The Small Business Cyber Security Guy | Cybersecurity for SMB & Startups

https://feed.podbean.com/thesmallbusinesscybersecurityguy/feed.xml

190.2K

Downloads

Episodes

The UK's leading small business cybersecurity podcast, helping SMEs protect against cyber threats without breaking the bank.

Join cybersecurity veterans Noel Bradford (CIO at Boutique Security First MSP) and Mauven MacLeod (ex-UK Government Cyber Analyst) as they translate enterprise-level security expertise into practical, affordable solutions for UK small businesses.

🎯 WHAT YOU'LL LEARN:

Cyber Essentials certification guidance
Protecting against ransomware & phishing attacks
GDPR compliance for small businesses
Supply chain & third-party security risks
Cloud security & remote work protection
Budget-friendly cybersecurity tools & strategies

🏆 PERFECT FOR:

UK small business owners (5-50 employees)
Startup founders & entrepreneurs
SME managers responsible for IT security
Professional services firms
Anyone wanting practical cyber protection advice

Every episode delivers actionable cybersecurity advice that you can implement immediately, featuring real UK case studies

Episodes

5 hours ago

Facepalm Retrospective: 2025’s Greatest Cyber Fails — From 123456 to the Louvre

5 hours ago

Welcome to the Small Business Cybersecurity Guy Christmas Special with host Noel Bradford and guests Mauven MacLeod and Graham Falkner. This episode is a rapid-fire, often hilarious and sometimes horrifying roundup of the most spectacular cyber security disasters of 2025, told with a no-nonsense focus on what small businesses should learn from them.

We open with the MacHire fiasco: security researchers discovered an admin account on McDonald’s AI hiring chatbot (Paradox.ai/Olivia) protected by the password "123456," exposing up to 64 million applicant records. The researchers reported the flaw; no known mass theft occurred, but the episode underlines vendor risk and the dangers of legacy test accounts and absent MFA.

Next, we cover the Louvre post-heist revelations: a €88m jewel theft followed by reports showing decades-old surveillance systems running Windows 2000/XP, passwords like "Louvre" and systemic neglect. The story is used to illustrate how even world-famous institutions fail at basic cyber hygiene.

We recap the PowerSchool catastrophe, where a 19-year-old college student used compromised credentials to access a support portal and exposed data on some 62 million students and millions of staff. The attack led to ransom demands, payments, further extortion attempts, criminal charges, and a clear lesson — no MFA, huge consequences.

The UK was a hotspot in 2025: Jaguar Land Rover, Marks & Spencer, Co-op, Harrods and others suffered disruptive breaches often rooted in third-party/supply-chain compromises. We also discuss the Foreign, Commonwealth & Development Office breach (detected in October, disclosed in December), suspected China-linked activity, and the difficulties of attribution.

In a rapid-fire segment we cover smaller-but-still-impactful stories: a ransomware gang that abandoned an extortion against nurseries after public outrage; attacks on Asahi, DoorDash and Harvard; widespread exploitation of unpatched SharePoint vulnerabilities; and how simple phishing and credential theft continue to be the root cause of major incidents.

Key takeaways for small businesses are emphasized throughout: enable multi-factor authentication, use strong unique passwords and password managers, patch promptly, run vendor due diligence and risk registers, train staff on phishing/social engineering, maintain incident response plans, and treat supply-chain security as part of your attack surface. The hosts argue the fundamentals work — do the boring basics correctly.

The episode closes with practical advice, links to the revamped blog and Noel’s "No BS Cyber for SMBs" newsletter on LinkedIn, and a festive-but-sober call to change weak passwords (definitely not to "123456") and enable MFA before the new year.

#Cybersecurity #Ransomware #DataBreaches #PasswordSecurity #SupplyChainSecurity #SmallBusiness #UKCyber #InfoSec #Christmas2025 #PowerSchool #McDonalds #JaguarLandRover #ForeignOffice

Monday Dec 15, 2025

Boards, Breaches and Accountability: Why Small Firms Need Risk Registers Now

Monday Dec 15, 2025

Do UK small businesses need cyber risk registers? Graham said no. After this 40-minute debate with Noel Bradford, he changed his mind completely.

This Small Business Cyber Security Guy podcast episode tackles cyber risk management for UK SMEs through a heated debate about whether small business boards need formal cyber risk registers.

UK cyber security statistics that changed Graham's mind:

43% of UK small businesses experienced cyber breaches last year (DSIT 2025)
73% have no board-level cyber security responsibility
28% of SMEs say one cyber attack could close them permanently (Vodafone 2025)
Average UK small business breach costs £3,398

Real-world cyber risk register failures: UK manufacturing company with "satisfactory" security controls destroyed by ransomware. Had antivirus, firewalls, backups. No documented cyber risk assessment. No board-level governance. Business nearly closed.

Companies Act director duties most UK boards ignore: Section 174 requires directors exercise "reasonable care, skill and diligence" in managing company risks. With 43% breach rates, cyber risk is material. Failure to document cyber risk management exposes directors to personal liability.

