213.1K downloads, 69 episodes
The UK's leading small business cybersecurity podcast, helping SMEs protect against cyber threats without breaking the bank.
Join cybersecurity veterans Noel Bradford (CIO at Boutique Security First MSP) and Mauven MacLeod (ex-UK Government Cyber Analyst) as they translate enterprise-level security expertise into practical, affordable solutions for UK small businesses.
WHAT YOU'LL LEARN:
- Cyber Essentials certification guidance
- Protecting against ransomware & phishing attacks
- GDPR compliance for small businesses
- Supply chain & third-party security risks
- Cloud security & remote work protection
- Budget-friendly cybersecurity tools & strategies
PERFECT FOR:
- UK small business owners (5-50 employees)
- Startup founders & entrepreneurs
- SME managers responsible for IT security
- Professional services firms
- Anyone wanting practical cyber protection advice
Every episode delivers actionable cybersecurity advice that you can implement immediately, featuring real UK case studies.
Episodes

Monday Feb 16, 2026
Edge Devices Under Siege: 393 Days of Unnoticed Access
In this episode of Small Business Cybersecurity Guy, host Mauven MacLeod and guest Dr Corinne Jefferson (former US government intelligence analyst turned London-based consultant) unpack Google Threat Intelligence's alarming report on the Defence Industrial Base (DIB) and explain exactly why it matters to small and medium-sized businesses. They move straight from the uncomfortable headline (Chinese state-linked hackers averaging 393 days of dwell time inside victim networks) to the practical implications for 50-80 person companies across manufacturing, logistics, and software supply chains.
Topics covered include clear definitions (APT, UNC), the distinction between edge devices and endpoints, why firewalls and VPN appliances are attractive, under-monitored targets, and why EDR often misses the real entry points. They discuss documented campaigns (UNC-3886, UNC-5221/Brickstorm) and how multiple zero-day exploits against edge vendors have been used to gain long-term access and persistence.
The episode also examines other nation-state tradecraft: Russian actors targeting messaging apps and device-linking features, North Korean operatives obtaining remote jobs inside companies, and sophisticated recruitment-themed phishing using AI-generated reconnaissance. Mauven and Dr Jefferson highlight how attackers map supply chains professionally, meaning you can be a target even if you don't self-identify as a defence contractor, and how ransomware and dual-use manufacturing create huge blast radii that can stop production and bankrupt small firms.
Most importantly, the hosts give a pragmatic, non-bankrupting 90-day plan for SMEs: an immediate "Edge Reality Check" to interrogate MSP visibility on VPNs/firewalls, a short-term segmentation win to reduce blast radius, and a phased rollout of phishing-resistant MFA for key admin and finance accounts. They offer exact questions to ask your MSP, the metrics and controls procurement teams will soon demand, and how to frame the business case to your board.
Listeners should expect a mix of blunt intel, real-world examples, and actionable next steps to reduce risk without breaking the bank, plus a call to assume compromise, improve edge monitoring, and stop treating VPNs as magic shields. Tune in for practical guidance, concrete conversation starters for your MSP, and the motivation to make measurable security improvements this quarter.

Wednesday Feb 11, 2026
February 2026 Patch Tuesday: Six Actively Exploited Flaws; DWM Strikes Twice
Host Graham Falkner breaks down Microsoft's February 2026 Patch Tuesday: more than 50 vulnerabilities across Windows and Microsoft 365, including six that were actively exploited before patches arrived. This episode explains which flaws matter, who's affected, and the practical steps businesses should take immediately.
Coverage includes the six confirmed actively exploited vulnerabilities (triple January's count): three security-feature bypasses that remove user protections (including a Word document bypass that is not triggered by Outlook preview), Desktop Window Manager (DWM) flaws that allow privilege escalation and are being exploited for a second month, a Remote Desktop Services elevation issue found by CrowdStrike, and a Remote Access Connection Manager VPN crash vulnerability with a ready-made exploit tool in criminal circulation. CISA has added all six to its known exploited list, with federal agencies required to patch by March 3.
