The Small Business Cyber Security Guy | Cybersecurity for SMB & Startups

In this episode Graham and Mauven break down a major overhaul to Cyber Essentials coming into force from April 2026. The hosts explain the headline change — mandatory multi-factor authentication (MFA) for every cloud service with no loopholes — and how the scheme has tightened scoping so any internet-connected service or system that processes company data is now in scope.

Topics covered include the new emphasis on passwordless authentication (passkeys, FIDO2 hardware keys, and biometrics), why the NCSC is pushing these technologies, and the practical security benefits and limits of passwordless solutions. They also discuss the real-world impact on small businesses: thousands currently relying on weak passwords or shadow IT will face failed assessments, unsupported software will trigger instant fails, and many firms will need to budget for MFA where it’s not free.

Graham and Mauven share concrete, actionable advice for listeners: inventory every cloud service (including forgotten Dropbox or personal Gmail accounts used for work), involve the whole team, enable MFA everywhere possible (and budget for paid options), collect and document evidence (screenshots, logs), map networks and implement segmentation where needed, and plan early to avoid rush and audit pain.

Key takeaways: the bar is being raised to reduce simple attacks, passwordless is being validated as a practical option, expect a drop in pass rates at renewal time, and businesses should start preparing now or face chaotic assessment outcomes. Hosts: Graham Falkner and Mauven MacLeod.

• Why energy consumption in computing matters to small businesses right now
• How FinalSpark’s biocomputing platform actually works (in terms that won’t require a neuroscience degree)
• The realistic timeline for when this technology might affect your business
• What small businesses should actually do about emerging technologies
• The security implications nobody’s talking about yet
• The uncomfortable ethical questions around growing human neurons for computation

• Published peer-reviewed research that reached the top 1% of most-read articles in Frontiers journal
• Providing free access to 10 universities worldwide (36 applications received)
• Created APIs and documentation for remote access
• Built Discord community with 1,200+ members discussing biocomputing

• University of Michigan
• Free University of Berlin
• University of Exeter
• Lancaster University
• Leipzig University
• University of York
• Oxford Brookes University
• University of Bath
• University of Bristol
• Université Côte d’Azur (France)
• University of Tokyo

• Data centres consumed 1.5% of global electricity as of 2024
• Projected to reach 3% by 2030
• AI is accelerating growth exponentially
• Meta, Google, and OpenAI are talking about building nuclear power stations

• Human brain runs on 20 watts
• Modern AI data centres use megawatts (millions of watts)
• FinalSpark claims million-times efficiency (99.9999% reduction)
• Some sources cite up to billion-times more energy efficient

• 10,000 living neurons per organoid
• 16 organoids total
• Approximately 160,000 neurons system-wide
• Neurons survive up to 100 days in active use
• Accessible remotely by researchers worldwide

1. Energy costs always roll downhill to cloud hosting bills and SaaS subscriptions
2. AI tools your business uses (Microsoft Copilot, ChatGPT, customer service chatbots) all burn energy
3. Every interaction costs carbon, and those costs eventually reach small businesses

1. If biocomputing proves viable, benefits arrive through infrastructure improvements
2. Your cloud providers incorporate biological processors
3. Your costs decrease, capabilities increase
4. You won’t buy biocomputers any more than you buy specific processor architectures now

1. Secure current systems properly (multi-factor authentication, proper backups)
2. Train staff on cybersecurity basics
3. Achieve Cyber Essentials certification
4. Build adaptable IT infrastructure

1. Subscribe to technology news sources
2. Spend 15 minutes monthly reading about emerging tech
3. Build mental models of where technology might head
4. Prepare for paradigm shifts

1. Commercial partnerships with major tech companies
2. Published benchmarks proving practical advantages
3. Scaling demonstrations (thousands of neurons for months)
4. Security framework development
5. Independent energy validation studies

• Mad ideas sometimes win (iPhone, Netflix, electric cars)
• Companies that survive aren’t the ones that predicted the exact future
• They’re the ones who built adaptable systems that could pivot
• Focus on fundamentals whilst keeping awareness of emerging tech

• Company website and Neuroplatform information
• FinalSpark Butterfly demonstration application (control virtual butterfly using living neurons)
• Discord community (1,200+ members)
• Academic publications in Frontiers journal

• Full blog post with technical details and source verification available at thesmallbusinesscybersecurityguy.co.uk
• Research papers on biological computing
• Energy consumption studies for AI and data centres

• How do you secure computers made from living cells?
• Can you hack biological neural networks?
• Do you need neuroscience expertise to exploit vulnerabilities?
• Is a breach a cyber attack or biological warfare?
• How do you wipe a neuron’s memory?
• Can you verify data deletion?
• How do you conduct forensic analysis on biological substrates?

