The Spy Who Monitored Me - Ofcom's VPN Surveillance Farce

Episode Information

Episode Title: The Spy Who Monitored Me: Ofcom's VPN Surveillance Farce
Episode Number: Hot Take
Release Date: 11 November 2025
Duration: Approximately 18 minute
Hosts: Mauven MacLeod & Graham Falkner
Format: Research segment with heavy sarcasm

Episode Description

Ofcom's monitoring VPNs with a secret AI tool they refuse to name. Because nothing says "liberal democracy" quite like government surveillance of privacy tools.

In this punchy episode, Mauven and Graham dissect TechRadar's exclusive revelation that Ofcom is using an unnamed third-party AI monitoring system to track VPN usage following the Online Safety Act. With 1.5 million daily users allegedly bypassing age verification, the UK's communications regulator has decided the solution is... monitoring everyone.

Spoiler alert: the technology can't distinguish between your accounting manager accessing company systems and someone bypassing age checks. But why let technical limitations get in the way of a good surveillance programme?

We examine the mysterious, unnamed AI tool, the questionable 1.5 million user statistic that appears nowhere in official documents, Section 121's encryption-breaking powers that remain dormant in the Act, and what this means for small businesses using VPNs for legitimate security purposes.

If you've ever wondered what it's like when a supposedly liberal democracy starts copying China's approach to internet regulation, this episode is your depressing guide.

Key Topics Covered

The Surveillance Revelation

• Ofcom confirms use of unnamed third-party AI monitoring tool
• TechRadar exclusive: "We use a leading third-party provider" with zero transparency
• Government surveillance of privacy tools sets a dangerous precedent
• Comparison to authoritarian regimes (China, Russia, UAE, Iran)

The Numbers That Don't Add Up

• 1.5 million daily VPN users claim appears nowhere in official Ofcom documents
• No published methodology or verification
• VPN detection cannot determine the intent or legitimacy of use
• Analytics show VPN use is lower in countries with greater online freedom

What Actually Happened on July 25th

• The UK Online Safety Act child safety duties became fully enforceable
• Mandatory "highly effective age assurance" replaced simple checkbox verification
• Proton VPN: 1,400% surge in UK signups within hours
• NordVPN: 1,000% increase in downloads
• ProtonVPN beat ChatGPT to become the #1 free app on Apple UK App Store

The Small Business Nightmare

• Business VPNs are essential security hygiene for remote work
• Ofcom's monitoring cannot distinguish legitimate business use from circumvention
• Undisclosed data collection creates unknowable privacy risks
• GDPR compliance implications when the government monitors your security tools

Section 121: The Spy Clause

• Powers to require client-side scanning of encrypted communications
• Government promises not to use "until technically feasible"
• Cryptography experts: impossible without destroying encryption
• Apple shelved similar plans in 2021
• Signal and WhatsApp threatened to leave the UK market

The Authoritarian Playbook in Action

• Scope creep within days: blocking parliamentary speeches, news coverage, forums
• A cycling forum shut down due to compliance costs
• Small platforms are closing rather than face a compliance nightmare
• Chilling effect on legitimate content and discussion

International Surveillance Creep

• 25 US states passed similar age verification laws
• EU debating Chat Control (mandatory encrypted message scanning)
• Australia is implementing age verification for search engines
• Legislative arms race using "protecting children" as a universal justification

What Small Business Owners Must Do

• Document all VPN usage for legitimate business purposes
• Maintain VPN security protocols despite surveillance theatre
• Get legal advice if operating any platform with user-generated content
• Fines up to £18 million or 10% of global revenue
• Criminal liability for senior managers

The GDPR Compliance Paradox

• How do you assess data protection risks from secret surveillance tools?
• Opacity makes compliance verification impossible
• Government monitoring creates unassessable risks to customer data

Resources & Links Mentioned

Primary Source

• TechRadar Exclusive: Ofcom is monitoring VPNs following Online Safety Act

Key Organizations Quoted

• Open Rights Group - James Baker's comments on surveillance precedent
• Check Point Software - Graeme Stewart's comparison to China, Russia, and Iran

