The Small Business Cyber Security Guy | Cybersecurity for SMB & Startups

Author: The Small Business Cyber Security Guy


Description

The Small Business Cyber Security Guy Podcast
Practical cybersecurity advice for UK small business owners who need enterprise-level protection without enterprise-level budgets, headaches, or PhD-level jargon.

Join hosts Noel Bradford and Mauven MacLeod as they translate complex cybersecurity threats into actionable solutions that actually work for businesses with 5-50 employees. Noel brings 40+ years of enterprise experience from Intel, Disney, and the BBC, whilst Mauven adds government-level threat intelligence from her time as a UK Government Cyber Analyst. Together, they bridge the gap between knowing you need better security and actually implementing it without breaking the bank.

Why This Podcast Works:
Real experts who’ve chosen to focus on underserved small businesses
Practical advice tested in actual SMB environments
British humour that makes serious topics engaging (not intimidating)
Budget-conscious solutions that acknowledge your real constraints

Perfect For:
Business owners who believe they’re “too small to be targeted”
Anyone who needs cybersecurity knowledge but lacks time for complex solutions
Those seeking enterprise-quality protection at corner shop prices
UK businesses (though principles apply globally)

Each episode delivers concrete, actionable advice you can implement immediately. No theoretical discussions, no vendor nonsense, no academic waffle. Just two experts who genuinely care about helping small businesses survive and thrive digitally.

Regular Features:
Current threat analysis with real-world context
Implementation guides within realistic budgets
Human factor solutions (because your biggest vulnerability makes excellent tea)
Government framework explanations that actually make sense

New episodes weekly. Subscribe now and join thousands of business owners who’ve discovered that proper cybersecurity isn’t just for Fortune 500 companies.

Like what you hear? Subscribe, leave a review mentioning your biggest cybersecurity concern, and visit our blog for detailed implementation guides on everything we discuss.

Stay secure, stay practical, and remember - if your security wouldn’t survive a curious teenager with too much time, it needs work.
45 Episodes
Graham Falkner delivers an authoritative deep dive into November 2025's Patch Tuesday updates, covering the most critical security vulnerabilities affecting businesses of all sizes. This month brings a perfect storm of actively exploited zero-days, critical Exchange Server flaws, and hundreds of patches across Microsoft, Adobe, Oracle, SAP, and third-party vendors. From Windows kernel exploits to e-commerce platform takeovers, November's vulnerability landscape demands immediate attention from IT teams.

Key Topics Covered

Microsoft Security Updates
89 total vulnerabilities patched (12 critical, 4 zero-days)
CVE-2025-0445: Windows Kernel privilege escalation (actively exploited)
CVE-2025-0334: Chrome V8/Edge JavaScript engine RCE (actively exploited)
CVE-2025-0078: Exchange Server unauthenticated RCE (CRITICAL - affects Exchange 2016/2019/2022)
CVE-2025-1789: MSHTML remote code execution via Office documents
CVE-2025-59287: WSUS vulnerability (9.8 CVSS, actively exploited, required re-release)
23 remote code execution vulnerabilities across Windows, Office, and developer tools

Adobe Security Updates
35+ vulnerabilities patched across multiple products
CVE-2025-54236: Adobe Commerce/Magento input validation flaw (9.1 CVSS, actively exploited, Priority 1)
CVE-2025-49553: Adobe Connect XSS vulnerability (9.3 CVSS)
Patches for Illustrator, FrameMaker, Photoshop, InDesign, Animate, Bridge, Substance 3D

Oracle Critical Patch Update (October 2025)
374 new security patches addressing ~260 unique CVEs
CVE-2025-61882: Oracle E-Business Suite zero-day (exploited by ransomware groups)
73 patches for Oracle Communications (47 remotely exploitable without authentication)
20 patches for Fusion Middleware (17 remote unauthenticated)
18 fixes for MySQL
Updates for PeopleSoft, JD Edwards, Siebel, Oracle Commerce, Database Server

SAP Security Updates
18 new security notes plus 1 updated note
CVE-2025-42890: SQL Anywhere Monitor hardcoded credentials (10.0 CVSS - PERFECT SCORE)
CVE-2025-42887: SAP Solution Manager code injection (9.9 CVSS)
CVE-2025-42944: NetWeaver Java insecure deserialisation (updated patch)
CVE-2025-42940: CommonCryptoLib memory corruption

Mozilla Firefox Updates
Firefox 145.0 released November 11th
15 security vulnerabilities fixed (8 high impact)
New anti-fingerprinting measures halving trackable users
Memory safety and sandbox escape prevention

Apple Security Updates
iOS/iPadOS 17.1 and macOS 14.1 released
100+ vulnerabilities patched across iPhones, iPads, Macs
Critical kernel and WebKit bugs fixed
Zero-click exploit prevention

Google Security Updates
Chrome 142 with 5 security bug fixes
Android November 2025 bulletin (patch level 2025-11-01)
CVE-2025-48593 and CVE-2025-48581 affecting Android 13-16

Third-Party Critical Vulnerabilities
WordPress Post SMTP plugin: CVE-2025-11833 (9.8 CVSS, actively exploited, 200,000+ sites affected)
WatchGuard Firebox: CVE-2025-9242 (critical out-of-bounds write, 75,000 devices exposed)
Cisco IOS/XE routers: CVE-2025-20352 (SNMP service, actively exploited for rootkit deployment)

Critical Action Items for Businesses

IMMEDIATE (Deploy Within 24-48 Hours)
Microsoft Exchange Server - Apply CVE-2025-0078 patch or isolate internet-facing servers
Adobe Commerce/Magento - Deploy CVE-2025-54236 hotfix immediately if running Magento
Windows Kernel - Patch CVE-2025-0445 zero-day exploit
Edge/Chrome - Update browsers to address CVE-2025-0334
Oracle E-Business Suite - Verify CVE-2025-61882 patch deployed
WordPress Post SMTP - Update to v3.6.1 or remove plugin
Cisco routers - Apply CVE-2025-20352 patches and check for compromise

HIGH PRIORITY (Deploy Within 1 Week)
SAP systems - Apply critical patches for CVE-2025-42890 and CVE-2025-42887
WSUS servers - Verify CVE-2025-59287 patch installed correctly
Adobe Connect - Update to version 12.10
Firefox, Chrome, Edge - Deploy browser updates organisation-wide
Android devices - Deploy November 2025 security bulletin
WatchGuard Firebox - Apply CVE-2025-9242 patch

STANDARD PRIORITY (Deploy Within 2-4 Weeks)
All other Microsoft patches - Complete Windows and Office updates
Adobe Creative Suite - Update Illustrator, Photoshop, InDesign, etc.
Oracle - Complete October CPU deployment across all Oracle products
SAP - Apply remaining security notes across SAP landscape

CVE Quick Reference

CVE ID | Vendor | Severity | Status | Product
CVE-2025-0445 | Microsoft | Critical | Actively Exploited | Windows Kernel
CVE-2025-0334 | Microsoft | Critical | Actively Exploited | Edge/Chrome V8
CVE-2025-0078 | Microsoft | Critical | Not Exploited Yet | Exchange Server
CVE-2025-1789 | Microsoft | Critical | Not Exploited Yet | MSHTML
CVE-2025-59287 | Microsoft | Critical (9.8) | Actively Exploited | WSUS
CVE-2025-54236 | Adobe | Critical (9.1) | Actively Exploited | Magento/Commerce
CVE-2025-49553 | Adobe | Critical (9.3) | Not Exploited Yet | Adobe Connect
CVE-2025-61882 | Oracle | Critical | Actively Exploited | E-Business Suite
CVE-2025-42890 | SAP | Critical (10.0) | Not Exploited Yet | SQL Anywhere Monitor
CVE-2025-42887 | SAP | Critical (9.9) | Not Exploited Yet | Solution Manager
CVE-2025-11833 | WordPress | Critical (9.8) | Actively Exploited | Post SMTP Plugin
CVE-2025-20352 | Cisco | High | Actively Exploited | IOS/XE SNMP
CVE-2025-9242 | WatchGuard | Critical | Not Exploited Yet | Firebox Firewalls

Resources & Links

Vendor Security Bulletins
Microsoft Security Update Guide: https://msrc.microsoft.com/update-guide
Adobe Security Bulletins: https://helpx.adobe.com/security.html
Oracle Critical Patch Updates: https://www.oracle.com/security-alerts/
SAP Security Notes: https://support.sap.com/securitynotes
Mozilla Security Advisories: https://www.mozilla.org/security/advisories/
CISA Known Exploited Vulnerabilities: https://www.cisa.gov/known-exploited-vulnerabilities-catalog

Patch Tuesday Resources
Microsoft Tech Community: https://techcommunity.microsoft.com/
Patch Tuesday Dashboard: https://patchtuesdaydashboard.com/
Security Week Patch Tuesday Coverage: https://www.securityweek.com/

Small Business Cybersecurity Resources
Blog: https://thesmallbusinesscybersecurityguy.co.uk
NCSC Small Business Guide: https://www.ncsc.gov.uk/smallbusiness
Cyber Essentials: https://www.ncsc.gov.uk/cyberessentials

Key Statistics
89 Microsoft vulnerabilities patched
4 actively exploited zero-days (Microsoft)
23 remote code execution flaws (Microsoft)
35+ Adobe vulnerabilities fixed
374 Oracle security patches
18 SAP security notes
200,000+ WordPress sites affected by Post SMTP bug
75,000 WatchGuard devices exposed online

Narrator
Graham Falkner brings his distinctive voice to The Small Business Cyber Security Guy Podcast's research segments. With a background as a former movie trailer narrator and Shakespearean actor, Graham delivers technical security information with gravitas and authority, providing the factual foundation for Noel and Mauven's practical discussions.

About The Small Business Cyber Security Guy Podcast
The Small Business Cyber Security Guy Podcast translates enterprise-grade cybersecurity into practical, affordable solutions for small and medium businesses. Hosted by Noel Bradford (40+ years IT/cybersecurity veteran) and Mauven MacLeod (ex-NCSC government analyst), the show combines deep technical expertise with authentic British humour to make cybersecurity accessible, actionable, and entertaining.

Target Audience: UK small businesses (5-50 employees) who need practical cybersecurity advice within real-world budget and resource constraints.

Connect With Us
Website: https://thesmallbusinesscybersecurityguy.co.uk
Subscribe: Available on Apple Podcasts, Spotify, and all major podcast platforms
Social Media: Follow us on LinkedIn for daily cybersecurity insights
Contact: hello@thesmallbusinesscybersecurityguy.co.uk

Help us spread the word about practical cybersecurity for small businesses:
⭐ Subscribe to never miss an episode
⭐ Leave a review on Apple Podcasts or Spotify
⭐ Share this episode with other business owners who need to hear this
⭐ Comment below with topics you'd like us to cover next
⭐ Visit the blog at thesmallbusinesscybersecurityguy.co.uk for written guides and resources

Disclaimer
This podcast provides educational information about cybersecurity topics. While we strive for accuracy, the threat landscape changes rapidly. Information is current as of November 2025 but may become outdated. Always verify patch information with official vendor sources and test updates in your specific environment before deployment. The hosts are not liable for any actions taken based on this information. Always implement cybersecurity measures appropriate to your business needs and risk profile.

Next Episode
Stay tuned for our next episode where Noel and Mauven discuss practical patch management strategies for small businesses, including how to prioritise updates when you can't deploy everything immediately.

Episode Length: 10-11 minutes
Difficulty Level: Intermediate to Advanced
Best For: IT managers, business owners, MSP clients, anyone responsible for patching

The Small Business Cyber Security Guy Podcast - Making Enterprise Cybersecurity Practical for Small Businesses
The Spy Who Monitored Me - Ofcom's VPN Surveillance Farce

Episode Information
Episode Title: The Spy Who Monitored Me: Ofcom's VPN Surveillance Farce
Episode Number: Hot Take
Release Date: 11 November 2025
Duration: Approximately 18 minutes
Hosts: Mauven MacLeod & Graham Falkner
Format: Research segment with heavy sarcasm

Episode Description
Ofcom's monitoring VPNs with a secret AI tool they refuse to name. Because nothing says "liberal democracy" quite like government surveillance of privacy tools.

