© 2024 PodJoint
The Small Business Cyber Security Guy | Cybersecurity for SMB & Startups
The Small Business Cyber Security Guy
53 episodes
4 days ago
The Small Business Cyber Security Guy Podcast

Practical cybersecurity advice for UK small business owners who need enterprise-level protection without enterprise-level budgets, headaches, or PhD-level jargon. Join hosts Noel Bradford and Mauven MacLeod as they translate complex cybersecurity threats into actionable solutions that actually work for businesses with 5-50 employees. Noel brings 40+ years of enterprise experience from Intel, Disney, and the BBC, whilst Mauven adds government-level threat intelligence from her time as a UK Government Cyber Analyst. Together, they bridge the gap between knowing you need better security and actually implementing it without breaking the bank.

Why This Podcast Works:
- Real experts who’ve chosen to focus on underserved small businesses
- Practical advice tested in actual SMB environments
- British humour that makes serious topics engaging (not intimidating)
- Budget-conscious solutions that acknowledge your real constraints

Perfect For:
- Business owners who believe they’re ”too small to be targeted”
- Anyone who needs cybersecurity knowledge but lacks time for complex solutions
- Those seeking enterprise-quality protection at corner shop prices
- UK businesses (though principles apply globally)

Each episode delivers concrete, actionable advice you can implement immediately. No theoretical discussions, no vendor nonsense, no academic waffle. Just two experts who genuinely care about helping small businesses survive and thrive digitally.

Regular Features:
- Current threat analysis with real-world context
- Implementation guides within realistic budgets
- Human factor solutions (because your biggest vulnerability makes excellent tea)
- Government framework explanations that actually make sense

New episodes weekly. Subscribe now and join thousands of business owners who’ve discovered that proper cybersecurity isn’t just for Fortune 500 companies.

Like what you hear? Subscribe, leave a review mentioning your biggest cybersecurity concern, and visit our blog for detailed implementation guides on everything we discuss. Stay secure, stay practical, and remember - if your security wouldn’t survive a curious teenager with too much time, it needs work.
Management
Business,
News,
Tech News
RSS
All content for The Small Business Cyber Security Guy | Cybersecurity for SMB & Startups is the property of The Small Business Cyber Security Guy and is served directly from their servers with no modification, redirects, or rehosting. The podcast is not affiliated with or endorsed by Podjoint in any way.
Episodes (20/53)
The Small Business Cyber Security Guy | Cybersecurity for SMB & Startups
3AM Ringtone of Doom? Build Your 6-Module Incident Response Plan
Episode Overview
Episode Type: Series Preview Trailer
Duration: 90 seconds
Release Date: December 2025
Series Launch: January 2026
Hosts: Noel Bradford & Mauven MacLeod

What You'll Learn
Three in the morning. Your phone's ringing. Someone's encrypted your customer database. What do you do? This trailer launches our most ambitious series yet: a six-module programme running January through March 2026 that transforms panic into a complete, tested incident response plan. Each module drops every two weeks, giving you time to implement before the next one arrives. Between modules, normal episodes continue covering current threats, breaches, and patches.

This Series Will Give You:
- Complete incident response framework for small businesses
- Communication templates you can use during an actual incident
- Threat-specific playbooks for ransomware, data breaches, and system compromises
- Testing procedures that prove your plan works under pressure
- Implementation time built into the schedule
- Practical guidance for teams with real constraints

What This Series Covers

Module 1: Incident Response Foundations (Early January 2026)
What You'll Build:
- Clear decision tree for incident classification
- Role definitions (even if your team is three people)
- Initial response procedures
- Documentation requirements
- Escalation pathways
Practical Outputs:
- Who does what, when, and how
- Your first response checklist
- Contact list template

Module 2: Building Your Response Team (Late January 2026)
What You'll Build:
- Response team structure for small businesses
- Role assignments that work with limited staff
- External contact management
- Vendor coordination procedures
- Backup personnel plans
Practical Outputs:
- Team roster with responsibilities
- External contacts database
- Succession planning for key roles

Module 3: Communication Plans (Early February 2026)
What You'll Build:
- Internal notification procedures
- Customer communication templates
- Regulatory reporting guidance
- Media handling basics
- Stakeholder management
Practical Outputs:
- Communication templates ready to use
- Notification timelines
- Contact escalation matrix

Module 4: Threat-Specific Playbooks (Late February 2026)
What You'll Build:
- Ransomware response procedures
- Data breach protocols
- System compromise workflows
- Phishing incident handling
- Insider threat procedures
Practical Outputs:
- Step-by-step playbooks for each threat type
- Decision trees for common scenarios
- Evidence preservation guides

Module 5: Testing Your Plan (Early March 2026)
What You'll Build:
- Tabletop exercise framework
- Simulation scenarios
- Assessment criteria
- Continuous improvement process
- Lessons learned documentation
Practical Outputs:
- Test schedule
- Simulation scripts
- Improvement tracking system

Module 6: Complete System Integration (Late March 2026)
What You'll Build:
- Your complete, customised IR plan
- Integration with existing processes
- Maintenance schedule
- Annual review procedures
- Staff training programme
Practical Outputs:
- Final incident response plan document
- Ongoing maintenance checklist
- Training materials for your team

Between Modules: Normal Episodes Continue
Every other week between module releases, you'll get:
- Latest Breach Analysis: What happened, how it happened, what you can learn
- Critical Security Patches: What you need to apply and why (see our December 2025 Patch Tuesday analysis)
- Emerging Threat Intelligence: Current attacks targeting UK small businesses
- Practical Implementation Guides: Hands-on advice for immediate action
Because security doesn't pause whilst you're building your plan.

The Two-Week Implementation Rhythm
Week 1: Module episode drops
Week 2: Implementation time + normal episode
Week 3: Next module episode drops
Week 4: Implementation time + normal episode
This cadence gives you:
- Time to actually implement each module
- Space to ask questions and refine
- Current threat intelligence throughout
- Sustainable pace for resource-constrained teams

Why This Series Matters
The UK Small Busin
4 days ago
2 minutes

Facepalm Retrospective: 2025’s Greatest Cyber Fails — From 123456 to the Louvre
Welcome to the Small Business Cybersecurity Guy Christmas Special with host Noel Bradford and guests Mauven MacLeod and Graham Falkner. This episode is a rapid-fire, often hilarious and sometimes horrifying roundup of the most spectacular cyber security disasters of 2025, told with a no-nonsense focus on what small businesses should learn from them.

We open with the McHire fiasco: security researchers discovered an admin account on McDonald’s AI hiring chatbot (Paradox.ai/Olivia) protected by the password "123456," exposing up to 64 million applicant records. The researchers reported the flaw; no known mass theft occurred, but the episode underlines vendor risk and the dangers of legacy test accounts and absent MFA.

Next, we cover the Louvre post-heist revelations: a €88m jewel theft followed by reports showing decades-old surveillance systems running Windows 2000/XP, passwords like "Louvre" and systemic neglect. The story is used to illustrate how even world-famous institutions fail at basic cyber hygiene.