Government Resources

• Online Safety Act 2023 - UK Government legislation
• Ofcom Online Safety Guidance - Hundreds of pages of vague compliance requirements
• Section 121 - Client-side scanning provisions ("spy clause")

VPN Statistics Sources

• Proton VPN: 1,400% surge report
• NordVPN: 1,000% increase report
• Apple UK App Store rankings: July 25-27, 2025

Related Coverage

• Petition to Repeal Online Safety Act: 550,000+ signatures
• Peter Kyle (UK Technology Secretary) statement on critics
• Parliamentary debate triggered by petition threshold

Additional Reading

• GDPR compliance implications of government surveillance
• Cryptography expert analysis of client-side scanning
• Apple's 2021 decision to shelve client-side scanning plans
• Signal and WhatsApp statements on Section 121

Key Quotes from Episode

Mauven: "Nothing says 'liberal democracy' quite like government agencies tracking privacy tools. What's next, monitoring who buys curtains?"

Graham: "Train its models. That's AI speak for 'we're hoovering up data and hoping the algorithm figures it out.' As a former actor, I can recognise corporate theatre when I see it."

Mauven: "The 1.5 million number appears exclusively in media reports citing 'Ofcom estimates.' It's like citing your mate Dave as a source on quantum physics."

Graham: "So Ofcom creates a law that makes people deeply uncomfortable about their privacy, people respond by protecting their privacy, and Ofcom's solution is to monitor those privacy tools? It's like putting cameras in the changing rooms to make sure people aren't being indecent."

Mauven: "James Baker from the Open Rights Group nailed it when he told TechRadar that VPN monitoring sets 'a concerning precedent more often associated with repressive governments than liberal democracies.'"

Graham: "Peter Kyle, the UK Technology Secretary, literally said critics of the Online Safety Act are 'on the side of predators.' That's not policy debate. That's emotional blackmail designed to shut down legitimate concerns about civil liberties."

Mauven: "George Orwell is looking at this thinking 'bit on the nose, isn't it?'"

Action Items for Small Business Owners

Immediate Actions

1. Document VPN Usage

   • List which employees use VPNs
   • Document business purposes for encrypted connections
   • Maintain evidence of legitimate use for potential regulatory action

2. Maintain Security Protocols

   • Continue using VPNs for remote work security
   • Don't let surveillance theatre compromise actual cybersecurity
   • Protect against real threats (ransomware, phishing, etc.)

3. Assess Platform Compliance

   • If you operate any online platform, forum, or user-generated content site
   • Get legal advice immediately
   • Understand massive fines (£18m or 10% global revenue) and criminal liability.

Ongoing Monitoring

1. Stay Informed

   • Section 121 could be activated at any time
   • EU Chat Control could affect European operations
   • US state laws are proliferating rapidly
   • Monitor regulatory developments actively

2. Engage Politically

   • Contact your MP about the surveillance of privacy tools
   • Reference the 550,000+ signature petition
   • Make it clear that this is unacceptable in a democracy
   • Push back before surveillance becomes normalised

3. GDPR Compliance Review

   • Assess how government VPN monitoring affects data protection obligations
   • Document that opacity makes risk assessment impossible
   • Consult legal counsel on compliance implications

Visual Elements (for YouTube/Video)

• Screenshot: TechRadar exclusive article headline
• On-screen text: "1.5 million daily VPN users" with question mark
• Comparison graphic: VPN use in free vs. authoritarian countries
• Timeline graphic: July 25th enforcement → VPN surge → Ofcom monitoring
• Text overlay: Section 121 "spy clause" powers
• Map graphic: International surveillance legislation spread (UK, US, EU, Australia)
• Infographic: Small business action checklist

Key Themes

• Government surveillance of privacy tools in supposed liberal democracy
• Technical limitations make monitoring ineffective at stated purpose
• Scope creep from child protection to political content blocking within days
• Small business caught in surveillance net designed for age verification
• International trend toward authoritarian internet regulation models
• GDPR compliance paradox when government creates unknowable privacy risks
• Practical cybersecurity must continue despite surveillance theatre
• Political engagement essential before normalization occurs