In this punchy episode, Mauven and Graham dissect TechRadar's exclusive revelation that Ofcom is using an unnamed third-party AI monitoring system to track VPN usage following the Online Safety Act. With 1.5 million daily users allegedly bypassing age verification, the UK's communications regulator has decided the solution is... monitoring everyone.

Spoiler alert: the technology can't distinguish between your accounting manager accessing company systems and someone bypassing age checks. But why let technical limitations get in the way of a good surveillance programme?

We examine the mysterious, unnamed AI tool, the questionable 1.5 million user statistic that appears nowhere in official documents, Section 121's encryption-breaking powers that remain dormant in the Act, and what this means for small businesses using VPNs for legitimate security purposes.

If you've ever wondered what it's like when a supposedly liberal democracy starts copying China's approach to internet regulation, this episode is your depressing guide.

Key Topics Covered

The Surveillance Revelation
Ofcom confirms use of unnamed third-party AI monitoring tool
TechRadar exclusive: "We use a leading third-party provider" with zero transparency
Government surveillance of privacy tools sets a dangerous precedent
Comparison to authoritarian regimes (China, Russia, UAE, Iran)

The Numbers That Don't Add Up
1.5 million daily VPN users claim appears nowhere in official Ofcom documents
No published methodology or verification
VPN detection cannot determine the intent or legitimacy of use
Analytics show VPN use is lower in countries with greater online freedom

What Actually Happened on July 25th
The UK Online Safety Act child safety duties became fully enforceable
Mandatory "highly effective age assurance" replaced simple checkbox verification
Proton VPN: 1,400% surge in UK signups within hours
NordVPN: 1,000% increase in downloads
ProtonVPN beat ChatGPT to become the #1 free app on Apple UK App Store

The Small Business Nightmare
Business VPNs are essential security hygiene for remote work
Ofcom's monitoring cannot distinguish legitimate business use from circumvention
Undisclosed data collection creates unknowable privacy risks
GDPR compliance implications when the government monitors your security tools

Section 121: The Spy Clause
Powers to require client-side scanning of encrypted communications
Government promises not to use "until technically feasible"
Cryptography experts: impossible without destroying encryption
Apple shelved similar plans in 2021
Signal and WhatsApp threatened to leave the UK market

The Authoritarian Playbook in Action
Scope creep within days: blocking parliamentary speeches, news coverage, forums
A cycling forum shut down due to compliance costs
Small platforms are closing rather than face a compliance nightmare
Chilling effect on legitimate content and discussion

International Surveillance Creep
25 US states passed similar age verification laws
EU debating Chat Control (mandatory encrypted message scanning)
Australia is implementing age verification for search engines
Legislative arms race using "protecting children" as a universal justification

What Small Business Owners Must Do
Document all VPN usage for legitimate business purposes
Maintain VPN security protocols despite surveillance theatre
Get legal advice if operating any platform with user-generated content
Fines up to £18 million or 10% of global revenue
Criminal liability for senior managers

The GDPR Compliance Paradox
How do you assess data protection risks from secret surveillance tools?
Opacity makes compliance verification impossible
Government monitoring creates unassessable risks to customer data

Resources & Links Mentioned

Primary Source
TechRadar Exclusive: Ofcom is monitoring VPNs following Online Safety Act

Key Organizations Quoted
Open Rights Group - James Baker's comments on surveillance precedent
Check Point Software - Graeme Stewart's comparison to China, Russia, and Iran

Government Resources
Online Safety Act 2023 - UK Government legislation
Ofcom Online Safety Guidance - Hundreds of pages of vague compliance requirements
Section 121 - Client-side scanning provisions ("spy clause")

VPN Statistics Sources
Proton VPN: 1,400% surge report
NordVPN: 1,000% increase report
Apple UK App Store rankings: July 25-27, 2025

Related Coverage
Petition to Repeal Online Safety Act: 550,000+ signatures
Peter Kyle (UK Technology Secretary) statement on critics
Parliamentary debate triggered by petition threshold

Additional Reading
GDPR compliance implications of government surveillance
Cryptography expert analysis of client-side scanning
Apple's 2021 decision to shelve client-side scanning plans
Signal and WhatsApp statements on Section 121

Key Quotes from Episode
Mauven: "Nothing says 'liberal democracy' quite like government agencies tracking privacy tools. What's next, monitoring who buys curtains?"
Graham: "Train its models. That's AI speak for 'we're hoovering up data and hoping the algorithm figures it out.' As a former actor, I can recognise corporate theatre when I see it."
Mauven: "The 1.5 million number appears exclusively in media reports citing 'Ofcom estimates.' It's like citing your mate Dave as a source on quantum physics."
Graham: "So Ofcom creates a law that makes people deeply uncomfortable about their privacy, people respond by protecting their privacy, and Ofcom's solution is to monitor those privacy tools? It's like putting cameras in the changing rooms to make sure people aren't being indecent."
Mauven: "James Baker from the Open Rights Group nailed it when he told TechRadar that VPN monitoring sets 'a concerning precedent more often associated with repressive governments than liberal democracies.'"
Graham: "Peter Kyle, the UK Technology Secretary, literally said critics of the Online Safety Act are 'on the side of predators.' That's not policy debate. That's emotional blackmail designed to shut down legitimate concerns about civil liberties."
Mauven: "George Orwell is looking at this thinking 'bit on the nose, isn't it?'"

Action Items for Small Business Owners

Immediate Actions

Document VPN Usage
List which employees use VPNs
Document business purposes for encrypted connections
Maintain evidence of legitimate use for potential regulatory action

Maintain Security Protocols
Continue using VPNs for remote work security
Don't let surveillance theatre compromise actual cybersecurity
Protect against real threats (ransomware, phishing, etc.)

Assess Platform Compliance
If you operate any online platform, forum, or user-generated content site
Get legal advice immediately
Understand massive fines (£18m or 10% global revenue) and criminal liability.

Ongoing Monitoring

Stay Informed
Section 121 could be activated at any time
EU Chat Control could affect European operations
US state laws are proliferating rapidly
Monitor regulatory developments actively

Engage Politically
Contact your MP about the surveillance of privacy tools
Reference the 550,000+ signature petition
Make it clear that this is unacceptable in a democracy
Push back before surveillance becomes normalised

GDPR Compliance Review
Assess how government VPN monitoring affects data protection obligations
Document that opacity makes risk assessment impossible
Consult legal counsel on compliance implications

Visual Elements (for YouTube/Video)
Screenshot: TechRadar exclusive article headline
On-screen text: "1.5 million daily VPN users" with question mark
Comparison graphic: VPN use in free vs. authoritarian countries
Timeline graphic: July 25th enforcement → VPN surge → Ofcom monitoring
Text overlay: Section 121 "spy clause" powers
Map graphic: International surveillance legislation spread (UK, US, EU, Australia)
Infographic: Small business action checklist

Key Themes
Government surveillance of privacy tools in supposed liberal democracy
Technical limitations make monitoring ineffective at stated purpose
Scope creep from child protection to political content blocking within days
Small business caught in surveillance net designed for age verification
International trend toward authoritarian internet regulation models
GDPR compliance paradox when government creates unknowable privacy risks
Practical cybersecurity must continue despite surveillance theatre
Political engagement essential before normalisation occurs

Tone & Style Notes
Heavy sarcasm throughout - serious WTF tone without profanity
Incredulous questioning of government logic and transparency
Dark humour about dystopian surveillance implications
Technical precision in explaining what monitoring can/cannot do
Practical focus on small business implications
Political urgency without becoming preachy
Professional scepticism balanced with actionable guidance

CTAs (Calls to Action)

Primary CTAs
Subscribe wherever you get your podcasts
Share with other small business owners who need this information
Leave a review if you found this episode useful (or terrifying)
Visit the blog at thesmallbusinesscybersecurityguy.co.uk for full breakdown with sources

Secondary CTAs
Drop a comment with questions about VPN security or regulatory compliance
Contact your MP about surveillance of privacy tools
Sign the petition to repeal the Online Safety Act (if not already done)
Document your VPN usage for legitimate business purposes starting today

Social Media Hashtags
#OnlineSafetyAct #VPNSurveill
In this episode of The Small Business Cyber Security Guy Podcast, hosts Noel Bradford and Mauven MacLeod are joined by Mark Bell from Authentrend (episode sponsor) to explain why the mobile phone, long promoted as a convenient authentication tool, can be one of the weakest links in your business security. Using real-world examples, including a recent breach of a 15-person firm that relied on SMS one-time passwords, the trio outlines how simple attacks, such as SIM swapping and code interception, make SMS and many authenticator app workflows vulnerable to targeted attackers.

The hosts define multi-factor authentication in plain terms and introduce FIDO2/passkeys and hardware security keys as effective, phishing-resistant alternatives. Mark describes how hardware keys utilise public-key cryptography and local biometric verification (fingerprint on the key), ensuring that private credentials never leave the device, thereby preventing attackers from reusing intercepted codes or tricking users into authenticating to fake sites.

Practical implementation advice is covered in detail: start with a risk assessment, deploy keys in phases (prioritise privileged accounts and executives), run a pilot with high-risk users, and require at least two keys per user for redundancy. They discuss costs (roughly £45 per key, with a 10-year lifespan), the productivity and help-desk savings from passwordless authentication, the effects on cyber insurance and compliance (including Cyber Essentials updates and the gap between compliance and proper protection), and strategies for legacy systems and remote workers. The episode also highlights human factors, including making authentication easy to use (biometric keys), providing clear training and internal champions, and anticipating user resistance, which can be managed through leadership buy-in and phased rollouts.

Listeners are urged to assess their critical accounts, prioritise hardware keys for high-risk users, and run a small pilot rather than waiting for discounts — because, as the guests stress, hardware keys can stop roughly 80% of credential-based breaches in practice.

Guests and links: Noel Bradford and Mauven MacLeod (hosts), with guest Mark Bell from Authentrend. The show notes include links to Authentrend products, NCSC guidance on passkeys and FIDO2, and step-by-step implementation resources for small businesses.
On October 19th, 2025, four men dressed as construction workers stole €102 million in French crown jewels from the Louvre Museum in just seven minutes. The heist was poorly executed—thieves dropped items and failed to target the most valuable pieces—yet they succeeded spectacularly. Why? Because the world's most visited museum had been ignoring basic cybersecurity warnings for over a decade.

In this hot take, Noel Bradford examines the shocking details that emerged after the heist: the password to the Louvre's video surveillance system was "LOUVRE." Security software was protected by "THALES" (the vendor's name). Windows 2000 and Server 2003 systems were still in operation years after support ended. And a 2015 security audit with 40 pages of recommendations won't be fully implemented until 2032.

This episode examines the consequences of institutions ignoring expert warnings, the importance of accountability, and what UK small businesses can learn from a €102 million failure. Spoiler: if your security is better than the Louvre's, you're doing something right.

Key Message: Security failures often begin long before the day of the breach. They start years earlier when warnings go unaddressed.

Key Takeaways
The Louvre's password was "LOUVRE." - If one of the world's most prestigious institutions used the building's name as its surveillance system password, your organisation probably has similar problems.
Ten years of warnings, zero action - ANSSI identified critical vulnerabilities in 2014. Security upgrades recommended in 2015 won't be completed until 2032. Ignoring expert advice is organisational negligence.
Resources aren't the problem - The Louvre had budget, expertise, and free government audits. They chose to prioritise palace restoration (€60M) over security infrastructure. It's about priorities, not resources.
Hardware authentication solves password problems - FIDO2 security keys can't be guessed, phished, or compromised through weak passwords. At £30-50 per key, they're cheaper than one day of operational disruption.
The accountability gap enables negligence - Government institutions face no consequences for catastrophic security failures, while UK SMBs receive ICO fines and potential closure for less. This double standard undermines security culture.
Your security might be better than that of the Louvre - If you've enabled MFA, run supported operating systems, and have basic password policies, you're already ahead of a museum protecting the Mona Lisa. That's encouraging and concerning.
Security failures often begin years before a breach - The October 2025 heist was made possible by decisions (or non-decisions) that stretched back to 2014. Prevention requires consistent action, not crisis response.