Ethical considerations:

• These neurons aren’t conscious or sentient (they’re biological cells performing functions)
• But they’re human neurons grown from human stem cells
• Where’s the ethical line if we can grow larger collections?
• How large before we worry about experiences or consciousness?
• How do we measure consciousness in biological systems grown for computation?
• Should these conversations happen now, before ubiquity?

1. Secure your current systems properly
2. Implement proper backup strategies
3. Train your staff on cybersecurity basics
4. Achieve Cyber Essentials certification
5. Build IT infrastructure that serves your business objectives

• Noel Bradford (40+ years in IT, ex-Intel/Disney/BBC, current CIO)
• Graham Falkner (Tech Savy small business owner & voice over artist representing the SMB reality)
• Mauven MacLeod (ex-government cybersecurity background)

This Halloween special of the Small Business Cyber Security Guy peels back the curtain on the scariest place hackers hide: the tools and toolchains you trust. Hosts Graeme Falkner, Noel Bradford and Mauven MacLeod go ghost hunting inside compilers, build systems and update pipelines to show how supply‑chain attacks can insert backdoors that you’ll never spot by reading source code alone.

The episode revisits Ken Thompson’s classic compiler backdoor thought experiment and explains, in plain language, how a compromised compiler can propagate secrets invisibly. The hosts walk through real incidents — XcodeGhost, SolarWinds, EventStream, and Log4j — to demonstrate how attackers target development tools and upstream suppliers to compromise software at scale.

Expect practical, small-business-focused anecdotes (including a midnight accounting patch that wreaked havoc) and clear explanations of why technical debt, single-developer codebases, and blind trust in update pop-ups are dangerous. The conversation highlights how even open-source software can be compromised if maintainers or dependencies are compromised.

The episode also covers defences and takeaways: demand provenance and supply-chain transparency from vendors, insist on reproducible builds where possible, use two-person reviews and well-maintained dependencies, and protect access with strong authentication. The hosts debate how to distribute trust, verify your verifiers, and reduce single points of failure so one compromised supplier or contractor can’t haunt your whole business.

There’s a sponsor segment from Authentrend about passwordless biometric sign-ins as a way to block credential-based intrusions, along with links to resources and a trial, in the show notes. Throughout, the hosts balance technical history and horror stories with concrete steps small businesses can take now to keep their compilers and supply chains clean.

Listen for clear, actionable advice for small businesses, including how to ask vendors the right questions, when to bring in trusted IT partners, and simple measures to keep the lights on and the doors locked against the ghosts in your code. Sláinte — and may your backups never rise from the grave.

The £18,000 Saving That Cost £200,000 in Revenue

Ever cut a cost that seemed obviously wasteful, only to discover you'd destroyed something far more valuable? Welcome to the Doorman Fallacy —it's probably happening in your business right now.

In this episode, Noel Bradford introduces a concept from marketing expert Rory Sutherland's book "Alchemy" that explains precisely why "sensible" security cost-cutting so often leads to catastrophic consequences. Through five devastating real-world case studies, we explore how businesses optimise themselves into oblivion by defining roles too narrowly and measuring only what's easy to count.

Spoiler alert: The doorman does far more than open doors. And your security measures do far more than their obvious functions.

What You'll Learn

The Core Concept

• What the Doorman Fallacy is and why it matters for cybersecurity
• The difference between nominal functions (what something obviously does) and actual functions (what it really does)
• Why efficiency optimisation without a complete understanding is just expensive destruction
• The five-question framework for avoiding Doorman Fallacy mistakes

Five Catastrophic Case Studies

1. The Security Training Fallacy (Chapter 2)

• How cutting £12,000 in training led to a £70,000 Business Email Compromise attack
• Why training isn't about delivering information—it's about building culture
• The invisible value: shared language, verification frameworks, psychological safety
• What to measure instead of cost-per-employee-hour

2. The Cyber Insurance Fallacy (Chapter 3)

• The software company that saved £18,000 and lost £200,000 in client contracts
• Why insurance isn't just financial protection—it's a market signal
• Hidden benefits: third-party validation, incident response capability, customer confidence
• How cancelling coverage destroyed vendor relationships and sales opportunities