The episode also highlights developer-focused risks: three serious GitHub Copilot flaws that let hidden malicious instructions run commands on a developer's machine, and a 9.8-severity flaw in Microsoft's Azure Cloud Tools for Python. Faulkner explains why developers are high-value targets and why organizations that build or buy software must prioritize these fixes.
Other major items: January's three out-of-band patches rolled into February's cumulative update; Microsoft's upcoming certificate updates that begin expiring from June (important for old or rarely-connected hardware); SAP's 26 security notes, including a 9.9 remote-command vulnerability and multiple high-risk issues that can impact supply chains; Adobe's 40+ fixes (27 critical); and updates from BeyondTrust, Ivanti, Cisco, Fortinet and others. Note: Google's Android bulletin for February reported no security fixes.
Special callouts: an Outlook vulnerability that can capture credentials just by previewing a crafted email in the reading pane (apply all related Outlook patches), and Microsoft's gradual retirement of NTLM, which may break legacy business apps unless you plan ahead.
Actionable priorities and patch playbook: First wave (within 24 hours): apply all six actively exploited fixes, the Azure Python tool patch for developer teams, and all Outlook fixes. Second wave (within 72 hours): SAP (if you run it), Exchange Server, GitHub Copilot mitigations for developer teams, and BeyondTrust remote-support fixes. Third wave (within one week): remaining SAP and Adobe updates, Cisco, Fortinet, and other important but not-yet-exploited updates. Faulkner stresses verifying deployment, testing remote desktop and Office workflows, and building patch management into incident response playbooks.
Who should listen: IT managers, small business owners, developers, MSPs, and security teams responsible for patching and remote access. The episode gives clear, prioritized guidance to reduce exposure quickly and recommends sharing the full CVE tables and patch tiers with your IT team or managed service provider.
Find the blog post here: https://noelbradford.squarespace.com/blog/patch-tuesday-february-2026-six-zero-days-uk-smb-guide-2026

Monday Feb 09, 2026
In this urgent episode of Small Business Cybersecurity Guy, hosts Mauven MacLeod and Graham Falkner join the notably fed-up Noel Bradford to unpack four simultaneous, high-impact campaigns that emerged between late January and early February 2026. We walk listeners through detailed research from Trellix, Securonix, Rapid7 and Microsoft and explain why these attacks matter to every small business, even if you think you're too small to be a target.
We open with APT28 (Fancy Bear) exploiting CVE-2026-21509: a weaponised Office document that triggers on open, drops an Outlook backdoor (MiniDoor/NotDoor) and a C++ implant (Beardshell) injected into svchost.exe, exfiltrating email and system data while blending traffic into legitimate cloud services.
Next, Securonix's "Dead Vax" campaign shows how commodity criminals now match nation-state tradecraft. Phishing delivers VHD files that mount like drives, bypass mark-of-the-web warnings and execute fileless loaders that ultimately deploy AsyncRAT, giving attackers remote control, keylogging and full data access.
Rapid7's analysis of the Chrysalis backdoor reveals a supply-chain compromise of Notepad++ hosting infrastructure: poisoned installers selectively targeted victims, abused DLL side-loading and trusted signed binaries to achieve persistent, encrypted backdoors and lateral movement tools. This is supply-chain risk in practice.
Microsoft's macOS research details multiple Stealer campaigns (Digit Stealer, Mac Sync, ClickFix, Atomic Stealer and more) distributed through poisoned Google Ads, fake AI tools and messaging apps. These attacks live off native macOS utilities, use AppleScript and Python, and harvest passwords, crypto wallets, SSH keys and cloud credentials, exposing the myth that Macs are immune.
We connect the dots: all four campaigns abused legitimate platforms and native features, used memory-resident or fileless techniques that bypass signature AV, injected into trusted processes, and moved faster than patch cycles. The real victims are not random users but procurement staff, developers and privileged employees. Small businesses face the same capabilities for a fraction of the cost via malware-as-a-service.