Case Studies Referenced

The Louvre Heist (October 2025)
Incident: €102 million in French crown jewels stolen in 7 minutes
Root causes: Password "LOUVRE" for surveillance, outdated systems (Windows 2000/Server 2003), unmonitored access points
Audit history: 2014 ANSSI audit identified vulnerabilities, 2015 audit provided 40-page recommendations
Accountability: Director retained position, no terminations, Culture Minister initially denied security failure
Timeline: Security upgrades recommended in 2015 won't be completed until 2032

KNP Logistics (Referenced)
Industry: East Yorkshire haulage firm
Incident: Ransomware attack, £850,000 ransom demand
Outcome: Couldn't pay, business entered administration, 70 jobs lost
Contrast: Small business faces closure; national institution faces no consequences

Electoral Commission (Referenced)
Incident: Data breach affecting 40 million UK voters
Outcome: No job losses, no significant consequences
Relevance: Government accountability gap vs private sector enforcement

About The Host
Noel Bradford brings over 40 years of IT and cybersecurity experience across enterprise and SMB sectors, including roles at Intel, Disney, and BBC. Currently serving as CIO and Head of Technology for a boutique security-first MSP, Noel specialises in translating enterprise-grade cybersecurity expertise into practical, affordable solutions for UK small businesses with 5-50 employees. His philosophy centres on "perfect security is the enemy of any security at all," focusing on real-world constraints and actionable advice over theoretical discussions. Noel's direct, no-nonsense approach has helped "The Small Business Cyber Security Guy Podcast" achieve Top 90 Business Podcast status in the USA and Top 170 in the UK, with a unique cross-Atlantic audience (47% American, 39% British).

Legal & Disclaimer
The information provided in this podcast is for educational and informational purposes only and should not be construed as professional cybersecurity, legal, or financial advice. Listeners should consult qualified professionals for guidance specific to their circumstances. Product and service mentions, including sponsors, are provided for informational purposes. The host and podcast do not guarantee results from implementing suggested strategies or using mentioned products. All case studies and incidents discussed are based on publicly available information and reporting. Facts are verified against multiple authoritative sources before publication.

© 2025 The Small Business Cyber Security Guy Podcast. All rights reserved.

Credits
Host: Noel Bradford
Production: The Small Business Cyber Security Guy Productions
Editing: Noel Bradford
Research: Graham Falkner
Show Notes: Graham Falkner
Special Thanks: ANSSI (for their audit work that we wish the Louvre had acted upon), Libération journalist Brice Le Borgne (for his investigative reporting), and UK small businesses everywhere who take security more seriously than world-famous museums apparently do.

Episode Tags
#Cybersecurity #SmallBusiness #UKBusiness #PasswordSecurity #Louvre #DataBreach #HardwareAuthentication #FIDO2 #CyberAccountability #InformationSecurity #RiskManagement #SMBSecurity #CyberNews #HotTake #BusinessPodcast

Next Episode: Coming Soon - Criminal Accountability for Cybersecurity Negligence (Two-Part Series)
Average Episode Downloads: 3,000+ per day at peak
Listener Demographics: 47% USA, 39% UK, 14% Other
Target Audience: UK SMBs with 5-50 employees
In this episode Graham and Mauven break down a major overhaul to Cyber Essentials coming into force from April 2026. The hosts explain the headline change — mandatory multi-factor authentication (MFA) for every cloud service with no loopholes — and how the scheme has tightened scoping so any internet-connected service or system that processes company data is now in scope. Topics covered include the new emphasis on passwordless authentication (passkeys, FIDO2 hardware keys, and biometrics), why the NCSC is pushing these technologies, and the practical security benefits and limits of passwordless solutions. They also discuss the real-world impact on small businesses: thousands currently relying on weak passwords or shadow IT will face failed assessments, unsupported software will trigger instant fails, and many firms will need to budget for MFA where it’s not free. Graham and Mauven share concrete, actionable advice for listeners: inventory every cloud service (including forgotten Dropbox or personal Gmail accounts used for work), involve the whole team, enable MFA everywhere possible (and budget for paid options), collect and document evidence (screenshots, logs), map networks and implement segmentation where needed, and plan early to avoid rush and audit pain. Key takeaways: the bar is being raised to reduce simple attacks, passwordless is being validated as a practical option, expect a drop in pass rates at renewal time, and businesses should start preparing now or face chaotic assessment outcomes. Hosts: Graham Falkner and Mauven MacLeod.
What if I told you there’s a laboratory in Switzerland where scientists are building computers from living human neurons?

Sounds like science fiction, right? But it’s happening right now, and the energy crisis driving this research is about to affect every small business owner’s cloud computing bills.

In this episode, Noel, Graham, and Mauven explore FinalSpark’s revolutionary biocomputing platform. This Swiss company has created the Neuroplatform, a system using approximately 160,000 living human neurons to perform computational tasks. Their goal? Solving the massive energy consumption problem created by artificial intelligence and modern data centres.

Your brain runs on 20 watts of power. Current AI data centres consume megawatts. FinalSpark claims their biological processors could use a million times less energy than traditional computing. That’s not incremental improvement – that’s fundamental transformation.

But here’s the catch: this technology is still early, really early. So why should small business owners care about laboratory experiments with brain cells? Because the energy costs driving this research are already affecting your Azure bills, your SaaS subscriptions, and your cloud hosting fees. And understanding where technology is heading helps you make better decisions about where to invest your limited resources.

What You’ll Learn
Why energy consumption in computing matters to small businesses right now
How FinalSpark’s biocomputing platform actually works (in terms that won’t require a neuroscience degree)
The realistic timeline for when this technology might affect your business
What small businesses should actually do about emerging technologies
The security implications nobody’s talking about yet
The uncomfortable ethical questions around growing human neurons for computation

Key Quotes
Noel Bradford: “Training a single large AI model produces the same carbon emissions as five cars create during their entire lifetime. And that statistic is from 2019. Modern models like GPT-4 produce 50 to 100 times more emissions than that.”
Graham Falkner: “So naturally they thought, you know what, let’s just use actual neurons instead. Because that’s a perfectly reasonable next step when your silicon experiments don’t work.”
Mauven MacLeod: “Bloody hell. Today’s topic just got properly mental.”
Noel Bradford on timeline: “In the next 12 months, nothing. Ignore biocomputing entirely. Focus on the security basics most businesses are probably still getting wrong.”
On security implications: “How do you secure a computer made from living cells? Do you need to understand neuroscience to exploit vulnerabilities in bioprocessors? If someone breaches a living computer system, is it a cyber attack or biological warfare?”

About FinalSpark
Founded by: Dr. Martin Kutter and Dr. Fred Jordan
Location: Vevey, Switzerland
Previous company: Alpvision (anti-counterfeiting specialists)
Current project: The Neuroplatform

Research credentials:
Published peer-reviewed research that reached the top 1% of most-read articles in Frontiers journal
Providing free access to 10 universities worldwide (36 applications received)
Created APIs and documentation for remote access
Built Discord community with 1,200+ members discussing biocomputing

Participating universities: University of Michigan, Free University of Berlin, University of Exeter, Lancaster University, Leipzig University, University of York, Oxford Brookes University, University of Bath, University of Bristol, Université Côte d’Azur (France), University of Tokyo

Key Facts from the Episode

Energy consumption statistics:
Data centres consumed 1.5% of global electricity as of 2024
Projected to reach 3% by 2030
AI is accelerating growth exponentially
Meta, Google, and OpenAI are talking about building nuclear power stations

The biocomputing advantage:
Human brain runs on 20 watts
Modern AI data centres use megawatts (millions of watts)
FinalSpark claims million-times efficiency (99.9999% reduction)
Some sources cite up to billion-times more energy efficient

The Neuroplatform specifications:
10,000 living neurons per organoid
16 organoids total
Approximately 160,000 neurons system-wide
Neurons survive up to 100 days in active use
Accessible remotely by researchers worldwide

Why This Matters for Small Businesses

Immediate concerns:
Energy costs always roll downhill to cloud hosting bills and SaaS subscriptions
AI tools your business uses (Microsoft Copilot, ChatGPT, customer service chatbots) all burn energy
Every interaction costs carbon, and those costs eventually reach small businesses

Future implications:
If biocomputing proves viable, benefits arrive through infrastructure improvements
Your cloud providers incorporate biological processors
Your costs decrease, capabilities increase
You won’t buy biocomputers any more than you buy specific processor architectures now

What to watch for (2-5 year timeline):
•Early commercial applications in specialised tasks
•Medical diagnostics applications
•Pattern recognition improvements
•Industry adoption signals

Practical Takeaways for Business Owners

Do these things now:
Secure current systems properly (multi-factor authentication, proper backups)
Train staff on cybersecurity basics
Achieve Cyber Essentials certification
Build adaptable IT infrastructure

Build awareness:
Subscribe to technology news sources
Spend 15 minutes monthly reading about emerging tech
Build mental models of where technology might head
Prepare for paradigm shifts

Watch for these milestones:
Commercial partnerships with major tech companies
Published benchmarks proving practical advantages
Scaling demonstrations (thousands of neurons for months)
Security framework development
Independent energy validation studies

Remember:
Mad ideas sometimes win (iPhone, Netflix, electric cars)
Companies that survive aren’t the ones that predicted the exact future
They’re the ones who built adaptable systems that could pivot
Focus on fundamentals whilst keeping awareness of emerging tech

Resources Mentioned
FinalSpark: Company website and Neuroplatform information
FinalSpark Butterfly demonstration application (control virtual butterfly using living neurons)
Discord community (1,200+ members)
Academic publications in Frontiers journal

Further reading:
Full blog post with technical details and source verification available at thesmallbusinesscybersecurityguy.co.uk
Research papers on biological computing
Energy consumption studies for AI and data centres

The Uncomfortable Questions We Need to Answer

As Noel, Graham, and Mauven discuss in the episode, biocomputing raises security and ethical questions that nobody has answers for yet:

Security concerns:
How do you secure computers made from living cells?
Can you hack biological neural networks?
Do you need neuroscience expertise to exploit vulnerabilities?
Is a breach a cyber attack or biological warfare?
How do you wipe a neuron’s memory? Can you verify data deletion?
How do you conduct forensic analysis on biological substrates?

Ethical considerations:
These neurons aren’t conscious or sentient (they’re biological cells performing functions)
But they’re human neurons grown from human stem cells
Where’s the ethical line if we can grow larger collections?
How large before we worry about experiences or consciousness?
How do we measure consciousness in biological systems grown for computation?
Should these conversations happen now, before ubiquity?

The hosts emphasise that awareness isn’t the same as answers, but these discussions need to happen before the technology becomes widespread.

What the Hosts Say You Should Actually Do

After 22 minutes of discussing living neurons, Swiss laboratories, and energy crises, the practical advice is refreshingly straightforward:

Do nothing different, for now at least!

Seriously. Don’t change your technology strategy based on biocomputing research. Instead:
Secure your current systems properly
Implement proper backup strategies
Train your staff on cybersecurity basics
Achieve Cyber Essentials certification
Build IT infrastructure that serves your business objectives

Why? Because the exciting developments in biocomputing don’t change the fact that most UK small businesses still haven’t done the tedious, essential security work that prevents 95% of attacks.

As Noel puts it: “The companies that survive aren’t the ones that predicted the exact future. They’re the ones who built adaptable systems that could pivot when the future arrived unexpectedly.”

Next Steps
Subscribe to the podcast so you don’t miss future episodes exploring where technology is heading and what it means for your business.
Leave a review if you found this episode valuable. Reviews genuinely help other small business owners find the show. Takes 30 seconds, makes a real difference.
Share this episode with business owners who need to understand how energy costs are about to affect their cloud computing bills.
Visit the blog at thesmallbusinesscybersecurityguy.co.uk for the comprehensive write-up with all technical details, source verification, and links to the research.
Comment with your thoughts: Do you think biocomputing is the future or an expensive dead end? Your questions sometimes become future episodes.

About The Small Business Cyber Security Guy Podcast
Practical cybersecurity advice for UK small businesses, delivered with humour and authentic British personality.

