The Small Business Cyber Security Guy | UK Cybersecurity for SMB & Startups

Author: The Small Business Cyber Security Guy

Description

The Small Business Cyber Security Guy Podcast
Practical cybersecurity advice for UK small business owners who need enterprise-level protection without enterprise-level budgets, headaches, or PhD-level jargon.

Join hosts Noel Bradford and Mauven MacLeod as they translate complex cybersecurity threats into actionable solutions that actually work for businesses with 5-50 employees. Noel brings 40+ years of enterprise experience from Intel, Disney, and the BBC, whilst Mauven adds government-level threat intelligence from her time as a UK Government Cyber Analyst. Together, they bridge the gap between knowing you need better security and actually implementing it without breaking the bank.

Why This Podcast Works:
Real experts who’ve chosen to focus on underserved small businesses
Practical advice tested in actual SMB environments
British humour that makes serious topics engaging (not intimidating)
Budget-conscious solutions that acknowledge your real constraints

Perfect For:
Business owners who believe they’re “too small to be targeted”
Anyone who needs cybersecurity knowledge but lacks time for complex solutions
Those seeking enterprise-quality protection at corner shop prices
UK businesses (though principles apply globally)

Each episode delivers concrete, actionable advice you can implement immediately. No theoretical discussions, no vendor nonsense, no academic waffle. Just two experts who genuinely care about helping small businesses survive and thrive digitally.

Regular Features:
Current threat analysis with real-world context
Implementation guides within realistic budgets
Human factor solutions (because your biggest vulnerability makes excellent tea)
Government framework explanations that actually make sense
New episodes weekly. Subscribe now and join thousands of business owners who’ve discovered that proper cybersecurity isn’t just for Fortune 500 companies.
Like what you hear? Subscribe, leave a review mentioning your biggest cybersecurity concern, and visit our blog for detailed implementation guides on everything we discuss.
Stay secure, stay practical, and remember - if your security wouldn’t survive a curious teenager with too much time, it needs work.
35 Episodes
Vendors love throwing around "InfoSec," "CyberSec," and "IT Security" like they're selling completely different solutions. Half the time it's the same thing with three different price tags. The other half? You're buying protection that doesn't address your actual risks. With 50% of UK small businesses hit by cyber incidents in 2025 and 60% closing within six months of severe data loss, getting this wrong isn't just expensive; it's potentially fatal to your business.

Noel Bradford (40+ years wrangling enterprise security at Intel, Disney, and BBC) and Mauven MacLeod (ex-Government Cyber analyst who's seen threats at the national security level) cut through the marketing rubbish to explain what each approach actually does, what they really cost, and which one your business needs right now. No vendor pitch. No corporate speak. Just the brutal truth about what works for UK SMBs.

This Episode is Sponsored by Authentrend

Special Listener Offer: £40 per FIDO2 security key (regular £45) - Valid until December 22nd, 2025

We only accept sponsorships from companies whose products we already recommend to clients. Authentrend's ATKey series provides FIDO Alliance Level 2 certified, phishing-resistant authentication at competitive pricing. Same cryptographic protection as premium brands, without the premium price tag.

Why we're comfortable with this sponsorship: We've been specifying Authentrend keys for UK SMB clients for months because the math works. FIDO2 hardware security keys stop the credential phishing attacks that cause 85% of cyber incidents. At £40-45 per key (two per employee for backup), you're looking at £80-90 per person for protection that actually works.

Learn more: authentrend.com

What You'll Learn

Understanding the Differences
What Information Security actually covers (hint: it's not just digital)
Why Cybersecurity isn't the same as IT Security (despite what vendors claim)
The CIA triad explained without the jargon
Real-world examples showing when each approach matters

UK Business Reality
Current threat landscape: 43% of UK businesses breached in 2025
Why small businesses (10-49 employees) face 50% breach rates
Average incident costs: £3,400 (but the real number is much higher)
UK GDPR, Data Protection Act 2018, and what actually applies to you

What It Actually Costs
Starting from scratch: £5,000-£15,000 annually for 10-20 employees
Phishing-resistant MFA: £80-90 per employee (one-time, includes backup keys)
Cyber Essentials: £300-£500 (your best bang for buck)
Managed security services: £300-£450/month realistic pricing
When £2,000-£3,500/month managed detection makes sense
Free government resources you're probably ignoring

Authentication Security Reality
Why SMS codes and app-based MFA still get phished
How FIDO2 hardware security keys cryptographically prevent credential theft
Real cost comparison: £80-90 per employee one-time vs subscription services costing hundreds annually
Special offer mentioned in episode: Authentrend keys at £40 until December 22nd

Implementation Without the Bullshit
Why IT Security basics beat fancy cybersecurity tools every time
The five controls that address 90% of UK SMB threats
Common mistakes that waste your security budget
How to prioritise when you can't afford everything
Vendor red flags and what to actually look for

Regulatory Requirements Decoded
ICO data protection fees: £40-£60/year (mandatory)
What "appropriate technical and organisational measures" really means
Why recent enforcement shows reprimands over fines for SMBs
Insurance requirements and how to reduce premiums
How phishing-resistant authentication affects cyber insurance premiums

Key Statistics Mentioned
50% of UK small businesses (10-49 employees) experienced cyber incidents in 2025
£3,400 average cost per cyber incident (excluding business impact)
60% of small businesses close within 6 months of serious data loss
85% of cyber incidents involve phishing attacks
43% of all UK businesses experienced breaches in 2025
Only 35,000 of 5.5 million UK businesses hold Cyber Essentials certification
40% of UK businesses use two-factor authentication (meaning 60% rely solely on passwords)

Products & Solutions Discussed

Authentication Security (Featured in Episode)
Authentrend ATKey Series (Episode Sponsor)
ATKey.Pro: USB-A/USB-C with NFC support
ATKey.Card: Contactless card format
Pricing: £45 regular, £40 special offer until December 22nd
FIDO Alliance Level 2 certified
Works with Microsoft 365, Google Workspace, 1000+ FIDO2-enabled services
Deployment cost: £80-90 per employee (2 keys for backup)

Why hardware security keys matter:
Cryptographically bound to specific domains (phishing technically impossible)
Works even when users make mistakes
One-time purchase vs ongoing subscription costs
Significantly reduces cyber insurance premiums

Email Security Options
Microsoft Defender for Office 365 Plan 1: £1.70/user/month
Google Workspace Advanced Protection: £4.60/user/month
Sophos Email Security: £2.50/user/month

Endpoint Protection
Microsoft Defender for Business: £2.50/user/month
Sophos Intercept X: £3.50/user/month
CrowdStrike Falcon Go: £7.00/user/month

Compliance & Frameworks
Cyber Essentials: £300-£500 annually
ISO 27001: £10,000-£15,000 first year (discussed as often unnecessary for SMBs)

Resources Mentioned

Free Government Resources
NCSC Small Business Guidance: ncsc.gov.uk
ICO Free Templates: ico.org.uk
Cyber Essentials Scheme: cyberessentials.ncsc.gov.uk
NCSC FIDO2 Guidance: Phishing-resistant authentication recommendations

Episode Sponsor
Authentrend: authentrend.com
Special offer: £40 per key (regular £45) until December 22nd, 2025
ATKey.Pro and ATKey.Card models
UK distributor support available

Related Blog Posts (From This Week's Series)
Tuesday: "InfoSec vs CyberSec vs IT Security: Stop Paying for the Wrong Protection in 2025"
Wednesday: "Another UK SME Wastes £20k on 'Comprehensive CyberSec': Still Gets Breached"
Thursday: "IT Security First: Your 5-Step Plan to Stop Buying the Wrong Protection"
Friday: "The Leicester SME That Chose IT Security Over InfoSec Theatre: Saved £15k and Actually Got Secure"
Saturday: "Opinion: The Cybersecurity Industry Is Deliberately Confusing UK SMBs"

Recommended First Steps

Immediate Actions (This Week)
Catalogue your information - 1 day exercise to understand what you have and where it lives
Register for ICO data protection fee - £40-£60 annual mandatory requirement
Order hardware security keys - Start with admin accounts (grab Authentrend special offer before Dec 22nd)

First Month
Get Cyber Essentials certified - £300-£500, addresses 90% of common threats
Implement email security - £900-£1,800 annually for proper anti-phishing
Deploy phishing-resistant MFA - £80-90 per employee one-time investment
Configure endpoint protection - £1,200-£2,500 annually for 15-30 users

First Quarter
Test your backups - Don't assume they work, actually restore something
Basic staff training - Use free NCSC materials, focus on phishing recognition
Review and document - Simple policies using ICO templates

Budget Planning
15-20 employee business, first year total: £6,200-£14,500
Email security: £900-£1,800 annually
Hardware security keys: £2,400-£2,700 one-time (with Dec 22nd offer: £2,400)
Endpoint protection: £1,200-£2,500 annually
Backup systems: £600-£1,200 annually
Network security: £600-£1,800 (includes one-time hardware costs)
Training: £0-£1,500 annually
Testing: £500-£2,000 annually
Ongoing costs (Year 2+): £3,800-£11,100 annually

Hosts

Noel Bradford - CIO/Head of Technology, Boutique Security First MSP
40+ years enterprise security (Intel, Disney, BBC)
Direct, budget-conscious, solutions-focused
Enjoys challenging conventional security wisdom
Known for calling out vendor bollocks

Mauven MacLeod - Ex-Government Cyber Analyst
Government cybersecurity background (NCSC)
Glasgow-raised, practical approach
Translates national security threats into business reality
Focuses on what actually works for UK SMBs

Our Sponsorship Disclosure Policy
We only accept sponsorships from security vendors whose products we already recommend to UK SMB clients independently. If we wouldn't deploy it ourselves or specify it for consulting engagements, we won't accept sponsorship money for it.