3. The Dave Automation Fallacy (Chapter 4)

• Insurance broker spent £100,000+ replacing a £50,000 IT person
• The £15,000 server upgrade that Dave would have known was unnecessary
• Institutional knowledge you can't document: vendor relationships, crisis judgment, organisational politics
• Why ticketing systems can't replace anthropological understanding

4. The MFA Friction Fallacy (Chapter 5)

• Fifteen seconds of "friction" versus three weeks of crisis response
• The retail client who removed MFA and suffered £65,000 in direct incident costs
• Why attackers specifically target businesses without MFA
• The reputational damage you can't quantify until it's too late

5. The Vendor Relationship Fallacy (Chapter 6)

• Solicitors saved £4,800 annually, lost a £150,000 client
• Why "identical services" aren't actually identical
• The difference between contractual obligations and genuine partnerships
• What happens when you need flexibility and you've burned your bridges

Key Statistics & Case Studies

• 42% of business applications are unauthorised Shadow IT (relevant context)
• £47,000 BEC loss vs £12,000 annual training savings
• £200,000 lost revenue vs £18,000 insurance savings
• £100,000+ replacement costs vs £50,000 salary
• £65,000 incident costs vs marginal productivity gains
• £150,000 lost client vs £4,800 vendor savings

Common pattern: Small measurable savings, catastrophic unmeasurable consequences.

The Five-Question Framework

Before cutting any security costs, ask yourself:

1. What's the nominal function versus the actual function?
   • What does it obviously do vs what does it really do?
2. What invisible benefits will disappear?
   • Be specific: not "provides value" but "provides priority incident response during emergencies"
3. How would we replace those invisible benefits?
   • If you can't answer this, you're making a Doorman Fallacy mistake
4. What's the actual cost-benefit analysis, including invisible factors?
   • Not just "save £8,000" but "save £8,000, lose security culture, increase incident risk"
5. What's the cost of being wrong?
   • In cybersecurity, the cost of being wrong almost always exceeds the cost of maintaining protection

Practical Takeaways

What to Do Tomorrow

Review your most recent efficiency or cost-cutting decision. Ask:

• Did we define this function too narrowly?
• What invisible value might we have destroyed?
• Are we experiencing consequences we haven't connected to that decision?

Better Metrics for Security Investments

Instead of measuring cost-per-hour or savings-per-quarter, measure:

• Incident reporting rates (should go UP with good training)
• Verification procedure usage frequency
• Time-to-report for security concerns
• Vendor response times during emergencies
• Employee confidence in raising concerns

Making Trade-Offs Honestly

Budget constraints are legitimate. The solution isn't "never cut anything." It's:

• Acknowledge what you're sacrificing when you cut
• Admit the risks you're accepting
• Have plans for replacing invisible functions
• Make consequences visible during decision-making
• Ensure decision-makers bear some responsibility for outcomes

Quotable Moments

"The doorman's job is opening doors. So we replaced him with an automatic door. Saved £35,000 a year. Lost £200,000 in revenue because the hotel stopped feeling luxurious. That's the Doorman Fallacy." — Noel

"Security training's nominal function is delivering information. Its actual function is building culture. Cut the training, lose the culture, then wonder why nobody reports suspicious emails anymore." — Noel

"We saved £8,000 on training. Spent £70,000 on the Business Email Compromise attack that training would have prevented. The CFO was very proud of the efficiency gains." — Noel

"You can't prove a negative. Can't show the value of the disasters you prevented because they didn't happen. So the training gets cut, the insurance gets cancelled, and everyone acts surprised when the predictable occurs." — Mauven

"The efficiency consultant's dream outcome: Measurable cost eliminated, unmeasurable value destroyed, everyone confused about why things feel worse despite the improvement." — Noel

Chapter Timestamps

• 00:00 - Pre-Roll: The Most Expensive Cost-Saving Decision
• 02:15 - Intro: Why Marketing Books Matter for Cybersecurity
• 05:30 - Chapter 1: The Book, The Fallacy, The Revelation
• 12:00 - Chapter 2: The Security Training Fallacy
• 19:30 - Chapter 3: The Cyber Insurance Fallacy
• 27:00 - Chapter 4: The Dave Automation Fallacy
• 35:30 - Chapter 5: The MFA Friction Fallacy (+ Authentrend sponsor message)
• 42:00 - Chapter 6: The Vendor Relationship Fallacy
• 49:30 - Chapter 7: Hard-Hitting Wrap-Up & Framework
• 58:00 - Outro: Action Items & CTAs

