

216.1K Downloads | 101 Episodes
The UK's leading small business cybersecurity podcast, helping SMEs protect against cyber threats without breaking the bank.
Join cybersecurity veterans Noel Bradford (CIO at Boutique Security First MSP) and Mauven MacLeod (ex-UK Government Cyber Analyst) as they translate enterprise-level security expertise into practical, affordable solutions for UK small businesses.
WHAT YOU'LL LEARN:
- Cyber Essentials certification guidance
- Protecting against ransomware & phishing attacks
- GDPR compliance for small businesses
- Supply chain & third-party security risks
- Cloud security & remote work protection
- Budget-friendly cybersecurity tools & strategies
PERFECT FOR:
- UK small business owners (5-50 employees)
- Startup founders & entrepreneurs
- SME managers responsible for IT security
- Professional services firms
- Anyone wanting practical cyber protection advice
Every episode delivers actionable cybersecurity advice that you can implement immediately, featuring real UK case studies.
Episodes

4 days ago
They didn't break in. They didn't plant malware. They opened tabs, clicked links and joined the dots. In this episode we follow the quiet, methodical work of an attacker who builds a usable portrait of a UK small business director from nothing more than public records and a search box. It begins like a detective story and ends like a cautionary tale: Companies House entries, electoral data, LinkedIn posts, DNS records and job adverts become the clues that make fraud feel personal, because it is.
Through the voices of Noel Bradford and Corrine Jefferson, the episode walks you through the attacker's timeline: the first flick through Companies House to find directors and filing rhythms, the enrichment of that picture with open-register addresses and marketing data, the human-mapping on LinkedIn, and the technical fingerprint left in DNS, MX and certificate logs. Each step is ordinary, lawful and, crucially, assembled without a single hack.
We make it concrete. In twenty minutes an attacker can produce a director profile, infer email providers, spot hiring signals that leak technology stacks, and identify behavioural seams to exploit. The lure is tailored; the language is familiar; the victim feels the email is meant for them. Social engineering stops being magic and becomes efficient administration with malicious intent: a repeatable, industrialised craft that preys on transparency.
But this episode isn't just alarmism. It frames the tension between public accountability and personal risk, showing why transparency designed for credit checks and journalism also creates a joined profile attackers love. We tell the story of how digital glitter, once data leaves its source, glints everywhere, and why suppression or removal is never instant or total.
By the end you'll feel that uncomfortable nudge: search your company on Companies House, check service addresses, review LinkedIn and job adverts, and audit your domain's email records. The narrative closes by setting the scene for the next chapter in the series and challenging every listener to ask: what did I find about myself that an attacker could use first?

The Firewall Fallacy: Fortinet, KEVs and the Cost of Complacency
Monday Jun 22, 2026
A firewall cannot save you from being badly run. For years, small businesses have been sold the idea that a perimeter box equals protection. When Fortinet disclosed exploited authentication bypass vulnerabilities, added to CISA's Known Exploited Vulnerabilities catalogue, the uncomfortable truth surfaced again: the firewall is not a wall. It is a computer at the edge of your network that runs software, has management access, and can be compromised. Defence in Depth means using multiple security layers so that when one fails, another slows the attacker, limits damage, or helps you spot the problem. The NCSC describes this as reducing single points of failure.
Yet many small businesses still operate flat networks with exposed management, weak identity, old firmware, missing logs, and untested backups. This episode unpacks the Fortinet advisory, challenges the green dashboard culture, and delivers a practical checklist for the twenty-person firm. The panel argues about MSP accountability, board responsibility, and the difference between buying comfort and buying outcomes. No vendor worship. No reassurance fog. Just evidence, ownership, and the hard questions businesses should ask before the next advisory drops.