We recap the PowerSchool catastrophe, where a 19-year-old college student used compromised credentials to access a support portal and exposed data on some 62 million students and millions of staff. The attack led to ransom demands, payments, further extortion attempts, criminal charges, and a clear lesson — no MFA, huge consequences.

The UK was a hotspot in 2025: Jaguar Land Rover, Marks & Spencer, Co-op, Harrods and others suffered disruptive breaches often rooted in third-party/supply-chain compromises. We also discuss the Foreign, Commonwealth & Development Office breach (detected in October, disclosed in December), suspected China-linked activity, and the difficulties of attribution.

In a rapid-fire segment we cover smaller-but-still-impactful stories: a ransomware gang that abandoned an extortion against nurseries after public outrage; attacks on Asahi, DoorDash and Harvard; widespread exploitation of unpatched SharePoint vulnerabilities; and how simple phishing and credential theft continue to be the root cause of major incidents.

Key takeaways for small businesses are emphasised throughout: enable multi-factor authentication, use strong unique passwords and password managers, patch promptly, run vendor due diligence and risk registers, train staff on phishing/social engineering, maintain incident response plans, and treat supply-chain security as part of your attack surface. The hosts argue the fundamentals work — do the boring basics correctly.

The episode closes with practical advice, links to the revamped blog and Noel’s "No BS Cyber for SMBs" newsletter on LinkedIn, and a festive-but-sober call to change weak passwords (definitely not to "123456") and enable MFA before the new year.

#Cybersecurity #Ransomware #DataBreaches #PasswordSecurity #SupplyChainSecurity #SmallBusiness #UKCyber #InfoSec #Christmas2025 #PowerSchool #McDonalds #JaguarLandRover #ForeignOffice
1 week ago
21 minutes

Boards, Breaches and Accountability: Why Small Firms Need Risk Registers Now
Do UK small businesses need cyber risk registers? Graham said no. After this 40-minute debate with Noel Bradford, he changed his mind completely.

This Small Business Cyber Security Guy podcast episode tackles cyber risk management for UK SMEs through a heated debate about whether small business boards need formal cyber risk registers.

UK cyber security statistics that changed Graham's mind:
- 43% of UK small businesses experienced cyber breaches last year (DSIT 2025)
- 73% have no board-level cyber security responsibility
- 28% of SMEs say one cyber attack could close them permanently (Vodafone 2025)
- Average UK small business breach costs £3,398

Real-world cyber risk register failures: UK manufacturing company with "satisfactory" security controls destroyed by ransomware. Had antivirus, firewalls, backups. No documented cyber risk assessment. No board-level governance. Business nearly closed.

Companies Act director duties most UK boards ignore: Section 174 requires directors exercise "reasonable care, skill and diligence" in managing company risks. With 43% breach rates, cyber risk is material. Failure to document cyber risk management exposes directors to personal liability.

Practical cyber risk register implementation:
✓ Minimum viable cyber risk register template (8 columns, single spreadsheet)
✓ Board-level cyber security governance framework
✓ Quick remediation: enable MFA, test backup restoration, implement payment verification
✓ NCSC Board Toolkit guidance for UK SMEs
✓ Cyber insurance risk assessment requirements

Perfect for UK small business owners, SME directors, startup founders, business managers responsible for cyber security compliance, GDPR, and corporate governance. Listen to this cyber security governance debate and learn why risk registers aren't bureaucracy - they're legal protection for directors and businesses.
2 weeks ago
45 minutes

Urgent: Patch CVE-2025-62221 — December Patch Tuesday Breakdown
Microsoft ends 2025 with three zero days and one brutal Windows exploit. Are you patched before hackers unwrap your network?
3 weeks ago
17 minutes

The Printer Is Watching: How Your Office Gear Is the Biggest Cyber Threat
For episode 30, we reveal the cybersecurity blind spot almost nobody discusses: IoT devices. Your office printer stores every document you’ve printed on a hard drive nobody wipes, with a password attackers can guess easily. We share a real case study of a business that spent £15,000 on security and still got breached through their printer. This episode covers why printers, CCTV, and smart devices are forgotten security risks, practical steps to secure them without enterprise budgets, and how to implement network segmentation. Plus, we celebrate reaching Top 12 in Apple Podcasts worldwide. #SmallBusinessCybersecurity #EnterpriseSecurity #CyberEssentials #UKBusiness #BusinessProtection
3 weeks ago
36 minutes

Reverse Benchmarking: Learn from the Biggest Cyber Faceplants
What if the best way to protect your business isn't copying what the successful companies do, but avoiding what the failures did wrong? Welcome to reverse benchmarking, the cybersecurity equivalent of learning from other people's face-plants so you don't repeat them.

In this episode, Noel and Mauven flip traditional benchmarking on its head. Instead of asking "what are the best companies doing?", they explore the far more revealing question: "what did the disasters get catastrophically wrong?" From the Target breach via an HVAC vendor to ransomware attacks on UK holiday parks, the hosts dissect spectacular cybersecurity failures to extract practical lessons for small businesses.

You'll discover why copying enterprise best practices often backfires for SMBs, how compliance creates dangerous false security, and practical ways to build your own "disaster library" of lessons learned. Plus, the hosts reveal why some of the worst cybersecurity advice comes from studying successful companies rather than failed ones.

This isn't just negativity packaged as strategy. It's a systematic approach to identifying your business's genuine vulnerabilities by examining where others fell through the cracks. Because in cybersecurity, knowing what not to do is often more valuable than copying what others claim works.

Why This Episode Matters
One in three small businesses were hit by cyberattacks last year. The average cost? A quarter of a million pounds, with some reaching seven million. But here's the crushing statistic: 60% of small businesses close within six months of a cyber incident. Traditional benchmarking tells you to copy what big enterprises do. Reverse benchmarking shows you what kills businesses like yours, so you can avoid becoming the cautionary tale in someone else's podcast.

Key Takeaways

1. Traditional Benchmarking Often Fails SMBs
- Copying FTSE 100 security on a shoestring budget is a losing game
- Enterprise solutions don't scale down effectively
- By the time you copy last year's "best practice," threats have evolved
- Context matters more than copying

2. Compliance ≠ Security
- Being compliant doesn't mean you're secure
- Compliance is like passing your driving test - it proves you know the rules, not that you'll never crash
- Checkbox culture creates dangerous complacency
- Attackers don't check your certifications before striking

3. The Statistics Are Sobering
- One third of SMBs hit by cyberattacks annually
- Average breach cost: £250,000
- Some breaches: £7 million
- 60% of small businesses close within six months post-attack
- NCSC estimates 50% of UK SMBs will experience a breach each year

4. Real-World Disasters Teach Practical Lessons
- Target breach: Lost $162 million because HVAC vendor credentials weren't properly segmented
- Colonial Pipeline: Shutdown of major US fuel infrastructure from weak VPN password
- UK holiday park ransomware: Peak season attack forced cash-only operations
- Common thread: Basic security fundamentals ignored

5. Third-Party Risks Are Existential
- 61% of breaches involve third-party access
- Small vendors create backdoors into larger networks
- Your security is only as strong as your weakest supplier
- Segment vendor access ruthlessly

6. Practical Implementation Steps
- Build your own "disaster library" of relevant failures
- Hold quarterly "what went wrong" review sessions
- Map your business to failed case studies
- Ask "could this happen to us?" for every breach you read about
- Create no-blame culture for reporting near-misses

Detailed Show Notes

Introduction (00:00 - 01:24)
Noel poses a simple question: in the pub, what do people talk about? Their wins, mostly. This episode does the opposite by examining failures instead of successes. The hosts introduce "reverse benchmarking" as the Darwin Awards of cybersecurity, learning from others' digital disasters rather than bragging about fancy firewalls.
Key Quote: "Learn from other people's face-plants so we don't repeat them."