Practical cyber risk register implementation:

✓ Minimum viable cyber risk register template (8 columns, single spreadsheet)

✓ Board-level cyber security governance framework

✓ Quick remediation: enable MFA, test backup restoration, implement payment verification

✓ NCSC Board Toolkit guidance for UK SMEs

✓ Cyber insurance risk assessment requirements

Perfect for UK small business owners, SME directors, startup founders, business managers responsible for cyber security compliance, GDPR, and corporate governance.

Listen to this cyber security governance debate and learn why risk registers aren't bureaucracy - they're legal protection for directors and businesses.

Wednesday Dec 10, 2025

Urgent: Patch CVE-2025-62221 — December Patch Tuesday Breakdown

Wednesday Dec 10, 2025

Show notes

December 2025 just shipped the last Microsoft security fixes of the year. Fifty seven vulnerabilities, three zero days, and one actively exploited Windows privilege escalation that hits almost every supported build. Are you patched before the Christmas break, or are you leaving a present for attackers in January?

In this episode, Graham walks through the December Patch Tuesday release for 2025, with a focus on what actually matters for small and medium businesses. You will hear how CVE 2025 62221 in the Windows Cloud Files driver turns a low level account into full system compromise, why Office Preview Pane is once again a risk, and how AI powered tools like GitHub Copilot for JetBrains and PowerShell changes introduce new attack paths. Does your team know about any of that?

You also get a fast tour of Adobe and other vendor updates, including ColdFusion, Android, Ivanti, Fortinet, React server components and SAP. Graham then zooms out to review the full year, with more than one thousand one hundred Microsoft vulnerabilities in 2025 and privilege escalation bugs leading the pack. Finally, he explains why the five week gap before the next Patch Tuesday on thirteen January 2026 makes December patching non negotiable.

By the end of the episode you will know:

Which patches you must treat as emergency work, especially CVE 2025 62221
How Office, Copilot and PowerShell changes affect day to day risk
Why Windows 10 without Extended Security Updates is now a business liability
What to ask your IT team or provider before everyone disappears for the holidays

Are you confident your estate will survive the festive period, or do you need to push patching to the top of the list?

Monday Dec 08, 2025

The Printer Is Watching: How Your Office Gear Is the Biggest Cyber Threat

Monday Dec 08, 2025

For our 30th episode, we're tackling the cybersecurity blind spot that almost no one discusses but everyone should worry about. You've secured your laptops. You've rolled out multi-factor authentication. Your firewall is properly configured. But what about that office printer quietly storing every contract and payslip you've printed this year on a hard drive nobody ever wipes, with a password an attacker can guess in three tries?

This episode reveals the uncomfortable truth about Internet of Things (IoT) devices in your business. We're talking about printers, CCTV systems, smart thermostats, networked door locks, and every other "smart" device you've stopped thinking about as a computer. These forgotten devices are giving attackers a free pass into networks that are otherwise properly secured.

We share a real case study from our recent emails about a marketing agency that spent £15,000 on security, passed their audit with flying colours, and still got breached through their office printer. This isn't theoretical paranoia. This is happening right now to businesses that think they've got security sorted.

What You'll Learn

Why your office printer is possibly the biggest security risk in your building
How default passwords on "forgotten" devices create easy access points for attackers
The real story of a £15,000 security investment defeated by a £300 printer
What network segmentation actually means and why it matters for small businesses
How to create and maintain an accurate device inventory
Practical steps to secure IoT devices without enterprise budgets
Why your CCTV system might be livestreaming to the internet right now
How smart thermostats become backdoors into your network

Key Topics Covered

The Forgotten Device Problem

Modern offices are full of computers disguised as other things. Every printer, every CCTV camera, every smart thermostat, and every networked door lock is actually a computer connected to your network. Most businesses secure their obvious computers whilst completely forgetting about these devices, creating perfect entry points for attackers who aren't bothering with sophisticated social engineering when they can just log in with "admin/admin".

Real Case Study: The £15,000 Security Investment Defeated by a Printer

A 30-person marketing agency listened to our ransomware and authentication episodes, then invested £15,000 in proper security: new firewalls, endpoint protection, hardware authentication keys for every staff member, and a security audit that came back clean. Two months later, they discovered someone had been accessing their client files for weeks through their HP printer that still used factory default credentials. The printer had full network access and stored copies of everything printed. Nobody had changed the password. Nobody had checked it during the audit. Nobody even thought about it.

Default Credentials: The Epidemic Nobody Discusses

Attackers maintain databases of default passwords for thousands of devices. They don't need to crack complex passwords when they can try "admin/admin" or "admin/password" and gain access to printers, cameras, or thermostats within seconds. These devices often ship with administrative interfaces accessible from the network, and most businesses never change the defaults because they don't think of these devices as security concerns.

Network Segmentation Explained (Without Enterprise Complexity)

Network segmentation sounds enterprise-level complicated, but the basic concept is simple: not everything on your network should be able to access everything else. Your printer doesn't need access to your accounting server. Your CCTV system doesn't need to reach your customer database. Creating separate network zones for different device types means a compromised printer can't become a stepping stone to your sensitive data.