Hosted by:
Noel Bradford (40+ years in IT, ex-Intel/Disney/BBC, current CIO)
Graham Falkner (Tech savvy small business owner & voice over artist representing the SMB reality)
Mauven MacLeod (ex-government cybersecurity background)

New episodes weekly
Website: thesmallbusinesscybersecurityguy.co.uk
Podcast feed: https://feed.podbean.com/thesmallbusinesscybersecurityguy/feed.xml

Final Thoughts from the Hosts
Noel Bradford: “After 40 years in this industry, I’ve learned that mad
This Halloween special of the Small Business Cyber Security Guy peels back the curtain on the scariest place hackers hide: the tools and toolchains you trust. Hosts Graham Falkner, Noel Bradford and Mauven MacLeod go ghost hunting inside compilers, build systems and update pipelines to show how supply‑chain attacks can insert backdoors that you’ll never spot by reading source code alone. The episode revisits Ken Thompson’s classic compiler backdoor thought experiment and explains, in plain language, how a compromised compiler can propagate secrets invisibly. The hosts walk through real incidents — XcodeGhost, SolarWinds, EventStream, and Log4j — to demonstrate how attackers target development tools and upstream suppliers to compromise software at scale. Expect practical, small-business-focused anecdotes (including a midnight accounting patch that wreaked havoc) and clear explanations of why technical debt, single-developer codebases, and blind trust in update pop-ups are dangerous. The conversation highlights how even open-source software can be compromised if maintainers or dependencies are compromised. The episode also covers defences and takeaways: demand provenance and supply-chain transparency from vendors, insist on reproducible builds where possible, use two-person reviews and well-maintained dependencies, and protect access with strong authentication. The hosts debate how to distribute trust, verify your verifiers, and reduce single points of failure so one compromised supplier or contractor can’t haunt your whole business. There’s a sponsor segment from Authentrend about passwordless biometric sign-ins as a way to block credential-based intrusions, along with links to resources and a trial, in the show notes. Throughout, the hosts balance technical history and horror stories with concrete steps small businesses can take now to keep their compilers and supply chains clean.
Listen for clear, actionable advice for small businesses, including how to ask vendors the right questions, when to bring in trusted IT partners, and simple measures to keep the lights on and the doors locked against the ghosts in your code. Sláinte — and may your backups never rise from the grave.
The £18,000 Saving That Cost £200,000 in Revenue

Ever cut a cost that seemed obviously wasteful, only to discover you'd destroyed something far more valuable? Welcome to the Doorman Fallacy—it's probably happening in your business right now.

In this episode, Noel Bradford introduces a concept from marketing expert Rory Sutherland's book "Alchemy" that explains precisely why "sensible" security cost-cutting so often leads to catastrophic consequences. Through five devastating real-world case studies, we explore how businesses optimise themselves into oblivion by defining roles too narrowly and measuring only what's easy to count.

Spoiler alert: The doorman does far more than open doors. And your security measures do far more than their obvious functions.

What You'll Learn

The Core Concept
What the Doorman Fallacy is and why it matters for cybersecurity
The difference between nominal functions (what something obviously does) and actual functions (what it really does)
Why efficiency optimisation without a complete understanding is just expensive destruction
The five-question framework for avoiding Doorman Fallacy mistakes

Five Catastrophic Case Studies

1. The Security Training Fallacy (Chapter 2)
How cutting £12,000 in training led to a £70,000 Business Email Compromise attack
Why training isn't about delivering information—it's about building culture
The invisible value: shared language, verification frameworks, psychological safety
What to measure instead of cost-per-employee-hour

2. The Cyber Insurance Fallacy (Chapter 3)
The software company that saved £18,000 and lost £200,000 in client contracts
Why insurance isn't just financial protection—it's a market signal
Hidden benefits: third-party validation, incident response capability, customer confidence
How cancelling coverage destroyed vendor relationships and sales opportunities

3. The Dave Automation Fallacy (Chapter 4)
Insurance broker spent £100,000+ replacing a £50,000 IT person
The £15,000 server upgrade that Dave would have known was unnecessary
Institutional knowledge you can't document: vendor relationships, crisis judgment, organisational politics
Why ticketing systems can't replace anthropological understanding

4. The MFA Friction Fallacy (Chapter 5)
Fifteen seconds of "friction" versus three weeks of crisis response
The retail client who removed MFA and suffered £65,000 in direct incident costs
Why attackers specifically target businesses without MFA
The reputational damage you can't quantify until it's too late

5. The Vendor Relationship Fallacy (Chapter 6)
Solicitors saved £4,800 annually, lost a £150,000 client
Why "identical services" aren't actually identical
The difference between contractual obligations and genuine partnerships
What happens when you need flexibility and you've burned your bridges

Key Statistics & Case Studies
42% of business applications are unauthorised Shadow IT (relevant context)
£47,000 BEC loss vs £12,000 annual training savings
£200,000 lost revenue vs £18,000 insurance savings
£100,000+ replacement costs vs £50,000 salary
£65,000 incident costs vs marginal productivity gains
£150,000 lost client vs £4,800 vendor savings
Common pattern: Small measurable savings, catastrophic unmeasurable consequences.

The Five-Question Framework
Before cutting any security costs, ask yourself:
What's the nominal function versus the actual function? What does it obviously do vs what does it really do?
What invisible benefits will disappear? Be specific: not "provides value" but "provides priority incident response during emergencies"
How would we replace those invisible benefits? If you can't answer this, you're making a Doorman Fallacy mistake
What's the actual cost-benefit analysis, including invisible factors? Not just "save £8,000" but "save £8,000, lose security culture, increase incident risk"
What's the cost of being wrong? In cybersecurity, the cost of being wrong almost always exceeds the cost of maintaining protection

Practical Takeaways

What to Do Tomorrow
Review your most recent efficiency or cost-cutting decision. Ask:
Did we define this function too narrowly?
What invisible value might we have destroyed?
Are we experiencing consequences we haven't connected to that decision?

Better Metrics for Security Investments
Instead of measuring cost-per-hour or savings-per-quarter, measure:
Incident reporting rates (should go UP with good training)
Verification procedure usage frequency
Time-to-report for security concerns
Vendor response times during emergencies
Employee confidence in raising concerns

Making Trade-Offs Honestly
Budget constraints are legitimate. The solution isn't "never cut anything." It's:
Acknowledge what you're sacrificing when you cut
Admit the risks you're accepting
Have plans for replacing invisible functions
Make consequences visible during decision-making
Ensure decision-makers bear some responsibility for outcomes

Quotable Moments
"The doorman's job is opening doors. So we replaced him with an automatic door. Saved £35,000 a year. Lost £200,000 in revenue because the hotel stopped feeling luxurious. That's the Doorman Fallacy." — Noel
"Security training's nominal function is delivering information. Its actual function is building culture. Cut the training, lose the culture, then wonder why nobody reports suspicious emails anymore." — Noel
"We saved £8,000 on training. Spent £70,000 on the Business Email Compromise attack that training would have prevented. The CFO was very proud of the efficiency gains." — Noel
"You can't prove a negative. Can't show the value of the disasters you prevented because they didn't happen. So the training gets cut, the insurance gets cancelled, and everyone acts surprised when the predictable occurs." — Mauven
"The efficiency consultant's dream outcome: Measurable cost eliminated, unmeasurable value destroyed, everyone confused about why things feel worse despite the improvement." — Noel

Chapter Timestamps
00:00 - Pre-Roll: The Most Expensive Cost-Saving Decision
02:15 - Intro: Why Marketing Books Matter for Cybersecurity
05:30 - Chapter 1: The Book, The Fallacy, The Revelation
12:00 - Chapter 2: The Security Training Fallacy
19:30 - Chapter 3: The Cyber Insurance Fallacy
27:00 - Chapter 4: The Dave Automation Fallacy
35:30 - Chapter 5: The MFA Friction Fallacy (+ Authentrend sponsor message)
42:00 - Chapter 6: The Vendor Relationship Fallacy
49:30 - Chapter 7: Hard-Hitting Wrap-Up & Framework
58:00 - Outro: Action Items & CTAs
Total Runtime: Approximately 62 minutes

Sponsored By Authentrend - Biometric FIDO2 Security Solutions
This episode is brought to you by Authentrend, which provides passwordless authentication solutions that address the friction problem discussed in Chapter 5. Their ATKey products use built-in fingerprint authentication—no passwords, no PIN codes, just five-second authentication that's both convenient AND phishing-resistant. Microsoft-certified, FIDO Alliance-trusted, and designed for small businesses that need enterprise-grade security without enterprise-level complexity.
Learn more: authentrend.com

Resources & Links

Mentioned in This Episode:
Rory Sutherland's "Alchemy: The Dark Art and Curious Science of Creating Magic in Brands, Business, and Life"
Authentrend ATKey Products: authentrend.com
Episode 3: "Dave from IT - When One Person Becomes Your Single Point of Failure" (referenced in Chapter 4)

Useful Tools & Guides:
Download our Doorman Fallacy Decision Framework (PDF)
Template: Articulating Invisible Value in Budget Meetings
Checklist: Five Questions Before Cutting Security Costs
Case Study Library: Real-World Doorman Fallacy Examples

UK-Specific Resources:
ICO Guidance on Security Measures
NCSC Small Business Cyber Security Guide
Cyber Essentials Scheme Information

About Your Hosts
Noel Bradford brings 40+ years of IT and cybersecurity experience from Intel, Disney, and the BBC to small-business cybersecurity. Now serving as CIO/Head of Technology for a boutique security-first MSP, he specialises in translating enterprise-level security to SMB budgets and constraints.
Mauven MacLeod is an ex-government cyber analyst who now works in the private sector helping businesses implement government-level security practices in commercial reality—her background bridges national security threat awareness with practical small business constraints.

Support The Show
New episodes every Monday at Noon UK Time! Never miss an episode!
Subscribe on your favourite podcast platform: Apple Podcasts, Spotify, Google Podcasts
RSS Feed: https://feed.podbean.com/thesmallbusinesscybersecurityguy/feed.xml

Help us reach more small businesses:
⭐ Leave a review (especially appreciated if you mention which Doorman Fallacy example hit closest to home)
💬 Comment with your own efficiency optimisation horror stories
🔄 Share this episode with CFOs, procurement specialists, and anyone making security budget decisions
📧 Forward to that one colleague who keeps suggesting cost-cutting without understanding the consequences

Connect with us:
Website: thesmallbusinesscybersecurityguy.co.uk
Blog: Visit thesmallbusinesscybersecurityguy.co.uk for full episode transcripts, implementation guides, and decision-making templates
LinkedIn: https://www.linkedin.com/company/the-small-business-cyber-security-guy/
Email: hello@thesmallbusinesscybersecurityguy.co.uk

Episode Tags
#Cybersecurity #SmallBusiness #SMB #InfoSec #CyberInsurance #MFA #SecurityTraining #ITManagement #BusinessSecurity #RiskManagement #DoormanFallacy #BehavioralEconomics #SecurityROI #UKBusiness #CostBenefit #SecurityCulture #IncidentResponse #VendorManagement #Authentrend #FIDO2 #PasswordlessAuthentication

Legal
The Small Business Cyber Security Guy Podcast provides educational information and general guidance on cybersecurity topics. Content should not be considered professional security advice for your specific situation. Always consult qualified cyberse
Hosts Mauven MacLeod and Graham Falkner deliver a fiery rant about the recent AWS US East 1 DNS outage and what it reveals about our dependence on cloud services. In this episode, they unpack the outage's real-world impact — from Snapchat and Venmo outages to Philips Hue bulbs and automated litter boxes going dark — and share colourful personal anecdotes, including a navigation fail on a Loch Lomond walk and a high‑tech mattress that turns into an expensive paperweight when the cloud hiccups. The pair dig into the technical and cultural roots of the problem: DNS as an ageing single point of failure, the dangers of concentrating critical infrastructure in one region, cost‑cutting that sacrifices resilience, and the worrying effects of automation and staff churn. They discuss how small businesses, banks, gaming platforms, and everyday consumers all found themselves unable to process payments, take bookings, or even turn on a light due to a single regional fault. Mauven and Graham also examine the human side of outages — exhausted sysadmins, online threads that read like group therapy, and the blurred line between human operators and automated systems shipping production code. They mock the absurdity of smart devices that need the internet to perform basic functions, and contrast that with the resilience of simple, offline tech (their beloved vinyl collections make a cameo). Finally, the episode offers a clear call to action: rethink resilience. Topics covered include multi‑cloud and hybrid strategies, decentralisation, offline fallback modes or “stupid mode” for essential devices, and the need to prioritise technical debt and redundancy over short‑term savings. Expect sharp humour, practical frustrations, and a promise of tangible fixes and advice in the next episode — plus plenty of memes and sympathy for the folks keeping the lights on.
Vendors love throwing around "InfoSec," "CyberSec," and "IT Security" like they're selling completely different solutions. Half the time it's the same thing with three different price tags. The other half? You're buying protection that doesn't address your actual risks.