Why Authentrend: We've been recommending their FIDO2-certified hardware security keys to clients for months because:
They provide the phishing-resistant authentication we consistently advise UK SMBs to implement
Pricing makes proper authentication accessible to small businesses
FIDO Alliance Level 2 certification ensures they meet security standards
They align with our core message: affordable IT security fundamentals over expensive security theatre

Take Action
Don't let perfect be the enemy of good. Start with what you can manage, do it properly, and build from there.

Your Next Steps
Listen to the episode - Understand the differences before spending money
Download the risk assessment template - Available on our blog
Order hardware security keys - Start with admin accounts (special offer ends Dec 22nd)
Get Cyber Essentials certified - £300-£500 addresses most common threats
Implement IT Security fundamentals - £2K-£5K gets you real protection
Review quarterly - Security isn't a one-time project

Subscribe & Connect
Never miss an episode - Hit subscribe wherever you get your podcasts
Leave us a review - It genuinely helps other UK small business owners find these conversations
Visit our blog - Additional resources, templates, and practical guides at [noelbradford.com]
Got specific questions? - Drop us a comment and we might cover it in a future episode

Next Week's Episode
"Government Cyber Initiatives: Why Whitehall's Digital Strategy Keeps Failing UK Businesses"
The NCSC produces world-class guidance. Unfortunately, most of it assumes you have dedicated security teams and enterprise budgets. We'll examine why government cybersecurity initiatives consistently mi
Noel and Mauven unpack Discord’s third-party breach that exposed government-ID checks from age-appeal cases, then weigh it against Westminster’s push for a nationwide digital ID. It’s a frank look at how outsourcing, age-verification mandates and data-hungry processes collide with real-world security on the ground. Expect straight talk and practical fixes for UK SMBs.

What we cover
What actually happened at Discord: a contractor compromise affecting support/Trust & Safety workflows, not Discord’s core systems; notifications issued; vendor relationship severed; law-enforcement engaged.
Why age-verification data is dynamite: passports and licences used for “prove your age” are a high-value, high-liability dataset for any platform or vendor.
The UK digital ID plan, clarified: free digital ID, phased rollout this Parliament, and mandatory for Right to Work checks rather than everyone by default. What that means for employers, suppliers and software choices.
Public sentiment vs promised safety: Britons broadly back “age checks” in principle but expect more data compromise and censorship risk, and doubt effectiveness.

Why it matters to UK SMBs
You can’t outsource accountability. If a payroll, KYC, helpdesk or verification vendor mishandles data, your customers still see your name on the breach notice.
Age and identity checks creep into ordinary business flows. HR onboarding, ticketing, and customer support can accumulate sensitive documents if you let them.
Centralising identity increases the jackpot for attackers. Your job is to minimise what you collect and partition what you must keep.

Key takeaways
Do not collect what you can’t protect. Prefer attribute proofs over document uploads.
Limit blast radius. Separate systems, short retention, hard deletion, and vendor access that is time-boxed and device-checked.
Contract like you mean it. Specify MFA, device compliance, immutable logging, breach SLAs, and verifiable deletion in vendor agreements.
Prepare your Right-to-Work path now. Choose flows that avoid copying and storing underlying documents.

Action checklist for SMB owners
Map every place you’re collecting ID or age proof today. Kill non-essential collection.
Where age is required, adopt attribute-based verification that proves “over 18” without revealing full identity.
Move any remaining uploads behind automatic redaction, strict retention, and encryption with keys you control.
Enforce vendor MFA via your IdP, require compliant devices, and review access logs weekly.
Run DPIAs for onboarding, support and HR flows that touch identity documents.
Rehearse your breach comms. Aim to say: “only an age token was exposed, not source documents.”

Chapter outline
Setting the scene: a breach born in the support queue
Why ID uploads are a liability multiplier
The UK’s digital ID plan, without the spin
Vendor risk is your risk
Practical fixes you can implement before lunch
Q&A and what to do if you uploaded ID to Discord

If you think you’re affected
Treat notices as real; monitor credit; be alert to targeted phishing; don’t re-upload documents to unsolicited “verification” links.

Support the show
Subscribe, rate and review. Share this episode with a business owner who still stores passport scans in their helpdesk. Send questions or topic requests for future episodes.
Microsoft has released the October 2025 Patch Tuesday update, and the numbers tell a serious story: 172 security flaws patched, six of them zero-day exploits already in the wild. For UK small businesses, this is more than routine maintenance; these updates protect against vulnerabilities that attackers are actively exploiting to break into systems like yours.

Graham Falkner cuts through the technical jargon to explain what these updates actually mean for your business, shares a real-world story of a local bakery that nearly lost everything, and walks through the practical steps you need to take today.

Key Topics Covered

The Scale of the Problem
172 total vulnerabilities patched across Microsoft's ecosystem
Six zero-day flaws (actively exploited or publicly known before patches released)
Eight critical vulnerabilities that could allow unauthorised code execution
Elevation of privilege, remote code execution, and information disclosure threats

Windows 10: End of an Era
15 October 2025 marks the final day of free security updates for Windows 10
Extended Security Updates (ESU) now required for continued protection
Time to seriously plan your Windows 11 migration or budget for ESU costs

Real-World Impact
Linda's Bakery nearly lost a week's worth of turnover after ransomware exploited an unpatched zero-day vulnerability. The attack was fast, the data was locked, and only a quick backup restoration saved her business. Graham uses this story to demonstrate why these updates have tangible consequences for small businesses across the UK.

Windows 11 October 2025 Features
Beyond patching vulnerabilities, the October update brings nine useful new features for Windows 11 versions 25H2 and 24H2:
Improved Phishing Protection: Enhanced defences that make it genuinely harder for dodgy links to trick your staff. Think of it as a digital bouncer for your inbox.
Enhanced Device Control Settings: Brilliant if you operate in an environment where staff might plug in random gadgets. (Yes, coffee shop owners with drawers full of mystery USB sticks, we're looking at you.)
Wi-Fi Security Dashboard: No IT degree required. Plain-language summary of your network's safety status that anyone can understand.
Built-in Password Manager Improvements: Now flags when you've reused weak passwords. No more scribbling your favourite biscuit on a Post-it and hoping for the best.
AI Actions in File Explorer: Smarter file organisation and quick task shortcuts
Notification Centre on Secondary Monitors: Finally works properly where you click it
Moveable System Indicators: Customise where volume and brightness indicators appear
Administrator Protection: Additional security layer for privileged accounts
Passkey Support for Third-Party Providers: More flexibility in authentication methods

Practical Action Steps

Immediate Tasks (This Week)
Schedule Your Updates: Block out an hour when losing a computer for a reboot won't derail your entire operation. Updates can be inconvenient, but getting compromised because you delayed them is far worse.
Verify Installation Success: Don't assume updates installed correctly. Open Windows Update settings and check for failed installations. Graham shares a personal story about his jukebox PC that reinforces this point.
Back Up Before Updating: Protect your important data before applying updates. If something breaks, you'll need that backup to restore operations quickly.

Recovery Planning
Know Your Rollback Options: Windows lets you roll back recent updates through the Advanced Recovery menu. Don't wait until disaster strikes to learn how this works.
Document Your Process: Have a written plan for what to do if an update causes problems. Graham learned this the hard way when his vinyl room jukebox went silent for days.

Long-Term Security Habits
Regular Review Schedule: Treat security reviews like your car's MOT. Schedule them in your diary and actually do them. Ask yourself: "Are my defences still relevant to the threats out there?"
Consider Automation: Intrusion detection tools and vulnerability scanners aren't just for large multinationals anymore. They fit comfortably into small business operations, often catching and patching issues before you even know they exist.
Staff Training: Technology can only protect you so far. The biggest security gaps usually sit between the keyboard and the chair. Regular training on spotting dodgy emails and not clicking every link matters more than you think. All the AI in the world means nothing if someone opens the virtual front door for attackers.

Key Quotes from the Episode
"When you've got bugs that can lead to unauthorised access, stolen data, or a business-crippling ransomware attack, you simply can't afford to fall behind."
"These updates have real-world impact. I'm not talking theoretical."
"Don't leave your business exposed whilst attackers are combing these patch notes, looking for firms running behind."
"Not updating isn't just risky, it's old-fashioned."
"The strongest business is the one that learns just a bit faster than the crooks."