Total Runtime: Approximately 62 minutes

Sponsored By

Authentrend - Biometric FIDO2 Security Solutions

This episode is brought to you by Authentrend, which provides passwordless authentication solutions that address the friction problem discussed in Chapter 5. Their ATKey products use built-in fingerprint authentication—no passwords, no PIN codes, just five-second authentication that's both convenient AND phishing-resistant. Microsoft-certified, FIDO Alliance-trusted, and designed for small businesses that need enterprise-grade security without enterprise-level complexity.

Learn more: authentrend.com

Resources & Links

Mentioned in This Episode:

• Rory Sutherland's "Alchemy: The Dark Art and Curious Science of Creating Magic in Brands, Business, and Life"
• Authentrend ATKey Products: authentrend.com
• Episode 3: "Dave from IT - When One Person Becomes Your Single Point of Failure" (referenced in Chapter 4)

Useful Tools & Guides:

• Download our Doorman Fallacy Decision Framework (PDF)
• Template: Articulating Invisible Value in Budget Meetings
• Checklist: Five Questions Before Cutting Security Costs
• Case Study Library: Real-World Doorman Fallacy Examples

UK-Specific Resources:

• ICO Guidance on Security Measures
• NCSC Small Business Cyber Security Guide
• Cyber Essentials Scheme Information

About Your Hosts

Noel Bradford brings 40+ years of IT and cybersecurity experience from Intel, Disney, and the BBC to small-business cybersecurity. Now serving as CIO/Head of Technology for a boutique security-first MSP, he specialises in translating enterprise-level security to SMB budgets and constraints.

Mauven MacLeod is an ex-government cyber analyst who now works in the private sector helping businesses implement government-level security practices in commercial reality—her background bridges national security threat awareness with practical small business constraints.

Support The Show

New episodes every Monday at Noon UK Time!

Never miss an episode! Subscribe on your favourite podcast platform:

• Apple Podcasts
• Spotify
• Google Podcasts
• RSS Feed: https://feed.podbean.com/thesmallbusinesscybersecurityguy/feed.xml

Help us reach more small businesses:

• ⭐ Leave a review (especially appreciated if you mention which Doorman Fallacy example hit closest to home)
• 💬 Comment with your own efficiency optimisation horror stories
• 🔄 Share this episode with CFOs, procurement specialists, and anyone making security budget decisions
• 📧 Forward to that one colleague who keeps suggesting cost-cutting without understanding the consequences

Connect with us:

• Website: thesmallbusinesscybersecurityguy.co.uk
• Blog: Visit thesmallbusinesscybersecurityguy.co.uk for full episode transcripts, implementation guides, and decision-making templates
• LinkedIn: https://www.linkedin.com/company/the-small-business-cyber-security-guy/
• Email: hello@thesmallbusinesscybersecurityguy.co.uk

Episode Tags

#Cybersecurity #SmallBusiness #SMB #InfoSec #CyberInsurance #MFA #SecurityTraining #ITManagement #BusinessSecurity #RiskManagement #DoormanFallacy #BehavioralEconomics #SecurityROI #UKBusiness #CostBenefit #SecurityCulture #IncidentResponse #VendorManagement #Authentrend #FIDO2 #PasswordlessAuthentication

Legal

The Small Business Cyber Security Guy Podcast provides educational information and general guidance on cybersecurity topics. Content should not be considered professional security advice for your specific situation. Always consult qualified cybersecurity professionals for implementation guidance tailored to your organisation's needs.

Copyright © 2025 The Small Business Cyber Security Guy Podcast. All rights reserved.

Got a question or topic suggestion? Email us at hello@thesmallbusinesscybersecurityguy.co.uk or leave a comment below!

Hosts Mauven MacLeod and Graham Falkner deliver a fiery rant about the recent AWS US East 1 DNS outage and what it reveals about our dependence on cloud services. In this episode, they unpack the outage's real-world impact — from Snapchat and Venmo outages to Philips Hue bulbs and automated litter boxes going dark — and share colourful personal anecdotes, including a navigation fail on a Loch Lomond walk and a high‑tech mattress that turns into an expensive paperweight when the cloud hiccups.

