

The UK's leading small business cybersecurity podcast, helping SMEs protect against cyber threats without breaking the bank.
Join cybersecurity veterans Noel Bradford (CIO at Boutique Security First MSP) and Mauven MacLeod (ex-UK Government Cyber Analyst) as they translate enterprise-level security expertise into practical, affordable solutions for UK small businesses.
🎯 WHAT YOU'LL LEARN:
- Cyber Essentials certification guidance
- Protecting against ransomware & phishing attacks
- GDPR compliance for small businesses
- Supply chain & third-party security risks
- Cloud security & remote work protection
- Budget-friendly cybersecurity tools & strategies
🏆 PERFECT FOR:
- UK small business owners (5-50 employees)
- Startup founders & entrepreneurs
- SME managers responsible for IT security
- Professional services firms
- Anyone wanting practical cyber protection advice
Every episode delivers actionable cybersecurity advice that you can implement immediately, featuring real UK case studies
Episodes

Thursday May 07, 2026
When Germany's .de Went Missing: A DNSSEC Fable of One Bad Signature
How a Broken DNSSEC Signature Knocked Out .de Sites
One bad signature. Millions of websites. Gone.
On 5 May 2026, Germany's .de domain vanished from the internet for three hours. Amazon.de, Deutsche Bahn, Spiegel, DHL, major banks: all unreachable. Not hacked. Not ransomwared. One broken cryptographic record from the registry that manages 17.9 million domains.
The servers were perfectly healthy. Nobody could find them.
Corrine Jefferson and Graham Falkner break down what went wrong, why your business has the exact same invisible dependency, and what to do about it.
Read the full analysis: How a Broken DNSSEC Signature Knocked Out .de Sites

Wednesday May 06, 2026
Chrome's Hidden AI: The 4GB Surprise Eating Your Disk and Bandwidth
Hot Take: Google Chrome, Gemini Nano, and the 4 GB Consent Problem
Show Notes
Google Chrome has been quietly downloading a roughly 4 GB AI model called Gemini Nano onto user devices in the background. No clear consent prompt. No notification. Just a file called weights.bin turning up in a folder called OptGuideOnDeviceModel like it pays the mortgage.
In this Hot Take, Noel breaks down why this is not an "AI is evil" story. It is a consent story. A governance story. And a vendor entitlement story that every UK small business needs to take seriously.
What Noel Covers
- Why a 4 GB background download is not a minor browser update
- What Google's own developer documentation confirms about model lifecycle management, background downloads, and full model updates
- Why "it was in the documentation" is not consent
- The governance mess this creates for managed business devices
- PECR and the ICO's guidance on storage and access technologies
- The environmental cost at Chrome scale (67.97% worldwide browser share)
- Why AI Mode in Chrome and on-device Gemini Nano are not the same thing, and why the confusion matters
- The embarrassingly simple fix Google has not implemented
- What UK small businesses should actually do about it right now
Key Quote
"We have somehow built frontier AI and still can't manage the radical engineering challenge of a bloody consent prompt."
Read the Full Analysis
The full article includes the complete source documentation, PECR regulatory detail, competitive advantage strategies, board-level talking points, and a step-by-step action list for UK small businesses.
Read the full article on the blog
Sources Referenced
All 14 primary sources, including Google's own developer documentation, ICO PECR guidance, and StatCounter market share data, are cited in the full blog post.

