The Small Business Cyber Security Guy | Cybersecurity for SMB & Startups
Author: The Small Business Cyber Security Guy
© The Small Business Cyber Security Guy Productions
Description
The Small Business Cyber Security Guy Podcast
Practical cybersecurity advice for UK small business owners who need enterprise-level protection without enterprise-level budgets, headaches, or PhD-level jargon.
Join hosts Noel Bradford and Mauven MacLeod as they translate complex cybersecurity threats into actionable solutions that actually work for businesses with 5-50 employees. Noel brings 40+ years of enterprise experience from Intel, Disney, and the BBC, whilst Mauven adds government-level threat intelligence from her time as a UK Government Cyber Analyst. Together, they bridge the gap between knowing you need better security and actually implementing it without breaking the bank.
Why This Podcast Works:
Real experts who’ve chosen to focus on underserved small businesses
Practical advice tested in actual SMB environments
British humour that makes serious topics engaging (not intimidating)
Budget-conscious solutions that acknowledge your real constraints
Perfect For:
Business owners who believe they're "too small to be targeted"
Anyone who needs cybersecurity knowledge but lacks time for complex solutions
Those seeking enterprise-quality protection at corner shop prices
UK businesses (though principles apply globally)
Each episode delivers concrete, actionable advice you can implement immediately. No theoretical discussions, no vendor nonsense, no academic waffle. Just two experts who genuinely care about helping small businesses survive and thrive digitally.
Regular Features:
Current threat analysis with real-world context
Implementation guides within realistic budgets
Human factor solutions (because your biggest vulnerability makes excellent tea)
Government framework explanations that actually make sense
New episodes weekly. Subscribe now and join thousands of business owners who’ve discovered that proper cybersecurity isn’t just for Fortune 500 companies.
Like what you hear? Subscribe, leave a review mentioning your biggest cybersecurity concern, and visit our blog for detailed implementation guides on everything we discuss.
Stay secure, stay practical, and remember - if your security wouldn’t survive a curious teenager with too much time, it needs work.
57 Episodes
In this episode of Small Business Cybersecurity Guy, hosts Mauven MacLeod, Noel Bradford and Graham Falkner walk you through Module One of their six-part incident response plan series: building your response team. Through the real-world Katie Roberts case study (name changed), they show why independence matters when a breach hits — and how an unbiased incident manager can quickly uncover the truth, coordinate response, and save a business from far worse outcomes.
Topics covered include the four core incident roles (external incident manager, technical lead, business continuity coordinator, communications lead), how to find and contract an external IM (insurance, IT referrals, retainer vs pay-per-incident), what an IM can and cannot do, authority and spending limits, and realistic costs and timelines. The hosts explain a simple, achievable four-week setup plan that takes roughly four hours of actual work, and they share templates for team structure, external contacts, authority scripts, implementation timelines, and validation checklists.
Key points and takeaways: why impartial coordination matters, how to avoid common provider cover-up biases, the practical steps Katie used to stabilise her business, a real case study of an architecture firm saved from a Friday-afternoon ransomware attack, and concrete homework: find your IM, assign three internal roles, document everything on a single page, brief and validate your team. Listeners will leave with a clear, actionable plan, links to downloadable templates, and the promise that preparation reduces cost, stress, and downtime.
Hosted by Graham Falkner, this episode is a rapid, no‑nonsense January Patch Tuesday breakdown aimed at small businesses and IT owners. Graham walks listeners through Microsoft’s unusually large release of 114 security updates, explains the essential jargon (CVE and CVSS), and highlights why severity scores don’t replace real‑world risk assessments.
The show covers the one vulnerability already being actively exploited (CVE-2026-2805 in Desktop Window Manager) and two other high-risk items used in targeted attacks, plus three zero-day bugs. Graham takes a deep dive into the critical on-premises SharePoint emergency (the ToolShell campaign, CVE-2025-53770 and related issues), urging immediate patching and incident response for any internet-facing server; for this one, patching alone is not enough, because a server that was exposed before the fix landed has to be treated as compromised until checked, and Microsoft's guidance also called for rotating the ASP.NET machine keys after the update. He also explains the severe Kestrel/ASP.NET Core HTTP request smuggling flaw (CVE-2025-55315) and its practical impact on web apps and deployment teams: the fix lives in the ASP.NET Core runtime (and the Kestrel package for apps that bundle it), so self-contained apps have to be rebuilt and redeployed rather than just patched at the OS level.
The episode reviews other major vendor fixes: SAP’s 16 security updates (including four critical vulnerabilities), Apple’s two WebKit zero days, Adobe’s 32 patches (eight critical affecting Acrobat, Reader and creative apps), HPE OneView’s unauthenticated RCE (CVE‑2025‑37164), and ongoing VMware ESXi risks. Graham calls out long‑delayed Fortinet SSL‑VPN vulnerabilities (including CVE‑2020‑12812) and newer FortiCloud SSO bypasses, stressing that overdue patching still causes widespread compromises.
Practical guidance and priorities are clear and actionable: patch Windows cumulative updates, exposed SharePoint servers, Fortinet edge devices and HPE OneView within 24 hours; address .NET/web app fixes and SAP critical patches within the next 72 hours to one week; then continue with routine maintenance for browsers, Adobe, Cisco and other software. The episode also flags upcoming deadlines and logistics—Oracle’s critical patch update on January 20 and the end of Windows 10 support—so listeners can plan maintenance windows and migrations.
Key takeaways: assume compromise if you haven't patched exposed services, verify systems after applying updates, assign owners who can patch and redeploy quickly, and treat cumulative Windows updates as all-or-nothing. There are no external guests: this episode is hosted solo by Graham Falkner and aimed at helping small organisations act fast and reduce risk in the wake of an intense Patch Tuesday.
In this episode of the Small Business Cybersecurity Guy, host Noel Bradford is joined by Mauven MacLeod and Graham Falkner to unpack the Cabinet Office's January 2026 Government Cyber Action Plan, a blunt, 100-page admission that the UK government's cybersecurity posture is "critically high" risk and that many of its own targets are unachievable. The trio break down the report's headline findings, case studies of high-profile failures, and why this matters to you even if you've never worked with government.
Key revelations from the Plan covered in the episode include: roughly 28% of government IT is legacy and cannot be defended with modern tools; repeated systemic failures across departments (poor patching, weak passwords, lack of monitoring); high‑cost incidents such as the British Library ransomware recovery and the CrowdStrike outage that cost the UK economy billions; and the Electoral Commission breach that exposed millions of voter records. The hosts explain the language the report uses — from “historical underinvestment” to “not achievable” targets — and what those admissions mean in plain English.
The episode also examines the Cabinet Office’s proposed response: new accountability rules giving accounting officers (permanent secretaries) personal responsibility for cyber risk, routine cyber risk reporting to boards, escalation mechanisms, and potential consequences including removal or public parliamentary scrutiny. The hosts discuss how this mirrors the health & safety/HSE accountability model and why public‑sector reform will likely set the precedent for private‑sector regulation (including implications of forthcoming cyber security and resilience legislation).
Financing and timelines are analysed too: the government has allocated around £210 million to kickstart a central cyber transformation unit with milestones through 2029, but the hosts stress this is a down payment — true remediation will take years and likely billions. The Plan’s investment priorities (visibility/monitoring, accountability, supply‑chain assurance, incident response and skills) form a checklist for businesses to adopt now.
Supply‑chain requirements are a central takeaway: departments will require security schedules, certification (Cyber Essentials, Cyber Essentials Plus, ISO 27001 where appropriate), and documented evidence of controls. These requirements will cascade down through primes to second‑ and third‑tier suppliers, so small businesses should expect tightened demands for proof of security and that compliance will become a competitive advantage.
The hosts finish with practical, actionable advice for small businesses: treat cyber risk as board‑level risk; establish personal accountability and clear escalation; prioritise visibility and monitoring; inventory and pragmatically manage legacy systems; obtain appropriate certifications (Cyber Essentials Plus, ISO etc.) if you have or might have public‑sector exposure; segregate and protect government work; build or improve incident response capability; and use this moment to push cultural change so security is embedded across the organisation.
Throughout the episode Noel, Mauven and Graham provide candid analysis, real examples from recent government failures, and specific steps SMBs can take now to reduce risk and gain a competitive edge as regulation and procurement expectations tighten. Listeners are pointed to the full Government Cyber Action Plan on gov.uk and the podcast blog for a detailed breakdown and sources.
In this episode Mauven MacLeod and Graham Falkner (with Noel Bradford joining partway through) unpack a worrying trend: adversary-in-the-middle (AITM) attacks that steal session tokens and completely bypass conventional multi-factor authentication (MFA). Using Microsoft's recent telemetry (a 146% jump in AITM incidents) as a backdrop, they explain how transparent proxy phishing pages relay credentials and MFA approvals to capture session tokens and gain hours of unrestricted access to Microsoft 365 accounts.
The hosts explain, in plain technical terms, why SMS codes, authenticator app push prompts and one-time codes fail against these attacks: the proxy relays the genuine login page, so the user completes MFA on the attacker's behalf, and the session token issued afterwards is never challenged again for its lifetime, which makes possession of that token a single-factor credential. They describe what attackers typically do after compromise (mailbox reconnaissance, forwarding rules, OAuth app persistence, and registering new authentication methods) and highlight the scale of automated phishing-as-a-service tools that make these attacks cheap and fast.
The episode then walks through the practical, phishing‑resistant solutions every small business should consider: Windows Hello for Business, hardware security keys (YubiKey, Authentrend and similar), and passkeys on mobile devices. For each option they cover how it works, deployment requirements, licensing or purchase costs, user experience trade‑offs, and which users to prioritize for rollout.
Mauven and Graham recommend a tiered, risk-based rollout strategy: protect admin and privileged accounts first, then finance/HR/executives, and finally the wider workforce over months. They discuss real-world gotchas (legacy apps that don't support modern auth, BYOD complications, mobile workflows, and the need for a secured "break glass" account) plus expected labour, training and hardware costs for a typical 30-user small business.
Beyond replacing or upgrading MFA, the hosts cover essential complementary controls: conditional access policies, continuous access evaluation (CAE) to shorten token windows, blocking legacy authentication (SMTP/IMAP/POP), impossible‑travel detection, and concrete incident response steps (revoking sessions, removing rogue MFA methods and OAuth apps, checking forwarding rules and mailbox rules, and doing forensics on accessed data).
The episode closes with an immediate to‑do list for small businesses: verify MFA is actually enabled, remove SMS/email MFA methods, plan a phishing‑resistant rollout starting with tier‑1 users, enable conditional access and CAE, and budget for training and support. They also preview an upcoming multi‑episode series to help businesses build a practical incident response plan.
Listeners can expect a technically grounded but actionable discussion aimed at business owners and IT staff: why traditional MFA is still valuable, why it’s not enough against AITM, and exactly how to adopt phishing‑resistant authentication to close that gap.
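The post-compromise checks the hosts list, as an added Python example that is not from the podcast: it runs offline over constructed sign-in and audit records whose field names (user, time, lat, lon, operation, parameters) are assumptions rather than the real Entra ID or Exchange Online schema, though the operation names are the real audit ones. It flags impossible travel between two sign-ins (what a replayed session token looks like in the sign-in log) and the persistence moves an attacker makes once they hold a token: external forwarding rules, self-deleting rules, mailbox-level forwarding, newly registered MFA methods and OAuth consents.

```python
"""Post-compromise checks for a suspected AiTM session-token theft.

Added example, not from the podcast. Runs over constructed records; the record
layout is an assumption, the operation names are the real Exchange Online and
Entra ID audit ones."""
import math
from datetime import datetime, timezone

INTERNAL_DOMAIN = "example.co.uk"  # assumed tenant domain
EARTH_RADIUS_KM = 6371.0


def _ts(hour, minute):
    """Constructed timestamps, all on one day, for the sample data."""
    return datetime(2026, 1, 12, hour, minute, tzinfo=timezone.utc)


# Constructed sign-ins: alice's stolen token is used from Lagos 40 minutes
# after her genuine London sign-in; bob drives London -> Manchester in 3 hours.
SIGNINS = [
    {"user": "alice@example.co.uk", "time": _ts(9, 0), "result": "success",
     "city": "London", "lat": 51.5074, "lon": -0.1278},
    {"user": "bob@example.co.uk", "time": _ts(9, 5), "result": "success",
     "city": "London", "lat": 51.5074, "lon": -0.1278},
    {"user": "alice@example.co.uk", "time": _ts(9, 40), "result": "success",
     "city": "Lagos", "lat": 6.5244, "lon": 3.3792},
    {"user": "bob@example.co.uk", "time": _ts(12, 0), "result": "success",
     "city": "Manchester", "lat": 53.4808, "lon": -2.2426},
]

# Constructed audit events in the hour after the Lagos sign-in.
AUDIT_EVENTS = [
    {"user": "alice@example.co.uk", "time": _ts(9, 52), "operation": "New-InboxRule",
     "parameters": {"Name": ".", "ForwardTo": ["ops-archive@mail-example.net"],
                    "DeleteMessage": True}},
    {"user": "alice@example.co.uk", "time": _ts(9, 55),
     "operation": "User registered security info",
     "parameters": {"method": "Authenticator app"}},
    {"user": "alice@example.co.uk", "time": _ts(10, 3),
     "operation": "Consent to application",
     "parameters": {"app": "Mail Sync Helper", "scopes": "Mail.Read offline_access"}},
    {"user": "bob@example.co.uk", "time": _ts(11, 0), "operation": "New-InboxRule",
     "parameters": {"Name": "Newsletters", "MoveToFolder": "Newsletters",
                    "ForwardTo": ["carol@example.co.uk"]}},   # internal: benign
]


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points in kilometres."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi, dlam = p2 - p1, math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlam / 2) ** 2
    return 2 * EARTH_RADIUS_KM * math.asin(math.sqrt(a))


def impossible_travel(signins, max_kmh=900.0):
    """Flag consecutive successful sign-ins by one user that would need travel
    faster than max_kmh (roughly airliner speed)."""
    findings, last = [], {}
    for s in sorted(signins, key=lambda r: r["time"]):
        if s["result"] != "success":
            continue
        prev = last.get(s["user"])
        if prev is not None:
            km = haversine_km(prev["lat"], prev["lon"], s["lat"], s["lon"])
            hours = (s["time"] - prev["time"]).total_seconds() / 3600
            speed = km / hours if hours > 0 else (math.inf if km > 0 else 0.0)
            if speed > max_kmh:
                findings.append({"user": s["user"], "from": prev["city"], "to": s["city"],
                                 "minutes": round(hours * 60), "km": round(km),
                                 "speed_kmh": round(speed)})
        last[s["user"]] = s
    return findings


def suspicious_audit_events(events, internal_domain):
    """Flag the persistence an attacker sets up with a stolen session."""
    suffix = "@" + internal_domain.lower()
    findings = []

    def note(e, why):
        findings.append({"user": e["user"], "time": e["time"].isoformat(),
                         "operation": e["operation"], "why": why})

    for e in events:
        op, p = e["operation"], e.get("parameters", {})
        if op in ("New-InboxRule", "Set-InboxRule"):
            for key in ("ForwardTo", "ForwardAsAttachmentTo", "RedirectTo"):
                for addr in p.get(key, []):
                    if not addr.lower().endswith(suffix):
                        note(e, f"inbox rule {key} external address {addr}")
            if p.get("DeleteMessage"):
                note(e, "inbox rule deletes messages (hides replies from the victim)")
        elif op == "Set-Mailbox":
            addr = p.get("ForwardingSmtpAddress")
            if addr and not addr.lower().endswith(suffix):
                note(e, f"mailbox forwarding to external address {addr}")
        elif op == "User registered security info":
            note(e, f"new MFA method registered: {p.get('method', 'unknown')}")
        elif op == "Consent to application":
            note(e, f"OAuth consent to {p.get('app', '?')} for {p.get('scopes', '?')}")
    return findings


def run_checks():
    """Both reports together, the way a responder wants them on one screen."""
    return {"impossible_travel": impossible_travel(SIGNINS),
            "persistence": suspicious_audit_events(AUDIT_EVENTS, INTERNAL_DOMAIN)}


if __name__ == "__main__":
    for section, items in run_checks().items():
        print(section)
        for item in items:
            print("  ", item)
```

On a real tenant the inputs come from the Entra sign-in logs and the unified audit log. The 900 km/h threshold is a starting point and IP geolocation is coarse, so a hit is a reason to revoke sessions and read the audit trail, not proof on its own; the four alice findings above are exactly the items the hosts tell you to undo (remove the rule, the rogue MFA method and the OAuth grant) after revoking her sessions.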
What You'll Learn
Three in the morning. Your phone's ringing. Someone's encrypted your customer database. What do you do?
This trailer launches our most ambitious series yet: a six-module programme running January through March 2026 that transforms panic into a complete, tested incident response plan. Each module drops every two weeks, giving you time to implement before the next one arrives. Between modules, normal episodes continue covering current threats, breaches, and patches.
This Series Will Give You:
Complete incident response framework for small businesses
Communication templates you can use during an actual incident
Threat-specific playbooks for ransomware, data breaches, and system compromises
Testing procedures that prove your plan works under pressure
Implementation time built into the schedule
Practical guidance for teams with real constraints
What This Series Covers
Module 1: Incident Response Foundations (Early January 2026)
What You'll Build:
Clear decision tree for incident classification
Role definitions (even if your team is three people)
Initial response procedures
Documentation requirements
Escalation pathways
Practical Outputs:
Who does what, when, and how
Your first response checklist
Contact list template
Module 2: Building Your Response Team (Late January 2026)
What You'll Build:
Response team structure for small businesses
Role assignments that work with limited staff
External contact management
Vendor coordination procedures
Backup personnel plans
Practical Outputs:
Team roster with responsibilities
External contacts database
Succession planning for key roles
Module 3: Communication Plans (Early February 2026)
What You'll Build:
Internal notification procedures
Customer communication templates
Regulatory reporting guidance
Media handling basics
Stakeholder management
Practical Outputs:
Communication templates ready to use
Notification timelines
Contact escalation matrix
Module 4: Threat-Specific Playbooks (Late February 2026)
What You'll Build:
Ransomware response procedures
Data breach protocols
System compromise workflows
Phishing incident handling
Insider threat procedures
Practical Outputs:
Step-by-step playbooks for each threat type
Decision trees for common scenarios
Evidence preservation guides
Module 5: Testing Your Plan (Early March 2026)
What You'll Build:
Tabletop exercise framework
Simulation scenarios
Assessment criteria
Continuous improvement process
Lessons learned documentation
Practical Outputs:
Test schedule
Simulation scripts
Improvement tracking system
Module 6: Complete System Integration (Late March 2026)
What You'll Build:
Your complete, customised IR plan
Integration with existing processes
Maintenance schedule
Annual review procedures
Staff training programme
Practical Outputs:
Final incident response plan document
Ongoing maintenance checklist
Training materials for your team
Between Modules: Normal Episodes Continue
Every other week between module releases, you'll get:
Latest Breach Analysis: What happened, how it happened, what you can learn
Critical Security Patches: What you need to apply and why (see our December 2025 Patch Tuesday analysis)
Emerging Threat Intelligence: Current attacks targeting UK small businesses
Practical Implementation Guides: Hands-on advice for immediate action
Because security doesn't pause whilst you're building your plan.
The Two-Week Implementation Rhythm
Week 1: Module episode drops
Week 2: Implementation time + normal episode
Week 3: Next module episode drops
Week 4: Implementation time + normal episode
This cadence gives you:
Time to actually implement each module
Space to ask questions and refine
Current threat intelligence throughout
Sustainable pace for resource-constrained teams
Why This Series Matters
The UK Small Business Reality
Current State:
43% of UK small businesses experienced cyber breaches last year (DSIT 2025)
Average breach cost: £250,000
Some breaches exceed £7 million
60% of small businesses close within six months of a major cyber incident
NCSC estimates 50% of UK SMBs will experience a breach annually
The Gap:
73% have no board-level cybersecurity responsibility (see Episode 31: The Risk Register Argument)
Most have no documented incident response plan
Existing plans are often enterprise frameworks that don't work for SMBs
When incidents occur, response is reactive panic rather than systematic procedure
The Opportunity:
Having a tested incident response plan can reduce breach impact by up to 70%
Cut recovery time significantly
Minimise business disruption
Demonstrate due diligence for cyber insurance
Meet regulatory requirements
Protect customer trust
This Isn't Enterprise Security Theatre
Traditional incident response planning assumes you have:
Dedicated security team
24/7 SOC coverage
Unlimited budget
Complex organisational structure
Enterprise-grade tools
This series assumes you have:
Limited staff wearing multiple hats
Constrained budget
Time pressure
Real business to run
Practical need for procedures that actually work
Every recommendation is:
Tested in actual small business environments
Budget-conscious
Time-realistic
Scalable as you grow
Focused on high-impact, low-cost implementations
Who Should Listen to This Series
This series is particularly relevant for:
UK small business owners (5-50 employees) who need incident response capability
Startup founders building security from the ground up
SME managers responsible for cybersecurity without security backgrounds
Solo IT staff who handle everything
Business owners who've invested in prevention but lack response capability
Anyone who thinks "we're too small to need an incident response plan"
Directors concerned about personal liability under the Companies Act
Businesses pursuing Cyber Essentials or cyber insurance
Professional services firms handling sensitive client data
You'll especially benefit if:
You've asked "what happens if we get breached?" and had no good answer
Your current plan is "call the IT guy and hope"
You've got prevention sorted but no response capability
You need to demonstrate due diligence for insurance or compliance
You're responsible for security but lack formal training
Your team is small and you can't afford enterprise solutions
What Makes This Series Different
Practical Implementation Focus
Not theoretical frameworks or consultant waffle. Every module produces concrete, usable outputs you can implement on a Tuesday afternoon between customer calls.
Small Business Specific
Built for teams of 3-50 people, not Fortune 500 enterprises. Acknowledges real constraints around time, money, and expertise.
Tested in Real Environments
Every procedure comes from actual small business implementations. No academic theory or enterprise assumptions.
Sustainable Pace
Two-week rhythm gives you time to implement, refine, and ask questions before the next module arrives.
Continuous Relevance
Normal episodes between modules keep you current on threats, breaches, and patches whilst you're building your plan.
Complete System
Six modules build into one cohesive incident response capability, not disconnected tips.
Content Calendar
January 2026:
Week 1: Module 1 - Incident Response Foundations
Week 2: Normal Episode (current threats)
Week 3: Module 2 - Building Your Response Team
Week 4: Normal Episode (current threats)
February 2026:
Week 1: Module 3 - Communication Plans
Week 2: Normal Episode (current threats)
Week 3: Module 4 - Threat-Specific Playbooks
Week 4: Normal Episode (current threats)
March 2026:
Week 1: Module 5 - Testing Your Plan
Week 2: Normal Episode (current threats)
Week 3: Module 6 - Complete System Integration
Week 4: Normal Episode (current threats)
Subscribe Now
Don't miss any module in this series. Subscribe on your preferred platform:
Apple Podcasts: Currently ranked #13 in Management category worldwide
Spotify: New episodes every week
All Major Podcast Platforms: Search for "The Small Business Cyber Security Guy"
Connect With Us
Need Help?
If you need direct assistance with incident response planning or any cybersecurity topic we cover:
Email: hello@thesmallbusinesscybersecurityguy.co.uk
Website: thesmallbusinesscybersecurityguy.co.uk
Resources & Guides
Visit our website for:
Detailed implementation guides
Template downloads
Step-by-step walkthroughs
All episode show notes and transcripts
Blog articles expanding on episode topics
Newsletter
"No BS Cyber for SMBs" on LinkedIn - practical cybersecurity advice delivered weekly by Noel Bradford
Share This Series
Know someone who needs this? Share with:
Business owners without incident response plans
IT managers dealing with limited resources
Directors concerned about cyber liability
Anyone responsible for small business security
About the Hosts
Noel Bradford
With over 40 years in IT and cybersecurity across enterprises including Intel, Disney, and BBC, Noel now serves as CIO/Head of Technology for a boutique security-first MSP. He brings enterprise-level expertise to small business constraints, translating million-pound solutions into hundred-pound budgets. His mission is making cybersecurity practical and achievable for resource-constrained small businesses.
Mauven MacLeod
Former UK Government cyber analyst, Mauven brings systematic threat analysis and government-level security thinking to commercial reality. With her Glasgow roots and ex-government background, she translates complex security concepts into practical advice for small businesses, asking the questions business owners actually need answered.
Related Episodes & Blog Posts
Preparation for This Series:
Episode 17: Social Engineering - The Human Firewall Under Siege
Episode 30: The Printer Is Watching - IoT Security
Episode 29: Reverse Benchmarking - Learning from Disasters
Episode 31: Boards, Breaches and Accountability - Risk Registers
Related Blog Posts:
Reverse Benchmarking: Why Studying Cyber Failures Beats
Do UK small businesses need cyber risk registers? Graham said no. After this 40-minute debate with Noel Bradford, he changed his mind completely.
This Small Business Cyber Security Guy podcast episode tackles cyber risk management for UK SMEs through a heated debate about whether small business boards need formal cyber risk registers.
UK cyber security statistics that changed Graham's mind:
43% of UK small businesses experienced cyber breaches last year (DSIT 2025)
73% have no board-level cyber security responsibility
28% of SMEs say one cyber attack could close them permanently (Vodafone 2025)
Average UK small business breach costs £3,398
Real-world cyber risk register failures: UK manufacturing company with "satisfactory" security controls destroyed by ransomware. Had antivirus, firewalls, backups. No documented cyber risk assessment. No board-level governance. Business nearly closed.
Companies Act director duties most UK boards ignore: Section 174 requires directors exercise "reasonable care, skill and diligence" in managing company risks. With 43% breach rates, cyber risk is material. Failure to document cyber risk management exposes directors to personal liability.
Practical cyber risk register implementation:
✓ Minimum viable cyber risk register template (8 columns, single spreadsheet)
✓ Board-level cyber security governance framework
✓ Quick remediation: enable MFA, test backup restoration, implement payment verification
✓ NCSC Board Toolkit guidance for UK SMEs
✓ Cyber insurance risk assessment requirements
Perfect for UK small business owners, SME directors, startup founders, business managers responsible for cyber security compliance, GDPR, and corporate governance.
Listen to this cyber security governance debate and learn why risk registers aren't bureaucracy - they're legal protection for directors and businesses.
Vendors love throwing around "InfoSec," "CyberSec," and "IT Security" like they're selling completely different solutions. Half the time it's the same thing with three different price tags. The other half? You're buying protection that doesn't address your actual risks.
With 50% of UK small businesses hit by cyber incidents in 2025 and 60% closing within six months of severe data loss, getting this wrong isn't just expensive—it's potentially fatal to your business.
Noel Bradford (40+ years wrangling enterprise security at Intel, Disney, and BBC) and Mauven MacLeod (ex-Government Cyber analyst who's seen threats at the national security level) cut through the marketing rubbish to explain what each approach actually does, what they really cost, and which one your business needs right now.
No vendor pitch. No corporate speak. Just the brutal truth about what works for UK SMBs.
This Episode is Sponsored by Authentrend
Special Listener Offer: £40 per FIDO2 security key (regular £45) - Valid until December 22nd, 2025
We only accept sponsorships from companies whose products we already recommend to clients. Authentrend's ATKey series provides FIDO Alliance Level 2 certified, phishing-resistant authentication at competitive pricing. Same cryptographic protection as premium brands, without the premium price tag.
Why we're comfortable with this sponsorship: We've been specifying Authentrend keys for UK SMB clients for months because the math works. FIDO2 hardware security keys stop the credential phishing attacks that cause 85% of cyber incidents. At £40-45 per key (two per employee for backup), you're looking at £80-90 per person for protection that actually works.
Learn more: authentrend.com
What You'll Learn
Understanding the Differences
What Information Security actually covers (hint: it's not just digital)
Why Cybersecurity isn't the same as IT Security (despite what vendors claim)
The CIA triad explained without the jargon
Real-world examples showing when each approach matters
UK Business Reality
Current threat landscape: 43% of UK businesses breached in 2025
Why small businesses (10-49 employees) face 50% breach rates
Average incident costs: £3,400 (but the real number is much higher)
UK GDPR, Data Protection Act 2018, and what actually applies to you
What It Actually Costs
Starting from scratch: £5,000-£15,000 annually for 10-20 employees
Phishing-resistant MFA: £80-90 per employee (one-time, includes backup keys)
Cyber Essentials: £300-£500 (your best bang for buck)
Managed security services: £300-£450/month realistic pricing
When £2,000-£3,500/month managed detection makes sense
Free government resources you're probably ignoring
Authentication Security Reality
Why SMS codes and app-based MFA still get phished
How FIDO2 hardware security keys cryptographically prevent credential theft
Real cost comparison: £80-90 per employee one-time vs subscription services costing hundreds annually
Special offer mentioned in episode: Authentrend keys at £40 until December 22nd
Implementation Without the Bullshit
Why IT Security basics beat fancy cybersecurity tools every time
The five controls that address 90% of UK SMB threats
Common mistakes that waste your security budget
How to prioritise when you can't afford everything
Vendor red flags and what to actually look for
Regulatory Requirements Decoded
ICO data protection fees: £40-£60/year (mandatory)
What "appropriate technical and organisational measures" really means
Why recent enforcement shows reprimands over fines for SMBs
Insurance requirements and how to reduce premiums
How phishing-resistant authentication affects cyber insurance premiums
Key Statistics Mentioned
50% of UK small businesses (10-49 employees) experienced cyber incidents in 2025
£3,400 average cost per cyber incident (excluding business impact)
60% of small businesses close within 6 months of serious data loss
85% of cyber incidents involve phishing attacks
43% of all UK businesses experienced breaches in 2025
Only 35,000 of 5.5 million UK businesses hold Cyber Essentials certification
40% of UK businesses use two-factor authentication (meaning 60% rely solely on passwords)
Products & Solutions Discussed
Authentication Security (Featured in Episode)
Authentrend ATKey Series (Episode Sponsor)
ATKey.Pro: USB-A/USB-C with NFC support
ATKey.Card: Contactless card format
Pricing: £45 regular, £40 special offer until December 22nd
FIDO Alliance Level 2 certified
Works with Microsoft 365, Google Workspace, 1000+ FIDO2-enabled services
Deployment cost: £80-90 per employee (2 keys for backup)
Why hardware security keys matter:
Cryptographically bound to the registered domain: the browser, not the user, records the real page origin, and the key will not sign for a look-alike site, so relayed logins are useless to a phishing proxy
Works even when users make mistakes
One-time purchase vs ongoing subscription costs
Can reduce cyber insurance premiums
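What "cryptographically bound to the domain" means in practice, as an added Python example that is not from the podcast or from Authentrend: a stand-in authenticator and a relying party at login.example.co.uk (both assumed names), with HMAC-SHA256 standing in for the key's real ECDSA signature so it runs on the standard library alone. The two checks that defeat a relay are the real WebAuthn ones: the browser refuses to use a credential whose RP ID is not the page's own domain, and the relying party rejects any assertion whose clientDataJSON origin is not its own. The evil.example.co.uk case is an assumed compromised sibling host, included to show why the origin check matters even when the RP ID matches.

```python
"""Why a FIDO2/WebAuthn assertion cannot be relayed through a look-alike site.

Added example, not from the podcast or any key vendor. HMAC with a shared
per-credential secret stands in for the authenticator's asymmetric signature
(so the RP holds the secret rather than a public key); the origin and RP ID
checks are the ones the real protocol makes."""
import hashlib
import hmac
import json
import os
import secrets
from urllib.parse import urlparse

RP_ORIGIN = "https://login.example.co.uk"  # assumed relying-party origin
RP_ID = "example.co.uk"                    # assumed RP ID (registrable domain)


class StandInAuthenticator:
    """Stands in for a hardware key: one secret per (rp_id, credential_id)."""

    def __init__(self):
        self._creds, self._counter = {}, 0

    def make_credential(self, rp_id):
        cred_id, secret = secrets.token_hex(8), os.urandom(32)
        self._creds[(rp_id, cred_id)] = secret
        return cred_id, secret

    def get_assertion(self, rp_id, cred_id, client_data_json):
        """Sign authenticatorData || SHA-256(clientDataJSON), but only if the
        key holds a credential for the rp_id the browser passed in."""
        secret = self._creds.get((rp_id, cred_id))
        if secret is None:
            return None
        self._counter += 1
        auth_data = (hashlib.sha256(rp_id.encode()).digest()  # rpIdHash
                     + b"\x01"                                # flags: user present
                     + self._counter.to_bytes(4, "big"))      # signature counter
        signed = auth_data + hashlib.sha256(client_data_json).digest()
        return auth_data, hmac.new(secret, signed, hashlib.sha256).digest()


def browser_get(key, page_origin, requested_rp_id, cred_id, challenge):
    """What the browser does when a page at page_origin calls
    navigator.credentials.get({rpId: requested_rp_id, challenge: ...}).
    The origin field is filled in by the browser from the real page, never by
    the page's script. The public-suffix part of the rpId rule is omitted."""
    host = urlparse(page_origin).hostname
    if not (host == requested_rp_id or host.endswith("." + requested_rp_id)):
        return None, f"browser refused: rpId {requested_rp_id} is not a suffix of {host}"
    client_data_json = json.dumps(
        {"type": "webauthn.get", "challenge": challenge, "origin": page_origin},
        separators=(",", ":")).encode()
    result = key.get_assertion(requested_rp_id, cred_id, client_data_json)
    if result is None:
        return None, "authenticator has no credential for this RP ID"
    auth_data, sig = result
    return (client_data_json, auth_data, sig), "assertion produced"


def rp_verify(secret, expected_challenge, client_data_json, auth_data, sig):
    """Relying-party checks, in the order the WebAuthn spec lists them."""
    cd = json.loads(client_data_json)
    if cd.get("type") != "webauthn.get":
        return False, "unexpected clientData type"
    if cd.get("challenge") != expected_challenge:
        return False, "challenge mismatch (replay?)"
    if cd.get("origin") != RP_ORIGIN:
        return False, f"origin mismatch: {cd.get('origin')}"
    if auth_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
        return False, "rpIdHash mismatch"
    signed = auth_data + hashlib.sha256(client_data_json).digest()
    if not hmac.compare_digest(hmac.new(secret, signed, hashlib.sha256).digest(), sig):
        return False, "bad signature"
    return True, "ok"


def login_attempt(page_origin):
    """One login with the user's browser on page_origin. A proxy in the middle
    is modelled by the page relaying the RP's genuine challenge unchanged."""
    key = StandInAuthenticator()
    cred_id, secret = key.make_credential(RP_ID)  # registered once, on the real site
    challenge = secrets.token_urlsafe(32)         # fresh per login, issued by the RP
    assertion, reason = browser_get(key, page_origin, RP_ID, cred_id, challenge)
    if assertion is None:
        return False, reason
    return rp_verify(secret, challenge, *assertion)


if __name__ == "__main__":
    for origin in (RP_ORIGIN, "https://login-example.co.uk", "https://evil.example.co.uk"):
        print(origin, "->", login_attempt(origin))
```

Running it prints the three outcomes: the genuine site verifies, the look-alike login-example.co.uk never gets an assertion at all, and the same-domain sibling gets one that the relying party throws out on the origin check. That is the whole difference from a one-time code: the proxy can relay a challenge, but nothing the key signs for the wrong page will ever verify at the real one.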
Email Security Options
Microsoft Defender for Office 365 Plan 1: £1.70/user/month
Google Workspace Advanced Protection: £4.60/user/month
Sophos Email Security: £2.50/user/month
Endpoint Protection
Microsoft Defender for Business: £2.50/user/month
Sophos Intercept X: £3.50/user/month
CrowdStrike Falcon Go: £7.00/user/month
Compliance & Frameworks
Cyber Essentials: £300-£500 annually
ISO 27001: £10,000-£15,000 first year (discussed as often unnecessary for SMBs)
Resources Mentioned
Free Government Resources
NCSC Small Business Guidance: ncsc.gov.uk
ICO Free Templates: ico.org.uk
Cyber Essentials Scheme: cyberessentials.ncsc.gov.uk
NCSC FIDO2 Guidance: Phishing-resistant authentication recommendations
Episode Sponsor
Authentrend: authentrend.com
Special offer: £40 per key (regular £45) until December 22nd, 2025
ATKey.Pro and ATKey.Card models
UK distributor support available
Related Blog Posts (From This Week's Series)
Tuesday: "InfoSec vs CyberSec vs IT Security: Stop Paying for the Wrong Protection in 2025"
Wednesday: "Another UK SME Wastes £20k on 'Comprehensive CyberSec': Still Gets Breached"
Thursday: "IT Security First: Your 5-Step Plan to Stop Buying the Wrong Protection"
Friday: "The Leicester SME That Chose IT Security Over InfoSec Theatre: Saved £15k and Actually Got Secure"
Saturday: "Opinion: The Cybersecurity Industry Is Deliberately Confusing UK SMBs"
Recommended First Steps
Immediate Actions (This Week)
Catalogue your information - 1 day exercise to understand what you have and where it lives
Register for ICO data protection fee - £40-£60 annual mandatory requirement
Order hardware security keys - Start with admin accounts (grab Authentrend special offer before Dec 22nd)
First Month
Get Cyber Essentials certified - £300-£500, addresses 90% of common threats
Implement email security - £900-£1,800 annually for proper anti-phishing
Deploy phishing-resistant MFA - £80-90 per employee one-time investment
Configure endpoint protection - £1,200-£2,500 annually for 15-30 users
First Quarter
Test your backups - Don't assume they work, actually restore something
Basic staff training - Use free NCSC materials, focus on phishing recognition
Review and document - Simple policies using ICO templates
Budget Planning
15-20 employee business, first year total: £6,200-£14,500
Email security: £900-£1,800 annually
Hardware security keys: £2,400-£2,700 one-time (with Dec 22nd offer: £2,400)
Endpoint protection: £1,200-£2,500 annually
Backup systems: £600-£1,200 annually
Network security: £600-£1,800 (includes one-time hardware costs)
Training: £0-£1,500 annually
Testing: £500-£2,000 annually
Ongoing costs (Year 2+): £3,800-£11,100 annually
Hosts
Noel Bradford - CIO/Head of Technology, Boutique Security First MSP
40+ years enterprise security (Intel, Disney, BBC)
Direct, budget-conscious, solutions-focused
Enjoys challenging conventional security wisdom
Known for calling out vendor bollocks
Mauven MacLeod - Ex-Government Cyber Analyst
Government cybersecurity background (NCSC)
Glasgow-raised, practical approach
Translates national security threats into business reality
Focuses on what actually works for UK SMBs
Our Sponsorship Disclosure Policy
We only accept sponsorships from security vendors whose products we already recommend to UK SMB clients independently. If we wouldn't deploy it ourselves or specify it for consulting engagements, we won't accept sponsorship money for it.
Why Authentrend: We've been recommending their FIDO2-certified hardware security keys to clients for months because:
They provide the phishing-resistant authentication we consistently advise UK SMBs to implement
Pricing makes proper authentication accessible to small businesses
FIDO Alliance Level 2 certification ensures they meet security standards
They align with our core message: affordable IT security fundamentals over expensive security theatre
Take Action
Don't let perfect be the enemy of good. Start with what you can manage, do it properly, and build from there.
Your Next Steps
Listen to the episode - Understand the differences before spending money
Download the risk assessment template - Available on our blog
Order hardware security keys - Start with admin accounts (special offer ends Dec 22nd)
Get Cyber Essentials certified - £300-£500 addresses most common threats
Implement IT Security fundamentals - £2K-£5K gets you real protection
Review quarterly - Security isn't a one-time project
Subscribe & Connect
Never miss an episode - Hit subscribe wherever you get your podcasts
Leave us a review - It genuinely helps other UK small business owners find these conversations
Visit our blog - Additional resources, templates, and practical guides at noelbradford.com
Got specific questions? - Drop us a comment and we might cover it in a future episode
Next Week's Episode
"Government Cyber Initiatives: Why Whitehall's Digital Strategy Keeps Failing UK Businesses"
The NCSC produces world-class guidance. Unfortunately, most of it assumes you have dedicated security teams and enterprise budgets. We'll examine why government cybersecurity initiatives consistently miss
Join hosts Noel Bradford and Mauven MacLeod in this Back-to-School special of the Small Business Cyber Security Guy podcast as they trace a line from 1980s schoolroom mischief to modern, large-scale breaches that put millions of students and small organisations at risk. Through recollections of early BBC Model B and Novell-era antics, the episode uses real recent incidents to expose how weak passwords, written credentials and opportunistic insiders create systemic security failures.
The episode unpacks headline-making investigations and statistics — including the ICO analysis showing that students are behind a majority of school data breaches, the PowerSchool compromise that affected tens of millions of records and led to extortion demands, and targeted campaigns such as Vice Society and the evolving Kiddo International incident. The hosts explain the motivations behind student-led breaches (curiosity, dares, financial gain, and revenge) and how those same drivers also appear within small businesses.
Noel and Mauven explain why insider threats matter, even when they aren’t sophisticated: most breaches exploit simple weaknesses, such as reused or guessable passwords, written notes, shared admin accounts, and a lack of access controls. Producer Graham contributes a live update on ongoing incidents, and the episode highlights how these events translate into operational disruptions — including school closures, days of downtime, and long-term reputational and legal fallout.
Practical defence is the episode’s focus: clear, actionable guidance covers immediate steps (audit access, enable multi-factor authentication, remove unnecessary privileges), short-term actions (implement logging and monitoring, deploy password managers, set up incident response procedures) and longer-term resilience measures (regular access reviews, backups, staff training and cultural change). The hosts emphasise designing security around human behaviour so staff follow safe practices instead of working around them.
Listeners will get a concise checklist of recommended technical controls — MFA, role-based access, privileged account separation, activity logging and reliable backups — alongside cultural advice: leadership buy-in, recognisable rewards for good security behaviour, and channels for curious employees to learn responsibly. The episode also highlights regulatory shifts, such as the introduction of mandatory Cyber Essentials for certain educational institutions, and links these requirements to small business risk management.
Expect vivid anecdotes, practical takeaways and a clear call-to-action: if a curious teenager can bypass your systems, it’s time to harden them. Whether you run a two-person firm or a growing small business, this episode provides the context, evidence, and step-by-step priorities to reduce insider risk, detect misuse quickly, and recover from incidents without compromising your customers’ trust.
This episode explores the risks of relying on a single IT manager as an entire IT department.
Hosts Noel Bradford and Mauven MacLeod unpack why paying one person a modest salary is not the same as buying a full team of specialists, and they share vivid real-world horror stories — from a sudden resignation that paralysed a 40-person engineering firm, to a ruined holiday when backups failed, to a marketing agency locked out by a burnt-out IT manager.
Key topics include the cost mismatch between expectations and reality, how knowledge concentration creates critical single points of failure, signs that your IT lead is drowning (long hours, no lunch breaks, defensiveness, lack of documentation), and how poor management decisions can make things worse.
Practical solutions are given: document everything, hire a competent number two rather than a trainee, engage managed service providers for specialist and 24/7 support, move critical services to cloud platforms to reduce on-site burden, and start with small, affordable steps like basic support contracts or break-fix services.
The episode includes personal anecdotes from Noel (the "Donny" and zoo-day stories) and a discussion of when to involve external help, how to create continuity plans, and three immediate actions business owners can take today.
Listeners are encouraged to have an open conversation with their IT person, assess real costs and risks, and take steps to protect both their systems and their staff from burnout and catastrophic failure.
Most small business owners think CIO stands for "Chief I-Fix-Everything Officer" and CISO means "Chief I-Worry-About-Security Officer." In this episode, Noel Bradford (actual CIO/CISO) breaks down what these executive roles actually do and why your business desperately needs this strategic thinking - without the six-figure salary.
Discover how fractional CIO/CISO services let 20-100 employee businesses access Fortune 500 expertise for £15,000-35,000 annually instead of £120,000+ for full-time hiring.
What You'll Learn
The Real Difference Between CIO and CISO: Technology strategy vs security strategy (and why one person can do both).
Why Dave from IT Needs Help: The unfair burden of strategic decisions on operational staff.
Fractional Services Explained: How to get executive-level guidance for 8-12 hours per month.
ROI Reality Check: Technology inefficiencies probably cost you more than £15k annually
Finding Quality Providers: Red flags vs genuine executive experience.
Integration Strategy: Treating fractional executives like Non-Executive Directors.
Key Takeaways
Strategic technology and security leadership isn't just for large corporations.
Fractional services cost £15,000-35,000 annually vs £120,000+ for full-time hiring
Sound fractional executives enhance internal capabilities rather than replacing them.
Treat fractional CIO/CISO like Non-Executive Directors - invite them to board meetings.
Start with a current state assessment (£3,000-6,000) before ongoing engagement.
Diagnostic Questions
You probably need fractional CIO/CISO services if you answer "yes" to several of these:
Technology decisions are made reactively rather than strategically
Increasing tech spending without clear ROI visibility
Security/compliance concerns are constantly pushed down the priority list
Internal IT person making strategic decisions while handling operations
Current systems won't scale with business growth plans
Regulatory compliance anxiety about technology approaches
Episode Highlights
Real-World Example: A 15-person marketing agency saved £300/month and improved security by consolidating from multiple cloud storage solutions to a single strategic platform.
Cost Comparison: Fractional services at £150-350/hour for 8 hours monthly vs full-time CIO/CISO at £100,000-180,000 annually plus benefits and normal staffing costs.
Next Steps
Honest self-assessment of current technology/security decision-making
Calculate the annual cost of technology inefficiencies and security risks
Research fractional providers with genuine senior executive experience
Consider starting with the current state assessment project
Connect With Us
Hit subscribe, leave a review mentioning whether you're considering fractional services, and share with business owners making technology decisions without strategic guidance.
Remember: You don't need enterprise budgets to get enterprise thinking. And be kind to Dave - he's doing his best.
#FractionalCIO #FractionalCISO #CIO #CISO #ChiefInformationOfficer #ChiefInformationSecurityOfficer #FractionalExecutive #ITLeadership #TechnologyStrategy #SecurityStrategy #SmallBusiness #SMB #SmallBusinessOwners #Entrepreneurs #BusinessOwners #StartupLife #GrowingBusiness #ScaleUp #BusinessGrowth #SMBTech #ITStrategy #TechnologyLeadership #BusinessTechnology #ITManagement #DigitalTransformation #TechStack #CloudStrategy #ITBudget #TechnologyRoadmap #SystemsIntegration
🚨 SHOCKING: 60% of Small Businesses Shut Down Forever After Cyberattacks
96% of hackers target YOUR business, not big corporations. Think you're too small to be a target? Think again.
Noel and Mauven reveal the brutal truth about cybersecurity that could save your business - or expose why you're already at risk.
💀 The Terrifying Reality:
82% of ransomware attacks target businesses under 1,000 employees
Small business employees face 350% MORE attacks than enterprise workers
Average cyber incident costs UK businesses £362,000
Only 17% of small businesses have cyber insurance
🛡️ What You'll Discover:
The FREE security fix that stops most attacks (costs nothing, takes 30 seconds)
Why Multi-Factor Authentication is your business lifeline
How Cyber Essentials certification makes you 92% less likely to get attacked
Government programs most business owners don't know exist
Why this is a BUSINESS issue, not an IT problem
🎯 Perfect For:
Small & medium business owners
Anyone worried about cyber threats
Business leaders who think they're "too small" to be targeted
Companies looking for practical, affordable security solutions
💡 Key Takeaways:
Multi-Factor Authentication everywhere - Enable it on email, accounting systems, cloud storage, and remote access. This one change stops the vast majority of attacks.
Cyber Essentials certification - Organizations with this UK government scheme are 92% less likely to make insurance claims. Plus, Noel's preferred certification body includes up to £250,000 in cyber insurance coverage as part of the package!
Staff training that actually works - Monthly 5-minute team discussions about real threats, not boring annual presentations.
The 3-2-1 backup rule - Three copies of data, two different storage types, one completely offline.
⚡ Real Talk:
This isn't fear-mongering - it's business reality. Every day you delay basic cybersecurity is another day you're gambling with everything you've built.
The cost of prevention is ALWAYS less than the cost of recovery.
🔗 Take Action:
Start this week: Enable MFA on your email, research Cyber Essentials, schedule team security discussions.
Your future self will thank you.
Want to know more about Cyber Essentials certification with included insurance? Reach out to Noel directly.
Like what you heard? Subscribe, leave a review, and share with other business owners who need to hear this.
#Cybersecurity #SmallBusiness #CyberEssentials #BusinessSecurity #UKBusiness
💀 Welcome to the UK's Cyber Graveyard 💀
Over 2,000 jobs GONE. Centuries of business history DELETED. All because of weak passwords and basic security failures that could have been prevented for FREE.
🚨 THE VICTIMS:
KNP Logistics: 158 years old, £94.5M revenue → 730 redundancies
Travelex: Global currency giant → 1,309 UK job losses
NRS Healthcare: NHS supplier → Currently liquidating after 16 months
💣 THE KILLER: Simple password attacks that Multi-Factor Authentication would have STOPPED
🛡️ WHAT YOU'LL LEARN:
✅ The 5 fatal security failures that killed these companies
✅ Why MFA blocks 99.9% of credential attacks (and costs nothing)
✅ 30-60-90 day action plan to bulletproof your business
✅ How to get leadership buy-in without breaking the bank
✅ Real case studies from BBC Panorama investigations
⚡ TAKE ACTION NOW:
Stop listening and enable MFA on your email systems RIGHT NOW. Your future self will thank you when you're not explaining redundancies to your staff.
Don't become the next cautionary tale in the UK's growing cyber graveyard.
#CyberSecurity #SmallBusiness #Ransomware #DataBreach #MFA #CyberAttack #BusinessSecurity #PasswordSecurity #UKBusiness #BusinessFailure
After 17 episodes covering everything from basic password security to nation-state threats targeting corner shops, Noel and Mauven reveal what actually works, what consistently fails, and why most businesses are fighting 2019 threats with 2015 thinking while facing 2025 attack methods.
🎯 Shocking Revelations:
42% of business applications are unauthorised Shadow IT - Your parallel digital infrastructure you never knew existed
Multi-factor authentication stops 90% of credential attacks - Yet businesses still resist this free silver bullet
AI systems now write custom malware faster than humans can patch - Deepfakes fool CEOs, psychological manipulation targets individuals
Supply chain attacks make YOU liable for everyone - Protecting clients, suppliers, and partners becomes your responsibility
Most successful attacks still exploit basic failures - Unpatched systems, weak passwords, untested backups
🔥 Real Listener Questions Answered:
"My IT budget is three pounds fifty and digestives - how do I justify £8/month for security?"
"Staff revolt against MFA - how do I implement without workplace mutiny?"
"Found 17 project management tools in use - how do I consolidate without chaos?"
"Completely overwhelmed by 17 episodes - where do I actually start?"
"Client angry about payment verification - how do I explain without damaging relationships?"
⚡ What Actually Works:
Systematic thinking over panic-buying security products, modern endpoint protection with AI detection, verification procedures that defeat deepfakes, documentation that survives when Dave from IT leaves, regular testing cycles, and risk-based prioritisation focusing on high-impact areas first.
💥 What Consistently Fails:
"Set it and forget it" security measures, relying on users to spot sophisticated AI-crafted threats, compliance theatre without genuine implementation, single-solution approaches, the "we're too small to be targeted" delusion, and treating cybersecurity as IT-only responsibility.
🎯 Three Things to Implement Immediately:
Enable MFA everywhere - Free protection against 90% of credential attacks
Implement payment verification procedures - Call back on known numbers before acting
Test your backups regularly - Having backups ≠ having working backups
🎧 Perfect For:
Business owners feeling overwhelmed by cybersecurity complexity, IT managers defending security budgets to sceptical accountants, professionals tired of vendor marketing promising magic solutions, and anyone who thinks antivirus software equals comprehensive security.
From basic concepts to AI threats - the complete cybersecurity education in one retrospective episode.
Subscribe for weekly episodes making enterprise-level security thinking accessible for small business budgets. Real solutions, no vendor fluff, practical advice that actually works in the real world.
#SmallBusinessSecurity #CyberSecurity #MFA #ShadowIT #AIThreats #CyberEssentials #DataProtection #BusinessSecurity #TechSecurity #CyberDefense
🎧 Latest Episode Alert | Fresh intelligence from DefCon 33 reveals how AI-enhanced cyber threats to small business are accelerating rapidly. Techniques demonstrated in Las Vegas are targeting UK businesses within weeks.
🚨 Critical Cyber Threats to Small Business
AI-Powered Social Engineering
85% success rates against security professionals
AI psychological profiling from social media
Voice synthesis for CEO impersonation attacks
Multi-month fake identity campaigns
Supply Chain Cyber Threats
Coordinated ecosystem attacks across suppliers
AI mapping of business relationships
MSP compromises affecting 200+ networks
Hardware backdoors surviving firmware updates
Automated Attack Evolution
6-hour vulnerability-to-exploit timeline
88% evasion of traditional antivirus
Custom malware for each target
Cybercrime-as-a-Service platforms
🛡️ Defending Against Modern Cyber Threats
Immediate Actions (Free)
Multi-channel verification for financial requests
Independent contact verification procedures
Staff training on systematic verification
Essential Tech Upgrades (£3-8/user/month)
AI-powered endpoint protection (Microsoft Defender for Business, CrowdStrike)
Network segmentation via modern firewalls
Air-gapped backup systems
ThreatLocker "Deny All by Default" protection
Cyber Essentials Framework
Version 3.2 updates include 14-day critical vulnerability patching, passwordless authentication recognition, and enhanced remote working requirements.
💼 Business Benefits Beyond Security
Better insurance rates
Government contract access
Supply chain partnership opportunities
Competitive advantage demonstration
🔥 TRENDING & HASHTAGS
Topics: DefCon 33 findings | AI cyber attacks | Small business vulnerabilities | Supply chain security
Hashtags: #CyberSecurity #SmallBusiness #DefCon33 #AISecurity #CyberThreats #BusinessProtection #UKBusiness #CyberEssentials #InfoSec #ThreatIntelligence #CyberDefense #BusinessSecurity #SecurityFirst
🚀 ENGAGEMENT HOOKS
🔥 URGENT: AI attacks now target small businesses within 6 weeks of DefCon demos
💡 FREE defence strategies that stop 85% of social engineering
⚡ Why your antivirus is useless against 2025 threats
🎯 Turn cybersecurity into competitive advantage
👍 LIKE if this helped you understand modern cyber threats
🔔 SUBSCRIBE for weekly threat intelligence
💬 COMMENT your biggest security concern
📤 SHARE with business owners using outdated protection
🎧 Listen now before these threats target YOUR business!
Subscribe for weekly cyber threat intelligence. Share with business owners still using basic antivirus protection against advanced threats.
🚨 Episode 11: When Your Safety Net Becomes the Target
Backup Security Under Fire + Business Email Compromise Reality Check
Your backups aren't protecting you anymore—they're the primary target. In this explosive double-header episode, we expose why 94% of ransomware attacks now target backup systems first, and how Business Email Compromise enables these devastating attacks.
🎯 What You'll Learn:
Backup Reality Check: Why "immutable" storage isn't, and cloud sync ≠ backup protection
Cloud Provider Truth Bomb: Neither Microsoft nor Google guarantee your data integrity
BEC Epidemic: How £35+ billion in global losses connect to backup destruction
Modern Attack Chains: Email compromise → reconnaissance → backup annihilation
What Actually Works: Third-party solutions, testing reality, budget truths
💡 Key Takeaways:
Only 27% of businesses successfully recover all data after incidents
30-40% of cyber insurance claims denied due to backup inadequacies
Proper backup solutions cost £20-100/month, not £500+
Process controls beat technical controls for BEC prevention
Multi-channel verification saves businesses millions
🎙️ Hosts & Guests:
Noel Bradford - The Small Business Cyber Security Guy
Mauven MacLeod - Ex-NCSC Cyber Expert
Oliver Sterling - Veteran IT & Cyber Specialist
Lucy Harper & Graham Falkner - Announcing The 10-Minute Cyber Fix daily show!
📺 NEW: The 10-Minute Cyber Fix
Starting Monday! Daily cybersecurity news analysis with Lucy Harper. Perfect for commute listening—cutting through vendor panic and media hyperbole to deliver what actually matters for YOUR business.
🔗 Essential Resources:
Veeam Ransomware Trends Report 2024 - 94% backup targeting statistics
FBI IC3 BEC Report 2023 - £35+ billion global losses
Microsoft Online Services Terms - "Commercially reasonable efforts" reality
NCSC BEC Guidance - UK government protection advice
Action Fraud BEC Statistics - UK-specific loss data
Cyber Essentials Scheme - UK government backup guidance
Google Cloud Terms of Service - Data responsibility clauses
💰 Vendor Solutions Mentioned:
Third-Party Backup: Veeam Backup for Microsoft 365, Druva, Barracuda, Dropsuite, SkyKick
Key Point: Your cloud provider's backup ISN'T enough—you need independent protection.
⚠️ Critical Actions:
Implement multi-channel verification for all financial requests
Test backup restoration regularly, not just backup completion
Deploy third-party backup for cloud services
Document procedures that work under pressure
Train staff on BEC recognition and response
🎯 Next Week Preview:
Advanced Persistent Threats targeting SMBs - How nation-state techniques filter down to everyday criminals. Special guest from UK's Cyber Security Agency.
📱 Connect With Us:
💼 LinkedIn: Mauven's getting job offers—someone's listening!
📧 Consulting: Real-world security help for small businesses
🎧 Daily Fix: Subscribe for Monday's launch of The 10-Minute Cyber Fix
⚖️ Disclaimer: Educational content only. Consult qualified professionals for business-specific advice. Not affiliated with any government agency or vendor.
🔥 If this episode saved you from a backup disaster or BEC scam, hit subscribe and share with fellow business owners who still think "it's in the cloud" means "it's safe"!
In the final part of our White House CIO Insights series, we explore the cutting-edge AI-powered threats that are transforming cybersecurity. Our special guest Sarah Chen, who heads up AI threat research at a leading UK cybersecurity firm, reveals how artificial intelligence is being weaponized by criminals - and what small businesses can do to defend themselves.
From deepfakes that fool CEOs to AI that writes custom malware in real-time, discover why traditional security approaches are failing and what you need to implement today to protect your business against tomorrow's threats.
What You'll Learn
How sophisticated deepfakes are targeting UK businesses right now
Why AI-powered social engineering succeeds 30% of the time vs 3% for traditional phishing
How criminals are using AI to generate custom malware faster than humans can patch it
Practical defenses that work against AI threats without enterprise budgets
What the future threat landscape means for small business cybersecurity
Key Takeaways
🔐 Implement multi-channel verification for all financial transactions and sensitive requests
🔐 Upgrade to AI-powered endpoint protection - traditional antivirus is obsolete
🔐 Train staff on procedures, not threat recognition - create decision trees that work under pressure
🔐 Understand this is ongoing - build adaptive capabilities, not static defences
Source Attribution
This episode features insights from Theresa Payton's interview with the Scammer Payback podcast. Theresa served as the first female White House CIO under President George W. Bush and is a leading expert on cybersecurity threats and manipulation campaigns.
Full Interview: We strongly encourage listening to the complete Theresa Payton interview on Scammer Payback for comprehensive coverage of nation-state threats, deepfakes, and digital privacy strategies.
About Scammer Payback: Excellent podcast and YouTube channel dedicated to exposing cybercriminal tactics and protecting people from fraud. Essential viewing/listening for anyone interested in cybersecurity.
Connect With Us
🎧 Subscribe for weekly cybersecurity insights for small business
⭐ Rate & Review - help other business owners find practical security advice
📱 Share with fellow business owners who need to understand AI threats
💬 Comment with your questions about AI security challenges
What's Next
Episode 11: Backup Security in the AI Age - When even your recovery procedures need defending against adaptive adversaries
Coming Soon: Deep dives into email security, mobile security, and building comprehensive security cultures for small business
Series Information
This episode completes our White House CIO Insights trilogy:
Episode 8: The Threat Landscape Small Business Faces
Episode 9: Cyber Essentials - Enterprise Security for Small Business
Episode 10: Advanced Threats & AI (this episode)
Disclaimer: This podcast provides educational information about cybersecurity threats and defenses. Always consult with qualified cybersecurity professionals for specific advice about your business security needs.
Copyright: © 2025 The Small Business Cyber Security Guy Podcast. All rights reserved.
Part 2 of White House CIO Insights Series | ~38 minutes
How do you implement White House-level security without White House-level budgets? Building on insights from former White House CIO Theresa Payton's interview with Scammer Payback, Noel and Mauven explore the UK's Cyber Essentials framework - translating enterprise security principles into achievable small business requirements.
The Five Cyber Essentials Controls:
Boundary Firewalls - Your digital perimeter defense
Secure Configuration - Closing manufacturer security gaps
Access Control & MFA - 90% credential attack prevention
Malware Protection - Beyond traditional antivirus
Security Update Management - Systematic patching
Key Takeaways:
Real implementation costs (£300+VAT basic certification, 2-4 weeks setup)
Business benefits: insurance discounts, government contracts, supply chain compliance
Why CE stops 80% of attacks targeting 80% of small businesses
When you need more than basic frameworks
Featured Content:
Audio clips from Theresa Payton interview courtesy of Scammer Payback Podcast
Building safety standards for cybersecurity
MFA stopping 90% of credential attacks
Systematic security thinking
Highly recommend the full Theresa Payton interview on Scammer Payback - covers nation-state threats, manipulation campaigns, deepfakes, and digital privacy. Essential cybersecurity listening.
Take Action This Week:
Start Cyber Essentials self-assessment
Enable multi-factor authentication everywhere
Audit your third-party vendor list
Resources:
NCSC Cyber Essentials Scheme: ncsc.gov.uk/cyberessentials
Self-Assessment Portal: cyberessentials.ncsc.gov.uk
Scammer Payback Podcast Subscribe
"Manipulated" by Theresa Payton - Buy
Next Episode: Advanced Threats & AI
The final White House CIO series episode tackles threats that challenge enterprise security teams: AI-powered attacks, executive-fooling deepfakes, and psychological social engineering.
Subscribe & Review | Share with business owners who think cybersecurity requires unlimited budgets
Special thanks to Daniel and Scammer Payback team
From White House situation rooms to your actual situation.
What's scarier - protecting the President or a small business in Manchester? Former White House CIO Theresa Payton says they face exactly the same sophisticated threats now.
Runtime: 36 minutes | Series: Part 1 of 3 | Hosts: Noel Bradford & Mauven MacLeod
Key Topics Covered
Nation-state targeting: North Korea (vengeful), Iran (cyber mercenaries), Russia (everything), China (supply chains)
"Verify and never trust" - Evolution from Reagan's "trust but verify" for modern threats
Island hopping attacks - Small businesses as stepping stones to larger targets
White House security principles scaled for small business budgets
Multi-factor authentication - 90% effective against credential attacks
Supply chain vulnerabilities - Every vendor is a potential attack vector
Systematic security thinking - Enterprise mindset without enterprise costs
Major Takeaways
Same threats, different resources - SMBs face enterprise-level attacks without enterprise budgets
Verification is critical - Modern threats require systematic verification of all requests
MFA is transformative - 90% attack prevention for minimal cost - no excuse not to implement
Process over products - Systematic thinking matters more than expensive technology
Asymmetric warfare reality - Defenders must succeed daily; attackers need one breakthrough
British politeness problem - Don't let politeness override security verification
Featured Audio Clips
Powerful segments from Theresa Payton's comprehensive interview courtesy of Scammer Payback podcast - essential listening for modern cybersecurity insights.
Full Featured Interview: https://www.youtube.com/watch?v=ScammerPaybackTeresaPayton
About Scammer Payback: Outstanding podcast and YouTube channel fighting cybercrime daily while educating about online threats.
Resources & Links
Theresa's Book: "Manipulated: Inside the Cyberwar to Hijack Elections"
Our Website: thesmallbusinesscybersecurityguy.co.uk for practical small business cybersecurity resources
Coming Next
Episode 9: Cyber Essentials - How the UK government turned White House-style security principles into an achievable small business framework: five technical controls that address around 80% of the common attacks SMBs face.
Episode 10: Advanced Threats - AI, deepfakes, and social engineering that challenge even security professionals.
Your Immediate Action Items
Today: Implement multi-factor authentication on ALL business accounts
This week: Create verification procedures for payment/change requests
This month: Audit vendor security practices and supply chain dependencies
Ongoing: Train staff on "verify and never trust" protocols
Connect & Support
Website: thesmallbusinesscybersecurityguy.co.uk for actionable cybersecurity resources
Subscribe & Review: Help us reach more vulnerable businesses
Share: With that business owner using "password123" wondering why systems act strangely
From White House situation rooms to your actual business situation - if it's good enough for protecting the President, it's good enough for protecting your business.
#Cybersecurity #SmallBusiness #InfoSec #WhiteHouse #NationState #MFA #SupplyChain #CyberThreats #BusinessSecurity #CyberEssentials #Podcast #UKBusiness #SecurityAwareness #CyberDefense
Copyright 2025 The Small Business Cyber Security Guy Podcast - All rights reserved.
Show Notes
Duration: 25:16
Hosts: Mauven MacLeod & Noel Bradford
Technical debt isn't just old computers - it's a ticking time bomb in every UK business. When Noel discovers that his local Oxford Council had been holding his data in legacy systems for 21 years, things get personal. From NHS cyber deaths to £1.4 billion breaches, this episode reveals why "if it ain't broke, don't fix it" could destroy your business.
Warning: Contains one epic Noel rant and brutal truths about preventable disasters.
Shocking Statistics Revealed
160,000 Microsoft Exchange servers still vulnerable 4 months after patch
59% of UK public sector apps contain year-old security vulnerabilities
Nearly half of £4.7 billion government IT spending just maintains aging systems
Some organizations spend 75% of IT budget on legacy system life support
Episode Highlights
"Technical debt isn't just an IT problem - it's a business survival issue"
"We're talking about digital decisions made when people were still using typewriters, and they're still causing security problems today"
"Every shortcut has consequences. Every deferred update accumulates interest"
Next Episode Preview
We hear from Former White House CIO Theresa Payton about lessons from US government digital transformation that UK small businesses can actually use.
Take Action Now:
Audit your systems - What are you actually running?
Budget 20% of IT spending for technical debt reduction
Plan Windows 10 migration - Support ends October 2025
Document everything - Future you will thank present you
Share Your Stories
Tell us about your technical debt discoveries in the comments (minus the hacker-helpful details). Have you found systems you didn't know existed?
Like, Subscribe and Follow
🎧 New episodes every Monday
🔔 Hit the follow button for notifications
⭐ Rate and review if this episode convinced you to finally address your technical debt
Next: Episode 8 - White House CIO Insights (July 21-27)
Show Guide: When Basics Break - Special Bonus Episode
Duration: 9 minutes | Type: Special Episode
Episode Summary
McDonald's password "123456" exposed 64 million job applications. M&S lost £300M to a phone call. Our full team dissects how basic security failures are destroying major brands and what small businesses must learn.
Featured Team
Noel Bradford - Lead Host
Mauven MacLeod - Ex-NCSC Specialist
Oliver Sterling - Cybersecurity Veteran
Dr. Sarah Chen - AI Security Researcher
Key Segments & Timestamps
🍟 McDonald's AI Disaster (0:00-3:00)
Paradox.ai hiring bot secured with "123456" password
IDOR vulnerability exposed all applicant data
Vendor blamed "dormant 2019 test account"
Lesson: AI features don't fix basic security
📞 M&S & Co-op Phone Scams (3:00-6:30)
£300M lost at M&S, 20M records at Co-op
Help desk reset admin passwords without verification
Attackers gave BBC interviews while inside systems
Lesson: Vendor security failures become yours
🌍 Global Security Catastrophes (6:30-9:00)
AT&T: 73M accounts leaked
Change Healthcare: $22M ransom, data still lost
23andMe: Genetic profiles exposed via credential stuffing
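An added illustration of the IDOR (insecure direct object reference) class of bug named in the McDonald's segment, written for these notes and not taken from the podcast, Paradox.ai or any real system: the applicants, the recruiter role and the function names are constructed. It shows the vulnerable lookup beside the hardened one, and a scraper loop that counts how many records each version hands over to an ordinary logged-in applicant.

```python
"""Added example: IDOR on a job-application lookup, vulnerable vs. hardened.
All data and names below are constructed for illustration."""
from dataclasses import dataclass
from typing import Callable, Dict, Iterable, Optional, Set


@dataclass(frozen=True)
class Application:
    app_id: int
    applicant_email: str
    phone: str


# Constructed sample store (not real applicants). Sequential ids are trivially guessable,
# which is what makes an authorisation gap on the lookup so cheap to exploit.
APPLICATIONS: Dict[int, Application] = {
    1001: Application(1001, "alice@example.com", "+44 7700 900001"),
    1002: Application(1002, "bob@example.com", "+44 7700 900002"),
    1003: Application(1003, "carol@example.com", "+44 7700 900003"),
}

# Assumed role model: recruiters may read any record, applicants only their own.
RECRUITERS: Set[str] = {"hr@example.com"}


def get_application_vulnerable(requester: str, app_id: int) -> Optional[Application]:
    """IDOR: the caller is authenticated (we know who 'requester' is), but the
    lookup never checks that the record belongs to them. Anyone with a login can
    walk 1001, 1002, 1003 ... and read every applicant's contact details."""
    return APPLICATIONS.get(app_id)


def get_application_secure(requester: str, app_id: int) -> Optional[Application]:
    """Object-level authorisation on every lookup. A record that exists but is not
    the caller's is reported exactly like a missing one (None), so the response
    cannot be used as an oracle to confirm which ids are valid."""
    record = APPLICATIONS.get(app_id)
    if record is None:
        return None
    if requester in RECRUITERS or record.applicant_email == requester:
        return record
    return None


Lookup = Callable[[str, int], Optional[Application]]


def harvest(requester: str, id_range: Iterable[int], lookup: Lookup) -> int:
    """What a scraper does: iterate candidate ids and count the records returned."""
    return sum(1 for app_id in id_range if lookup(requester, app_id) is not None)


if __name__ == "__main__":
    ids = range(1000, 1010)
    print("vulnerable, as alice:", harvest("alice@example.com", ids, get_application_vulnerable))  # 3
    print("secure, as alice:    ", harvest("alice@example.com", ids, get_application_secure))      # 1
    print("secure, as recruiter:", harvest("hr@example.com", ids, get_application_secure))         # 3
```

The fix is not a stronger password on the admin account; it is the ownership check inside every lookup, which has to hold even when the caller is a perfectly legitimate user. Returning the same "not found" result for records that exist but belong to someone else is deliberate, so that a scraper cannot map which ids are live.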
Key Takeaways
✅ Do The Boring Stuff:
Strong passwords + MFA everywhere
Regular patching and updates
Proper help desk procedures
✅ Vendor Due Diligence:
Ask about password policies
Implement call-back verification
If they can't answer security questions, walk away
✅ AI Reality Check:
Shiny features don't compensate for weak foundations
Basic vulnerabilities still dominate breaches
Episode Highlights
"It's the old 'move fast and break things' mindset, but now it's people's personal data on the line." - Dr. Sarah Chen
"A simple call-back to a registered number would've stopped the whole thing." - Mauven MacLeod
Immediate Actions for Small Business
Change any "123456" or "password" credentials NOW
Enable MFA on all business accounts today
Create help desk verification procedures
Audit vendor security practices
Content Notes
Real company breaches discussed. Some strong language regarding security failures.
Essential listening for business owners who think "it won't happen to us."
Remember: If major corporations with unlimited budgets fail at basics, small businesses need to be even more vigilant.
#Cybersecurity #DataBreach #SmallBusiness #PasswordSecurity