On the regulatory front we cover the Data Use and Access Act (DUAA) changes that took effect in February 2026: cookie and e-marketing fines jump to £17.5m or 4% of global turnover, new rules around children's higher protection matters, a new lawful basis for limited public interest processing, and mandatory complaints handling procedures coming into effect on June 19. We explain why a breach today risks vastly larger financial and compliance consequences.
Finally, we give practical, prioritized guidance for small businesses: immediate zero-cost steps (patch Office, verify Notepad++ versions, show file extensions, audit cookie banners, start a complaints procedure), technical controls to adopt (EDR/behavioral monitoring, managed email security, Mac MDM/EDR, a fractionally engaged CISO/CIO), and realistic budgets and trade-offs for a 20-person company. Links to all source research and a detailed blog post are in the show notes for listeners who want the technical deep dive.

Monday Feb 02, 2026
In this urgent episode of The Small Business Cybersecurity Guide, hosts Noel Bradford, Mauven McLeod and Graham Faulkner bring together three experts to answer one question: why you're doing security wrong and what practical steps will actually protect your business. We cover four pressing, unconnected problems that share the same root cause: a massive gap between perceived and real security.
Dr. Sarah Chen explains passkeys in plain English: how they remove the shared secret that makes passwords vulnerable, why they defeat phishing, credential stuffing and most brute-force attacks, and exactly how small businesses should pilot them this week. She outlines a three-step rollout (check your identity platform, pilot with five users, support them through setup), recovery and accessibility considerations, device and cost guidance, and the measurable benefits, including dramatically fewer password reset tickets.
Former US government cyber analyst Corinne Jefferson unpacks the CISA ChatGPT incident, where the acting director uploaded sensitive government contracting documents to public ChatGPT despite an approved internal alternative. Corinne explains how exceptions become normalized, why convenience often defeats policy, how this damages security culture, and what organizations should do: enforce technical controls, require documented risk assessments for privileged exceptions, and ensure detection is coupled with a consistent response regardless of who triggers the alert.
Seamus O'Leary shares a practical small-business win: after realising he'd never introduced himself to his insurer's incident response team, he discovered £18,000+ of pre-incident services already included in his cyber policy: IR plan templates, tabletop exercises, forensics retainers, quarterly scans and a 24/7 breach hotline. The episode walks through the five-week process he used to onboard the insurer's IR team, fix gaps, run a tabletop, uncover critical weaknesses (unverified backups, unclear ransomware authority, GDPR notification issues) and win board-level funding to replace vulnerable infrastructure.
Noel and the team close with a structural look at cloud sovereignty and vendor concentration: why relying on US cloud providers (AWS, Azure, Google) creates real legal and operational risk regardless of where data is physically stored, how the Cloud Act and post-Schrems II rules change transfer obligations, and practical mitigation options: encryption with external key control, transfer impact assessments, supplementary measures, vendor diversification and multi-cloud planning.
Key takeaways for listeners: enable and pilot passkeys to eliminate credential-based attacks; enforce technical controls and documented approvals so seniority doesn't become an exception to security; call your insurer's IR contacts and use the services you've already paid for; treat cloud region selection as a latency choice, not legal sovereignty, and perform real transfer impact assessments and mitigation. The episode mixes concrete how-to steps, governance advice, and real-world examples, from phishing-defeating authentication to saving thousands by activating policy services, all aimed at helping small businesses turn security theatre into dependable protection.

Monday Jan 19, 2026
Who's in Charge When Ransomware Hits? Building Your Incident Response Team
In this episode of Small Business Cybersecurity Guy, hosts Mauven MacLeod, Noel Bradford and Graham Falkner walk you through Module One of their six-part incident response plan series: building your response team. Through the real-world Katie Roberts case study (name changed), they show why independence matters when a breach hits, and how an unbiased incident manager can quickly uncover the truth, coordinate response, and save a business from far worse outcomes.
Topics covered include the four core incident roles (external incident manager, technical lead, business continuity coordinator, communications lead), how to find and contract an external IM (insurance, IT referrals, retainer vs pay-per-incident), what an IM can and cannot do, authority and spending limits, and realistic costs and timelines. The hosts explain a simple, achievable four-week setup plan that takes roughly four hours of actual work, and they share templates for team structure, external contacts, authority scripts, implementation timelines, and validation checklists.