The Device Inventory Challenge

Most small businesses have no accurate list of what's actually connected to their network. They know about the laptops and servers but often forget about the smart coffee machine someone plugged in last year, the wireless access points in the meeting rooms, or the networked thermostat the facilities team installed. Without knowing what's connected, you can't secure it. We discuss practical methods for discovering and documenting every device on your network.

Practical IoT Security Steps

We break down actionable steps that don't require enterprise budgets or dedicated security teams. This includes conducting device audits, changing default passwords, implementing basic network segmentation, regular firmware updates, and creating ownership responsibility for every connected device. The goal is proportionate security that's actually achievable for small businesses.

Key Takeaways

Every connected device is a computer. If it has an IP address, it's a potential security risk that needs management and protection.
Default passwords are attackers' best friends. The first thing to do with any new device is change the administrative password. Never assume factory defaults are acceptable.
Network segmentation isn't optional anymore. IoT devices should be isolated from your main business network, even if that means starting with basic VLAN separation.
Device inventory is fundamental. You can't secure what you don't know exists. Conduct regular network scans to discover forgotten devices.
Ownership matters. Every device needs someone responsible for its security. Don't let devices become "nobody's problem" because that's when they become everyone's problem.
Security audits miss IoT devices. Standard security assessments often focus on servers and workstations whilst completely overlooking printers, cameras, and other IoT equipment.
Firmware updates apply to everything. IoT devices need security patches just like computers. Many businesses forget this entirely.
Your £15,000 security investment can be defeated by a £300 printer. Security is only as strong as your weakest link, and IoT devices are often the weakest links because they're forgotten.

Resources & References

Mentioned in This Episode

Previous Episodes Referenced:
- Episode 17: Social Engineering - The Human Firewall Under Siege
- Ransomware episodes (multiple)
- Authentication episodes featuring Mark Bell
- Cyber Essentials episodes
- Electoral Commission accountability episode
Hardware Authentication: AuthenTrend hardware keys (mentioned as sponsor)
Case Studies: Marketing agency breach via printer (anonymized client)

Practical Action Steps

This Week:

Find your printer's admin interface. Log in. If you can't remember the password, that's probably because it's still set to "admin". Change it. Now.
List five connected devices that aren't computers or phones. These are your starting inventory.
Check one device's firmware. Is it up to date? When was it last updated? Who's responsible for keeping it current?

This Month:

Complete device inventory. Use network scanning tools to discover everything connected to your network. Document it all.
Change all default passwords. Every printer, camera, thermostat, and access point needs unique, strong credentials.
Assess your network segmentation. Can your printer access your file server? It shouldn't. Start planning basic network separation.
Assign device ownership. Every device needs someone responsible for its security, updates, and maintenance.

This Quarter:

Implement basic network segmentation. Even simple VLAN separation is better than everything on one network.
Create update schedules. IoT devices need regular firmware updates just like computers.
Review and test. Verify your device inventory is accurate. Check that passwords actually changed. Confirm segmentation works.

Who Should Listen to This Episode?

This episode is particularly relevant for:

Small business owners who've invested in cybersecurity but may have overlooked IoT devices
IT managers and solo IT staff responsible for securing business networks with limited resources
Office managers who purchase and install connected devices without considering security implications
Business owners who think they've "done security" but haven't considered printers, cameras, and similar devices
Anyone who's ever said "it's just a printer" when security concerns were raised

Why This Episode Matters

We've covered passwords, multi-factor authentication, ransomware, supply chain attacks, shadow IT, and social engineering across 30 episodes. We've discussed major breaches at household names and examined what it takes to protect heads of state. But we've deliberately avoided IoT security until now because we knew it would make people uncomfortable, possibly angry, and definitely worried.

The uncomfortable truth is that whilst you've been securing laptops and servers, your office printer has had full network access, stores every document you print, and still uses the password it shipped with. The CCTV system protecting your premises might be livestreaming to the internet because nobody changed the default settings. The smart thermostat saving you money on heating is potentially giving attackers a way into your network.

This isn't theoretical paranoia. We're seeing breaches through IoT devices happen to businesses that have otherwise invested properly in cybersecurity. The marketing agency case study we discuss spent £15,000 on security and still got breached through a printer nobody thought to check during the security audit.

IoT security is the blind spot in small business cybersecurity. This episode gives you the knowledge and practical steps to finally address it without enterprise budgets or dedicated security teams.

Celebrating 30 Episodes

This milestone episode also marks an important achievement for the podcast. Since launching in June 2025, we've:

Reached Top 12 in Apple Podcasts Management category worldwide
Peaked at 3,500 daily downloads
Built an audience that's 47% US, 37% UK despite being a UK-focused show
Made cybersecurity almost entertaining whilst maintaining technical accuracy
Helped businesses actually implement security improvements, not just understand threats

We're genuinely grateful to everyone who's been listening, sharing, and most importantly, doing the work. The chart positions and download numbers are nice, but what matters more is when someone emails to say they've finally sorted Cyber Essentials or retired Dave from IT as a single point of failure.

Coming Up

Episode 31 (Next Week): Regular episode format continues with another crucial small business cybersecurity topic

Episode 32 (22nd December): Christmas Special - a festive take on cybersecurity for small businesses

Connect With Us

Need Help?