What Is Reverse Benchmarking? (01:24
1 month ago
25 minutes

Prison for Negligent Directors? Rebooting UK Cyber Enforcement
In this provocative second instalment of the accountability series, hosts Noel Bradford and Mauven MacLeod lay out a detailed proposal for a UK cybersecurity enforcement regime that balances protection for small businesses with personal liability for negligent directors. They compare the current weak regulatory approach to the Health and Safety Executive model, cite international evidence from Singapore, and explore why criminal consequences — up to fines, disqualification and, in extreme cases, prison — might be necessary to change boardroom behaviour. The episode explains a three-tier framework: Tier 1 (micro and small businesses) protected by Cyber Essentials and criminal liability only for gross negligence; Tier 2 (25–250 employees) required to follow industry-reasonable practice with qualified oversight and documented policies; and Tier 3 (large organisations and public sector) held to the highest standards (ISO/SOC) with lower thresholds for prosecution. The hosts walk through concrete, measurable standards, outcome-based testing, and safe-harbour defences for businesses that engage accredited advisors. Key technical and organisational measures discussed include Cyber Essentials, MFA, patching and backups, incident response plans, staff training, qualified security oversight (fractional CISOs or accredited MSPs), and government-approved lists of assessors. The episode stresses practical testing — inspectors verifying controls actually work — to prevent compliance theatre and ensure certificates match reality. Noel and Mauven outline a phased five-year implementation pathway: publication and guidance, data collection and mandatory reporting, staged enforcement beginning with large organisations, then medium businesses, and finally full enforcement — all accompanied by funded support programs, subsidies, and free advisory services to help firms comply. 
Costs, benefits and market effects are examined: basic Tier 1 protections are framed as affordable (Cyber Essentials, free MFA), while stronger governance yields lower insurance premiums, preferential procurement, and overall reduced breach costs. The hosts discuss the need to upskill the ICO into a technically capable enforcement agency, political and industry pushback, and international alignment with EU, Singapore and Australia precedents. The episode closes with a call to action for listeners: implement the basics now (Cyber Essentials, MFA, updates), pressure MPs and industry bodies for proportionate enforcement, and spread the conversation. Expect debates about proportionality, false positives, and safeguarding SMEs, but the central case is clear: a calibrated, evidence-based accountability regime could dramatically reduce breaches and force cybersecurity into the boardroom.
1 month ago
37 minutes

When Ransomware Kills: Should Directors Face Prison for Cyber Negligence?
What happens when business negligence causes serious harm to thousands of people? If a faulty ladder injures someone, directors face prison time. If forty million people have their data stolen due to poor security, they receive a strongly worded letter.

In this provocative first episode of our two-part series, Noel and Mauven examine the shocking disparity between health and safety enforcement and cybersecurity regulation in the UK. We compare the HSE's tough approach (prison sentences, director liability, millions in fines) with the ICO's gentle touch (guidance, occasional fines, zero criminal consequences). With 40 million voter records compromised at the Electoral Commission resulting in just a formal reprimand, whilst construction directors regularly face 18-month prison sentences for single workplace accidents, we ask the uncomfortable question: why is cybersecurity enforcement essentially performative?

This isn't anti-business rhetoric. This is an evidence-based examination of a broken system that fails to protect either businesses or the public, presented through statistics, case studies, and historical precedent, which demonstrates that personal accountability is effective.

What You'll Learn

The Two Regulators: A Tale of Vastly Different Consequences
- Why HSE directors face up to 2 years imprisonment, whilst the ICO never imposes criminal penalties
- How HSE issued 13,424 enforcement notices and 399 prosecutions in 2023-24
- Why the ICO issued just £2.7 million in total UK fines, whilst EU regulators issued over £1 billion
- The legal frameworks that create this enforcement gap

The Public-Private Accountability Divide
- Electoral Commission breach: 40 million records compromised, 14 months of hostile state access, consequence: formal reprimand
- Construction site failures: single injuries lead to prison sentences and director disqualifications
- Why government organisations face minimal consequences for security failures
- The message this sends about who matters and who doesn't

Historical Context: How HSE Transformed Workplace Safety
- 85% reduction in workplace fatalities since the Health and Safety at Work Act 1974
- How personal criminal liability changed director behaviour overnight
- The construction industry transformation from dangerous to safety-conscious
- Evidence that accountability actually works when properly enforced

Arguments Against Director Liability (And Why They Fail)
- "Security is too complex for criminal standards" - why this doesn't hold up
- "Small businesses can't afford proper security" - HSE already handles proportionate enforcement
- "Innovation will suffer" - data showing the opposite effect in the safety sector
- "Current system works fine" - statistics proving it demonstrably doesn't

The Current State of Inertia
- Why ICO enforcement focuses on "guidance and support" over punishment
- Political pressure keeps cybersecurity consequences minimal
- Business lobby resistance to accountability measures
- The broken incentive structure that rewards negligence

Key Statistics Referenced

HSE Enforcement 2023-24:
- 13,424 enforcement notices issued
- 399 prosecutions brought
- £73.8 million in fines
- Regular prison sentences (average 12-18 months for serious breaches)

ICO Enforcement 2023-24:
- £2.7 million total fines across all UK GDPR violations
- Zero prison sentences imposed
- Zero director disqualifications
- Focus on "guidance and support" over punishment

Electoral Commission Breach:
- 40 million UK voter records compromised
- The hostile state actor maintained access for 14 months
- Basic security failures: poor patching, weak passwords, inadequate monitoring
- Consequence: Formal reprimand only

Impact Statistics:
- 85% reduction in workplace fatalities since the Health and Safety at Work Act 1974
- EU regulators issued over £1 billion in GDPR fines (vs the UK's £2.7 million)
- Keymark Construction director: 18 months' prison for fatal fall (2023)

Notable Cases Discussed

Health and Safety Enforcement
Keymark C
1 month ago
42 minutes

November Patch Tuesday Storm: Zero‑Days, Exchange Exploits & WSUS Emergency
Graham Falkner delivers an authoritative deep dive into November 2025's Patch Tuesday updates, covering the most critical security vulnerabilities affecting businesses of all sizes. This month brings a perfect storm of actively exploited zero-days, critical Exchange Server flaws, and hundreds of patches across Microsoft, Adobe, Oracle, SAP, and third-party vendors. From Windows kernel exploits to e-commerce platform takeovers, November's vulnerability landscape demands immediate attention from IT teams.