Key points and takeaways: why impartial coordination matters, how to avoid common provider cover-up biases, the practical steps Katie used to stabilise her business, a real case study of an architecture firm saved from a Friday-afternoon ransomware attack, and concrete homework: find your IM, assign three internal roles, document everything on a single page, brief and validate your team. Listeners will leave with a clear, actionable plan, links to downloadable templates, and the promise that preparation reduces cost, stress, and downtime.

Wednesday Jan 14, 2026
114 Updates, 1 Active Exploit - January Patch Tuesday: Patch Today or Pay Tomorrow
Hosted by Graham Falkner, this episode is a rapid, no-nonsense January Patch Tuesday breakdown aimed at small businesses and IT owners. Graham walks listeners through Microsoft's unusually large release of 114 security updates, explains the essential jargon (CVE and CVSS), and highlights why severity scores don't replace real-world risk assessments.
The show covers the one vulnerability already being actively exploited (CVE-2026-2805 in Desktop Window Manager) and two other high-risk items used in targeted attacks, plus three zero-day bugs. Graham takes a deep dive into the critical on-premises SharePoint emergency (Toolshell campaign, CVE-2025-53-700-70 and related issues), urging immediate patching and incident response for exposed servers. He also explains the severe Kestrel/ASP.NET Core HTTP request smuggling flaw (CVE-2025-55315) and the practical impact on web apps and deployment teams.
The episode reviews other major vendor fixes: SAP's 16 security updates (including four critical vulnerabilities), Apple's two WebKit zero days, Adobe's 32 patches (eight critical, affecting Acrobat, Reader and creative apps), HPE OneView's unauthenticated RCE (CVE-2025-37164), and ongoing VMware ESXi risks. Graham calls out long-delayed Fortinet SSL-VPN vulnerabilities (including CVE-2020-12812) and newer FortiCloud SSO bypasses, stressing that overdue patching still causes widespread compromises.
Practical guidance and priorities are clear and actionable: patch Windows cumulative updates, exposed SharePoint servers, Fortinet edge devices and HPE OneView within 24 hours; address .NET/web app fixes and SAP critical patches within the next 72 hours to one week; then continue with routine maintenance for browsers, Adobe, Cisco and other software. The episode also flags upcoming deadlines and logistics (Oracle's critical patch update on January 20 and the end of Windows 10 support) so listeners can plan maintenance windows and migrations.
Key takeaways: assume compromise if you haven't patched exposed services, verify systems after applying updates, assign owners who can patch and redeploy quickly, and treat cumulative Windows updates as all-or-nothing. There are no external guests; this episode is hosted solo by Graham Faulkner and aimed at helping small organizations act fast and reduce risk in the wake of an intense Patch Tuesday.

Monday Jan 12, 2026
In this episode of the Small Business Cybersecurity Guy, host Noel Bradford is joined by Mauven McLeod and Graham Falkner to unpack the Cabinet Office's January 2026 Government Cyber Action Plan, a blunt, 100-page admission that the UK government's cybersecurity posture is "critically high" risk and that many of its own targets are unachievable. The trio break down the report's headline findings, case studies of high-profile failures, and why this matters to you even if you've never worked with government.
Key revelations from the Plan covered in the episode include: roughly 28% of government IT is legacy and cannot be defended with modern tools; repeated systemic failures across departments (poor patching, weak passwords, lack of monitoring); high-cost incidents such as the British Library ransomware recovery and the CrowdStrike outage that cost the UK economy billions; and the Electoral Commission breach that exposed millions of voter records. The hosts explain the language the report uses, from "historical underinvestment" to "not achievable" targets, and what those admissions mean in plain English.
The episode also examines the Cabinet Office's proposed response: new accountability rules giving accounting officers (permanent secretaries) personal responsibility for cyber risk, routine cyber risk reporting to boards, escalation mechanisms, and potential consequences including removal or public parliamentary scrutiny. The hosts discuss how this mirrors the health & safety/HSE accountability model and why public-sector reform will likely set the precedent for private-sector regulation (including implications of forthcoming cyber security and resilience legislation).
