The Small Business Cyber Security Guy | Cybersecurity for SMB & Startups

The Small Business Cyber Security Guy
  • 0.0 (0)
  • MANAGEMENT
  • UPDATED DAILY

The UK's leading small business cybersecurity podcast, helping SMEs protect against cyber threats without breaking the bank. Join cybersecurity veterans Noel Bradford (CIO at Boutique Security First MSP) and Mauven MacLeod (ex-UK Government Cyber Analyst) as they translate enterprise-level security expertise into practical, affordable solutions for UK small businesses. 🎯 WHAT YOU'LL LEARN: Cyber Essentials certification guidance Protecting against ransomware & phishing attacks GDPR compliance for small businesses Supply chain & third-party security risks Cloud security & remote work protection Budget-friendly cybersecurity tools & strategies 🏆 PERFECT FOR: UK small business owners (5-50 employees) Startup founders & entrepreneurs SME managers responsible for IT security Professional services firms Anyone wanting practical cyber protection advice Every episode delivers actionable cybersecurity advice that you can implement immediately, featuring real UK case studies

  1. 19H AGO · BONUS

    November Patch Tuesday Storm: Zero‑Days, Exchange Exploits & WSUS Emergency

    Graham Falkner delivers an authoritative deep dive into November 2025's Patch Tuesday updates, covering the most critical security vulnerabilities affecting businesses of all sizes. This month brings a perfect storm of actively exploited zero-days, critical Exchange Server flaws, and hundreds of patches across Microsoft, Adobe, Oracle, SAP, and third-party vendors. From Windows kernel exploits to e-commerce platform takeovers, November's vulnerability landscape demands immediate attention from IT teams. Key Topics Covered Microsoft Security Updates 89 total vulnerabilities patched (12 critical, 4 zero-days) CVE-2025-0445: Windows Kernel privilege escalation (actively exploited) CVE-2025-0334: Chrome V8/Edge JavaScript engine RCE (actively exploited) CVE-2025-0078: Exchange Server unauthenticated RCE (CRITICAL - affects Exchange 2016/2019/2022) CVE-2025-1789: MSHTML remote code execution via Office documents CVE-2025-59287: WSUS vulnerability (9.8 CVSS, actively exploited, required re-release) 23 remote code execution vulnerabilities across Windows, Office, and developer tools Adobe Security Updates 35+ vulnerabilities patched across multiple products CVE-2025-54236: Adobe Commerce/Magento input validation flaw (9.1 CVSS, actively exploited, Priority 1) CVE-2025-49553: Adobe Connect XSS vulnerability (9.3 CVSS) Patches for Illustrator, FrameMaker, Photoshop, InDesign, Animate, Bridge, Substance 3D Oracle Critical Patch Update (October 2025) 374 new security patches addressing ~260 unique CVEs CVE-2025-61882: Oracle E-Business Suite zero-day (exploited by ransomware groups) 73 patches for Oracle Communications (47 remotely exploitable without authentication) 20 patches for Fusion Middleware (17 remote unauthenticated) 18 fixes for MySQL Updates for PeopleSoft, JD Edwards, Siebel, Oracle Commerce, Database Server SAP Security Updates 18 new security notes plus 1 updated note CVE-2025-42890: SQL Anywhere Monitor hardcoded credentials (10.0 CVSS - PERFECT SCORE) CVE-2025-42887: SAP Solution Manager code injection (9.9 CVSS) CVE-2025-42944: NetWeaver Java insecure deserialisation (updated patch) CVE-2025-42940: CommonCryptoLib memory corruption Mozilla Firefox Updates Firefox 145.0 released November 11th 15 security vulnerabilities fixed (8 high impact) New anti-fingerprinting measures halving trackable users Memory safety and sandbox escape prevention Apple Security Updates iOS/iPadOS 17.1 and macOS 14.1 released 100+ vulnerabilities patched across iPhones, iPads, Macs Critical kernel and WebKit bugs fixed Zero-click exploit prevention Google Security Updates Chrome 142 with 5 security bug fixes Android November 2025 bulletin (patch level 2025-11-01) CVE-2025-48593 and CVE-2025-48581 affecting Android 13-16 Third-Party Critical Vulnerabilities WordPress Post SMTP plugin: CVE-2025-11833 (9.8 CVSS, actively exploited, 200,000+ sites affected) WatchGuard Firebox: CVE-2025-9242 (critical out-of-bounds write, 75,000 devices exposed) Cisco IOS/XE routers: CVE-2025-20352 (SNMP service, actively exploited for rootkit deployment) Critical Action Items for Businesses IMMEDIATE (Deploy Within 24-48 Hours) Microsoft Exchange Server - Apply CVE-2025-0078 patch or isolate internet-facing servers Adobe Commerce/Magento - Deploy CVE-2025-54236 hotfix immediately if running Magento Windows Kernel - Patch CVE-2025-0445 zero-day exploit Edge/Chrome - Update browsers to address CVE-2025-0334 Oracle E-Business Suite - Verify CVE-2025-61882 patch deployed WordPress Post SMTP - Update to v3.6.1 or remove plugin Cisco routers - Apply CVE-2025-20352 patches and check for compromise HIGH PRIORITY (Deploy Within 1 Week) SAP systems - Apply critical patches for CVE-2025-42890 and CVE-2025-42887 WSUS servers - Verify CVE-2025-59287 patch installed correctly Adobe Connect - Update to version 12.10 Firefox, Chrome, Edge - Deploy browser updates organisation-wide Android devices - Deploy November 2025 security bulletin WatchGuard Firebox - Apply CVE-2025-9242 patch STANDARD PRIORITY (Deploy Within 2-4 Weeks) All other Microsoft patches - Complete Windows and Office updates Adobe Creative Suite - Update Illustrator, Photoshop, InDesign, etc. Oracle - Complete October CPU deployment across all Oracle products SAP - Apply remaining security notes across SAP landscape CVE Quick Reference CVE ID Vendor Severity Status Product CVE-2025-0445 Microsoft Critical Actively Exploited Windows Kernel CVE-2025-0334 Microsoft Critical Actively Exploited Edge/Chrome V8 CVE-2025-0078 Microsoft Critical Not Exploited Yet Exchange Server CVE-2025-1789 Microsoft Critical Not Exploited Yet MSHTML CVE-2025-59287 Microsoft Critical (9.8) Actively Exploited WSUS CVE-2025-54236 Adobe Critical (9.1) Actively Exploited Magento/Commerce CVE-2025-49553 Adobe Critical (9.3) Not Exploited Yet Adobe Connect CVE-2025-61882 Oracle Critical Actively Exploited E-Business Suite CVE-2025-42890 SAP Critical (10.0) Not Exploited Yet SQL Anywhere Monitor CVE-2025-42887 SAP Critical (9.9) Not Exploited Yet Solution Manager CVE-2025-11833 WordPress Critical (9.8) Actively Exploited Post SMTP Plugin CVE-2025-20352 Cisco High Actively Exploited IOS/XE SNMP CVE-2025-9242 WatchGuard Critical Not Exploited Yet Firebox Firewalls Resources & Links Vendor Security Bulletins Microsoft Security Update Guide: https://msrc.microsoft.com/update-guide Adobe Security Bulletins: https://helpx.adobe.com/security.html Oracle Critical Patch Updates: https://www.oracle.com/security-alerts/ SAP Security Notes: https://support.sap.com/securitynotes Mozilla Security Advisories: https://www.mozilla.org/security/advisories/ CISA Known Exploited Vulnerabilities: https://www.cisa.gov/known-exploited-vulnerabilities-catalog Patch Tuesday Resources Microsoft Tech Community: https://techcommunity.microsoft.com/ Patch Tuesday Dashboard: https://patchtuesdaydashboard.com/ Security Week Patch Tuesday Coverage: https://www.securityweek.com/ Small Business Cybersecurity Resources Blog: https://thesmallbusinesscybersecurityguy.co.uk NCSC Small Business Guide: https://www.ncsc.gov.uk/smallbusiness Cyber Essentials: https://www.ncsc.gov.uk/cyberessentials Key Statistics 89 Microsoft vulnerabilities patched 4 actively exploited zero-days (Microsoft) 23 remote code execution flaws (Microsoft) 35+ Adobe vulnerabilities fixed 374 Oracle security patches 18 SAP security notes 200,000+ WordPress sites affected by Post SMTP bug 75,000 WatchGuard devices exposed online Narrator Graham Falkner brings his distinctive voice to The Small Business Cyber Security Guy Podcast's research segments. With a background as a former movie trailer narrator and Shakespearean actor, Graham delivers technical security information with gravitas and authority, providing the factual foundation for Noel and Mauven's practical discussions. About The Small Business Cyber Security Guy Podcast The Small Business Cyber Security Guy Podcast translates enterprise-grade cybersecurity into practical, affordable solutions for small and medium businesses. Hosted by Noel Bradford (40+ years IT/cybersecurity veteran) and Mauven MacLeod (ex-NCSC government analyst), the show combines deep technical expertise with authentic British humour to make cybersecurity accessible, actionable, and entertaining. Target Audience: UK small businesses (5-50 employees) who need practical cybersecurity advice within real-world budget and resource constraints. Connect With Us Website: https://thesmallbusinesscybersecurityguy.co.uk Subscribe: Available on Apple Podcasts, Spotify, and all major podcast platforms Social Media: Follow us on LinkedIn for daily cybersecurity insights Contact: hello@thesmallbusinesscybersecurityguy.co.uk   Help us spread the word about practical cybersecurity for small businesses: ⭐ Subscribe to never miss an episode ⭐ Leave a review on Apple Podcasts or Spotify ⭐ Share this episode with other business owners who need to hear this ⭐ Comment below with topics you'd like us to cover next ⭐ Visit the blog at thesmallbusinesscybersecurityguy.co.uk for written guides and resources Disclaimer This podcast provides educational information about cybersecurity topics. While we strive for accuracy, the threat landscape changes rapidly. Information is current as of November 2025 but may become outdated. Always verify patch information with official vendor sources and test updates in your specific environment before deployment. The hosts are not liable for any actions taken based on this information. Always implement cybersecurity measures appropriate to your business needs and risk profile. Next Episode Stay tuned for our next episode where Noel and Mauven discuss practical patch management strategies for small businesses, including how to prioritise updates when you can't deploy everything immediately. Episode Length: 10-11 minutes Difficulty Level: Intermediate to Advanced Best For: IT managers, business owners, MSP clients, anyone responsible for patching The Small Business Cyber Security Guy Podcast - Making Enterprise Cybersecurity Practical for Small Businesses