Tone & Style Notes

• Heavy sarcasm throughout - serious WTF tone without profanity
• Incredulous questioning of government logic and transparency
• Dark humour about dystopian surveillance implications
• Technical precision in explaining what monitoring can/cannot do
• Practical focus on small business implications
• Political urgency without becoming preachy
• Professional skepticism balanced with actionable guidance

CTAs (Calls to Action)

Primary CTAs

1. Subscribe wherever you get your podcasts
2. Share with other small business owners who need this information
3. Leave a review if you found this episode useful (or terrifying)
4. Visit the blog at thesmallbusinesscybersecurityguy.co.uk for full breakdown with sources

Secondary CTAs

1. Drop a comment with questions about VPN security or regulatory compliance
2. Contact your MP about surveillance of privacy tools
3. Sign the petition to repeal the Online Safety Act (if not already done)
4. Document your VPN usage for legitimate business purposes starting today

Social Media Hashtags

• #OnlineSafetyAct
• #VPNSurveillance
• #CyberSecurity
• #SmallBusinessSecurity
• #DigitalPrivacy
• #GDPR
• #UKTech
• #Section121

Next Episode Setup

[To be determined based on episode schedule]

Potential follow-ups:

• Deep dive on Section 121 and encryption threats
• GDPR compliance strategies in surveillance environment
• International comparison: UK vs. other countries' approaches
• Interview with digital rights expert on fighting surveillance creep
• Practical VPN selection and configuration for small businesses

Production Notes

Technical Specifications

• Duration: Approximately 10 minutes
• Word Count: 1,847 words
• Format: Two-host conversation (Mauven & Graham)
• Tone: Punchy, sarcastic, serious WTF energy
• Language: UK spelling and grammar throughout
• Profanity: None (despite heavy sarcasm)

Research Verification

• All statistics verified against multiple sources
• TechRadar article quotes confirmed accurate
• Government legislation references checked
• VPN provider surge numbers from official company statements
• Expert quotes verified from named sources
• No unverified claims included

Character Dynamics

• Mauven MacLeod: Ex-NCSC analyst, brings government cybersecurity expertise
• Graham Falkner: Former actor/narrator, handles research segments
• Natural professional banter with pub conversation energy
• Shared incredulity at government surveillance overreach
• Complementary expertise: technical precision + narrative delivery

Content Strategy

• Small business cybersecurity focus maintained throughout
• Practical implications prioritized over abstract privacy philosophy
• Action items clear and immediately implementable
• Balances outrage with constructive guidance
• Positions podcast as authoritative voice on UK cybersecurity policy

SEO Keywords

• Ofcom VPN monitoring
• Online Safety Act surveillance
• UK VPN usage 2025
• Business VPN security
• Section 121 encryption
• Small business cybersecurity UK
• GDPR VPN compliance
• Government VPN tracking
• Age verification VPN
• UK internet surveillance

Related Episodes

[To be linked as series develops]

Potential related content:

• Online Safety Act initial coverage (if previously covered)
• GDPR compliance series
• VPN security best practices
• Encryption fundamentals
• Remote work security

Episode Tags

Topics: VPN Surveillance, Online Safety Act, Ofcom, Government Monitoring, Privacy, Encryption, Section 121, Age Verification, GDPR, Small Business Security

Category: Technology, Cybersecurity, Privacy, Government Policy, Business

Difficulty Level: Intermediate (technical concepts explained accessibly)

Target Audience: Small business owners (5-50 employees), IT managers, privacy advocates, UK businesses

Geographic Focus: United Kingdom (with international context)

Credits

Hosts: Mauven MacLeod, Graham Falkner
Research: Advanced web research on Ofcom VPN monitoring
Script: Based on TechRadar exclusive and verified sources
Production: Graham Falkner
Music: The Small Business Cyber Security Guy

Disclaimer

This podcast episode provides commentary and analysis on publicly reported information about UK government surveillance policies. Nothing in this episode constitutes legal advice. Small business owners should consult qualified legal counsel regarding compliance with the Online Safety Act and related regulations. The opinions expressed are those of the hosts and do not represent legal or professional advice.

All statistics and quotes have been verified against multiple sources and represent information available as of the episode recording date. The regulatory landscape continues to evolve rapidly.