The pair dig into the technical and cultural roots of the problem: DNS as an ageing single point of failure, the dangers of concentrating critical infrastructure in one region, cost‑cutting that sacrifices resilience, and the worrying effects of automation and staff churn. They discuss how small businesses, banks, gaming platforms, and everyday consumers all found themselves unable to process payments, take bookings, or even turn on a light due to a single regional fault.

Mauven and Graham also examine the human side of outages — exhausted sysadmins, online threads that read like group therapy, and the blurred line between human operators and automated systems shipping production code. They mock the absurdity of smart devices that need the internet to perform basic functions, and contrast that with the resilience of simple, offline tech (their beloved vinyl collections make a cameo).

Finally, the episode offers a clear call to action: rethink resilience. Topics covered include multi‑cloud and hybrid strategies, decentralisation, offline fallback modes or “stupid mode” for essential devices, and the need to prioritise technical debt and redundancy over short‑term savings. Expect sharp humour, practical frustrations, and a promise of tangible fixes and advice in the next episode — plus plenty of memes and sympathy for the folks keeping the lights on.

Vendors love throwing around "InfoSec," "CyberSec," and "IT Security" like they're selling completely different solutions. Half the time it's the same thing with three different price tags. The other half? You're buying protection that doesn't address your actual risks.

With 50% of UK small businesses hit by cyber incidents in 2025 and 60% closing within six months of severe data loss, getting this wrong isn't just expensive—it's potentially fatal to your business.

Noel Bradford (40+ years wrangling enterprise security at Intel, Disney, and BBC) and Mauven MacLeod (ex-Government Cyber analyst who's seen threats at the national security level) cut through the marketing rubbish to explain what each approach actually does, what they really cost, and which one your business needs right now.

No vendor pitch. No corporate speak. Just the brutal truth about what works for UK SMBs.

This Episode is Sponsored by Authentrend

Special Listener Offer: £40 per FIDO2 security key (regular £45) - Valid until December 22nd, 2025

We only accept sponsorships from companies whose products we already recommend to clients. Authentrend's ATKey series provides FIDO Alliance Level 2 certified, phishing-resistant authentication at competitive pricing. Same cryptographic protection as premium brands, without the premium price tag.

Why we're comfortable with this sponsorship: We've been specifying Authentrend keys for UK SMB clients for months because the math works. FIDO2 hardware security keys stop the credential phishing attacks that cause 85% of cyber incidents. At £40-45 per key (two per employee for backup), you're looking at £80-90 per person for protection that actually works.

Learn more: authentrend.com

What You'll Learn

Understanding the Differences

• What Information Security actually covers (hint: it's not just digital)
• Why Cybersecurity isn't the same as IT Security (despite what vendors claim)
• The CIA triad explained without the jargon
• Real-world examples showing when each approach matters

UK Business Reality

• Current threat landscape: 43% of UK businesses breached in 2025
• Why small businesses (10-49 employees) face 50% breach rates
• Average incident costs: £3,400 (but the real number is much higher)
• UK GDPR, Data Protection Act 2018, and what actually applies to you

What It Actually Costs

• Starting from scratch: £5,000-£15,000 annually for 10-20 employees
• Phishing-resistant MFA: £80-90 per employee (one-time, includes backup keys)
• Cyber Essentials: £300-£500 (your best bang for buck)
• Managed security services: £300-£450/month realistic pricing
• When £2,000-£3,500/month managed detection makes sense
• Free government resources you're probably ignoring

Authentication Security Reality

• Why SMS codes and app-based MFA still get phished
• How FIDO2 hardware security keys cryptographically prevent credential theft
• Real cost comparison: £80-90 per employee one-time vs subscription services costing hundreds annually
• Special offer mentioned in episode: Authentrend keys at £40 until December 22nd

Implementation Without the Bullshit

• Why IT Security basics beat fancy cybersecurity tools every time
• The five controls that address 90% of UK SMB threats
• Common mistakes that waste your security budget
• How to prioritise when you can't afford everything
• Vendor red flags and what to actually look for

Regulatory Requirements Decoded

• ICO data protection fees: £40-£60/year (mandatory)
• What "appropriate technical and organisational measures" really means
• Why recent enforcement shows reprimands over fines for SMBs
• Insurance requirements and how to reduce premiums
• How phishing-resistant authentication affects cyber insurance premiums