Key Topics Covered

Microsoft Security Updates
- 89 total vulnerabilities patched (12 critical, 4 zero-days)
- CVE-2025-0445: Windows Kernel privilege escalation (actively exploited)
- CVE-2025-0334: Chrome V8/Edge JavaScript engine RCE (actively exploited)
- CVE-2025-0078: Exchange Server unauthenticated RCE (CRITICAL - affects Exchange 2016/2019/2022)
- CVE-2025-1789: MSHTML remote code execution via Office documents
- CVE-2025-59287: WSUS vulnerability (9.8 CVSS, actively exploited, required re-release)
- 23 remote code execution vulnerabilities across Windows, Office, and developer tools

Adobe Security Updates
- 35+ vulnerabilities patched across multiple products
- CVE-2025-54236: Adobe Commerce/Magento input validation flaw (9.1 CVSS, actively exploited, Priority 1)
- CVE-2025-49553: Adobe Connect XSS vulnerability (9.3 CVSS)
- Patches for Illustrator, FrameMaker, Photoshop, InDesign, Animate, Bridge, Substance 3D

Oracle Critical Patch Update (October 2025)
- 374 new security patches addressing ~260 unique CVEs
- CVE-2025-61882: Oracle E-Business Suite zero-day (exploited by ransomware groups)
- 73 patches for Oracle Communications (47 remotely exploitable without authentication)
- 20 patches for Fusion Middleware (17 remote unauthenticated)
- 18 fixes for MySQL
- Updates for PeopleSoft, JD Edwards, Siebel, Oracle Commerce, Database Server

SAP Security Updates
- 18 new security notes plus 1 updated note
- CVE-2025-42890: SQL Anywhere Monitor hardcoded credentials (10.0 CVSS - PERFECT SCORE)
- CVE-2025-42887: SAP Solution Manager code injection (9.9 CVSS)
- CVE-2025-42944: NetWeaver Java insecure deserialisation (updated patch)
- CVE-2025-42940: CommonCryptoLib memory corruption

Mozilla Firefox Updates
- Firefox 145.0 released November 11th
- 15 security vulnerabilities fixed (8 high impact)
- New anti-fingerprinting measures halving trackable users
- Memory safety and sandbox escape prevention

Apple Security Updates
- iOS/iPadOS 17.1 and macOS 14.1 released
- 100+ vulnerabilities patched across iPhones, iPads, Macs
- Critical kernel and WebKit bugs fixed
- Zero-click exploit prevention

Google Security Updates
- Chrome 142 with 5 security bug fixes
- Android November 2025 bulletin (patch level 2025-11-01)
- CVE-2025-48593 and CVE-2025-48581 affecting Android 13-16

Third-Party Critical Vulnerabilities
- WordPress Post SMTP plugin: CVE-2025-11833 (9.8 CVSS, actively exploited, 200,000+ sites affected)
- WatchGuard Firebox: CVE-2025-9242 (critical out-of-bounds write, 75,000 devices exposed)
- Cisco IOS/XE routers: CVE-2025-20352 (SNMP service, actively exploited for rootkit deployment)

Critical Action Items for Businesses

IMMEDIATE (Deploy Within 24-48 Hours)
- Microsoft Exchange Server - Apply CVE-2025-0078 patch or isolate internet-facing servers
- Adobe Commerce/Magento - Deploy CVE-2025-54236 hotfix immediately if running Magento
- Windows Kernel - Patch CVE-2025-0445 zero-day exploit
- Edge/Chrome - Update browsers to address CVE-2025-0334
- Oracle E-Business Suite - Verify CVE-2025-61882 patch deployed
- WordPress Post SMTP - Update to v3.6.1 or remove plugin
- Cisco routers - Apply CVE-2025-20352 patches and check for compromise

HIGH PRIORITY (Deploy Within 1 Week)
- SAP systems - Apply critical patches for CVE-2025-42890 and CVE-2025-42887
- WSUS servers - Verify CVE-2025-59287 patch installed correctly
- Adobe Connect - Update to version 12.10
- Firefox, Chrome, Edge - Deploy browser updates organisation-wide
- Android devices - Deploy November 2025 security bulletin
- WatchGuard
1 month ago
17 minutes

Big Brother Is Watching Your VPN — The Online Safety Act Unpacked
The Spy Who Monitored Me - Ofcom's VPN Surveillance Farce

Episode Information
Episode Title: The Spy Who Monitored Me: Ofcom's VPN Surveillance Farce
Episode Number: Hot Take
Release Date: 11 November 2025
Duration: Approximately 18 minutes
Hosts: Mauven MacLeod & Graham Falkner
Format: Research segment with heavy sarcasm

Episode Description
Ofcom's monitoring VPNs with a secret AI tool they refuse to name. Because nothing says "liberal democracy" quite like government surveillance of privacy tools.

In this punchy episode, Mauven and Graham dissect TechRadar's exclusive revelation that Ofcom is using an unnamed third-party AI monitoring system to track VPN usage following the Online Safety Act. With 1.5 million daily users allegedly bypassing age verification, the UK's communications regulator has decided the solution is... monitoring everyone. Spoiler alert: the technology can't distinguish between your accounting manager accessing company systems and someone bypassing age checks. But why let technical limitations get in the way of a good surveillance programme?

We examine the mysterious, unnamed AI tool, the questionable 1.5 million user statistic that appears nowhere in official documents, Section 121's encryption-breaking powers that remain dormant in the Act, and what this means for small businesses using VPNs for legitimate security purposes. If you've ever wondered what it's like when a supposedly liberal democracy starts copying China's approach to internet regulation, this episode is your depressing guide.

Key Topics Covered

The Surveillance Revelation
- Ofcom confirms use of unnamed third-party AI monitoring tool
- TechRadar exclusive: "We use a leading third-party provider" with zero transparency
- Government surveillance of privacy tools sets a dangerous precedent
- Comparison to authoritarian regimes (China, Russia, UAE, Iran)

The Numbers That Don't Add Up
- 1.5 million daily VPN users claim appears nowhere in official Ofcom documents
- No published methodology or verification
- VPN detection cannot determine the intent or legitimacy of use
- Analytics show VPN use is lower in countries with greater online freedom

What Actually Happened on July 25th
- The UK Online Safety Act child safety duties became fully enforceable
- Mandatory "highly effective age assurance" replaced simple checkbox verification
- Proton VPN: 1,400% surge in UK signups within hours
- NordVPN: 1,000% increase in downloads
- ProtonVPN beat ChatGPT to become the #1 free app on Apple UK App Store

The Small Business Nightmare
- Business VPNs are essential security hygiene for remote work
- Ofcom's monitoring cannot distinguish legitimate business use from circumvention
- Undisclosed data collection creates unknowable privacy risks
- GDPR compliance implications when the government monitors your security tools

Section 121: The Spy Clause
- Powers to require client-side scanning of encrypted communications
- Government promises not to use "until technically feasible"
- Cryptography experts: impossible without destroying encryption
- Apple shelved similar plans in 2021
- Signal and WhatsApp threatened to leave the UK market