If you need direct assistance with IoT device security, Cyber Essentials, network segmentation, or any topic we've covered, contact us at: hello@thesmallbusinesscybersecurityguy.co.uk

Website & Resources

Visit thesmallbusinesscybersecurityguy.co.uk for:

Detailed guides on everything we've discussed
Step-by-step walkthroughs for printer security, camera configuration, and network segmentation
Device inventory templates and checklists
All episode show notes and transcripts

Subscribe & Follow

Apple Podcasts: Currently Top 12 in Management category worldwide
Spotify: New episodes every week
All major podcast platforms: Search for "The Small Business Cyber Security Guy"

Share This Episode

Know someone who's ever said "it's just a printer"? They need this episode in their life. Share it with:

Business owners who think they've got security sorted
IT managers dealing with limited budgets and forgotten devices
Office managers who purchase connected devices
Anyone responsible for small business network security

Support the Show

If you've had real value from this podcast:

Leave a review on Apple Podcasts or Spotify - tell us what you've actually changed in your business
Share episodes with other business owners who need to hear this
Tell us what's landing - your feedback helps us create more useful content
Subscribe so you don't miss episodes

About the Hosts

Noel Bradford

With over 40 years in IT and cybersecurity across enterprises including Intel, Disney, and BBC, Noel now serves as CIO/Head of Technology for a boutique security-first MSP. He brings enterprise-level expertise to small business constraints, translating million-pound solutions into hundred-pound budgets. His mission is making cybersecurity practical and achievable for resource-constrained small businesses.

Mauven MacLeod

Former government cyber analyst, Mauven, brings systematic threat analysis and government-level security thinking to commercial reality. With her Glasgow roots and ex-government background, she translates complex security concepts into practical advice for small businesses, asking the questions business owners actually need answered.

Graham Falkner

Regular contributor and co-host for special episodes, Graham adds additional perspective and helps make complex cybersecurity topics accessible to small business audiences. His role includes managing the legal disclaimers and ensuring content remains grounded in practical business reality.

Legal Disclaimer

Everything discussed in this episode is for general guidance and educational purposes. It's meant to point you in the right direction but absolutely shouldn't be treated as professional advice tailored specifically to your business. Your situation is unique. What worked brilliantly for one business might be completely inappropriate for another.

We do our very best to keep everything accurate and current, but the cybersecurity world moves faster than a caffeinated squirrel. Things can change between when we record and when you're listening, so always double-check critical technical details with qualified professionals before making major changes to your systems.

If we've mentioned any websites, products, or services, we're giving you information, not necessarily endorsing them. We can't be responsible for what happens on their end or if things go sideways when you use them.

If you're dealing with serious cybersecurity incidents, actual data breaches, or complex compliance issues, please talk to proper professionals rather than just relying on podcast advice. We're here to educate and help you understand the landscape, not to replace your security consultant, solicitor, or IT team.

Think of us as your knowledgeable mates down the pub who work in cybersecurity, not your official contracted consultants. We care about your business, but we're not your insurance policy.

Stay safe out there, keep learning, and remember: when in doubt, get a second opinion from someone who can see your specific situation.

Episode 30 | December 2025 | The Small Business Cyber Security Guy Podcast

Monday Nov 24, 2025

Prison for Negligent Directors? Rebooting UK Cyber Enforcement

Monday Nov 24, 2025

In this provocative second instalment of the accountability series, hosts Noel Bradford and Mauven MacLeod lay out a detailed proposal for a UK cybersecurity enforcement regime that balances protection for small businesses with personal liability for negligent directors. They compare the current weak regulatory approach to the Health and Safety Executive model, cite international evidence from Singapore, and explore why criminal consequences — up to fines, disqualification and, in extreme cases, prison — might be necessary to change boardroom behaviour.

The episode explains a three-tier framework: Tier 1 (micro and small businesses) protected by Cyber Essentials and criminal liability only for gross negligence; Tier 2 (25–250 employees) required to follow industry-reasonable practice with qualified oversight and documented policies; and Tier 3 (large organisations and public sector) held to the highest standards (ISO/SOC) with lower thresholds for prosecution. The hosts walk through concrete, measurable standards, outcome-based testing, and safe-harbour defences for businesses that engage accredited advisors.

Key technical and organisational measures discussed include Cyber Essentials, MFA, patching and backups, incident response plans, staff training, qualified security oversight (fractional CISOs or accredited MSPs), and government-approved lists of assessors. The episode stresses practical testing — inspectors verifying controls actually work — to prevent compliance theatre and ensure certificates match reality.

Noel and Mauven outline a phased five-year implementation pathway: publication and guidance, data collection and mandatory reporting, staged enforcement beginning with large organisations, then medium businesses, and finally full enforcement — all accompanied by funded support programs, subsidies, and free advisory services to help firms comply.

Costs, benefits and market effects are examined: basic Tier 1 protections are framed as affordable (Cyber Essentials, free MFA), while stronger governance yields lower insurance premiums, preferential procurement, and overall reduced breach costs. The hosts discuss the need to upskill the ICO into a technically capable enforcement agency, political and industry pushback, and international alignment with EU, Singapore and Australia precedents.