    18 min

  2. 1D AGO · BONUS

    Big Brother Is Watching Your VPN — The Online Safety Act Unpacked

    The Spy Who Monitored Me - Ofcom's VPN Surveillance Farce Episode Information Episode Title: The Spy Who Monitored Me: Ofcom's VPN Surveillance Farce Episode Number: Hot Take Release Date: 11 November 2025 Duration: Approximately 18 minute Hosts: Mauven MacLeod & Graham Falkner Format: Research segment with heavy sarcasm Episode Description Ofcom's monitoring VPNs with a secret AI tool they refuse to name. Because nothing says "liberal democracy" quite like government surveillance of privacy tools. In this punchy episode, Mauven and Graham dissect TechRadar's exclusive revelation that Ofcom is using an unnamed third-party AI monitoring system to track VPN usage following the Online Safety Act. With 1.5 million daily users allegedly bypassing age verification, the UK's communications regulator has decided the solution is... monitoring everyone. Spoiler alert: the technology can't distinguish between your accounting manager accessing company systems and someone bypassing age checks. But why let technical limitations get in the way of a good surveillance programme? We examine the mysterious, unnamed AI tool, the questionable 1.5 million user statistic that appears nowhere in official documents, Section 121's encryption-breaking powers that remain dormant in the Act, and what this means for small businesses using VPNs for legitimate security purposes. If you've ever wondered what it's like when a supposedly liberal democracy starts copying China's approach to internet regulation, this episode is your depressing guide. Key Topics Covered The Surveillance Revelation Ofcom confirms use of unnamed third-party AI monitoring tool TechRadar exclusive: "We use a leading third-party provider" with zero transparency Government surveillance of privacy tools sets a dangerous precedent Comparison to authoritarian regimes (China, Russia, UAE, Iran) The Numbers That Don't Add Up 1.5 million daily VPN users claim appears nowhere in official Ofcom documents No published methodology or verification VPN detection cannot determine the intent or legitimacy of use Analytics show VPN use is lower in countries with greater online freedom What Actually Happened on July 25th The UK Online Safety Act child safety duties became fully enforceable Mandatory "highly effective age assurance" replaced simple checkbox verification Proton VPN: 1,400% surge in UK signups within hours NordVPN: 1,000% increase in downloads ProtonVPN beat ChatGPT to become the #1 free app on Apple UK App Store The Small Business Nightmare Business VPNs are essential security hygiene for remote work Ofcom's monitoring cannot distinguish legitimate business use from circumvention Undisclosed data collection creates unknowable privacy risks GDPR compliance implications when the government monitors your security tools Section 121: The Spy Clause Powers to require client-side scanning of encrypted communications Government promises not to use "until technically feasible" Cryptography experts: impossible without destroying encryption Apple shelved similar plans in 2021 Signal and WhatsApp threatened to leave the UK market The Authoritarian Playbook in Action Scope creep within days: blocking parliamentary speeches, news coverage, forums A cycling forum shut down due to compliance costs Small platforms are closing rather than face a compliance nightmare Chilling effect on legitimate content and discussion International Surveillance Creep 25 US states passed similar age verification laws EU debating Chat Control (mandatory encrypted message scanning) Australia is implementing age verification for search engines Legislative arms race using "protecting children" as a universal justification What Small Business Owners Must Do Document all VPN usage for legitimate business purposes Maintain VPN security protocols despite surveillance theatre Get legal advice if operating any platform with user-generated content Fines up to £18 million or 10% of global revenue Criminal liability for senior managers The GDPR Compliance Paradox How do you assess data protection risks from secret surveillance tools? Opacity makes compliance verification impossible Government monitoring creates unassessable risks to customer data   Resources & Links Mentioned Primary Source TechRadar Exclusive: Ofcom is monitoring VPNs following Online Safety Act Key Organizations Quoted Open Rights Group - James Baker's comments on surveillance precedent Check Point Software - Graeme Stewart's comparison to China, Russia, and Iran Government Resources Online Safety Act 2023 - UK Government legislation Ofcom Online Safety Guidance - Hundreds of pages of vague compliance requirements Section 121 - Client-side scanning provisions ("spy clause") VPN Statistics Sources Proton VPN: 1,400% surge report NordVPN: 1,000% increase report Apple UK App Store rankings: July 25-27, 2025 Related Coverage Petition to Repeal Online Safety Act: 550,000+ signatures Peter Kyle (UK Technology Secretary) statement on critics Parliamentary debate triggered by petition threshold Additional Reading GDPR compliance implications of government surveillance Cryptography expert analysis of client-side scanning Apple's 2021 decision to shelve client-side scanning plans Signal and WhatsApp statements on Section 121 Key Quotes from Episode Mauven: "Nothing says 'liberal democracy' quite like government agencies tracking privacy tools. What's next, monitoring who buys curtains?" Graham: "Train its models. That's AI speak for 'we're hoovering up data and hoping the algorithm figures it out.' As a former actor, I can recognise corporate theatre when I see it." Mauven: "The 1.5 million number appears exclusively in media reports citing 'Ofcom estimates.' It's like citing your mate Dave as a source on quantum physics." Graham: "So Ofcom creates a law that makes people deeply uncomfortable about their privacy, people respond by protecting their privacy, and Ofcom's solution is to monitor those privacy tools? It's like putting cameras in the changing rooms to make sure people aren't being indecent." Mauven: "James Baker from the Open Rights Group nailed it when he told TechRadar that VPN monitoring sets 'a concerning precedent more often associated with repressive governments than liberal democracies.'" Graham: "Peter Kyle, the UK Technology Secretary, literally said critics of the Online Safety Act are 'on the side of predators.' That's not policy debate. That's emotional blackmail designed to shut down legitimate concerns about civil liberties." Mauven: "George Orwell is looking at this thinking 'bit on the nose, isn't it?'" Action Items for Small Business Owners Immediate Actions Document VPN Usage List which employees use VPNs Document business purposes for encrypted connections Maintain evidence of legitimate use for potential regulatory action Maintain Security Protocols Continue using VPNs for remote work security Don't let surveillance theatre compromise actual cybersecurity Protect against real threats (ransomware, phishing, etc.) Assess Platform Compliance If you operate any online platform, forum, or user-generated content site Get legal advice immediately Understand massive fines (£18m or 10% global revenue) and criminal liability. Ongoing Monitoring Stay Informed Section 121 could be activated at any time EU Chat Control could affect European operations US state laws are proliferating rapidly Monitor regulatory developments actively Engage Politically Contact your MP about the surveillance of privacy tools Reference the 550,000+ signature petition Make it clear that this is unacceptable in a democracy Push back before surveillance becomes normalised GDPR Compliance Review Assess how government VPN monitoring affects data protection obligations Document that opacity makes risk assessment impossible Consult legal counsel on compliance implications Visual Elements (for YouTube/Video) Screenshot: TechRadar exclusive article headline On-screen text: "1.5 million daily VPN users" with question mark Comparison graphic: VPN use in free vs. authoritarian countries Timeline graphic: July 25th enforcement → VPN surge → Ofcom monitoring Text overlay: Section 121 "spy clause" powers Map graphic: International surveillance legislation spread (UK, US, EU, Australia) Infographic: Small business action checklist Key Themes Government surveillance of privacy tools in supposed liberal democracy Technical limitations make monitoring ineffective at stated purpose Scope creep from child protection to political content blocking within days Small business caught in surveillance net designed for age verification International trend toward authoritarian internet regulation models GDPR compliance paradox when government creates unknowable privacy risks Practical cybersecurity must continue despite surveillance theatre Political engagement essential before normalization occurs Tone & Style Notes Heavy sarcasm throughout - serious WTF tone without profanity Incredulous questioning of government logic and transparency Dark humour about dystopian surveillance implications Technical precision in explaining what monitoring can/cannot do Practical focus on small business implications Political urgency without becoming preachy Professional skepticism balanced with actionable guidance CTAs (Calls to Action) Primary CTAs Subscribe wherever you get your podcasts Share with other small business owners who need this information Leave a review if you found this episode useful (or terrifying) Visit the blog at thesmallbusinesscybersecurityguy.co.uk for full breakdown with sources Secondary CTAs Drop a comment with questions about VPN security or regulatory compliance Contact your MP about surveillance of privacy tools Sign the petition to repeal the Online Safety Act (if not already done) Document your VPN usage for legitimate business purposes starting today Social Media Hashtags

