisis response
  • The retail client who removed MFA and suffered £65,000 in direct incident costs
  • Why attackers specifically target businesses without MFA
  • The reputational damage you can't quantify until it's too late

5. The Vendor Relationship Fallacy (Chapter 6)

  • Solicitors saved £4,800 annually, lost a £150,000 client
  • Why "identical services" aren't actually identical
  • The difference between contractual obligations and genuine partnerships
  • What happens when you need flexibility and you've burned your bridges
Key Statistics & Case Studies
  • 42% of business applications are unauthorised Shadow IT (relevant context)
  • £47,000 BEC loss vs £12,000 annual training savings
  • £200,000 lost revenue vs £18,000 insurance savings
  • £100,000+ replacement costs vs £50,000 salary
  • £65,000 incident costs vs marginal productivity gains
  • £150,000 lost client vs £4,800 vendor savings

Common pattern: Small measurable savings, catastrophic unmeasurable consequences.

The Five-Question Framework

Before cutting any security costs, ask yourself:

  1. What's the nominal function versus the actual function?
    • What does it obviously do vs what does it really do?
  2. What invisible benefits will disappear?
    • Be specific: not "provides value" but "provides priority incident response during emergencies"
  3. How would we replace those invisible benefits?
    • If you can't answer this, you're making a Doorman Fallacy mistake
  4. What's the actual cost-benefit analysis, including invisible factors?
    • Not just "save £8,000" but "save £8,000, lose security culture, increase incident risk"
  5. What's the cost of being wrong?
    • In cybersecurity, the cost of being wrong almost always exceeds the cost of maintaining protection
Practical Takeaways
What to Do Tomorrow

Review your most recent efficiency or cost-cutting decision. Ask:

  • Did we define this function too narrowly?
  • What invisible value might we have destroyed?
  • Are we experiencing consequences we haven't connected to that decision?
Better Metrics for Security Investments

Instead of measuring cost-per-hour or savings-per-quarter, measure:

  • Incident reporting rates (should go UP with good training)
  • Verification procedure usage frequency
  • Time-to-report for security concerns
  • Vendor response times during emergencies
  • Employee confidence in raising concerns
Making Trade-Offs Honestly

Budget constraints are legitimate. The solution isn't "never cut anything." It's:

  • Acknowledge what you're sacrificing when you cut
  • Admit the risks you're accepting
  • Have plans for replacing invisible functions
  • Make consequences visible during decision-making
  • Ensure decision-makers bear some responsibility for outcomes
Quotable Moments

"The doorman's job is opening doors. So we replaced him with an automatic door. Saved £35,000 a year. Lost £200,000 in revenue because the hotel stopped feeling luxurious. That's the Doorman Fallacy." — Noel

"Security training's nominal function is delivering information. Its actual function is building culture. Cut the training, lose the culture, then wonder why nobody reports suspicious emails anymore." — Noel

"We saved £8,000 on training. Spent £70,000 on the Business Email Compromise attack that training would have prevented. The CFO was very proud of the efficiency gains." — Noel

"You can't prove a negative. Can't show the value of the disasters you prevented because they didn't happen. So the training gets cut, the insurance gets cancelled, and everyone acts surprised when the predictable occurs." — Mauven

"The efficiency consultant's dream outcome: Measurable cost eliminated, unmeasurable value destroyed, everyone confused about why things feel worse despite the improvement." — Noel

Chapter Timestamps
  • 00:00 - Pre-Roll: The Most Expensive Cost-Saving Decision
  • 02:15 - Intro: Why Marketing Books Matter for Cybersecurity
  • 05:30 - Chapter 1: The Book, The Fallacy, The Revelation
  • 12:00 - Chapter 2: The Security Training Fallacy
  • 19:30 - Chapter 3: The Cyber Insurance Fallacy
  • 27:00 - Chapter 4: The Dave Automation Fallacy
  • 35:30 - Chapter 5: The MFA Friction Fallacy (+ Authentrend sponsor message)
  • 42:00 - Chapter 6: The Vendor Relationship Fallacy
  • 49:30 - Chapter 7: Hard-Hitting Wrap-Up & Framework
  • 58:00 - Outro: Action Items & CTAs

Total Runtime: Approximately 62 minutes

Sponsored By

Authentrend - Biometric FIDO2 Security Solutions

This episode is brought to you by Authentrend, which provides passwordless authentication solutions that address the friction problem discussed in Chapter 5. Their ATKey products use built-in fingerprint authentication—no passwords, no PIN codes, just five-second authentication that's both convenient AND phishing-resistant. Microsoft-certified, FIDO Alliance-trusted, and designed for small businesses that need enterprise-grade security without enterprise-level complexity.

Learn more: authentrend.com

Resources & Links

Mentioned in This Episode:

  • Rory Sutherland's "Alchemy: The Dark Art and Curious Science of Creating Magic in Brands, Business, and Life"
  • Authentrend ATKey Products: authentrend.com
  • Episode 3: "Dave from IT - When One Person Becomes Your Single Point of Failure" (referenced in Chapter 4)

Useful Tools & Guides:

  • Download our Doorman Fallacy Decision Framework (PDF)
  • Template: Articulating Invisible Value in Budget Meetings
  • Checklist: Five Questions Before Cutting Security Costs
  • Case Study Library: Real-World Doorman Fallacy Examples

UK-Specific Resources:

  • ICO Guidance on Security Measures
  • NCSC Small Business Cyber Security Guide
  • Cyber Essentials Scheme Information
About Your Hosts

Noel Bradford brings 40+ years of IT and cybersecurity experience from Intel, Disney, and the BBC to small-business cybersecurity. Now serving as CIO/Head of Technology for a boutique security-first MSP, he specialises in translating enterprise-level security to SMB budgets and constraints.

Mauven MacLeod is an ex-government cyber analyst who now works in the private sector helping businesses implement government-level security practices in commercial reality—her background bridges national security threat awareness with practical small business constraints.

Support The Show

New episodes every Monday at Noon UK Time!

Never miss an episode! Subscribe on your favourite podcast platform:

Help us reach more small businesses:

  • ⭐ Leave a review (especially appreciated if you mention which Doorman Fallacy example hit closest to home)
  • 💬 Comment with your own efficiency optimisation horror stories
  • 🔄 Share this episode with CFOs, procurement specialists, and anyone making security budget decisions
  • 📧 Forward to that one colleague who keeps suggesting cost-cutting without understanding the consequences

Connect with us:

Episode Tags

#Cybersecurity #SmallBusiness #SMB #InfoSec #CyberInsurance #MFA #SecurityTraining #ITManagement #BusinessSecurity #RiskManagement #DoormanFallacy #BehavioralEconomics #SecurityROI #UKBusiness #CostBenefit #SecurityCulture #IncidentResponse #VendorManagement #Authentrend #FIDO2 #PasswordlessAuthentication

Legal

The Small Business Cyber Security Guy Podcast provides educational information and general guidance on cybersecurity topics. Content should not be considered professional security advice for your specific situation. Always consult qualified cybersecurity professionals for implementation guidance tailored to your organisation's needs.

Copyright © 2025 The Small Business Cyber Security Guy Podcast. All rights reserved.

Got a question or topic suggestion? Email us at hello@thesmallbusinesscybersecurityguy.co.uk or leave a comment below!

Ghosts in the Machine — Halloween Special: When Your Tools Turn on You | 31 Oct 2025 | 00:12:56

This Halloween special of the Small Business Cyber Security Guy peels back the curtain on the scariest place hackers hide: the tools and toolchains you trust. Hosts Graham Falkner, Noel Bradford and Mauven MacLeod go ghost hunting inside compilers, build systems and update pipelines to show how supply‑chain attacks can insert backdoors that you’ll never spot by reading source code alone.

The episode revisits Ken Thompson’s classic compiler backdoor thought experiment and explains, in plain language, how a compromised compiler can propagate secrets invisibly. The hosts walk through real incidents — XcodeGhost, SolarWinds, EventStream, and Log4j — to demonstrate how attackers target development tools and upstream suppliers to compromise software at scale.

Expect practical, small-business-focused anecdotes (including a midnight accounting patch that wreaked havoc) and clear explanations of why technical debt, single-developer codebases, and blind trust in update pop-ups are dangerous. The conversation highlights how even open-source software can be compromised if maintainers or dependencies are compromised.

The episode also covers defences and takeaways: demand provenance and supply-chain transparency from vendors, insist on reproducible builds where possible, use two-person reviews and well-maintained dependencies, and protect access with strong authentication. The hosts debate how to distribute trust, verify your verifiers, and reduce single points of failure so one compromised supplier or contractor can’t haunt your whole business.

There’s a sponsor segment from Authentrend about passwordless biometric sign-ins as a way to block credential-based intrusions, along with links to resources and a trial, in the show notes. Throughout, the hosts balance technical history and horror stories with concrete steps small businesses can take now to keep their compilers and supply chains clean.

Listen for clear, actionable advice for small businesses, including how to ask vendors the right questions, when to bring in trusted IT partners, and simple measures to keep the lights on and the doors locked against the ghosts in your code. Sláinte — and may your backups never rise from the grave.

No More Excuses: Cyber Essentials Forces MFA on Every Cloud Service (Apr 2026) | 03 Nov 2025 | 00:07:45

In this episode Graham and Mauven break down a major overhaul to Cyber Essentials coming into force from April 2026. The hosts explain the headline change — mandatory multi-factor authentication (MFA) for every cloud service with no loopholes — and how the scheme has tightened scoping so any internet-connected service or system that processes company data is now in scope.

Topics covered include the new emphasis on passwordless authentication (passkeys, FIDO2 hardware keys, and biometrics), why the NCSC is pushing these technologies, and the practical security benefits and limits of passwordless solutions. They also discuss the real-world impact on small businesses: thousands currently relying on weak passwords or shadow IT will face failed assessments, unsupported software will trigger instant fails, and many firms will need to budget for MFA where it’s not free.

Graham and Mauven share concrete, actionable advice for listeners: inventory every cloud service (including forgotten Dropbox or personal Gmail accounts used for work), involve the whole team, enable MFA everywhere possible (and budget for paid options), collect and document evidence (screenshots, logs), map networks and implement segmentation where needed, and plan early to avoid rush and audit pain.

Key takeaways: the bar is being raised to reduce simple attacks, passwordless is being validated as a practical option, expect a drop in pass rates at renewal time, and businesses should start preparing now or face chaotic assessment outcomes. Hosts: Graham Falkner and Mauven MacLeod.

FinalSpark, Ethics & Security: What Living-Neuron Computers Mean for Your Company | 03 Nov 2025 | 00:22:50
What if I told you there’s a laboratory in Switzerland where scientists are building computers from living human neurons?

Sounds like science fiction, right? But it’s happening right now, and the energy crisis driving this research is about to affect every small business owner’s cloud computing bills.

In this episode, Noel, Graham, and Mauven explore FinalSpark’s revolutionary biocomputing platform. This Swiss company has created the Neuroplatform, a system using approximately 160,000 living human neurons to perform computational tasks. Their goal? Solving the massive energy consumption problem created by artificial intelligence and modern data centres.

Your brain runs on 20 watts of power. Current AI data centres consume megawatts.

FinalSpark claims their biological processors could use a million times less energy than traditional computing. That’s not incremental improvement – that’s fundamental transformation.

But here’s the catch: this technology is still early, really early. So why should small business owners care about laboratory experiments with brain cells?

Because the energy costs driving this research are already affecting your Azure bills, your SaaS subscriptions, and your cloud hosting fees. And understanding where technology is heading helps you make better decisions about where to invest your limited resources.

What You’ll Learn

  • Why energy consumption in computing matters to small businesses right now
  • How FinalSpark’s biocomputing platform actually works (in terms that won’t require a neuroscience degree)
  • The realistic timeline for when this technology might affect your business
  • What small businesses should actually do about emerging technologies
  • The security implications nobody’s talking about yet
  • The uncomfortable ethical questions around growing human neurons for computation

Key Quotes

Noel Bradford: “Training a single large AI model produces the same carbon emissions as five cars create during their entire lifetime. And that statistic is from 2019. Modern models like GPT-4 produce 50 to 100 times more emissions than that.”

Graham Falkner: “So naturally they thought, you know what, let’s just use actual neurons instead. Because that’s a perfectly reasonable next step when your silicon experiments don’t work.”

Mauven MacLeod: “Bloody hell. Today’s topic just got properly mental.”

Noel Bradford on timeline: “In the next 12 months, nothing. Ignore biocomputing entirely. Focus on the security basics most businesses are probably still getting wrong.”

On security implications: “How do you secure a computer made from living cells? Do you need to understand neuroscience to exploit vulnerabilities in bioprocessors? If someone breaches a living computer system, is it a cyber attack or biological warfare?”

About FinalSpark

Founded by: Dr. Martin Kutter and Dr. Fred Jordan
Location: Vevey, Switzerland
Previous company: Alpvision (anti-counterfeiting specialists)
Current project: The Neuroplatform

Research credentials:
  • Published peer-reviewed research that reached the top 1% of most-read articles in Frontiers journal
  • Providing free access to 10 universities worldwide (36 applications received)
  • Created APIs and documentation for remote access
  • Built Discord community with 1,200+ members discussing biocomputing

Participating universities:
  • University of Michigan
  • Free University of Berlin
  • University of Exeter
  • Lancaster University
  • Leipzig University
  • University of York
  • Oxford Brookes University
  • University of Bath
  • University of Bristol
  • Université Côte d’Azur (France)
  • University of Tokyo

Key Facts from the Episode

Energy consumption statistics:
  • Data centres consumed 1.5% of global electricity as of 2024
  • Projected to reach 3% by 2030
  • AI is accelerating growth exponentially
  • Meta, Google, and OpenAI are talking about building nuclear power stations

The biocomputing advantage:
  • Human brain runs on 20 watts
  • Modern AI data centres use megawatts (millions of watts)
  • FinalSpark claims million-times efficiency (99.9999% reduction)
  • Some sources cite up to billion-times more energy efficient

The Neuroplatform specifications:
  • 10,000 living neurons per organoid
  • 16 organoids total
  • Approximately 160,000 neurons system-wide
  • Neurons survive up to 100 days in active use
  • Accessible remotely by researchers worldwide

Why This Matters for Small Businesses

Immediate concerns:
  1. Energy costs always roll downhill to cloud hosting bills and SaaS subscriptions
  2. AI tools your business uses (Microsoft Copilot, ChatGPT, customer service chatbots) all burn energy
  3. Every interaction costs carbon, and those costs eventually reach small businesses

Future implications:
  1. If biocomputing proves viable, benefits arrive through infrastructure improvements
  2. Your cloud providers incorporate biological processors
  3. Your costs decrease, capabilities increase
  4. You won’t buy biocomputers any more than you buy specific processor architectures now

What to watch for (2-5 year timeline):
  • Early commercial applications in specialised tasks
  • Medical diagnostics applications
  • Pattern recognition improvements
  • Industry adoption signals

Practical Takeaways for Business Owners

Do these things now:
  1. Secure current systems properly (multi-factor authentication, proper backups)
  2. Train staff on cybersecurity basics
  3. Achieve Cyber Essentials certification
  4. Build adaptable IT infrastructure

Build awareness:
  1. Subscribe to technology news sources
  2. Spend 15 minutes monthly reading about emerging tech
  3. Build mental models of where technology might head
  4. Prepare for paradigm shifts

Watch for these milestones:
  1. Commercial partnerships with major tech companies
  2. Published benchmarks proving practical advantages
  3. Scaling demonstrations (thousands of neurons for months)
  4. Security framework development
  5. Independent energy validation studies

Remember:
  • Mad ideas sometimes win (iPhone, Netflix, electric cars)
  • Companies that survive aren’t the ones that predicted the exact future
  • They’re the ones who built adaptable systems that could pivot
  • Focus on fundamentals whilst keeping awareness of emerging tech

Resources Mentioned

FinalSpark:
  • Company website and Neuroplatform information
  • FinalSpark Butterfly demonstration application (control virtual butterfly using living neurons)
  • Discord community (1,200+ members)
  • Academic publications in Frontiers journal

Further reading:
  • Full blog post with technical details and source verification available at thesmallbusinesscybersecurityguy.co.uk
  • Research papers on biological computing
  • Energy consumption studies for AI and data centres

The Uncomfortable Questions We Need to Answer

As Noel, Graham, and Mauven discuss in the episode, biocomputing raises security and ethical questions that nobody has answers for yet:

Security concerns:
  • How do you secure computers made from living cells?
  • Can you hack biological neural networks?
  • Do you need neuroscience expertise to exploit vulnerabilities?
  • Is a breach a cyber attack or biological warfare?
  • How do you wipe a neuron’s memory?
  • Can you verify data deletion?
  • How do you conduct forensic analysis on biological substrates?

Ethical considerations:
  • These neurons aren’t conscious or sentient (they’re biological cells performing functions)
  • But they’re human neurons grown from human stem cells
  • Where’s the ethical line if we can grow larger collections?
  • How large before we worry about experiences or consciousness?
  • How do we measure consciousness in biological systems grown for computation?
  • Should these conversations happen now, before ubiquity?

The hosts emphasise that awareness isn’t the same as answers, but these discussions need to happen before the technology becomes widespread.

What the Hosts Say You Should Actually Do

After 22 minutes of discussing living neurons, Swiss laboratories, and energy crises, the practical advice is refreshingly straightforward:

Do nothing different, for now at least!

Seriously. Don’t change your technology strategy based on biocomputing research. Instead:
  1. Secure your current systems properly
  2. Implement proper backup strategies
  3. Train your staff on cybersecurity basics
  4. Achieve Cyber Essentials certification
  5. Build IT infrastructure that serves your business objectives

Why? Because the exciting developments in biocomputing don’t change the fact that most UK small businesses still haven’t done the tedious, essential security work that prevents 95% of attacks.

As Noel puts it: “The companies that survive aren’t the ones that predicted the exact future. They’re the ones who built adaptable systems that could pivot when the future arrived unexpectedly.”

Next Steps

Subscribe to the podcast so you don’t miss future episodes exploring where technology is heading and what it means for your business.

Leave a review if you found this episode valuable. Reviews genuinely help other small business owners find the show. Takes 30 seconds, makes a real difference.

Share this episode with business owners who need to understand how energy costs are about to affect their cloud computing bills.

Visit the blog at thesmallbusinesscybersecurityguy.co.uk for the comprehensive write-up with all technical details, source verification, and links to the research.

Comment with your thoughts: Do you think biocomputing is the future or an expensive dead end? Your questions sometimes become future episodes.

About The Small Business Cyber Security Guy Podcast

Practical cybersecurity advice for UK small businesses, delivered with humour and authentic British personality.

Hosted by:
  • Noel Bradford (40+ years in IT, ex-Intel/Disney/BBC, current CIO)
  • Graham Falkner (tech-savvy small business owner & voice-over artist representing the SMB reality)
  • Mauven MacLeod (ex-government cybersecurity background)

New episodes weekly
Website: thesmallbusinesscybersecurityguy.co.uk
Podcast feed: https://feed.podbean.com/thesmallbusinesscybersecurityguy/feed.xml

Final Thoughts from the Hosts

Noel Bradford: “After 40 years in this industry, I’ve learned that mad ideas sometimes win. Especially the really mad ones.”

Mauven MacLeod: “Stay curious, stay sceptical, stay secure, and maybe keep one eye on the Swiss scientists growing computers in dishes.”

Graham Falkner: “The small business cybersecurity challenges haven’t changed. But knowing where technology is heading helps you make better decisions about where to invest your limited resources.”

Legal Disclaimer

The Small Business Cyber Security Guy Podcast is produced for educational and informational purposes. All information provided is believed to be accurate at the time of recording, but cybersecurity is a rapidly evolving field. Listeners should verify current information and seek professional advice specific to their circumstances. The hosts and producers are not liable for actions taken based on information provided in this podcast. Always implement cybersecurity measures appropriate to your business needs and risk profile. Copyright 2025. All rights reserved.

Tags

biocomputing, FinalSpark, living neurons, computing energy crisis, AI energy consumption, small business technology, future of computing, cybersecurity, data centres, cloud computing costs, Swiss technology, enterprise technology, SMB technology strategy, emerging technology, biological computing, neural networks, technology innovation, small business podcast, UK business, cyber essentials

Ignored Audits, Ancient Servers, and a Cherry Picker — Inside the Louvre Jewel Robbery | 07 Nov 2025 | 00:11:36

On October 19th, 2025, four men dressed as construction workers stole €102 million in French crown jewels from the Louvre Museum in just seven minutes. The heist was poorly executed—thieves dropped items and failed to target the most valuable pieces—yet they succeeded spectacularly.

Why? Because the world's most visited museum had been ignoring basic cybersecurity warnings for over a decade.

In this hot take, Noel Bradford examines the shocking details that emerged after the heist: the password to the Louvre's video surveillance system was "LOUVRE." Security software was protected by "THALES" (the vendor's name). Windows 2000 and Server 2003 systems were still in operation years after support ended. And a 2015 security audit with 40 pages of recommendations won't be fully implemented until 2032.

This episode examines the consequences of institutions ignoring expert warnings, the importance of accountability, and what UK small businesses can learn from a €102 million failure. Spoiler: if your security is better than the Louvre's, you're doing something right.

Key Message: Security failures often begin long before the day of the breach. They start years earlier when warnings go unaddressed.

Key Takeaways
  1. The Louvre's password was "LOUVRE." If one of the world's most prestigious institutions used the building's name as its surveillance system password, your organisation probably has similar problems.
  2. Ten years of warnings, zero action - ANSSI identified critical vulnerabilities in 2014. Security upgrades recommended in 2015 won't be completed until 2032. Ignoring expert advice is organisational negligence.
  3. Resources aren't the problem - The Louvre had budget, expertise, and free government audits. They chose to prioritise palace restoration (€60M) over security infrastructure. It's about priorities, not resources.
  4. Hardware authentication solves password problems - FIDO2 security keys can't be guessed, phished, or compromised through weak passwords. At £30-50 per key, they're cheaper than one day of operational disruption.
  5. The accountability gap enables negligence - Government institutions face no consequences for catastrophic security failures, while UK SMBs receive ICO fines and potential closure for less. This double standard undermines security culture.
  6. Your security might be better than that of the Louvre. If you've enabled MFA, run supported operating systems, and have basic password policies, you're already ahead of a museum protecting the Mona Lisa. That's encouraging and concerning.
  7. Security failures often begin years before a breach - The October 2025 heist was made possible by decisions (or non-decisions) that stretched back to 2014. Prevention requires consistent action, not crisis response.
Case Studies Referenced

The Louvre Heist (October 2025)
  • Incident: €102 million in French crown jewels stolen in 7 minutes
  • Root causes: Password "LOUVRE" for surveillance, outdated systems (Windows 2000/Server 2003), unmonitored access points
  • Audit history: 2014 ANSSI audit identified vulnerabilities, 2015 audit provided 40-page recommendations
  • Accountability: Director retained position, no terminations, Culture Minister initially denied security failure
  • Timeline: Security upgrades recommended in 2015 won't complete until 2032
KNP Logistics (Referenced)
  • Industry: East Yorkshire haulage firm
  • Incident: Ransomware attack, £850,000 ransom demand
  • Outcome: Couldn't pay, business entered administration, 70 jobs lost
  • Contrast: Small business faces closure; national institution faces no consequences
Electoral Commission (Referenced)
  • Incident: Data breach affecting 40 million UK voters
  • Outcome: No job losses, no significant consequences
  • Relevance: Government accountability gap vs private sector enforcement
About The Host

Noel Bradford brings over 40 years of IT and cybersecurity experience across enterprise and SMB sectors, including roles at Intel, Disney, and BBC. Currently serving as CIO and Head of Technology for a boutique security-first MSP, Noel specialises in translating enterprise-grade cybersecurity expertise into practical, affordable solutions for UK small businesses with 5-50 employees.

His philosophy centres on "perfect security is the enemy of any security at all," focusing on real-world constraints and actionable advice over theoretical discussions. Noel's direct, no-nonsense approach has helped "The Small Business Cyber Security Guy Podcast" achieve Top 90 Business Podcast status in the USA and Top 170 in the UK, with a unique cross-Atlantic audience (47% American, 39% British).

Legal & Disclaimer

The information provided in this podcast is for educational and informational purposes only and should not be construed as professional cybersecurity, legal, or financial advice. Listeners should consult qualified professionals for guidance specific to their circumstances.

Product and service mentions, including sponsors, are provided for informational purposes. The host and podcast do not guarantee results from implementing suggested strategies or using mentioned products.

All case studies and incidents discussed are based on publicly available information and reporting. Facts are verified against multiple authoritative sources before publication.

© 2025 The Small Business Cyber Security Guy Podcast. All rights reserved.

Credits

Host: Noel Bradford
Production: The Small Business Cyber Security Guy Productions
Editing: Noel Bradford
Research: Graham Falkner
Show Notes: Graham Falkner

Special Thanks: ANSSI (for their audit work that we wish the Louvre had acted upon), Libération journalist Brice Le Borgne (for his investigative reporting), and UK small businesses everywhere who take security more seriously than world-famous museums apparently do.

Episode Tags

#Cybersecurity #SmallBusiness #UKBusiness #PasswordSecurity #Louvre #DataBreach #HardwareAuthentication #FIDO2 #CyberAccountability #InformationSecurity #RiskManagement #SMBSecurity #CyberNews #HotTake #BusinessPodcast

Next Episode: Coming Soon - Criminal Accountability for Cybersecurity Negligence (Two-Part Series)

Average Episode Downloads: 3,000+ per day at peak
Listener Demographics: 47% USA, 39% UK, 14% Other
Target Audience: UK SMBs with 5-50 employees

48 Hours to Zero: How Ransomware Destroyed a 158-Year Business | 01 Sep 2025 | 00:01:26

KNP Logistics — 158 years in business — wiped out in 48 hours by ransomware. Noel Bradford and Mauven MacLeod unpack that real-world catastrophe to show small businesses how the same fate can be avoided. If you run a local shop, agency or family firm and think cybersecurity is either incomprehensible or unaffordable, this episode is for you.

Noel Bradford, with 40 years of experience in corporate security, and Mauven MacLeod, a former government cyber analyst who tracked nation-state actors, introduce themselves and explain why attackers are increasingly targeting customer databases and other easy-to-access systems. They describe common threat vectors and the mistakes that turn manageable incidents into business-ending disasters.

Topics covered include ransomware timelines, authentication failures, shadow IT risks, social engineering and real breach case studies. The hosts translate enterprise-level controls into simple, low-cost actions you can implement between customer calls — covering backups, multi-factor authentication, software hygiene, incident response basics and how to spot a phishing scam before it’s too late.

Key takeaways: perfect security is unattainable, but practical, layered defences dramatically reduce risk; small changes can stop most attacks; and preparation (not panic) is the difference between a blip and a shutdown. Expect clear, jargon-free advice, step-by-step recommendations and real lessons from the trenches.

Tune in for a fast, actionable guide to protecting your business assets and customer data. Subscribe to the Small Business Cybersecurity Guide for weekly episodes that make good security affordable and straightforward — because good security doesn't have to cost a fortune, but stupidity always does.

From SMS to FIDO2: A Small Business Guide to Phishing‑Resistant Authentication | 10 Nov 2025 | 00:32:36

In this episode of the Small Business Cybersecurity Guide, hosts Noel Bradford and Mauven MacLeod are joined by Mark Bell from Authentrend (episode sponsor) to explain why the mobile phone, long promoted as a convenient authentication tool, can be one of the weakest links in your business security.

Using real-world examples, including a recent breach of a 15-person firm that relied on SMS one-time passwords, the trio outlines how simple attacks, such as SIM swapping and code interception, make SMS and many authenticator app workflows vulnerable to targeted attackers.

The hosts define multi-factor authentication in plain terms and introduce FIDO2/passkeys and hardware security keys as effective, phishing-resistant alternatives. Mark describes how hardware keys utilise public-key cryptography and local biometric verification (fingerprint on the key), ensuring that private credentials never leave the device, thereby preventing attackers from reusing intercepted codes or tricking users into authenticating to fake sites.

Practical implementation advice is covered in detail: start with a risk assessment, deploy keys in phases (prioritise privileged accounts and executives), run a pilot with high-risk users, and require at least two keys per user for redundancy. They discuss costs (roughly £45 per key, with a 10-year lifespan), the productivity and help-desk savings from passwordless authentication, the effects on cyber insurance and compliance (including Cyber Essentials updates and the gap between compliance and proper protection), and strategies for legacy systems and remote workers.

The episode also highlights human factors, including making authentication easy to use (biometric keys), providing clear training and internal champions, and anticipating user resistance, which can be managed through leadership buy-in and phased rollouts.

Listeners are urged to assess their critical accounts, prioritise hardware keys for high-risk users, and run a small pilot rather than waiting for discounts — because, as the guests stress, hardware keys can stop roughly 80% of credential-based breaches in practice.

Guests and links: Noel Bradford and Mauven MacLeod (hosts), with guest Mark Bell from Authentrend

The show notes include links to Authentrend products, NCSC guidance on passkeys and FIDO2, and step-by-step implementation resources for small businesses.

November Patch Tuesday Storm: Zero‑Days, Exchange Exploits & WSUS Emergency | 11 Nov 2025 | 00:17:38

Graham Falkner delivers an authoritative deep dive into November 2025's Patch Tuesday updates, covering the most critical security vulnerabilities affecting businesses of all sizes. This month brings a perfect storm of actively exploited zero-days, critical Exchange Server flaws, and hundreds of patches across Microsoft, Adobe, Oracle, SAP, and third-party vendors. From Windows kernel exploits to e-commerce platform takeovers, November's vulnerability landscape demands immediate attention from IT teams.

Key Topics Covered

Microsoft Security Updates
  • 89 total vulnerabilities patched (12 critical, 4 zero-days)
  • CVE-2025-0445: Windows Kernel privilege escalation (actively exploited)
  • CVE-2025-0334: Chrome V8/Edge JavaScript engine RCE (actively exploited)
  • CVE-2025-0078: Exchange Server unauthenticated RCE (CRITICAL - affects Exchange 2016/2019/2022)
  • CVE-2025-1789: MSHTML remote code execution via Office documents
  • CVE-2025-59287: WSUS vulnerability (9.8 CVSS, actively exploited, required re-release)
  • 23 remote code execution vulnerabilities across Windows, Office, and developer tools
Adobe Security Updates
  • 35+ vulnerabilities patched across multiple products
  • CVE-2025-54236: Adobe Commerce/Magento input validation flaw (9.1 CVSS, actively exploited, Priority 1)
  • CVE-2025-49553: Adobe Connect XSS vulnerability (9.3 CVSS)
  • Patches for Illustrator, FrameMaker, Photoshop, InDesign, Animate, Bridge, Substance 3D
Oracle Critical Patch Update (October 2025)
  • 374 new security patches addressing ~260 unique CVEs
  • CVE-2025-61882: Oracle E-Business Suite zero-day (exploited by ransomware groups)
  • 73 patches for Oracle Communications (47 remotely exploitable without authentication)
  • 20 patches for Fusion Middleware (17 remote unauthenticated)
  • 18 fixes for MySQL
  • Updates for PeopleSoft, JD Edwards, Siebel, Oracle Commerce, Database Server
SAP Security Updates
  • 18 new security notes plus 1 updated note
  • CVE-2025-42890: SQL Anywhere Monitor hardcoded credentials (10.0 CVSS - PERFECT SCORE)
  • CVE-2025-42887: SAP Solution Manager code injection (9.9 CVSS)
  • CVE-2025-42944: NetWeaver Java insecure deserialisation (updated patch)
  • CVE-2025-42940: CommonCryptoLib memory corruption
Mozilla Firefox Updates
  • Firefox 145.0 released November 11th
  • 15 security vulnerabilities fixed (8 high impact)
  • New anti-fingerprinting measures halving trackable users
  • Memory safety and sandbox escape prevention
Apple Security Updates
  • iOS/iPadOS 17.1 and macOS 14.1 released
  • 100+ vulnerabilities patched across iPhones, iPads, Macs
  • Critical kernel and WebKit bugs fixed
  • Zero-click exploit prevention
Google Security Updates
  • Chrome 142 with 5 security bug fixes
  • Android November 2025 bulletin (patch level 2025-11-01)
  • CVE-2025-48593 and CVE-2025-48581 affecting Android 13-16
Third-Party Critical Vulnerabilities
  • WordPress Post SMTP plugin: CVE-2025-11833 (9.8 CVSS, actively exploited, 200,000+ sites affected)
  • WatchGuard Firebox: CVE-2025-9242 (critical out-of-bounds write, 75,000 devices exposed)
  • Cisco IOS/XE routers: CVE-2025-20352 (SNMP service, actively exploited for rootkit deployment)
Critical Action Items for Businesses
IMMEDIATE (Deploy Within 24-48 Hours)
  1. Microsoft Exchange Server - Apply CVE-2025-0078 patch or isolate internet-facing servers
  2. Adobe Commerce/Magento - Deploy CVE-2025-54236 hotfix immediately if running Magento
  3. Windows Kernel - Patch CVE-2025-0445 zero-day exploit
  4. Edge/Chrome - Update browsers to address CVE-2025-0334
  5. Oracle E-Business Suite - Verify CVE-2025-61882 patch deployed
  6. WordPress Post SMTP - Update to v3.6.1 or remove plugin
  7. Cisco routers - Apply CVE-2025-20352 patches and check for compromise
HIGH PRIORITY (Deploy Within 1 Week)
  1. SAP systems - Apply critical patches for CVE-2025-42890 and CVE-2025-42887
  2. WSUS servers - Verify CVE-2025-59287 patch installed correctly
  3. Adobe Connect - Update to version 12.10
  4. Firefox, Chrome, Edge - Deploy browser updates organisation-wide
  5. Android devices - Deploy November 2025 security bulletin
  6. WatchGuard Firebox - Apply CVE-2025-9242 patch
STANDARD PRIORITY (Deploy Within 2-4 Weeks)
  1. All other Microsoft patches - Complete Windows and Office updates
  2. Adobe Creative Suite - Update Illustrator, Photoshop, InDesign, etc.
  3. Oracle - Complete October CPU deployment across all Oracle products
  4. SAP - Apply remaining security notes across SAP landscape
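The three tiers above can be applied mechanically as a first pass over a vulnerability list. The script below is an added example, not material from the episode or the podcast, and it encodes the tiers as stated: anything actively exploited, or critical and internet-facing, lands in the 24-48 hour window; other critical items get a week; everything else gets the 2-4 week window. The sample findings are a constructed subset of the CVEs in these notes; the internet_facing flags and the small KEV set are assumptions about a hypothetical estate, not facts the vendor bulletins state. The hand-built lists above were judged case by case (the October WSUS fix, for instance, sits under verification rather than fresh deployment), so where they disagree with the script's output the list wins; the script earns its keep on the long tail summarised above as "all other patches".

```python
"""Mechanical first-pass patch triage using the three deployment tiers above.

Rules applied, in order:
  1. actively exploited (vendor says so, or listed in CISA KEV)  -> IMMEDIATE (24-48 h)
  2. critical rating and the asset is internet-facing            -> IMMEDIATE
  3. critical rating (vendor word "Critical" or CVSS >= 9.0)     -> HIGH (1 week)
  4. everything else                                             -> STANDARD (2-4 weeks)
"""
from dataclasses import dataclass, replace
from datetime import date, timedelta
from typing import Optional

IMMEDIATE, HIGH, STANDARD = "IMMEDIATE", "HIGH", "STANDARD"
SLA_DAYS = {IMMEDIATE: 2, HIGH: 7, STANDARD: 28}   # outer bound of each window above
TIER_ORDER = {IMMEDIATE: 0, HIGH: 1, STANDARD: 2}


@dataclass(frozen=True)
class Finding:
    cve: str
    vendor: str
    product: str
    severity: str                   # vendor word rating: "Critical", "High", ...
    cvss: Optional[float] = None    # None when the bulletin gives only the word rating
    exploited: bool = False         # vendor bulletin says actively exploited
    internet_facing: bool = False   # ASSUMPTION: comes from your asset inventory, not the bulletin


def is_critical(f: Finding) -> bool:
    """Critical if the vendor says so or the CVSS base score is 9.0 or above."""
    return f.severity.strip().lower() == "critical" or (f.cvss is not None and f.cvss >= 9.0)


def tier(f: Finding) -> str:
    """Apply the four rules in the module docstring and return the tier name."""
    if f.exploited:
        return IMMEDIATE
    if is_critical(f):
        return IMMEDIATE if f.internet_facing else HIGH
    return STANDARD


def mark_exploited(findings, kev_ids):
    """Flag any finding whose CVE ID appears in a KEV catalogue (kev_ids is a set of IDs)."""
    return [replace(f, exploited=True) if f.cve in kev_ids else f for f in findings]


def schedule(findings, start):
    """Return (tier, due date, finding) tuples, most urgent first; higher CVSS first within a tier."""
    rows = [(tier(f), start + timedelta(days=SLA_DAYS[tier(f)]), f) for f in findings]
    rows.sort(key=lambda r: (TIER_ORDER[r[0]], -(r[2].cvss or 0.0), r[2].cve))
    return rows


# Constructed sample drawn from the quick-reference table in these notes. The
# internet_facing flags describe a hypothetical estate and are assumptions.
SAMPLE = [
    Finding("CVE-2025-0445", "Microsoft", "Windows Kernel", "Critical", exploited=True),
    Finding("CVE-2025-0078", "Microsoft", "Exchange Server", "Critical", internet_facing=True),
    Finding("CVE-2025-1789", "Microsoft", "MSHTML", "Critical"),
    Finding("CVE-2025-54236", "Adobe", "Commerce/Magento", "Critical", 9.1,
            exploited=True, internet_facing=True),
    Finding("CVE-2025-49553", "Adobe", "Adobe Connect", "Critical", 9.3),
    Finding("CVE-2025-42890", "SAP", "SQL Anywhere Monitor", "Critical", 10.0),
    Finding("CVE-2025-20352", "Cisco", "IOS/XE SNMP", "High", exploited=True, internet_facing=True),
    Finding("CVE-2025-11833", "WordPress", "Post SMTP plugin", "Critical", 9.8, internet_facing=True),
]
# Constructed KEV subset: the Post SMTP bug is left unflagged in SAMPLE so the KEV pass has
# something to catch (its exploitation is stated in the notes above).
SAMPLE_KEV = {"CVE-2025-11833"}


if __name__ == "__main__":
    for t, due, f in schedule(mark_exploited(SAMPLE, SAMPLE_KEV), date(2025, 11, 12)):
        print(f"{t:<9} due {due}  {f.cve:<16} {f.vendor:<10} {f.product}")
```

Run it as-is to see the ordered schedule for the sample. For real use, the CISA Known Exploited Vulnerabilities catalogue linked below is published as JSON; the set of its `cveID` values is what `mark_exploited` expects, and your own asset inventory is where the `internet_facing` flag should come from.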
CVE Quick Reference

CVE ID           Vendor      Severity         Status               Product
CVE-2025-0445    Microsoft   Critical         Actively Exploited   Windows Kernel
CVE-2025-0334    Microsoft   Critical         Actively Exploited   Edge/Chrome V8
CVE-2025-0078    Microsoft   Critical         Not Exploited Yet    Exchange Server
CVE-2025-1789    Microsoft   Critical         Not Exploited Yet    MSHTML
CVE-2025-59287   Microsoft   Critical (9.8)   Actively Exploited   WSUS
CVE-2025-54236   Adobe       Critical (9.1)   Actively Exploited   Magento/Commerce
CVE-2025-49553   Adobe       Critical (9.3)   Not Exploited Yet    Adobe Connect
CVE-2025-61882   Oracle      Critical         Actively Exploited   E-Business Suite
CVE-2025-42890   SAP         Critical (10.0)  Not Exploited Yet    SQL Anywhere Monitor
CVE-2025-42887   SAP         Critical (9.9)   Not Exploited Yet    Solution Manager
CVE-2025-11833   WordPress   Critical (9.8)   Actively Exploited   Post SMTP Plugin
CVE-2025-20352   Cisco       High             Actively Exploited   IOS/XE SNMP
CVE-2025-9242    WatchGuard  Critical         Not Exploited Yet    Firebox Firewalls

Resources & Links
Vendor Security Bulletins
  • Microsoft Security Update Guide: https://msrc.microsoft.com/update-guide
  • Adobe Security Bulletins: https://helpx.adobe.com/security.html
  • Oracle Critical Patch Updates: https://www.oracle.com/security-alerts/
  • SAP Security Notes: https://support.sap.com/securitynotes
  • Mozilla Security Advisories: https://www.mozilla.org/security/advisories/
  • CISA Known Exploited Vulnerabilities: https://www.cisa.gov/known-exploited-vulnerabilities-catalog
Patch Tuesday Resources
  • Microsoft Tech Community: https://techcommunity.microsoft.com/
  • Patch Tuesday Dashboard: https://patchtuesdaydashboard.com/
  • Security Week Patch Tuesday Coverage: https://www.securityweek.com/
Small Business Cybersecurity Resources
  • Blog: https://thesmallbusinesscybersecurityguy.co.uk
  • NCSC Small Business Guide: https://www.ncsc.gov.uk/smallbusiness
  • Cyber Essentials: https://www.ncsc.gov.uk/cyberessentials
Key Statistics
  • 89 Microsoft vulnerabilities patched
  • 4 actively exploited zero-days (Microsoft)
  • 23 remote code execution flaws (Microsoft)
  • 35+ Adobe vulnerabilities fixed
  • 374 Oracle security patches
  • 18 SAP security notes
  • 200,000+ WordPress sites affected by Post SMTP bug
  • 75,000 WatchGuard devices exposed online
Narrator

Graham Falkner brings his distinctive voice to The Small Business Cyber Security Guy Podcast's research segments. With a background as a former movie trailer narrator and Shakespearean actor, Graham delivers technical security information with gravitas and authority, providing the factual foundation for Noel and Mauven's practical discussions.

About The Small Business Cyber Security Guy Podcast

The Small Business Cyber Security Guy Podcast translates enterprise-grade cybersecurity into practical, affordable solutions for small and medium businesses. Hosted by Noel Bradford (40+ years IT/cybersecurity veteran) and Mauven MacLeod (ex-NCSC government analyst), the show combines deep technical expertise with authentic British humour to make cybersecurity accessible, actionable, and entertaining.

Target Audience: UK small businesses (5-50 employees) who need practical cybersecurity advice within real-world budget and resource constraints.

Connect With Us
  • Website: https://thesmallbusinesscybersecurityguy.co.uk
  • Subscribe: Available on Apple Podcasts, Spotify, and all major podcast platforms
  • Social Media: Follow us on LinkedIn for daily cybersecurity insights
  • Contact: hello@thesmallbusinesscybersecurityguy.co.uk


Help us spread the word about practical cybersecurity for small businesses:

  • ⭐ Subscribe to never miss an episode
  • ⭐ Leave a review on Apple Podcasts or Spotify
  • ⭐ Share this episode with other business owners who need to hear this
  • ⭐ Comment below with topics you'd like us to cover next
  • ⭐ Visit the blog at thesmallbusinesscybersecurityguy.co.uk for written guides and resources
Disclaimer

This podcast provides educational information about cybersecurity topics. While we strive for accuracy, the threat landscape changes rapidly. Information is current as of November 2025 but may become outdated. Always verify patch information with official vendor sources and test updates in your specific environment before deployment. The hosts are not liable for any actions taken based on this information. Always implement cybersecurity measures appropriate to your business needs and risk profile.

Next Episode

Stay tuned for our next episode where Noel and Mauven discuss practical patch management strategies for small businesses, including how to prioritise updates when you can't deploy everything immediately.

Episode Length: 10-11 minutes

Difficulty Level: Intermediate to Advanced

Best For: IT managers, business owners, MSP clients, anyone responsible for patching

The Small Business Cyber Security Guy Podcast - Making Enterprise Cybersecurity Practical for Small Businesses

Big Brother Is Watching Your VPN — The Online Safety Act Unpacked11 Nov 202500:18:41
The Spy Who Monitored Me - Ofcom's VPN Surveillance Farce

Episode Information

Episode Title: The Spy Who Monitored Me: Ofcom's VPN Surveillance Farce

Episode Number: Hot Take

Release Date: 11 November 2025

Duration: Approximately 18 minutes

Hosts: Mauven MacLeod & Graham Falkner

Format: Research segment with heavy sarcasm

Episode Description

Ofcom's monitoring VPNs with a secret AI tool they refuse to name. Because nothing says "liberal democracy" quite like government surveillance of privacy tools.

In this punchy episode, Mauven and Graham dissect TechRadar's exclusive revelation that Ofcom is using an unnamed third-party AI monitoring system to track VPN usage following the Online Safety Act. With 1.5 million daily users allegedly bypassing age verification, the UK's communications regulator has decided the solution is... monitoring everyone.

Spoiler alert: the technology can't distinguish between your accounting manager accessing company systems and someone bypassing age checks. But why let technical limitations get in the way of a good surveillance programme?

We examine the mysterious, unnamed AI tool, the questionable 1.5 million user statistic that appears nowhere in official documents, Section 121's encryption-breaking powers that remain dormant in the Act, and what this means for small businesses using VPNs for legitimate security purposes.

If you've ever wondered what it's like when a supposedly liberal democracy starts copying China's approach to internet regulation, this episode is your depressing guide.

Key Topics Covered
The Surveillance Revelation
  • Ofcom confirms use of unnamed third-party AI monitoring tool
  • TechRadar exclusive: "We use a leading third-party provider" with zero transparency
  • Government surveillance of privacy tools sets a dangerous precedent
  • Comparison to authoritarian regimes (China, Russia, UAE, Iran)
The Numbers That Don't Add Up
  • 1.5 million daily VPN users claim appears nowhere in official Ofcom documents
  • No published methodology or verification
  • VPN detection cannot determine the intent or legitimacy of use
  • Analytics show VPN use is lower in countries with greater online freedom
What Actually Happened on July 25th
  • The UK Online Safety Act child safety duties became fully enforceable
  • Mandatory "highly effective age assurance" replaced simple checkbox verification
  • Proton VPN: 1,400% surge in UK signups within hours
  • NordVPN: 1,000% increase in downloads
  • ProtonVPN beat ChatGPT to become the #1 free app on Apple UK App Store
The Small Business Nightmare
  • Business VPNs are essential security hygiene for remote work
  • Ofcom's monitoring cannot distinguish legitimate business use from circumvention
  • Undisclosed data collection creates unknowable privacy risks
  • GDPR compliance implications when the government monitors your security tools
Section 121: The Spy Clause
  • Powers to require client-side scanning of encrypted communications
  • Government promises not to use "until technically feasible"
  • Cryptography experts: impossible without destroying encryption
  • Apple shelved similar plans in 2021
  • Signal and WhatsApp threatened to leave the UK market
The Authoritarian Playbook in Action
  • Scope creep within days: blocking parliamentary speeches, news coverage, forums
  • A cycling forum shut down due to compliance costs
  • Small platforms are closing rather than face a compliance nightmare
  • Chilling effect on legitimate content and discussion
International Surveillance Creep
  • 25 US states passed similar age verification laws
  • EU debating Chat Control (mandatory encrypted message scanning)
  • Australia is implementing age verification for search engines
  • Legislative arms race using "protecting children" as a universal justification
What Small Business Owners Must Do
  • Document all VPN usage for legitimate business purposes
  • Maintain VPN security protocols despite surveillance theatre
  • Get legal advice if operating any platform with user-generated content
  • Fines up to £18 million or 10% of global revenue
  • Criminal liability for senior managers
The GDPR Compliance Paradox
  • How do you assess data protection risks from secret surveillance tools?
  • Opacity makes compliance verification impossible
  • Government monitoring creates unassessable risks to customer data


Resources & Links Mentioned
Primary Source
  • TechRadar exclusive on Ofcom's use of a third-party AI VPN monitoring tool
Key Organizations Quoted
  • Open Rights Group - James Baker's comments on surveillance precedent
  • Check Point Software - Graeme Stewart's comparison to China, Russia, and Iran
Government Resources
  • Online Safety Act 2023 - UK Government legislation
  • Ofcom Online Safety Guidance - Hundreds of pages of vague compliance requirements
  • Section 121 - Client-side scanning provisions ("spy clause")
VPN Statistics Sources
  • Proton VPN: 1,400% surge report
  • NordVPN: 1,000% increase report
  • Apple UK App Store rankings: July 25-27, 2025
Related Coverage
  • Petition to Repeal Online Safety Act: 550,000+ signatures
  • Peter Kyle (UK Technology Secretary) statement on critics
  • Parliamentary debate triggered by petition threshold
Additional Reading
  • GDPR compliance implications of government surveillance
  • Cryptography expert analysis of client-side scanning
  • Apple's 2021 decision to shelve client-side scanning plans
  • Signal and WhatsApp statements on Section 121
Key Quotes from Episode

Mauven: "Nothing says 'liberal democracy' quite like government agencies tracking privacy tools. What's next, monitoring who buys curtains?"

Graham: "Train its models. That's AI speak for 'we're hoovering up data and hoping the algorithm figures it out.' As a former actor, I can recognise corporate theatre when I see it."

Mauven: "The 1.5 million number appears exclusively in media reports citing 'Ofcom estimates.' It's like citing your mate Dave as a source on quantum physics."

Graham: "So Ofcom creates a law that makes people deeply uncomfortable about their privacy, people respond by protecting their privacy, and Ofcom's solution is to monitor those privacy tools? It's like putting cameras in the changing rooms to make sure people aren't being indecent."

Mauven: "James Baker from the Open Rights Group nailed it when he told TechRadar that VPN monitoring sets 'a concerning precedent more often associated with repressive governments than liberal democracies.'"

Graham: "Peter Kyle, the UK Technology Secretary, literally said critics of the Online Safety Act are 'on the side of predators.' That's not policy debate. That's emotional blackmail designed to shut down legitimate concerns about civil liberties."

Mauven: "George Orwell is looking at this thinking 'bit on the nose, isn't it?'"

Action Items for Small Business Owners
Immediate Actions
  1. Document VPN Usage

    • List which employees use VPNs
    • Document business purposes for encrypted connections
    • Maintain evidence of legitimate use for potential regulatory action
  2. Maintain Security Protocols

    • Continue using VPNs for remote work security
    • Don't let surveillance theatre compromise actual cybersecurity
    • Protect against real threats (ransomware, phishing, etc.)
  3. Assess Platform Compliance

    • If you operate any online platform, forum, or user-generated content site
    • Get legal advice immediately
    • Understand massive fines (£18m or 10% global revenue) and criminal liability.
Ongoing Monitoring
  1. Stay Informed

    • Section 121 could be activated at any time
    • EU Chat Control could affect European operations
    • US state laws are proliferating rapidly
    • Monitor regulatory developments actively
  2. Engage Politically

    • Contact your MP about the surveillance of privacy tools
    • Reference the 550,000+ signature petition
    • Make it clear that this is unacceptable in a democracy
    • Push back before surveillance becomes normalised
  3. GDPR Compliance Review

    • Assess how government VPN monitoring affects data protection obligations
    • Document that opacity makes risk assessment impossible
    • Consult legal counsel on compliance implications
Visual Elements (for YouTube/Video)
  • Screenshot: TechRadar exclusive article headline
  • On-screen text: "1.5 million daily VPN users" with question mark
  • Comparison graphic: VPN use in free vs. authoritarian countries
  • Timeline graphic: July 25th enforcement → VPN surge → Ofcom monitoring
  • Text overlay: Section 121 "spy clause" powers
  • Map graphic: International surveillance legislation spread (UK, US, EU, Australia)
  • Infographic: Small business action checklist
Key Themes
  • Government surveillance of privacy tools in supposed liberal democracy
  • Technical limitations make monitoring ineffective at stated purpose
  • Scope creep from child protection to political content blocking within days
  • Small business caught in surveillance net designed for age verification
  • International trend toward authoritarian internet regulation models
  • GDPR compliance paradox when government creates unknowable privacy risks
  • Practical cybersecurity must continue despite surveillance theatre
  • Political engagement essential before normalization occurs
Tone & Style Notes
  • Heavy sarcasm throughout - serious WTF tone without profanity
  • Incredulous questioning of government logic and transparency
  • Dark humour about dystopian surveillance implications
  • Technical precision in explaining what monitoring can/cannot do
  • Practical focus on small business implications
  • Political urgency without becoming preachy
  • Professional skepticism balanced with actionable guidance
CTAs (Calls to Action)
Primary CTAs
  1. Subscribe wherever you get your podcasts
  2. Share with other small business owners who need this information
  3. Leave a review if you found this episode useful (or terrifying)
  4. Visit the blog at thesmallbusinesscybersecurityguy.co.uk for full breakdown with sources
Secondary CTAs
  1. Drop a comment with questions about VPN security or regulatory compliance
  2. Contact your MP about surveillance of privacy tools
  3. Sign the petition to repeal the Online Safety Act (if not already done)
  4. Document your VPN usage for legitimate business purposes starting today
Social Media Hashtags
  • #OnlineSafetyAct
  • #VPNSurveillance
  • #CyberSecurity
  • #SmallBusinessSecurity
  • #DigitalPrivacy
  • #GDPR
  • #UKTech
  • #Section121
Next Episode Setup

[To be determined based on episode schedule]

Potential follow-ups:

  • Deep dive on Section 121 and encryption threats
  • GDPR compliance strategies in surveillance environment
  • International comparison: UK vs. other countries' approaches
  • Interview with digital rights expert on fighting surveillance creep
  • Practical VPN selection and configuration for small businesses
Production Notes
Technical Specifications
  • Duration: Approximately 18 minutes
  • Word Count: 1,847 words
  • Format: Two-host conversation (Mauven & Graham)
  • Tone: Punchy, sarcastic, serious WTF energy
  • Language: UK spelling and grammar throughout
  • Profanity: None (despite heavy sarcasm)
Research Verification
  • All statistics verified against multiple sources
  • TechRadar article quotes confirmed accurate
  • Government legislation references checked
  • VPN provider surge numbers from official company statements
  • Expert quotes verified from named sources
  • No unverified claims included
Character Dynamics
  • Mauven MacLeod: Ex-NCSC analyst, brings government cybersecurity expertise
  • Graham Falkner: Former actor/narrator, handles research segments
  • Natural professional banter with pub conversation energy
  • Shared incredulity at government surveillance overreach
  • Complementary expertise: technical precision + narrative delivery
Content Strategy
  • Small business cybersecurity focus maintained throughout
  • Practical implications prioritized over abstract privacy philosophy
  • Action items clear and immediately implementable
  • Balances outrage with constructive guidance
  • Positions podcast as authoritative voice on UK cybersecurity policy
SEO Keywords
  • Ofcom VPN monitoring
  • Online Safety Act surveillance
  • UK VPN usage 2025
  • Business VPN security
  • Section 121 encryption
  • Small business cybersecurity UK
  • GDPR VPN compliance
  • Government VPN tracking
  • Age verification VPN
  • UK internet surveillance
Related Episodes

[To be linked as series develops]

Potential related content:

  • Online Safety Act initial coverage (if previously covered)
  • GDPR compliance series
  • VPN security best practices
  • Encryption fundamentals
  • Remote work security
Episode Tags

Topics: VPN Surveillance, Online Safety Act, Ofcom, Government Monitoring, Privacy, Encryption, Section 121, Age Verification, GDPR, Small Business Security

Category: Technology, Cybersecurity, Privacy, Government Policy, Business

Difficulty Level: Intermediate (technical concepts explained accessibly)

Target Audience: Small business owners (5-50 employees), IT managers, privacy advocates, UK businesses

Geographic Focus: United Kingdom (with international context)

Credits

Hosts: Mauven MacLeod, Graham Falkner

Research: Advanced web research on Ofcom VPN monitoring

Script: Based on TechRadar exclusive and verified sources

Production: Graham Falkner

Music: The Small Business Cyber Security Guy

Disclaimer

This podcast episode provides commentary and analysis on publicly reported information about UK government surveillance policies. Nothing in this episode constitutes legal advice. Small business owners should consult qualified legal counsel regarding compliance with the Online Safety Act and related regulations. The opinions expressed are those of the hosts and do not represent legal or professional advice.

All statistics and quotes have been verified against multiple sources and represent information available as of the episode recording date. The regulatory landscape continues to evolve rapidly.

Blog Post Companion

Full written breakdown available at: thesmallbusinesscybersecurityguy.co.uk

Blog post should include:

  • Complete source list with hyperlinks
  • Detailed analysis of Section 121 implications
  • Step-by-step VPN documentation guide for businesses
  • GDPR compliance checklist
  • Template for MP correspondence
  • Updated information on the petition and parliamentary response
  • International comparison chart
  • Technical explainer: How VPN detection works (and doesn't work)
  • Additional expert commentary
  • Community discussion forum

Last Updated: [Date] Version: 1.0 Status: Ready for production

When Ransomware Kills: Should Directors Face Prison for Cyber Negligence?17 Nov 202500:42:13

What happens when business negligence causes serious harm to thousands of people? If a faulty ladder injures someone, directors face prison time. If forty million people have their data stolen due to poor security, they receive a strongly worded letter.

In this provocative first episode of our two-part series, Noel and Mauven examine the shocking disparity between health and safety enforcement and cybersecurity regulation in the UK. We compare the HSE's tough approach (prison sentences, director liability, millions in fines) with the ICO's gentle touch (guidance, occasional fines, zero criminal consequences).

With 40 million voter records compromised at the Electoral Commission resulting in just a formal reprimand, whilst construction directors regularly face 18-month prison sentences for single workplace accidents, we ask the uncomfortable question: why is cybersecurity enforcement essentially performative?

This isn't anti-business rhetoric. This is an evidence-based examination of a broken system that fails to protect either businesses or the public, presented through statistics, case studies, and historical precedent, which demonstrates that personal accountability is effective.

What You'll Learn
The Two Regulators: A Tale of Vastly Different Consequences
  • Why directors prosecuted by the HSE face up to 2 years' imprisonment, whilst the ICO never imposes criminal penalties
  • How HSE issued 13,424 enforcement notices and 399 prosecutions in 2023-24
  • Why the ICO issued just £2.7 million in total UK fines, whilst EU regulators issued over £1 billion
  • The legal frameworks that create this enforcement gap
The Public-Private Accountability Divide
  • Electoral Commission breach: 40 million records compromised, 14 months of hostile state access, consequence: formal reprimand
  • Construction site failures: single injuries lead to prison sentences and director disqualifications
  • Why government organisations face minimal consequences for security failures
  • The message this sends about who matters and who doesn't
Historical Context: How HSE Transformed Workplace Safety
  • 85% reduction in workplace fatalities since the Health and Safety at Work Act 1974
  • How personal criminal liability changed director behaviour overnight
  • The construction industry transformation from dangerous to safety-conscious
  • Evidence that accountability actually works when properly enforced
Arguments Against Director Liability (And Why They Fail)
  • "Security is too complex for criminal standards" - why this doesn't hold up
  • "Small businesses can't afford proper security" - HSE already handles proportionate enforcement
  • "Innovation will suffer" - data showing the opposite effect in the safety sector
  • "Current system works fine" - statistics proving it demonstrably doesn't
The Current State of Inertia
  • Why ICO enforcement focuses on "guidance and support" over punishment
  • Political pressure keeps cybersecurity consequences minimal
  • Business lobby resistance to accountability measures
  • The broken incentive structure that rewards negligence
Key Statistics Referenced
  • HSE Enforcement 2023-24:

    • 13,424 enforcement notices issued
    • 399 prosecutions brought
    • £73.8 million in fines
    • Regular prison sentences (average 12-18 months for serious breaches)
  • ICO Enforcement 2023-24:

    • £2.7 million total fines across all UK GDPR violations
    • Zero prison sentences imposed
    • Zero director disqualifications
    • Focus on "guidance and support" over punishment
  • Electoral Commission Breach:

    • 40 million UK voter records compromised
    • The hostile state actor maintained access for 14 months
    • Basic security failures: poor patching, weak passwords, inadequate monitoring
    • Consequence: Formal reprimand only
  • Impact Statistics:

    • 85% reduction in workplace fatalities since the Health and Safety at Work Act 1974
    • EU regulators issued over £1 billion in GDPR fines (vs the UK's £2.7 million)
    • Keymark Construction director: 18 months' prison for fatal fall (2023)
Notable Cases Discussed
Health and Safety Enforcement
  • Keymark Construction (2023): Director sentenced to 18 months imprisonment following fatal fall due to inadequate safety measures
  • Corporate Manslaughter Act 2007: Multiple organisations convicted when management failures caused death
Cybersecurity Non-Enforcement
  • Electoral Commission (2023-24): 40 million voter records compromised by hostile state actor, 14 months of system access, consequence was formal reprimand with no financial penalty or personal liability
  • British Airways GDPR Fine: Initially £183 million, reduced to £20 million, no director consequences despite preventable security failures
Why This Matters for Small Businesses

This isn't about attacking business owners. It's about exposing a system that fails everyone:

  • Honest businesses suffer when competitors cut security corners without consequences
  • Directors lack incentive to invest in security when breaches only result in fines the company pays
  • Small businesses become collateral damage when larger organisations treat security as optional
  • The current approach demonstrably doesn't work - breaches increase year on year despite ICO "guidance"

Understanding this enforcement gap helps you see why cybersecurity culture hasn't undergone the same transformation as workplace safety culture. Part 2 will explore what accountability with teeth would actually look like, and how to protect SMEs whilst implementing it.

Resources Mentioned
  • HSE Annual Report 2023-24: Full enforcement statistics and prosecution details
  • ICO Enforcement Data: Annual reports showing UK GDPR fine totals
  • Health and Safety at Work Act 1974: Foundation legislation that transformed UK workplace safety
  • Corporate Manslaughter and Corporate Homicide Act 2007: Criminal liability framework for organisations
  • Electoral Commission Breach Report: Technical details of 14-month compromise
  • EU GDPR Enforcement Tracker: Comparison of UK vs European enforcement approaches
Hosts

Noel Bradford 40+ years in IT/Cybersecurity across enterprise and SMB sectors. Former Intel, Disney, BBC. Current CIO/Head of Technology for boutique security-first MSP. Brings enterprise-level knowledge to small business constraints.

Mauven MacLeod Ex-NCSC Government Cybersecurity Analyst with deep threat intelligence expertise. Glasgow-based security professional who translates complex government-level security concepts into practical SMB advice.

Coming in Part 2

"What If Cyber Had Corporate Manslaughter? The Case for Personal Liability"

We'll explore:

  • Specific legislative framework for "Corporate Cyber Manslaughter"
  • SME protection mechanisms (proportionate thresholds)
  • How other countries successfully implement director liability
  • Expected cultural transformations
  • Practical compliance guidance
  • What "reasonable care" actually means for small businesses
Take Action
  1. Share Your Thoughts: Should directors face criminal liability for gross cybersecurity negligence? Comment on our website or social media.

  2. Prepare for Part 2: Start thinking about what security measures you currently have in place. Could you demonstrate "reasonable care" if asked?

  3. Review Your Security: Whilst we wait for better enforcement, don't wait to improve your security. Free resources available from NCSC.

  4. Subscribe: Make sure you don't miss Part 2, where we build the case for what enforcement with teeth would actually look like.

  5. Forward This Episode: Every business owner needs to understand why the current system fails them.

Episode Details

Runtime: 42 minutes

Release Date: November 17th 2025

Series: Part 1 of 2

Category: Cybersecurity, Business, Technology, Policy

Content Warning: Discussion of regulatory failures, system criticism, and calls for significant policy change. Evidence-based but provocative examination of current enforcement approaches.

Connect With Us

Website: thesmallbusinesscybersecurityguy.co.uk

LinkedIn: [The Small Business Cyber Security Guy]

Email: hello@thesmallbusinesscybersecurityguy.co.uk

Tags

#Cybersecurity #SmallBusiness #UKBusiness #DataProtection #ICO #HSE #RegulatoryEnforcement #DirectorLiability #GDPR #BusinessSecurity #CyberAccountability #SecurityPolicy #UKRegulation #DataBreach #ElectoralCommission #CorporateManslaughter #BusinessCompliance #CyberGovernance #SecurityLeadership #RiskManagement

Transcript

Full episode transcript available on our website at thesmallbusinesscybersecurityguy.co.uk

Support the Show

If this episode opened your eyes to the enforcement gap, please:

  • Leave a 5-star review on Apple Podcasts
  • Share with business owners in your network
  • Follow us on LinkedIn for ongoing discussion
  • Subscribe to ensure you catch Part 2

Next Episode: Part 2 - What If Cyber Had Corporate Manslaughter?

All Episodes: thesmallbusinesscybersecurityguy.co.uk/podcasts

The Small Business Cybersecurity Guy Podcast offers practical, actionable cybersecurity advice for UK small businesses. We translate enterprise-grade security into affordable, implementable solutions for businesses with 5-50 employees.

Disclaimer: This podcast provides general information and discussion about cybersecurity and business topics. This is not intended as legal, regulatory, or professional advice. Listeners should consult qualified professionals for personalised guidance tailored to their specific circumstances.

© 2025 The Small Business Cyber Security Guy. All rights reserved.

Prison for Negligent Directors? Rebooting UK Cyber Enforcement24 Nov 202500:37:13

In this provocative second instalment of the accountability series, hosts Noel Bradford and Mauven MacLeod lay out a detailed proposal for a UK cybersecurity enforcement regime that balances protection for small businesses with personal liability for negligent directors. They compare the current weak regulatory approach to the Health and Safety Executive model, cite international evidence from Singapore, and explore why criminal consequences — up to fines, disqualification and, in extreme cases, prison — might be necessary to change boardroom behaviour.

The episode explains a three-tier framework: Tier 1 (micro and small businesses) protected by Cyber Essentials and criminal liability only for gross negligence; Tier 2 (25–250 employees) required to follow industry-reasonable practice with qualified oversight and documented policies; and Tier 3 (large organisations and public sector) held to the highest standards (ISO/SOC) with lower thresholds for prosecution. The hosts walk through concrete, measurable standards, outcome-based testing, and safe-harbour defences for businesses that engage accredited advisors.

Key technical and organisational measures discussed include Cyber Essentials, MFA, patching and backups, incident response plans, staff training, qualified security oversight (fractional CISOs or accredited MSPs), and government-approved lists of assessors. The episode stresses practical testing — inspectors verifying controls actually work — to prevent compliance theatre and ensure certificates match reality.

Noel and Mauven outline a phased five-year implementation pathway: publication and guidance, data collection and mandatory reporting, staged enforcement beginning with large organisations, then medium businesses, and finally full enforcement — all accompanied by funded support programs, subsidies, and free advisory services to help firms comply.

Costs, benefits and market effects are examined: basic Tier 1 protections are framed as affordable (Cyber Essentials, free MFA), while stronger governance yields lower insurance premiums, preferential procurement, and overall reduced breach costs. The hosts discuss the need to upskill the ICO into a technically capable enforcement agency, political and industry pushback, and international alignment with EU, Singapore and Australia precedents.

The episode closes with a call to action for listeners: implement the basics now (Cyber Essentials, MFA, updates), pressure MPs and industry bodies for proportionate enforcement, and spread the conversation. Expect debates about proportionality, false positives, and safeguarding SMEs, but the central case is clear: a calibrated, evidence-based accountability regime could dramatically reduce breaches and force cybersecurity into the boardroom.

The Printer Is Watching: How Your Office Gear Is the Biggest Cyber Threat | 08 Dec 2025 | 00:36:53

For our 30th episode, we're tackling the cybersecurity blind spot that almost no one discusses but everyone should worry about. You've secured your laptops. You've rolled out multi-factor authentication. Your firewall is properly configured. But what about that office printer quietly storing every contract and payslip you've printed this year on a hard drive nobody ever wipes, with a password an attacker can guess in three tries?

This episode reveals the uncomfortable truth about Internet of Things (IoT) devices in your business. We're talking about printers, CCTV systems, smart thermostats, networked door locks, and every other "smart" device you've stopped thinking about as a computer. These forgotten devices are giving attackers a free pass into networks that are otherwise properly secured.

We share a real case study from our recent emails about a marketing agency that spent £15,000 on security, passed their audit with flying colours, and still got breached through their office printer. This isn't theoretical paranoia. This is happening right now to businesses that think they've got security sorted.

What You'll Learn
  • Why your office printer is possibly the biggest security risk in your building
  • How default passwords on "forgotten" devices create easy access points for attackers
  • The real story of a £15,000 security investment defeated by a £300 printer
  • What network segmentation actually means and why it matters for small businesses
  • How to create and maintain an accurate device inventory
  • Practical steps to secure IoT devices without enterprise budgets
  • Why your CCTV system might be livestreaming to the internet right now
  • How smart thermostats become backdoors into your network
Key Topics Covered

The Forgotten Device Problem

Modern offices are full of computers disguised as other things. Every printer, every CCTV camera, every smart thermostat, and every networked door lock is actually a computer connected to your network. Most businesses secure their obvious computers whilst completely forgetting about these devices, creating perfect entry points for attackers who aren't bothering with sophisticated social engineering when they can just log in with "admin/admin".

Real Case Study: The £15,000 Security Investment Defeated by a Printer

A 30-person marketing agency listened to our ransomware and authentication episodes, then invested £15,000 in proper security: new firewalls, endpoint protection, hardware authentication keys for every staff member, and a security audit that came back clean. Two months later, they discovered someone had been accessing their client files for weeks through their HP printer that still used factory default credentials. The printer had full network access and stored copies of everything printed. Nobody had changed the password. Nobody had checked it during the audit. Nobody even thought about it.

Default Credentials: The Epidemic Nobody Discusses

Attackers maintain databases of default passwords for thousands of devices. They don't need to crack complex passwords when they can try "admin/admin" or "admin/password" and gain access to printers, cameras, or thermostats within seconds. These devices often ship with administrative interfaces accessible from the network, and most businesses never change the defaults because they don't think of these devices as security concerns.

Network Segmentation Explained (Without Enterprise Complexity)

Network segmentation sounds enterprise-level complicated, but the basic concept is simple: not everything on your network should be able to access everything else. Your printer doesn't need access to your accounting server. Your CCTV system doesn't need to reach your customer database. Creating separate network zones for different device types means a compromised printer can't become a stepping stone to your sensitive data.

The Device Inventory Challenge

Most small businesses have no accurate list of what's actually connected to their network. They know about the laptops and servers but often forget about the smart coffee machine someone plugged in last year, the wireless access points in the meeting rooms, or the networked thermostat the facilities team installed. Without knowing what's connected, you can't secure it. We discuss practical methods for discovering and documenting every device on your network.

Practical IoT Security Steps

We break down actionable steps that don't require enterprise budgets or dedicated security teams. This includes conducting device audits, changing default passwords, implementing basic network segmentation, regular firmware updates, and creating ownership responsibility for every connected device. The goal is proportionate security that's actually achievable for small businesses.

Key Takeaways
  1. Every connected device is a computer. If it has an IP address, it's a potential security risk that needs management and protection.
  2. Default passwords are attackers' best friends. The first thing to do with any new device is change the administrative password. Never assume factory defaults are acceptable.
  3. Network segmentation isn't optional anymore. IoT devices should be isolated from your main business network, even if that means starting with basic VLAN separation.
  4. Device inventory is fundamental. You can't secure what you don't know exists. Conduct regular network scans to discover forgotten devices.
  5. Ownership matters. Every device needs someone responsible for its security. Don't let devices become "nobody's problem" because that's when they become everyone's problem.
  6. Security audits miss IoT devices. Standard security assessments often focus on servers and workstations whilst completely overlooking printers, cameras, and other IoT equipment.
  7. Firmware updates apply to everything. IoT devices need security patches just like computers. Many businesses forget this entirely.
  8. Your £15,000 security investment can be defeated by a £300 printer. Security is only as strong as your weakest link, and IoT devices are often the weakest links because they're forgotten.
Resources & References Mentioned in This Episode
  • Previous Episodes Referenced:
    • Episode 17: Social Engineering - The Human Firewall Under Siege
    • Ransomware episodes (multiple)
    • Authentication episodes featuring Mark Bell
    • Cyber Essentials episodes
    • Electoral Commission accountability episode
  • Hardware Authentication: AuthenTrend hardware keys (mentioned as sponsor)
  • Case Studies: Marketing agency breach via printer (anonymized client)
Recommended Reading & Tools
  • NCSC Guidance: National Cyber Security Centre - IoT security guidance
  • Network Discovery Tools: Fing, Advanced IP Scanner, or similar free network scanning utilities
  • Device Documentation: Spreadsheet templates for device inventory available on our website
Practical Action Steps

This Week:
  1. Find your printer's admin interface. Log in. If you can't remember the password, that's probably because it's still set to "admin". Change it. Now.
  2. List five connected devices that aren't computers or phones. These are your starting inventory.
  3. Check one device's firmware. Is it up to date? When was it last updated? Who's responsible for keeping it current?
This Month:
  1. Complete device inventory. Use network scanning tools to discover everything connected to your network. Document it all.
  2. Change all default passwords. Every printer, camera, thermostat, and access point needs unique, strong credentials.
  3. Assess your network segmentation. Can your printer access your file server? It shouldn't. Start planning basic network separation.
  4. Assign device ownership. Every device needs someone responsible for its security, updates, and maintenance.
This Quarter:
  1. Implement basic network segmentation. Even simple VLAN separation is better than everything on one network.
  2. Create update schedules. IoT devices need regular firmware updates just like computers.
  3. Review and test. Verify your device inventory is accurate. Check that passwords actually changed. Confirm segmentation works.
Who Should Listen to This Episode?

This episode is particularly relevant for:

  • Small business owners who've invested in cybersecurity but may have overlooked IoT devices
  • IT managers and solo IT staff responsible for securing business networks with limited resources
  • Office managers who purchase and install connected devices without considering security implications
  • Business owners who think they've "done security" but haven't considered printers, cameras, and similar devices
  • Anyone who's ever said "it's just a printer" when security concerns were raised
Why This Episode Matters

We've covered passwords, multi-factor authentication, ransomware, supply chain attacks, shadow IT, and social engineering across 30 episodes. We've discussed major breaches at household names and examined what it takes to protect heads of state. But we've deliberately avoided IoT security until now because we knew it would make people uncomfortable, possibly angry, and definitely worried.

The uncomfortable truth is that whilst you've been securing laptops and servers, your office printer has had full network access, stores every document you print, and still uses the password it shipped with. The CCTV system protecting your premises might be livestreaming to the internet because nobody changed the default settings. The smart thermostat saving you money on heating is potentially giving attackers a way into your network.

This isn't theoretical paranoia. We're seeing breaches through IoT devices happen to businesses that have otherwise invested properly in cybersecurity. The marketing agency case study we discuss spent £15,000 on security and still got breached through a printer nobody thought to check during the security audit.

IoT security is the blind spot in small business cybersecurity. This episode gives you the knowledge and practical steps to finally address it without enterprise budgets or dedicated security teams.

Celebrating 30 Episodes

This milestone episode also marks an important achievement for the podcast. Since launching in June 2025, we've:

  • Reached Top 12 in Apple Podcasts Management category worldwide
  • Peaked at 3,500 daily downloads
  • Built an audience that's 47% US, 37% UK despite being a UK-focused show
  • Made cybersecurity almost entertaining whilst maintaining technical accuracy
  • Helped businesses actually implement security improvements, not just understand threats

We're genuinely grateful to everyone who's been listening, sharing, and most importantly, doing the work. The chart positions and download numbers are nice, but what matters more is when someone emails to say they've finally sorted Cyber Essentials or retired Dave from IT as a single point of failure.

Coming Up

Episode 31 (Next Week): Regular episode format continues with another crucial small business cybersecurity topic

Episode 32 (22nd December): Christmas Special - a festive take on cybersecurity for small businesses

Connect With Us

Need Help?

If you need direct assistance with IoT device security, Cyber Essentials, network segmentation, or any topic we've covered, contact us at: hello@thesmallbusinesscybersecurityguy.co.uk

Website & Resources

Visit thesmallbusinesscybersecurityguy.co.uk for:

  • Detailed guides on everything we've discussed
  • Step-by-step walkthroughs for printer security, camera configuration, and network segmentation
  • Device inventory templates and checklists
  • All episode show notes and transcripts
Subscribe & Follow
  • Apple Podcasts: Currently Top 12 in Management category worldwide
  • Spotify: New episodes every week
  • All major podcast platforms: Search for "The Small Business Cyber Security Guy"
Share This Episode

Know someone who's ever said "it's just a printer"? They need this episode in their life. Share it with:

  • Business owners who think they've got security sorted
  • IT managers dealing with limited budgets and forgotten devices
  • Office managers who purchase connected devices
  • Anyone responsible for small business network security
Support the Show

If you've had real value from this podcast:

  1. Leave a review on Apple Podcasts or Spotify - tell us what you've actually changed in your business
  2. Share episodes with other business owners who need to hear this
  3. Tell us what's landing - your feedback helps us create more useful content
  4. Subscribe so you don't miss episodes
About the Hosts

Noel Bradford

With over 40 years in IT and cybersecurity across enterprises including Intel, Disney, and BBC, Noel now serves as CIO/Head of Technology for a boutique security-first MSP. He brings enterprise-level expertise to small business constraints, translating million-pound solutions into hundred-pound budgets. His mission is making cybersecurity practical and achievable for resource-constrained small businesses.

Mauven MacLeod

A former government cyber analyst, Mauven brings systematic threat analysis and government-level security thinking to commercial reality. With her Glasgow roots and ex-government background, she translates complex security concepts into practical advice for small businesses, asking the questions business owners actually need answered.

Graham Falkner

Regular contributor and co-host for special episodes, Graham adds additional perspective and helps make complex cybersecurity topics accessible to small business audiences. His role includes managing the legal disclaimers and ensuring content remains grounded in practical business reality.

Legal Disclaimer

Everything discussed in this episode is for general guidance and educational purposes. It's meant to point you in the right direction but absolutely shouldn't be treated as professional advice tailored specifically to your business. Your situation is unique. What worked brilliantly for one business might be completely inappropriate for another.

We do our very best to keep everything accurate and current, but the cybersecurity world moves faster than a caffeinated squirrel. Things can change between when we record and when you're listening, so always double-check critical technical details with qualified professionals before making major changes to your systems.

If we've mentioned any websites, products, or services, we're giving you information, not necessarily endorsing them. We can't be responsible for what happens on their end or if things go sideways when you use them.

If you're dealing with serious cybersecurity incidents, actual data breaches, or complex compliance issues, please talk to proper professionals rather than just relying on podcast advice. We're here to educate and help you understand the landscape, not to replace your security consultant, solicitor, or IT team.

Think of us as your knowledgeable mates down the pub who work in cybersecurity, not your official contracted consultants. We care about your business, but we're not your insurance policy.

Stay safe out there, keep learning, and remember: when in doubt, get a second opinion from someone who can see your specific situation.

This has been a Small Business Cyber Security Guy production. Copyright 2025, all rights reserved.

Episode 30 | December 2025 | The Small Business Cyber Security Guy Podcast

Reverse Benchmarking: Learn from the Biggest Cyber Faceplants | 01 Dec 2025 | 00:25:26

What if the best way to protect your business isn't copying what the successful companies do, but avoiding what the failures did wrong? Welcome to reverse benchmarking, the cybersecurity equivalent of learning from other people's face-plants so you don't repeat them.

In this episode, Noel and Mauven flip traditional benchmarking on its head. Instead of asking "what are the best companies doing?", they explore the far more revealing question: "what did the disasters get catastrophically wrong?" From the Target breach via an HVAC vendor to ransomware attacks on UK holiday parks, the hosts dissect spectacular cybersecurity failures to extract practical lessons for small businesses.

You'll discover why copying enterprise best practices often backfires for SMBs, how compliance creates dangerous false security, and practical ways to build your own "disaster library" of lessons learned. Plus, the hosts reveal why some of the worst cybersecurity advice comes from studying successful companies rather than failed ones.

This isn't just negativity packaged as strategy. It's a systematic approach to identifying your business's genuine vulnerabilities by examining where others fell through the cracks. Because in cybersecurity, knowing what not to do is often more valuable than copying what others claim works.

Why This Episode Matters

One in three small businesses were hit by cyberattacks last year. The average cost? A quarter of a million pounds, with some reaching seven million. But here's the crushing statistic: 60% of small businesses close within six months of a cyber incident.

Traditional benchmarking tells you to copy what big enterprises do. Reverse benchmarking shows you what kills businesses like yours, so you can avoid becoming the cautionary tale in someone else's podcast.

Key Takeaways

1. Traditional Benchmarking Often Fails SMBs

  • Copying FTSE 100 security on a shoestring budget is a losing game
  • Enterprise solutions don't scale down effectively
  • By the time you copy last year's "best practice," threats have evolved
  • Context matters more than copying

2. Compliance ≠ Security

  • Being compliant doesn't mean you're secure
  • Compliance is like passing your driving test - it proves you know the rules, not that you'll never crash
  • Checkbox culture creates dangerous complacency
  • Attackers don't check your certifications before striking

3. The Statistics Are Sobering

  • One third of SMBs hit by cyberattacks annually
  • Average breach cost: £250,000
  • Some breaches: £7 million
  • 60% of small businesses close within six months post-attack
  • NCSC estimates 50% of UK SMBs will experience a breach each year

4. Real-World Disasters Teach Practical Lessons

  • Target breach: Lost $162 million because HVAC vendor credentials weren't properly segmented
  • Colonial Pipeline: Shutdown of major US fuel infrastructure from weak VPN password
  • UK holiday park ransomware: Peak season attack forced cash-only operations
  • Common thread: Basic security fundamentals ignored

5. Third-Party Risks Are Existential

  • 61% of breaches involve third-party access
  • Small vendors create backdoors into larger networks
  • Your security is only as strong as your weakest supplier
  • Segment vendor access ruthlessly

6. Practical Implementation Steps

  • Build your own "disaster library" of relevant failures
  • Hold quarterly "what went wrong" review sessions
  • Map your business to failed case studies
  • Ask "could this happen to us?" for every breach you read about
  • Create a no-blame culture for reporting near-misses
Detailed Show Notes

Introduction (00:00 - 01:24)

Noel poses a simple question: in the pub, what do people talk about? Their wins, mostly. This episode does the opposite by examining failures instead of successes. The hosts introduce "reverse benchmarking" as the Darwin Awards of cybersecurity, learning from others' digital disasters rather than bragging about fancy firewalls.

Key Quote: "Learn from other people's face-plants so we don't repeat them."

What Is Reverse Benchmarking? (01:24 - 03:46)

Traditional benchmarking means copying what successful companies do. Reverse benchmarking flips this around: study the worst failures in your industry and make certain you don't repeat them.

The Problem with Traditional Benchmarking:

  • Big enterprises have massive IT teams and unlimited budgets
  • Trying to copy enterprise security on SMB resources is futile
  • Benchmarking looks backwards - by the time you implement, hackers have moved on
  • If everyone in your industry has the same gap, benchmarking won't reveal it

Why It Matters Now:

  • One third of SMBs were hit by cyberattacks in the past year
  • Average cost: £250,000, with some reaching £7 million
  • 60% of small businesses close within six months of a cyberattack
  • Most small business owners still think they're too small to be targeted

UK Context: The National Cyber Security Centre (NCSC) estimates around half of UK SMBs will experience a breach each year. Coin flip odds. If you're sitting in a board meeting saying "hackers won't bother with us," you might as well hang a sign reading "free Wi-Fi, no password."

The Compliance Trap (03:46 - 06:15)

Many businesses believe being compliant means they're secure. This is cybersecurity's biggest misconception.

Compliance vs Security:

  • Compliance is like passing your driving test - it means you know the rules, not that you'll never crash
  • Or that you're a good driver
  • Microsoft's security GM: "Some SMBs believe being compliant means they're safe. It doesn't."
  • Hackers don't check whether you've got ISO certification before attacking

The Checkbox Culture:

  • "We did our annual password change. Job done."
  • Hackers respond: "Challenge accepted."
  • Following checklists creates a false sense of security
  • Real security requires ongoing vigilance, not annual tick-boxes

The Hidden Risk: If everyone in your industry has the same security gap but meets the same compliance standards, benchmarking against them won't reveal your shared vulnerability. You're all vulnerable together, congratulating each other on your certifications.

Case Study 1: The Target Breach (06:15 - 09:42)

One of retail history's most infamous breaches demonstrates how third-party access becomes a catastrophic liability.

What Happened:

  • December 2013: Hackers stole 40 million credit card numbers and 70 million customer records
  • Entry point: HVAC contractor with network access
  • Attackers used vendor credentials to access Target's corporate network
  • Then moved laterally to payment systems

The Aftermath:

  • Direct losses: $162 million
  • CEO resigned
  • CIO resigned
  • Board chairman resigned
  • Countless hours dealing with breach response, forensics, legal battles

The Lesson: Your security is only as strong as your weakest supplier. That HVAC company, plumber, or IT consultant with network access? They're potential backdoors. Target's enterprise-grade security was bypassed through a small contractor's weak credentials.

For Small Businesses:

  • 61% of breaches involve third-party access
  • Small businesses often provide services to larger enterprises
  • Your compromise becomes their breach
  • Vendor management isn't optional

Practical Actions:

  • Segment vendor access ruthlessly
  • No contractor needs access to your entire network
  • Use separate credentials for third parties
  • Monitor vendor access continuously
  • Regular vendor security audits
Case Study 2: Colonial Pipeline (09:42 - 12:28)

In May 2021, a single compromised password shut down a major fuel pipeline supplying 45% of the US East Coast's fuel.

What Happened:

  • Ransomware attack forced shutdown of 5,500-mile pipeline
  • Entry point: Weak VPN password
  • No multi-factor authentication (MFA) on VPN access
  • Company paid $4.4 million ransom (partially recovered later)

The Impact:

  • Fuel shortages across southeastern United States
  • Panic buying, price spikes
  • Emergency government declarations
  • Week-long shutdown of critical infrastructure

The Lesson: Credentials are your front door. If you're not protecting them properly, you've left the door unlocked with a welcome mat out for attackers.

For Small Businesses: Colonial Pipeline didn't fail because of sophisticated zero-day exploits or nation-state malware. It failed because MFA wasn't enabled on remote access.

Your Action Items:

  • Enable MFA everywhere, particularly VPN access
  • Enforce strong password policies
  • Monitor for credential compromise
  • Phishing-resistant MFA (hardware tokens or biometrics) for privileged access
  • Regular access reviews

The Cost-Benefit Reality:

  • Hardware security keys: £40-70 per user
  • Potential breach cost: £250,000 average
  • MFA prevents 99.9% of automated credential attacks
  • The mathematics are straightforward
Case Study 3: UK Holiday Park Ransomware (12:28 - 15:15)

Closer to home, a UK holiday park discovered that timing matters when ransomware strikes.

What Happened:

  • Ransomware attack during peak summer season
  • All booking systems encrypted
  • Payment processing down
  • Guest check-ins disrupted

The Business Impact:

  • Had to operate cash-only during busiest period
  • Couldn't process new bookings
  • Lost revenue during most profitable weeks
  • Guest experience severely compromised
  • Reputation damage

The Lesson: Attackers choose timing deliberately. They struck during peak season when the business would be most desperate to restore operations quickly and most likely to pay the ransom.

For Small Businesses: Seasonal businesses are particularly vulnerable during peak periods. That's precisely when attackers strike, knowing you can't afford downtime.

Your Defence Strategy:

  • Offline, air-gapped backups tested regularly
  • Incident response plan practiced before peak season
  • Alternative payment processing methods ready
  • Staff trained on ransomware procedures
  • Crisis communication templates prepared

The Backup Reality: Having backups isn't enough. You need to test restoration procedures. The middle of a ransomware attack is not the time to discover your backups don't work or take three weeks to restore.

Why Reverse Benchmarking Works Better (15:15 - 17:45)

Traditional approaches focus on aspirational goals. Reverse benchmarking focuses on avoiding catastrophic failures.

The Psychological Advantage:

  • Failures provide concrete examples of what not to do
  • Success stories often omit the messy details
  • Disasters reveal the actual attack patterns you'll face
  • Real consequences make lessons stick

The Practical Advantage:

  • You learn what actually breaks in the real world
  • Not theoretical best practices that might work
  • Understand attack chains step by step
  • See how small gaps become massive breaches

The Cost Advantage:

  • Avoiding one disaster pays for years of modest security investment
  • You don't need enterprise budgets to avoid enterprise mistakes
  • Focus resources on genuine vulnerabilities
  • Not on impressive-sounding but irrelevant controls

The Timeliness Advantage:

  • Recent failures reflect current threat landscape
  • More relevant than last year's "best practices"
  • See how threats evolve in real-time
  • Adapt defences to actual attack methods
Building Your Disaster Library (17:45 - 19:29)

Practical implementation of reverse benchmarking for your business.

Step 1: Collect Relevant Failures

  • Focus on breaches in similar-sized businesses
  • Same industry or adjacent sectors
  • Similar technology stack
  • Geographic relevance (UK regulations, threat actors)

Step 2: Quarterly Review Sessions

  • "What went wrong" meetings with your team
  • Review recent breaches systematically
  • Ask: "Could this happen to us?"
  • Identify similar vulnerabilities in your environment

Step 3: Map to Your Environment

  • For each breach, trace the attack path
  • Identify which elements exist in your business
  • Where are your equivalent vulnerabilities?
  • What would the impact be if it happened to you?

Step 4: Prioritise Actions

  • Not every lesson requires immediate implementation
  • Focus on high-probability, high-impact scenarios first
  • Quick wins vs long-term projects
  • Balance cost against realistic risk

Step 5: Create Your "Anti-Playbook"

  • Document what you'll never do based on failure analysis
  • Share with team so everyone knows the "forbidden" approaches
  • Update as new disasters emerge
  • Make it a living document, not a static policy

Resources to Monitor:

  • NCSC Weekly Threat Reports
  • Information Commissioner's Office (ICO) breach reports
  • Industry-specific security bulletins
  • UK Cyber Security News
  • Global breach databases with UK filter
Creating a No-Blame Culture (19:29 - 20:45)

If people hide mistakes, you lose the chance to fix vulnerabilities before an actual breach occurs.

The Aviation Model: Airlines improve safety by fostering a no-blame culture for near-misses. They want to hear about every close call so they can fix systemic issues before disaster strikes.

Applying This to Cybersecurity: If Janet in accounting falls for a phishing test, berating her is counterproductive. Instead, make it a learning opportunity for everyone. Next time, she might be the one to spot a real phishing attempt and save your business.

Practical Implementation:

  • "Lessons learned" sessions, not "who screwed up" meetings
  • Focus on systems and processes, not individuals
  • Reward reporting of near-misses
  • Share failures anonymously when needed
  • Celebrate catches of suspicious activity

The Payoff: Fear doesn't work. Education does. When people feel safe reporting potential issues, you catch problems early before they become breaches.

Summary and Call to Action (20:45 - 21:37)

Sometimes the best way to secure your business is by studying the worst failures out there and doing the opposite.

Key Principles:

  • Traditional benchmarking can lead you astray for SMBs
  • Reverse benchmarking provides a genuine security advantage
  • Study disasters: Target, Colonial Pipeline, holiday park ransomware
  • Build it into regular practice, not a one-off exercise

Your Mindset Shift: Think of yourself as the Sherlock Holmes of cyber failures. Every incident is a case study that makes your business smarter. In cybersecurity, boring is good. If nothing's happening, it means your defences are working.

Immediate Actions:

  1. Start your disaster library this week
  2. Schedule your first quarterly review session
  3. Map one recent breach to your business environment
  4. Implement one lesson learned from this episode
  5. Share this approach with your team

Resources Mentioned

Statistics and Studies

  • National Cyber Security Centre (NCSC): UK SMB breach probability estimates
  • Microsoft Security: Compliance vs security research
  • Industry reports: 61% of breaches involve third-party access
  • Bernard Ma: Quote on benchmarking limitations

Case Studies Referenced

  • Target Corporation data breach (2013): HVAC vendor compromise, 40 million cards stolen, $162 million loss
  • Colonial Pipeline ransomware (2021): VPN password compromise, $4.4 million ransom, critical infrastructure shutdown
  • UK holiday park ransomware: Peak season attack, cash-only operations

UK Regulatory and Advisory Bodies

  • NCSC Weekly Threat Reports
  • ICO breach notifications and enforcement actions

Recommended Reading

  • Industry-specific security bulletins
  • UK Cyber Security News aggregators

Practical Checklist: Start Your Reverse Benchmarking Practice

This Week:

  • Create a folder or document for your "disaster library"
  • Sign up for NCSC weekly threat report emails
  • Identify three recent breaches in businesses similar to yours
  • Schedule your first quarterly "what went wrong" review meeting

This Month:

  • Map one major breach to your business environment
  • Identify your equivalent vulnerabilities to the mapped breach
  • Implement one quick-win lesson from disaster analysis
  • Share this approach with your leadership team

This Quarter:

  • Hold your first formal reverse benchmarking session
  • Build your "anti-playbook" of forbidden approaches
  • Establish no-blame reporting culture for near-misses
  • Review and update third-party access controls

Ongoing:

  • Weekly review of new breach reports
  • Monthly check: "Could this happen to us?"
  • Quarterly team review sessions
  • Annual comprehensive vulnerability mapping

Questions for Your Team

Use these discussion prompts in your quarterly review sessions:

  1. Which recent breach in our industry most closely resembles our business model?
  2. Do we have the same entry points that attackers used in [specific breach]?
  3. What would be our equivalent business impact if we experienced this type of attack?
  4. Which quick fixes could we implement this month to avoid similar failures?
  5. What systemic vulnerabilities do we share with failed organisations?
  6. Are we making the same assumptions that led to their breach?
  7. Would our backup and recovery process work in a real crisis?
  8. Do our third-party vendors have access they don't need?
  9. Where are we relying on compliance rather than actual security?
  10. What's our single point of failure that resembles their weakness?

Next Episode Preview

Episode 30: The Office Printer Hacker Saga

Yes, office printers are a genuine security risk. Sounds hilarious, but it's genuinely scary. We'll explore why that seemingly innocent device in the corner is actually a network-connected computer with hard drives, stored documents, and often the same default admin password it shipped with.

You'll discover the printer botnet that attacked an entire city, the university students who made campus printers output memes, and why your MFP (multi-function printer) knows more about your business than you'd be comfortable with.

If you think printers are just about paper jams and toner costs, this episode will open your eyes to why printer security belongs in your threat model. Subscribe so you don't miss it.

Share Your Story

Have you learned from a cybersecurity blunder, either your own or someone else's? We'd love to hear about it. Send your story to us (anonymously if you prefer), and we might feature it in a future episode.

Got a cybersecurity dilemma keeping you up at night? Send it our way. We'll tackle it in our down-to-earth style in upcoming episodes.

Connect With The Show

Subscribe: Available on Apple Podcasts, Spotify, and all major podcast platforms

Leave a Review: Your reviews help other small business owners find practical cybersecurity advice

Website: thesmallbusinesscybersecurityguy.co.uk

Email: hello@thesmallbusinesscybersecurityguy.co.uk

Legal Disclaimer

The views and opinions expressed in this podcast are those of the hosts and do not necessarily reflect the official policy or position of any organisations they work for, employers, advertisers, sponsors, or any other entities connected to the show.

This podcast is for general educational and informational purposes only. It should not be treated as professional advice tailored specifically to your business circumstances. Your situation is unique, and you should consult with qualified cybersecurity professionals before implementing significant changes to your systems.

Whilst we strive to keep all information accurate and current, the cybersecurity landscape evolves rapidly. Always verify critical technical details with qualified professionals before making major decisions.

We cannot accept liability for any losses or problems that may result from following the suggestions in this podcast. Please think of us as knowledgeable colleagues sharing insights, not contracted consultants providing formal advice. When in doubt, get a second opinion from someone who can assess your specific situation.

Copyright © 2025 The Small Business Cyber Security Guy. All rights reserved.

Episode Tags

#Cybersecurity #SmallBusiness #ReverseBenchmarking #CyberThreats #DataBreach #UKBusiness #SMBSecurity #InformationSecurity #ThreatIntelligence #SecurityStrategy #BusinessProtection #CyberResilience #RiskManagement #SecurityPodcast #UKCyber #NCSC #ThirdPartyRisk #ComplianceVsSecurity #CyberEducation #BusinessContinuity

Urgent: Patch CVE-2025-62221 — December Patch Tuesday Breakdown | 10 Dec 2025 | 00:17:50

Show notes

December 2025 just shipped the last Microsoft security fixes of the year: fifty-seven vulnerabilities, three zero-days, and one actively exploited Windows privilege escalation that hits almost every supported build. Are you patched before the Christmas break, or are you leaving a present for attackers in January?

In this episode, Graham walks through the December 2025 Patch Tuesday release, with a focus on what actually matters for small and medium businesses. You will hear how CVE-2025-62221 in the Windows Cloud Files driver turns a low-level account into full system compromise, why the Office Preview Pane is once again a risk, and how AI-powered tools like GitHub Copilot for JetBrains and PowerShell changes introduce new attack paths. Does your team know about any of that?

You also get a fast tour of Adobe and other vendor updates, including ColdFusion, Android, Ivanti, Fortinet, React Server Components and SAP. Graham then zooms out to review the full year, with more than 1,100 Microsoft vulnerabilities in 2025 and privilege escalation bugs leading the pack. Finally, he explains why the five-week gap before the next Patch Tuesday on 13 January 2026 makes December patching non-negotiable.

By the end of the episode you will know:

  1. Which patches you must treat as emergency work, especially CVE-2025-62221

  2. How Office, Copilot and PowerShell changes affect day-to-day risk

  3. Why Windows 10 without Extended Security Updates is now a business liability

  4. What to ask your IT team or provider before everyone disappears for the holidays

Are you confident your estate will survive the festive period, or do you need to push patching to the top of the list?

© My Podcast Data