With 50% of UK small businesses hit by cyber incidents in 2025 and 60% closing within six months of severe data loss, getting this wrong isn't just expensive—it's potentially fatal to your business.

Noel Bradford (40+ years wrangling enterprise security at Intel, Disney, and BBC) and Mauven MacLeod (ex-Government Cyber analyst who's seen threats at the national security level) cut through the marketing rubbish to explain what each approach actually does, what they really cost, and which one your business needs right now. No vendor pitch. No corporate speak. Just the brutal truth about what works for UK SMBs.

This Episode is Sponsored by Authentrend
Special Listener Offer: £40 per FIDO2 security key (regular £45) - Valid until December 22nd, 2025

We only accept sponsorships from companies whose products we already recommend to clients. Authentrend's ATKey series provides FIDO Alliance Level 2 certified, phishing-resistant authentication at competitive pricing. Same cryptographic protection as premium brands, without the premium price tag.

Why we're comfortable with this sponsorship: We've been specifying Authentrend keys for UK SMB clients for months because the math works. FIDO2 hardware security keys stop the credential phishing attacks that cause 85% of cyber incidents. At £40-45 per key (two per employee for backup), you're looking at £80-90 per person for protection that actually works.
Learn more: authentrend.com

What You'll Learn

Understanding the Differences
What Information Security actually covers (hint: it's not just digital)
Why Cybersecurity isn't the same as IT Security (despite what vendors claim)
The CIA triad explained without the jargon
Real-world examples showing when each approach matters

UK Business Reality
Current threat landscape: 43% of UK businesses breached in 2025
Why small businesses (10-49 employees) face 50% breach rates
Average incident costs: £3,400 (but the real number is much higher)
UK GDPR, Data Protection Act 2018, and what actually applies to you

What It Actually Costs
Starting from scratch: £5,000-£15,000 annually for 10-20 employees
Phishing-resistant MFA: £80-90 per employee (one-time, includes backup keys)
Cyber Essentials: £300-£500 (your best bang for buck)
Managed security services: £300-£450/month realistic pricing
When £2,000-£3,500/month managed detection makes sense
Free government resources you're probably ignoring

Authentication Security Reality
Why SMS codes and app-based MFA still get phished
How FIDO2 hardware security keys cryptographically prevent credential theft
Real cost comparison: £80-90 per employee one-time vs subscription services costing hundreds annually
Special offer mentioned in episode: Authentrend keys at £40 until December 22nd

Implementation Without the Bullshit
Why IT Security basics beat fancy cybersecurity tools every time
The five controls that address 90% of UK SMB threats
Common mistakes that waste your security budget
How to prioritise when you can't afford everything
Vendor red flags and what to actually look for

Regulatory Requirements Decoded
ICO data protection fees: £40-£60/year (mandatory)
What "appropriate technical and organisational measures" really means
Why recent enforcement shows reprimands over fines for SMBs
Insurance requirements and how to reduce premiums
How phishing-resistant authentication affects cyber insurance premiums

Key Statistics Mentioned
50% of UK small businesses (10-49 employees) experienced cyber incidents in 2025
£3,400 average cost per cyber incident (excluding business impact)
60% of small businesses close within 6 months of serious data loss
85% of cyber incidents involve phishing attacks
43% of all UK businesses experienced breaches in 2025
Only 35,000 of 5.5 million UK businesses hold Cyber Essentials certification
40% of UK businesses use two-factor authentication (meaning 60% rely solely on passwords)

Products & Solutions Discussed

Authentication Security (Featured in Episode)
Authentrend ATKey Series (Episode Sponsor)
ATKey.Pro: USB-A/USB-C with NFC support
ATKey.Card: Contactless card format
Pricing: £45 regular, £40 special offer until December 22nd
FIDO Alliance Level 2 certified
Works with Microsoft 365, Google Workspace, 1000+ FIDO2-enabled services
Deployment cost: £80-90 per employee (2 keys for backup)

Why hardware security keys matter:
Cryptographically bound to specific domains (phishing technically impossible)
Works even when users make mistakes
One-time purchase vs ongoing subscription costs
Significantly reduces cyber insurance premiums

Email Security Options
Microsoft Defender for Office 365 Plan 1: £1.70/user/month
Google Workspace Advanced Protection: £4.60/user/month
Sophos Email Security: £2.50/user/month

Endpoint Protection
Microsoft Defender for Business: £2.50/user/month
Sophos Intercept X: £3.50/user/month
CrowdStrike Falcon Go: £7.00/user/month

Compliance & Frameworks
Cyber Essentials: £300-£500 annually
ISO 27001: £10,000-£15,000 first year (discussed as often unnecessary for SMBs)

Resources Mentioned

Free Government Resources
NCSC Small Business Guidance: ncsc.gov.uk
ICO Free Templates: ico.org.uk
Cyber Essentials Scheme: cyberessentials.ncsc.gov.uk
NCSC FIDO2 Guidance: Phishing-resistant authentication recommendations

Episode Sponsor
Authentrend: authentrend.com
Special offer: £40 per key (regular £45) until December 22nd, 2025
ATKey.Pro and ATKey.Card models
UK distributor support available

Related Blog Posts (From This Week's Series)
Tuesday: "InfoSec vs CyberSec vs IT Security: Stop Paying for the Wrong Protection in 2025"
Wednesday: "Another UK SME Wastes £20k on 'Comprehensive CyberSec': Still Gets Breached"
Thursday: "IT Security First: Your 5-Step Plan to Stop Buying the Wrong Protection"
Friday: "The Leicester SME That Chose IT Security Over InfoSec Theatre: Saved £15k and Actually Got Secure"
Saturday: "Opinion: The Cybersecurity Industry Is Deliberately Confusing UK SMBs"

Recommended First Steps

Immediate Actions (This Week)
Catalogue your information - 1 day exercise to understand what you have and where it lives
Register for ICO data protection fee - £40-£60 annual mandatory requirement
Order hardware security keys - Start with admin accounts (grab Authentrend special offer before Dec 22nd)

First Month
Get Cyber Essentials certified - £300-£500, addresses 90% of common threats
Implement email security - £900-£1,800 annually for proper anti-phishing
Deploy phishing-resistant MFA - £80-90 per employee one-time investment
Configure endpoint protection - £1,200-£2,500 annually for 15-30 users

First Quarter
Test your backups - Don't assume they work, actually restore something
Basic staff training - Use free NCSC materials, focus on phishing recognition
Review and document - Simple policies using ICO templates

Budget Planning
15-20 employee business, first year total: £6,200-£14,500
Email security: £900-£1,800 annually
Hardware security keys: £2,400-£2,700 one-time (with Dec 22nd offer: £2,400)
Endpoint protection: £1,200-£2,500 annually
Backup systems: £600-£1,200 annually
Network security: £600-£1,800 (includes one-time hardware costs)
Training: £0-£1,500 annually
Testing: £500-£2,000 annually
Ongoing costs (Year 2+): £3,800-£11,100 annually

Hosts
Noel Bradford - CIO/Head of Technology, Boutique Security First MSP
40+ years enterprise security (Intel, Disney, BBC)
Direct, budget-conscious, solutions-focused
Enjoys challenging conventional security wisdom
Known for calling out vendor bollocks

Mauven MacLeod - Ex-Government Cyber Analyst
Government cybersecurity background (NCSC)
Glasgow-raised, practical approach
Translates national security threats into business reality
Focuses on what actually works for UK SMBs

Our Sponsorship Disclosure Policy
We only accept sponsorships from security vendors whose products we already recommend to UK SMB clients independently. If we wouldn't deploy it ourselves or specify it for consulting engagements, we won't accept sponsorship money for it.

Why Authentrend: We've been recommending their FIDO2-certified hardware security keys to clients for months because:
They provide the phishing-resistant authentication we consistently advise UK SMBs to implement
Pricing makes proper authentication accessible to small businesses
FIDO Alliance Level 2 certification ensures they meet security standards
They align with our core message: affordable IT security fundamentals over expensive security theatre

Take Action
Don't let perfect be the enemy of good. Start with what you can manage, do it properly, and build from there.

Your Next Steps
Listen to the episode - Understand the differences before spending money
Download the risk assessment template - Available on our blog
Order hardware security keys - Start with admin accounts (special offer ends Dec 22nd)
Get Cyber Essentials certified - £300-£500 addresses most common threats
Implement IT Security fundamentals - £2K-£5K gets you real protection
Review quarterly - Security isn't a one-time project

Subscribe & Connect
Never miss an episode - Hit subscribe wherever you get your podcasts
Leave us a review - It genuinely helps other UK small business owners find these conversations
Visit our blog - Additional resources, templates, and practical guides at [noelbradford.com]
Got specific questions? - Drop us a comment and we might cover it in a future episode

Next Week's Episode
"Government Cyber Initiatives: Why Whitehall's Digital Strategy Keeps Failing UK Businesses"
The NCSC produces world-class guidance. Unfortunately, most of it assumes you have dedicated security teams and enterprise budgets. We'll examine why government cybersecurity initiatives consistently miss
Noel and Mauven unpack Discord's third-party breach that exposed government-ID checks from age-appeal cases, then weigh it against Westminster's push for a nationwide digital ID. It's a frank look at how outsourcing, age-verification mandates and data-hungry processes collide with real-world security on the ground. Expect straight talk and practical fixes for UK SMBs.

What we cover
- What actually happened at Discord: a contractor compromise affecting support/Trust & Safety workflows, not Discord's core systems; notifications issued; vendor relationship severed; law-enforcement engaged.
- Why age-verification data is dynamite: passports and licences used for "prove your age" are a high-value, high-liability dataset for any platform or vendor.
- The UK digital ID plan, clarified: free digital ID, phased rollout this Parliament, and mandatory for Right to Work checks rather than everyone by default. What that means for employers, suppliers and software choices.
- Public sentiment vs promised safety: Britons broadly back "age checks" in principle but expect more data compromise and censorship risk, and doubt effectiveness.

Why it matters to UK SMBs
- You can't outsource accountability. If a payroll, KYC, helpdesk or verification vendor mishandles data, your customers still see your name on the breach notice.
- Age and identity checks creep into ordinary business flows. HR onboarding, ticketing, and customer support can accumulate sensitive documents if you let them.
- Centralising identity increases the jackpot for attackers. Your job is to minimise what you collect and partition what you must keep.

Key takeaways
- Do not collect what you can't protect. Prefer attribute proofs over document uploads.
- Limit blast radius. Separate systems, short retention, hard deletion, and vendor access that is time-boxed and device-checked.
- Contract like you mean it. Specify MFA, device compliance, immutable logging, breach SLAs, and verifiable deletion in vendor agreements.
- Prepare your Right-to-Work path now. Choose flows that avoid copying and storing underlying documents.

Action checklist for SMB owners
- Map every place you're collecting ID or age proof today. Kill non-essential collection.
- Where age is required, adopt attribute-based verification that proves "over 18" without revealing full identity.
- Move any remaining uploads behind automatic redaction, strict retention, and encryption with keys you control.
- Enforce vendor MFA via your IdP, require compliant devices, and review access logs weekly.
- Run DPIAs for onboarding, support and HR flows that touch identity documents.
- Rehearse your breach comms. Aim to say: "only an age token was exposed, not source documents."

Chapter outline
- Setting the scene: a breach born in the support queue
- Why ID uploads are a liability multiplier
- The UK's digital ID plan, without the spin
- Vendor risk is your risk
- Practical fixes you can implement before lunch
- Q&A and what to do if you uploaded ID to Discord

If you think you're affected
Treat notices as real; monitor credit; be alert to targeted phishing; don't re-upload documents to unsolicited "verification" links.

Support the show
Subscribe, rate and review. Share this episode with a business owner who still stores passport scans in their helpdesk. Send questions or topic requests for future episodes.
Microsoft has released the October 2025 Patch Tuesday update, and the numbers tell a serious story: 172 security flaws patched, six of them zero-day exploits already in the wild. For UK small businesses, this is more than routine maintenance; these updates protect against vulnerabilities that attackers are actively exploiting to break into systems like yours.