    19 min

  3. 2D AGO

    From SMS to FIDO2: A Small Business Guide to Phishing‑Resistant Authentication

    In this episode of the Small Business Cybersecurity Guide, hosts Noel Bradford and Mauven McLeod are joined by Mark Bell from Authentrend (episode sponsor) to explain why the mobile phone, long promoted as a convenient authentication tool, can be one of the weakest links in your business security. Using real-world examples, including a recent breach of a 15-person firm that relied on SMS one-time passwords, the trio outlines how simple attacks, such as SIM swapping and code interception, make SMS and many authenticator app workflows vulnerable to targeted attackers. The hosts define multi-factor authentication in plain terms and introduce FIDO2/passkeys and hardware security keys as effective, phishing-resistant alternatives. Mark describes how hardware keys utilise public-key cryptography and local biometric verification (fingerprint on the key), ensuring that private credentials never leave the device, thereby preventing attackers from reusing intercepted codes or tricking users into authenticating to fake sites. Practical implementation advice is covered in detail: start with a risk assessment, deploy keys in phases (prioritise privileged accounts and executives), run a pilot with high-risk users, and require at least two keys per user for redundancy. They discuss costs (roughly £45 per key, with a 10-year lifespan), the productivity and help-desk savings from passwordless authentication, the effects on cyber insurance and compliance (including Cyber Essentials updates and the gap between compliance and proper protection), and strategies for legacy systems and remote workers. The episode also highlights human factors, including making authentication easy to use (biometric keys), providing clear training and internal champions, and anticipating user resistance, which can be managed through leadership buy-in and phased rollouts. Listeners are urged to assess their critical accounts, prioritise hardware keys for high-risk users, and run a small pilot rather than waiting for discounts — because, as the guests stress, hardware keys can stop roughly 80% of credential-based breaches in practice. Guests and links: Noel Bradford and Mauven MacLeod (hosts), with guest Mark Bell from Authentrend The show notes include links to Authentrend products,NCSC guidance on passkeys and FIDO2, and step-by-step implementation resources for small businesses.

    33 min

  4. 4D AGO · BONUS

    Ignored Audits, Ancient Servers, and a Cherry Picker — Inside the Louvre Jewel Robbery