Blog Post Companion

Full written breakdown available at: thesmallbusinesscybersecurityguy.co.uk

Blog post should include:

• Complete source list with hyperlinks
• Detailed analysis of Section 121 implications
• Step-by-step VPN documentation guide for businesses
• GDPR compliance checklist
• Template for MP correspondence
• Updated information on the petition and parliamentary response
• International comparison chart
• Technical explainer: How VPN detection works (and doesn't work)
• Additional expert commentary
• Community discussion forum

Last Updated: [Date]
Version: 1.0
Status: Ready for production

In this episode of the Small Business Cybersecurity Guide, hosts Noel Bradford and Mauven McLeod are joined by Mark Bell from Authentrend (episode sponsor) to explain why the mobile phone, long promoted as a convenient authentication tool, can be one of the weakest links in your business security.

Using real-world examples, including a recent breach of a 15-person firm that relied on SMS one-time passwords, the trio outlines how simple attacks, such as SIM swapping and code interception, make SMS and many authenticator app workflows vulnerable to targeted attackers.

The hosts define multi-factor authentication in plain terms and introduce FIDO2/passkeys and hardware security keys as effective, phishing-resistant alternatives. Mark describes how hardware keys utilise public-key cryptography and local biometric verification (fingerprint on the key), ensuring that private credentials never leave the device, thereby preventing attackers from reusing intercepted codes or tricking users into authenticating to fake sites.

Practical implementation advice is covered in detail: start with a risk assessment, deploy keys in phases (prioritise privileged accounts and executives), run a pilot with high-risk users, and require at least two keys per user for redundancy. They discuss costs (roughly £45 per key, with a 10-year lifespan), the productivity and help-desk savings from passwordless authentication, the effects on cyber insurance and compliance (including Cyber Essentials updates and the gap between compliance and proper protection), and strategies for legacy systems and remote workers.

The episode also highlights human factors, including making authentication easy to use (biometric keys), providing clear training and internal champions, and anticipating user resistance, which can be managed through leadership buy-in and phased rollouts.

Listeners are urged to assess their critical accounts, prioritise hardware keys for high-risk users, and run a small pilot rather than waiting for discounts — because, as the guests stress, hardware keys can stop roughly 80% of credential-based breaches in practice.

Guests and links: Noel Bradford and Mauven MacLeod (hosts), with guest Mark Bell from Authentrend

The show notes include links to Authentrend products,NCSC guidance on passkeys and FIDO2, and step-by-step implementation resources for small businesses.

In this episode Graham and Mauven break down a major overhaul to Cyber Essentials coming into force from April 2026. The hosts explain the headline change — mandatory multi-factor authentication (MFA) for every cloud service with no loopholes — and how the scheme has tightened scoping so any internet-connected service or system that processes company data is now in scope.

Topics covered include the new emphasis on passwordless authentication (passkeys, FIDO2 hardware keys, and biometrics), why the NCSC is pushing these technologies, and the practical security benefits and limits of passwordless solutions. They also discuss the real-world impact on small businesses: thousands currently relying on weak passwords or shadow IT will face failed assessments, unsupported software will trigger instant fails, and many firms will need to budget for MFA where it’s not free.

Graham and Mauven share concrete, actionable advice for listeners: inventory every cloud service (including forgotten Dropbox or personal Gmail accounts used for work), involve the whole team, enable MFA everywhere possible (and budget for paid options), collect and document evidence (screenshots, logs), map networks and implement segmentation where needed, and plan early to avoid rush and audit pain.

Key takeaways: the bar is being raised to reduce simple attacks, passwordless is being validated as a practical option, expect a drop in pass rates at renewal time, and businesses should start preparing now or face chaotic assessment outcomes. Hosts: Graham Falkner and Mauven MacLeod.