Graham Falkner cuts through the technical jargon to explain what these updates actually mean for your business, shares a real-world story of a local bakery that nearly lost everything, and walks through the practical steps you need to take today.

Key Topics Covered

The Scale of the Problem
- 172 total vulnerabilities patched across Microsoft's ecosystem
- Six zero-day flaws (actively exploited or publicly known before patches released)
- Eight critical vulnerabilities that could allow unauthorised code execution
- Elevation of privilege, remote code execution, and information disclosure threats

Windows 10: End of an Era
- 15 October 2025 marks the final day of free security updates for Windows 10
- Extended Security Updates (ESU) now required for continued protection
- Time to seriously plan your Windows 11 migration or budget for ESU costs

Real-World Impact
Linda's Bakery nearly lost a week's worth of turnover after ransomware exploited an unpatched zero-day vulnerability. The attack was fast, the data was locked, and only a quick backup restoration saved her business. Graham uses this story to demonstrate why these updates have tangible consequences for small businesses across the UK.

Windows 11 October 2025 Features
Beyond patching vulnerabilities, the October update brings nine useful new features for Windows 11 versions 25H2 and 24H2:
- Improved Phishing Protection - Enhanced defences that make it genuinely harder for dodgy links to trick your staff. Think of it as a digital bouncer for your inbox.
- Enhanced Device Control Settings - Brilliant if you operate in an environment where staff might plug in random gadgets. (Yes, coffee shop owners with drawers full of mystery USB sticks, we're looking at you.)
- Wi-Fi Security Dashboard - No IT degree required. Plain-language summary of your network's safety status that anyone can understand.
- Built-in Password Manager Improvements - Now flags when you've reused weak passwords. No more scribbling your favourite biscuit on a Post-it and hoping for the best.
- AI Actions in File Explorer - Smarter file organisation and quick task shortcuts
- Notification Centre on Secondary Monitors - Finally works properly where you click it
- Moveable System Indicators - Customise where volume and brightness indicators appear
- Administrator Protection - Additional security layer for privileged accounts
- Passkey Support for Third-Party Providers - More flexibility in authentication methods

Practical Action Steps

Immediate Tasks (This Week)
- Schedule Your Updates - Block out an hour when losing a computer for a reboot won't derail your entire operation. Updates can be inconvenient, but getting compromised because you delayed them is far worse.
- Verify Installation Success - Don't assume updates installed correctly. Open Windows Update settings and check for failed installations. Graham shares a personal story about his jukebox PC that reinforces this point.
- Back Up Before Updating - Protect your important data before applying updates. If something breaks, you'll need that backup to restore operations quickly.

Recovery Planning
- Know Your Rollback Options - Windows lets you roll back recent updates through the Advanced Recovery menu. Don't wait until disaster strikes to learn how this works.
- Document Your Process - Have a written plan for what to do if an update causes problems. Graham learned this the hard way when his vinyl room jukebox went silent for days.

Long-Term Security Habits
- Regular Review Schedule - Treat security reviews like your car's MOT. Schedule them in your diary and actually do them. Ask yourself: "Are my defences still relevant to the threats out there?"
- Consider Automation - Intrusion detection tools and vulnerability scanners aren't just for large multinationals anymore. They fit comfortably into small business operations, often catching and patching issues before you even know they exist.
- Staff Training - Technology can only protect you so far. The biggest security gaps usually sit between the keyboard and the chair. Regular training on spotting dodgy emails and not clicking every link matters more than you think. All the AI in the world means nothing if someone opens the virtual front door for attackers.

Key Quotes from the Episode
- "When you've got bugs that can lead to unauthorised access, stolen data, or a business-crippling ransomware attack, you simply can't afford to fall behind."
- "These updates have real-world impact. I'm not talking theoretical."
- "Don't leave your business exposed whilst attackers are combing these patch notes, looking for firms running behind."
- "Not updating isn't just risky, it's old-fashioned."
- "The strongest business is the one that learns just a bit faster than the crooks."

UK Business Context

Why This Matters for Small Businesses
Whether you're a florist in Aberdeen or a solicitor's office in Kent, cybersecurity isn't about ticking an IT box. These updates protect your ability to keep the cash register ringing and maintain customer trust. Business-crippling ransomware attacks don't just happen to large corporations. Small businesses are increasingly targeted because attackers know you often lack dedicated IT resources and may be running behind on updates.

Regulatory Considerations
Whilst Graham doesn't dive deep into compliance in this Hot Take, remember that unpatched systems can create regulatory headaches:
- GDPR obligations require appropriate security measures
- ICO enforcement takes security seriously
- Professional indemnity insurers increasingly audit cybersecurity practices
- Client trust depends on demonstrating you protect their data properly

Technical Details (For the IT-Minded)

Vulnerability Breakdown
- 80 Elevation of Privilege vulnerabilities
- 31 Remote Code Execution flaws
- 28 Information Disclosure issues
- 11 Security Feature Bypass vulnerabilities
- 11 Denial of Service flaws
- 10 Spoofing vulnerabilities
- 1 Tampering vulnerability

Notable Zero-Days Patched
- CVE-2025-24990: Agere Modem driver vulnerability (actively exploited)
- CVE-2025-59230: Windows Remote Access Connection Manager (actively exploited)
- CVE-2025-24052: Agere Modem driver (publicly disclosed)
- CVE-2025-2884: TPM 2.0 implementation flaw
- CVE-2025-0033: AMD EPYC processor vulnerability
- CVE-2025-47827: IGEL OS Secure Boot bypass

Removed Components
Microsoft removed the Agere Modem driver (ltmdm64.sys) after evidence of abuse for privilege escalation. If you rely on fax modem hardware using this driver, it will cease functioning after this update.

Resources and Further Reading

Official Microsoft Sources
- Microsoft October 2025 Patch Tuesday Security Update Guide
- Windows 11 Version 25H2 Known Issues
- Windows 10 Extended Security Updates Information

Third-Party Analysis
- BleepingComputer: October 2025 Patch Tuesday Coverage
- Windows Central: 9 New Features in October Update
- Cybersecurity News: Detailed Vulnerability Analysis

UK-Specific Resources
- NCSC Small Business Guide
- Cyber Essentials Scheme
- ICO Data Protection Guidance

Episode Credits
Host: Graham Falkner
Production: The Small Business Cyber Security Guy Podcast
Copyright: 2025 - All Rights Reserved

Call to Action

Help Other Small Businesses Stay Secure
- Like this Hot Take if you found it useful
- Subscribe to catch every episode as we release them
- Share with other UK small business owners who need to hear this
- Comment with your own update horror stories or success stories

Your engagement helps us reach more small businesses who desperately need practical cybersecurity guidance. Every share might save another business from becoming next month's ransomware statistic.

Stay Connected
Visit thesmallbusinesscybersecurityguy.co.uk for:
- Complete episode archive
- Written guides and checklists
- Additional resources for UK small businesses
- Ways to submit questions for future episodes

Related Episodes
Looking for more context on topics mentioned in this Hot Take? Check out these related episodes:
- Episode 17: Social Engineering - The Human Firewall Under Siege. Why staff training matters more than you think, and how attackers exploit human psychology
- Episode 10: White House CIO Insights Part 3 - Advanced Threats & AI. AI-powered attacks and how small businesses can defend against sophisticated threats
- Enhanced Supply Chain Security. Understanding vendor dependencies and how updates fit into broader security strategy
Ministers have sent an urgent letter to UK business leaders after the NCSC handled 204 nationally significant cyber incidents in the past year, with 18 "highly significant" incidents, a 50% increase for the third consecutive year. Join Mauven MacLeod and Graham Falkner as they unpack the government's wake-up call and translate ministerial warnings into concrete actions every business leader can take today.

What You'll Learn
- Why the Chancellor and three Cabinet Ministers personally co-signed an urgent letter to UK business leaders - Ministerial letter on cyber security
- The shocking NCSC statistics: nearly half of all incidents were nationally significant, with highly significant incidents up 50%
- Real-world impact: empty supermarket shelves, healthcare disruption causing deaths, and £300m+ losses for single organisations
- The three specific government requests that will have an immediate impact on your cyber resilience - Ministerial letter on cyber security
- Practical first steps you can take this week (most are free)

Key Quotes
- "Any leader who fails to prepare for that scenario is jeopardising their business's future... It is time to act." - Richard Horne, CEO of NCSC
- "Hostile cyber activity in the UK is growing more intense, frequent and sophisticated. There is a direct and active threat to our economic and national security." - Ministerial Letter, 13 October 2025 - Ministerial letter on cyber security
- "While you can plan meticulously, nothing truly prepares you for the moment a real cyber event unfolds. The intensity, urgency and unpredictability of a live attack is unlike anything you can rehearse." - Shirine Khoury-Haq, CEO of The Co-op Group

Resources Mentioned
- Ministerial Letter (13 Oct 2025)
- NCSC Annual Review 2025
- Free Cyber Governance Training for Boards
- Early Warning Service (Free) - 13,000+ organisations already signed up
- Cyber Essentials - 92% reduction in insurance claims
- Cyber Action Toolkit - Free for small businesses

Take Action This Week
- Sign up for NCSC Early Warning (free)
- Read the ministerial letter
- Add cyber security to your next Board agenda
- Check if MFA is enabled on critical systems

About the Hosts
Mauven MacLeod - Ex-NCSC cyber security expert with Glasgow roots who translates government-level threat intelligence into practical advice for small businesses.
Graham Falkner - The unmistakable voice from UK cinema trailers, now bringing his theatrical gravitas and storytelling skills to demystify cybersecurity for business leaders.

Connect
Visit our blog: thesmallbusinesscybersecurityguy.co.uk
Like the show? Subscribe, leave a review, and share with colleagues.

Episode Length: ~8 minutes

Bottom line: Nearly half of NCSC incidents are now nationally significant. It's time to act.
We were wrapping up our interview with Tammy Buchanan about the Kido nursery breach when she said: "Actually, there were some really important points I forgot to make." So we grabbed another cup of tea, broke out the custard creams, and kept recording.

Then, during the tea break, Graham discovered something on Twitter: VX-Underground, a credible malware research collective, had posted a screenshot of what appears to be a Kido GitHub repository containing API code. Files that typically contain system credentials. A potential smoking gun.

In Part 2, Tammy reveals what was missed in Part 1, including the game-changing fact that cybersecurity is now officially linked to safeguarding in the 2025 Keeping Children Safe in Education guidance. We examine the repository screenshot and discuss what it suggests about how breaches like this happen.

This isn't theory. This appears to be a real-world example of the vulnerability that could lead to children's data being stolen. And your child's school might have the same exposure.

Recorded in the same session as Part 1. This is what happens when cybersecurity news moves faster than podcast recording sessions.

Currently ranked in the Top 100 Apple Business Podcasts (US)

This episode is sponsored by Authentrend Biometric Hardware

Why Listen to Part 2?
If you listened to Part 1 and thought "that's bad but it won't happen to us," Part 2 will change your mind.
- The game-changer: Cybersecurity is now safeguarding, not just IT. Schools can't ignore it anymore.
- The smoking gun: A screenshot showing what appears to be exposed code, the exact type of vulnerability experts warn about.
- The corrections: What we got wrong in Part 1, and why the reality is even more serious.