The episode closes with a call to action for listeners: implement the basics now (Cyber Essentials, MFA, updates), pressure MPs and industry bodies for proportionate enforcement, and spread the conversation. Expect debates about proportionality, false positives, and safeguarding SMEs, but the central case is clear: a calibrated, evidence-based accountability regime could dramatically reduce breaches and force cybersecurity into the boardroom.

Monday Nov 17, 2025

When Ransomware Kills: Should Directors Face Prison for Cyber Negligence?

Monday Nov 17, 2025

What happens when business negligence causes serious harm to thousands of people? If a faulty ladder injures someone, directors face prison time. If forty million people have their data stolen due to poor security, they receive a strongly worded letter.

In this provocative first episode of our two-part series, Noel and Mauven examine the shocking disparity between health and safety enforcement and cybersecurity regulation in the UK. We compare the HSE's tough approach (prison sentences, director liability, millions in fines) with the ICO's gentle touch (guidance, occasional fines, zero criminal consequences).

With 40 million voter records compromised at the Electoral Commission resulting in just a formal reprimand, whilst construction directors regularly face 18-month prison sentences for single workplace accidents, we ask the uncomfortable question: why is cybersecurity enforcement essentially performative?

This isn't anti-business rhetoric. This is an evidence-based examination of a broken system that fails to protect either businesses or the public, presented through statistics, case studies, and historical precedent, which demonstrates that personal accountability is effective.

What You'll Learn

The Two Regulators: A Tale of Vastly Different Consequences

Why HSE directors face up to 2 years imprisonment, whilst the ICO never imposes criminal penalties
How HSE issued 13,424 enforcement notices and 399 prosecutions in 2023-24
Why the ICO issued just £2.7 million in total UK fines, whilst EU regulators issued over £1 billion
The legal frameworks that create this enforcement gap

The Public-Private Accountability Divide

Electoral Commission breach: 40 million records compromised, 14 months of hostile state access, consequence: formal reprimand
Construction site failures: single injuries lead to prison sentences and director disqualifications
Why do government organisations face minimal consequences for security failures
The message this sends about who matters and who doesn't

Historical Context: How HSE Transformed Workplace Safety

85% reduction in workplace fatalities since the Health and Safety at Work Act 1974
How personal criminal liability changed director behaviour overnight
The construction industry transformation from dangerous to safety-conscious
Evidence that accountability actually works when properly enforced

Arguments Against Director Liability (And Why They Fail)

"Security is too complex for criminal standards" - why doesn't this hold up
"Small businesses can't afford proper security" - HSE already handles proportionate enforcement
"Innovation will suffer" - data showing the opposite effect in the safety sector
"Current system works fine" - statistics proving it demonstrably doesn't

The Current State of Inertia

Why ICO enforcement focuses on "guidance and support" over punishment
Political pressure keeps cybersecurity consequences minimal
Business lobby resistance to accountability measures
The broken incentive structure that rewards negligence

Key Statistics Referenced

HSE Enforcement 2023-24:
- 13,424 enforcement notices issued
- 399 prosecutions brought
- £73.8 million in fines
- Regular prison sentences (average 12-18 months for serious breaches)
ICO Enforcement 2023-24:
- £2.7 million total fines across all UK GDPR violations
- Zero prison sentences imposed
- Zero director disqualifications
- Focus on "guidance and support" over punishment
Electoral Commission Breach:
- 40 million UK voter records compromised
- The hostile state actor maintained access for 14 months
- Basic security failures: poor patching, weak passwords, inadequate monitoring
- Consequence: Formal reprimand only
Impact Statistics:
- 85% reduction in workplace fatalities since the Health and Safety at Work Act 1974
- EU regulators issued over £1 billion in GDPR fines (vs the UK's £2.7 million)
- Keymark Construction director: 18 months' prison for fatal fall (2023)

Notable Cases Discussed

Health and Safety Enforcement

Keymark Construction (2023): Director sentenced to 18 months imprisonment following fatal fall due to inadequate safety measures
Corporate Manslaughter Act 2007: Multiple organisations convicted when management failures caused death

Cybersecurity Non-Enforcement

Electoral Commission (2023-24): 40 million voter records compromised by hostile state actor, 14 months of system access, consequence was formal reprimand with no financial penalty or personal liability
British Airways GDPR Fine: Initially £183 million, reduced to £20 million, no director consequences despite preventable security failures

Why This Matters for Small Businesses

This isn't about attacking business owners. It's about exposing a system that fails everyone:

Honest businesses suffer when competitors cut security corners without consequences
Directors lack incentive to invest in security when breaches only result in fines the company pays
Small businesses become collateral damage when larger organisations treat security as optional
The current approach demonstrably doesn't work - breaches increase year on year despite ICO "guidance"

Understanding this enforcement gap helps you see why cybersecurity culture hasn't undergone the same transformation as workplace safety culture. Part 2 will explore what accountability with teeth would actually look like, and how to protect SMEs whilst implementing it.