• Why energy consumption in computing matters to small businesses right now
• How FinalSpark’s biocomputing platform actually works (in terms that won’t require a neuroscience degree)
• The realistic timeline for when this technology might affect your business
• What small businesses should actually do about emerging technologies
• The security implications nobody’s talking about yet
• The uncomfortable ethical questions around growing human neurons for computation

• Published peer-reviewed research that reached the top 1% of most-read articles in Frontiers journal
• Providing free access to 10 universities worldwide (36 applications received)
• Created APIs and documentation for remote access
• Built Discord community with 1,200+ members discussing biocomputing

• University of Michigan
• Free University of Berlin
• University of Exeter
• Lancaster University
• Leipzig University
• University of York
• Oxford Brookes University
• University of Bath
• University of Bristol
• Université Côte d’Azur (France)
• University of Tokyo

• Data centres consumed 1.5% of global electricity as of 2024
• Projected to reach 3% by 2030
• AI is accelerating growth exponentially
• Meta, Google, and OpenAI are talking about building nuclear power stations

• Human brain runs on 20 watts
• Modern AI data centres use megawatts (millions of watts)
• FinalSpark claims million-times efficiency (99.9999% reduction)
• Some sources cite up to billion-times more energy efficient

• 10,000 living neurons per organoid
• 16 organoids total
• Approximately 160,000 neurons system-wide
• Neurons survive up to 100 days in active use
• Accessible remotely by researchers worldwide

1. Energy costs always roll downhill to cloud hosting bills and SaaS subscriptions
2. AI tools your business uses (Microsoft Copilot, ChatGPT, customer service chatbots) all burn energy
3. Every interaction costs carbon, and those costs eventually reach small businesses

1. If biocomputing proves viable, benefits arrive through infrastructure improvements
2. Your cloud providers incorporate biological processors
3. Your costs decrease, capabilities increase
4. You won’t buy biocomputers any more than you buy specific processor architectures now

1. Secure current systems properly (multi-factor authentication, proper backups)
2. Train staff on cybersecurity basics
3. Achieve Cyber Essentials certification
4. Build adaptable IT infrastructure

1. Subscribe to technology news sources
2. Spend 15 minutes monthly reading about emerging tech
3. Build mental models of where technology might head
4. Prepare for paradigm shifts

1. Commercial partnerships with major tech companies
2. Published benchmarks proving practical advantages
3. Scaling demonstrations (thousands of neurons for months)
4. Security framework development
5. Independent energy validation studies

• Mad ideas sometimes win (iPhone, Netflix, electric cars)
• Companies that survive aren’t the ones that predicted the exact future
• They’re the ones who built adaptable systems that could pivot
• Focus on fundamentals whilst keeping awareness of emerging tech

• Company website and Neuroplatform information
• FinalSpark Butterfly demonstration application (control virtual butterfly using living neurons)
• Discord community (1,200+ members)
• Academic publications in Frontiers journal

• Full blog post with technical details and source verification available at thesmallbusinesscybersecurityguy.co.uk
• Research papers on biological computing
• Energy consumption studies for AI and data centres

• How do you secure computers made from living cells?
• Can you hack biological neural networks?
• Do you need neuroscience expertise to exploit vulnerabilities?
• Is a breach a cyber attack or biological warfare?
• How do you wipe a neuron’s memory?
• Can you verify data deletion?
• How do you conduct forensic analysis on biological substrates?

Ethical considerations:

• These neurons aren’t conscious or sentient (they’re biological cells performing functions)
• But they’re human neurons grown from human stem cells
• Where’s the ethical line if we can grow larger collections?
• How large before we worry about experiences or consciousness?
• How do we measure consciousness in biological systems grown for computation?
• Should these conversations happen now, before ubiquity?

1. Secure your current systems properly
2. Implement proper backup strategies
3. Train your staff on cybersecurity basics
4. Achieve Cyber Essentials certification
5. Build IT infrastructure that serves your business objectives

• Noel Bradford (40+ years in IT, ex-Intel/Disney/BBC, current CIO)
• Graham Falkner (Tech Savy small business owner & voice over artist representing the SMB reality)
• Mauven MacLeod (ex-government cybersecurity background)

This Halloween special of the Small Business Cyber Security Guy peels back the curtain on the scariest place hackers hide: the tools and toolchains you trust. Hosts Graeme Falkner, Noel Bradford and Mauven MacLeod go ghost hunting inside compilers, build systems and update pipelines to show how supply‑chain attacks can insert backdoors that you’ll never spot by reading source code alone.

The episode revisits Ken Thompson’s classic compiler backdoor thought experiment and explains, in plain language, how a compromised compiler can propagate secrets invisibly. The hosts walk through real incidents — XcodeGhost, SolarWinds, EventStream, and Log4j — to demonstrate how attackers target development tools and upstream suppliers to compromise software at scale.