What You'll Learn

The Major Revelations

Cyber Security = Safeguarding (2025 Guidance)
- First time explicitly linked in statutory guidance
- Changes everything about how schools must respond
- Makes Kido a safeguarding failure, not just an IT breach
- Gives cyber the legal teeth it's never had

The Repository Screenshot
- VX-Underground documented what appears to be Kido's code
- Files that typically contain credentials visible
- Repository has since been removed
- Suggests how the breach may have occurred

Partial MFA = No MFA
- Schools enable MFA for head teachers but not everyone
- Like "locking doors but leaving windows open"
- Must be ALL staff with system access or it's useless

The Third Party Illusion
- Schools think IT providers handle compliance
- DfE Standards explicitly say schools must verify
- Cannot outsource responsibility

Practical Takeaways
- Why phone-based MFA conflicts with safeguarding policies (and what to do)
- The NCSC Cyber Assessment Framework for schools
- Questions to ask developers about code repositories
- How to audit custom software
- What "Time Off In Lieu" means for training

The VX-Underground Discovery (Important Context)

What We Can Confirm
On 28 September 2025, VX-Underground (a credible malware research collective) posted a screenshot showing what appears to be a GitHub repository:
- Repository name: kido-fullstack/mykido-api
- Files visible: Including mail.py (typically contains email credentials in Python apps)
- Repository stats: 2 contributors, 0 issues, 0 stars, 0 forks
- Current status: Repository has been removed
- VX-Underground's assessment: Called it "f**king slop piece of s**t"
- See: https://www.instagram.com/reel/DPUjd9mj2tG/

What We Cannot Independently Verify
- The actual contents of the files (repository is down)
- Whether the repository was public or had limited visibility
- That this definitively caused the breach
- What specific credentials may have been present

Why It Matters
This screenshot shows the exact type of vulnerability cybersecurity experts warn about:
- Custom code pushed to repositories without proper security review
- Files that typically contain credentials visible in structure
- Pattern common in education sector (confirmed by Tammy)
- Explains how Famly data could be accessed without a Famly infrastructure breach

We present this as a plausible explanation based on professional analysis, not as a confirmed fact.

The Safeguarding Game-Changer

2025 Keeping Children Safe in Education Guidance
For the first time, statutory safeguarding guidance for UK schools explicitly mentions taking appropriate actions to meet the Cyber Security Standard.

What this means:
- Cybersecurity is no longer optional IT work
- It's a safeguarding responsibility with Ofsted implications
- Schools respond to safeguarding requirements (unlike IT recommendations)
- Governors have safeguarding oversight duties that now include cyber
- The Kido breach is officially a safeguarding failure

When it takes effect: The 2025 guidance is already in force. Schools should be implementing now.

Why schools don't know: Most haven't read the updated guidance yet. Awareness is the first problem.

Critical Corrections from Part 1

1. The MFA Misconception
What we said in Part 1: "Only 50% of schools have MFA enabled"
What Tammy clarified: That 50% is misleading because many schools have partial MFA - only for senior staff like head teachers and SENCOs.
The reality: Partial MFA = NO MFA. It's like locking your front door but leaving all the windows open. Attackers target the weakest link, not the strongest.
The phone problem: Many MFA solutions require phones for authentication, but safeguarding policies ban phones in classrooms. Schools need hardware tokens or authenticator apps on shared devices.
Where MFA works: Primarily email systems currently - but email is the gateway to everything else (password resets, system access, parent communications).

2. The Compliance Responsibility Myth
The misconception: "We pay an IT company, so they're handling DfE Digital Standards compliance for us."
The reality: DfE Standards explicitly state it's the organisation's responsibility to ask: "Are we meeting this standard? How do we meet this standard?"
What IT providers should do: Help implement technical controls
What schools must do: Verify compliance is actually happening
Who's responsible: School leadership, governors, senior management - not outsourceable

3. Training and TOIL
Correction: Staff must be given Time Off In Lieu (TOIL) for cybersecurity training. They cannot be expected to complete training unpaid outside work hours.
Why it matters: Schools operating on tight budgets must account for training time in scheduling and costs.

Resources Mentioned

Statutory Guidance and Standards

Keeping Children Safe in Education 2025
- Statutory safeguarding guidance for schools
- First explicit link between cybersecurity and safeguarding
- Available: UK Government website / DfE publications
- ACTION: Read the section on the Cyber Security Standard

DfE Digital Standards for Schools
- Sets out cyber security requirements
- Six standards schools should meet by 2030
- Schools must actively verify compliance
- ACTION: Ask your school "Are we meeting these?"

Free Security Resources

NCSC Cyber Assessment Framework (CAF)
- Designed specifically for small businesses and schools
- Written in accessible language (not technical jargon)
- Covers: access control, incident management, supply chain security
- Free to use
- LINK: ncsc.gov.uk

NCSC Early Years Settings Guidance
- Bespoke guidance for nurseries
- Practical steps for settings without IT expertise
- LINK: ncsc.gov.uk

GitHub Secret Scanning
- Free for public repositories
- Detects exposed credentials in code
- Schools should use it if they have repositories
- ACTION: Enable on all repositories

Tammy's Resources

DfE Digital Standards Webinars
- Regular sessions explaining standards in simple terms
- How to track progress and implementation
- Contact Tammy for upcoming dates

Guest Expert

Tammy Buchanan
Title: Senior Data Protection Consultant
Organisation: Data Protection Education
Background: 15 years in UK education sector; 12 years working directly in schools (8 years technician, 4 years IT manager); "Recovering Dave from IT"

What makes Tammy credible: She's not a theoretical expert. She's been the person fixing school printers at 8am, dealing with budget constraints, navigating safeguarding policies. When she says "schools don't have the expertise," she's speaking from lived experience.

Expertise:
- Data protection compliance in education
- Information security for schools and MATs
- DfE Digital Standards implementation
- GDPR for the education sector
- Cyber resilience on school budgets

Contact Tammy
Email: info@dataprotection.education
LinkedIn: Tammy Buchanan (personal) / Data Protection Education (company page)
Services: Compliance assessments; DfE Digital Standards webinars; Data protection consultancy for schools and MATs; Incident response support

Questions Parents Should Ask Their School
Copy these questions and email them to your head teacher:

Security Basics
- Do you have multi-factor authentication (MFA) enabled for ALL staff with system access (not just senior leadership)?
- How often do staff receive cybersecurity training, and is Time Off In Lieu provided for this training?
- Where is your incident response plan, and when was it last tested?

Custom Software and Code
- Do we have any custom-built software, integrations, or scripts?
- If yes: Where is the source code stored? (GitHub, GitLab, etc.)
- Who has access to our code repositories?
- Have repositories been scanned for exposed credentials?
- Do former developers or contractors still have access to our systems?

Compliance and Governance
- Are we meeting the DfE Digital Standards, and how is this verified?
- Who on the governing body is responsible for data protection and cyber resilience?
- How are you addressing cybersecurity as part of your safeguarding responsibilities under the 2025 Keeping Children Safe in Education guidance?

Third Party Platforms
- Which platforms hold our children's data? (Famly, Tapestry, Arbor, etc.)
- How do you verify these platforms are securely configured?
- Does our IT provider handle compliance verification, or do you verify it yourselves?

Don't accept: "We have an IT company, they handle all thi
Episode Description
Following the Kido nursery breach where 8,000 children's photos were stolen and posted online, we sit down with education sector expert Tammy Buchanan. With 15 years working in UK schools and now consulting on data protection compliance, Tammy reveals the shocking reality of cybersecurity in British education.

From nurseries using platforms like Famly and Tapestry to primary schools struggling with basic MFA implementation, this conversation exposes systematic failures that put every child's data at risk. If you're a parent, school governor, or education professional, this episode will change how you think about school security.

Currently ranked in the Top 100 Apple Business Podcasts (US)

What You'll Learn
- Why only 50% of schools have multi-factor authentication enabled
- The difference between early years providers and mainstream schools
- How photo-rich platforms create unique vulnerabilities for nurseries
- Why DFE digital standards remain unknown to most schools
- The governance problem: volunteers without power
- Who actually gets things done when head teachers won't prioritise security
- Why schools keep breaches quiet and what that means for parents
- Practical steps parents can demand from their child's school today
- The Cyber Essentials challenge for small schools with limited budgets
- How COVID pushed schools years ahead without proper security foundations

Guest Contact Details
Tammy Buchanan
Senior Data Protection Consultant
Data Protection Education
Email: info@dataprotection.education
LinkedIn: Search for Tammy Buchanan or visit the Data Protection Education company page
Website: Data Protection Education

Tammy and her team (including a solicitor) work with schools across the UK on data protection compliance, information security, and cyber resilience. They provide free resources and news updates for schools on their LinkedIn page.

Resources Mentioned

Government and Regulatory:
- DFE Digital Standards (Department for Education)
- NCSC (National Cyber Security Centre) staff training resources
- ICO (Information Commissioner's Office) breach log and guidance
- Ofsted inspection framework
- Safeguarding regulations

Platforms Discussed:
- Famly (early years learning journey platform)
- Tapestry (early years learning journey platform)
- Arbor (school management information system)
- Bromcom (school management information system)

Security Standards:
- Cyber Essentials certification
- Multi-factor authentication (MFA) implementation
- Incident response planning

Additional Resources:
- The Small Business Cyber Security Guy blog: thesmallbusinesscybersecurityguy.co.uk
- Data Protection Education news page (free resources for schools)

Key Statistics from This Episode
- 50% or less of schools have MFA enabled
- 8,000 children's photos stolen in the Kido breach
- 12 years Tammy worked directly in schools before consulting
- 15 years Tammy has been in the education sector overall
- 2030 target date for schools to meet six DFE digital standards

Questions Parents Should Ask Their School
- Do you have multi-factor authentication enabled on all systems?
- How often do staff receive cybersecurity training?
- Where is your incident response plan and when was it last tested?
- Who on the governing body is responsible for data protection and cyber resilience?
- Are you working towards the DFE digital standards?
- Which third-party platforms hold my child's data and photos?
- How do you monitor and configure security settings on these platforms?

Key Takeaways

For Parents:
- Schools are having breaches regularly but keeping them quiet
- Most schools lack basic security like MFA
- Your child's photos on learning journey apps create unique risks
- You have the right to ask questions about data protection
- Schools respond to parental pressure

For School Leaders:
- Documentation matters for ICO compliance
- Training needs updating regularly, not the same video for three years
- Incident response plans are useless if nobody knows where they are
- School business managers need authority, not just responsibility
- Other schools' examples work better than external expert advice

For Governors:
- Cybersecurity needs to be statutory to get real traction
- Digital lead on governing body remains unfilled at many schools
- You need both knowledge and authority to make change happen
- Physical security analogies help boards understand cyber risks

The Big Picture
This episode exposes a systematic failure in UK education cybersecurity. Schools operate under considerable constraints, including volunteer governance, stretched budgets, and part-time IT support. Meanwhile, they hold treasure troves of children's data on platforms configured by people who lack security expertise.

The Kido breach reveals what happens when one password unlocks 8,000 children's intimate moments. Most schools are one credential compromise away from the same fate. Until cybersecurity becomes statutory or linked to Ofsted inspections, progress will remain painfully slow.

Connect With The Show
Website: thesmallbusinesscybersecurityguy.co.uk
Subscribe: Available on all major podcast platforms
Social Media: Find us on LinkedIn
Help us grow: Leave a review, subscribe, and share this episode with parents, teachers, and school governors who need to hear this message.
Host Graham Falkner dives into Windows 11 25H2 in this solo episode, explaining why this understated update matters for security, stability, and small-business productivity. He breaks down how 25H2 arrives as an Enablement Package (EKB), what that means if you're already on 24H2, and why the streamlined rollout keeps disruptions to a minimum.

The episode covers key technical and practical changes: removal of legacy components like PowerShell 2.0 and WMIC, continued performance improvements (CPU scheduling, memory management, faster startups), and expanded Wi‑Fi 7 support. Graham highlights Microsoft's shift toward continuous monthly innovation and why that helps maintain a more secure, reliable environment without waiting for big yearly releases.

Security is a major focus: Graham explains Microsoft's Secure Future initiative, which brings AI-assisted secure coding and enhanced vulnerability detection into the development and post-release lifecycle. He frames these advances for small business owners, showing how better detection and automated security practices reduce risk and downtime.

Practical deployment and lifecycle details are explained clearly: support-cycle resets (24 months for Home/Pro, 36 months for Enterprise/Education), how to get 25H2 via the "Get the Latest Updates" toggle, controlled rollouts and device holds, and enterprise deployment options like Windows AutoPatch and the Microsoft 365 Admin Center. He also covers admin-friendly improvements such as removing preinstalled Microsoft Store apps with Intune or Group Policy.

The episode closes with hands-on advice: check the Windows Release Health Hub for known issues, back up critical machines before upgrading, verify driver and app compatibility, and prepare rollback plans for important systems. Graham adds a personal anecdote about preparing his vinyl-catalog PC for the update and stresses that 25H2 is about steady, practical improvements: safer, faster, and less disruptive for both single machines and fleets.
In 40 years of Information Technology work, Noel Bradford has never been this angry. On September 25th, 2025, the Radiant ransomware gang stole personal data from 8,000 children at Kido International nurseries, posted their photos and medical records online, and then started calling parents at home to demand ransom payments. This isn't just another data breach. This is the moment cybercrime lost whatever soul it had left.