The Authoritarian Playbook in Action
- Scope creep within days: blocking parliamentary speeches, news coverage, forums
- A cycling forum shut down due to compliance costs
- Small platforms are closing rather than face a compliance nightmare
- Chilling effect on legitimate content and discussion

International Surveillance Creep
- 25 US states passed similar age verification laws
- EU debating Chat Control (mandatory encrypted message scanning)
- Australia is implementing age verification for search engines
- Legislative arms race using "protecting children" as a universal justification

What Small Business Owners Must Do
- Document all VPN usage for legitimate business purposes
- Maintain VPN security protocols despite surveillance theatre
- Get legal advice if operating any platform with user-generated content
- Fines up to £18 million or 10% of global revenue
- Criminal l
1 month ago
18 minutes

From SMS to FIDO2: A Small Business Guide to Phishing‑Resistant Authentication
In this episode of the Small Business Cybersecurity Guide, hosts Noel Bradford and Mauven MacLeod are joined by Mark Bell from Authentrend (episode sponsor) to explain why the mobile phone, long promoted as a convenient authentication tool, can be one of the weakest links in your business security. Using real-world examples, including a recent breach of a 15-person firm that relied on SMS one-time passwords, the trio outlines how simple attacks, such as SIM swapping and code interception, make SMS and many authenticator app workflows vulnerable to targeted attackers.

The hosts define multi-factor authentication in plain terms and introduce FIDO2/passkeys and hardware security keys as effective, phishing-resistant alternatives. Mark describes how hardware keys utilise public-key cryptography and local biometric verification (fingerprint on the key), ensuring that private credentials never leave the device, thereby preventing attackers from reusing intercepted codes or tricking users into authenticating to fake sites.

Practical implementation advice is covered in detail: start with a risk assessment, deploy keys in phases (prioritise privileged accounts and executives), run a pilot with high-risk users, and require at least two keys per user for redundancy. They discuss costs (roughly £45 per key, with a 10-year lifespan), the productivity and help-desk savings from passwordless authentication, the effects on cyber insurance and compliance (including Cyber Essentials updates and the gap between compliance and proper protection), and strategies for legacy systems and remote workers.

The episode also highlights human factors, including making authentication easy to use (biometric keys), providing clear training and internal champions, and anticipating user resistance, which can be managed through leadership buy-in and phased rollouts.

Listeners are urged to assess their critical accounts, prioritise hardware keys for high-risk users, and run a small pilot rather than waiting for discounts — because, as the guests stress, hardware keys can stop roughly 80% of credential-based breaches in practice.

Guests and links: Noel Bradford and Mauven MacLeod (hosts), with guest Mark Bell from Authentrend. The show notes include links to Authentrend products, NCSC guidance on passkeys and FIDO2, and step-by-step implementation resources for small businesses.
1 month ago
32 minutes

Ignored Audits, Ancient Servers, and a Cherry Picker — Inside the Louvre Jewel Robbery
On October 19th, 2025, four men dressed as construction workers stole €102 million in French crown jewels from the Louvre Museum in just seven minutes. The heist was poorly executed—thieves dropped items and failed to target the most valuable pieces—yet they succeeded spectacularly. Why? Because the world's most visited museum had been ignoring basic cybersecurity warnings for over a decade.

In this hot take, Noel Bradford examines the shocking details that emerged after the heist: the password to the Louvre's video surveillance system was "LOUVRE." Security software was protected by "THALES" (the vendor's name). Windows 2000 and Server 2003 systems were still in operation years after support ended. And a 2015 security audit with 40 pages of recommendations won't be fully implemented until 2032.

This episode examines the consequences of institutions ignoring expert warnings, the importance of accountability, and what UK small businesses can learn from a €102 million failure. Spoiler: if your security is better than the Louvre's, you're doing something right.

Key Message: Security failures often begin long before the day of the breach. They start years earlier when warnings go unaddressed.

Key Takeaways
- The Louvre's password was "LOUVRE." If one of the world's most prestigious institutions used the building's name as its surveillance system password, your organisation probably has similar problems.
- Ten years of warnings, zero action - ANSSI identified critical vulnerabilities in 2014. Security upgrades recommended in 2015 won't be completed until 2032. Ignoring expert advice is organisational negligence.
- Resources aren't the problem - The Louvre had budget, expertise, and free government audits. They chose to prioritise palace restoration (€60M) over security infrastructure. It's about priorities, not resources.
- Hardware authentication solves password problems - FIDO2 security keys can't be guessed, phished, or compromised through weak passwords. At £30-50 per key, they're cheaper than one day of operational disruption.
- The accountability gap enables negligence - Government institutions face no consequences for catastrophic security failures, while UK SMBs receive ICO fines and potential closure for less. This double standard undermines security culture.
- Your security might be better than that of the Louvre. If you've enabled MFA, run supported operating systems, and have basic password policies, you're already ahead of a museum protecting the Mona Lisa. That's encouraging and concerning.
- Security failures often begin years before a breach - The October 2025 heist was made possible by decisions (or non-decisions) that stretched back to 2014. Prevention requires consistent action, not crisis response.

Case Studies Referenced

The Louvre Heist (October 2025)
- Incident: €102 million in French crown jewels stolen in 7 minutes
- Root causes: Password "LOUVRE" for surveillance, outdated systems (Windows 2000/Server 2003), unmonitored access points
- Audit history: 2014 ANSSI audit identified vulnerabilities, 2015 audit provided 40-page recommendations
- Accountability: Director retained position, no terminations, Culture Minister initially denied security failure
- Timeline: Security upgrades recommended in 2015 won't complete until 2032

KNP Logistics (Referenced)
- Industry: East Yorkshire haulage firm
- Incident: Ransomware attack, £850,000 ransom demand
- Outcome: Couldn't pay, business entered administration, 70 jobs lost
- Contrast: Small business faces closure; national institution faces no consequences

Electoral Commission (Referenced)
- Incident: Data breach affecting 40 million UK voters
- Outcome: No job losses, no significant consequences
- Relevance: Government accountability gap vs private sector enforcement
1 month ago
11 minutes

No More Excuses: Cyber Essentials Forces MFA on Every Cloud Service (Apr 2026)
In this episode Graham and Mauven break down a major overhaul to Cyber Essentials coming into force from April 2026. The hosts explain the headline change — mandatory multi-factor authentication (MFA) for every cloud service with no loopholes — and how the scheme has tightened scoping so any internet-connected service or system that processes company data is now in scope. Topics covered include the new emphasis on passwordless authentication (passkeys, FIDO2 hardware keys, and biometrics), why the NCSC is pushing these technologies, and the practical security benefits and limits of passwordless solutions. They also discuss the real-world impact on small businesses: thousands currently relying on weak passwords or shadow IT will face failed assessments, unsupported software will trigger instant fails, and many firms will need to budget for MFA where it’s not free. Graham and Mauven share concrete, actionable advice for listeners: inventory every cloud service (including forgotten Dropbox or personal Gmail accounts used for work), involve the whole team, enable MFA everywhere possible (and budget for paid options), collect and document evidence (screenshots, logs), map networks and implement segmentation where needed, and plan early to avoid rush and audit pain. Key takeaways: the bar is being raised to reduce simple attacks, passwordless is being validated as a practical option, expect a drop in pass rates at renewal time, and businesses should start preparing now or face chaotic assessment outcomes. Hosts: Graham Falkner and Mauven MacLeod.
1 month ago
7 minutes

FinalSpark, Ethics & Security: What Living-Neuron Computers Mean for Your Company
What if I told you there’s a laboratory in Switzerland where scientists are building computers from living human neurons? Sounds like science fiction, right? But it’s happening right now, and the energy crisis driving this research is about to affect every small business owner’s cloud computing bills.