UK Business Context

Why This Matters for Small Businesses
Whether you're a florist in Aberdeen or a solicitor's office in Kent, cybersecurity isn't about ticking an IT box. These updates protect your ability to keep the cash register ringing and maintain customer trust. Business-crippling ransomware attacks don't just happen to large corporations. Small businesses are increasingly targeted because attackers know you often lack dedicated IT resources and may be running behind on updates.

Regulatory Considerations
Whilst Graham doesn't dive deep into compliance in this Hot Take, remember that unpatched systems can create regulatory headaches:
GDPR obligations require appropriate security measures
ICO enforcement takes security seriously
Professional indemnity insurers increasingly audit cybersecurity practices
Client trust depends on demonstrating you protect their data properly

Technical Details (For the IT-Minded)

Vulnerability Breakdown
80 Elevation of Privilege vulnerabilities
31 Remote Code Execution flaws
28 Information Disclosure issues
11 Security Feature Bypass vulnerabilities
11 Denial of Service flaws
10 Spoofing vulnerabilities
1 Tampering vulnerability

Notable Zero-Days Patched
CVE-2025-24990: Agere Modem driver vulnerability (actively exploited)
CVE-2025-59230: Windows Remote Access Connection Manager (actively exploited)
CVE-2025-24052: Agere Modem driver (publicly disclosed)
CVE-2025-2884: TPM 2.0 implementation flaw
CVE-2025-0033: AMD EPYC processor vulnerability
CVE-2025-47827: IGEL OS Secure Boot bypass

Removed Components
Microsoft removed the Agere Modem driver (ltmdm64.sys) after evidence of abuse for privilege escalation. If you rely on Fax modem hardware using this driver, it will cease functioning after this update.

Resources and Further Reading

Official Microsoft Sources
Microsoft October 2025 Patch Tuesday Security Update Guide
Windows 11 Version 25H2 Known Issues
Windows 10 Extended Security Updates Information

Third-Party Analysis
BleepingComputer: October 2025 Patch Tuesday Coverage
Windows Central: 9 New Features in October Update
Cybersecurity News: Detailed Vulnerability Analysis

UK-Specific Resources
NCSC Small Business Guide
Cyber Essentials Scheme
ICO Data Protection Guidance

Episode Credits
Host: Graham Falkner
Production: The Small Business Cyber Security Guy Podcast
Copyright: 2025 - All Rights Reserved

Call to Action

Help Other Small Businesses Stay Secure
Like this Hot Take if you found it useful
Subscribe to catch every episode as we release them
Share with other UK small business owners who need to hear this
Comment with your own update horror stories or success stories
Your engagement helps us reach more small businesses who desperately need practical cybersecurity guidance. Every share might save another business from becoming next month's ransomware statistic.

Stay Connected
Visit thesmallbusinesscybersecurityguy.co.uk for:
Complete episode archive
Written guides and checklists
Additional resources for UK small businesses
Ways to submit questions for future episodes

Related Episodes
Looking for more context on topics mentioned in this Hot Take? Check out these related episodes:
Episode 17: Social Engineering - The Human Firewall Under Siege. Why staff training matters more than you think, and how attackers exploit human psychology
Episode 10: White House CIO Insights Part 3 - Advanced Threats & AI. AI-powered attacks and how small businesses can defend against sophisticated threats
Enhanced Supply Chain Security. Understanding vendor dependencies and how updates fit into broader security strategy
Ministers have sent an urgent letter to UK business leaders after the NCSC handled 204 nationally significant cyber incidents in the past year, with 18 "highly significant" incidents – a 50% increase for the third consecutive year. Join Mauven MacLeod and Graham Falkner as they unpack the government's wake-up call and translate ministerial warnings into concrete actions every business leader can take today.

What You'll Learn
Why the Chancellor and three Cabinet Ministers personally co-signed an urgent letter to UK business leaders (Ministerial letter on cyber security)
The shocking NCSC statistics: nearly half of all incidents were nationally significant, with highly significant incidents up 50%
Real-world impact: empty supermarket shelves, healthcare disruption causing deaths, and £300m+ losses for single organisations
The three specific government requests that will have an immediate impact on your cyber resilience (Ministerial letter on cyber security)
Practical first steps you can take this week (most are free)

Key Quotes
"Any leader who fails to prepare for that scenario is jeopardising their business's future... It is time to act." - Richard Horne, CEO of NCSC
"Hostile cyber activity in the UK is growing more intense, frequent and sophisticated. There is a direct and active threat to our economic and national security." - Ministerial Letter, 13 October 2025 (Ministerial letter on cyber security)
"While you can plan meticulously, nothing truly prepares you for the moment a real cyber event unfolds. The intensity, urgency and unpredictability of a live attack is unlike anything you can rehearse." - Shirine Khoury-Haq, CEO of The Co-op Group

Resources Mentioned
Ministerial Letter (13 Oct 2025)
NCSC Annual Review 2025
Free Cyber Governance Training for Boards
Early Warning Service (Free) - 13,000+ organisations already signed up
Cyber Essentials - 92% reduction in insurance claims
Cyber Action Toolkit - Free for small businesses

Take Action This Week
Sign up for NCSC Early Warning (free)
Read the ministerial letter
Add cyber security to your next Board agenda
Check if MFA is enabled on critical systems

About the Hosts
Mauven MacLeod - Ex-NCSC cyber security expert with Glasgow roots who translates government-level threat intelligence into practical advice for small businesses.
Graham Falkner - The unmistakable voice from UK cinema trailers, now bringing his theatrical gravitas and storytelling skills to demystify cybersecurity for business leaders.

Connect
Visit our blog: thesmallbusinesscybersecurityguy.co.uk
Like the show? Subscribe, leave a review, and share with colleagues.

Episode Length: ~8 minutes

Bottom line: Nearly half of NCSC incidents are now nationally significant. It's time to act.
We were wrapping up our interview with Tammy Buchanan about the Kido nursery breach when she said: "Actually, there were some really important points I forgot to make." So we grabbed another cup of tea, broke out the custard creams, and kept recording.

Then, during the tea break, Graham discovered something on Twitter: VX-Underground, a credible malware research collective, had posted a screenshot of what appears to be a Kido GitHub repository containing API code. Files that typically contain system credentials. A potential smoking gun.

In Part 2, Tammy reveals what was missed in Part 1, including the game-changing fact that cybersecurity is now officially linked to safeguarding in the 2025 Keeping Children Safe in Education guidance. We examine the repository screenshot and discuss what it suggests about how breaches like this happen.

This isn't theory. This appears to be a real-world example of the vulnerability that could lead to children's data being stolen. And your child's school might have the same exposure.

Recorded in the same session as Part 1. This is what happens when cybersecurity news moves faster than podcast recording sessions.

Currently ranked in the Top 100 Apple Business Podcasts (US)

This episode is sponsored by Authentrend Biometric Hardware

Why Listen to Part 2?
If you listened to Part 1 and thought "that's bad but it won't happen to us," Part 2 will change your mind.
The game-changer: Cybersecurity is now safeguarding, not just IT. Schools can't ignore it anymore.
The smoking gun: A screenshot showing what appears to be exposed code, the exact type of vulnerability experts warn about.
The corrections: What we got wrong in Part 1, and why the reality is even more serious.

What You'll Learn

The Major Revelations

Cyber Security = Safeguarding (2025 Guidance)
First time explicitly linked in statutory guidance
Changes everything about how schools must respond
Makes Kido a safeguarding failure, not just IT breach
Gives cyber the legal teeth it's never had

The Repository Screenshot
VX-Underground documented what appears to be Kido's code
Files that typically contain credentials visible
Repository has since been removed
Suggests how breach may have occurred

Partial MFA = No MFA
Schools enable MFA for head teachers but not everyone
Like "locking doors but leaving windows open"
Must be ALL staff with system access or it's useless

The Third Party Illusion
Schools think IT providers handle compliance
DfE Standards explicitly say schools must verify
Cannot outsource responsibility

Practical Takeaways
Why phone-based MFA conflicts with safeguarding policies (and what to do)
The NCSC Cyber Assessment Framework for schools
Questions to ask developers about code repositories
How to audit custom software
What "Time Off In Lieu" means for training

The VX-Underground Discovery (Important Context)

What We Can Confirm
On 28 September 2025, VX-Underground (a credible malware research collective) posted a screenshot showing what appears to be a GitHub repository:
Repository name: kido-fullstack/mykido-api
Files visible: Including mail.py (typically contains email credentials in Python apps)
Repository stats: 2 contributors, 0 issues, 0 stars, 0 forks
Current status: Repository has been removed
VX-Underground's assessment: Called it "f**king slop piece of s**t"
See: https://www.instagram.com/reel/DPUjd9mj2tG/

What We Cannot Independently Verify
The actual contents of the files (repository is down)
Whether repository was public or had limited visibility
That this definitively caused the breach
What specific credentials may have been present

Why It Matters
This screenshot shows the exact type of vulnerability cybersecurity experts warn about:
Custom code pushed to repositories without proper security review
Files that typically contain credentials visible in structure
Pattern common in education sector (confirmed by Tammy)
Explains how Famly data could be accessed without Famly infrastructure breach
We present this as a plausible explanation based on professional analysis, not as a confirmed fact.