Resources Mentioned

HSE Annual Report 2023-24: Full enforcement statistics and prosecution details
ICO Enforcement Data: Annual reports showing UK GDPR fine totals
Health and Safety at Work Act 1974: Foundation legislation that transformed UK workplace safety
Corporate Manslaughter and Corporate Homicide Act 2007: Criminal liability framework for organisations
Electoral Commission Breach Report: Technical details of 14-month compromise
EU GDPR Enforcement Tracker: Comparison of UK vs European enforcement approaches

Hosts

Noel Bradford 40+ years in IT/Cybersecurity across enterprise and SMB sectors. Former Intel, Disney, BBC. Current CIO/Head of Technology for boutique security-first MSP. Brings enterprise-level knowledge to small business constraints.

Mauven MacLeod Ex-NCSC Government Cybersecurity Analyst with deep threat intelligence expertise. Glasgow-based security professional who translates complex government-level security concepts into practical SMB advice.

Coming in Part 2

"What If Cyber Had Corporate Manslaughter? The Case for Personal Liability"

We'll explore:

Specific legislative framework for "Corporate Cyber Manslaughter"
SME protection mechanisms (proportionate thresholds)
How other countries successfully implement director liability
Expected cultural transformations
Practical compliance guidance
What "reasonable care" actually means for small businesses

Take Action

Share Your Thoughts: Should directors face criminal liability for gross cybersecurity negligence? Comment on our website or social media.
Prepare for Part 2: Start thinking about what security measures you currently have in place. Could you demonstrate "reasonable care" if asked?
Review Your Security: Whilst we wait for better enforcement, don't wait to improve your security. Free resources available from NCSC.
Subscribe: Make sure you don't miss Part 2, where we build the case for what enforcement with teeth would actually look like.
Forward This Episode: Every business owner needs to understand why the current system fails them.

Episode Details

Runtime: 42 minutes

Release Date: November 17th 2025

Series: Part 1 of 2

Category: Cybersecurity, Business, Technology, Policy

Content Warning: Discussion of regulatory failures, system criticism, and calls for significant policy change. Evidence-based but provocative examination of current enforcement approaches.

Connect With Us

Website: thesmallbusinesscybersecurityguy.co.uk

LinkedIn: [The Small Business Cyber Security Guy]

Email: hello@thesmallbusinesscybersecurityguy.co.uk

Transcript

Full episode transcript available on our website at thesmallbusinesscybersecurityguy.co.uk

Support the Show

If this episode opened your eyes to the enforcement gap, please:

Leave a 5-star review on Apple Podcasts
Share with business owners in your network
Follow us on LinkedIn for ongoing discussion
Subscribe to ensure you catch Part 2

Next Episode: Part 2 - What If Cyber Had Corporate Manslaughter?

All Episodes: thesmallbusinesscybersecurityguy.co.uk/podcasts

The Small Business Cybersecurity Guy Podcast offers practical, actionable cybersecurity advice for UK small businesses. We translate enterprise-grade security into affordable, implementable solutions for businesses with 5-50 employees.

Disclaimer: This podcast provides general information and discussion about cybersecurity and business topics. This is not intended as legal, regulatory, or professional advice. Listeners should consult qualified professionals for personalised guidance tailored to their specific circumstances.

Tuesday Nov 11, 2025

November Patch Tuesday Storm: Zero‑Days, Exchange Exploits & WSUS Emergency

Tuesday Nov 11, 2025

Graham Falkner delivers an authoritative deep dive into November 2025's Patch Tuesday updates, covering the most critical security vulnerabilities affecting businesses of all sizes. This month brings a perfect storm of actively exploited zero-days, critical Exchange Server flaws, and hundreds of patches across Microsoft, Adobe, Oracle, SAP, and third-party vendors. From Windows kernel exploits to e-commerce platform takeovers, November's vulnerability landscape demands immediate attention from IT teams.

Key Topics Covered

Microsoft Security Updates

89 total vulnerabilities patched (12 critical, 4 zero-days)
CVE-2025-0445: Windows Kernel privilege escalation (actively exploited)
CVE-2025-0334: Chrome V8/Edge JavaScript engine RCE (actively exploited)
CVE-2025-0078: Exchange Server unauthenticated RCE (CRITICAL - affects Exchange 2016/2019/2022)
CVE-2025-1789: MSHTML remote code execution via Office documents
CVE-2025-59287: WSUS vulnerability (9.8 CVSS, actively exploited, required re-release)
23 remote code execution vulnerabilities across Windows, Office, and developer tools

Adobe Security Updates

35+ vulnerabilities patched across multiple products
CVE-2025-54236: Adobe Commerce/Magento input validation flaw (9.1 CVSS, actively exploited, Priority 1)
CVE-2025-49553: Adobe Connect XSS vulnerability (9.3 CVSS)
Patches for Illustrator, FrameMaker, Photoshop, InDesign, Animate, Bridge, Substance 3D

Oracle Critical Patch Update (October 2025)

374 new security patches addressing ~260 unique CVEs
CVE-2025-61882: Oracle E-Business Suite zero-day (exploited by ransomware groups)
73 patches for Oracle Communications (47 remotely exploitable without authentication)
20 patches for Fusion Middleware (17 remote unauthenticated)
18 fixes for MySQL
Updates for PeopleSoft, JD Edwards, Siebel, Oracle Commerce, Database Server

