

214.4K Downloads, 82 Episodes
The UK's leading small business cybersecurity podcast, helping SMEs protect against cyber threats without breaking the bank.
Join cybersecurity veterans Noel Bradford (CIO at Boutique Security First MSP) and Mauven MacLeod (ex-UK Government Cyber Analyst) as they translate enterprise-level security expertise into practical, affordable solutions for UK small businesses.
WHAT YOU'LL LEARN:
- Cyber Essentials certification guidance
- Protecting against ransomware & phishing attacks
- GDPR compliance for small businesses
- Supply chain & third-party security risks
- Cloud security & remote work protection
- Budget-friendly cybersecurity tools & strategies
PERFECT FOR:
- UK small business owners (5-50 employees)
- Startup founders & entrepreneurs
- SME managers responsible for IT security
- Professional services firms
- Anyone wanting practical cyber protection advice
Every episode delivers actionable cybersecurity advice that you can implement immediately, featuring real UK case studies.
Episodes

Wednesday Mar 11, 2026
March 2026 Patch Tuesday: Take It or Stay Vulnerable
Listen in as the Small Business Cybersecurity Guy rips through March 2026 Patch Tuesday like a mechanic with a torque wrench: blunt, precise, and impossible to ignore. This episode opens on a single, brutal premise: Windows updates are not a choose-your-own-adventure. They are binary. You either deploy the cumulative payload or you leave every unpatched edge of your estate lit up as a target for attackers. The stakes aren't fireworks; they're the slow, quiet escalation chains attackers use after a single phishing click.
We trace the real playbook attackers follow: step one, land as an ordinary user; step two, chain an elevation of privilege. This month Microsoft shipped six EoP fixes (graphics, kernel twice, accessibility, SMB, and Winlogon) and rated them "exploitation more likely". In plain English, these are the exact plumbing pieces an intruder needs to turn a compromised laptop or RDS session into full environment control. You'll hear why delaying the patch is an active, informed choice to leave those doors open.
Then the narrative sharpens into a thriller: Copilot in Excel. A critical CVE that reads like a very small script with an outsized punch: a near-zero-click, XSS-style flaw that can make Copilot agent mode obediently hand over internal secrets. Picture your finance lead or CEO with spreadsheets and Copilot live, and a crafted workbook quietly acting as an insider. No macros, no drama, just a nudge that sends data where it shouldn't go. The episode makes the risk vivid and personal, not academic.
We also unpack two more critical Office RCEs reachable through the preview pane, the sort of everyday behaviour (previewing mail, browsing SharePoint) that real people do all day. Microsoft rates exploitation as less likely, but that rating only helps you once you're patched. The episode forces you to confront the gap between marketing calm and the real-world trade-offs IT teams make when budgets and reboot windows collide with executive convenience.
Finally, the show gives you a short, brutal checklist of what to do this week if you run a small business or juggle multiple clients: verify the actual OS build numbers on your machines rather than trusting the update console, identify who has Copilot agent mode, sanity-check DLP and egress for AI tools, and roll in third-party updates like Acrobat alongside Office and Windows. It's not a six-month project; it's triage and discipline. The narration is urgent but practical, a call to action delivered with the weary authority of someone who's patched one too many servers at 2 a.m.
Tune in for a tight, no-fluff ride through a month that looks quiet on the surface but is dangerously loud underneath, because the difference between a quiet month and a disaster is how long you choose to stay vulnerable. Hit the blog for scripts, guides, and the deeper dive promised at the end of the episode.

Monday Mar 09, 2026
Willow vs Danzel: Navigating Cyber Essentials V3.3 Before the Deadline
Imagine your website is a billboard: a shining Cyber Essentials badge promising security and trust. Now imagine a regulator, insurer or large customer asks one awkward question, and that glossy logo turns from an asset into potential evidence against you. In this episode we walk into that exact moment and refuse to let it be a surprise.
Join Graham Falkner, Noel Bradford and our resident translator of tech, Lucy Harper, as they pull apart the new Cyber Essentials changes and stitch the pieces back together into something a small business can actually use.
We start with the simple truth: the requirements document (V3.2, V3.3 and whatever comes next) is the standard you must meet, and the Willow and Danzel question sets are the forms you fill in when you buy certification. Get the wrong combination, or try to recycle last year's answers, and assessors will fail you: quietly at first, then painfully when a tender or an insurance claim comes along.
From there we map the conflict: scope, cloud and asset management. V3.3 pulls the rug from under the old "that's someone else's problem" attitude: cloud services, BYOD devices that touch organisational data, and remote workers are all in scope. If your asset list is a half-dead spreadsheet and some post-it notes, you cannot honestly answer whether you are compliant. The drama here is avoidable, but only if you stop pretending the messy bits aren't part of your estate.
We decode the five controls (firewalls, secure configuration, security update management, user access control and malware protection) and translate them into Monday-morning tasks: lock down admin interfaces, remove default accounts, document inbound firewall rules, treat vendor configuration changes as security fixes, and make sure anti-malware actually blocks things rather than sitting in the tray.
Authentication gets a starring role. V3.3 clarifies passwordless (hello FIDO2 and passkeys) and treats modern approaches as valid multi-factor methods. SMS is grudgingly still acceptable, but it's the floor, not the ceiling. If your tenant runs on Microsoft 365 or Google Workspace, we give concrete examples of what "good enough" looks like for normal users and for admins.
We don't stop at problems; we hand you a plan. Nail your scope and inventory; map assets to the five controls; enable MFA everywhere; clean up admin accounts; ensure critical vendor fixes are applied within the 14-day window; and prepare your evidence in a spreadsheet before you pay for the portal. Treat certification as a living process, not a sticker you won once.
For the procrastinators, we lay out a rapid action plan: days 1 to 10, define scope and update your asset list; days 11 to 30, enable MFA, tidy accounts and prove you can hit 14-day patching; days 31 to 60, tighten firewall rules, confirm anti-malware and run a dry self-assessment against Willow or Danzel, depending on your purchase date.
This episode is equal parts wake-up call and field guide, built for business owners who don't have a security department but do have customers, contracts and reputations to protect. Listen for the practical checklist, the red flags that bite in tenders and post-breach enquiries, and the honest reassurance that Cyber Essentials will help you if you stop gaming the edges and start being truthful about what you actually run.
By the end you'll either feel the pressure to act or you'll be able to explain your scope in 30 seconds. Either way, we give you the first steps: patch your systems, turn on MFA, and stop pretending the cloud is somebody else's problem.

Friday Mar 06, 2026
Imagine an attacker not as a hoodie-wearing wizard wrestling with your firewall, but as someone quietly slipping through an unlocked back door with keys they bought on the dark web. In this episode we sit down with Corinne Jefferson, a former government cyber professional who now helps UK small businesses understand how real attackers operate.
Grounded in Palo Alto Networks Unit 42's Global Incident Response Report 2026, our conversation is built on more than 750 serious, real-world investigations from October 2024 to September 2025. Not theory. Not vendor marketing. Actual cases. The numbers are stark: identity weaknesses featured in nearly 90% of incidents, and 65% of all initial access was identity-driven.
We start by setting the scene: your people live in the browser. Outlook, payroll, Teams, your CRM, and a pile of SaaS tools. That ordinary click is the battleground. Attackers buy credentials, harvest session tokens, and exploit OAuth grants. Once they have a valid login, they blend into normal traffic and move silently. Corinne brings these statistics to life with vivid examples of reused passwords, push-MFA fatigue, shared admin accounts, and contractors who still have permanent access three years after leaving.
The stakes are immediate. Unit 42 found that the fastest quarter of intrusions reached data theft in just 72 minutes, down from 285 minutes the previous year. A simulated AI-assisted attack did it in 25 minutes. That means the journey from one careless click to your customer data being packaged for extortion can be quicker than a cup of tea.
This episode guides you away from romantic myths about firewalls and sophisticated exploits and toward the uncomfortable truth: most breaches are enabled by preventable exposure and excessive identity trust.
We walk through the failure modes that make small businesses attractive targets: recycled passwords, MFA that's easy to social-engineer, standing global admin accounts, and forgotten integrations that act like zombie doors. Corinne explains why these aren't technical puzzles for nation-states. They are human, operational, and fixable. She also lays out how attackers exploit browser-based OAuth flows and session cookies to live off long-lived access without ever triggering an alert.
This is not just a lecture. It is a plan.
If you do one thing this quarter, make it identity. If you do one thing this week, do these three: deploy phishing-resistant MFA for admins and finance roles; remove or disable all ex-employee and contractor accounts across Microsoft 365, your VPN, and remote support tools; and cut standing admin rights while shortening session lifetimes on sensitive applications.
By the end of the episode you will see the difference between spending on another perimeter box and actually locking the doors that matter. This is a call to action for small businesses: stop hoping you will not be targeted and start hardening the identities attackers are already using.
Three Actions You Can Take This Week
Action 1: Deploy Phishing-Resistant MFA
What: FIDO2 hardware security keys or passkeys. Not SMS codes. Not basic push notifications.
Where to start: Administrators, finance roles, and anyone with access to sensitive data or privileged systems.
Why it matters: Standard push-based MFA is vulnerable to adversary-in-the-middle attacks and push-bombing. FIDO2 provides phishing resistance, guessing resistance, and theft resistance.
NCSC guidance: the NCSC rates FIDO2 as the strongest available MFA type for UK organisations. Hardware options include Authentrend security keys; platform options include Windows Hello for Business and Apple Touch ID.
Action 2: Remove Zombie Access
What to audit and disable:
- All accounts belonging to former employees
- All accounts belonging to former contractors
- Unused service accounts
- Dormant OAuth integrations and app permissions
Where to look: Microsoft 365 Admin Centre, your VPN gateway, remote support tools, and any SaaS platform connected to your business.
Why it matters: Unit 42 found that 99% of 680,000 cloud identities had excessive permissions, many unused for 60 days or more. Each one is an unlocked back door.
How to find OAuth zombies: in the Microsoft Entra admin centre (formerly Azure Active Directory), go to Enterprise applications > All applications, then check each app's sign-in activity under Usage & insights or in the sign-in logs filtered by application. Revoke anything unrecognised or unused.
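A scripted version of the audit above, added here as an example and not taken from the episode or its blog post: it uses the Microsoft Graph PowerShell SDK to list enabled accounts with no sign-in in the last 60 days and the delegated OAuth grants those accounts consented to. The 60-day threshold, the permission scopes and the Microsoft.Graph module being installed are assumptions; reading sign-in activity requires a Microsoft Entra ID P1 or P2 licence.

```powershell
# Added example (not the podcast's script): find dormant user accounts and the
# delegated OAuth grants they consented to, using the Microsoft Graph PowerShell
# SDK. Assumptions: the Microsoft.Graph module is installed, the signed-in admin
# can consent to the scopes below, and the tenant has Entra ID P1/P2 (needed to
# read signInActivity). The 60-day threshold is a choice, not a standard.
Connect-MgGraph -Scopes "User.Read.All","AuditLog.Read.All","Directory.Read.All" -NoWelcome

$StaleDays = 60
$cutoff    = (Get-Date).AddDays(-$StaleDays)

# 1. Enabled accounts with no sign-in since the cutoff. Brand-new accounts that
#    have simply not been used yet are excluded so the list stays actionable.
$users = Get-MgUser -All -Property Id,UserPrincipalName,AccountEnabled,CreatedDateTime,SignInActivity
$stale = foreach ($u in $users) {
    if (-not $u.AccountEnabled) { continue }
    $last = $u.SignInActivity.LastSignInDateTime
    if (-not $last -and $u.CreatedDateTime -gt $cutoff) { continue }
    if (-not $last -or $last -lt $cutoff) {
        [pscustomobject]@{
            Id                = $u.Id
            UserPrincipalName = $u.UserPrincipalName
            LastSignIn        = if ($last) { $last.ToString('yyyy-MM-dd') } else { 'never' }
        }
    }
}

# 2. Every delegated OAuth grant in the tenant: which app, which scopes, and
#    whether one user consented ('Principal') or an admin did for everyone
#    ('AllPrincipals'). Display names are cached to avoid a Graph call per grant.
$spName = @{}
$grants = Get-MgOauth2PermissionGrant -All | ForEach-Object {
    if (-not $spName.ContainsKey($_.ClientId)) {
        $spName[$_.ClientId] = (Get-MgServicePrincipal -ServicePrincipalId $_.ClientId).DisplayName
    }
    [pscustomobject]@{
        GrantId     = $_.Id
        App         = $spName[$_.ClientId]
        ConsentType = $_.ConsentType
        Scope       = $_.Scope
        PrincipalId = $_.PrincipalId
    }
}

# 3. Grants consented by dormant users: nobody is using them, but the app can
#    still obtain tokens for that user until the grant (or the user) is removed.
$staleIds     = @($stale.Id)
$zombieGrants = $grants | Where-Object { $_.ConsentType -eq 'Principal' -and $staleIds -contains $_.PrincipalId }

"Dormant enabled accounts (no sign-in in $StaleDays days):"
$stale | Sort-Object LastSignIn | Format-Table UserPrincipalName, LastSignIn -AutoSize
"OAuth grants held through those accounts:"
$zombieGrants | Format-Table App, Scope, PrincipalId, GrantId -AutoSize

# After review, disable the account and revoke the grant:
#   Update-MgUser -UserId <Id> -AccountEnabled:$false
#   Remove-MgOauth2PermissionGrant -OAuth2PermissionGrantId <GrantId>
```

Tenant-wide grants (ConsentType 'AllPrincipals') are deliberately left in the second table rather than the zombie list: they were made by an admin and need a separate review of whether the app is still in use at all, not whether one user is.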
Action 3: Eliminate Standing Admin Rights
What: Move from permanent administrator accounts to just-in-time (JIT) privilege elevation.
How:
- Remove persistent administrator role grants
- Require time-bound elevation through Microsoft Entra Privileged Identity Management or equivalent
- Shorten session lifetimes on sensitive applications
- Enable strong logging on all privilege escalation events
Why it matters: A compromised account with no standing privileges gives the attacker only that user's day-to-day access. To get admin rights they must also pass the elevation step (justification, approval, MFA on activation) where you are watching and logging. JIT elevation changes the attacker's calculation from "I have the keys" to "I have to ask for the keys in front of you."
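An added example (not from the episode) that turns "remove persistent administrator role grants" into a concrete inventory: it lists every active assignment to a handful of high-privilege Entra roles, with the principal type and scope, so you can see what needs converting to PIM-eligible. The role names checked are my choice; the cmdlets come from the Microsoft.Graph module, assumed installed. Without PIM (Entra ID P2) every assignment listed is standing; with PIM, currently activated eligible roles also show up as active, so a comment gives the schedule-instance query that separates them.

```powershell
# Added example (not the podcast's script): inventory active assignments to
# high-privilege Microsoft Entra roles so they can be converted to PIM-eligible,
# time-bound assignments. Assumes the Microsoft.Graph module is installed.
Connect-MgGraph -Scopes "RoleManagement.Read.Directory","Directory.Read.All" -NoWelcome

# The roles to check are my choice; extend the list for your tenant.
$roleNames = 'Global Administrator', 'Privileged Role Administrator',
             'Security Administrator', 'Exchange Administrator', 'User Administrator'

$report = foreach ($name in $roleNames) {
    $def = Get-MgRoleManagementDirectoryRoleDefinition -Filter "displayName eq '$name'"
    if (-not $def) { Write-Warning "Role '$name' not found"; continue }

    # Active assignments. Without PIM (Entra ID P2) every one of these is a
    # standing grant. With PIM, an eligible role that is currently activated
    # also appears here; to keep only permanent ones, use instead:
    #   Get-MgRoleManagementDirectoryRoleAssignmentScheduleInstance -All `
    #       -Filter "roleDefinitionId eq '$($def.Id)' and assignmentType eq 'Assigned'"
    $assignments = Get-MgRoleManagementDirectoryRoleAssignment -All -Filter "roleDefinitionId eq '$($def.Id)'"

    foreach ($a in $assignments) {
        $p     = Get-MgDirectoryObject -DirectoryObjectId $a.PrincipalId
        $props = $p.AdditionalProperties
        $who   = $props['userPrincipalName']
        if (-not $who) { $who = $props['displayName'] }   # groups and service principals have no UPN
        [pscustomobject]@{
            Role      = $name
            Principal = $who
            Type      = ($props['@odata.type'] -replace '^#microsoft\.graph\.', '')
            Scope     = if ($a.DirectoryScopeId -eq '/') { 'tenant-wide' } else { $a.DirectoryScopeId }
        }
    }
}

$report | Sort-Object Role, Type | Format-Table -AutoSize

# Anything listed with Type 'user' and Scope 'tenant-wide' is a standing admin
# account: convert it to an eligible assignment in PIM, or replace it with a
# dedicated, monitored break-glass account that is excluded from daily use.
Write-Host ("{0} standing user assignments across {1} roles" -f `
    (@($report | Where-Object Type -eq 'user').Count), $roleNames.Count)
```

Groups and service principals show up in the same table: a group holding Global Administrator means every member of that group is a standing admin, and a service principal holding it is an OAuth door with the keys to the tenant.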
Sources and References
| Source | Resource |
|---|---|
| Palo Alto Networks Unit 42 | Global Incident Response Report 2026 (Full Report) |
| Palo Alto Networks Unit 42 | Global Incident Response Report 2026 (Executive Edition) |
| Palo Alto Networks | Unit 42 Global IR Report 2026: Blog Summary |
| NCSC | Multi-Factor Authentication for Your Corporate Online Services |
| NCSC | Recommended Types of MFA |
| NCSC | Authentication Methods: Choosing the Right Type |
| NCSC | Cyber Essentials Scheme Overview |
| NCSC | NCSC: Information for Small and Medium-Sized Organisations |
| FIDO Alliance | FIDO2: Web Authentication Standards |
| MITRE ATT&CK | T1219: Remote Access Tools (Referenced in Unit 42 C2 Data) |
#CyberSecurity #SmallBusinessSecurity #IdentitySecurity #MFA #FIDO2 #Passkeys #UKBusiness #CyberEssentials #CyberSecurityPodcast #SecurityAwareness #TechPodcast #NoBS #SmallBizTech #CyberResilience #DirectorAccountability #BusinessRisk #DataProtection #GDPR #ZeroTrust #CloudSecurity #SaaSSecurity #IncidentResponse #ThreatIntelligence #IdentityManagement #SessionSecurity #Unit42 #PaloAltoNetworks #NCSC #CyberAware #UKCyber
Disclaimer
This podcast provides general cybersecurity guidance based on publicly available research and industry best practices. It is not a substitute for professional security assessment or legal advice. Organisations should consult qualified security professionals and legal counsel to address their specific circumstances and regulatory requirements.
All statistics cited from the Unit 42 Global Incident Response Report 2026, published by Palo Alto Networks, covering incident response engagements between 1 October 2024 and 30 September 2025. NCSC guidance referenced is published by the UK National Cyber Security Centre. All URLs verified at time of publication.

Monday Mar 02, 2026
Three and a Half Pence: The Currys Breach That Took Nine Years to Matter
Picture yourself tapping your card at a bustling store; the till chirps, and you walk away thinking that's the end of the story. For millions of Currys customers, that ordinary moment in 2017 was the opening scene of a nearly decade-long drama that would ripple through courtrooms, regulator offices and countless inboxes. This episode unpeels that story: malware on thousands of point-of-sale terminals, 14 million people exposed, and a legal fight that turned a monumental failure into what worked out as roughly three and a half pence per person under the old law.
We set the scene as a crime thriller: silent malware skimming payment data across 5,390 tills for nine months, basic security absent where it mattered most, and a regulator reaching for the only enforcement tool it had under an older statute. Then the plot thickens. DSG fights back, tribunals slice and dice the ICO's case, and years of appeals stretch this into a slow-motion moral fable about who the system really protects.
But this isn't just legal theatre; it's human fallout. We follow the people on the receiving end: anxious customers, stalled group claims, and a lone litigant whose attempt at compensation is bounced between courts and stays. By the time the Court of Appeal finally says the obvious, that a retailer that can link card numbers to people must treat them as personal data, most victims are already out of time to sue. The episode shows how the machinery of justice can leave ordinary people stranded.
Alongside the outrage, we pull apart the courtroom arguments that nearly let a multinational off the hook: the dangerous idea of judging identifiability from a hacker's viewpoint, and the peril of treating data fragments as harmless. The Court of Appeal's eventual clarity is legally important, but the delay exposes a chilling truth: if you've got deep pockets, you can litigate and wait out consequences while victims go uncompensated.
This is also a playbook episode for anyone who runs a small or mid-sized business. We translate the Court of Appeal's ruling into a simple controller's-eye test you can run on Monday morning: if you, as the organisation, can link data to a person, it's personal and worth protecting. From that test we give concrete, low-cost actions: map your data, cut unnecessary access, name who watches your logs, patch and MFA the essentials, and keep a one-page accountability pack that proves you took reasonable steps.
We don't just point fingers; we hand you a route out. The Currys saga becomes the cautionary tale that makes the normal business case for basics suddenly urgent: monitoring that notices intrusions, access reviews that kill zombie accounts, and documentation that shows you're not winging it. Do these things and you move from case-study risk to trusted steward of customer data.
Finally, the episode is a story of how law, business and people collide: a vivid reminder that prevention matters more than litigation, and that the protections for customers are only as strong as the choices organisations make before the breach. Tune in to feel the outrage, understand the legal twists, and walk away with practical steps to stop your business from becoming headline fodder nine years from now.

Monday Feb 23, 2026
Locked In: Palantir, Microsoft and the Hidden Political Risk in Your Cloud
Picture this: you're a minister in Europe and Washington quietly asks for a peek. Your emails, drafts and cabinet notes aren't in a secret vault; they live on someone else's servers. This episode opens on that impossible, very real moment and follows the ripple effects: threats of sanctions, a neutral Switzerland walking away from Palantir, and the uncomfortable truth that the UK handed that very company the keys to its health, defence and policing systems.
We meet the players: Noel Bradford, the Small Business Cybersecurity Guy, who's spent four decades turning tape backups into survival tactics; Corinne Jefferson, an ex-US intelligence officer who refuses to say "told you so"; Mauven MacLeod, the ex-UK government cyber analyst with biscuits and sarcasm; and Graham Falkner, whose voice narrates the creeping, bureaucratic apocalypse with unnerving charm. Together they pull the camera tight on Palantir, a firm born with CIA-connected funding, hardened in intelligence use and repackaged for civilian life, and show how its DNA matters for everyone from governments to your local charity.
The episode walks you through the high-stakes decisions: Switzerland's 2024 risk assessment, which warned that data could be reached by American authorities and that leaks from Palantir are architecturally unavoidable; the UK's contrasting embrace of the same tools across the NHS, the MOD and border planning; and how this divergence should set off alarms for every organisation that has leaned on US SaaS as neutral plumbing.
We translate the legal jargon into a human story. Think of the CLOUD Act as an American landlord who can be ordered to open a warehouse, even if your files are stored in London. Encryption doesn't save you unless you control the keys. UK and EU data rules complicate the picture but don't yet provide a clean escape. That legal murk leaves businesses and charities sitting on unquantified exposures, not because they're spies, but because convenience and market share created choke points that politics or courts can exploit.
This isn't fearmongering; it's a practical wake-up call. Noel guides you through what to do next: a simple CLOUD Act exposure audit, naming your crown-jewel data, and deciding which systems deserve extra protection or customer-managed keys. The episode offers concrete, manageable steps (split sensitive fields, demand clear vendor answers, build exit plans) so your small firm isn't left exposed if geopolitics changes the rules.
By the end you'll see the world differently: your email and CRM aren't just tools, they're legal and geopolitical choices. The narrative closes on an urgent but solvable note: map your dependencies, protect what matters, and start asking the awkward questions. The story lands as both a warning and a roadmap: serious, fixable, and essential for anyone who cares where their data really lives.

Monday Feb 16, 2026
Edge Devices Under Siege: 393 Days of Unnoticed Access
In this episode of Small Business Cybersecurity Guy, host Mauven MacLeod and guest Dr Corinne Jefferson (former US government intelligence analyst turned London-based consultant) unpack Google Threat Intelligence's alarming report on the Defence Industrial Base (DIB) and explain exactly why it matters to small and medium-sized businesses. They move straight from the uncomfortable headline, Chinese state-linked hackers averaging 393 days of dwell time inside victim networks, to practical implications for 50 to 80 person companies across manufacturing, logistics, and software supply chains.
Topics covered include clear definitions (APT, UNC), the distinction between edge devices and endpoints, why firewalls and VPN appliances are attractive, under-monitored targets, and why EDR often misses the real entry points: it runs on the endpoints, not on the appliances. They discuss documented campaigns (UNC3886, UNC5221/BRICKSTORM) and how multiple zero-day exploits against edge vendors have been used to gain long-term access and persistence.
The episode also examines other nation-state tradecraft: Russian actors targeting messaging apps and device-linking features, North Korean operatives obtaining remote jobs inside companies, and sophisticated recruitment-themed phishing using AI-generated reconnaissance. Mauven and Dr Jefferson highlight how attackers map supply chains professionally, meaning you can be a target even if you don't self-identify as a defence contractor, and how ransomware and dual-use manufacturing create huge blast radii that can stop production and bankrupt small firms.
Most importantly, the hosts give a pragmatic, non-bankrupting 90-day plan for SMEs: an immediate "Edge Reality Check" to interrogate your MSP's visibility on VPNs and firewalls, a short-term segmentation win to reduce blast radius, and a phased rollout of phishing-resistant MFA for key admin and finance accounts. They offer exact questions to ask your MSP, the metrics and controls procurement teams will soon demand, and how to frame the business case to your board.
Listeners should expect a mix of blunt intel, real-world examples, and actionable next steps to reduce risk without breaking the bank, plus a call to assume compromise, improve edge monitoring, and stop treating VPNs as magic shields. Tune in for practical guidance, concrete conversation starters for your MSP, and the motivation to make measurable security improvements this quarter.

Wednesday Feb 11, 2026
February 2026 Patch Tuesday: Six Actively Exploited Flaws (DWM Strikes Twice)
Host Graham Falkner breaks down Microsoft's February 2026 Patch Tuesday: more than 50 vulnerabilities across Windows and Microsoft 365, including six that were actively exploited before patches arrived. This episode explains which flaws matter, who's affected, and the practical steps businesses should take immediately.
Coverage includes the six confirmed actively exploited vulnerabilities (triple January's count): three security-feature bypasses that remove user protections (including a Word document bypass that is not triggered by Outlook preview), Desktop Window Manager (DWM) flaws that allow privilege escalation and are being exploited for a second month running, a Remote Desktop Services elevation issue found by CrowdStrike, and a Remote Access Connection Manager VPN crash vulnerability with a ready-made exploit tool in criminal circulation. CISA has added all six to its Known Exploited Vulnerabilities catalogue, with federal agencies required to patch by March 3.
The episode also highlights developer-focused risks: three serious GitHub Copilot flaws that let hidden malicious instructions run commands on a developer's machine, and a 9.8-severity flaw in Microsoft's Azure Cloud Tools for Python. Falkner explains why developers are high-value targets and why organisations that build or buy software must prioritise these fixes.
Other major items: January's three out-of-band patches rolled into February's cumulative update; Microsoft's upcoming certificate updates, with certificates starting to expire from June (important for old or rarely-connected hardware); SAP's 26 security notes, including a 9.9 remote-command vulnerability and multiple high-risk issues that can affect supply chains; Adobe's 40+ fixes (27 critical); and updates from BeyondTrust, Ivanti, Cisco, Fortinet and others. Note: Google's Android bulletin for February reported no security fixes.
Special callouts: an Outlook vulnerability that can capture credentials just by previewing a crafted email in the reading pane (apply all related Outlook patches), and Microsoft's gradual retirement of NTLM, which may break legacy business apps unless you plan ahead.
Actionable priorities and patch playbook. First wave (within 24 hours): apply all six actively exploited fixes, the Azure Python tool patch for developer teams, and all Outlook fixes. Second wave (within 72 hours): SAP (if you run it), Exchange Server, GitHub Copilot mitigations for developer teams, and BeyondTrust remote-support fixes. Third wave (within one week): remaining SAP and Adobe updates, Cisco, Fortinet, and other important but not-yet-exploited updates. Falkner stresses verifying that deployments actually landed, testing remote desktop and Office workflows, and building patch management into incident response playbooks.
Who should listen: IT managers, small business owners, developers, MSPs, and security teams responsible for patching and remote access. The episode gives clear, prioritized guidance to reduce exposure quickly and recommends sharing the full CVE tables and patch tiers with your IT team or managed service provider.
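Both this episode's "verify deployment" step and the March episode's "verify actual build numbers" come down to reading the OS build and UBR from each machine rather than trusting the update console. The script below is an added example, not the show's own script: it uses PowerShell remoting to collect CurrentBuild, UBR and pending-reboot state from each target and compares them against a minimum UBR you supply from Microsoft's release notes. The build and UBR values in the default parameter are placeholders, not real February or March 2026 numbers, and WinRM being enabled on the targets is assumed.

```powershell
# Added example (not the podcast's script): verify that the month's cumulative
# update is really installed by reading each machine's OS build and UBR.
# Assumptions: PowerShell remoting (WinRM) is enabled on the targets, and you
# replace the placeholder UBR values with the minimum UBR listed in Microsoft's
# release notes for the update you deployed.
param(
    [string[]]$ComputerName = @('localhost'),
    # Hypothetical map of CurrentBuild -> minimum UBR that contains the patch.
    # 22631 = Windows 11 23H2, 26100 = Windows 11 24H2; the UBRs are placeholders.
    [hashtable]$MinimumUbr = @{ '22631' = 99999; '26100' = 99999 }
)

# Runs on each target. UBR (Update Build Revision) is the part of the build
# number that changes with every cumulative update, e.g. 26100.1234 -> 1234.
$probe = {
    $cv = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    $rebootKeys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\RebootRequired',
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\RebootPending'
    )
    [pscustomobject]@{
        Computer      = $env:COMPUTERNAME
        Build         = [string]$cv.CurrentBuild
        Ubr           = [int]$cv.UBR
        Version       = $cv.DisplayVersion
        PendingReboot = [bool]($rebootKeys | Where-Object { Test-Path $_ })
        LastHotfix    = (Get-HotFix | Sort-Object InstalledOn -Descending | Select-Object -First 1).HotFixID
    }
}

$results = Invoke-Command -ComputerName $ComputerName -ScriptBlock $probe `
    -ErrorAction SilentlyContinue -ErrorVariable probeErrors

$report = foreach ($r in $results) {
    $required = $MinimumUbr[$r.Build]
    # An installed update only protects you after the reboot; report that state
    # separately so "deployed" in the console is not mistaken for "patched".
    $status = if (-not $required) { 'UNKNOWN BUILD: add it to MinimumUbr' }
              elseif ($r.Ubr -lt $required) { 'VULNERABLE: update not installed' }
              elseif ($r.PendingReboot) { 'INSTALLED: reboot pending, not yet protected' }
              else { 'PATCHED' }
    [pscustomobject]@{
        Computer   = $r.Computer
        OSBuild    = "$($r.Build).$($r.Ubr)"
        Version    = $r.Version
        LastHotfix = $r.LastHotfix
        Status     = $status
    }
}

$report | Sort-Object Status | Format-Table -AutoSize

# Machines that did not answer are as unknown as unpatched ones: list them too.
foreach ($e in $probeErrors) {
    Write-Warning "No result from $($e.TargetObject): $($e.Exception.Message)"
}
```

Run it as `.\Check-PatchLevel.ps1 -ComputerName (Get-Content .\hosts.txt) -MinimumUbr @{ '26100' = <UBR from the release notes> }`; the point of the UNKNOWN and REBOOT PENDING rows is that both are gaps a WSUS or Intune "succeeded" report hides.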
Find the blog post here: https://noelbradford.squarespace.com/blog/patch-tuesday-february-2026-six-zero-days-uk-smb-guide-2026

Monday Feb 09, 2026
In this urgent episode of Small Business Cybersecurity Guy, hosts Mauven MacLeod and Graham Falkner join a notably fed-up Noel Bradford to unpack four simultaneous, high-impact campaigns that emerged between late January and early February 2026. We walk listeners through detailed research from Trellix, Securonix, Rapid7 and Microsoft and explain why these attacks matter to every small business, even if you think you're too small to be a target.
We open with APT28 (Fancy Bear) exploiting CVE-2026-21509: a weaponised Office document that triggers on open, drops an Outlook backdoor (MiniDoor/NotDoor) and a C++ implant (Beardshell) injected into svchost.exe, exfiltrating email and system data while blending its traffic into legitimate cloud services.
Next, Securonix's "Dead Vax" campaign shows how commodity criminals now match nation-state tradecraft. Phishing delivers VHD files that mount like drives, bypass mark-of-the-web warnings and execute fileless loaders that ultimately deploy AsyncRAT, giving attackers remote control, keylogging and full data access.
Rapid7's analysis of the Chrysalis backdoor reveals a supply-chain compromise of Notepad++ hosting infrastructure: poisoned installers selectively targeted victims and abused DLL side-loading and trusted signed binaries to achieve persistent, encrypted backdoors and lateral movement tools. This is supply-chain risk in practice.
Microsoft's macOS research details multiple stealer campaigns (Digit Stealer, Mac Sync, ClickFix, Atomic Stealer and more) distributed through poisoned Google Ads, fake AI tools and messaging apps. These attacks live off native macOS utilities, use AppleScript and Python, and harvest passwords, crypto wallets, SSH keys and cloud credentials, exposing the myth that Macs are immune.
We connect the dots: all four campaigns abused legitimate platforms and native features, used memory-resident or fileless techniques that bypass signature AV, injected into trusted processes, and moved faster than patch cycles. The real victims are not random users but procurement staff, developers and privileged employees. Small businesses face the same capabilities for a fraction of the cost via malware-as-a-service.
On the regulatory front we cover the Data (Use and Access) Act (DUAA) changes that took effect in February 2026: cookie and e-marketing fines rise to £17.5m or 4% of global turnover, new rules around children's higher protection matters, a new lawful basis for limited public interest processing, and mandatory complaints-handling procedures coming into effect on 19 June. We explain why a breach today risks vastly larger financial and compliance consequences.
Finally, we give practical, prioritised guidance for small businesses: immediate zero-cost steps (patch Office, verify Notepad++ versions, show file extensions, audit cookie banners, start a complaints procedure), technical controls to adopt (EDR/behavioural monitoring, managed email security, Mac MDM/EDR, a fractionally engaged CISO/CIO), and realistic budgets and trade-offs for a 20-person company. Links to all source research and a detailed blog post are in the show notes for listeners who want the technical deep dive.