The Safeguarding Game-Changer

2025 Keeping Children Safe in Education Guidance
For the first time, statutory safeguarding guidance for UK schools explicitly mentions taking appropriate actions to meet the Cyber Security Standard.
What this means:
Cybersecurity is no longer optional IT work
It's a safeguarding responsibility with Ofsted implications
Schools respond to safeguarding requirements (unlike IT recommendations)
Governors have safeguarding oversight duties that now include cyber
The Kido breach is officially a safeguarding failure
When it takes effect: The 2025 guidance is already in force. Schools should be implementing now.
Why schools don't know: Most haven't read the updated guidance yet. Awareness is the first problem.

Critical Corrections from Part 1

1. The MFA Misconception
What we said in Part 1: "Only 50% of schools have MFA enabled"
What Tammy clarified: That 50% is misleading because many schools have partial MFA - only for senior staff like head teachers and SENCOs.
The reality: Partial MFA = NO MFA. It's like locking your front door but leaving all the windows open. Attackers target the weakest link, not the strongest.
The phone problem: Many MFA solutions require phones for authentication, but safeguarding policies ban phones in classrooms. Schools need hardware tokens or authenticator apps on shared devices.
Where MFA works: Primarily email systems currently - but email is the gateway to everything else (password resets, system access, parent communications).

2. The Compliance Responsibility Myth
The misconception: "We pay an IT company, so they're handling DfE Digital Standards compliance for us."
The reality: DfE Standards explicitly state it's the organisation's responsibility to ask: "Are we meeting this standard? How do we meet this standard?"
What IT providers should do: Help implement technical controls
What schools must do: Verify compliance is actually happening
Who's responsible: School leadership, governors, senior management - not outsourceable

3. Training and TOIL
Correction: Staff must be given Time Off In Lieu (TOIL) for cybersecurity training. They cannot be expected to complete training unpaid outside work hours.
Why it matters: Schools operating on tight budgets must account for training time in scheduling and costs.

Resources Mentioned

Statutory Guidance and Standards
Keeping Children Safe in Education 2025
Statutory safeguarding guidance for schools
First explicit link between cybersecurity and safeguarding
Available: UK Government website / DfE publications
ACTION: Read Section on Cyber Security Standard
DfE Digital Standards for Schools
Sets out cyber security requirements
Six standards schools should meet by 2030
Schools must actively verify compliance
ACTION: Ask your school "Are we meeting these?"

Free Security Resources
NCSC Cyber Assessment Framework (CAF)
Designed specifically for small businesses and schools
Written in accessible language (not technical jargon)
Covers: access control, incident management, supply chain security
Free to use
LINK: ncsc.gov.uk
NCSC Early Years Settings Guidance
Bespoke guidance for nurseries
Practical steps for settings without IT expertise
LINK: ncsc.gov.uk
GitHub Secret Scanning
Free for public repositories
Detects exposed credentials in code
Schools should use if they have repositories
ACTION: Enable on all repositories

Tammy's Resources
DfE Digital Standards Webinars
Regular sessions explaining standards in simple terms
How to track progress and implementation
Contact Tammy for upcoming dates

Guest Expert

Tammy Buchanan
Title: Senior Data Protection Consultant
Organisation: Data Protection Education
Background: 15 years in UK education sector; 12 years working directly in schools (8 years technician, 4 years IT manager); "Recovering Dave from IT"
What makes Tammy credible: She's not a theoretical expert. She's been the person fixing school printers at 8am, dealing with budget constraints, navigating safeguarding policies. When she says "schools don't have the expertise," she's speaking from lived experience.
Expertise:
Data protection compliance in education
Information security for schools and MATs
DfE Digital Standards implementation
GDPR for the education sector
Cyber resilience on school budgets
Contact Tammy:
Email: info@dataprotection.education
LinkedIn: Tammy Buchanan (personal) / Data Protection Education (company page)
Services:
Compliance assessments
DfE Digital Standards webinars
Data protection consultancy for schools and MATs
Incident response support

Questions Parents Should Ask Their School
Copy these questions and email them to your head teacher:

Security Basics
Do you have multi-factor authentication (MFA) enabled for ALL staff with system access (not just senior leadership)?
How often do staff receive cybersecurity training, and is Time Off In Lieu provided for this training? Where is your incident response plan, and when was it last tested? Custom Software and Code Do we have any custom-built software, integrations, or scripts? If yes: Where is the source code stored? (GitHub, GitLab, etc.) Who has access to our code repositories? Have repositories been scanned for exposed credentials? Do former developers or contractors still have access to our systems? Compliance and Governance Are we meeting the DfE Digital Standards, and how is this verified? Who on the governing body is responsible for data protection and cyber resilience? How are you addressing cybersecurity as part of your safeguarding responsibilities under the 2025 Keeping Children Safe in Education guidance? Third Party Platforms Which platforms hold our children's data? (Famly, Tapestry, Arbor, etc.) How do you verify these platforms are securely configured? Does our IT provider handle compliance verification, or do you verify it yourselves? Don't accept: "We have an IT company, they handle all thi
Episode Description
Following the Kido nursery breach where 8,000 children's photos were stolen and posted online, we sit down with education sector expert Tammy Buchanan. With 15 years working in UK schools and now consulting on data protection compliance, Tammy reveals the shocking reality of cybersecurity in British education. From nurseries using platforms like Famly and Tapestry to primary schools struggling with basic MFA implementation, this conversation exposes systematic failures that put every child's data at risk. If you're a parent, school governor, or education professional, this episode will change how you think about school security.

Currently ranked in the Top 100 Apple Business Podcasts (US)

What You'll Learn
Why only 50% of schools have multi-factor authentication enabled
The difference between early years providers and mainstream schools
How photo-rich platforms create unique vulnerabilities for nurseries
Why DFE digital standards remain unknown to most schools
The governance problem: volunteers without power
Who actually gets things done when head teachers won't prioritise security
Why schools keep breaches quiet and what that means for parents
Practical steps parents can demand from their child's school today
The Cyber Essentials challenge for small schools with limited budgets
How COVID pushed schools years ahead without proper security foundations

Guest Contact Details
Tammy Buchanan
Senior Data Protection Consultant
Data Protection Education
Email: info@dataprotection.education
LinkedIn: Search for Tammy Buchanan or visit the Data Protection Education company page
Website: Data Protection Education
Tammy and her team (including a solicitor) work with schools across the UK on data protection compliance, information security, and cyber resilience. They provide free resources and news updates for schools on their LinkedIn page.

Resources Mentioned
Government and Regulatory:
DFE Digital Standards (Department for Education)
NCSC (National Cyber Security Centre) staff training resources
ICO (Information Commissioner's Office) breach log and guidance
Ofsted inspection framework
Safeguarding regulations
Platforms Discussed:
Famly (early years learning journey platform)
Tapestry (early years learning journey platform)
Arbor (school management information system)
Bromcom (school management information system)
Security Standards:
Cyber Essentials certification
Multi-factor authentication (MFA) implementation
Incident response planning
Additional Resources:
The Small Business Cyber Security Guy blog: thesmallbusinesscybersecurityguy.co.uk
Data Protection Education news page (free resources for schools)

Key Statistics from This Episode
50% or less of schools have MFA enabled
8,000 children's photos stolen in the Kido breach
12 years Tammy worked directly in schools before consulting
15 years Tammy has been in the education sector overall
2030 target date for schools to meet six DFE digital standards

Questions Parents Should Ask Their School
Do you have multi-factor authentication enabled on all systems?
How often do staff receive cybersecurity training?
Where is your incident response plan and when was it last tested?
Who on the governing body is responsible for data protection and cyber resilience?
Are you working towards the DFE digital standards?
Which third-party platforms hold my child's data and photos?
How do you monitor and configure security settings on these platforms?

Key Takeaways
For Parents:
Schools are having breaches regularly but keeping them quiet
Most schools lack basic security like MFA
Your child's photos on learning journey apps create unique risks
You have the right to ask questions about data protection
Schools respond to parental pressure
For School Leaders:
Documentation matters for ICO compliance
Training needs updating regularly, not the same video for three years
Incident response plans are useless if nobody knows where they are
School business managers need authority, not just responsibility
Other schools' examples work better than external expert advice
For Governors:
Cybersecurity needs to be statutory to get real traction
Digital lead on governing body remains unfilled at many schools
You need both knowledge and authority to make change happen
Physical security analogies help boards understand cyber risks

The Big Picture
This episode exposes a systematic failure in UK education cybersecurity. Schools operate under considerable constraints, including volunteer governance, stretched budgets, and part-time IT support. Meanwhile, they hold treasure troves of children's data on platforms configured by people who lack security expertise. The Kido breach reveals what happens when one password unlocks 8,000 children's intimate moments. Most schools are one credential compromise away from the same fate. Until cybersecurity becomes statutory or linked to Ofsted inspections, progress will remain painfully slow.