Monday May 04, 2026
Why 43% of UK Businesses Got Hit — and Why the Basics Let Them Down
Imagine watching the house next door burn and nodding sympathetically about smoke alarms — then never changing the battery in your own. That image opens our episode as Noel Bradford sits with Mauven MacLeod, Lucy Harper and Graham Falkner to unpack the UK Cybersecurity Breaches Survey 2025–26. This isn’t clickbait panic; it’s a weather report built from 2,112 businesses and 1,085 charities. The headline is simple and ugly: awareness rose after a year of big breaches on the news, but the boring, decisive basics slipped backwards.
The numbers feel like a betrayal: risk assessments fell from 48% to 41%, formal cybersecurity policies from 59% to 52%, and business continuity plans covering cyber plunged from 53% to 44% — nine points lost in a year. Those figures land harder when you remember that 43% of businesses still reported a breach or attack in the last 12 months. This is not rare misfortune; it’s roughly 612,000 organisations experiencing harm, often more than once — the median victim suffered three crimes in a year.
What explains the gap between knowing and doing? The episode frames it as a human story of overload, inertia and the tilt of daily fires over preventative work. Small-business owners juggle payroll, inventory and phone calls; cyber becomes a preventative chore that slides down the to-do list until a miserable Tuesday forces theatre rather than true repair. Awareness rose because the news was loud; conversion into diaries, policies and tested routines didn’t.
Phishing is still the thief in the night: 69% of the most disruptive incidents, and for 51% of breached businesses phishing alone was the culprit. The old advice — spot the typos, spot the scam — is breaking down as AI writes believable bait. The human being is no longer the reliable last line. So the fight shifts to identity: two-factor authentication and other account protections stop one mistake becoming total catastrophe. Progress exists — MFA adoption climbed from 40% to 47% — but more than half of firms remain exposed.
The survey throws up other startling blindspots: 22% of the most senior people responsible for cyber didn’t know if their organisation had cyber insurance; only 15% formally review immediate suppliers and a tiny 6% review the wider supply chain; 31% of businesses are using or considering AI but only 24% of those have any controls in place. These are not theoretical gaps — they are the plumbing and the paperwork that determine whether a single clicked link turns into a multi-week catastrophe.
We refuse to finish on gloom. The episode turns evidence into a razor-sharp, do-able checklist you can act on this week. Five prioritised moves: turn on MFA everywhere that matters; get your cyber insurance confirmed in writing and save the policy where two people can find it; write a one-page breach list with names and first actions; institute three simple AI rules (don’t paste customer data into public tools, don’t feed contracts or financials into unknown models, and always human-check AI outputs before sending); and review the three suppliers who can touch your systems or customer data.
There’s also practical advice on when to DIY and when to pay. If you’re tiny and organised, you can implement the basics yourself. If your Microsoft tenancy, sensitive customer data, or backups are beyond your comfort, pay for competence — spend where mistakes are expensive. The point of each suggestion is the same: decisions, dated and tested, beat good intentions left on the sofa.
By the episode’s close Noel, Mauven, Lucy and Graham press the same ask: turn concern into calendar time. Pick one thing this week — MFA, insurance confirmation, a breach list, supplier questions or simple AI rules — and do it. These are small, affordable, and powerful first steps. The survey’s verdict is harsh but useful: the fixes are often obvious. The hard part is choosing to stop drifting.
Listen for the stories, the statistics and the practical push to act. If this episode rattles you, let it. Drift kills small firms. One decision, one scheduled action, can change the story from a miserable Tuesday to a business that survives the next headline.

Monday Apr 27, 2026
Cyber UK 2026: The Front Line Arrives — What Small Businesses Must Do Now
When a government minister stood on a podium in Glasgow and said, “the cyber front line is already here,” it did not sound like a warning. It sounded like a cold, unavoidable truth.
In this episode, Noel Bradford is joined by Mauven and Graham, who attended Cyber UK 2026, to unpack what was said, what was left unsaid, and what it means for the small businesses quietly sitting inside UK supply chains.
The scale of the threat is no longer theoretical. Nationally significant cyber incidents are rising sharply. A single breach at Jaguar Land Rover reportedly cost nearly £2 billion across its supplier network. Nation state actors and ruthless criminal gangs are attacking faster, harder, and with greater precision. The old excuse of “we are too small to be targeted” is now dangerously out of date.
Noel, Mauven, and Graham break down the numbers, the reaction in the Glasgow conference hall, and the blunt reality behind the headlines. Government pledges may change the landscape, but they will not protect your business unless you act.
The episode also examines the government’s voluntary Cyber Resilience Pledge and why it matters. The most important part may be the supply chain effect. Large organisations that sign the pledge could start expecting their suppliers to hold Cyber Essentials certification. That may make Cyber Essentials a practical requirement for winning and keeping business, even if it is not yet written into law.
The team also explains why the £90 million funding commitment matters, but why small firms should not expect a sudden cash windfall. The immediate pressure will come from reputation, procurement, and customer expectations, not regulation.
There is also a reality check on AI. Powerful new models can now find deep, old vulnerabilities in hours. That gives attackers more speed and scale. But for most small businesses, the answer is not a six figure AI security platform. It is getting the basics right, faster.
Patch properly. Check whether your IT provider is ready for machine speed attacks. Start Cyber Essentials. Review AI use inside your business. Sign up to NCSC Early Warning.
By the end of the episode, you will have five practical, low cost actions you can take this week to move from passive hope to active defence.
If your business relies on larger customers, this episode gives you the timeline, the threat picture, and the checklist you need before the next procurement email lands.

Monday Apr 20, 2026
Every office has that moment: the site won’t load, someone whispers “DNS,” and immediately half the room turns into a jury with opinions but no evidence. In this episode of Small Business Cybersecurity Guy, Noel Bradford, Mauven MacLeod, Lucy Harper and Graham Falkner turn that reflexive blame into a story—part detective work, part practical guide—about why DNS so often gets accused, what really breaks, and how to stop losing hours to assumptions.