Expect practical, small-business-focused anecdotes (including a midnight accounting patch that wreaked havoc) and clear explanations of why technical debt, single-developer codebases, and blind trust in update pop-ups are dangerous. The conversation highlights how even open-source software can be compromised if maintainers or dependencies are compromised.

The episode also covers defences and takeaways: demand provenance and supply-chain transparency from vendors, insist on reproducible builds where possible, use two-person reviews and well-maintained dependencies, and protect access with strong authentication. The hosts debate how to distribute trust, verify your verifiers, and reduce single points of failure so one compromised supplier or contractor can’t haunt your whole business.

There’s a sponsor segment from Authentrend about passwordless biometric sign-ins as a way to block credential-based intrusions, along with links to resources and a trial, in the show notes. Throughout, the hosts balance technical history and horror stories with concrete steps small businesses can take now to keep their compilers and supply chains clean.

Listen for clear, actionable advice for small businesses, including how to ask vendors the right questions, when to bring in trusted IT partners, and simple measures to keep the lights on and the doors locked against the ghosts in your code. Sláinte — and may your backups never rise from the grave.

The £18,000 Saving That Cost £200,000 in Revenue

Ever cut a cost that seemed obviously wasteful, only to discover you'd destroyed something far more valuable? Welcome to the Doorman Fallacy —it's probably happening in your business right now.

In this episode, Noel Bradford introduces a concept from marketing expert Rory Sutherland's book "Alchemy" that explains precisely why "sensible" security cost-cutting so often leads to catastrophic consequences. Through five devastating real-world case studies, we explore how businesses optimise themselves into oblivion by defining roles too narrowly and measuring only what's easy to count.

Spoiler alert: The doorman does far more than open doors. And your security measures do far more than their obvious functions.

What You'll Learn

The Core Concept

• What the Doorman Fallacy is and why it matters for cybersecurity
• The difference between nominal functions (what something obviously does) and actual functions (what it really does)
• Why efficiency optimisation without a complete understanding is just expensive destruction
• The five-question framework for avoiding Doorman Fallacy mistakes

Five Catastrophic Case Studies

1. The Security Training Fallacy (Chapter 2)

• How cutting £12,000 in training led to a £70,000 Business Email Compromise attack
• Why training isn't about delivering information—it's about building culture
• The invisible value: shared language, verification frameworks, psychological safety
• What to measure instead of cost-per-employee-hour

2. The Cyber Insurance Fallacy (Chapter 3)

• The software company that saved £18,000 and lost £200,000 in client contracts
• Why insurance isn't just financial protection—it's a market signal
• Hidden benefits: third-party validation, incident response capability, customer confidence
• How cancelling coverage destroyed vendor relationships and sales opportunities

3. The Dave Automation Fallacy (Chapter 4)

• Insurance broker spent £100,000+ replacing a £50,000 IT person
• The £15,000 server upgrade that Dave would have known was unnecessary
• Institutional knowledge you can't document: vendor relationships, crisis judgment, organisational politics
• Why ticketing systems can't replace anthropological understanding

4. The MFA Friction Fallacy (Chapter 5)

• Fifteen seconds of "friction" versus three weeks of crisis response
• The retail client who removed MFA and suffered £65,000 in direct incident costs
• Why attackers specifically target businesses without MFA
• The reputational damage you can't quantify until it's too late

5. The Vendor Relationship Fallacy (Chapter 6)

• Solicitors saved £4,800 annually, lost a £150,000 client
• Why "identical services" aren't actually identical
• The difference between contractual obligations and genuine partnerships
• What happens when you need flexibility and you've burned your bridges

Key Statistics & Case Studies

• 42% of business applications are unauthorised Shadow IT (relevant context)
• £47,000 BEC loss vs £12,000 annual training savings
• £200,000 lost revenue vs £18,000 insurance savings
• £100,000+ replacement costs vs £50,000 salary
• £65,000 incident costs vs marginal productivity gains
• £150,000 lost client vs £4,800 vendor savings

Common pattern: Small measurable savings, catastrophic unmeasurable consequences.