Key Statistics Mentioned

• 50% of UK small businesses (10-49 employees) experienced cyber incidents in 2025
• £3,400 average cost per cyber incident (excluding business impact)
• 60% of small businesses close within 6 months of serious data loss
• 85% of cyber incidents involve phishing attacks
• 43% of all UK businesses experienced breaches in 2025
• Only 35,000 of 5.5 million UK businesses hold Cyber Essentials certification
• 40% of UK businesses use two-factor authentication (meaning 60% rely solely on passwords)

Products & Solutions Discussed

Authentication Security (Featured in Episode)

Authentrend ATKey Series (Episode Sponsor)

• ATKey.Pro: USB-A/USB-C with NFC support
• ATKey.Card: Contactless card format
• Pricing: £45 regular, £40 special offer until December 22nd
• FIDO Alliance Level 2 certified
• Works with Microsoft 365, Google Workspace, 1000+ FIDO2-enabled services
• Deployment cost: £80-90 per employee (2 keys for backup)

Why hardware security keys matter:

• Cryptographically bound to specific domains (phishing technically impossible)
• Works even when users make mistakes
• One-time purchase vs ongoing subscription costs
• Significantly reduces cyber insurance premiums

Email Security Options

• Microsoft Defender for Office 365 Plan 1: £1.70/user/month
• Google Workspace Advanced Protection: £4.60/user/month
• Sophos Email Security: £2.50/user/month

Endpoint Protection

• Microsoft Defender for Business: £2.50/user/month
• Sophos Intercept X: £3.50/user/month
• CrowdStrike Falcon Go: £7.00/user/month

Compliance & Frameworks

• Cyber Essentials: £300-£500 annually
• ISO 27001: £10,000-£15,000 first year (discussed as often unnecessary for SMBs)

Resources Mentioned

Free Government Resources

• NCSC Small Business Guidance: ncsc.gov.uk
• ICO Free Templates: ico.org.uk
• Cyber Essentials Scheme: cyberessentials.ncsc.gov.uk
• NCSC FIDO2 Guidance: Phishing-resistant authentication recommendations

Episode Sponsor

• Authentrend: authentrend.com
• Special offer: £40 per key (regular £45) until December 22nd, 2025
• ATKey.Pro and ATKey.Card models
• UK distributor support available

Related Blog Posts (From This Week's Series)

• Tuesday: "InfoSec vs CyberSec vs IT Security: Stop Paying for the Wrong Protection in 2025"
• Wednesday: "Another UK SME Wastes £20k on 'Comprehensive CyberSec': Still Gets Breached"
• Thursday: "IT Security First: Your 5-Step Plan to Stop Buying the Wrong Protection"
• Friday: "The Leicester SME That Chose IT Security Over InfoSec Theatre: Saved £15k and Actually Got Secure"
• Saturday: "Opinion: The Cybersecurity Industry Is Deliberately Confusing UK SMBs"

Recommended First Steps

Immediate Actions (This Week)

1. Catalogue your information - 1 day exercise to understand what you have and where it lives
2. Register for ICO data protection fee - £40-£60 annual mandatory requirement
3. Order hardware security keys - Start with admin accounts (grab Authentrend special offer before Dec 22nd)

First Month

4. Get Cyber Essentials certified - £300-£500, addresses 90% of common threats
5. Implement email security - £900-£1,800 annually for proper anti-phishing
6. Deploy phishing-resistant MFA - £80-90 per employee one-time investment
7. Configure endpoint protection - £1,200-£2,500 annually for 15-30 users

First Quarter

8. Test your backups - Don't assume they work, actually restore something
9. Basic staff training - Use free NCSC materials, focus on phishing recognition
10. Review and document - Simple policies using ICO templates

Budget Planning

15-20 employee business, first year total: £6,200-£14,500

• Email security: £900-£1,800 annually
• Hardware security keys: £2,400-£2,700 one-time (with Dec 22nd offer: £2,400)
• Endpoint protection: £1,200-£2,500 annually
• Backup systems: £600-£1,200 annually
• Network security: £600-£1,800 (includes one-time hardware costs)
• Training: £0-£1,500 annually
• Testing: £500-£2,000 annually

Ongoing costs (Year 2+): £3,800-£11,100 annually

Hosts

Noel Bradford - CIO/Head of Technology, Boutique Security First MSP

• 40+ years enterprise security (Intel, Disney, BBC)
• Direct, budget-conscious, solutions-focused
• Enjoys challenging conventional security wisdom
• Known for calling out vendor bollocks

Mauven MacLeod - Ex-Government Cyber Analyst

• Government cybersecurity background (NCSC)
• Glasgow-raised, practical approach
• Translates national security threats into business reality
• Focuses on what actually works for UK SMBs

Our Sponsorship Disclosure Policy

We only accept sponsorships from security vendors whose products we already recommend to UK SMB clients independently. If we wouldn't deploy it ourselves or specify it for consulting engagements, we won't accept sponsorship money for it.