SAP Security Updates

18 new security notes plus 1 updated note
CVE-2025-42890: SQL Anywhere Monitor hardcoded credentials (10.0 CVSS - PERFECT SCORE)
CVE-2025-42887: SAP Solution Manager code injection (9.9 CVSS)
CVE-2025-42944: NetWeaver Java insecure deserialisation (updated patch)
CVE-2025-42940: CommonCryptoLib memory corruption

Mozilla Firefox Updates

Firefox 145.0 released November 11th
15 security vulnerabilities fixed (8 high impact)
New anti-fingerprinting measures halving trackable users
Memory safety and sandbox escape prevention

Apple Security Updates

iOS/iPadOS 17.1 and macOS 14.1 released
100+ vulnerabilities patched across iPhones, iPads, Macs
Critical kernel and WebKit bugs fixed
Zero-click exploit prevention

Google Security Updates

Chrome 142 with 5 security bug fixes
Android November 2025 bulletin (patch level 2025-11-01)
CVE-2025-48593 and CVE-2025-48581 affecting Android 13-16

Third-Party Critical Vulnerabilities

WordPress Post SMTP plugin: CVE-2025-11833 (9.8 CVSS, actively exploited, 200,000+ sites affected)
WatchGuard Firebox: CVE-2025-9242 (critical out-of-bounds write, 75,000 devices exposed)
Cisco IOS/XE routers: CVE-2025-20352 (SNMP service, actively exploited for rootkit deployment)

Critical Action Items for Businesses

IMMEDIATE (Deploy Within 24-48 Hours)

Microsoft Exchange Server - Apply CVE-2025-0078 patch or isolate internet-facing servers
Adobe Commerce/Magento - Deploy CVE-2025-54236 hotfix immediately if running Magento
Windows Kernel - Patch CVE-2025-0445 zero-day exploit
Edge/Chrome - Update browsers to address CVE-2025-0334
Oracle E-Business Suite - Verify CVE-2025-61882 patch deployed
WordPress Post SMTP - Update to v3.6.1 or remove plugin
Cisco routers - Apply CVE-2025-20352 patches and check for compromise

HIGH PRIORITY (Deploy Within 1 Week)

SAP systems - Apply critical patches for CVE-2025-42890 and CVE-2025-42887
WSUS servers - Verify CVE-2025-59287 patch installed correctly
Adobe Connect - Update to version 12.10
Firefox, Chrome, Edge - Deploy browser updates organisation-wide
Android devices - Deploy November 2025 security bulletin
WatchGuard Firebox - Apply CVE-2025-9242 patch

STANDARD PRIORITY (Deploy Within 2-4 Weeks)

All other Microsoft patches - Complete Windows and Office updates
Adobe Creative Suite - Update Illustrator, Photoshop, InDesign, etc.
Oracle - Complete October CPU deployment across all Oracle products
SAP - Apply remaining security notes across SAP landscape

CVE Quick Reference

CVE ID	Vendor	Severity	Status	Product
CVE-2025-0445	Microsoft	Critical	Actively Exploited	Windows Kernel
CVE-2025-0334	Microsoft	Critical	Actively Exploited	Edge/Chrome V8
CVE-2025-0078	Microsoft	Critical	Not Exploited Yet	Exchange Server
CVE-2025-1789	Microsoft	Critical	Not Exploited Yet	MSHTML
CVE-2025-59287	Microsoft	Critical (9.8)	Actively Exploited	WSUS
CVE-2025-54236	Adobe	Critical (9.1)	Actively Exploited	Magento/Commerce
CVE-2025-49553	Adobe	Critical (9.3)	Not Exploited Yet	Adobe Connect
CVE-2025-61882	Oracle	Critical	Actively Exploited	E-Business Suite
CVE-2025-42890	SAP	Critical (10.0)	Not Exploited Yet	SQL Anywhere Monitor
CVE-2025-42887	SAP	Critical (9.9)	Not Exploited Yet	Solution Manager
CVE-2025-11833	WordPress	Critical (9.8)	Actively Exploited	Post SMTP Plugin
CVE-2025-20352	Cisco	High	Actively Exploited	IOS/XE SNMP
CVE-2025-9242	WatchGuard	Critical	Not Exploited Yet	Firebox Firewalls

Resources & Links

Vendor Security Bulletins

Microsoft Security Update Guide: https://msrc.microsoft.com/update-guide
Adobe Security Bulletins: https://helpx.adobe.com/security.html
Oracle Critical Patch Updates: https://www.oracle.com/security-alerts/
SAP Security Notes: https://support.sap.com/securitynotes
Mozilla Security Advisories: https://www.mozilla.org/security/advisories/
CISA Known Exploited Vulnerabilities: https://www.cisa.gov/known-exploited-vulnerabilities-catalog

Patch Tuesday Resources

Microsoft Tech Community: https://techcommunity.microsoft.com/
Patch Tuesday Dashboard: https://patchtuesdaydashboard.com/
Security Week Patch Tuesday Coverage: https://www.securityweek.com/

Small Business Cybersecurity Resources

Blog: https://thesmallbusinesscybersecurityguy.co.uk
NCSC Small Business Guide: https://www.ncsc.gov.uk/smallbusiness
Cyber Essentials: https://www.ncsc.gov.uk/cyberessentials

Key Statistics

89 Microsoft vulnerabilities patched
4 actively exploited zero-days (Microsoft)
23 remote code execution flaws (Microsoft)
35+ Adobe vulnerabilities fixed
374 Oracle security patches
18 SAP security notes
200,000+ WordPress sites affected by Post SMTP bug
75,000 WatchGuard devices exposed online

Narrator

Graham Falkner brings his distinctive voice to The Small Business Cyber Security Guy Podcast's research segments. With a background as a former movie trailer narrator and Shakespearean actor, Graham delivers technical security information with gravitas and authority, providing the factual foundation for Noel and Mauven's practical discussions.