    On October 19th, 2025, four men dressed as construction workers stole €102 million in French crown jewels from the Louvre Museum in just seven minutes. The heist was poorly executed—thieves dropped items and failed to target the most valuable pieces—yet they succeeded spectacularly. Why? Because the world's most visited museum had been ignoring basic cybersecurity warnings for over a decade. In this hot take, Noel Bradford examines the shocking details that emerged after the heist: the password to the Louvre's video surveillance system was "LOUVRE." Security software was protected by "THALES" (the vendor's name). Windows 2000 and Server 2003 systems were still in operation years after support ended. And a 2015 security audit with 40 pages of recommendations won't be fully implemented until 2032. This episode examines the consequences of institutions ignoring expert warnings, the importance of accountability, and what UK small businesses can learn from a €102 million failure. Spoiler: if your security is better than the Louvre's, you're doing something right. Key Message: Security failures often begin long before the day of the breach. They start years earlier when warnings go unaddressed. Key Takeaways The Louvre's password was "LOUVRE." If one of the world's most prestigious institutions used the building's name as its surveillance system password, your organisation probably has similar problems. Ten years of warnings, zero action - ANSSI identified critical vulnerabilities in 2014. Security upgrades recommended in 2015 won't be completed until 2032. Ignoring expert advice is organisational negligence. Resources aren't the problem - The Louvre had budget, expertise, and free government audits. They chose to prioritise palace restoration (€60M) over security infrastructure. It's about priorities, not resources. Hardware authentication solves password problems - FIDO2 security keys can't be guessed, phished, or compromised through weak passwords. At £30-50 per key, they're cheaper than one day of operational disruption. The accountability gap enables negligence - Government institutions face no consequences for catastrophic security failures, while UK SMBs receive ICO fines and potential closure for less. This double standard undermines security culture. Your security might be better than that of the Louvre. If you've enabled MFA, run supported operating systems, and have basic password policies, you're already ahead of a museum protecting the Mona Lisa. That's encouraging and concerning. Security failures often begin years before a breach - The October 2025 heist was made possible by decisions (or non-decisions) that stretched back to 2014. Prevention requires consistent action, not crisis response. Case Studies Referenced The Louvre Heist (October 2025) Incident: €102 million in French crown jewels stolen in 7 minutes Root causes: Password "LOUVRE" for surveillance, outdated systems (Windows 2000/Server 2003), unmonitored access points Audit history: 2014 ANSSI audit identified vulnerabilities, 2015 audit provided 40-page recommendations Accountability: Director retained position, no terminations, Culture Minister initially denied security failure Timeline: Security upgrades recommended in 2015 won't complete until 2032 KNP Logistics (Referenced) Industry: East Yorkshire haulage firm Incident: Ransomware attack, £850,000 ransom demand Outcome: Couldn't pay, business entered administration, 70 jobs lost Contrast: Small business faces closure; national institution faces no consequences Electoral Commission (Referenced) Incident: Data breach affecting 40 million UK voters Outcome: No job losses, no significant consequences Relevance: Government accountability gap vs private sector enforcement Case Studies Referenced The Louvre Heist (October 2025) Incident: €102 million in French crown jewels stolen in 7 minutes Root causes: Password "LOUVRE" for surveillance, outdated systems (Windows 2000/Server 2003), unmonitored access points Audit history: 2014 ANSSI audit identified vulnerabilities, 2015 audit provided 40-page recommendations Accountability: Director retained position, no terminations, Culture Minister initially denied security failure Timeline: Security upgrades recommended in 2015 won't be completed until 2032 KNP Logistics (Referenced) Industry: East Yorkshire haulage firm Incident: Ransomware attack, £850,000 ransom demand Outcome: Couldn't pay, business entered administration, 70 jobs lost Contrast: Small business faces closure; national institution faces no consequences Electoral Commission (Referenced) Incident: Data breach affecting 40 million UK voters Outcome: No job losses, no significant consequences Relevance: Government accountability gap vs private sector enforcement About The Host Noel Bradford brings over 40 years of IT and cybersecurity experience across enterprise and SMB sectors, including roles at Intel, Disney, and BBC. Currently serving as CIO and Head of Technology for a boutique security-first MSP, Noel specialises in translating enterprise-grade cybersecurity expertise into practical, affordable solutions for UK small businesses with 5-50 employees. His philosophy centres on "perfect security is the enemy of any security at all," focusing on real-world constraints and actionable advice over theoretical discussions. Noel's direct, no-nonsense approach has helped "The Small Business Cyber Security Guy Podcast" achieve Top 90 Business Podcast status in the USA and Top 170 in the UK, with a unique cross-Atlantic audience (47% American, 39% British). Legal & Disclaimer The information provided in this podcast is for educational and informational purposes only and should not be construed as professional cybersecurity, legal, or financial advice. Listeners should consult qualified professionals for guidance specific to their circumstances. Product and service mentions, including sponsors, are provided for informational purposes. The host and podcast do not guarantee results from implementing suggested strategies or using mentioned products. All case studies and incidents discussed are based on publicly available information and reporting. Facts are verified against multiple authoritative sources before publication. © 2025 The Small Business Cyber Security Guy Podcast. All rights reserved.   Credits Host: Noel Bradford Production: The Small Business Cyber Security Guy Productions Editing: Noel Bradford Research: Graham Falkner Show Notes: Graham Falkner Special Thanks: ANSSI (for their audit work that we wish the Louvre had acted upon), Libération journalist Brice Le Borgne (for his investigative reporting), and UK small businesses everywhere who take security more seriously than world-famous museums apparently do. Episode Tags #Cybersecurity #SmallBusiness #UKBusiness #PasswordSecurity #Louvre #DataBreach #HardwareAuthentication #FIDO2 #CyberAccountability #InformationSecurity #RiskManagement #SMBSecurity #CyberNews #HotTake #BusinessPodcast Next Episode: Coming Soon - Criminal Accountability for Cybersecurity Negligence (Two-Part Series) Average Episode Downloads: 3,000+ per day at peak Listener Demographics: 47% USA, 39% UK, 14% Other Target Audience: UK SMBs with 5-50 employees

    12 min

  5. NOV 3 · BONUS

    No More Excuses: Cyber Essentials Forces MFA on Every Cloud Service (Apr 2026)

    In this episode Graham and Mauven break down a major overhaul to Cyber Essentials coming into force from April 2026. The hosts explain the headline change — mandatory multi-factor authentication (MFA) for every cloud service with no loopholes — and how the scheme has tightened scoping so any internet-connected service or system that processes company data is now in scope. Topics covered include the new emphasis on passwordless authentication (passkeys, FIDO2 hardware keys, and biometrics), why the NCSC is pushing these technologies, and the practical security benefits and limits of passwordless solutions. They also discuss the real-world impact on small businesses: thousands currently relying on weak passwords or shadow IT will face failed assessments, unsupported software will trigger instant fails, and many firms will need to budget for MFA where it’s not free. Graham and Mauven share concrete, actionable advice for listeners: inventory every cloud service (including forgotten Dropbox or personal Gmail accounts used for work), involve the whole team, enable MFA everywhere possible (and budget for paid options), collect and document evidence (screenshots, logs), map networks and implement segmentation where needed, and plan early to avoid rush and audit pain. Key takeaways: the bar is being raised to reduce simple attacks, passwordless is being validated as a practical option, expect a drop in pass rates at renewal time, and businesses should start preparing now or face chaotic assessment outcomes. Hosts: Graham Falkner and Mauven MacLeod.

    8 min

  6. NOV 3

    FinalSpark, Ethics & Security: What Living-Neuron Computers Mean for Your Company