Financing and timelines are analysed too: the government has allocated around £210 million to kickstart a central cyber transformation unit with milestones through 2029, but the hosts stress this is a down payment; true remediation will take years and likely billions. The Plan's investment priorities (visibility/monitoring, accountability, supply-chain assurance, incident response and skills) form a checklist for businesses to adopt now.
Supply-chain requirements are a central takeaway: departments will require security schedules, certification (Cyber Essentials, Cyber Essentials Plus, ISO 27001 where appropriate), and documented evidence of controls. These requirements will cascade down through primes to second- and third-tier suppliers, so small businesses should expect tightened demands for proof of security, and compliance will become a competitive advantage.
The hosts finish with practical, actionable advice for small businesses: treat cyber risk as board-level risk; establish personal accountability and clear escalation; prioritise visibility and monitoring; inventory and pragmatically manage legacy systems; obtain appropriate certifications (Cyber Essentials Plus, ISO etc.) if you have or might have public-sector exposure; segregate and protect government work; build or improve incident response capability; and use this moment to push cultural change so security is embedded across the organisation.
Throughout the episode Noel, Mauven and Graham provide candid analysis, real examples from recent government failures, and specific steps SMBs can take now to reduce risk and gain a competitive edge as regulation and procurement expectations tighten. Listeners are pointed to the full Government Cyber Action Plan on gov.uk and the podcast blog for a detailed breakdown and sources.

Monday Jan 05, 2026
When MFA Isn't Enough: Inside Adversary-in-the-Middle Attacks
In this episode Mauven McLeod and Graham Faulkner (with Noel Bradford joining partway through) unpack a worrying trend: adversary-in-the-middle (AITM) attacks that steal session tokens and completely bypass conventional multi-factor authentication (MFA). Using Microsoft's recent telemetry (a 146% jump in AITM incidents) as a backdrop, they explain how transparent proxy phishing pages relay credentials and MFA approvals to capture session tokens and gain hours of unrestricted access to Microsoft 365 accounts.
The hosts explain, in plain technical terms, why SMS codes, authenticator app push prompts and one-time codes fail against these attacks and why the stolen session token becomes a single-factor credential for attackers. They describe what attackers typically do after compromise (mailbox reconnaissance, forwarding rules, OAuth app persistence, and registering new authentication methods) and highlight the scale of automated phishing-as-a-service tools that make these attacks cheap and fast.
The episode then walks through the practical, phishing-resistant solutions every small business should consider: Windows Hello for Business, hardware security keys (YubiKey, Authentrend and similar), and passkeys on mobile devices. For each option they cover how it works, deployment requirements, licensing or purchase costs, user experience trade-offs, and which users to prioritize for rollout.
Mauven and Graham recommend a tiered, risk-based rollout strategy: protect admin and privileged accounts first, then finance/HR/executives, and finally the wider workforce over months. They discuss real-world gotchas (legacy apps that don't support modern auth, BYOD complications, mobile workflows, and the need for a secured "break glass" account), plus expected labour, training and hardware costs for a typical 30-user small business.
Beyond replacing or upgrading MFA, the hosts cover essential complementary controls: conditional access policies, continuous access evaluation (CAE) to shorten token windows, blocking legacy authentication (SMTP/IMAP/POP), impossible-travel detection, and concrete incident response steps (revoking sessions, removing rogue MFA methods and OAuth apps, checking forwarding rules and mailbox rules, and doing forensics on accessed data).
The episode closes with an immediate to-do list for small businesses: verify MFA is actually enabled, remove SMS/email MFA methods, plan a phishing-resistant rollout starting with tier-1 users, enable conditional access and CAE, and budget for training and support. They also preview an upcoming multi-episode series to help businesses build a practical incident response plan.
Listeners can expect a technically grounded but actionable discussion aimed at business owners and IT staff: why traditional MFA is still valuable, why it's not enough against AITM, and exactly how to adopt phishing-resistant authentication to close that gap.