In this episode, Noel, Graham, and Mauven explore FinalSpark’s revolutionary biocomputing platform. This Swiss company has created the Neuroplatform, a system using approximately 160,000 living human neurons to perform computational tasks. Their goal? Solving the massive energy consumption problem created by artificial intelligence and modern data centres.

Your brain runs on 20 watts of power. Current AI data centres consume megawatts. FinalSpark claims their biological processors could use a million times less energy than traditional computing. That’s not incremental improvement – that’s fundamental transformation.

But here’s the catch: this technology is still early, really early. So why should small business owners care about laboratory experiments with brain cells? Because the energy costs driving this research are already affecting your Azure bills, your SaaS subscriptions, and your cloud hosting fees. And understanding where technology is heading helps you make better decisions about where to invest your limited resources.

What You’ll Learn
- Why energy consumption in computing matters to small businesses right now
- How FinalSpark’s biocomputing platform actually works (in terms that won’t require a neuroscience degree)
- The realistic timeline for when this technology might affect your business
- What small businesses should actually do about emerging technologies
- The security implications nobody’s talking about yet
- The uncomfortable ethical questions around growing human neurons for computation

Key Quotes

Noel Bradford: “Training a single large AI model produces the same carbon emissions as five cars create during their entire lifetime. And that statistic is from 2019. Modern models like GPT-4 produce 50 to 100 times more emissions than that.”

Graham Falkner: “So naturally they thought, you know what, let’s just use actual neurons instead. Because that’s a perfectly reasonable next step when your silicon experiments don’t work.”

Mauven MacLeod: “Bloody hell. Today’s topic just got properly mental.”

Noel Bradford on timeline: “In the next 12 months, nothing. Ignore biocomputing entirely. Focus on the security basics most businesses are probably still getting wrong.”

On security implications: “How do you secure a computer made from living cells? Do you need to understand neuroscience to exploit vulnerabilities in bioprocessors? If someone breaches a living computer system, is it a cyber attack or biological warfare?”

About FinalSpark
- Founded by: Dr. Martin Kutter and Dr. Fred Jordan
- Location: Vevey, Switzerland
- Previous company: Alpvision (anti-counterfeiting specialists)
- Current project: The Neuroplatform

Research credentials:
- Published peer-reviewed research that reached the top 1% of most-read articles in Frontiers journal
- Providing free access to 10 universities worldwide (36 applications received)
- Created APIs and documentation for remote access
- Built Discord community with 1,200+ members discussing biocomputing

Participating universities:
- University of Michigan
- Free University of Berlin
- University of Exeter
- Lancaster University
- Leipzig University
- University of York
- Oxford Brookes University
- University of Bath
- University of Bristol
- Université Côte d’Azur (France)
- University of Tokyo

Key Facts from the Episode

Energy consumption statistics:
- Data centres consumed 1.5% of global electricity as of 2024
- Projected to reach 3% by 2030
- AI is accelerating growth exponentially
- Meta, Google, and OpenAI are talking about building nuclear power stations

The biocomputing advantage:
- Human brain runs on 20 watts
- Modern AI data centres use megawatts (millions of watts)
- FinalSpark claims mill
2 months ago
22 minutes

Ghosts in the Machine — Halloween Special: When Your Tools Turn on You
This Halloween special of the Small Business Cyber Security Guy peels back the curtain on the scariest place hackers hide: the tools and toolchains you trust. Hosts Graham Falkner, Noel Bradford and Mauven MacLeod go ghost hunting inside compilers, build systems and update pipelines to show how supply‑chain attacks can insert backdoors that you’ll never spot by reading source code alone.

The episode revisits Ken Thompson’s classic compiler backdoor thought experiment and explains, in plain language, how a compromised compiler can propagate secrets invisibly. The hosts walk through real incidents — XcodeGhost, SolarWinds, event-stream, and Log4j — to demonstrate how attackers target development tools and upstream suppliers to compromise software at scale. Expect practical, small-business-focused anecdotes (including a midnight accounting patch that wreaked havoc) and clear explanations of why technical debt, single-developer codebases, and blind trust in update pop-ups are dangerous. The conversation highlights how even open-source software can be compromised if maintainers or dependencies are compromised.

The episode also covers defences and takeaways: demand provenance and supply-chain transparency from vendors, insist on reproducible builds where possible, use two-person reviews and well-maintained dependencies, and protect access with strong authentication. The hosts debate how to distribute trust, verify your verifiers, and reduce single points of failure so one compromised supplier or contractor can’t haunt your whole business.

There’s a sponsor segment from Authentrend about passwordless biometric sign-ins as a way to block credential-based intrusions, along with links to resources and a trial, in the show notes. Throughout, the hosts balance technical history and horror stories with concrete steps small businesses can take now to keep their compilers and supply chains clean.

Listen for clear, actionable advice for small businesses, including how to ask vendors the right questions, when to bring in trusted IT partners, and simple measures to keep the lights on and the doors locked against the ghosts in your code. Sláinte — and may your backups never rise from the grave.
2 months ago
12 minutes

The Doorman Fallacy: How Cost Cuts Become Catastrophes
The £18,000 Saving That Cost £200,000 in Revenue

Ever cut a cost that seemed obviously wasteful, only to discover you'd destroyed something far more valuable? Welcome to the Doorman Fallacy—it's probably happening in your business right now.

In this episode, Noel Bradford introduces a concept from marketing expert Rory Sutherland's book "Alchemy" that explains precisely why "sensible" security cost-cutting so often leads to catastrophic consequences. Through five devastating real-world case studies, we explore how businesses optimise themselves into oblivion by defining roles too narrowly and measuring only what's easy to count.

Spoiler alert: The doorman does far more than open doors. And your security measures do far more than their obvious functions.