Wednesday Apr 15, 2026
167 CVEs and Counting: Patch Tuesday Throws the Kitchen Sink
167 vulnerabilities. Two zero-days. One already used in live attacks. Graham Falkner breaks down April's Patch Tuesday and what your business needs to do today — in under 10 minutes.
For full show notes and sources, see https://thesmallbusinesscybersecurityguy.co.uk/blog/patch-tuesday-april-2026-sharepoint-zero-day-uk-smb/

Monday Apr 13, 2026
From Tokens to Copilot: Fixing the Gaps in Your Microsoft 365 Defenses
They said they were secure because they’d turned on Microsoft 365 and MFA. That should have been the end of the conversation — except it wasn’t. In this episode we follow a small-business saga where confidence meets complacency: a tidy subscription, a proud admin ticked off in the dashboard, and then a perfectly ordinary Tuesday when the finance inbox receives a believable invoice and the lights go out on the company bank balance. This is not a movie heist; it’s bureaucratic sabotage — dull, precise, and devastating.
We pull the curtain back on how attackers pick the quietest path: mailbox rules that hide replies, forgotten connectors that bypass protections, OAuth prompts that invite parasites in, and session tokens that act like stolen wristbands. We show how MFA, while invaluable, is only one plank in a creaky bridge — and how adversary‑in‑the‑middle phishing, device‑code tricks, and consent abuse let threat actors walk straight across it.
Through vivid examples — a supplier invoice quietly altered, a payroll request that arrives at just the wrong time, an attacker living in a thread already trusted by your staff — the episode explains why ordinary-looking messages are the most lethal. We examine the patterns, the tiny settings that become permanent vulnerabilities, and the human moments where haste replaces verification. The drama is mundane; the impact is not.
We also look at the shiny things: Copilot and other productivity tools that can amplify both good work and a breach. If your permissions are messy, Copilot becomes a supercharged searchlight for attackers. If your tenant is tidy, it’s a time-saver. The story shows how the same feature can be helpful or harmful depending on the housekeeping behind it.
Finally, we turn tension into action with a clear, practical plan: check DMARC, hunt for forwarding rules, revoke suspicious app consents, remove unnecessary admins, and insist on a second verification channel for any money-moving requests. The episode closes with a simple promise — you do not need a fortress on a sandwich budget, you need fewer stupid gaps, better checks, and a bit more suspicion. Listen to this as a warning, a how‑to, and a Monday‑morning checklist for making your business noisier to attackers and faster to respond when things go wrong.

Monday Apr 06, 2026
What if you did everything right — paid the premiums, bought the policy — and on breach day they simply said, "nope"? This episode opens with that cold shock: a tiny answer on a form you filled 18 months ago about MFA, a quiet clause about state-backed operations, and suddenly a million-pound disaster is met with silence. I'm Mauven MacLeod, joined by Noel Bradford and the velvet tonsils of Graham Falkner, and we walk you into the room where insurers, forensics and legal tests meet your reality.
We tell the story through the eyes of small business owners — the manufacturer in Leeds, the dental practice in Cardiff — who thought they had done the right thing. You hear the panic calls, the blame-shifting over who completed the proposal form, and the slow, meticulous forensic process that turns your answers into evidence. This is not a lecture; it's a play-by-play of how a policy transforms from protection into an argument when paperwork and proof diverge.
Along the way we unpack the legal scaffolding that makes insurers act this way: the Insurance Act 2015 and the duty of fair presentation, the three flavours of misrepresentation (innocent, negligent, reckless), and why a single "yes" about multi-factor authentication can become Exhibit A in a claim dispute. We bring to life the tension between good intentions and hard evidence, and why the regulator expects a real connection between the breach and any policy condition.
We get technical without losing the plot. MFA becomes the episode's poster child; backups, patching, supported software and default admin accounts follow. You hear real examples of partial deployments, legacy carve-outs, and the kind of sloppy patching that turns an insurer's willingness to pay into a months-long negotiation. We explain how forensic teams reconstruct your environment and why the proposal form is no longer just a quote-getter — it's the baseline against which you will be judged.
Then we raise the stakes: Lloyd's model clauses and the state-backed cyber exclusion that can turn collateral damage from a global campaign into a denied claim. Attribution is messy, the wording can be sweeping, and even a small business can find itself arguing with the market if a headline-grabbing attack drags them into a wider campaign.
But this is a practical show as much as a cautionary tale. We hand you a pre-breach checklist you can act on this week: pull your proposal and policy, run a line-by-line reality check, harden MFA, tidy backups and patching, document tests and keep the proof. We explain what to do in the first 24–72 hours of a live incident — contain, preserve evidence, call the insurer or hotline, avoid freelance ransom payments, and keep a simple incident log that becomes priceless later.
By the time we close, you'll understand the ugly truth and the hopeful fix: cyber insurance can save your business, but only if you treat it as a living contract that matches the reality of your IT. This episode is a roadmap and a warning: prepare a little now, keep the evidence, ask awkward questions about your insurance, and you hugely increase the chance you get the support you paid for when it matters most.