Erased from the Web: The Fight Over a Child's Moment
Monday Jun 15, 2026
Should Schools Remove Pupil Photos from Public Websites?
A school removes all identifiable pupil photos from its website and social media. A parent complains their child's sporting achievement has been erased. The safeguarding lead sees reduced risk. The marketing lead sees lost warmth. The headteacher is caught in the middle. This What If Wednesday unpacks the tension between celebration and safeguarding in an era of facial recognition, AI manipulation, and permanent digital trails. The panel explores lawful basis, consent limits, metadata risks, and why public celebration no longer requires handing children's identities to the open internet. Practical guidance covers policy design, parent communication, safer storytelling, image audits, and leadership decisions. Schools can still celebrate pupils without treating them as searchable marketing assets.
Chapters
- Cold Open: The Complaint. A school strips identifiable pupil photos from its public channels. A parent says their child's sporting achievement has been erased. The tension between pride, safety, and marketing is introduced.
- Welcome: What If Wednesday. The panel frames the scenario as a practical discussion for schools, parents, and trustees navigating image use in a changed online landscape.
- The Trap Schools Walked Into. Why schools published pupil photos for good reasons, and why that old model now needs urgent review in light of scraping, AI tools, and permanent exposure.
- Consent Is Not a Magic Cloak. Lawful basis, transparency, withdrawal rights, and why parental consent does not eliminate technical or safeguarding risk once images are public.
- The New Risk Is Not Theoretical. Scraping, facial matching, AI manipulation, metadata, blackmail, and cumulative exposure. The threat landscape around public pupil images has fundamentally changed.
- Midroll Bumper: The Decision Point. A short reset. The parent, marketing lead, and safeguarding lead are all justified. The answer is safer celebration, not silence or defensiveness.
- What The School Should Say To The Parent. Empathetic communication that acknowledges pride, explains the decision, and offers safer alternatives without reversing the safeguarding boundary.
- What Marketing Should Do Instead. How schools can still convey warmth, identity, and community without relying on identifiable pupil faces on open platforms. Storytelling, not just stock images.
- What The Policy Needs On Monday Morning. Practical action list: audit existing images, classify risk levels, define review questions, update parent communication, fix workflows, train staff, and review annually.
- The Leadership Decision. Leaders must decide what public celebration looks like now, give staff cover, avoid informal negotiation after every event, and frame the policy as protection and recognition.
- Outro: The Answer. Hold the safeguarding line. Explain properly. Offer safer celebration. Do the boring work. A school can celebrate children without turning them into searchable marketing assets.

Birthday Audit: Brutal Lessons for Small Business Cybersecurity
Monday Jun 08, 2026
Noel Bradford and Mauven MacLeod mark the first anniversary of The Small Business Cyber Security Guy by doing what they ask of small businesses: an honest review. No self-congratulation, no marketing gloss. Instead, the hosts correct the mistakes that mattered, including overuse of misleading breach statistics, presenting multi-factor authentication as a finish line rather than a foundation, and underestimating the practical friction of supplier conversations.
They revisit the year's core messages that held up under scrutiny: cyber security is a business problem, not just an IT task; backups are only meaningful if they have been tested; and certificates are not controls. Graham Falkner, Lucy Harper, and Corrine Jefferson each share what surprised them most during the year, touching on logging discipline, accountability gaps after breaches, and the increasing speed of identity-driven attacks.
The episode closes with a clear-eyed look at what remains broken, including weak accountability structures, the persistent myth that small businesses are too small to target, and the widespread failure to test recovery processes. Listeners receive three practical actions for the week: test a file restore, strengthen MFA on privileged accounts, and disable old user logins. The hosts also introduce two new daily shows joining the SBCSG network in year two.
The Daily Time Drop - https://open.spotify.com/show/033t7F4gTRfns0waaq7kHR?si=d859cf22a62f4f8f
UK Government - https://www.gov.uk/government/statistics/cyber-security-breaches-survey-2024
National Cyber Security Centre - https://www.ncsc.gov.uk/collection/phishing-resistant-authentication

If Your MSP Says "All Good", Can They Prove It?
Monday Jun 01, 2026
It starts with a slow ticket, a missing laptop and a printer staging yet another tiny rebellion: the kind of problems every small business sees and understands. But behind those visible slips is a quieter, far more dangerous story: patches that didn't run, MFA that wasn't enforced, backups that wouldn't restore. In this episode Noel Bradford and a panel of experts follow a simple, devastating question: if your MSP says everything is fine, what can they actually prove?
Through a sharp, practical conversation with Mit Patel, founder of Assurix, we peel back the sales decks and the polite reassurances to show how "managed IT" can mean very different things. Mit explains the difference between promises and live evidence: not certificates from three years ago, but ongoing proof that patching, EDR, backups and identity controls are working over time. Graham brings the arithmetic that spoils the cheap quote, Corrine maps the attacker's path, and Lucy explores the trust problem buyers face when asked to pick a provider with almost no usable evidence.
Listeners are walked through the exact questions every business owner can ask without becoming a security expert: show me 90 days of patching and backup evidence; show me MFA enforcement and exceptions; explain your offboarding process and its real cost; who owns proactive maintenance and how much time do they spend on it? We hear why continuous assurance matters for cyber insurance and why a green report on one day isn't the same as discipline over months.
The episode doesn't preach panic; it prescribes better questions and better accountability. You'll hear concrete examples of what good looks like: enforced MFA, tested backups, measurable patch compliance, named escalation paths, fair offboarding and evidence dashboards a human can understand. And if your MSP can't show that evidence, the episode explains why price comparisons alone are dangerous and how under-resourced security becomes a real business risk.
By the end you'll understand the simple premise that guides the discussion: service is visible, security is invisible, until it fails. This episode arms small business leaders with a narrative and a checklist to turn vague reassurances into verifiable proof, and gives good MSPs a roadmap to show their value beyond the lowest price. Ask for evidence, not a fleece and a smile.

