214.3K
Downloads
81
Episodes
The UK's leading small business cybersecurity podcast, helping SMEs protect against cyber threats without breaking the bank.
Join cybersecurity veterans Noel Bradford (CIO at Boutique Security First MSP) and Mauven MacLeod (ex-UK Government Cyber Analyst) as they translate enterprise-level security expertise into practical, affordable solutions for UK small businesses.
🎯 WHAT YOU'LL LEARN:
- Cyber Essentials certification guidance
- Protecting against ransomware & phishing attacks
- GDPR compliance for small businesses
- Supply chain & third-party security risks
- Cloud security & remote work protection
- Budget-friendly cybersecurity tools & strategies
🏆 PERFECT FOR:
- UK small business owners (5-50 employees)
- Startup founders & entrepreneurs
- SME managers responsible for IT security
- Professional services firms
- Anyone wanting practical cyber protection advice
Every episode delivers actionable cybersecurity advice that you can implement immediately, featuring real UK case studies
Episodes

32 minutes ago
YellowKey Exposed: Why BitLocker 'On' Isn't Enough
Noel Bradford delivers a direct examination of YellowKey, the reported BitLocker bypass that exploits the Windows Recovery Environment on TPM-only configurations.
This episode strips away vendor comfort narratives and green-tick dashboards to focus on what default encryption settings actually protect against when a laptop is stolen or accessed physically.
He explains how YellowKey targets trusted recovery paths rather than breaking encryption mathematics, why TPM-only BitLocker represents a convenience trade-off rather than maximum assurance, and how businesses confuse enabled controls with proven protection.
The episode provides practical guidance on identifying high-risk devices, reviewing BitLocker protectors, implementing TPM plus PIN where appropriate, locking firmware settings, restricting USB storage, and properly escrowing recovery keys.
It argues that physical access remains a normal business risk through stolen laptops, lost devices, and compromised bags, not merely a theoretical attack scenario.
It then challenges boards and decision-makers to move beyond checkbox assurance and ask what their laptop security actually proves under adversarial conditions.
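As an added example (not a script from the episode or the podcast), here is the "review your protectors" step in PowerShell. It lists every BitLocker volume's key protectors, flags OS volumes that show "On" but are protected by the TPM alone or have no recovery password, and, with -Remediate, adds a recovery password, escrows it, and moves the volume to TPM + PIN. It assumes an elevated prompt on Windows 10/11 with the built-in BitLocker module, that the Group Policy setting "Require additional authentication at startup" already permits a TPM + PIN, and, for escrow, that the device is AD-joined or Entra-joined. The -Remediate and -EscrowTo parameters are this example's own.

```powershell
# Added example, not the episode's own code. Audit BitLocker protectors and
# optionally move TPM-only OS volumes to TPM + PIN with an escrowed recovery
# password. Assumes an elevated prompt, the built-in BitLocker module, and a
# policy that allows TPM + PIN (otherwise Add-BitLockerKeyProtector fails).
param(
    [switch]$Remediate,                   # without it the script only reports
    [ValidateSet('AD', 'Entra', 'None')]
    [string]$EscrowTo = 'None'            # where to back up the recovery password
)

$tpmPinTypes = 'TpmPin', 'TpmPinStartupKey'

function Get-BitLockerPosture {
    foreach ($vol in Get-BitLockerVolume) {
        $types = @($vol.KeyProtector | ForEach-Object { [string]$_.KeyProtectorType })
        [pscustomobject]@{
            MountPoint          = $vol.MountPoint
            VolumeType          = [string]$vol.VolumeType
            ProtectionStatus    = [string]$vol.ProtectionStatus
            EncryptionMethod    = [string]$vol.EncryptionMethod
            Protectors          = ($types -join ', ')
            # "On" with only a Tpm protector is the convenience configuration:
            # the TPM unseals the key for any boot path its PCR policy trusts,
            # which is the trusted recovery path the episode describes.
            TpmOnly             = ($types -contains 'Tpm') -and -not ($types | Where-Object { $_ -in $tpmPinTypes })
            HasRecoveryPassword = ($types -contains 'RecoveryPassword')
        }
    }
}

$posture = Get-BitLockerPosture
$posture | Format-Table -AutoSize

$atRisk = @($posture | Where-Object {
    $_.VolumeType -eq 'OperatingSystem' -and $_.ProtectionStatus -eq 'On' -and
    ($_.TpmOnly -or -not $_.HasRecoveryPassword)
})
if ($atRisk.Count -eq 0) { Write-Host 'No TPM-only or un-escrowed OS volumes found.'; return }
if (-not $Remediate) { Write-Warning "$($atRisk.Count) OS volume(s) need attention; re-run with -Remediate."; return }

foreach ($v in $atRisk) {
    $mp = $v.MountPoint
    if (-not $v.HasRecoveryPassword) {
        # Always hold an escrowed recovery password before touching protectors,
        # or a failed PIN rollout locks you out of the device.
        Add-BitLockerKeyProtector -MountPoint $mp -RecoveryPasswordProtector | Out-Null
    }
    $rp = (Get-BitLockerVolume -MountPoint $mp).KeyProtector |
          Where-Object KeyProtectorType -eq 'RecoveryPassword' | Select-Object -First 1
    switch ($EscrowTo) {
        'AD'    { Backup-BitLockerKeyProtector      -MountPoint $mp -KeyProtectorId $rp.KeyProtectorId }
        'Entra' { BackupToAAD-BitLockerKeyProtector -MountPoint $mp -KeyProtectorId $rp.KeyProtectorId }
        'None'  { Write-Warning "Recovery password for $mp is NOT escrowed; store it out of band." }
    }
    if ($v.TpmOnly) {
        $pin = Read-Host -AsSecureString "Startup PIN for $mp (required at every boot)"
        # A volume carries one TPM-based protector, so adding TPM + PIN replaces
        # the TPM-only one; the pass below removes any stray Tpm protector left.
        Add-BitLockerKeyProtector -MountPoint $mp -TpmAndPinProtector -Pin $pin | Out-Null
        (Get-BitLockerVolume -MountPoint $mp).KeyProtector |
            Where-Object KeyProtectorType -eq 'Tpm' |
            ForEach-Object { Remove-BitLockerKeyProtector -MountPoint $mp -KeyProtectorId $_.KeyProtectorId }
    }
}
Get-BitLockerPosture | Where-Object VolumeType -eq 'OperatingSystem' | Format-Table -AutoSize
```

Run it without -Remediate first on the devices you consider high risk (anything that leaves the building) and read the Protectors column: a line showing only "Tpm, RecoveryPassword" is the configuration the episode is talking about. The firmware password, boot-order lock and USB restrictions it also recommends are set in UEFI and Group Policy, not from this script.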

22 hours ago
They said the fine was £828,000 in some headlines — the ICO said £963,900. Numbers matter, but the real scandal is deeper than a headline figure: this is about trust, monopoly, and a regulator that finally acted. In this episode the Small Business Cybersecurity Guide tells the story of how a single phishing email in September 2020 became a twenty‑month lodger inside a utility network, and how a monopoly provider of an essential service left hundreds of thousands of people exposed.
It starts small: a malicious attachment, a foothold, then complacency. For almost two years the attacker lived in the estate, quiet and unseen, until May 2022 when they began a methodical campaign of lateral movement and privilege escalation. By July they held domain administrator access — the keys to the kingdom. They weren’t stealthy ninjas; they were guests who moved in, opened the cupboards, and helped themselves.
Detection? Not artisanal monitoring or heroic threat hunting. It was system performance degradation — the IT equivalent of noticing the house is on fire because the TV has melted. The compromise produced a failed ransom demand and, eventually, a dump of more than four terabytes of stolen data on the dark web: names, addresses, emails, dates of birth, phone numbers, account details, bank sort codes, service credentials and even information that could infer disability status for priority customers. 633,887 people in the UK were affected.
The ICO’s findings are the part that should make every director and IT lead sit up. This wasn’t a story of exotic attack techniques — it was a catalogue of basic control failures: outdated software (Windows Server 2003 in a live environment), inadequate logging and monitoring, weak vulnerability management, no meaningful scans for long periods, and a third‑party SOC only watching 5% of the estate. That is not coverage; it’s a comfort blanket.
Hear the frustration and the anger: when customers can’t vote with their feet, protecting their data isn’t optional. This episode pushes past corporate press releases and settlements to ask what really matters — the people. What does this exposure mean for vulnerable customers, staff, and anyone who trusted a critical service provider to keep their information safe?
Then the episode turns outward with hard lessons every organisation must learn. Know your estate — you cannot protect what you cannot see. Retire legacy systems properly. Enforce least privilege so domain admin access is exceptional, not daily. Monitor the entire environment, not a token slice. Scan, patch, remediate. Test your incident response and your communications before chaos forces you to explain to frightened customers what happened to their data.
Above all, this is a governance failure. Cybersecurity isn’t just an IT problem or a checkbox for audit season — it’s board‑level risk management. The board must own the risk, demand evidence, and stop hiding behind vendor portals and PDFs that mean nothing in a crisis. The episode pulls no punches: if you haven’t modelled the cost of a breach, you’ve found the root problem.
The ICO finally acted — good. But the real question the episode leaves listeners with is uncomfortable and direct: if the regulator walked into your business tomorrow, what could you actually prove? This is a wake‑up call to utilities, regulated sectors and every UK business. Basic controls, evidence, and leadership matter. If you wait for criminals, regulators or journalists to force the issue, you’ll have bought a public kicking on credit.
Listen as the Small Business Cybersecurity Guide blends forensic detail, sharp critique and practical advice to turn a headline into a blueprint: how to stop being the next story. — Noel Bradford

4 days ago
It’s that time of the month: Patch Tuesday. The headlines shout 137 CVEs and a perfect 10.0 somewhere in the noise, but this episode narrows the story down from global panic to what actually matters for a small business with a server room, a handful of laptops, and a CEO who needs to log in on Monday morning.
I’m Graham Falkner and in this edition of the Small Business Cyber Security Guy I walk you into the trenches of May 2026’s update cycle — the numbers, the new role AI is playing in vulnerability hunting, and the four bugs you can’t ignore. I tell the story of how an unpatched domain controller can become the pivot point for a full-blown takeover (think Zerologon’s ghost), why every Windows endpoint’s DNS client suddenly matters again, and how an Atlassian single sign‑on plugin could let an attacker impersonate any user. These aren’t abstract CVEs on a spreadsheet; they’re concrete threats with reachable fixes.
You’ll hear exactly what to do, in the order to do it: find and patch on‑prem domain controllers in the next 48 hours (NetLogon — CVE‑2026‑41089, KBs by Windows Server version), push a small test ring for endpoint updates and watch for BitLocker recovery prompts (CVE‑2026‑41096), and treat on‑prem Dynamics 365 and Atlassian SSO as high‑priority if you run them locally. I give the KB numbers, realistic time estimates — an hour per domain controller — and a no‑hype deployment schedule that keeps your business running while you secure it.
The narrative also walks through an operational snag that will catch teams off guard: some devices may prompt for a BitLocker recovery key after reboot. I explain the three pre‑deployment checks to prevent a CEO‑level outage (adjust a TPM group policy, verify where recovery keys live, and reapply baselines later), and why you should demand a plan from your MSP before they push updates.
Along the way I bust headlines that distract — the CVE‑2026‑42826 “Perfect 10” in Azure DevOps is already mitigated by Microsoft, so there’s no customer action — and remind you that other vendors patched too: Adobe, SAP, AMD, Apple. Patch week is not a one‑vendor event.
By the end of the episode you’ll have a simple, prioritized checklist you can act on this week: identify DCs and patch them now, test endpoints tomorrow, roll out by week’s end, and verify Atlassian plugins separately. This is a story about practical choices under pressure — stop chasing every headline and start fixing what can actually hurt your business.
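An added example for the first item on that checklist (not a script from the episode): enumerate every domain controller, check which of a given list of KB IDs each one has installed, and report build and last boot so a patch that is installed but not yet rebooted into stands out. The KB IDs are passed in as a parameter because this page does not list them; the script assumes RSAT's ActiveDirectory module on an admin workstation and RPC/WMI access to each DC.

```powershell
# Added example, not the episode's own code. Usage:
#   .\Test-DcPatchState.ps1 -KbIds 'KB5000000','KB5000001'   (KB IDs are placeholders)
param([Parameter(Mandatory)][string[]]$KbIds)

Import-Module ActiveDirectory

function Test-DcPatchState {
    param([string[]]$KbIds)
    foreach ($dc in Get-ADDomainController -Filter *) {
        $name = $dc.HostName
        try {
            $os = Get-CimInstance -ClassName Win32_OperatingSystem -ComputerName $name -ErrorAction Stop
            $hotfixes = @(Get-HotFix -ComputerName $name -ErrorAction Stop)
            $installed = @($hotfixes | Where-Object { $_.HotFixID -in $KbIds })
            $missing   = @($KbIds | Where-Object { $_ -notin $installed.HotFixID })
            # Heuristic: a target KB whose install date is on or after the last
            # boot date has probably not been rebooted into yet.
            $pending = @($installed | Where-Object {
                $_.InstalledOn -and $_.InstalledOn.Date -ge $os.LastBootUpTime.Date
            })
            $status = if ($missing.Count -gt 0) { 'MISSING' }
                      elseif ($pending.Count -gt 0) { 'installed, reboot likely pending' }
                      else { 'patched' }
            [pscustomobject]@{
                DC        = $name
                OS        = $os.Caption
                Build     = $os.BuildNumber
                LastBoot  = $os.LastBootUpTime
                Installed = ($installed.HotFixID -join ',')
                Missing   = ($missing -join ',')
                Status    = $status
            }
        } catch {
            # An unreachable DC is a finding in itself; keep it in the report.
            [pscustomobject]@{
                DC = $name; OS = '?'; Build = '?'; LastBoot = $null
                Installed = ''; Missing = ($KbIds -join ','); Status = "unreachable: $($_.Exception.Message)"
            }
        }
    }
}

Test-DcPatchState -KbIds $KbIds | Sort-Object Status | Format-Table -AutoSize
```

Get-HotFix only reports what Windows has recorded in its update history, so a DC that shows "patched" here still wants a look at the actual OS build after reboot; treat the output as the evidence trail for the 48-hour window rather than the final word.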

6 days ago
It starts with a tempting spreadsheet: 25 staff, a cheaper IT quote that shaves £35 per user off the bill — £10,500 a year saved, instantly seductive. Noel Bradford and Mauven MacLeod open this episode by turning that neat number upside down and asking the one question every business owner should be able to answer: what exactly has been removed from the service to make that price possible?
They walk you through a story many business owners will recognise — a colourful LinkedIn pitch that sells confidence and hides compromises. The cheap provider isn’t performing miracles; they’re quietly cutting controls: enforced MFA, disciplined patching, active monitoring, behaviour-based endpoint defence, security training, incident response and documented processes. Those missing pieces turn an attractive short-term saving into a long-term gamble.
Noel and Mauven do the arithmetic and show you the cold UK data: the DSIT survey found 43% of UK businesses suffered an incident in 2024, phishing hit 85% and even a 1% ransomware prevalence still means roughly 19,000 organisations were devastated. The average materially costly breach ran to about £8,260 in 2025 — already eclipsing that supposed annual IT saving — and real-world downtime, lost orders and reputational damage can push costs far higher.
They then lift the curtain on what a security-first MSP actually spends on the plumbing: remote monitoring, EDR, DNS filtering, email protection, application control, backups, SOC monitoring, documentation and professional tooling. Strip it down honestly and the true cost lands well above fantasy bargains — industry reality makes anything under roughly £50 per user per month alarming, and in London nearer £75.
Cyber insurance isn’t a free pass. Uptake has risen, but so have denials: missing MFA, poor patch evidence, misrepresented controls and late reporting regularly void claims. Insurers now demand proof — logs, timestamps and documented processes — and bargain providers rarely collect or produce that evidence. The result: a denied claim when you most need a payout.
Ransomware is the horror story that pulls everything together. Usually seeded through phishing and unpatched systems, ransom incidents produce recovery costs that dwarf the payment demand. Noel and Mauven explain why the ransom is only the opening act — downtime, forensics, legal costs, client fallout and reconstruction push many small firms to the brink.
Regulators make the stakes worse. ICO fines and tougher technical expectations mean that skimping on controls isn’t just reckless, it can be an aggravating factor in enforcement. The cheapest IT quote won’t be an excuse in front of a regulator or in the aftermath of a client data breach.
The episode ends with practical, plain-English advice: seven questions every business should ask their provider about certification, enforced MFA, patching, EDR, proactive monitoring, incident response and insurance compliance. The message is simple — don’t buy the smallest number on a spreadsheet without understanding what you’ve agreed to carry. Spend wisely, not blindly.

Thursday May 07, 2026
When Germany's .de Went Missing: A DNSSEC Fable of One Bad Signature
How a Broken DNSSEC Signature Knocked Out .de Sites
One bad signature. Millions of websites. Gone.
On 5 May 2026, Germany's .de domain vanished from the internet for three hours. Amazon.de, Deutsche Bahn, Spiegel, DHL, major banks: all unreachable. Not hacked. Not ransomwared. One broken cryptographic record from the registry that manages 17.9 million domains.
The servers were perfectly healthy. Nobody could find them.
Corrine Jefferson and Graham Falkner break down what went wrong, why your business has the exact same invisible dependency, and what to do about it.
Read the full analysis: How a Broken DNSSEC Signature Knocked Out .de Sites

Wednesday May 06, 2026
Chrome's Hidden AI: The 4GB Surprise Eating Your Disk and Bandwidth
Hot Take: Google Chrome, Gemini Nano, and the 4 GB Consent Problem
Show Notes
Google Chrome has been quietly downloading a roughly 4 GB AI model called Gemini Nano onto user devices in the background. No clear consent prompt. No notification. Just a file called weights.bin turning up in a folder called OptGuideOnDeviceModel like it pays the mortgage.
In this Hot Take, Noel breaks down why this is not an "AI is evil" story. It is a consent story. A governance story. And a vendor entitlement story that every UK small business needs to take seriously.
What Noel Covers
- Why a 4 GB background download is not a minor browser update
- What Google's own developer documentation confirms about model lifecycle management, background downloads, and full model updates
- Why "it was in the documentation" is not consent
- The governance mess this creates for managed business devices
- PECR and the ICO's guidance on storage and access technologies
- The environmental cost at Chrome scale (67.97% worldwide browser share)
- Why AI Mode in Chrome and on-device Gemini Nano are not the same thing, and why the confusion matters
- The embarrassingly simple fix Google has not implemented
- What UK small businesses should actually do about it right now
Key Quote
"We have somehow built frontier AI and still can't manage the radical engineering challenge of a bloody consent prompt."
Read the Full Analysis
The full article includes the complete source documentation, PECR regulatory detail, competitive advantage strategies, board-level talking points, and a step-by-step action list for UK small businesses.
Read the full article on the blog
Sources Referenced
All 14 primary sources, including Google's own developer documentation, ICO PECR guidance, and StatCounter market share data, are cited in the full blog post.

Monday May 04, 2026
Why 43% of UK Businesses Got Hit — and Why the Basics Let Them Down
Imagine watching the house next door burn and nodding sympathetically about smoke alarms — then never changing the battery in your own. That image opens our episode as Noel Bradford sits with Mauven MacLeod, Lucy Harper and Graham Falkner to unpack the UK Cybersecurity Breaches Survey 2025–26. This isn’t clickbait panic; it’s a weather report built from 2,112 businesses and 1,085 charities. The headline is simple and ugly: awareness rose after a year of big breaches on the news, but the boring, decisive basics slipped backwards.
The numbers feel like a betrayal: risk assessments fell from 48% to 41%, formal cybersecurity policies from 59% to 52%, and business continuity plans covering cyber plunged from 53% to 44% — nine points lost in a year. Those figures land harder when you remember that 43% of businesses still reported a breach or attack in the last 12 months. This is not rare misfortune; it’s roughly 612,000 organisations experiencing harm, often more than once — the median victim suffered three crimes in a year.
What explains the gap between knowing and doing? The episode frames it as a human story of overload, inertia and the tilt of daily fires over preventative work. Small-business owners juggle payroll, inventory and phone calls; cyber becomes a preventative chore that slides down the to-do list until a miserable Tuesday forces theatre rather than true repair. Awareness rose because the news was loud; conversion into diaries, policies and tested routines didn’t.
Phishing is still the thief in the night: 69% of the most disruptive incidents, and for 51% of breached businesses phishing alone was the culprit. The old advice — spot the typos, spot the scam — is breaking down as AI writes believable bait. The human being is no longer the reliable last line. So the fight shifts to identity: two-factor authentication and other account protections stop one mistake becoming total catastrophe. Progress exists — MFA adoption climbed from 40% to 47% — but more than half of firms remain exposed.
The survey throws up other startling blindspots: 22% of the most senior people responsible for cyber didn’t know if their organisation had cyber insurance; only 15% formally review immediate suppliers and a tiny 6% review the wider supply chain; 31% of businesses are using or considering AI but only 24% of those have any controls in place. These are not theoretical gaps — they are the plumbing and the paperwork that determine whether a single clicked link turns into a multi-week catastrophe.
We refuse to finish on gloom. The episode turns evidence into a razor-sharp, do-able checklist you can act on this week. Five prioritised moves: turn on MFA everywhere that matters; get your cyber insurance confirmed in writing and save the policy where two people can find it; write a one-page breach list with names and first actions; institute three simple AI rules (don’t paste customer data into public tools, don’t feed contracts or financials into unknown models, and always human-check AI outputs before sending); and review the three suppliers who can touch your systems or customer data.
There’s also practical advice on when to DIY and when to pay. If you’re tiny and organised, you can implement the basics yourself. If your Microsoft tenancy, sensitive customer data, or backups are beyond your comfort, pay for competence — spend where mistakes are expensive. The point of each suggestion is the same: decisions, dated and tested, beat good intentions left on the sofa.
By the episode’s close Noel, Mauven, Lucy and Graham press the same ask: turn concern into calendar time. Pick one thing this week — MFA, insurance confirmation, a breach list, supplier questions or simple AI rules — and do it. These are small, affordable, and powerful first steps. The survey’s verdict is harsh but useful: the fixes are often obvious. The hard part is choosing to stop drifting.
Listen for the stories, the statistics and the practical push to act. If this episode rattles you, let it. Drift kills small firms. One decision, one scheduled action, can change the story from a miserable Tuesday to a business that survives the next headline.

Monday Apr 27, 2026
Cyber UK 2026: The Front Line Arrives — What Small Businesses Must Do Now
When a government minister stood on a podium in Glasgow and said, “the cyber front line is already here,” it did not sound like a warning. It sounded like a cold, unavoidable truth.
In this episode, Noel Bradford is joined by Mauven and Graham, who attended Cyber UK 2026, to unpack what was said, what was left unsaid, and what it means for the small businesses quietly sitting inside UK supply chains.
The scale of the threat is no longer theoretical. Nationally significant cyber incidents are rising sharply. A single breach at Jaguar Land Rover reportedly cost nearly £2 billion across its supplier network. Nation state actors and ruthless criminal gangs are attacking faster, harder, and with greater precision. The old excuse of “we are too small to be targeted” is now dangerously out of date.
Noel, Mauven, and Graham break down the numbers, the reaction in the Glasgow conference hall, and the blunt reality behind the headlines. Government pledges may change the landscape, but they will not protect your business unless you act.
The episode also examines the government’s voluntary Cyber Resilience Pledge and why it matters. The most important part may be the supply chain effect. Large organisations that sign the pledge could start expecting their suppliers to hold Cyber Essentials certification. That may make Cyber Essentials a practical requirement for winning and keeping business, even if it is not yet written into law.
The team also explains why the £90 million funding commitment matters, but why small firms should not expect a sudden cash windfall. The immediate pressure will come from reputation, procurement, and customer expectations, not regulation.
There is also a reality check on AI. Powerful new models can now find deep, old vulnerabilities in hours. That gives attackers more speed and scale. But for most small businesses, the answer is not a six figure AI security platform. It is getting the basics right, faster.
Patch properly. Check whether your IT provider is ready for machine speed attacks. Start Cyber Essentials. Review AI use inside your business. Sign up to NCSC Early Warning.
By the end of the episode, you will have five practical, low cost actions you can take this week to move from passive hope to active defence.
If your business relies on larger customers, this episode gives you the timeline, the threat picture, and the checklist you need before the next procurement email lands.