The Five-Question Framework

Before cutting any security costs, ask yourself:

1. What's the nominal function versus the actual function?
   • What does it obviously do vs what does it really do?
2. What invisible benefits will disappear?
   • Be specific: not "provides value" but "provides priority incident response during emergencies"
3. How would we replace those invisible benefits?
   • If you can't answer this, you're making a Doorman Fallacy mistake
4. What's the actual cost-benefit analysis, including invisible factors?
   • Not just "save £8,000" but "save £8,000, lose security culture, increase incident risk"
5. What's the cost of being wrong?
   • In cybersecurity, the cost of being wrong almost always exceeds the cost of maintaining protection

Practical Takeaways

What to Do Tomorrow

Review your most recent efficiency or cost-cutting decision. Ask:

• Did we define this function too narrowly?
• What invisible value might we have destroyed?
• Are we experiencing consequences we haven't connected to that decision?

Better Metrics for Security Investments

Instead of measuring cost-per-hour or savings-per-quarter, measure:

• Incident reporting rates (should go UP with good training)
• Verification procedure usage frequency
• Time-to-report for security concerns
• Vendor response times during emergencies
• Employee confidence in raising concerns

Making Trade-Offs Honestly

Budget constraints are legitimate. The solution isn't "never cut anything." It's:

• Acknowledge what you're sacrificing when you cut
• Admit the risks you're accepting
• Have plans for replacing invisible functions
• Make consequences visible during decision-making
• Ensure decision-makers bear some responsibility for outcomes

Quotable Moments

"The doorman's job is opening doors. So we replaced him with an automatic door. Saved £35,000 a year. Lost £200,000 in revenue because the hotel stopped feeling luxurious. That's the Doorman Fallacy." — Noel

"Security training's nominal function is delivering information. Its actual function is building culture. Cut the training, lose the culture, then wonder why nobody reports suspicious emails anymore." — Noel

"We saved £8,000 on training. Spent £70,000 on the Business Email Compromise attack that training would have prevented. The CFO was very proud of the efficiency gains." — Noel

"You can't prove a negative. Can't show the value of the disasters you prevented because they didn't happen. So the training gets cut, the insurance gets cancelled, and everyone acts surprised when the predictable occurs." — Mauven

"The efficiency consultant's dream outcome: Measurable cost eliminated, unmeasurable value destroyed, everyone confused about why things feel worse despite the improvement." — Noel

Chapter Timestamps

• 00:00 - Pre-Roll: The Most Expensive Cost-Saving Decision
• 02:15 - Intro: Why Marketing Books Matter for Cybersecurity
• 05:30 - Chapter 1: The Book, The Fallacy, The Revelation
• 12:00 - Chapter 2: The Security Training Fallacy
• 19:30 - Chapter 3: The Cyber Insurance Fallacy
• 27:00 - Chapter 4: The Dave Automation Fallacy
• 35:30 - Chapter 5: The MFA Friction Fallacy (+ Authentrend sponsor message)
• 42:00 - Chapter 6: The Vendor Relationship Fallacy
• 49:30 - Chapter 7: Hard-Hitting Wrap-Up & Framework
• 58:00 - Outro: Action Items & CTAs

Total Runtime: Approximately 62 minutes

Sponsored By

Authentrend - Biometric FIDO2 Security Solutions

This episode is brought to you by Authentrend, which provides passwordless authentication solutions that address the friction problem discussed in Chapter 5. Their ATKey products use built-in fingerprint authentication—no passwords, no PIN codes, just five-second authentication that's both convenient AND phishing-resistant. Microsoft-certified, FIDO Alliance-trusted, and designed for small businesses that need enterprise-grade security without enterprise-level complexity.

