

211.9K downloads, 60 episodes
The UK's leading small business cybersecurity podcast, helping SMEs protect against cyber threats without breaking the bank.
Join cybersecurity veterans Noel Bradford (CIO at Boutique Security First MSP) and Mauven MacLeod (ex-UK Government Cyber Analyst) as they translate enterprise-level security expertise into practical, affordable solutions for UK small businesses.
🎯 WHAT YOU'LL LEARN:
- Cyber Essentials certification guidance
- Protecting against ransomware & phishing attacks
- GDPR compliance for small businesses
- Supply chain & third-party security risks
- Cloud security & remote work protection
- Budget-friendly cybersecurity tools & strategies
🏆 PERFECT FOR:
- UK small business owners (5-50 employees)
- Startup founders & entrepreneurs
- SME managers responsible for IT security
- Professional services firms
- Anyone wanting practical cyber protection advice
Every episode delivers actionable cybersecurity advice that you can implement immediately, featuring real UK case studies
Episodes

Monday Sep 29, 2025
Join hosts Noel Bradford and Mauven MacLeod in this Back-to-School special of the Small Business Cybersecurity Guy podcast as they trace a line from 1980s schoolroom mischief to modern, large-scale breaches that put millions of students and small organisations at risk. Through recollections of early BBC Model B and Novell-era antics, the episode uses real recent incidents to expose how weak passwords, written-down credentials and opportunistic insiders create systemic security failures.
The episode unpacks headline-making investigations and statistics — including the ICO analysis showing that students are behind a majority of school data breaches, the PowerSchool compromise that affected tens of millions of records and led to extortion demands, and targeted campaigns such as Vice Society and the evolving Kiddo International incident. The hosts explain the motivations behind student-led breaches (curiosity, dares, financial gain, and revenge) and how those same drivers also appear within small businesses.
Noel and Mauven explain why insider threats matter, even when they aren’t sophisticated: most breaches exploit simple weaknesses, such as reused or guessable passwords, written notes, shared admin accounts, and a lack of access controls. Producer Graham contributes a live update on ongoing incidents, and the episode highlights how these events translate into operational disruptions — including school closures, days of downtime, and long-term reputational and legal fallout.
Practical defence is the episode’s focus: clear, actionable guidance covers immediate steps (audit access, enable multi-factor authentication, remove unnecessary privileges), short-term actions (implement logging and monitoring, deploy password managers, set up incident response procedures) and longer-term resilience measures (regular access reviews, backups, staff training and cultural change). The hosts emphasise designing security around human behaviour so staff follow safe practices instead of working around them.
Listeners will get a concise checklist of recommended technical controls — MFA, role-based access, privileged account separation, activity logging and reliable backups — alongside cultural advice: leadership buy-in, recognisable rewards for good security behaviour, and channels for curious employees to learn responsibly. The episode also highlights regulatory shifts, such as the introduction of mandatory Cyber Essentials for certain educational institutions, and links these requirements to small business risk management.
Expect vivid anecdotes, practical takeaways and a clear call-to-action: if a curious teenager can bypass your systems, it’s time to harden them. Whether you run a two-person firm or a growing small business, this episode provides the context, evidence, and step-by-step priorities to reduce insider risk, detect misuse quickly, and recover from incidents without compromising your customers’ trust.

Thursday Sep 25, 2025
£80M Blow: How Teenagers and One Phone Call Bankrupted Co-op's Cybersecurity
Co-op's CEO has just confirmed that their cybersecurity disaster cost £80 million. The attackers? Teenagers using basic social engineering. In this Hot Takes episode, we break down how "We've contained the incident" turned into an £80 million earnings wipeout, and why the final bill could reach £400-500 million once legal claims are settled.
This isn't just another breach story - it's a wake-up call for every UK business owner who thinks "it won't happen to us."
Key Topics Covered
The Attack Breakdown [0:30]
- April 2025 attack attributed to the Scattered Spider group
- Social engineering, not sophisticated exploits
- 6.5 million members affected (100% of Co-op members)
- 2,300 stores disrupted, 800 funeral homes on paper systems
The Real Cost [1:45]
- £80 million confirmed earnings impact
- £206 million total sales impact
- £20 million in direct incident costs
- Zero cyber insurance coverage
Why It Could Get Much Worse [2:30]
- Pending ICO fine: £15-20 million likely
- Individual GDPR compensation claims: £25-£150 per person
- Potential £325 million member compensation exposure
- Final bill estimate: £400-500 million
Lessons for UK Small Businesses [3:15]
- Social engineering beats technical defences
- Cyber insurance is essential, not optional
- Business continuity failures amplify costs
- Training matters more than firewalls
Key Statistics
- £80 million - Confirmed earnings impact
- 6.5 million - Customers affected (every single member)
- £12 - Cost per affected customer (low by UK standards)
- £325 million - Potential member compensation exposure
- 17-20 years old - Age of arrested suspects
- 2,300+ - Stores affected by operational disruption
Resources & Links
Full Analysis:
Read the complete breakdown: Link
Key Sources Cited:
- ICO Statement on Retail Cyber Incidents
- Computer Weekly: Co-op breach coverage
- Insurance Insider: Co-op's lack of cyber coverage
- UK Government Cyber Security Breaches Survey 2025
Action Items for Listeners
- Check your cyber insurance policy - Do you have coverage? Is it adequate?
- Review employee training - When was the last time your team received social engineering awareness training?
- Test business continuity - Can your operations survive 2 weeks offline?
- Read the full blog post - Get all the details and cost breakdowns
Quote of the Episode
"Co-op's disaster isn't a cybersecurity failure. It's a business leadership failure. And if you're listening to this thinking your business is different, you're next."

Tuesday Sep 23, 2025
Date: 23 September 2025. Host Mauven MacLeod delivers a furious, fast-paced analysis of two seismic cyber incidents and what they mean for UK and global businesses. This episode examines the Jaguar Land Rover and Collins Aerospace ransomware attacks, the human-driven methods that enabled them, and why they represent the first significant test of the EU's Digital Operational Resilience Act (DORA).
Topics covered include the scale of the damage (JLR reportedly losing up to £5 million per day and sector-wide losses potentially exceeding £1 billion), the criminal methodology (simple social engineering and help-desk manipulation by groups linked to Lapsus-style actors), and the cascading supply-chain impacts across the automotive and aviation sectors. The episode references ENISA's confirmation that Collins Aerospace was hit by ransomware and notes reactions from industry figures such as Chris MacDonald at the Department for Business and Trade, as well as large providers like Tata Consultancy Services, Microsoft and RTX/Collins Aerospace.
Key points you'll take away: these attacks were largely preventable with basic controls (MFA with hardware keys, formal help-desk identity verification, callback confirmation, network segmentation and focused security training), yet failures persist even at well-resourced organisations. Crucially, the episode explains DORA's cross-border reach (applicable since 17 January 2025), how EU authorities can designate critical ICT third-party providers (including non-EU firms), the reporting and continuity obligations this triggers for financial entities, and the penalties and oversight mechanisms now coming into play (for designated critical ICT providers, periodic penalty payments of up to 1% of average daily worldwide turnover, for up to six months).
Practical guidance for listeners covers immediate steps: map vendor dependencies and identify any providers serving EU financial entities; review and update contracts for DORA alignment; update incident response and continuity plans to reflect DORA reporting requirements; and deploy low-cost, high-impact controls like hardware MFA, strict help-desk processes and segmentation. The episode also critiques the UK government's reactive crisis management during these incidents and warns of an accelerating enforcement wave: designations, cross-border scrutiny and contractual overhauls are expected to intensify through 2025.
Ultimately, Mauven argues this is the start of a new era, one where regulatory exposure flows through vendor dependencies and where organisational will, not technical capability, is the biggest barrier to resilience. Listeners will finish with a clear sense of urgency, the regulatory risks to assess, and concrete next steps to reduce operational and regulatory fallout from future incidents.

Monday Sep 22, 2025
One IT Manager, Massive Risk: Burnout, Sabotage and System Failures
This episode explores the risks of relying on a single IT manager as an entire IT department.
Hosts Noel Bradford and Mauven MacLeod unpack why paying one person a modest salary is not the same as buying a full team of specialists, and they share vivid real-world horror stories — from a sudden resignation that paralysed a 40-person engineering firm, to a ruined holiday when backups failed, to a marketing agency locked out by a burnt-out IT manager.
Key topics include the cost mismatch between expectations and reality, how knowledge concentration creates critical single points of failure, signs that your IT lead is drowning (long hours, no lunch breaks, defensiveness, lack of documentation), and how poor management decisions can make things worse.
Practical solutions are given: document everything, hire a competent number two rather than a trainee, engage managed service providers for specialist and 24/7 support, move critical services to cloud platforms to reduce on-site burden, and start with small, affordable steps like basic support contracts or break-fix services.
The episode includes personal anecdotes from Noel (the "Donny" and zoo-day stories) and a discussion of when to involve external help, how to create continuity plans, and three immediate actions business owners can take today.
Listeners are encouraged to have an open conversation with their IT person, assess real costs and risks, and take steps to protect both their systems and their staff from burnout and catastrophic failure.

Monday Sep 15, 2025
Most small business owners think CIO stands for "Chief I-Fix-Everything Officer" and CISO means "Chief I-Worry-About-Security Officer." In this episode, Noel Bradford (actual CIO/CISO) breaks down what these executive roles actually do and why your business desperately needs this strategic thinking - without the six-figure salary.
Discover how fractional CIO/CISO services let 20-100 employee businesses access Fortune 500 expertise for £15,000-35,000 annually instead of £120,000+ for full-time hiring.
What You'll Learn
- The Real Difference Between CIO and CISO: Technology strategy vs security strategy (and why one person can do both).
- Why Dave from IT Needs Help: The unfair burden of strategic decisions on operational staff.
- Fractional Services Explained: How to get executive-level guidance for 8-12 hours per month.
- ROI Reality Check: Technology inefficiencies probably cost you more than £15k annually
- Finding Quality Providers: Red flags vs genuine executive experience.
- Integration Strategy: Treating fractional executives like Non-Executive Directors.
Key Takeaways
- Strategic technology and security leadership isn't just for large corporations.
- Fractional services cost £15,000-35,000 annually vs £120,000+ for full-time hiring
- Sound fractional executives enhance internal capabilities rather than replacing them.
- Treat fractional CIO/CISO like Non-Executive Directors - invite them to board meetings.
- Start with a current state assessment (£3,000-6,000) before ongoing engagement.
Diagnostic Questions
You probably need fractional CIO/CISO services if you answer "yes" to several of these:
- Technology decisions are made reactively rather than strategically
- Increasing tech spending without clear ROI visibility
- Security/compliance concerns are constantly pushed down the priority list
- Internal IT person making strategic decisions while handling operations
- Current systems won't scale with business growth plans
- Regulatory compliance anxiety about technology approaches
Episode Highlights
Real-World Example: A 15-person marketing agency saved £300/month and improved security by consolidating from multiple cloud storage solutions to a single strategic platform.
Cost Comparison: Fractional services at £150-350/hour for 8 hours monthly vs full-time CIO/CISO at £100,000-180,000 annually plus benefits and normal staffing costs.
Next Steps
- Honest self-assessment of current technology/security decision-making
- Calculate the annual cost of technology inefficiencies and security risks
- Research fractional providers with genuine senior executive experience
- Consider starting with the current state assessment project
Connect With Us
Hit subscribe, leave a review mentioning whether you're considering fractional services, and share with business owners making technology decisions without strategic guidance.
Remember: You don't need enterprise budgets to get enterprise thinking. And be kind to Dave - he's doing his best.
#FractionalCIO #FractionalCISO #CIO #CISO #ChiefInformationOfficer #ChiefInformationSecurityOfficer #FractionalExecutive #ITLeadership #TechnologyStrategy #SecurityStrategy #SmallBusiness #SMB #SmallBusinessOwners #Entrepreneurs #BusinessOwners #StartupLife #GrowingBusiness #ScaleUp #BusinessGrowth #SMBTech #ITStrategy #TechnologyLeadership #BusinessTechnology #ITManagement #DigitalTransformation #TechStack #CloudStrategy #ITBudget #TechnologyRoadmap #SystemsIntegration

Thursday Sep 11, 2025
September 2025 Patch Tuesday: Critical Business Update
Special Edition with Graham Falkner
Microsoft's September 2025 Patch Tuesday brings 81 security fixes, 9 of them rated critical. This episode provides essential business guidance for small business owners navigating these updates safely and efficiently.
Key Topics Covered:
- Business impact of 81 security vulnerabilities
- Four critical threats affecting small businesses
- SharePoint Server active exploitation campaigns
- Network authentication bypass vulnerabilities
- 7-day practical deployment strategy
- Windows 10 end-of-life planning (October 14th deadline)
- Cyber Essentials compliance requirements
Critical Action Items:
- Days 1-2: Assess SharePoint installations and document processing systems
- Days 3-7: Deploy controlled testing and priority system updates
- Days 8-14: Complete production environment deployment
- Immediate: Audit all Windows 10 devices and plan migration
Windows 10 Urgent Notice:
Support ends October 14th, 2025. The October 2025 Patch Tuesday will be the last regular security update for Windows 10; after that, only Extended Security Updates (paid for business use) keep devices patched for a further year. Migration planning is required immediately.
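One way to turn the action items above into a check you can run on every workstation and server, as an added example that is not from the episode or its show notes. It uses the KB numbers listed under "Technical support documentation" below, assumes Get-HotFix (Win32_QuickFixEngineering) reports the cumulative update on the device, as it normally does, and assumes you have local admin rights; the hostnames in the fleet-sweep comment are placeholders.

```powershell
# Added example (not the podcast's own material): per-device check for this month's
# update and Windows 10 end-of-support exposure. Run locally, or remotely via Invoke-Command.
function Get-PatchStatus {
    param(
        # September 2025 cumulative update KBs from the show notes
        # (Windows 11 24H2, Windows 10 22H2, Windows 11 23H2 respectively).
        [string[]]$RequiredKBs = @('KB5065426', 'KB5065431', 'KB5065429'),
        [datetime]$AsOf = (Get-Date)
    )
    $win10EndOfSupport = [datetime]'2025-10-14'

    $os = Get-CimInstance -ClassName Win32_OperatingSystem
    # Win32_QuickFixEngineering (behind Get-HotFix) lists installed security/cumulative updates.
    $installedKBs = Get-HotFix | Select-Object -ExpandProperty HotFixID
    $found = @($RequiredKBs | Where-Object { $installedKBs -contains $_ })

    $isWin10  = $os.Caption -like '*Windows 10*'
    $daysLeft = $null
    if ($isWin10) { $daysLeft = ($win10EndOfSupport - $AsOf.Date).Days }

    if ($found.Count -eq 0) { $action = 'Install September update, then reboot' }
    elseif ($isWin10)       { $action = 'Plan Windows 11 migration or ESU before 14 Oct 2025' }
    else                    { $action = 'OK' }

    [pscustomobject]@{
        Computer        = $env:COMPUTERNAME
        OS              = $os.Caption
        Build           = $os.BuildNumber
        LastBootTime    = $os.LastBootUpTime   # a pending reboot means the fix is not active yet
        SeptemberUpdate = if ($found.Count -gt 0) { $found -join ',' } else { 'MISSING' }
        Windows10       = $isWin10
        DaysToWin10EoS  = $daysLeft
        Action          = $action
    }
}

# Single machine:
Get-PatchStatus | Format-List

# Fleet sweep (assumes WinRM is enabled; hostnames are placeholders):
# $hosts = 'PC01', 'PC02', 'SRV-FILES'
# Invoke-Command -ComputerName $hosts -ScriptBlock ${function:Get-PatchStatus} |
#     Where-Object { $_.SeptemberUpdate -eq 'MISSING' -or $_.Windows10 } |
#     Format-Table Computer, OS, SeptemberUpdate, DaysToWin10EoS, Action -AutoSize
```

Treat a device that shows the KB as installed but has a LastBootTime older than the install as unpatched until it reboots; the 7-day deployment plan above only counts once the restart has happened.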
Compliance Requirements:
Cyber Essentials certified organisations must deploy updates by September 23rd, 2025. Earlier deployment recommended for business risk management.
Vulnerable Systems Requiring Priority Attention:
- SharePoint Server installations (under active attack)
- Systems processing external documents and email attachments
- Network authentication infrastructure
- Customer data handling environments
Known Compatibility Issues:
- PowerShell Direct connection failures in virtualised environments
- SMB signing requirements affecting older network storage
- MSI installer UAC prompt changes
Sources:
- Microsoft Security Response Center - September 2025 Security Updates
- Verizon 2024 Data Breach Investigations Report
- UK GDPR Article 32 - Security of Processing Requirements
- Cyber Essentials Certification Guidelines
Resources:
Comprehensive deployment guides, compatibility checklists, and Windows 11 migration planning available at: thesmallbusinesscybersecurityguy.co.uk
Technical support documentation: Microsoft KB5065426, KB5065431, KB5065429
Next Steps:
Subscribe for regular cybersecurity updates. Share with business owners who need this information. Visit our website for detailed implementation guidance.
This episode provides educational information only. Always implement cybersecurity measures appropriate to your specific business needs and risk profile.
Hashtags:
#CyberSecurity #SmallBusiness #Windows10 #PatchTuesday #Microsoft #BusinessSecurity #ITSecurity #CyberEssentials #Windows11 #SecurityUpdates #BusinessContinuity #UKBusiness #Compliance #GDPR #CyberInsurance #NetworkSecurity #SharePoint #BusinessTech #InfoSec #DigitalSecurity

Tuesday Sep 09, 2025
Episode Summary
The Electoral Commission suffered a 14-month data breach affecting 40 million UK voters, yet faced no ICO fine. Meanwhile, small businesses receive crushing GDPR fines for minor infractions. This explosive episode exposes dangerous double standards that leave SMBs vulnerable while government bodies escape accountability.
The Shocking Facts
- Breach Duration: 14 months (August 2021 - October 2022)
- Affected People: 40 million UK voters' data accessible
- Attack Method: ProxyShell vulnerabilities - patches available months before breach
- Attribution: Chinese state-affiliated actor (UK government attribution, March 2024)
- ICO Response: a formal reprimand (July 2024), no fine
Security Failures That Would Destroy Small Businesses
- Default passwords still in use
- No password policy
- Multi-factor authentication not universal
- Critical security patches ignored for months
- One account used original issued password
ICO's Dangerous Double Standard
While the Electoral Commission faces zero consequences for exposing 40 million people's data, small businesses routinely receive thousands in fines for single email attachment breaches. This regulatory hypocrisy creates false security expectations and leaves SMBs as easy targets for cybercriminals and regulators.
Immediate Action Required: Patch Tuesday Compliance
The Electoral Commission's breach used ProxyShell vulnerabilities (CVE-2021-34473, CVE-2021-34523, CVE-2021-31207) patched months earlier. Every day you delay Microsoft updates increases breach risk and regulatory exposure.
Critical Steps Today:
- Apply Microsoft Updates Now: Stop reading, patch systems, then continue
- Audit Password Security: Eliminate default, weak, or original passwords
- Implement Universal MFA: Multi-factor authentication on all accounts
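Patching closes the door, but a practitioner also wants to know whether anyone already walked through it. The following is an added example, not from the episode, that hunts the IIS W3C logs of an on-premises Exchange server for ProxyShell-style requests. The log lines are constructed for illustration; the log path in the final comment is the usual Default Web Site location and is an assumption for your environment; the matching rule is a heuristic, not Microsoft's official indicator list.

```powershell
# Added example (not the podcast's own material): flag ProxyShell-style requests in
# IIS W3C logs. ProxyShell abuses /autodiscover/autodiscover.json with an '@' in the
# query string to reach backend endpoints (mapi/nspi, powershell, ews) unauthenticated.

# Constructed sample log in IIS W3C format (stand-in for a real *.log file).
$sampleLog = @'
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port c-ip sc-status
2021-08-10 09:14:02 10.0.0.5 GET /owa/auth/logon.aspx - 443 203.0.113.7 200
2021-08-10 09:14:09 10.0.0.5 GET /autodiscover/autodiscover.json @evil.test/mapi/nspi?&Email=autodiscover/autodiscover.json%3F@evil.test 443 203.0.113.7 200
2021-08-10 09:14:11 10.0.0.5 POST /autodiscover/autodiscover.json @evil.test/powershell/?X-Rps-CAT=AAAA&Email=autodiscover/autodiscover.json%3F@evil.test 443 203.0.113.7 200
2021-08-10 09:15:30 10.0.0.5 GET /autodiscover/autodiscover.json - 443 192.168.1.20 401
'@ -split "`r?`n"

function Find-ProxyShellRequests {
    param([string[]]$Lines)

    $fields = $null
    foreach ($line in $Lines) {
        # W3C logs declare their column layout in a #Fields: directive.
        if ($line.StartsWith('#Fields:')) {
            $fields = ($line -replace '^#Fields:\s*', '') -split '\s+'
            continue
        }
        if ($line.StartsWith('#') -or -not $fields -or [string]::IsNullOrWhiteSpace($line)) { continue }

        $values = $line -split ' '
        if ($values.Count -ne $fields.Count) { continue }   # skip malformed lines
        $row = @{}
        for ($i = 0; $i -lt $fields.Count; $i++) { $row[$fields[$i]] = $values[$i] }

        $stem  = $row['cs-uri-stem']
        $query = $row['cs-uri-query']

        # Heuristic: legitimate Autodiscover requests never carry '@' plus a backend path
        # in the query. A 200 response to such a request is the worrying case.
        if ($stem -match '(?i)^/autodiscover/autodiscover\.json$' -and
            $query -match '@' -and
            $query -match '(?i)(powershell|mapi/nspi|/ews/)') {
            [pscustomobject]@{
                Time   = "$($row['date']) $($row['time'])"
                Client = $row['c-ip']
                Method = $row['cs-method']
                Status = $row['sc-status']
                Query  = $query
            }
        }
    }
}

# Against the constructed sample: expect the two 203.0.113.7 requests, not the 401 or the OWA logon.
Find-ProxyShellRequests -Lines $sampleLog | Format-Table -AutoSize

# Against a real Exchange server (path is the usual Default Web Site log location, adjust as needed):
# Find-ProxyShellRequests -Lines (Get-Content 'C:\inetpub\logs\LogFiles\W3SVC1\*.log') |
#     Export-Csv .\proxyshell-hits.csv -NoTypeInformation
```

Hits with a 200 status from an external client mean the server should be treated as compromised until proven otherwise: check for unexpected .aspx files under the Exchange web roots and for mailbox export requests you did not create, rather than simply patching and moving on.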
Key Takeaways
- Government bodies receive preferential ICO treatment despite massive failures
- Small businesses face disproportionate scrutiny and penalties
- Basic security hygiene prevents most cyberattacks
- Professional cybersecurity help costs less than ICO fines
- Regulatory consistency doesn't exist - protect yourself accordingly
Why This Matters for Your Business
If the Electoral Commission can ignore basic cybersecurity for 14 months without consequences, imagine what happens when your business makes similar mistakes. The ICO needs examples - and it won't be government bodies.
Resources
- Microsoft Security Updates Portal
- NCSC Small Business Guidance
- ICO Data Protection Guidelines
- ProxyShell Vulnerability Database
Get Help
Need cybersecurity basics, patch management, or GDPR compliance help? Don't become the ICO's next small business example.
Email: help@thesmallbusinesscybersecurity.co.uk
Website: thesmallbusinesscybersecurity.co.uk
Related Episodes
- Episode 8: White House CIO Insights - Government Security
- Episode 9: Cyber Essentials Framework
- Episode 6: Shadow IT Risks
Keywords
#ElectoralCommissionhack, #ICO #doublestandards, #GDPR, #PatchTuesday, #Microsoftupdates, #ProxyShellvulnerability

Monday Sep 08, 2025
60% of Small Businesses DIE After Cyberattacks - Are You Next?
🚨 SHOCKING: 60% of Small Businesses Shut Down Forever After Cyberattacks
96% of hackers target YOUR business, not big corporations. Think you're too small to be a target? Think again.
Noel and Mauven reveal the brutal truth about cybersecurity that could save your business - or expose why you're already at risk.
💀 The Terrifying Reality:
- 82% of ransomware attacks target businesses under 1,000 employees
- Small business employees face 350% MORE attacks than enterprise workers
- Average cyber incident costs UK businesses £362,000
- Only 17% of small businesses have cyber insurance
🛡️ What You'll Discover:
- The FREE security fix that stops most attacks (costs nothing, takes 30 seconds)
- Why Multi-Factor Authentication is your business lifeline
- How Cyber Essentials certification makes you 92% less likely to make a cyber insurance claim
- Government programs most business owners don't know exist
- Why this is a BUSINESS issue, not an IT problem
🎯 Perfect For:
- Small & medium business owners
- Anyone worried about cyber threats
- Business leaders who think they're "too small" to be targeted
- Companies looking for practical, affordable security solutions
💡 Key Takeaways:
- Multi-Factor Authentication everywhere - Enable it on email, accounting systems, cloud storage, and remote access. This one change stops the vast majority of attacks.
- Cyber Essentials certification - Organizations with this UK government scheme are 92% less likely to make insurance claims. Plus, Noel's preferred certification body includes up to £250,000 in cyber insurance coverage as part of the package!
- Staff training that actually works - Monthly 5-minute team discussions about real threats, not boring annual presentations.
- The 3-2-1 backup rule - Three copies of data, two different storage types, one completely offline.
⚡ Real Talk:
This isn't fear-mongering - it's business reality. Every day you delay basic cybersecurity is another day you're gambling with everything you've built.
The cost of prevention is ALWAYS less than the cost of recovery.
🔗 Take Action:
Start this week: Enable MFA on your email, research Cyber Essentials, schedule team security discussions.
Your future self will thank you.
Want to know more about Cyber Essentials certification with included insurance? Reach out to Noel directly.
Like what you heard? Subscribe, leave a review, and share with other business owners who need to hear this.
#Cybersecurity #SmallBusiness #CyberEssentials #BusinessSecurity #UKBusiness