Connect With The Show
Website: thesmallbusinesscybersecurityguy.co.uk
Subscribe: Available on all major podcast platforms
Social Media: Find us on LinkedIn
Help us grow: Leave a review, subscribe, and share this episode with parents, teachers, and school governors who need to hear this message.
Host Graham Faulkner dives into Windows 11 25H2 in this solo episode, explaining why this understated update matters for security, stability, and small-business productivity. He breaks down how 25H2 arrives as an Enablement Package (EKB), what that means if you’re already on 24H2, and why the streamlined rollout keeps disruptions to a minimum. The episode covers key technical and practical changes: removal of legacy components like PowerShell 2.0 and WMIC, continued performance improvements (CPU scheduling, memory management, faster startups), and expanded Wi‑Fi 7 support. Graham highlights Microsoft’s shift toward continuous monthly innovation and why that helps maintain a more secure, reliable environment without waiting for big yearly releases. Security is a major focus: Graham explains Microsoft’s Secure Future initiative, which brings AI-assisted secure coding and enhanced vulnerability detection into the development and post-release lifecycle. He frames these advances for small business owners, showing how better detection and automated security practices reduce risk and downtime. Practical deployment and lifecycle details are explained clearly: support-cycle resets (24 months for Home/Pro, 36 months for Enterprise/Education), how to get 25H2 via the “Get the Latest Updates” toggle, controlled rollouts and device holds, and enterprise deployment options like Windows AutoPatch and the Microsoft 365 Admin Center. He also covers admin-friendly improvements such as removing preinstalled Microsoft Store apps with Intune or Group Policy. The episode closes with hands-on advice: check the Windows Release Health Hub for known issues, back up critical machines before upgrading, verify driver and app compatibility, and prepare rollback plans for important systems. 
Graham adds a personal anecdote about preparing his vinyl-catalog PC for the update and stresses that 25H2 is about steady, practical improvements—safer, faster, and less disruptive for both single machines and fleets.
In 40 years of Information Technology work, Noel Bradford has never been this angry. On September 25th, 2025, the Radiant ransomware gang stole personal data from 8,000 children at Kido International nurseries, posted their photos and medical records online, and then started calling parents at home to demand ransom payments. This isn't just another data breach. This is the moment cybercrime lost whatever soul it had left. In this raw, unfiltered episode, Noel breaks down exactly what happened, why the security failures that enabled this attack exist in thousands of UK small businesses right now, and what you need to do immediately to protect your organisation from becoming the NEXT headline.

WARNING: This episode contains strong language and discusses disturbing tactics used by cybercriminals. Parental guidance advised.

What You'll Learn
The complete timeline of the Kido ransomware attack and how it unfolded
Why hackers spent weeks inside the network before striking
The new escalation tactic of directly contacting victims' families
Five critical security failures that allowed 8,000 children's records to be stolen
Why "we're too small to be targeted" is the most dangerous lie in business
The regulatory consequences Kido faces under UK GDPR
Immediate action steps every small business must take NOW
Why this attack signals a fundamental shift in cybercrime tactics

Key Takeaways
The Five Critical Failures
Initial Access Was Preventable - Likely phishing, weak passwords, or unpatched vulnerabilities
No Monitoring - Weeks of dwell time with zero detection
No Network Segmentation - Hackers accessed everything once inside
No Data Loss Prevention - 8,000 records exfiltrated without triggering alarms
Inadequate Backups - No mention of restoration from clean backups

New Threat Landscape Reality
Ransomware gangs now directly contact victims' families
Children's data is being weaponised for psychological pressure
Moral boundaries in cybercrime have completely dissolved
Attack tactics proven successful will be replicated by other groups

Business Impact Statistics
43% of UK businesses suffered a breach in the past year
Nearly 50% of primary schools reported cyber incidents
60% of secondary schools experienced attacks
The education sector is particularly vulnerable

Featured Experts & Sources
Government & Law Enforcement:
Metropolitan Police Cyber Crime Unit
Information Commissioner's Office (ICO)
Jonathon Ellison, Director for National Resilience, National Cyber Security Centre
Cybersecurity Experts:
Rebecca Moody, Head of Data Research, Comparitech
Anne Cutler, Cybersecurity Expert, Keeper Security
Mantas Sabeckis, Infosecurity Researcher, Cybernews
Direct Victims:
Stephen Gilbert, Parent with two children at Kido nursery
Threat Actors:
Radiant Ransomware Gang (claims to be Russia-based)

Immediate Action Checklist
Do These TODAY:
Enable multi-factor authentication on ALL business accounts
Check that all software is updated to the latest versions
Review who has access to sensitive data
Verify backups exist and are stored offline
Schedule staff phishing awareness training
Do These This Week:
Audit your network segmentation
Implement monitoring and alerting systems
Review password policies across the organisation
Create an incident response plan
Assess cyber insurance coverage
Do These This Month:
Conduct a full security audit
Test backup restoration procedures
Implement data loss prevention tools
Review vendor and third-party security
Schedule penetration testing

Resources Mentioned
Government Resources
National Cyber Security Centre: https://www.ncsc.gov.uk/
Information Commissioner's Office: https://ico.org.uk/
Met Police Cyber Crime Unit: https://www.met.police.uk/advice/advice-and-information/fa/fraud/online-fraud/cyber-crime/
UK Cyber Security Breaches Survey: https://www.gov.uk/government/collections/cyber-security-breaches-survey
Cybersecurity Companies
Comparitech: https://www.comparitech.com/
Keeper Security: https://www.keepersecurity.com/
Cybernews: https://cybernews.com/
Legal & Compliance
UK GDPR Guidance: https://ico.org.uk/for-organisations/guide-to-data-protection/
Children's Data Protection: https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/children-and-the-uk-gdpr/

Episode Quotes
"What happened to Kido International this week represents the absolute lowest point I've witnessed in 40 years of cybersecurity."
"These hackers didn't just encrypt some files and demand payment. They actively posted samples of children's profiles online. Then they started ringing parents directly."
"You're not special. You're not too small. You're not immune. You're just next on the list unless you take action."
"The hackers claim they 'deserve some compensation for our pentest.' Let that sink in. They're calling this a penetration test."
"A child's photo, name, and home address in criminal hands. This data doesn't expire. It doesn't get less valuable. It just sits there, a permanent risk to these families."
"None of these failures are unique to nurseries or large organizations. I see the same problems in small businesses every single week."
"You're making the same mistakes that led to 8,000 children's data being posted on the dark web. The only difference is scale."

Discussion Questions
How would you respond if your business were to experience a similar attack?
What security measures do you currently have in place?
Do you know where your most sensitive data is stored and who can access it?
When was the last time you tested your backup restoration?
How would you handle direct contact from threat actors?

Connect With Noel Bradford
Website: The Small Business Cyber Security Guy
Email: hello@thesmallbusinesscybersecurityguy.co.uk
LinkedIn: Noel Bradford

Need Help With Your Cybersecurity?
Equate Group

Support The Podcast
If this episode made you think differently about cybersecurity, please:
⭐ Leave a 5-star review on Apple Podcasts
📢 Share this episode with other business owners
📧 Subscribe to get every new episode
💬 Join the conversation on social media using #KidoHack

Legal Disclaimer
The information provided in this podcast is for educational and informational purposes only. It does not constitute legal, financial, or professional cybersecurity advice. Always consult with qualified professionals regarding your specific situation. Opinions expressed are those of the host and do not necessarily reflect the views of any organisations mentioned.

Transcript
Full episode transcript available at: TBC

Episode Tags
#Cybersecurity #Ransomware #DataBreach #SmallBusiness #KidoHack #UKBusiness #CyberCrime #DataProtection #GDPR #InformationSecurity #CyberAwareness #ThreatIntelligence #BusinessSecurity #RansomwareAttack #ChildSafety

© 2025 The Small Business Cyber Security Guy Podcast. All rights reserved.
Join hosts Noel Bradford and Mauven MacLeod in this Back-to-School special of the Small Business Cybersecurity Guy podcast as they trace a line from 1980s schoolroom mischief to modern, large-scale breaches that put millions of students and small organisations at risk. Through recollections of early BBC Model B and Novell-era antics, the episode uses real recent incidents to expose how weak passwords, written credentials and opportunistic insiders create systemic security failures.

The episode unpacks headline-making investigations and statistics, including the ICO analysis showing that students are behind a majority of school data breaches, the PowerSchool compromise that affected tens of millions of records and led to extortion demands, and targeted campaigns such as Vice Society and the evolving Kido International incident. The hosts explain the motivations behind student-led breaches (curiosity, dares, financial gain, and revenge) and how those same drivers also appear within small businesses. Noel and Mauven explain why insider threats matter, even when they aren't sophisticated: most breaches exploit simple weaknesses, such as reused or guessable passwords, written notes, shared admin accounts, and a lack of access controls. Producer Graham contributes a live update on ongoing incidents, and the episode highlights how these events translate into operational disruptions, including school closures, days of downtime, and long-term reputational and legal fallout.