In this raw, unfiltered episode, Noel breaks down exactly what happened, why the security failures that enabled this attack exist in thousands of UK small businesses right now, and what you need to do immediately to protect your organisation from becoming the NEXT headline.

WARNING: This episode contains strong language and discusses disturbing tactics used by cybercriminals. Parental guidance advised.

What You'll Learn
The complete timeline of the Kido ransomware attack and how it unfolded
Why hackers spent weeks inside the network before striking
The new escalation tactic of directly contacting victims' families
Five critical security failures that allowed 8,000 children's records to be stolen
Why "we're too small to be targeted" is the most dangerous lie in business
The regulatory consequences Kido faces under UK GDPR
Immediate action steps every small business must take NOW
Why this attack signals a fundamental shift in cybercrime tactics

Key Takeaways

The Five Critical Failures
Initial Access Was Preventable - Likely phishing, weak passwords, or unpatched vulnerabilities
No Monitoring - Weeks of dwell time with zero detection
No Network Segmentation - Hackers accessed everything once inside
No Data Loss Prevention - 8,000 records exfiltrated without triggering alarms
Inadequate Backups - No mention of restoration from clean backups

New Threat Landscape Reality
Ransomware gangs now directly contact victims' families
Children's data is being weaponised for psychological pressure
Moral boundaries in cybercrime have completely dissolved
Attack tactics proven successful will be replicated by other groups

Business Impact Statistics
43% of UK businesses suffered a breach in the past year
Nearly 50% of primary schools reported cyber incidents
60% of secondary schools experienced attacks
The education sector is particularly vulnerable

Featured Experts & Sources
Government & Law Enforcement: Metropolitan Police Cyber Crime Unit; Information Commissioner's Office (ICO); Jonathon Ellison, Director for National Resilience, National Cyber Security Centre
Cybersecurity Experts: Rebecca Moody, Head of Data Research, Comparitech; Anne Cutler, Cybersecurity Expert, Keeper Security; Mantas Sabeckis, Infosecurity Researcher, Cybernews
Direct Victims: Stephen Gilbert, Parent with two children at Kido nursery
Threat Actors: Radiant Ransomware Gang (claims to be Russia-based)

Immediate Action Checklist

Do These TODAY:
Enable multi-factor authentication on ALL business accounts
Check that all software is updated to the latest versions
Review who has access to sensitive data
Verify backups exist and are stored offline
Schedule staff phishing awareness training

Do These This Week:
Audit your network segmentation
Implement monitoring and alerting systems
Review password policies across the organisation
Create an incident response plan
Assess cyber insurance coverage

Do These This Month:
Conduct a full security audit
Test backup restoration procedures
Implement data loss prevention tools
Review vendor and third-party security
Schedule penetration testing

Resources Mentioned

Government Resources
National Cyber Security Centre: https://www.ncsc.gov.uk/
Information Commissioner's Office: https://ico.org.uk/
Met Police Cyber Crime Unit: https://www.met.police.uk/advice/advice-and-information/fa/fraud/online-fraud/cyber-crime/
UK Cyber Security Breaches Survey: https://www.gov.uk/government/collections/cyber-security-breaches-survey

Cybersecurity Companies
Comparitech: https://www.comparitech.com/
Keeper Security: https://www.keepersecurity.com/
Cybernews: https://cybernews.com/

Legal & Compliance
UK GDPR Guidance: https://ico.org.uk/for-organisations/guide-to-data-protection/
Children's Data Protection: https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/children-and-the-uk-gdpr/

Episode Quotes
"What happened to Kido International this week represents the absolute lowest point I've witnessed in 40 years of cybersecurity."
"These hackers didn't just encrypt some files and demand payment. They actively posted samples of children's profiles online. Then they started ringing parents directly."
"You're not special. You're not too small. You're not immune. You're just next on the list unless you take action."
"The hackers claim they 'deserve some compensation for our pentest.' Let that sink in. They're calling this a penetration test."
"A child's photo, name, and home address in criminal hands. This data doesn't expire. It doesn't get less valuable. It just sits there, a permanent risk to these families."
"None of these failures are unique to nurseries or large organizations. I see the same problems in small businesses every single week."
"You're making the same mistakes that led to 8,000 children's data being posted on the dark web. The only difference is scale."

Discussion Questions
How would you respond if your business were to experience a similar attack?
What security measures do you currently have in place?
Do you know where your most sensitive data is stored and who can access it?
When was the last time you tested your backup restoration?
How would you handle direct contact from threat actors?

Connect With Noel Bradford
Website: The Small Business Cyber Security Guy
Email: hello@thesmallbusinesscybersecurityguy.co.uk
LinkedIn: Noel Bradford

Need Help With Your Cybersecurity?
Equate Group

Support The Podcast
If this episode made you think differently about cybersecurity, please:
⭐ Leave a 5-star review on Apple Podcasts
📢 Share this episode with other business owners
📧 Subscribe to get every new episode
💬 Join the conversation on social media using #KidoHack

Legal Disclaimer
The information provided in this podcast is for educational and informational purposes only. It does not constitute legal, financial, or professional cybersecurity advice. Always consult with qualified professionals regarding your specific situation. Opinions expressed are those of the host and do not necessarily reflect the views of any organisations mentioned.

Transcript
Full episode transcript available at: TBC

Episode Tags
#Cybersecurity #Ransomware #DataBreach #SmallBusiness #KidoHack #UKBusiness #CyberCrime #DataProtection #GDPR #InformationSecurity #CyberAwareness #ThreatIntelligence #BusinessSecurity #RansomwareAttack #ChildSafety

© 2025 The Small Business Cyber Security Guy Podcast. All rights reserved.
Join hosts Noel Bradford and Mauven McLeod in this Back-to-School special of the Small Business Cybersecurity Guy podcast as they trace a line from 1980s schoolroom mischief to modern, large-scale breaches that put millions of students and small organisations at risk. Through recollections of early BBC Model B and Novell-era antics, the episode uses real recent incidents to expose how weak passwords, written credentials and opportunistic insiders create systemic security failures. The episode unpacks headline-making investigations and statistics — including the ICO analysis showing that students are behind a majority of school data breaches, the PowerSchool compromise that affected tens of millions of records and led to extortion demands, and targeted campaigns such as Vice Society and the evolving Kido International incident. The hosts explain the motivations behind student-led breaches (curiosity, dares, financial gain, and revenge) and how those same drivers also appear within small businesses. Noel and Mauven explain why insider threats matter, even when they aren't sophisticated: most breaches exploit simple weaknesses, such as reused or guessable passwords, written notes, shared admin accounts, and a lack of access controls. Producer Graham contributes a live update on ongoing incidents, and the episode highlights how these events translate into operational disruptions — including school closures, days of downtime, and long-term reputational and legal fallout. Practical defence is the episode's focus: clear, actionable guidance covers immediate steps (audit access, enable multi-factor authentication, remove unnecessary privileges), short-term actions (implement logging and monitoring, deploy password managers, set up incident response procedures) and longer-term resilience measures (regular access reviews, backups, staff training and cultural change).
The hosts emphasise designing security around human behaviour so staff follow safe practices instead of working around them. Listeners will get a concise checklist of recommended technical controls — MFA, role-based access, privileged account separation, activity logging and reliable backups — alongside cultural advice: leadership buy-in, recognisable rewards for good security behaviour, and channels for curious employees to learn responsibly. The episode also highlights regulatory shifts, such as the introduction of mandatory Cyber Essentials for certain educational institutions, and links these requirements to small business risk management. Expect vivid anecdotes, practical takeaways and a clear call-to-action: if a curious teenager can bypass your systems, it’s time to harden them. Whether you run a two-person firm or a growing small business, this episode provides the context, evidence, and step-by-step priorities to reduce insider risk, detect misuse quickly, and recover from incidents without compromising your customers’ trust.
Co-op's CEO has just confirmed that their cybersecurity disaster cost £80 million. The attackers? Teenagers using basic social engineering. In this Hot Takes episode, we break down how "We've contained the incident" turned into an £80 million earnings wipeout, and why the final bill could reach £400-500 million once legal claims are settled. This isn't just another breach story - it's a wake-up call for every UK business owner who thinks "it won't happen to us."

Key Topics Covered

The Attack Breakdown [0:30]
April 2024 attack by the Scattered Spider group
Social engineering, not sophisticated exploits
6.5 million members affected (100% of Co-op members)
2,300 stores disrupted, 800 funeral homes on paper systems

The Real Cost [1:45]
£80 million confirmed earnings impact
£206 million total sales impact
£20 million in direct incident costs
Zero cyber insurance coverage

Why It Could Get Much Worse [2:30]
Pending ICO fine: £15-20 million likely
Individual GDPR compensation claims: £25-£150 per person
Potential £325 million member compensation exposure
Final bill estimate: £400-500 million

Lessons for UK Small Businesses [3:15]
Social engineering beats technical defences
Cyber insurance is essential, not optional
Business continuity failures amplify costs
Training matters more than firewalls

Key Statistics
£80 million - Confirmed earnings impact
6.5 million - Customers affected (every single member)
£12 - Cost per affected customer (low by UK standards)
£325 million - Potential member compensation exposure
17-20 years old - Age of arrested suspects
2,300+ - Stores affected by operational disruption

Resources & Links
Full Analysis: Read the complete breakdown: Link

Key Sources Cited:
ICO Statement on Retail Cyber Incidents
Computer Weekly: Co-op breach coverage
Insurance Insider: Co-op's lack of cyber coverage
UK Government Cyber Security Breaches Survey 2025

Action Items for Listeners
Check your cyber insurance policy - Do you have coverage? Is it adequate?
Review employee training - When was the last time your team received social engineering awareness training?
Test business continuity - Can your operations survive 2 weeks offline?
Read the full blog post - Get all the details and cost breakdowns

Quote of the Episode
"Co-op's disaster isn't a cybersecurity failure. It's a business leadership failure. And if you're listening to this thinking your business is different, you're next."
Date: 23 September 2025 — Host Mauven McLeod delivers a furious, fast-paced analysis of two seismic cyber incidents and what they mean for UK and global businesses. This episode examines the Jaguar Land Rover and Collins Aerospace ransomware attacks, the human-driven methods that enabled them, and why they represent the first significant test of the EU's Digital Operational Resilience Act (DORA). Topics covered include the scale of the damage (JLR reportedly losing up to £5 million per day and sector-wide losses potentially exceeding £1 billion), the criminal methodology (simple social engineering and help-desk manipulation by groups linked to Lapsus-style actors), and the cascading supply-chain impacts across automotive and aviation sectors. The episode references confirmations from ENISA about Collins' ransomware compromise and notes reactions from industry figures such as Chris MacDonald at the Department for Business and Trade, as well as large providers like Tata Consultancy Services, Microsoft and RTX/Collins Aerospace.

Key points you'll take away: these attacks were largely preventable with basic controls — MFA (hardware keys), formal helpdesk identity verification, callback confirmation, network segmentation and focused security training — yet failures persist even at well-resourced organisations. Crucially, the episode explains DORA's cross-border reach (applicable since 17 January 2025), how EU authorities can designate critical ICT third-party providers (including non-EU firms), the reporting and continuity obligations this triggers for financial entities, and the potential penalties (including fines up to around 1% of global turnover) and oversight mechanisms now coming into play.

Practical guidance for listeners covers immediate steps: map vendor dependencies and identify any providers serving EU financial entities; review and update contracts for DORA alignment; update incident response and continuity plans to reflect DORA reporting requirements; and deploy low-cost, high-impact controls like hardware MFA, strict helpdesk processes and segmentation. The episode also critiques the UK government's reactive crisis management during these incidents and warns of an accelerating enforcement wave: designations, cross-border scrutiny and contractual overhauls are expected to intensify through 2025. Ultimately, Mauven argues this is the start of a new era — one where regulatory exposure flows through vendor dependencies and where organisational will, not technical capability, is the biggest barrier to resilience. Listeners will finish with a clear sense of urgency, the regulatory risks to assess, and concrete next steps to reduce operational and regulatory fallout from future incidents.