What You'll Learn

The Core Concept
- What the Doorman Fallacy is and why it matters for cybersecurity
- The difference between nominal functions (what something obviously does) and actual functions (what it really does)
- Why efficiency optimisation without a complete understanding is just expensive destruction
- The five-question framework for avoiding Doorman Fallacy mistakes

Five Catastrophic Case Studies

1. The Security Training Fallacy (Chapter 2)
- How cutting £12,000 in training led to a £70,000 Business Email Compromise attack
- Why training isn't about delivering information—it's about building culture
- The invisible value: shared language, verification frameworks, psychological safety
- What to measure instead of cost-per-employee-hour

2. The Cyber Insurance Fallacy (Chapter 3)
- The software company that saved £18,000 and lost £200,000 in client contracts
- Why insurance isn't just financial protection—it's a market signal
- Hidden benefits: third-party validation, incident response capability, customer confidence
- How cancelling coverage destroyed vendor relationships and sales opportunities

3. The Dave Automation Fallacy (Chapter 4)
- Insurance broker spent £100,000+ replacing a £50,000 IT person
- The £15,000 server upgrade that Dave would have known was unnecessary
- Institutional knowledge you can't document: vendor relationships, crisis judgment, organisational politics
- Why ticketing systems can't replace anthropological understanding

4. The MFA Friction Fallacy (Chapter 5)
- Fifteen seconds of "friction" versus three weeks of crisis response
- The retail client who removed MFA and suffered £65,000 in direct incident costs
- Why attackers specifically target businesses without MFA
- The reputational damage you can't quantify until it's too late

5. The Vendor Relationship Fallacy (Chapter 6)
- Solicitors saved £4,800 annually, lost a £150,000 client
- Why "identical services" aren't actually identical
- The difference between contractual obligations and genuine partnerships
- What happens when you need flexibility and you've burned your bridges

Key Statistics & Case Studies
- 42% of business applications are unauthorised Shadow IT (relevant context)
- £47,000 BEC loss vs £12,000 annual training savings
- £200,000 lost revenue vs £18,000 insurance savings
- £100,000+ replacement costs vs £50,000 salary
- £65,000 incident costs vs marginal productivity gains
- £150,000 lost client vs £4,800 vendor savings

Common pattern: Small measurable savings, catastrophic unmeasurable consequences.

The Five-Question Framework
Before cutting any security costs, ask yourself:
1. What's the nominal function versus the actual function? What does it obviously do vs what does it really do?
2. What invisible benefits will disappear? Be specific: not "provides value" but "provides priority incident response during emergencies"
3. How would we replace those invisible benefits? If you can't answer this, you're making a Doorman Fallacy mistake
4. What's the actual cost-benefit analysis, including invisible factors? Not just "save £8,000" but "save £8,000, lose security culture, increase incident risk"
5. What's the cost of being wrong? In cybersecurity, the cost of being wrong almost always exceeds the cost of
2 months ago
50 minutes

Beds, Bins and DNS: How One AWS Region Outage Sank the Smart Home
Hosts Mauven MacLeod and Graham Falkner deliver a fiery rant about the recent AWS US East 1 DNS outage and what it reveals about our dependence on cloud services. In this episode, they unpack the outage's real-world impact — from Snapchat and Venmo outages to Philips Hue bulbs and automated litter boxes going dark — and share colourful personal anecdotes, including a navigation fail on a Loch Lomond walk and a high‑tech mattress that turns into an expensive paperweight when the cloud hiccups. The pair dig into the technical and cultural roots of the problem: DNS as an ageing single point of failure, the dangers of concentrating critical infrastructure in one region, cost‑cutting that sacrifices resilience, and the worrying effects of automation and staff churn. They discuss how small businesses, banks, gaming platforms, and everyday consumers all found themselves unable to process payments, take bookings, or even turn on a light due to a single regional fault. Mauven and Graham also examine the human side of outages — exhausted sysadmins, online threads that read like group therapy, and the blurred line between human operators and automated systems shipping production code. They mock the absurdity of smart devices that need the internet to perform basic functions, and contrast that with the resilience of simple, offline tech (their beloved vinyl collections make a cameo). Finally, the episode offers a clear call to action: rethink resilience. Topics covered include multi‑cloud and hybrid strategies, decentralisation, offline fallback modes or “stupid mode” for essential devices, and the need to prioritise technical debt and redundancy over short‑term savings. Expect sharp humour, practical frustrations, and a promise of tangible fixes and advice in the next episode — plus plenty of memes and sympathy for the folks keeping the lights on.
2 months ago
11 minutes

InfoSec vs CyberSec vs IT Security: Stop Wasting Money on the Wrong One | UK SMB Reality Check
Vendors love throwing around "InfoSec," "CyberSec," and "IT Security" like they're selling completely different solutions. Half the time it's the same thing with three different price tags. The other half? You're buying protection that doesn't address your actual risks.

With 50% of UK small businesses hit by cyber incidents in 2025 and 60% closing within six months of severe data loss, getting this wrong isn't just expensive—it's potentially fatal to your business.

Noel Bradford (40+ years wrangling enterprise security at Intel, Disney, and BBC) and Mauven MacLeod (ex-Government Cyber analyst who's seen threats at the national security level) cut through the marketing rubbish to explain what each approach actually does, what they really cost, and which one your business needs right now. No vendor pitch. No corporate speak. Just the brutal truth about what works for UK SMBs.

This Episode is Sponsored by Authentrend
Special Listener Offer: £40 per FIDO2 security key (regular £45) - Valid until December 22nd, 2025

We only accept sponsorships from companies whose products we already recommend to clients. Authentrend's ATKey series provides FIDO Alliance Level 2 certified, phishing-resistant authentication at competitive pricing. Same cryptographic protection as premium brands, without the premium price tag.

Why we're comfortable with this sponsorship: We've been specifying Authentrend keys for UK SMB clients for months because the math works. FIDO2 hardware security keys stop the credential phishing attacks that cause 85% of cyber incidents. At £40-45 per key (two per employee for backup), you're looking at £80-90 per person for protection that actually works.

Learn more: authentrend.com

What You'll Learn

Understanding the Differences
- What Information Security actually covers (hint: it's not just digital)
- Why Cybersecurity isn't the same as IT Security (despite what vendors claim)
- The CIA triad explained without the jargon
- Real-world examples showing when each approach matters

UK Business Reality
- Current threat landscape: 43% of UK businesses breached in 2025
- Why small businesses (10-49 employees) face 50% breach rates
- Average incident costs: £3,400 (but the real number is much higher)
- UK GDPR, Data Protection Act 2018, and what actually applies to you

What It Actually Costs
- Starting from scratch: £5,000-£15,000 annually for 10-20 employees
- Phishing-resistant MFA: £80-90 per employee (one-time, includes backup keys)
- Cyber Essentials: £300-£500 (your best bang for buck)
- Managed security services: £300-£450/month realistic pricing
- When £2,000-£3,500/month managed detection makes sense
- Free government resources you're probably ignoring

Authentication Security Reality
- Why SMS codes and app-based MFA still get phished
- How FIDO2 hardware security keys cryptographically prevent credential theft
- Real cost comparison: £80-90 per employee one-time vs subscription services costing hundreds annually
- Special offer mentioned in episode: Authentrend keys at £40 until December 22nd

Implementation Without the Bullshit
- Why IT Security basics beat fancy cybersecurity tools every time
- The five controls that address 90% of UK SMB threats
- Common mistakes that waste your security budget
- How to prioritise when you can't afford everything
- Vendor red flags and what to actually look for

Regulatory Requirements Decoded
- ICO data protection fees: £40-£60/year (mandatory)
- What "appropriate technical and organisational measures" really means
- Why recent enforcement shows reprimands over fines for SMBs
- Insurance requirements and how to reduce premiums
- How phishing-resistant authentication affects cyber insurance premiums

Key Statistics Mentioned
- 50% of UK small businesses (10-49 employees) experienced cyber incidents in 2025
- £3,400 average cost per cyber incident (excluding business impact)
- 60% of small businesses close within 6 months of serious data loss
- 85% of cyber incidents involve phishing attacks
- 43% of all UK businesses experienc
2 months ago
37 minutes

Discord's Data Breach and the UK's Digital ID Debacle
Noel and Mauven unpack Discord’s third-party breach that exposed government-ID checks from age-appeal cases, then weigh it against Westminster’s push for a nationwide digital ID. It’s a frank look at how outsourcing, age-verification mandates and data-hungry processes collide with real-world security on the ground. Expect straight talk and practical fixes for UK SMBs.