Practical defence is the episode's focus: clear, actionable guidance covers immediate steps (audit access, enable multi-factor authentication, remove unnecessary privileges), short-term actions (implement logging and monitoring, deploy password managers, set up incident response procedures) and longer-term resilience measures (regular access reviews, backups, staff training and cultural change). The hosts emphasise designing security around human behaviour so staff follow safe practices instead of working around them. Listeners will get a concise checklist of recommended technical controls (MFA, role-based access, privileged account separation, activity logging and reliable backups) alongside cultural advice: leadership buy-in, recognisable rewards for good security behaviour, and channels for curious employees to learn responsibly. The episode also highlights regulatory shifts, such as the introduction of mandatory Cyber Essentials for certain educational institutions, and links these requirements to small business risk management.

Expect vivid anecdotes, practical takeaways and a clear call-to-action: if a curious teenager can bypass your systems, it's time to harden them. Whether you run a two-person firm or a growing small business, this episode provides the context, evidence, and step-by-step priorities to reduce insider risk, detect misuse quickly, and recover from incidents without compromising your customers' trust.
Co-op's CEO has just confirmed that their cybersecurity disaster cost £80 million. The attackers? Teenagers using basic social engineering. In this Hot Takes episode, we break down how "We've contained the incident" turned into an £80 million earnings wipeout, and why the final bill could reach £400-500 million once legal claims are settled. This isn't just another breach story - it's a wake-up call for every UK business owner who thinks "it won't happen to us."

Key Topics Covered
The Attack Breakdown [0:30]
April 2024 attack by the Scattered Spider group
Social engineering, not sophisticated exploits
6.5 million members affected (100% of Co-op members)
2,300 stores disrupted, 800 funeral homes on paper systems

The Real Cost [1:45]
£80 million confirmed earnings impact
£206 million total sales impact
£20 million in direct incident costs
Zero cyber insurance coverage

Why It Could Get Much Worse [2:30]
Pending ICO fine: £15-20 million likely
Individual GDPR compensation claims: £25-£150 per person
Potential £325 million member compensation exposure
Final bill estimate: £400-500 million

Lessons for UK Small Businesses [3:15]
Social engineering beats technical defences
Cyber insurance is essential, not optional
Business continuity failures amplify costs
Training matters more than firewalls

Key Statistics
£80 million - Confirmed earnings impact
6.5 million - Customers affected (every single member)
£12 - Cost per affected customer (low by UK standards)
£325 million - Potential member compensation exposure
17-20 years old - Age of arrested suspects
2,300+ - Stores affected by operational disruption

Resources & Links
Full Analysis: Read the complete breakdown: Link
Key Sources Cited:
ICO Statement on Retail Cyber Incidents
Computer Weekly: Co-op breach coverage
Insurance Insider: Co-op's lack of cyber coverage
UK Government Cyber Security Breaches Survey 2025

Action Items for Listeners
Check your cyber insurance policy - Do you have coverage? Is it adequate?
Review employee training - When was the last time your team received social engineering awareness training?
Test business continuity - Can your operations survive 2 weeks offline?
Read the full blog post - Get all the details and cost breakdowns

Quote of the Episode
"Co-op's disaster isn't a cybersecurity failure. It's a business leadership failure. And if you're listening to this thinking your business is different, you're next."
Date: 23 September 2025

Host Mauven MacLeod delivers a furious, fast-paced analysis of two seismic cyber incidents and what they mean for UK and global businesses. This episode examines the Jaguar Land Rover and Collins Aerospace ransomware attacks, the human-driven methods that enabled them, and why they represent the first significant test of the EU's Digital Operational Resilience Act (DORA). Topics covered include the scale of the damage (JLR reportedly losing up to £5 million per day and sector-wide losses potentially exceeding £1 billion), the criminal methodology (simple social engineering and help-desk manipulation by groups linked to Lapsus-style actors), and the cascading supply-chain impacts across automotive and aviation sectors. The episode references confirmations from Anissa about Collins' ransomware compromise and notes reactions from industry figures such as Chris MacDonald at the Department for Business and Trade, as well as large providers like Tata Consultancy Services, Microsoft and RTX/Collins Aerospace.

Key points you'll take away: these attacks were largely preventable with basic controls (MFA with hardware keys, formal helpdesk identity verification, callback confirmation, network segmentation and focused security training), yet failures persist even at well-resourced organisations. Crucially, the episode explains DORA's cross-border reach (applicable since 17 January 2025), how EU authorities can designate critical ICT third-party providers (including non-EU firms), the reporting and continuity obligations this triggers for financial entities, and the potential penalties (including fines up to around 1% of global turnover) and oversight mechanisms now coming into play.

Practical guidance for listeners covers immediate steps: map vendor dependencies and identify any providers serving EU financial entities; review and update contracts for DORA alignment; update incident response and continuity plans to reflect DORA reporting requirements; and deploy low-cost, high-impact controls like hardware MFA, strict helpdesk processes and segmentation. The episode also critiques the UK government's reactive crisis management during these incidents and warns of an accelerating enforcement wave: designations, cross-border scrutiny and contractual overhauls are expected to intensify through 2025. Ultimately, Mauven argues this is the start of a new era, one where regulatory exposure flows through vendor dependencies and where organisational will, not technical capability, is the biggest barrier to resilience. Listeners will finish with a clear sense of urgency, the regulatory risks to assess, and concrete next steps to reduce operational and regulatory fallout from future incidents.
This episode explores the risks of relying on a single IT manager as an entire IT department. Hosts Noel Bradford and Mauven MacLeod unpack why paying one person a modest salary is not the same as buying a full team of specialists, and they share vivid real-world horror stories — from a sudden resignation that paralysed a 40-person engineering firm, to a ruined holiday when backups failed, to a marketing agency locked out by a burnt-out IT manager. Key topics include the cost mismatch between expectations and reality, how knowledge concentration creates critical single points of failure, signs that your IT lead is drowning (long hours, no lunch breaks, defensiveness, lack of documentation), and how poor management decisions can make things worse. Practical solutions are given: document everything, hire a competent number two rather than a trainee, engage managed service providers for specialist and 24/7 support, move critical services to cloud platforms to reduce on-site burden, and start with small, affordable steps like basic support contracts or break-fix services. The episode includes personal anecdotes from Noel (the "Donny" and zoo-day stories) and a discussion of when to involve external help, how to create continuity plans, and three immediate actions business owners can take today. Listeners are encouraged to have an open conversation with their IT person, assess real costs and risks, and take steps to protect both their systems and their staff from burnout and catastrophic failure.
Most small business owners think CIO stands for "Chief I-Fix-Everything Officer" and CISO means "Chief I-Worry-About-Security Officer." In this episode, Noel Bradford (actual CIO/CISO) breaks down what these executive roles actually do and why your business desperately needs this strategic thinking - without the six-figure salary. Discover how fractional CIO/CISO services let 20-100 employee businesses access Fortune 500 expertise for £15,000-35,000 annually instead of £120,000+ for full-time hiring.

What You'll Learn
The Real Difference Between CIO and CISO: Technology strategy vs security strategy (and why one person can do both).
Why Dave from IT Needs Help: The unfair burden of strategic decisions on operational staff.
Fractional Services Explained: How to get executive-level guidance for 8-12 hours per month.
ROI Reality Check: Technology inefficiencies probably cost you more than £15k annually.
Finding Quality Providers: Red flags vs genuine executive experience.
Integration Strategy: Treating fractional executives like Non-Executive Directors.

Key Takeaways
Strategic technology and security leadership isn't just for large corporations.
Fractional services cost £15,000-35,000 annually vs £120,000+ for full-time hiring.
Sound fractional executives enhance internal capabilities rather than replacing them.
Treat fractional CIO/CISO like Non-Executive Directors - invite them to board meetings.
Start with a current state assessment (£3,000-6,000) before ongoing engagement.

Diagnostic Questions
You probably need fractional CIO/CISO services if you answer "yes" to several of these:
Technology decisions are made reactively rather than strategically
Increasing tech spending without clear ROI visibility
Security/compliance concerns are constantly pushed down the priority list
Internal IT person making strategic decisions while handling operations
Current systems won't scale with business growth plans
Regulatory compliance anxiety about technology approaches

Episode Highlights
Real-World Example: A 15-person marketing agency saved £300/month and improved security by consolidating from multiple cloud storage solutions to a single strategic platform.
Cost Comparison: Fractional services at £150-350/hour for 8 hours monthly vs full-time CIO/CISO at £100,000-180,000 annually plus benefits and normal staffing costs.

Next Steps
Honest self-assessment of current technology/security decision-making
Calculate the annual cost of technology inefficiencies and security risks
Research fractional providers with genuine senior executive experience
Consider starting with the current state assessment project

Connect With Us
Hit subscribe, leave a review mentioning whether you're considering fractional services, and share with business owners making technology decisions without strategic guidance.
Remember: You don't need enterprise budgets to get enterprise thinking. And be kind to Dave - he's doing his best.