    What if I told you there’s a laboratory in Switzerland where scientists are building computers from living human neurons?   Sounds like science fiction, right? But it’s happening right now, and the energy crisis driving this research is about to affect every small business owner’s cloud computing bills.   In this episode, Noel, Graham, and Mauven explore FinalSpark’s revolutionary biocomputing platform. This Swiss company has created the Neuroplatform, a system using approximately 160,000 living human neurons to perform computational tasks. Their goal?   Solving the massive energy consumption problem created by artificial intelligence and modern data centres.   Your brain runs on 20 watts of power. Current AI data centres consume megawatts.   FinalSpark claims their biological processors could use a million times less energy than traditional computing. That’s not incremental improvement – that’s fundamental transformation.   But here’s the catch: this technology is still early, really early. So why should small business owners care about laboratory experiments with brain cells?   Because the energy costs driving this research are already affecting your Azure bills, your SaaS subscriptions, and your cloud hosting fees. And understanding where technology is heading helps you make better decisions about where to invest your limited resources.   What You’ll Learn Why energy consumption in computing matters to small businesses right now How FinalSpark’s biocomputing platform actually works (in terms that won’t require a neuroscience degree) The realistic timeline for when this technology might affect your business What small businesses should actually do about emerging technologies The security implications nobody’s talking about yet The uncomfortable ethical questions around growing human neurons for computation   Key Quotes   Noel Bradford:“Training a single large AI model produces the same carbon emissions as five cars create during their entire lifetime. And that statistic is from 2019. Modern models like GPT-4 produce 50 to 100 times more emissions than that.”   Graham Falkner:“So naturally they thought, you know what, let’s just use actual neurons instead. Because that’s a perfectly reasonable next step when your silicon experiments don’t work.”   Mauven MacLeod:“Bloody hell. Today’s topic just got properly mental.”   Noel Bradford on timeline:“In the next 12 months, nothing. Ignore biocomputing entirely. Focus on the security basics most businesses are probably still getting wrong.”   On security implications:“How do you secure a computer made from living cells? Do you need to understand neuroscience to exploit vulnerabilities in bioprocessors? If someone breaches a living computer system, is it a cyber attack or biological warfare?”   About FinalSpark Founded by: Dr. Martin Kutter and Dr. Fred Jordan Location: Vevey, Switzerland Previous company: Alpvision (anti-counterfeiting specialists) Current project: The Neuroplatform   Research credentials: Published peer-reviewed research that reached the top 1% of most-read articles in Frontiers journal Providing free access to 10 universities worldwide (36 applications received) Created APIs and documentation for remote access Built Discord community with 1,200+ members discussing biocomputing Participating universities: University of Michigan Free University of Berlin University of Exeter Lancaster University Leipzig University University of York Oxford Brookes University University of Bath University of Bristol Université Côte d’Azur (France) University of Tokyo Key Facts from the Episode   Energy consumption statistics: Data centres consumed 1.5% of global electricity as of 2024 Projected to reach 3% by 2030 AI is accelerating growth exponentially Meta, Google, and OpenAI are talking about building nuclear power stations   The biocomputing advantage: Human brain runs on 20 watts Modern AI data centres use megawatts (millions of watts) FinalSpark claims million-times efficiency (99.9999% reduction) Some sources cite up to billion-times more energy efficient   The Neuroplatform specifications: 10,000 living neurons per organoid 16 organoids total Approximately 160,000 neurons system-wide Neurons survive up to 100 days in active use Accessible remotely by researchers worldwide   Why This Matters for Small Businesses   Immediate concerns: Energy costs always roll downhill to cloud hosting bills and SaaS subscriptions AI tools your business uses (Microsoft Copilot, ChatGPT, customer service chatbots) all burn energy Every interaction costs carbon, and those costs eventually reach small businesses Future implications: If biocomputing proves viable, benefits arrive through infrastructure improvements Your cloud providers incorporate biological processors Your costs decrease, capabilities increase You won’t buy biocomputers any more than you buy specific processor architectures now   What to watch for (2-5 year timeline): •Early commercial applications in specialised tasks •Medical diagnostics applications •Pattern recognition improvements •Industry adoption signals   Practical Takeaways for Business Owners   Do these things now: Secure current systems properly (multi-factor authentication, proper backups) Train staff on cybersecurity basics Achieve Cyber Essentials certification Build adaptable IT infrastructure   Build awareness: Subscribe to technology news sources Spend 15 minutes monthly reading about emerging tech Build mental models of where technology might head Prepare for paradigm shifts Watch for these milestones: Commercial partnerships with major tech companies Published benchmarks proving practical advantages Scaling demonstrations (thousands of neurons for months) Security framework development Independent energy validation studies Remember: Mad ideas sometimes win (iPhone, Netflix, electric cars) Companies that survive aren’t the ones that predicted the exact future They’re the ones who built adaptable systems that could pivot Focus on fundamentals whilst keeping awareness of emerging tech   Resources Mentioned FinalSpark: Company website and Neuroplatform information FinalSpark Butterfly demonstration application (control virtual butterfly using living neurons) Discord community (1,200+ members) Academic publications in Frontiers journal Further reading: Full blog post with technical details and source verification available at thesmallbusinesscybersecurityguy.co.uk Research papers on biological computing Energy consumption studies for AI and data centres The Uncomfortable Questions We Need to Answer   As Noel, Graham, and Mauven discuss in the episode, biocomputing raises security and ethical questions that nobody has answers for yet:   Security concerns: How do you secure computers made from living cells? Can you hack biological neural networks? Do you need neuroscience expertise to exploit vulnerabilities? Is a breach a cyber attack or biological warfare? How do you wipe a neuron’s memory? Can you verify data deletion? How do you conduct forensic analysis on biological substrates? Ethical considerations: These neurons aren’t conscious or sentient (they’re biological cells performing functions) But they’re human neurons grown from human stem cells Where’s the ethical line if we can grow larger collections? How large before we worry about experiences or consciousness? How do we measure consciousness in biological systems grown for computation? Should these conversations happen now, before ubiquity? The hosts emphasize that awareness isn’t the same as answers, but these discussions need to happen before the technology becomes widespread.   What the Hosts Say You Should Actually Do   After 22 minutes of discussing living neurons, Swiss laboratories, and energy crises, the practical advice is refreshingly straightforward:   Do Nothing different for now at least!   Seriously. Don’t change your technology strategy based on biocomputing research. Instead: Secure your current systems properly Implement proper backup strategies Train your staff on cybersecurity basics Achieve Cyber Essentials certification Build IT infrastructure that serves your business objectives   Why? Because the exciting developments in biocomputing don’t change the fact that most UK small businesses still haven’t done the tedious, essential security work that prevents 95% of attacks.   As Noel puts it: “The companies that survive aren’t the ones that predicted the exact future. They’re the ones who built adaptable systems that could pivot when the future arrived unexpectedly.”   Next Steps Subscribe to the podcast so you don’t miss future episodes exploring where technology is heading and what it means for your business.   Leave a review if you found this episode valuable. Reviews genuinely help other small business owners find the show. Takes 30 seconds, makes a real difference.   Share this episode with business owners who need to understand how energy costs are about to affect their cloud computing bills.   Visit the blog at thesmallbusinesscybersecurityguy.co.uk for the comprehensive write-up with all technical details, source verification, and links to the research.   Comment with your thoughts: Do you think biocomputing is the future or an expensive dead end? Your questions sometimes become future episodes.   About The Small Business Cyber Security Guy Podcast Practical cybersecurity advice for UK small businesses, delivered with humour and authentic British personality.   Hosted by Noel Bradford (40+ years in IT, ex-Intel/Disney/BBC, current CIO) Graham Falkner (Tech Savy small business owner & voice over artist representing the SMB reality) Mauven MacLeod (ex-government cybersecurity background) New episodes weekly Website: thesmallbusinesscybersecurityguy.co.uk Podcast feed: https://feed.podbean.com/

