

211.9K Downloads | 60 Episodes
The UK's leading small business cybersecurity podcast, helping SMEs protect against cyber threats without breaking the bank.
Join cybersecurity veterans Noel Bradford (CIO at Boutique Security First MSP) and Mauven MacLeod (ex-UK Government Cyber Analyst) as they translate enterprise-level security expertise into practical, affordable solutions for UK small businesses.
🎯 WHAT YOU'LL LEARN:
- Cyber Essentials certification guidance
- Protecting against ransomware & phishing attacks
- GDPR compliance for small businesses
- Supply chain & third-party security risks
- Cloud security & remote work protection
- Budget-friendly cybersecurity tools & strategies
🏆 PERFECT FOR:
- UK small business owners (5-50 employees)
- Startup founders & entrepreneurs
- SME managers responsible for IT security
- Professional services firms
- Anyone wanting practical cyber protection advice
Every episode delivers actionable cybersecurity advice that you can implement immediately, featuring real UK case studies.
Episodes

Monday Oct 20, 2025
Vendors love throwing around "InfoSec," "CyberSec," and "IT Security" like they're selling completely different solutions. Half the time it's the same thing with three different price tags. The other half? You're buying protection that doesn't address your actual risks.
With 50% of UK small businesses hit by cyber incidents in 2025 and 60% closing within six months of severe data loss, getting this wrong isn't just expensive—it's potentially fatal to your business.
Noel Bradford (40+ years wrangling enterprise security at Intel, Disney, and BBC) and Mauven MacLeod (ex-Government Cyber analyst who's seen threats at the national security level) cut through the marketing rubbish to explain what each approach actually does, what they really cost, and which one your business needs right now.
No vendor pitch. No corporate speak. Just the brutal truth about what works for UK SMBs.
This Episode is Sponsored by Authentrend
Special Listener Offer: £40 per FIDO2 security key (regular £45) - Valid until December 22nd, 2025
We only accept sponsorships from companies whose products we already recommend to clients. Authentrend's ATKey series provides FIDO Alliance Level 2 certified, phishing-resistant authentication at competitive pricing. Same cryptographic protection as premium brands, without the premium price tag.
Why we're comfortable with this sponsorship: We've been specifying Authentrend keys for UK SMB clients for months because the math works. FIDO2 hardware security keys stop the credential phishing attacks that cause 85% of cyber incidents. At £40-45 per key (two per employee for backup), you're looking at £80-90 per person for protection that actually works.
Learn more: authentrend.com
What You'll Learn
Understanding the Differences
- What Information Security actually covers (hint: it's not just digital)
- Why Cybersecurity isn't the same as IT Security (despite what vendors claim)
- The CIA triad explained without the jargon
- Real-world examples showing when each approach matters
UK Business Reality
- Current threat landscape: 43% of UK businesses breached in 2025
- Why small businesses (10-49 employees) face 50% breach rates
- Average incident costs: £3,400 (but the real number is much higher)
- UK GDPR, Data Protection Act 2018, and what actually applies to you
What It Actually Costs
- Starting from scratch: £5,000-£15,000 annually for 10-20 employees
- Phishing-resistant MFA: £80-90 per employee (one-time, includes backup keys)
- Cyber Essentials: £300-£500 (your best bang for buck)
- Managed security services: £300-£450/month realistic pricing
- When £2,000-£3,500/month managed detection makes sense
- Free government resources you're probably ignoring
Authentication Security Reality
- Why SMS codes and app-based MFA still get phished
- How FIDO2 hardware security keys cryptographically prevent credential theft
- Real cost comparison: £80-90 per employee one-time vs subscription services costing hundreds annually
- Special offer mentioned in episode: Authentrend keys at £40 until December 22nd
Implementation Without the Bullshit
- Why IT Security basics beat fancy cybersecurity tools every time
- The five controls that address 90% of UK SMB threats
- Common mistakes that waste your security budget
- How to prioritise when you can't afford everything
- Vendor red flags and what to actually look for
Regulatory Requirements Decoded
- ICO data protection fees: £40-£60/year (mandatory)
- What "appropriate technical and organisational measures" really means
- Why recent enforcement shows reprimands over fines for SMBs
- Insurance requirements and how to reduce premiums
- How phishing-resistant authentication affects cyber insurance premiums
Key Statistics Mentioned
- 50% of UK small businesses (10-49 employees) experienced cyber incidents in 2025
- £3,400 average cost per cyber incident (excluding business impact)
- 60% of small businesses close within 6 months of serious data loss
- 85% of cyber incidents involve phishing attacks
- 43% of all UK businesses experienced breaches in 2025
- Only 35,000 of 5.5 million UK businesses hold Cyber Essentials certification
- 40% of UK businesses use two-factor authentication (meaning 60% rely solely on passwords)
Products & Solutions Discussed
Authentication Security (Featured in Episode)
Authentrend ATKey Series (Episode Sponsor)
- ATKey.Pro: USB-A/USB-C with NFC support
- ATKey.Card: Contactless card format
- Pricing: £45 regular, £40 special offer until December 22nd
- FIDO Alliance Level 2 certified
- Works with Microsoft 365, Google Workspace, 1000+ FIDO2-enabled services
- Deployment cost: £80-90 per employee (2 keys for backup)
Why hardware security keys matter:
- Cryptographically bound to specific domains (phishing technically impossible)
- Works even when users make mistakes
- One-time purchase vs ongoing subscription costs
- Significantly reduces cyber insurance premiums
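The domain binding described in the list above, as an added example written for this page (not code from the episode or from Authentrend): a minimal relying-party verification of a FIDO2/WebAuthn assertion in Python. The RP ID, origin and challenge values are assumptions, and an HMAC keyed with a per-credential secret stands in for the authenticator's real ECDSA/EdDSA signature so that everything runs with the standard library. What it shows is that the browser, not the user, supplies the origin and RP ID that get signed, so an assertion obtained on a look-alike domain fails the relying party's checks even when the user was fooled.

```python
import hashlib
import hmac
import json
import struct

# Assumed relying-party settings for this example (constructed, not from the episode).
RP_ID = "example.test"                  # the domain the key was registered to
EXPECTED_ORIGIN = "https://example.test"


def authenticator_sign(cred_secret: bytes, rp_id_from_browser: str, client_data: dict):
    """Simulate the browser plus security key on the user's side.

    The browser derives the RP ID from the page the user is actually on, and the
    key only ever signs authenticatorData || SHA-256(clientDataJSON).  The HMAC
    is a stand-in for the authenticator's per-credential private-key signature.
    """
    rp_id_hash = hashlib.sha256(rp_id_from_browser.encode()).digest()
    flags = b"\x01"                                        # user-present bit set
    auth_data = rp_id_hash + flags + struct.pack(">I", 1)  # plus signature counter
    client_data_json = json.dumps(client_data, separators=(",", ":")).encode()
    signed_bytes = auth_data + hashlib.sha256(client_data_json).digest()
    signature = hmac.new(cred_secret, signed_bytes, hashlib.sha256).digest()
    return auth_data, client_data_json, signature


def verify_assertion(cred_secret: bytes, challenge: str, auth_data: bytes,
                     client_data_json: bytes, signature: bytes):
    """Relying-party checks, in the order a WebAuthn server performs them."""
    cd = json.loads(client_data_json)
    if cd.get("type") != "webauthn.get":
        return False, "wrong ceremony type"
    if cd.get("challenge") != challenge:
        return False, "challenge mismatch (replay?)"
    if cd.get("origin") != EXPECTED_ORIGIN:
        return False, "origin mismatch: " + str(cd.get("origin"))
    if auth_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
        return False, "rpIdHash mismatch"
    if not auth_data[32] & 0x01:
        return False, "user presence not asserted"
    signed_bytes = auth_data + hashlib.sha256(client_data_json).digest()
    expected = hmac.new(cred_secret, signed_bytes, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):
        return False, "bad signature"
    return True, "ok"


def _host_of(origin: str) -> str:
    # The browser derives the RP ID from the page's host (simplified here).
    return origin.split("://", 1)[1].split("/")[0].split(":")[0]


def login_attempt(page_origin: str, cred_secret: bytes, challenge: str):
    """User visits page_origin and touches the key; the RP verifies the result."""
    client_data = {"type": "webauthn.get", "challenge": challenge, "origin": page_origin}
    auth_data, cdj, sig = authenticator_sign(cred_secret, _host_of(page_origin), client_data)
    return verify_assertion(cred_secret, challenge, auth_data, cdj, sig)


def relayed_attempt_with_rewritten_origin(phish_origin: str, cred_secret: bytes, challenge: str):
    """Why a relay site cannot fix up the assertion: rewriting the origin field
    after signing leaves the rpIdHash (and the signed hash) pointing at the
    wrong domain, so verification still fails."""
    client_data = {"type": "webauthn.get", "challenge": challenge, "origin": phish_origin}
    auth_data, cdj, sig = authenticator_sign(cred_secret, _host_of(phish_origin), client_data)
    cd = json.loads(cdj)
    cd["origin"] = EXPECTED_ORIGIN
    forged_cdj = json.dumps(cd, separators=(",", ":")).encode()
    return verify_assertion(cred_secret, challenge, auth_data, forged_cdj, sig)


if __name__ == "__main__":
    secret = b"constructed-credential-secret"
    print(login_attempt(EXPECTED_ORIGIN, secret, "challenge-1"))
    print(login_attempt("https://example.test.login-check.test", secret, "challenge-2"))
    print(relayed_attempt_with_rewritten_origin("https://example.test.login-check.test", secret, "challenge-3"))
```

In production the same checks (origin, RP ID hash, challenge, user presence, counter, signature) should come from a maintained WebAuthn server library rather than hand-rolled code; the value of the sketch is seeing which check a look-alike domain trips, and why no amount of user error changes that outcome.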
Email Security Options
- Microsoft Defender for Office 365 Plan 1: £1.70/user/month
- Google Workspace Advanced Protection: £4.60/user/month
- Sophos Email Security: £2.50/user/month
Endpoint Protection
- Microsoft Defender for Business: £2.50/user/month
- Sophos Intercept X: £3.50/user/month
- CrowdStrike Falcon Go: £7.00/user/month
Compliance & Frameworks
- Cyber Essentials: £300-£500 annually
- ISO 27001: £10,000-£15,000 first year (discussed as often unnecessary for SMBs)
Resources Mentioned
Free Government Resources
- NCSC Small Business Guidance: ncsc.gov.uk
- ICO Free Templates: ico.org.uk
- Cyber Essentials Scheme: cyberessentials.ncsc.gov.uk
- NCSC FIDO2 Guidance: Phishing-resistant authentication recommendations
Episode Sponsor
- Authentrend: authentrend.com
- Special offer: £40 per key (regular £45) until December 22nd, 2025
- ATKey.Pro and ATKey.Card models
- UK distributor support available
Related Blog Posts (From This Week's Series)
- Tuesday: "InfoSec vs CyberSec vs IT Security: Stop Paying for the Wrong Protection in 2025"
- Wednesday: "Another UK SME Wastes £20k on 'Comprehensive CyberSec': Still Gets Breached"
- Thursday: "IT Security First: Your 5-Step Plan to Stop Buying the Wrong Protection"
- Friday: "The Leicester SME That Chose IT Security Over InfoSec Theatre: Saved £15k and Actually Got Secure"
- Saturday: "Opinion: The Cybersecurity Industry Is Deliberately Confusing UK SMBs"
Recommended First Steps
Immediate Actions (This Week)
- Catalogue your information - 1 day exercise to understand what you have and where it lives
- Register for ICO data protection fee - £40-£60 annual mandatory requirement
- Order hardware security keys - Start with admin accounts (grab Authentrend special offer before Dec 22nd)
First Month
- Get Cyber Essentials certified - £300-£500, addresses 90% of common threats
- Implement email security - £900-£1,800 annually for proper anti-phishing
- Deploy phishing-resistant MFA - £80-90 per employee one-time investment
- Configure endpoint protection - £1,200-£2,500 annually for 15-30 users
First Quarter
- Test your backups - Don't assume they work, actually restore something
- Basic staff training - Use free NCSC materials, focus on phishing recognition
- Review and document - Simple policies using ICO templates
Budget Planning
15-20 employee business, first year total: £6,200-£14,500
- Email security: £900-£1,800 annually
- Hardware security keys: £2,400-£2,700 one-time (with Dec 22nd offer: £2,400)
- Endpoint protection: £1,200-£2,500 annually
- Backup systems: £600-£1,200 annually
- Network security: £600-£1,800 (includes one-time hardware costs)
- Training: £0-£1,500 annually
- Testing: £500-£2,000 annually
Ongoing costs (Year 2+): £3,800-£11,100 annually
Hosts
Noel Bradford - CIO/Head of Technology, Boutique Security First MSP
- 40+ years enterprise security (Intel, Disney, BBC)
- Direct, budget-conscious, solutions-focused
- Enjoys challenging conventional security wisdom
- Known for calling out vendor bollocks
Mauven MacLeod - Ex-Government Cyber Analyst
- Government cybersecurity background (NCSC)
- Glasgow-raised, practical approach
- Translates national security threats into business reality
- Focuses on what actually works for UK SMBs
Our Sponsorship Disclosure Policy
We only accept sponsorships from security vendors whose products we already recommend to UK SMB clients independently. If we wouldn't deploy it ourselves or specify it for consulting engagements, we won't accept sponsorship money for it.
Why Authentrend: We've been recommending their FIDO2-certified hardware security keys to clients for months because:
- They provide the phishing-resistant authentication we consistently advise UK SMBs to implement
- Pricing makes proper authentication accessible to small businesses
- FIDO Alliance Level 2 certification ensures they meet security standards
- They align with our core message: affordable IT security fundamentals over expensive security theatre
Take Action
Don't let perfect be the enemy of good. Start with what you can manage, do it properly, and build from there.
Your Next Steps
- Listen to the episode - Understand the differences before spending money
- Download the risk assessment template - Available on our blog
- Order hardware security keys - Start with admin accounts (special offer ends Dec 22nd)
- Get Cyber Essentials certified - £300-£500 addresses most common threats
- Implement IT Security fundamentals - £2K-£5K gets you real protection
- Review quarterly - Security isn't a one-time project
Subscribe & Connect
- Never miss an episode - Hit subscribe wherever you get your podcasts
- Leave us a review - It genuinely helps other UK small business owners find these conversations
- Visit our blog - Additional resources, templates, and practical guides at noelbradford.com
- Got specific questions? - Drop us a comment and we might cover it in a future episode
Next Week's Episode
"Government Cyber Initiatives: Why Whitehall's Digital Strategy Keeps Failing UK Businesses"
The NCSC produces world-class guidance. Unfortunately, most of it assumes you have dedicated security teams and enterprise budgets. We'll examine why government cybersecurity initiatives consistently miss the mark for the businesses that need help most, and what UK SMBs should actually implement instead.
Remember
The biggest security risk is doing nothing while you debate the perfect approach.
Stop wasting money on expensive security theatre. Start with IT Security fundamentals that actually protect against the threats you face. Get phishing-resistant authentication in place. Test your backups. Train your staff.
Everything else can come later.
Tags
#Cybersecurity #InformationSecurity #ITSecurity #UKSmallBusiness #SMB #UKGDPR #CyberEssentials #DataProtection #ICO #BusinessSecurity #CyberThreats #SecurityBudget #NCSC #UKBusiness #SmallBusinessUK #FIDO2 #PhishingResistant #MFA #Authentrend #HardwareSecurityKeys #AuthenticationSecurity

Thursday Oct 16, 2025
Discord's Data Breach and the UK's Digital ID Debacle
Noel and Mauven unpack Discord’s third-party breach that exposed government-ID checks from age-appeal cases, then weigh it against Westminster’s push for a nationwide digital ID. It’s a frank look at how outsourcing, age-verification mandates and data-hungry processes collide with real-world security on the ground. Expect straight talk and practical fixes for UK SMBs.
What we cover
- What actually happened at Discord: a contractor compromise affecting support/Trust & Safety workflows, not Discord’s core systems; notifications issued; vendor relationship severed; law-enforcement engaged.
- Why age-verification data is dynamite: passports and licences used for “prove your age” are a high-value, high-liability dataset for any platform or vendor.
- The UK digital ID plan, clarified: free digital ID, phased rollout this Parliament, and mandatory for Right to Work checks rather than everyone by default. What that means for employers, suppliers and software choices.
- Public sentiment vs promised safety: Britons broadly back “age checks” in principle but expect more data compromise and censorship risk, and doubt effectiveness.
Why it matters to UK SMBs
- You can’t outsource accountability. If a payroll, KYC, helpdesk or verification vendor mishandles data, your customers still see your name on the breach notice.
- Age and identity checks creep into ordinary business flows. HR onboarding, ticketing, and customer support can accumulate sensitive documents if you let them.
- Centralising identity increases the jackpot for attackers. Your job is to minimise what you collect and partition what you must keep.
Key takeaways
- Do not collect what you can’t protect. Prefer attribute proofs over document uploads.
- Limit blast radius. Separate systems, short retention, hard deletion, and vendor access that is time-boxed and device-checked.
- Contract like you mean it. Specify MFA, device compliance, immutable logging, breach SLAs, and verifiable deletion in vendor agreements.
- Prepare your Right-to-Work path now. Choose flows that avoid copying and storing underlying documents.
Action checklist for SMB owners
- Map every place you’re collecting ID or age proof today. Kill non-essential collection.
- Where age is required, adopt attribute-based verification that proves “over 18” without revealing full identity.
- Move any remaining uploads behind automatic redaction, strict retention, and encryption with keys you control.
- Enforce vendor MFA via your IdP, require compliant devices, and review access logs weekly.
- Run DPIAs for onboarding, support and HR flows that touch identity documents.
- Rehearse your breach comms. Aim to say: “only an age token was exposed, not source documents.”
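One way to implement the attribute-based check in the checklist above, as an added example that is not code from the episode or from any provider named on the page: an issuer that inspects the document once and hands the business a signed "over 18" token, and a business-side verifier that learns only that attribute and an expiry. The shared HMAC key, the business identifier, the pseudonym derivation and every document value are constructed assumptions; a real scheme would use the provider's public key (a signed JWT or verifiable credential) rather than a shared secret. The token carries no name, date of birth or document number, which is exactly what makes the "only an age token was exposed" breach statement true.

```python
import base64
import hashlib
import hmac
import json
from datetime import date

# Assumption: issuer and business share this key so an HMAC can stand in for the
# provider's signature. Constructed value; a real deployment would verify a
# public-key signature instead.
ISSUER_KEY = b"constructed-issuer-key"
BUSINESS_ID = "acme-ltd-constructed"   # used to derive a per-business pseudonym

# Constructed stand-in for the scanned passport or licence. The issuer looks at
# it once; it never goes into the token and the business never stores it.
SAMPLE_DOCUMENT = {"name": "Constructed Example", "dob": "2000-05-01",
                   "doc_number": "X00000000-constructed"}


def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _unb64url(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def _age_on(dob: str, today: str) -> int:
    d, t = date.fromisoformat(dob), date.fromisoformat(today)
    return t.year - d.year - ((t.month, t.day) < (d.month, d.day))


def issue_age_token(document: dict, today: str, expires: str) -> str:
    """Provider side: check the document, emit only the attribute the business needs."""
    over_18 = _age_on(document["dob"], today) >= 18
    # Pseudonymous subject bound to this business: the same person cannot be
    # correlated across businesses, and the document number never appears.
    sub = hashlib.sha256((BUSINESS_ID + ":" + document["doc_number"]).encode()).hexdigest()[:16]
    claims = {"over_18": over_18, "sub": sub, "exp": expires}
    payload = _b64url(json.dumps(claims, sort_keys=True).encode())
    sig = _b64url(hmac.new(ISSUER_KEY, payload.encode(), hashlib.sha256).digest())
    return payload + "." + sig


def token_claims(token: str) -> dict:
    """Everything anyone holding the token can read out of it."""
    return json.loads(_unb64url(token.split(".")[0]))


def verify_age_token(token: str, today: str):
    """Business side: the attribute if the token is genuine and current, else None."""
    try:
        payload, sig = token.split(".")
    except ValueError:
        return None
    expected = hmac.new(ISSUER_KEY, payload.encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64url(sig)):
        return None                      # tampered, or not from the issuer
    claims = json.loads(_unb64url(payload))
    if date.fromisoformat(claims["exp"]) < date.fromisoformat(today):
        return None                      # expired: short-lived tokens limit the blast radius
    return {"over_18": bool(claims["over_18"]), "sub": claims["sub"]}


if __name__ == "__main__":
    tok = issue_age_token(SAMPLE_DOCUMENT, "2025-10-16", "2025-10-17")
    print(token_claims(tok))             # over_18, sub, exp and nothing else
    print(verify_age_token(tok, "2025-10-16"))
    print(verify_age_token(tok, "2025-10-18"))  # None once expired
```

The same shape (issuer signs a minimal claim, business verifies and discards) is what the Right-to-Work flows mentioned in the takeaways should look like: the business keeps a verification record and a pseudonymous reference, never the underlying document.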
Chapter outline
- Setting the scene: a breach born in the support queue
- Why ID uploads are a liability multiplier
- The UK’s digital ID plan, without the spin
- Vendor risk is your risk
- Practical fixes you can implement before lunch
- Q&A and what to do if you uploaded ID to Discord
If you think you’re affected
- Treat notices as real; monitor credit; be alert to targeted phishing; don’t re-upload documents to unsolicited “verification” links.
Support the show
- Subscribe, rate and review. Share this episode with a business owner who still stores passport scans in their helpdesk.
- Send questions or topic requests for future episodes.

Wednesday Oct 15, 2025
172 Security Holes Just Got Patched - But Is YOUR Business Already Compromised?
Microsoft has released the October 2025 Patch Tuesday update, and the numbers tell a serious story: 172 security flaws patched, six of them zero-day exploits already in the wild. For UK small businesses, this is more than routine maintenance; these updates protect against vulnerabilities that attackers are actively exploiting to break into systems like yours.
Graham Falkner cuts through the technical jargon to explain what these updates actually mean for your business, shares a real-world story of a local bakery that nearly lost everything, and walks through the practical steps you need to take today.
Key Topics Covered
The Scale of the Problem
- 172 total vulnerabilities patched across Microsoft's ecosystem
- Six zero-day flaws (actively exploited or publicly known before patches released)
- Eight critical vulnerabilities that could allow unauthorised code execution
- Elevation of privilege, remote code execution, and information disclosure threats
Windows 10: End of an Era
- 15 October 2025 marks the final day of free security updates for Windows 10
- Extended Security Updates (ESU) now required for continued protection
- Time to seriously plan your Windows 11 migration or budget for ESU costs
Real-World Impact
Linda's Bakery nearly lost a week's worth of turnover after ransomware exploited an unpatched zero-day vulnerability. The attack was fast, the data was locked, and only a quick backup restoration saved her business. Graham uses this story to demonstrate why these updates have tangible consequences for small businesses across the UK.
Windows 11 October 2025 Features
Beyond patching vulnerabilities, the October update brings nine useful new features for Windows 11 versions 25H2 and 24H2:
Improved Phishing Protection
Enhanced defences that make it genuinely harder for dodgy links to trick your staff. Think of it as a digital bouncer for your inbox.
Enhanced Device Control Settings
Brilliant if you operate in an environment where staff might plug in random gadgets. (Yes, coffee shop owners with drawers full of mystery USB sticks, we're looking at you.)
Wi-Fi Security Dashboard
No IT degree required. Plain-language summary of your network's safety status that anyone can understand.
Built-in Password Manager Improvements
Now flags when you've reused weak passwords. No more scribbling your favourite biscuit on a Post-it and hoping for the best.
AI Actions in File Explorer
Smarter file organisation and quick task shortcuts
Notification Centre on Secondary Monitors
Finally works properly where you click it
Moveable System Indicators
Customise where volume and brightness indicators appear
Administrator Protection
Additional security layer for privileged accounts
Passkey Support for Third-Party Providers
More flexibility in authentication methods
Practical Action Steps
Immediate Tasks (This Week)
Schedule Your Updates
Block out an hour when losing a computer for a reboot won't derail your entire operation. Updates can be inconvenient, but getting compromised because you delayed them is far worse.
Verify Installation Success
Don't assume updates installed correctly. Open Windows Update settings and check for failed installations. Graham shares a personal story about his jukebox PC that reinforces this point.
Back Up Before Updating
Protect your important data before applying updates. If something breaks, you'll need that backup to restore operations quickly.
Recovery Planning
Know Your Rollback Options
Windows lets you roll back recent updates through the Advanced Recovery menu. Don't wait until disaster strikes to learn how this works.
Document Your Process
Have a written plan for what to do if an update causes problems. Graham learned this the hard way when his vinyl room jukebox went silent for days.
Long-Term Security Habits
Regular Review Schedule
Treat security reviews like your car's MOT. Schedule them in your diary and actually do them. Ask yourself: "Are my defences still relevant to the threats out there?"
Consider Automation
Intrusion detection tools and vulnerability scanners aren't just for large multinationals anymore. They fit comfortably into small business operations, often catching and patching issues before you even know they exist.
Staff Training
Technology can only protect you so far. The biggest security gaps usually sit between the keyboard and the chair. Regular training on spotting dodgy emails and not clicking every link matters more than you think. All the AI in the world means nothing if someone opens the virtual front door for attackers.
Key Quotes from the Episode
"When you've got bugs that can lead to unauthorised access, stolen data, or a business-crippling ransomware attack, you simply can't afford to fall behind."
"These updates have real-world impact. I'm not talking theoretical."
"Don't leave your business exposed whilst attackers are combing these patch notes, looking for firms running behind."
"Not updating isn't just risky, it's old-fashioned."
"The strongest business is the one that learns just a bit faster than the crooks."
UK Business Context
Why This Matters for Small Businesses
Whether you're a florist in Aberdeen or a solicitor's office in Kent, cybersecurity isn't about ticking an IT box. These updates protect your ability to keep the cash register ringing and maintain customer trust.
Business-crippling ransomware attacks don't just happen to large corporations. Small businesses are increasingly targeted because attackers know you often lack dedicated IT resources and may be running behind on updates.
Regulatory Considerations
Whilst Graham doesn't dive deep into compliance in this Hot Take, remember that unpatched systems can create regulatory headaches:
- GDPR obligations require appropriate security measures
- ICO enforcement takes security seriously
- Professional indemnity insurers increasingly audit cybersecurity practices
- Client trust depends on demonstrating you protect their data properly
Technical Details (For the IT-Minded)
Vulnerability Breakdown
- 80 Elevation of Privilege vulnerabilities
- 31 Remote Code Execution flaws
- 28 Information Disclosure issues
- 11 Security Feature Bypass vulnerabilities
- 11 Denial of Service flaws
- 10 Spoofing vulnerabilities
- 1 Tampering vulnerability
Notable Zero-Days Patched
- CVE-2025-24990: Agere Modem driver vulnerability (actively exploited)
- CVE-2025-59230: Windows Remote Access Connection Manager (actively exploited)
- CVE-2025-24052: Agere Modem driver (publicly disclosed)
- CVE-2025-2884: TPM 2.0 implementation flaw
- CVE-2025-0033: AMD EPYC processor vulnerability
- CVE-2025-47827: IGEL OS Secure Boot bypass
Removed Components
Microsoft removed the Agere Modem driver (ltmdm64.sys) after evidence of abuse for privilege escalation. If you rely on fax modem hardware that uses this driver, it will stop working after this update.
Resources and Further Reading
Official Microsoft Sources
- Microsoft October 2025 Patch Tuesday Security Update Guide
- Windows 11 Version 25H2 Known Issues
- Windows 10 Extended Security Updates Information
Third-Party Analysis
- BleepingComputer: October 2025 Patch Tuesday Coverage
- Windows Central: 9 New Features in October Update
- Cybersecurity News: Detailed Vulnerability Analysis
UK-Specific Resources
Episode Credits
Host: Graham Falkner
Production: The Small Business Cyber Security Guy Podcast
Copyright: 2025 - All Rights Reserved
Call to Action
Help Other Small Businesses Stay Secure
Like this Hot Take if you found it useful
Subscribe to catch every episode as we release them
Share with other UK small business owners who need to hear this
Comment with your own update horror stories or success stories
Your engagement helps us reach more small businesses who desperately need practical cybersecurity guidance. Every share might save another business from becoming next month's ransomware statistic.
Stay Connected
Visit thesmallbusinesscybersecurityguy.co.uk for:
- Complete episode archive
- Written guides and checklists
- Additional resources for UK small businesses
- Ways to submit questions for future episodes
Related Episodes
Looking for more context on topics mentioned in this Hot Take? Check out these related episodes:
Episode 17: Social Engineering - The Human Firewall Under Siege
Why staff training matters more than you think, and how attackers exploit human psychology
Episode 10: White House CIO Insights Part 3 - Advanced Threats & AI
AI-powered attacks and how small businesses can defend against sophisticated threats
Enhanced Supply Chain Security
Understanding vendor dependencies and how updates fit into broader security strategy

Tuesday Oct 14, 2025
Why the Chancellor Just Wrote to UK CEOs: Cyber Attacks Surge 50%
Ministers have sent an urgent letter to UK business leaders after the NCSC handled 204 nationally significant cyber incidents in the past year, with 18 "highly significant" incidents – a 50% increase for the third consecutive year. Join Mauven MacLeod and Graham Falkner as they unpack the government's wake-up call and translate ministerial warnings into concrete actions every business leader can take today.
What You'll Learn
- Why the Chancellor and three Cabinet Ministers personally co-signed an urgent letter to UK business leaders
- The shocking NCSC statistics: nearly half of all incidents were nationally significant, with highly significant incidents up 50%
- Real-world impact: empty supermarket shelves, healthcare disruption causing deaths, and £300m+ losses for single organisations
- The three specific government requests that will have an immediate impact on your cyber resilience
- Practical first steps you can take this week (most are free)
Key Quotes
"Any leader who fails to prepare for that scenario is jeopardising their business's future... It is time to act." - Richard Horne, CEO of NCSC
"Hostile cyber activity in the UK is growing more intense, frequent and sophisticated. There is a direct and active threat to our economic and national security." - Ministerial Letter, 13 October 2025
"While you can plan meticulously, nothing truly prepares you for the moment a real cyber event unfolds. The intensity, urgency and unpredictability of a live attack is unlike anything you can rehearse." - Shirine Khoury-Haq, CEO of The Co-op Group
Resources Mentioned
- Ministerial Letter (13 Oct 2025)
- NCSC Annual Review 2025
- Free Cyber Governance Training for Boards
- Early Warning Service (Free) - 13,000+ organisations already signed up
- Cyber Essentials - 92% reduction in insurance claims
- Cyber Action Toolkit - Free for small businesses
Take Action This Week
- Sign up for NCSC Early Warning (free)
- Read the ministerial letter
- Add cyber security to your next Board agenda
- Check if MFA is enabled on critical systems
About the Hosts
Mauven MacLeod - Ex-NCSC cyber security expert with Glasgow roots who translates government-level threat intelligence into practical advice for small businesses.
Graham Falkner - The unmistakable voice from UK cinema trailers, now bringing his theatrical gravitas and storytelling skills to demystify cybersecurity for business leaders.
Connect
Visit our blog: thesmallbusinesscybersecurityguy.co.uk
Like the show? Subscribe, leave a review, and share with colleagues.
Episode Length: ~8 minutes
Bottom line: Nearly half of NCSC incidents are now nationally significant. It's time to act.

Monday Oct 13, 2025
Extra Credit: The Corrections, The Code, and The Safeguarding Bombshell
We were wrapping up our interview with Tammy Buchanan about the Kido nursery breach when she said: "Actually, there were some really important points I forgot to make."
So we grabbed another cup of tea, broke out the custard creams, and kept recording.
Then, during the tea break, Graham discovered something on Twitter: VX-Underground, a credible malware research collective, had posted a screenshot of what appears to be a Kido GitHub repository containing API code. Files that typically contain system credentials. A potential smoking gun.
In Part 2, Tammy reveals what was missed in Part 1, including the game-changing fact that cybersecurity is now officially linked to safeguarding in the 2025 Keeping Children Safe in Education guidance. We examine the repository screenshot and discuss what it suggests about how breaches like this happen.
This isn't theory. This appears to be a real-world example of the vulnerability that could lead to children's data being stolen. And your child's school might have the same exposure.
Recorded in the same session as Part 1. This is what happens when cybersecurity news moves faster than podcast recording sessions.
Currently ranked in the Top 100 Apple Business Podcasts (US)
This episode is sponsored by Authentrend Biometric Hardware
Why Listen to Part 2?
If you listened to Part 1 and thought "that's bad but it won't happen to us," Part 2 will change your mind.
The game-changer: Cybersecurity is now safeguarding, not just IT. Schools can't ignore it anymore.
The smoking gun: A screenshot showing what appears to be exposed code—the exact type of vulnerability experts warn about.
The corrections: What we got wrong in Part 1, and why the reality is even more serious.
What You'll Learn
The Major Revelations
- Cyber Security = Safeguarding (2025 Guidance)
- First time explicitly linked in statutory guidance
- Changes everything about how schools must respond
- Makes Kido a safeguarding failure, not just IT breach
- Gives cyber the legal teeth it's never had
- The Repository Screenshot
- VX-Underground documented what appears to be Kido's code
- Files that typically contain credentials visible
- Repository has since been removed
- Suggests how breach may have occurred
- Partial MFA = No MFA
- Schools enable MFA for head teachers but not everyone
- Like "locking doors but leaving windows open"
- Must be ALL staff with system access or it's useless
- The Third Party Illusion
- Schools think IT providers handle compliance
- DfE Standards explicitly say schools must verify
- Cannot outsource responsibility
Practical Takeaways
- Why phone-based MFA conflicts with safeguarding policies (and what to do)
- The NCSC Cyber Assessment Framework for schools
- Questions to ask developers about code repositories
- How to audit custom software
- What "Time Off In Lieu" means for training
The VX-Underground Discovery (Important Context)
What We Can Confirm
On 28 September 2025, VX-Underground (a credible malware research collective) posted a screenshot showing what appears to be a GitHub repository:
- Repository name: kido-fullstack/mykido-api
- Files visible: Including mail.py (typically contains email credentials in Python apps)
- Repository stats: 2 contributors, 0 issues, 0 stars, 0 forks
- Current status: Repository has been removed
- VX-Underground's assessment: Called it "f**king slop piece of s**t"
- See: https://www.instagram.com/reel/DPUjd9mj2tG/
What We Cannot Independently Verify
- The actual contents of the files (repository is down)
- Whether repository was public or had limited visibility
- That this definitively caused the breach
- What specific credentials may have been present
Why It Matters
This screenshot matches the exposure pattern security practitioners warn about:
- Custom code pushed to repositories without proper security review
- File names that typically hold credentials visible in the repository tree
- Pattern common in the education sector (confirmed by Tammy)
- Would explain how Famly-held data could be accessed without any breach of Famly's own infrastructure
We present this as a plausible explanation based on professional analysis, not as a confirmed fact.
The Safeguarding Game-Changer
2025 Keeping Children Safe in Education Guidance
For the first time, statutory safeguarding guidance for UK schools explicitly mentions taking appropriate actions to meet the Cyber Security Standard.
What this means:
- Cybersecurity is no longer optional IT work
- It's a safeguarding responsibility with Ofsted implications
- Schools respond to safeguarding requirements (unlike IT recommendations)
- Governors have safeguarding oversight duties that now include cyber
- The Kido breach is officially a safeguarding failure
When it takes effect: The 2025 guidance is already in force. Schools should be implementing now.
Why schools don't know: Most haven't read the updated guidance yet. Awareness is the first problem.
Critical Corrections from Part 1
1. The MFA Misconception
What we said in Part 1: "Only 50% of schools have MFA enabled"
What Tammy clarified: That 50% is misleading because many schools have partial MFA - only for senior staff like head teachers and SENCOs.
The reality: Partial MFA = NO MFA. It's like locking your front door but leaving all the windows open. Attackers target the weakest link, not the strongest.
The phone problem: Many MFA solutions assume a personal phone, but safeguarding policies ban phones in classrooms. Schools need alternatives such as hardware security keys (FIDO2) or authenticator apps on managed devices; if a device is shared, each user still needs their own authenticator profile on it, otherwise the second factor is shared too.
Where MFA works: Primarily email systems currently - but email is the gateway to everything else (password resets, system access, parent communications).
2. The Compliance Responsibility Myth
The misconception: "We pay an IT company, so they're handling DfE Digital Standards compliance for us."
The reality: DfE Standards explicitly state it's the organisation's responsibility to ask: "Are we meeting this standard? How do we meet this standard?"
What IT providers should do: Help implement technical controls
What schools must do: Verify compliance is actually happening
Who's responsible: School leadership, governors, senior management - not outsourceable
3. Training and TOIL
Correction: Staff must be given Time Off In Lieu (TOIL) for cybersecurity training. They cannot be expected to complete training unpaid outside work hours.
Why it matters: Schools operating on tight budgets must account for training time in scheduling and costs.
Resources Mentioned
Statutory Guidance and Standards
Keeping Children Safe in Education 2025
- Statutory safeguarding guidance for schools
- First explicit link between cybersecurity and safeguarding
- Available: UK Government website / DfE publications
- ACTION: Read Section on Cyber Security Standard
DfE Digital Standards for Schools
- Sets out cyber security requirements
- Six standards schools should meet by 2030
- Schools must actively verify compliance
- ACTION: Ask your school "Are we meeting these?"
Free Security Resources
NCSC Cyber Assessment Framework (CAF)
- NCSC's outcomes-based cyber resilience framework: four objectives (managing risk, protecting against attack, detecting events, minimising impact) and 14 principles
- Built for organisations running essential services, but discussed on the episode as usable by schools too
- Written as outcomes rather than prescribed products, so it is readable without a technical background
- Covers: identity and access control, incident response and recovery, supply chain security
- Free to use
- LINK: ncsc.gov.uk
NCSC Early Years Settings Guidance
- Bespoke guidance for nurseries
- Practical steps for settings without IT expertise
- LINK: ncsc.gov.uk
GitHub Secret Scanning
- Free for public repositories (private repositories need a paid add-on)
- Detects known credential formats (cloud keys, tokens, private keys) already committed to the repository
- Push protection, also free for public repositories, blocks a detected secret before it reaches the repository; turn both on
- A finding is not the fix: revoke and rotate the credential, because deleting the file or the repository leaves the value in commit history and in any clone already taken
- ACTION: Enable on all repositories
Tammy's Resources
DfE Digital Standards Webinars
- Regular sessions explaining standards in simple terms
- How to track progress and implementation
- Contact Tammy for upcoming dates
Guest Expert
Tammy Buchanan
Title: Senior Data Protection Consultant
Organisation: Data Protection Education
Background:
- 15 years in UK education sector
- 12 years working directly in schools (8 years technician, 4 years IT manager)
- "Recovering Dave from IT"
What makes Tammy credible: She's not a theoretical expert. She's been the person fixing school printers at 8am, dealing with budget constraints, navigating safeguarding policies. When she says "schools don't have the expertise," she's speaking from lived experience.
Expertise:
- Data protection compliance in education
- Information security for schools and MATs
- DfE Digital Standards implementation
- GDPR for the education sector
- Cyber resilience on school budgets
Contact Tammy
Email: info@dataprotection.education
LinkedIn: Tammy Buchanan (personal) / Data Protection Education (company page)
Services:
- Compliance assessments
- DfE Digital Standards webinars
- Data protection consultancy for schools and MATs
- Incident response support
Questions Parents Should Ask Their School
Copy these questions and email them to your head teacher:
Security Basics
- Do you have multi-factor authentication (MFA) enabled for ALL staff with system access (not just senior leadership)?
- How often do staff receive cybersecurity training, and is Time Off In Lieu provided for this training?
- Where is your incident response plan, and when was it last tested?
Custom Software and Code
- Do we have any custom-built software, integrations, or scripts?
- If yes: Where is the source code stored? (GitHub, GitLab, etc.)
- Who has access to our code repositories?
- Have repositories been scanned for exposed credentials, including the commit history, not just the current files?
- Do former developers or contractors still have access to our systems?
Compliance and Governance
- Are we meeting the DfE Digital Standards, and how is this verified?
- Who on the governing body is responsible for data protection and cyber resilience?
- How are you addressing cybersecurity as part of your safeguarding responsibilities under the 2025 Keeping Children Safe in Education guidance?
Third Party Platforms
- Which platforms hold our children's data? (Famly, Tapestry, Arbor, etc.)
- How do you verify these platforms are securely configured?
- Does our IT provider handle compliance verification, or do you verify it yourselves?
Don't accept: "We have an IT company, they handle all this."
Do accept: Specific answers with evidence of verification.
Questions Schools Should Ask Developers
If you have any custom software, ask your developer:
- Where is the source code stored?
- Is the repository public or private?
- Who currently has access to the repository?
- Are there any credentials, API keys, or connection strings in the code?
- How are secrets managed? (Environment variables, secret management tools?)
- When was the code last security reviewed?
- Has the repository, including its commit history, been scanned for exposed secrets?
- What happens if you're not available? Who else can access/maintain this?
Red flags:
- "What do you mean by credentials in the code?"
- "It's a private repo, it's fine."
- "I'll get round to moving those credentials out eventually."
- Cannot answer who else has access
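The check behind the developer questions above and the GitHub Secret Scanning entry in the resources list: a small scanner for hardcoded credentials that a school's technician could run over a custom repository's files and over its `git log -p` output, so that a "removed" password still shows up. This is an added example for this page, not Kido's or any project's code. The file names, file contents and the git-history excerpt are constructed for illustration; the AWS key is Amazon's published example key, not a live credential.

```python
"""Hardcoded-credential scanner: the check behind "has the repository been
scanned for exposed secrets?". Sample inputs below are constructed for this
example and are not taken from the repository discussed on the episode."""
import re
from dataclasses import dataclass

# Credential type -> regex. Deliberately loose: a developer confirming a false
# positive costs minutes; a missed SMTP password costs a breach.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "github_token": re.compile(r"\bgh[pousr]_[A-Za-z0-9]{36,}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
    # password = "..." / SMTP_PASSWORD: '...' / client_secret="..." / token='...'
    "hardcoded_password": re.compile(
        r"(?i)(?:pass(?:word|wd)?|secret(?:[_-]?key)?|api[_-]?key|token)\s*[:=]\s*['\"]([^'\"]{6,})['\"]"
    ),
    # scheme://user:password@host, the classic leaky connection string
    "url_embedded_credentials": re.compile(r"\b[a-z][a-z0-9+.-]*://[^/\s:@]+:([^@\s]+)@"),
}


@dataclass(frozen=True)
class Finding:
    path: str
    line_no: int
    kind: str
    preview: str  # the offending line with the secret value masked


def _mask(line: str, match: re.Match) -> str:
    """Blank out the secret (capture group 1 if present, else the whole match)
    so the report itself can be emailed to a head teacher or governor."""
    start, end = match.span(1) if match.lastindex else match.span()
    return line[:start] + "*" * (end - start) + line[end:]


def scan_text(path: str, text: str) -> list[Finding]:
    """Scan one file's contents (or a git log -p excerpt) line by line."""
    findings = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        for kind, pattern in PATTERNS.items():
            m = pattern.search(line)
            if m:
                findings.append(Finding(path, line_no, kind, _mask(line, m)))
    return findings


def scan_files(files: dict[str, str]) -> list[Finding]:
    return [f for path, text in files.items() for f in scan_text(path, text)]


def report(files: dict[str, str]) -> dict[str, int]:
    """Findings per path; paths with zero findings are kept so the report
    shows what was checked, not only what failed."""
    counts = {path: 0 for path in files}
    for f in scan_files(files):
        counts[f.path] += 1
    return counts


# Constructed sample inputs (not real credentials): a leaky mail.py of the kind
# the episode describes, a settings file, a hardened mail.py for contrast, and a
# git history excerpt showing that a "removed" secret is still in the repository.
SAMPLE_FILES = {
    "mail.py": "\n".join([
        "import smtplib",
        "SMTP_HOST = 'smtp.example.net'",
        "SMTP_USER = 'noreply@nursery.example'",
        "SMTP_PASSWORD = 'Nursery2024!'",
        "def send(to, body):",
        "    with smtplib.SMTP(SMTP_HOST, 587) as s:",
        "        s.login(SMTP_USER, SMTP_PASSWORD)",
        "        s.sendmail(SMTP_USER, [to], body)",
    ]),
    "settings.py": "\n".join([
        "DATABASE_URL = 'postgres://app:S3cretPw@db.internal:5432/mykido'",
        "AWS_ACCESS_KEY_ID = 'AKIAIOSFODNN7EXAMPLE'  # AWS's published example key",
        "DEBUG = True",
    ]),
    "mail_hardened.py": "\n".join([
        "import os, smtplib",
        "def smtp_password() -> str:",
        "    # read from the environment or a secret manager; fail closed if unset",
        "    value = os.environ.get('SMTP_PASSWORD')",
        "    if not value:",
        "        raise RuntimeError('SMTP_PASSWORD is not set')",
        "    return value",
    ]),
    "git log -p (excerpt)": "\n".join([
        "commit 0000000 (constructed)",
        "-SMTP_PASSWORD = 'OldPassw0rd'",
        "+SMTP_PASSWORD = os.environ['SMTP_PASSWORD']",
    ]),
}

if __name__ == "__main__":
    for f in scan_files(SAMPLE_FILES):
        print(f"{f.path}:{f.line_no} [{f.kind}] {f.preview}")
    print(report(SAMPLE_FILES))
```

Run as a script it prints one masked line per finding: the leaky mail.py and the settings file are flagged, the hardened mail.py is clean, and the old password in the history excerpt is still found even though the current file no longer contains it. That last case is the point of scanning history: a credential that has ever been committed has to be revoked and rotated, because deleting the line, or the whole repository, does not remove it from clones already taken.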
The Bigger Picture
Why This Matters Beyond Kido
The pattern Tammy sees constantly:
- School needs custom integration between systems
- Hire developer (staff, parent volunteer, local contractor)
- Developer builds something functional
- Developer has zero security training
- Code pushed to GitHub/GitLab for convenience
- No security review, no secrets management
- Repository sits there for months/years
- Former contractors still have access
- No documentation of what exists or where
- School doesn't know to check
One credential compromise = full breach
The Education Sector Reality
Constraints schools face:
- No dedicated IT staff (part-time technician comes twice a week)
- No cybersecurity budget
- Volunteer governors with no technical expertise
- Staff expected to train in unpaid time
- Third-party providers without clear responsibility
- Safeguarding policies that conflict with security best practice
- An overwhelming number of platforms and systems
- Turnover of staff and contractors
What needs to change:
- Make cyber security statutory with Ofsted oversight
- Provide funding for proper implementation
- Link explicitly to safeguarding (now happening!)
- Require IT providers to verify compliance
- Train governors on cybersecurity oversight
- Make DfE Digital Standards non-negotiable
The safeguarding link is the breakthrough - schools MUST respond to safeguarding requirements.
Key Quotes
Tammy on partial MFA:
"It's like locking your front and back doors and then leaving all the downstairs windows open. I consider that to be NOT having MFA enabled."
Tammy on the safeguarding link:
"Schools can ignore IT recommendations. They can say 'no budget, we'll get to it eventually.' But you cannot ignore safeguarding. Safeguarding is non-negotiable."
Tammy on the repository:
"This is actually more common than people think, especially in education. Somebody builds something, pushes it to GitHub for version control, and doesn't think about security."
Tammy on compliance responsibility:
"Your IT provider should help you meet the standards, but the responsibility for checking remains with the school leadership. And most schools don't realise that."
Noel on the repository screenshot:
"The attack vector wasn't sophisticated hacking. It appears to be 'your code was accessible on the internet with the keys to the kingdom visible in the files.'"
What's Next?
If You're a Parent
- Email your school the questions above
- Don't accept vague reassurances
- Ask for specific evidence that they're meeting DfE Digital Standards
- Remember: you're asking about safeguarding, not just IT
If You're a School Leader
- Read the 2025 Keeping Children Safe in Education guidance
- Audit all custom software and code repositories
- Enable MFA for ALL staff (find solutions for phone conflict)
- Document what you have and who has access
- Verify DfE Digital Standards compliance yourself
- Contact Tammy or similar experts for gap analysis
If You're a Governor
- Add cyber security to safeguarding oversight
- Ask the head teacher the same questions parents should ask
- Don't accept "our IT company handles it"
- Consider appointing a digital lead on the governing body
- Ensure cyber security is a standing agenda item
Social Media Sharing
Share this episode if:
- You're a parent with kids in nursery or school
- You're a school governor or school leader
- You work in education
- You're concerned about children's data protection
- You want schools to take cyber security seriously
Tag: #CyberSecurity #Education #Safeguarding #DataProtection #Kido #DfEDigitalStandards
Share quote: "Cyber security is now officially SAFEGUARDING in UK schools. Not optional IT. Not nice-to-have. SAFEGUARDING. This changes everything."
Connect With The Show
Website: thesmallbusinesscybersecurityguy.co.uk
Blog: Full breakdown of repository screenshot analysis
Subscribe: Available on all major podcast platforms
Review: Leave us a review and tell us what you think
Comment: What security topic should we cover next?
Currently ranked Top 100 Apple Business Podcasts (US)
Related Episodes
Part 1: The Education Data Protection Gap (listen first)
- Main interview with Tammy Buchanan
- Overview of Kido breach
- Systematic failures in education security
- 35-40 minutes
The Kido Wake-Up Call (30 September 2025)
- Initial reaction to breach announcement
- Why nurseries are targets
- Immediate implications
Episode Credits
Hosts:
- Noel Bradford (The Veteran Solution Provider)
- Mauven MacLeod (The Government-Trained Practitioner)
- Graham Falkner (Producer/Researcher)
Guest:
- Tammy Buchanan (Data Protection Education)
Production:
- Same session recording as Part 1
- Tea break transition edited
- Cold open recorded post-session
- Natural conversation maintained
Special mention:
- Custard creams (the real MVPs)
- VX-Underground (for documenting the repository before it vanished)
Legal Disclaimer
This podcast provides general information about cybersecurity topics for educational purposes. Listeners should consult a professional for their specific situation.
Regarding the repository screenshot: We present analysis based on a screenshot from a credible source (VX-Underground). The repository has been removed and we cannot independently verify its contents. Our discussion represents a professional assessment based on typical development practices, not a confirmed fact about the specific breach mechanism.
The views expressed by guests are their own and do not necessarily reflect the views of the hosts or production team.
Transcript
Full transcript available at: thesmallbusinesscybersecurityguy.co.uk/transcripts
Accessibility: Contact us for alternative formats
Next Episode
Next time: Infosec, Cybersec, and IT security - They are the same right?? Spoiler Alert: No they are not!
Coming soon: More deep dives into small business cyber security. Subscribe so you don't miss it.
Published: 13 October 2025
Duration: ~30 minutes
Format: MP3
Copyright: © 2025 The Small Business Cyber Security Guy
License: All rights reserved
Stay safe out there. Check your repositories. Enable MFA for everyone. And remember, cybersecurity is safeguarding now.

Tuesday Oct 07, 2025
Detention: The Day 8,000 Children's Data Went Missing
Episode Description
Following the Kido nursery breach where 8,000 children's photos were stolen and posted online, we sit down with education sector expert Tammy Buchanan. With 15 years working in UK schools and now consulting on data protection compliance, Tammy reveals the shocking reality of cybersecurity in British education. From nurseries using platforms like Famly and Tapestry to primary schools struggling with basic MFA implementation, this conversation exposes systematic failures that put every child's data at risk. If you're a parent, school governor, or education professional, this episode will change how you think about school security.
Currently ranked in the Top 100 Apple Business Podcasts (US)
What You'll Learn
- Why only 50% of schools have multi-factor authentication enabled
- The difference between early years providers and mainstream schools
- How photo-rich platforms create unique vulnerabilities for nurseries
- Why DfE digital standards remain unknown to most schools
- The governance problem: volunteers without power
- Who actually gets things done when head teachers won't prioritise security
- Why schools keep breaches quiet and what that means for parents
- Practical steps parents can demand from their child's school today
- The Cyber Essentials challenge for small schools with limited budgets
- How COVID pushed schools years ahead without proper security foundations
Guest Contact Details
Tammy Buchanan
Senior Data Protection Consultant
Data Protection Education
Email: info@dataprotection.education
LinkedIn: Search for Tammy Buchanan or visit the Data Protection Education company page
Website: Data Protection Education
Tammy and her team (including a solicitor) work with schools across the UK on data protection compliance, information security, and cyber resilience. They provide free resources and news updates for schools on their LinkedIn page.
Resources Mentioned
Government and Regulatory:
- DfE Digital Standards (Department for Education)
- NCSC (National Cyber Security Centre) staff training resources
- ICO (Information Commissioner's Office) breach log and guidance
- Ofsted inspection framework
- Safeguarding regulations
Platforms Discussed:
- Famly (early years learning journey platform)
- Tapestry (early years learning journey platform)
- Arbor (school management information system)
- Bromcom (school management information system)
Security Standards:
- Cyber Essentials certification
- Multi-factor authentication (MFA) implementation
- Incident response planning
Additional Resources:
- The Small Business Cyber Security Guy blog: thesmallbusinesscybersecurityguy.co.uk
- Data Protection Education news page (free resources for schools)
Key Statistics from This Episode
- 50% or less of schools have MFA enabled
- 8,000 children's photos stolen in the Kido breach
- 12 years Tammy worked directly in schools before consulting
- 15 years Tammy has been in the education sector overall
- 2030 target date for schools to meet six DfE digital standards
Questions Parents Should Ask Their School
- Do you have multi-factor authentication enabled on all systems?
- How often do staff receive cybersecurity training?
- Where is your incident response plan and when was it last tested?
- Who on the governing body is responsible for data protection and cyber resilience?
- Are you working towards the DfE digital standards?
- Which third-party platforms hold my child's data and photos?
- How do you monitor and configure security settings on these platforms?
Key Takeaways
For Parents:
- Schools are having breaches regularly but keeping them quiet
- Most schools lack basic security like MFA
- Your child's photos on learning journey apps create unique risks
- You have the right to ask questions about data protection
- Schools respond to parental pressure
For School Leaders:
- Documentation matters for ICO compliance
- Training needs updating regularly, not the same video for three years
- Incident response plans are useless if nobody knows where they are
- School business managers need authority, not just responsibility
- Other schools' examples work better than external expert advice
For Governors:
- Cybersecurity needs to be statutory to get real traction
- Digital lead on governing body remains unfilled at many schools
- You need both knowledge and authority to make change happen
- Physical security analogies help boards understand cyber risks
The Big Picture
This episode exposes a systematic failure in UK education cybersecurity. Schools operate under considerable constraints, including volunteer governance, stretched budgets, and part-time IT support. Meanwhile, they hold treasure troves of children's data on platforms configured by people who lack security expertise. The Kido breach reveals what happens when one password unlocks 8,000 children's intimate moments. Most schools are one credential compromise away from the same fate. Until cybersecurity becomes statutory or linked to Ofsted inspections, progress will remain painfully slow.
Connect With The Show
Website: thesmallbusinesscybersecurityguy.co.uk
Subscribe: Available on all major podcast platforms
Social Media: Find us on LinkedIn
Help us grow: Leave a review, subscribe, and share this episode with parents, teachers, and school governors who need to hear this message.

Wednesday Oct 01, 2025
Why Windows 11 25H2 Is a Quiet Security Game-Changer
Host Graham Faulkner dives into Windows 11 25H2 in this solo episode, explaining why this understated update matters for security, stability, and small-business productivity. He breaks down how 25H2 arrives as an Enablement Package (EKB), what that means if you’re already on 24H2, and why the streamlined rollout keeps disruptions to a minimum.
The episode covers key technical and practical changes: removal of legacy components like PowerShell 2.0 and WMIC, continued performance improvements (CPU scheduling, memory management, faster startups), and expanded Wi‑Fi 7 support. Graham highlights Microsoft’s shift toward continuous monthly innovation and why that helps maintain a more secure, reliable environment without waiting for big yearly releases.
Security is a major focus: Graham explains Microsoft's Secure Future Initiative (SFI), which brings AI-assisted secure coding and enhanced vulnerability detection into the development and post-release lifecycle. He frames these advances for small business owners, showing how better detection and automated security practices reduce risk and downtime.
Practical deployment and lifecycle details are explained clearly: support-cycle resets (24 months for Home/Pro, 36 months for Enterprise/Education), how to get 25H2 via the “Get the Latest Updates” toggle, controlled rollouts and device holds, and enterprise deployment options like Windows AutoPatch and the Microsoft 365 Admin Center. He also covers admin-friendly improvements such as removing preinstalled Microsoft Store apps with Intune or Group Policy.
The episode closes with hands-on advice: check the Windows Release Health Hub for known issues, back up critical machines before upgrading, verify driver and app compatibility, and prepare rollback plans for important systems. Graham adds a personal anecdote about preparing his vinyl-catalog PC for the update and stresses that 25H2 is about steady, practical improvements—safer, faster, and less disruptive for both single machines and fleets.

Tuesday Sep 30, 2025
Your 3-Year-Old's Data Is on the Dark Web Right Now: The Kido Wake-Up Call
In 40 years of Information Technology work, Noel Bradford has never been this angry. On September 25th, 2025, the Radiant ransomware gang stole personal data from 8,000 children at Kido International nurseries, posted their photos and medical records online, and then started calling parents at home to demand ransom payments. This isn't just another data breach. This is the moment cybercrime lost whatever soul it had left.
In this raw, unfiltered episode, Noel breaks down exactly what happened, why the security failures that enabled this attack exist in thousands of UK small businesses right now, and what you need to do immediately to protect your organisation from becoming the NEXT headline.
WARNING: This episode contains strong language and discusses disturbing tactics used by cybercriminals. Parental guidance advised.
What You'll Learn
- The complete timeline of the Kido ransomware attack and how it unfolded
- Why hackers spent weeks inside the network before striking
- The new escalation tactic of directly contacting victims' families
- Five critical security failures that allowed 8,000 children's records to be stolen
- Why "we're too small to be targeted" is the most dangerous lie in business
- The regulatory consequences Kido faces under UK GDPR
- Immediate action steps every small business must take NOW
- Why this attack signals a fundamental shift in cybercrime tactics
Key Takeaways
The Five Critical Failures
- Initial Access Was Preventable - Likely phishing, weak passwords, or unpatched vulnerabilities
- No Monitoring - Weeks of dwell time with zero detection
- No Network Segmentation - Once inside, the attackers could reach everything
- No Data Loss Prevention - 8,000 records exfiltrated without triggering alarms
- Inadequate Backups - No mention of restoration from clean backups (backups limit the damage from encryption; they do nothing to undo exfiltration, which is why the four failures above matter more here)
New Threat Landscape Reality
- Ransomware gangs now directly contact victims' families
- Children's data is being weaponised for psychological pressure
- Moral boundaries in cybercrime have completely dissolved
- Attack tactics proven successful will be replicated by other groups
Business Impact Statistics
- 43% of UK businesses suffered a breach in the past year
- Nearly 50% of primary schools reported cyber incidents
- 60% of secondary schools experienced attacks
- The education sector is particularly vulnerable
Featured Experts & Sources
Government & Law Enforcement:
- Metropolitan Police Cyber Crime Unit
- Information Commissioner's Office (ICO)
- Jonathon Ellison, Director for National Resilience, National Cyber Security Centre
Cybersecurity Experts:
- Rebecca Moody, Head of Data Research, Comparitech
- Anne Cutler, Cybersecurity Expert, Keeper Security
- Mantas Sabeckis, Infosecurity Researcher, Cybernews
Direct Victims:
- Stephen Gilbert, Parent with two children at Kido nursery
Threat Actors:
- Radiant Ransomware Gang (claims to be Russia-based)
Immediate Action Checklist
Do These TODAY:
- Enable multi-factor authentication on ALL business accounts
- Check that all software is updated to the latest versions
- Review who has access to sensitive data
- Verify backups exist and are stored offline
- Schedule staff phishing awareness training
Do These This Week:
- Audit your network segmentation
- Implement monitoring and alerting systems
- Review password policies across the organisation
- Create an incident response plan
- Assess cyber insurance coverage
Do These This Month:
- Conduct a full security audit
- Test backup restoration procedures
- Implement data loss prevention tools
- Review vendor and third-party security
- Schedule penetration testing
Resources Mentioned
Government Resources
- National Cyber Security Centre: https://www.ncsc.gov.uk/
- Information Commissioner's Office: https://ico.org.uk/
- Met Police Cyber Crime Unit: https://www.met.police.uk/advice/advice-and-information/fa/fraud/online-fraud/cyber-crime/
- UK Cyber Security Breaches Survey: https://www.gov.uk/government/collections/cyber-security-breaches-survey
Cybersecurity Companies
- Comparitech: https://www.comparitech.com/
- Keeper Security: https://www.keepersecurity.com/
- Cybernews: https://cybernews.com/
Legal & Compliance
- UK GDPR Guidance: https://ico.org.uk/for-organisations/guide-to-data-protection/
- Children's Data Protection: https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/children-and-the-uk-gdpr/
Episode Quotes
"What happened to Kido International this week represents the absolute lowest point I've witnessed in 40 years of cybersecurity."
"These hackers didn't just encrypt some files and demand payment. They actively posted samples of children's profiles online. Then they started ringing parents directly."
"You're not special. You're not too small. You're not immune. You're just next on the list unless you take action."
"The hackers claim they 'deserve some compensation for our pentest.' Let that sink in. They're calling this a penetration test."
"A child's photo, name, and home address in criminal hands. This data doesn't expire. It doesn't get less valuable. It just sits there, a permanent risk to these families."
"None of these failures are unique to nurseries or large organizations. I see the same problems in small businesses every single week."
"You're making the same mistakes that led to 8,000 children's data being posted on the dark web. The only difference is scale."
Discussion Questions
- How would you respond if your business were to experience a similar attack?
- What security measures do you currently have in place?
- Do you know where your most sensitive data is stored and who can access it?
- When was the last time you tested your backup restoration?
- How would you handle direct contact from threat actors?
Connect With Noel Bradford
- Website: The Small Business Cyber Security Guy
- Email: hello@thesmallbusinesscybersecurityguy.co.uk
- LinkedIn: Noel Bradford
Need Help With Your Cybersecurity? Equate Group
Support The Podcast
If this episode made you think differently about cybersecurity, please:
- ⭐ Leave a 5-star review on Apple Podcasts
- 📢 Share this episode with other business owners
- 📧 Subscribe to get every new episode
- 💬 Join the conversation on social media using #KidoHack
Legal Disclaimer
The information provided in this podcast is for educational and informational purposes only. It does not constitute legal, financial, or professional cybersecurity advice. Always consult with qualified professionals regarding your specific situation. Opinions expressed are those of the host and do not necessarily reflect the views of any organisations mentioned.
Transcript
Full episode transcript available at: TBC
Episode Tags
#Cybersecurity #Ransomware #DataBreach #SmallBusiness #KidoHack #UKBusiness #CyberCrime #DataProtection #GDPR #InformationSecurity #CyberAwareness #ThreatIntelligence #BusinessSecurity #RansomwareAttack #ChildSafety
© 2025 The Small Business Cyber Security Guy Podcast. All rights reserved.