#FractionalCIO #FractionalCISO #CIO #CISO #ChiefInformationOfficer #ChiefInformationSecurityOfficer #FractionalExecutive #ITLeadership #TechnologyStrategy #SecurityStrategy #SmallBusiness #SMB #SmallBusinessOwners #Entrepreneurs #BusinessOwners #StartupLife #GrowingBusiness #ScaleUp #BusinessGrowth #SMBTech #ITStrategy #TechnologyLeadership #BusinessTechnology #ITManagement #DigitalTransformation #TechStack #CloudStrategy #ITBudget #TechnologyRoadmap #SystemsIntegration
September 2025 Patch Tuesday: Critical Business Update
Special Edition with Graham Falkner

Microsoft's September Patch Tuesday brings 81 security fixes, including 9 critical vulnerabilities already being exploited by attackers. This episode provides essential business guidance for small business owners navigating these updates safely and efficiently.

Key Topics Covered:
Business impact of 81 security vulnerabilities
Four critical threats affecting small businesses
SharePoint Server active exploitation campaigns
Network authentication bypass vulnerabilities
7-day practical deployment strategy
Windows 10 end-of-life planning (October 14th deadline)
Cyber Essentials compliance requirements

Critical Action Items:
Days 1-2: Assess SharePoint installations and document processing systems
Days 3-7: Deploy controlled testing and priority system updates
Days 8-14: Complete production environment deployment
Immediate: Audit all Windows 10 devices and plan migration

Windows 10 Urgent Notice: Support ends October 14th, 2025. This may be the final security update for Windows 10 systems. Extended Security Updates available at significant cost. Migration planning required immediately.

Compliance Requirements: Cyber Essentials certified organisations must deploy updates by September 23rd, 2025. Earlier deployment recommended for business risk management.

Vulnerable Systems Requiring Priority Attention:
SharePoint Server installations (under active attack)
Systems processing external documents and email attachments
Network authentication infrastructure
Customer data handling environments

Known Compatibility Issues:
PowerShell Direct connection failures in virtualised environments
SMB signing requirements affecting older network storage
MSI installer UAC prompt changes

Sources:
Microsoft Security Response Center - September 2025 Security Updates
Verizon 2024 Data Breach Investigations Report
UK GDPR Article 32 - Security of Processing Requirements
Cyber Essentials Certification Guidelines

Resources:
Comprehensive deployment guides, compatibility checklists, and Windows 11 migration planning available at: thesmallbusinesscybersecurityguy.co.uk
Technical support documentation: Microsoft KB5065426, KB5065431, KB5065429

Next Steps:
Subscribe for regular cybersecurity updates. Share with business owners who need this information. Visit our website for detailed implementation guidance.

This episode provides educational information only. Always implement cybersecurity measures appropriate to your specific business needs and risk profile.

Hashtags: #CyberSecurity #SmallBusiness #Windows10 #PatchTuesday #Microsoft #BusinessSecurity #ITSecurity #CyberEssentials #Windows11 #SecurityUpdates #BusinessContinuity #UKBusiness #Compliance #GDPR #CyberInsurance #NetworkSecurity #SharePoint #BusinessTech #InfoSec #DigitalSecurity
Episode Summary
The Electoral Commission suffered a 14-month data breach affecting 40 million UK voters, yet faced zero ICO enforcement action. Meanwhile, small businesses receive crushing GDPR fines for minor infractions. This explosive episode exposes dangerous double standards leaving SMBs vulnerable while government bodies escape accountability.

The Shocking Facts
- Breach Duration: 14 months (August 2021 - October 2022)
- Affected People: 40 million UK voters' data accessible
- Attack Method: ProxyShell vulnerabilities - patches available months before breach
- Attribution: Chinese state-affiliated actors (APT31)
- ICO Response: "No enforcement action taken"

Security Failures That Would Destroy Small Businesses
- Default passwords still in use
- No password policy
- Multi-factor authentication not universal
- Critical security patches ignored for months
- One account used original issued password

ICO's Dangerous Double Standard
While the Electoral Commission faces zero consequences for exposing 40 million people's data, small businesses routinely receive thousands in fines for single email attachment breaches. This regulatory hypocrisy creates false security expectations and leaves SMBs as easy targets for cybercriminals and regulators.

Immediate Action Required: Patch Tuesday Compliance
The Electoral Commission's breach used ProxyShell vulnerabilities (CVE-2021-34473, CVE-2021-34523, CVE-2021-31207) patched months earlier. Every day you delay Microsoft updates increases breach risk and regulatory exposure.

Critical Steps Today:
- Apply Microsoft Updates Now: Stop reading, patch systems, then continue
- Audit Password Security: Eliminate default, weak, or original passwords
- Implement Universal MFA: Multi-factor authentication on all accounts

Key Takeaways
- Government bodies receive preferential ICO treatment despite massive failures
- Small businesses face disproportionate scrutiny and penalties
- Basic security hygiene prevents most cyberattacks
- Professional cybersecurity help costs less than ICO fines
- Regulatory consistency doesn't exist - protect yourself accordingly

Why This Matters for Your Business
If the Electoral Commission can ignore basic cybersecurity for 14 months without consequences, imagine what happens when your business makes similar mistakes. The ICO needs examples - and it won't be government bodies.

Resources
- Microsoft Security Updates Portal
- NCSC Small Business Guidance
- ICO Data Protection Guidelines
- ProxyShell Vulnerability Database

Get Help
Need cybersecurity basics, patch management, or GDPR compliance help? Don't become the ICO's next small business example.
Email: help@thesmallbusinesscybersecurity.co.uk
Website: thesmallbusinesscybersecurity.co.uk

Related Episodes
- Episode 8: White House CIO Insights - Government Security
- Episode 9: Cyber Essentials Framework
- Episode 6: Shadow IT Risks

Keywords
#ElectoralCommissionhack, #ICO #doublestandards, #GDPR, #PatchTuesday, #Microsoftupdates, #ProxyShellvulnerability
🚨 SHOCKING: 60% of Small Businesses Shut Down Forever After Cyberattacks
96% of hackers target YOUR business, not big corporations. Think you're too small to be a target? Think again. Noel and Mauven reveal the brutal truth about cybersecurity that could save your business - or expose why you're already at risk.

💀 The Terrifying Reality:
- 82% of ransomware attacks target businesses under 1,000 employees
- Small business employees face 350% MORE attacks than enterprise workers
- Average cyber incident costs UK businesses £362,000
- Only 17% of small businesses have cyber insurance

🛡️ What You'll Discover:
- The FREE security fix that stops most attacks (costs nothing, takes 30 seconds)
- Why Multi-Factor Authentication is your business lifeline
- How Cyber Essentials certification makes you 92% less likely to get attacked
- Government programs most business owners don't know exist
- Why this is a BUSINESS issue, not an IT problem

🎯 Perfect For:
- Small & medium business owners
- Anyone worried about cyber threats
- Business leaders who think they're "too small" to be targeted
- Companies looking for practical, affordable security solutions

💡 Key Takeaways:
- Multi-Factor Authentication everywhere - Enable it on email, accounting systems, cloud storage, and remote access. This one change stops the vast majority of attacks.
- Cyber Essentials certification - Organizations with this UK government scheme are 92% less likely to make insurance claims. Plus, Noel's preferred certification body includes up to £250,000 in cyber insurance coverage as part of the package!
- Staff training that actually works - Monthly 5-minute team discussions about real threats, not boring annual presentations.
- The 3-2-1 backup rule - Three copies of data, two different storage types, one completely offline.

⚡ Real Talk: This isn't fear-mongering - it's business reality. Every day you delay basic cybersecurity is another day you're gambling with everything you've built. The cost of prevention is ALWAYS less than the cost of recovery.

🔗 Take Action: Start this week: Enable MFA on your email, research Cyber Essentials, schedule team security discussions. Your future self will thank you.
Want to know more about Cyber Essentials certification with included insurance? Reach out to Noel directly.
Like what you heard? Subscribe, leave a review, and share with other business owners who need to hear this.

#Cybersecurity #SmallBusiness #CyberEssentials #BusinessSecurity #UKBusiness
💀 Welcome to the UK's Cyber Graveyard 💀
Over 2,000 jobs GONE. Centuries of business history DELETED. All because of weak passwords and basic security failures that could have been prevented for FREE.

🚨 THE VICTIMS:
- KNP Logistics: 158 years old, £94.5M revenue → 730 redundancies
- Travelex: Global currency giant → 1,309 UK job losses
- NRS Healthcare: NHS supplier → Currently liquidating after 16 months

💣 THE KILLER: Simple password attacks that Multi-Factor Authentication would have STOPPED

🛡️ WHAT YOU'LL LEARN:
✅ The 5 fatal security failures that killed these companies
✅ Why MFA blocks 99.9% of credential attacks (and costs nothing)
✅ 30-60-90 day action plan to bulletproof your business
✅ How to get leadership buy-in without breaking the bank
✅ Real case studies from BBC Panorama investigations

⚡ TAKE ACTION NOW:
Stop listening and enable MFA on your email systems RIGHT NOW. Your future self will thank you when you're not explaining redundancies to your staff. Don't become the next cautionary tale in the UK's growing cyber graveyard.