    23 min

  7. OCT 31 · BONUS

    Ghosts in the Machine — Halloween Special: When Your Tools Turn on You

    This Halloween special of the Small Business Cyber Security Guy peels back the curtain on the scariest place hackers hide: the tools and toolchains you trust. Hosts Graeme Falkner, Noel Bradford and Mauven MacLeod go ghost hunting inside compilers, build systems and update pipelines to show how supply‑chain attacks can insert backdoors that you’ll never spot by reading source code alone. The episode revisits Ken Thompson’s classic compiler backdoor thought experiment and explains, in plain language, how a compromised compiler can propagate secrets invisibly. The hosts walk through real incidents — XcodeGhost, SolarWinds, EventStream, and Log4j — to demonstrate how attackers target development tools and upstream suppliers to compromise software at scale. Expect practical, small-business-focused anecdotes (including a midnight accounting patch that wreaked havoc) and clear explanations of why technical debt, single-developer codebases, and blind trust in update pop-ups are dangerous. The conversation highlights how even open-source software can be compromised if maintainers or dependencies are compromised. The episode also covers defences and takeaways: demand provenance and supply-chain transparency from vendors, insist on reproducible builds where possible, use two-person reviews and well-maintained dependencies, and protect access with strong authentication. The hosts debate how to distribute trust, verify your verifiers, and reduce single points of failure so one compromised supplier or contractor can’t haunt your whole business. There’s a sponsor segment from Authentrend about passwordless biometric sign-ins as a way to block credential-based intrusions, along with links to resources and a trial, in the show notes. Throughout, the hosts balance technical history and horror stories with concrete steps small businesses can take now to keep their compilers and supply chains clean. Listen for clear, actionable advice for small businesses, including how to ask vendors the right questions, when to bring in trusted IT partners, and simple measures to keep the lights on and the doors locked against the ghosts in your code. Sláinte — and may your backups never rise from the grave.