MFA Fatigue Is a Management Failure, Not a User Problem
Sunday May 31, 2026
Multi-factor authentication is essential, but not all MFA is equal. When users receive vague, repeated, or poorly explained prompts, they start treating them like cookie banners: accept, accept, make it go away. Attackers exploit this fatigue by triggering prompts under pressure, impersonating IT support, or using social engineering to bypass weak helpdesk processes. This is not a user failure; it is a design and management failure. Businesses must reduce unnecessary authentication noise, use phishing-resistant methods like number matching, train staff to recognise unexpected prompts as attack signals, and strengthen identity verification processes.
A reported prompt that turns out to be nothing is a working security culture. A prompt nobody reports because everyone fears looking stupid is how expensive conversations with insurers begin. MFA is a control, not a confession booth. If it fails, look at the whole process: the prompt design, the training, the helpdesk, the call-back procedures, and the culture that prioritises speed over verification. Stop blaming users for predictable mistakes in badly designed systems.

Shadow AI Is Just Shadow IT Wearing a Cape
Saturday May 30, 2026
Shadow AI has already arrived in most UK small businesses, often through browser tabs, SaaS tool sidebars, and helpful buttons that promise to improve text. Staff are using AI to rewrite emails, summarise meetings, polish proposals, and speed up admin tasks, frequently without approval, policy, or controls. This is shadow IT all over again, but faster and with better branding. The problem is not the technology itself, but unmanaged data movement into systems nobody has reviewed.
Noel Bradford explains why banning AI without offering safe approved routes will fail, why hope is not an AI governance model, and why businesses need practical data controls that give staff clear lanes: low-risk generic tasks, controlled handling of customer data, and hard stops for sensitive material. UK Government guidance and NCSC advice make clear that AI changes the threat landscape, but the basics still matter. This episode cuts through the hype to deliver straightforward guidance on approved tools, supplier checks, human review, and early mistake reporting. AI policy is not about stopping progress; it is about stopping progress from leaking your business into someone else's platform.

Pop-Ups, Upsells & Risk: Taming the Noisy World of SaaS Admin Dashboards
Friday May 29, 2026
Imagine opening your SaaS admin panel and walking into Times Square: flashing upsells, trial banners, an AI button nobody asked for, and a marketplace pitch vying for your click. In this episode, Noel Bradford, your Security Guy, takes you through that sensory overload and shows how it's not just annoying design; it's a security problem. When every notification screams for attention, the real alarms get lost in the noise.
Through vivid scenes and sharp examples, Noel explains how attention itself is a control: systems that drown users in marketing clutter train people to ignore banners, default prompts, and even vital security warnings. He weaves practical stories about suspicious sign-ins buried under upgrade offers, API tokens created beside glossy feature tours, and admin portals that bury logs behind paywalls, painting a clear picture of how SaaS sprawl turns convenience into hidden risk for small businesses.
The episode moves from diagnosis to action. Noel lays out a no-nonsense checklist (inventory your SaaS estate, assign owners, remove unused integrations and dormant admins, enforce MFA, and route genuine security alerts to a monitored place), then challenges listeners to ask vendors hard questions about log access and whether security features are deliberately gated behind premium plans.
Part cautionary tale, part practical guide, this episode blends storytelling with actionable advice so listeners leave energised to declutter their dashboards and protect their businesses. If your work tools look like a shopping centre, expect people to treat warnings like adverts. Listen in, then reclaim attention as the critical control it is.