Learn more: authentrend.com

Resources & Links

Mentioned in This Episode:

• Rory Sutherland's "Alchemy: The Dark Art and Curious Science of Creating Magic in Brands, Business, and Life"
• Authentrend ATKey Products: authentrend.com
• Episode 3: "Dave from IT - When One Person Becomes Your Single Point of Failure" (referenced in Chapter 4)

Useful Tools & Guides:

• Download our Doorman Fallacy Decision Framework (PDF)
• Template: Articulating Invisible Value in Budget Meetings
• Checklist: Five Questions Before Cutting Security Costs
• Case Study Library: Real-World Doorman Fallacy Examples

UK-Specific Resources:

• ICO Guidance on Security Measures
• NCSC Small Business Cyber Security Guide
• Cyber Essentials Scheme Information

About Your Hosts

Noel Bradford brings 40+ years of IT and cybersecurity experience from Intel, Disney, and the BBC to small-business cybersecurity. Now serving as CIO/Head of Technology for a boutique security-first MSP, he specialises in translating enterprise-level security to SMB budgets and constraints.

Mauven MacLeod is an ex-government cyber analyst who now works in the private sector helping businesses implement government-level security practices in commercial reality—her background bridges national security threat awareness with practical small business constraints.

Support The Show

New episodes every Monday at Noon UK Time!

Never miss an episode! Subscribe on your favourite podcast platform:

• Apple Podcasts
• Spotify
• Google Podcasts
• RSS Feed: https://feed.podbean.com/thesmallbusinesscybersecurityguy/feed.xml

Help us reach more small businesses:

• ⭐ Leave a review (especially appreciated if you mention which Doorman Fallacy example hit closest to home)
• 💬 Comment with your own efficiency optimisation horror stories
• 🔄 Share this episode with CFOs, procurement specialists, and anyone making security budget decisions
• 📧 Forward to that one colleague who keeps suggesting cost-cutting without understanding the consequences

Connect with us:

• Website: thesmallbusinesscybersecurityguy.co.uk
• Blog: Visit thesmallbusinesscybersecurityguy.co.uk for full episode transcripts, implementation guides, and decision-making templates
• LinkedIn: https://www.linkedin.com/company/the-small-business-cyber-security-guy/
• Email: hello@thesmallbusinesscybersecurityguy.co.uk

Episode Tags

#Cybersecurity #SmallBusiness #SMB #InfoSec #CyberInsurance #MFA #SecurityTraining #ITManagement #BusinessSecurity #RiskManagement #DoormanFallacy #BehavioralEconomics #SecurityROI #UKBusiness #CostBenefit #SecurityCulture #IncidentResponse #VendorManagement #Authentrend #FIDO2 #PasswordlessAuthentication

Legal

The Small Business Cyber Security Guy Podcast provides educational information and general guidance on cybersecurity topics. Content should not be considered professional security advice for your specific situation. Always consult qualified cybersecurity professionals for implementation guidance tailored to your organisation's needs.

Copyright © 2025 The Small Business Cyber Security Guy Podcast. All rights reserved.

Got a question or topic suggestion? Email us at hello@thesmallbusinesscybersecurityguy.co.uk or leave a comment below!

Hosts Mauven MacLeod and Graham Falkner deliver a fiery rant about the recent AWS US East 1 DNS outage and what it reveals about our dependence on cloud services. In this episode, they unpack the outage's real-world impact — from Snapchat and Venmo outages to Philips Hue bulbs and automated litter boxes going dark — and share colourful personal anecdotes, including a navigation fail on a Loch Lomond walk and a high‑tech mattress that turns into an expensive paperweight when the cloud hiccups.

The pair dig into the technical and cultural roots of the problem: DNS as an ageing single point of failure, the dangers of concentrating critical infrastructure in one region, cost‑cutting that sacrifices resilience, and the worrying effects of automation and staff churn. They discuss how small businesses, banks, gaming platforms, and everyday consumers all found themselves unable to process payments, take bookings, or even turn on a light due to a single regional fault.

Mauven and Graham also examine the human side of outages — exhausted sysadmins, online threads that read like group therapy, and the blurred line between human operators and automated systems shipping production code. They mock the absurdity of smart devices that need the internet to perform basic functions, and contrast that with the resilience of simple, offline tech (their beloved vinyl collections make a cameo).

Finally, the episode offers a clear call to action: rethink resilience. Topics covered include multi‑cloud and hybrid strategies, decentralisation, offline fallback modes or “stupid mode” for essential devices, and the need to prioritise technical debt and redundancy over short‑term savings. Expect sharp humour, practical frustrations, and a promise of tangible fixes and advice in the next episode — plus plenty of memes and sympathy for the folks keeping the lights on.