    13 min

  8. OCT 27

    The Doorman Fallacy: How Cost Cuts Become Catastrophes

    The £18,000 Saving That Cost £200,000 in Revenue Ever cut a cost that seemed obviously wasteful, only to discover you'd destroyed something far more valuable? Welcome to the Doorman Fallacy —it's probably happening in your business right now. In this episode, Noel Bradford introduces a concept from marketing expert Rory Sutherland's book "Alchemy" that explains precisely why "sensible" security cost-cutting so often leads to catastrophic consequences. Through five devastating real-world case studies, we explore how businesses optimise themselves into oblivion by defining roles too narrowly and measuring only what's easy to count. Spoiler alert: The doorman does far more than open doors. And your security measures do far more than their obvious functions. What You'll Learn The Core Concept What the Doorman Fallacy is and why it matters for cybersecurity The difference between nominal functions (what something obviously does) and actual functions (what it really does) Why efficiency optimisation without a complete understanding is just expensive destruction The five-question framework for avoiding Doorman Fallacy mistakes Five Catastrophic Case Studies 1. The Security Training Fallacy (Chapter 2) How cutting £12,000 in training led to a £70,000 Business Email Compromise attack Why training isn't about delivering information—it's about building culture The invisible value: shared language, verification frameworks, psychological safety What to measure instead of cost-per-employee-hour 2. The Cyber Insurance Fallacy (Chapter 3) The software company that saved £18,000 and lost £200,000 in client contracts Why insurance isn't just financial protection—it's a market signal Hidden benefits: third-party validation, incident response capability, customer confidence How cancelling coverage destroyed vendor relationships and sales opportunities 3. The Dave Automation Fallacy (Chapter 4) Insurance broker spent £100,000+ replacing a £50,000 IT person The £15,000 server upgrade that Dave would have known was unnecessary Institutional knowledge you can't document: vendor relationships, crisis judgment, organisational politics Why ticketing systems can't replace anthropological understanding 4. The MFA Friction Fallacy (Chapter 5) Fifteen seconds of "friction" versus three weeks of crisis response The retail client who removed MFA and suffered £65,000 in direct incident costs Why attackers specifically target businesses without MFA The reputational damage you can't quantify until it's too late 5. The Vendor Relationship Fallacy (Chapter 6) Solicitors saved £4,800 annually, lost a £150,000 client Why "identical services" aren't actually identical The difference between contractual obligations and genuine partnerships What happens when you need flexibility and you've burned your bridges Key Statistics & Case Studies 42% of business applications are unauthorised Shadow IT (relevant context) £47,000 BEC loss vs £12,000 annual training savings £200,000 lost revenue vs £18,000 insurance savings £100,000+ replacement costs vs £50,000 salary £65,000 incident costs vs marginal productivity gains £150,000 lost client vs £4,800 vendor savings Common pattern: Small measurable savings, catastrophic unmeasurable consequences. The Five-Question Framework Before cutting any security costs, ask yourself: What's the nominal function versus the actual function? What does it obviously do vs what does it really do? What invisible benefits will disappear? Be specific: not "provides value" but "provides priority incident response during emergencies" How would we replace those invisible benefits? If you can't answer this, you're making a Doorman Fallacy mistake What's the actual cost-benefit analysis, including invisible factors? Not just "save £8,000" but "save £8,000, lose security culture, increase incident risk" What's the cost of being wrong? In cybersecurity, the cost of being wrong almost always exceeds the cost of maintaining protection Practical Takeaways What to Do Tomorrow Review your most recent efficiency or cost-cutting decision. Ask: Did we define this function too narrowly? What invisible value might we have destroyed? Are we experiencing consequences we haven't connected to that decision? Better Metrics for Security Investments Instead of measuring cost-per-hour or savings-per-quarter, measure: Incident reporting rates (should go UP with good training) Verification procedure usage frequency Time-to-report for security concerns Vendor response times during emergencies Employee confidence in raising concerns Making Trade-Offs Honestly Budget constraints are legitimate. The solution isn't "never cut anything." It's: Acknowledge what you're sacrificing when you cut Admit the risks you're accepting Have plans for replacing invisible functions Make consequences visible during decision-making Ensure decision-makers bear some responsibility for outcomes Quotable Moments "The doorman's job is opening doors. So we replaced him with an automatic door. Saved £35,000 a year. Lost £200,000 in revenue because the hotel stopped feeling luxurious. That's the Doorman Fallacy." — Noel "Security training's nominal function is delivering information. Its actual function is building culture. Cut the training, lose the culture, then wonder why nobody reports suspicious emails anymore." — Noel "We saved £8,000 on training. Spent £70,000 on the Business Email Compromise attack that training would have prevented. The CFO was very proud of the efficiency gains." — Noel "You can't prove a negative. Can't show the value of the disasters you prevented because they didn't happen. So the training gets cut, the insurance gets cancelled, and everyone acts surprised when the predictable occurs." — Mauven "The efficiency consultant's dream outcome: Measurable cost eliminated, unmeasurable value destroyed, everyone confused about why things feel worse despite the improvement." — Noel Chapter Timestamps 00:00 - Pre-Roll: The Most Expensive Cost-Saving Decision 02:15 - Intro: Why Marketing Books Matter for Cybersecurity 05:30 - Chapter 1: The Book, The Fallacy, The Revelation 12:00 - Chapter 2: The Security Training Fallacy 19:30 - Chapter 3: The Cyber Insurance Fallacy 27:00 - Chapter 4: The Dave Automation Fallacy 35:30 - Chapter 5: The MFA Friction Fallacy (+ Authentrend sponsor message) 42:00 - Chapter 6: The Vendor Relationship Fallacy 49:30 - Chapter 7: Hard-Hitting Wrap-Up & Framework 58:00 - Outro: Action Items & CTAs Total Runtime: Approximately 62 minutes Sponsored By Authentrend - Biometric FIDO2 Security Solutions This episode is brought to you by Authentrend, which provides passwordless authentication solutions that address the friction problem discussed in Chapter 5. Their ATKey products use built-in fingerprint authentication—no passwords, no PIN codes, just five-second authentication that's both convenient AND phishing-resistant. Microsoft-certified, FIDO Alliance-trusted, and designed for small businesses that need enterprise-grade security without enterprise-level complexity. Learn more: authentrend.com Resources & Links Mentioned in This Episode: Rory Sutherland's "Alchemy: The Dark Art and Curious Science of Creating Magic in Brands, Business, and Life" Authentrend ATKey Products: authentrend.com Episode 3: "Dave from IT - When One Person Becomes Your Single Point of Failure" (referenced in Chapter 4) Useful Tools & Guides: Download our Doorman Fallacy Decision Framework (PDF) Template: Articulating Invisible Value in Budget Meetings Checklist: Five Questions Before Cutting Security Costs Case Study Library: Real-World Doorman Fallacy Examples UK-Specific Resources: ICO Guidance on Security Measures NCSC Small Business Cyber Security Guide Cyber Essentials Scheme Information About Your Hosts Noel Bradford brings 40+ years of IT and cybersecurity experience from Intel, Disney, and the BBC to small-business cybersecurity. Now serving as CIO/Head of Technology for a boutique security-first MSP, he specialises in translating enterprise-level security to SMB budgets and constraints. Mauven MacLeod is an ex-government cyber analyst who now works in the private sector helping businesses implement government-level security practices in commercial reality—her background bridges national security threat awareness with practical small business constraints. Support The Show New episodes every Monday at Noon UK Time! Never miss an episode! Subscribe on your favourite podcast platform: Apple Podcasts Spotify Google Podcasts RSS Feed: https://feed.podbean.com/thesmallbusinesscybersecurityguy/feed.xml Help us reach more small businesses: ⭐ Leave a review (especially appreciated if you mention which Doorman Fallacy example hit closest to home) 💬 Comment with your own efficiency optimisation horror stories 🔄 Share this episode with CFOs, procurement specialists, and anyone making security budget decisions 📧 Forward to that one colleague who keeps suggesting cost-cutting without understanding the consequences Connect with us: Website: thesmallbusinesscybersecurityguy.co.uk Blog: Visit thesmallbusinesscybersecurityguy.co.uk for full episode transcripts, implementation guides, and decision-making templates LinkedIn: https://www.linkedin.com/company/the-small-business-cyber-security-guy/ Email: hello@thesmallbusinesscybersecurityguy.co.uk Episode Tags #Cybersecurity #SmallBusiness #SMB #InfoSec #CyberInsurance #MFA #SecurityTraining #ITManagement #BusinessSecurity #RiskManagement #DoormanFallacy #BehavioralEconomics #SecurityROI #UKBusiness #CostBenefit #SecurityCulture #IncidentResponse #VendorManagement #Authentrend #FIDO2 #PasswordlessAuthentication Legal The Small Business Cyber Security Guy Podcast provides educational information and general guidance on cybersecurity topics. Content should not be co

    51 min
See All (45)

Trailer

About

The UK's leading small business cybersecurity podcast, helping SMEs protect against cyber threats without breaking the bank. Join cybersecurity veterans Noel Bradford (CIO at Boutique Security First MSP) and Mauven MacLeod (ex-UK Government Cyber Analyst) as they translate enterprise-level security expertise into practical, affordable solutions for UK small businesses. 🎯 WHAT YOU'LL LEARN: Cyber Essentials certification guidance Protecting against ransomware & phishing attacks GDPR compliance for small businesses Supply chain & third-party security risks Cloud security & remote work protection Budget-friendly cybersecurity tools & strategies 🏆 PERFECT FOR: UK small business owners (5-50 employees) Startup founders & entrepreneurs SME managers responsible for IT security Professional services firms Anyone wanting practical cyber protection advice Every episode delivers actionable cybersecurity advice that you can implement immediately, featuring real UK case studies

Information