What we cover
- What actually happened at Discord: a contractor compromise affecting support/Trust & Safety workflows, not Discord’s core systems; notifications issued; vendor relationship severed; law-enforcement engaged.
- Why age-verification data is dynamite: passports and licences used for “prove your age” are a high-value, high-liability dataset for any platform or vendor.
- The UK digital ID plan, clarified: free digital ID, phased rollout this Parliament, and mandatory for Right to Work checks rather than everyone by default. What that means for employers, suppliers and software choices.
- Public sentiment vs promised safety: Britons broadly back “age checks” in principle but expect more data compromise and censorship risk, and doubt effectiveness.

Why it matters to UK SMBs
- You can’t outsource accountability. If a payroll, KYC, helpdesk or verification vendor mishandles data, your customers still see your name on the breach notice.
- Age and identity checks creep into ordinary business flows. HR onboarding, ticketing, and customer support can accumulate sensitive documents if you let them.
- Centralising identity increases the jackpot for attackers. Your job is to minimise what you collect and partition what you must keep.

Key takeaways
- Do not collect what you can’t protect. Prefer attribute proofs over document uploads.
- Limit blast radius. Separate systems, short retention, hard deletion, and vendor access that is time-boxed and device-checked.
- Contract like you mean it. Specify MFA, device compliance, immutable logging, breach SLAs, and verifiable deletion in vendor agreements.
- Prepare your Right-to-Work path now. Choose flows that avoid copying and storing underlying documents.

Action checklist for SMB owners
- Map every place you’re collecting ID or age proof today. Kill non-essential collection.
- Where age is required, adopt attribute-based verification that proves “over 18” without revealing full identity.
- Move any remaining uploads behind automatic redaction, strict retention, and encryption with keys you control.
- Enforce vendor MFA via your IdP, require compliant devices, and review access logs weekly.
- Run DPIAs for onboarding, support and HR flows that touch identity documents.
- Rehearse your breach comms. Aim to say: “only an age token was exposed, not source documents.”

Chapter outline
- Setting the scene: a breach born in the support queue
- Why ID uploads are a liability multiplier
- The UK’s digital ID plan, without the spin
- Vendor risk is your risk
- Practical fixes you can implement before lunch
- Q&A and what to do if you uploaded ID to Discord

If you think you’re affected
Treat notices as real; monitor credit; be alert to targeted phishing; don’t re-upload documents to unsolicited “verification” links.

Support the show
Subscribe, rate and review. Share this episode with a business owner who still stores passport scans in their helpdesk. Send questions or topic requests for future episodes.
2 months ago
11 minutes

172 Security Holes Just Got Patched - But Is YOUR Business Already Compromised?
Microsoft has released the October 2025 Patch Tuesday update, and the numbers tell a serious story: 172 security flaws patched, six of them zero-day exploits already in the wild. For UK small businesses, this is more than routine maintenance; these updates protect against vulnerabilities that attackers are actively exploiting to break into systems like yours.

Graham Falkner cuts through the technical jargon to explain what these updates actually mean for your business, shares a real-world story of a local bakery that nearly lost everything, and walks through the practical steps you need to take today.

Key Topics Covered

The Scale of the Problem
- 172 total vulnerabilities patched across Microsoft's ecosystem
- Six zero-day flaws (actively exploited or publicly known before patches released)
- Eight critical vulnerabilities that could allow unauthorised code execution
- Elevation of privilege, remote code execution, and information disclosure threats

Windows 10: End of an Era
- 15 October 2025 marks the final day of free security updates for Windows 10
- Extended Security Updates (ESU) now required for continued protection
- Time to seriously plan your Windows 11 migration or budget for ESU costs

Real-World Impact
Linda's Bakery nearly lost a week's worth of turnover after ransomware exploited an unpatched zero-day vulnerability. The attack was fast, the data was locked, and only a quick backup restoration saved her business. Graham uses this story to demonstrate why these updates have tangible consequences for small businesses across the UK.

Windows 11 October 2025 Features
Beyond patching vulnerabilities, the October update brings nine useful new features for Windows 11 versions 25H2 and 24H2:
- Improved Phishing Protection: Enhanced defences that make it genuinely harder for dodgy links to trick your staff. Think of it as a digital bouncer for your inbox.
- Enhanced Device Control Settings: Brilliant if you operate in an environment where staff might plug in random gadgets. (Yes, coffee shop owners with drawers full of mystery USB sticks, we're looking at you.)
- Wi-Fi Security Dashboard: No IT degree required. Plain-language summary of your network's safety status that anyone can understand.
- Built-in Password Manager Improvements: Now flags when you've reused weak passwords. No more scribbling your favourite biscuit on a Post-it and hoping for the best.
- AI Actions in File Explorer: Smarter file organisation and quick task shortcuts
- Notification Centre on Secondary Monitors: Finally works properly where you click it
- Moveable System Indicators: Customise where volume and brightness indicators appear
- Administrator Protection: Additional security layer for privileged accounts
- Passkey Support for Third-Party Providers: More flexibility in authentication methods

Practical Action Steps

Immediate Tasks (This Week)
- Schedule Your Updates: Block out an hour when losing a computer for a reboot won't derail your entire operation. Updates can be inconvenient, but getting compromised because you delayed them is far worse.
- Verify Installation Success: Don't assume updates installed correctly. Open Windows Update settings and check for failed installations. Graham shares a personal story about his jukebox PC that reinforces this point.
- Back Up Before Updating: Protect your important data before applying updates. If something breaks, you'll need that backup to restore operations quickly.

Recovery Planning
- Know Your Rollback Options: Windows lets you roll back recent updates through the Advanced Recovery menu. Don't wait until disaster strikes to learn how this works.
- Document Your Process: Have a written plan for what to do if an update causes problems. Graham learned this the hard way when his vinyl room jukebox went silent for days.

Long-Term Security Habits
- Regular Review Schedule: Treat security reviews like your car's MOT. Schedule them in your diary and actually do them. Ask yourself: "Are my defences still relevant to the threats out there?"
- Consider Automation: Intru
2 months ago
8 minutes