#CyberSecurity #SmallBusiness #Ransomware #DataBreach #MFA #CyberAttack #BusinessSecurity #PasswordSecurity #UKBusiness #BusinessFailure
After 17 episodes covering everything from basic password security to nation-state threats targeting corner shops, Noel and Mauven reveal what actually works, what consistently fails, and why most businesses are fighting 2019 threats with 2015 thinking while facing 2025 attack methods.

🎯 Shocking Revelations:
- 42% of business applications are unauthorised Shadow IT - Your parallel digital infrastructure you never knew existed
- Multi-factor authentication stops 90% of credential attacks - Yet businesses still resist this free silver bullet
- AI systems now write custom malware faster than humans can patch - Deepfakes fool CEOs, psychological manipulation targets individuals
- Supply chain attacks make YOU liable for everyone - Protecting clients, suppliers, and partners becomes your responsibility
- Most successful attacks still exploit basic failures - Unpatched systems, weak passwords, untested backups

🔥 Real Listener Questions Answered:
- "My IT budget is three pounds fifty and digestives - how do I justify £8/month for security?"
- "Staff revolt against MFA - how do I implement without workplace mutiny?"
- "Found 17 project management tools in use - how do I consolidate without chaos?"
- "Completely overwhelmed by 17 episodes - where do I actually start?"
- "Client angry about payment verification - how do I explain without damaging relationships?"

⚡ What Actually Works: Systematic thinking over panic-buying security products, modern endpoint protection with AI detection, verification procedures that defeat deepfakes, documentation that survives when Dave from IT leaves, regular testing cycles, and risk-based prioritisation focusing on high-impact areas first.

💥 What Consistently Fails: "Set it and forget it" security measures, relying on users to spot sophisticated AI-crafted threats, compliance theatre without genuine implementation, single-solution approaches, the "we're too small to be targeted" delusion, and treating cybersecurity as IT-only responsibility.

🎯 Three Things to Implement Immediately:
- Enable MFA everywhere - Free protection against 90% of credential attacks
- Implement payment verification procedures - Call back on known numbers before acting
- Test your backups regularly - Having backups ≠ having working backups

🎧 Perfect For: Business owners feeling overwhelmed by cybersecurity complexity, IT managers defending security budgets to sceptical accountants, professionals tired of vendor marketing promising magic solutions, and anyone who thinks antivirus software equals comprehensive security.

From basic concepts to AI threats - the complete cybersecurity education in one retrospective episode.

Subscribe for weekly episodes making enterprise-level security thinking accessible for small business budgets. Real solutions, no vendor fluff, practical advice that actually works in the real world.

#SmallBusinessSecurity #CyberSecurity #MFA #ShadowIT #AIThreats #CyberEssentials #DataProtection #BusinessSecurity #TechSecurity #CyberDefense
🎧 Latest Episode Alert | Fresh intelligence from DefCon 33 reveals how AI-enhanced cyber threats to small business are accelerating rapidly. Techniques demonstrated in Las Vegas are targeting UK businesses within weeks.

🚨 Critical Cyber Threats to Small Business

AI-Powered Social Engineering
- 85% success rates against security professionals
- AI psychological profiling from social media
- Voice synthesis for CEO impersonation attacks
- Multi-month fake identity campaigns

Supply Chain Cyber Threats
- Coordinated ecosystem attacks across suppliers
- AI mapping of business relationships
- MSP compromises affecting 200+ networks
- Hardware backdoors surviving firmware updates

Automated Attack Evolution
- 6-hour vulnerability-to-exploit timeline
- 88% evasion of traditional antivirus
- Custom malware for each target
- Cybercrime-as-a-Service platforms

🛡️ Defending Against Modern Cyber Threats

Immediate Actions (Free)
- Multi-channel verification for financial requests
- Independent contact verification procedures
- Staff training on systematic verification

Essential Tech Upgrades (£3-8/user/month)
- AI-powered endpoint protection (Microsoft Defender for Business, CrowdStrike)
- Network segmentation via modern firewalls
- Air-gapped backup systems
- ThreatLocker "Deny All by Default" protection

Cyber Essentials Framework
Version 3.2 updates include 14-day critical vulnerability patching, passwordless authentication recognition, and enhanced remote working requirements.

💼 Business Benefits Beyond Security
- Better insurance rates
- Government contract access
- Supply chain partnership opportunities
- Competitive advantage demonstration

🔥 TRENDING & HASHTAGS
Topics: DefCon 33 findings | AI cyber attacks | Small business vulnerabilities | Supply chain security
Hashtags: #CyberSecurity #SmallBusiness #DefCon33 #AISecurity #CyberThreats #BusinessProtection #UKBusiness #CyberEssentials #InfoSec #ThreatIntelligence #CyberDefense #BusinessSecurity #SecurityFirst

🚀 ENGAGEMENT HOOKS
🔥 URGENT: AI attacks now target small businesses within 6 weeks of DefCon demos
💡 FREE defence strategies that stop 85% of social engineering
⚡ Why your antivirus is useless against 2025 threats
🎯 Turn cybersecurity into competitive advantage

👍 LIKE if this helped you understand modern cyber threats
🔔 SUBSCRIBE for weekly threat intelligence
💬 COMMENT your biggest security concern
📤 SHARE with business owners using outdated protection

🎧 Listen now before these threats target YOUR business! Subscribe for weekly cyber threat intelligence. Share with business owners still using basic antivirus protection against advanced threats.
🚨 Episode 11: When Your Safety Net Becomes the Target
Backup Security Under Fire + Business Email Compromise Reality Check

Your backups aren't protecting you anymore—they're the primary target. In this explosive double-header episode, we expose why 94% of ransomware attacks now target backup systems first, and how Business Email Compromise enables these devastating attacks.

🎯 What You'll Learn:
- Backup Reality Check: Why "immutable" storage isn't, and cloud sync ≠ backup protection
- Cloud Provider Truth Bomb: Neither Microsoft nor Google guarantees your data integrity
- BEC Epidemic: How £35+ billion in global losses connect to backup destruction
- Modern Attack Chains: Email compromise → reconnaissance → backup annihilation
- What Actually Works: Third-party solutions, testing reality, budget truths

💡 Key Takeaways:
- Only 27% of businesses successfully recover all data after incidents
- 30-40% of cyber insurance claims denied due to backup inadequacies
- Proper backup solutions cost £20-100/month, not £500+
- Process controls beat technical controls for BEC prevention
- Multi-channel verification saves businesses millions

🎙️ Hosts & Guests:
- Noel Bradford - The Small Business Cyber Security Guy
- Mauven MacLeod - Ex-NCSC Cyber Expert
- Oliver Sterling - Veteran IT & Cyber Specialist
- Lucy Harper & Graham Falkner - Announcing The 10-Minute Cyber Fix daily show!

📺 NEW: The 10-Minute Cyber Fix
Starting Monday! Daily cybersecurity news analysis with Lucy Harper. Perfect for commute listening—cutting through vendor panic and media hyperbole to deliver what actually matters for YOUR business.

🔗 Essential Resources:
- Veeam Ransomware Trends Report 2024 - 94% backup targeting statistics
- FBI IC3 BEC Report 2023 - £35+ billion global losses
- Microsoft Online Services Terms - "Commercially reasonable efforts" reality
- NCSC BEC Guidance - UK government protection advice
- Action Fraud BEC Statistics - UK-specific loss data
- Cyber Essentials Scheme - UK government backup guidance
- Google Cloud Terms of Service - Data responsibility clauses

💰 Vendor Solutions Mentioned:
Third-Party Backup: Veeam Backup for Microsoft 365, Druva, Barracuda, Dropsuite, SkyKick
Key Point: Your cloud provider's backup ISN'T enough—you need independent protection.

⚠️ Critical Actions:
- Implement multi-channel verification for all financial requests
- Test backup restoration regularly, not just backup completion
- Deploy third-party backup for cloud services
- Document procedures that work under pressure
- Train staff on BEC recognition and response

🎯 Next Week Preview:
Advanced Persistent Threats targeting SMBs - How nation-state techniques filter down to everyday criminals. Special guest from UK's Cyber Security Agency.

📱 Connect With Us:
💼 LinkedIn: Mauven's getting job offers—someone's listening!
📧 Consulting: Real-world security help for small businesses
🎧 Daily Fix: Subscribe for Monday's launch of The 10-Minute Cyber Fix

⚖️ Disclaimer: Educational content only. Consult qualified professionals for business-specific advice. Not affiliated with any government agency or vendor.

🔥 If this episode saved you from a backup disaster or BEC scam, hit subscribe and share with fellow business owners who still think "it's in the cloud" means "it's safe"!