About The Small Business Cyber Security Guy Podcast

The Small Business Cyber Security Guy Podcast translates enterprise-grade cybersecurity into practical, affordable solutions for small and medium businesses. Hosted by Noel Bradford (40+ years IT/cybersecurity veteran) and Mauven MacLeod (ex-NCSC government analyst), the show combines deep technical expertise with authentic British humour to make cybersecurity accessible, actionable, and entertaining.

Target Audience: UK small businesses (5-50 employees) who need practical cybersecurity advice within real-world budget and resource constraints.

Connect With Us

Website: https://thesmallbusinesscybersecurityguy.co.uk
Subscribe: Available on Apple Podcasts, Spotify, and all major podcast platforms
Social Media: Follow us on LinkedIn for daily cybersecurity insights
Contact: hello@thesmallbusinesscybersecurityguy.co.uk

Help us spread the word about practical cybersecurity for small businesses:

⭐ Subscribe to never miss an episode
⭐ Leave a review on Apple Podcasts or Spotify
⭐ Share this episode with other business owners who need to hear this
⭐ Comment below with topics you'd like us to cover next
⭐ Visit the blog at thesmallbusinesscybersecurityguy.co.uk for written guides and resources

Disclaimer

This podcast provides educational information about cybersecurity topics. While we strive for accuracy, the threat landscape changes rapidly. Information is current as of November 2025 but may become outdated. Always verify patch information with official vendor sources and test updates in your specific environment before deployment. The hosts are not liable for any actions taken based on this information. Always implement cybersecurity measures appropriate to your business needs and risk profile.

Next Episode

Stay tuned for our next episode where Noel and Mauven discuss practical patch management strategies for small businesses, including how to prioritise updates when you can't deploy everything immediately.

Episode Length: 10-11 minutes
Difficulty Level: Intermediate to Advanced
Best For: IT managers, business owners, MSP clients, anyone responsible for patching

The Small Business Cyber Security Guy Podcast - Making Enterprise Cybersecurity Practical for Small Businesses

Episodes

What You'll Learn

Key Topics Covered

The Forgotten Device Problem

Real Case Study: The £15,000 Security Investment Defeated by a Printer

Default Credentials: The Epidemic Nobody Discusses

Network Segmentation Explained (Without Enterprise Complexity)

The Device Inventory Challenge

Practical IoT Security Steps

Key Takeaways

Resources & References

Mentioned in This Episode

Recommended Reading & Tools

Practical Action Steps

This Week:

This Month:

This Quarter:

Who Should Listen to This Episode?

Why This Episode Matters

Celebrating 30 Episodes

Coming Up

Connect With Us

Need Help?

Website & Resources

Subscribe & Follow

Share This Episode

Support the Show

About the Hosts

Noel Bradford

Mauven MacLeod

Graham Falkner

Legal Disclaimer

Why This Episode Matters

Key Takeaways

Detailed Show Notes

Introduction (00:00 - 01:24)

What Is Reverse Benchmarking? (01:24 - 03:46)

The Compliance Trap (03:46 - 06:15)

Case Study 1: The Target Breach (06:15 - 09:42)

Case Study 2: Colonial Pipeline (09:42 - 12:28)

Case Study 3: UK Holiday Park Ransomware (12:28 - 15:15)

Why Reverse Benchmarking Works Better (15:15 - 17:45)

Building Your Disaster Library (17:45 - 19:29)

Creating a No-Blame Culture (19:29 - 20:45)

Summary and Call to Action (20:45 - 21:37)

Resources Mentioned

Statistics and Studies

Case Studies Referenced

UK Regulatory and Advisory Bodies

Recommended Reading

Practical Checklist: Start Your Reverse Benchmarking Practice

Questions for Your Team

Next Episode Preview

Share Your Story

Connect With The Show

Legal Disclaimer

Episode Tags

What You'll Learn

The Two Regulators: A Tale of Vastly Different Consequences

The Public-Private Accountability Divide

Historical Context: How HSE Transformed Workplace Safety

Arguments Against Director Liability (And Why They Fail)

The Current State of Inertia

Key Statistics Referenced

Notable Cases Discussed

Health and Safety Enforcement

Cybersecurity Non-Enforcement

Why This Matters for Small Businesses

Resources Mentioned

Hosts

Coming in Part 2

Take Action

Episode Details

Connect With Us

Tags

Transcript

Support the Show

Key Topics Covered

Microsoft Security Updates

Adobe Security Updates