Why Authentrend: We've been recommending their FIDO2-certified hardware security keys to clients for months because:

• They provide the phishing-resistant authentication we consistently advise UK SMBs to implement
• Pricing makes proper authentication accessible to small businesses
• FIDO Alliance Level 2 certification ensures they meet security standards
• They align with our core message: affordable IT security fundamentals over expensive security theatre

Take Action

Don't let perfect be the enemy of good. Start with what you can manage, do it properly, and build from there.

Your Next Steps

1. Listen to the episode - Understand the differences before spending money
2. Download the risk assessment template - Available on our blog
3. Order hardware security keys - Start with admin accounts (special offer ends Dec 22nd)
4. Get Cyber Essentials certified - £300-£500 addresses most common threats
5. Implement IT Security fundamentals - £2K-£5K gets you real protection
6. Review quarterly - Security isn't a one-time project

Subscribe & Connect

• Never miss an episode - Hit subscribe wherever you get your podcasts
• Leave us a review - It genuinely helps other UK small business owners find these conversations
• Visit our blog - Additional resources, templates, and practical guides at [noelbradford.com]
• Got specific questions? - Drop us a comment and we might cover it in a future episode

Next Week's Episode

"Government Cyber Initiatives: Why Whitehall's Digital Strategy Keeps Failing UK Businesses"

The NCSC produces world-class guidance. Unfortunately, most of it assumes you have dedicated security teams and enterprise budgets. We'll examine why government cybersecurity initiatives consistently miss the mark for the businesses that need help most, and what UK SMBs should actually implement instead.

Remember

The biggest security risk is doing nothing while you debate the perfect approach.

Stop wasting money on expensive security theatre. Start with IT Security fundamentals that actually protect against the threats you face. Get phishing-resistant authentication in place. Test your backups. Train your staff.

Everything else can come later.

Tags

#Cybersecurity #InformationSecurity #ITSecurity #UKSmallBusiness #SMB #UKGDPR #CyberEssentials #DataProtection #ICO #BusinessSecurity #CyberThreats #SecurityBudget #NCSC #UKBusiness #SmallBusinessUK #FIDO2 #PhishingResistant #MFA #Authentrend #HardwareSecurityKeys #AuthenticationSecurity

Noel and Mauven unpack Discord’s third-party breach that exposed government-ID checks from age-appeal cases, then weigh it against Westminster’s push for a nationwide digital ID. It’s a frank look at how outsourcing, age-verification mandates and data-hungry processes collide with real-world security on the ground. Expect straight talk and practical fixes for UK SMBs.

What we cover

• What actually happened at Discord: a contractor compromise affecting support/Trust & Safety workflows, not Discord’s core systems; notifications issued; vendor relationship severed; law-enforcement engaged.

• Why age-verification data is dynamite: passports and licences used for “prove your age” are a high-value, high-liability dataset for any platform or vendor.

• The UK digital ID plan, clarified: free digital ID, phased rollout this Parliament, and mandatory for Right to Work checks rather than everyone by default. What that means for employers, suppliers and software choices.

• Public sentiment vs promised safety: Britons broadly back “age checks” in principle but expect more data compromise and censorship risk, and doubt effectiveness.

Why it matters to UK SMBs

• You can’t outsource accountability. If a payroll, KYC, helpdesk or verification vendor mishandles data, your customers still see your name on the breach notice.

• Age and identity checks creep into ordinary business flows. HR onboarding, ticketing, and customer support can accumulate sensitive documents if you let them.

• Centralising identity increases the jackpot for attackers. Your job is to minimise what you collect and partition what you must keep.

Key takeaways

1. Do not collect what you can’t protect. Prefer attribute proofs over document uploads.

2. Limit blast radius. Separate systems, short retention, hard deletion, and vendor access that is time-boxed and device-checked.

3. Contract like you mean it. Specify MFA, device compliance, immutable logging, breach SLAs, and verifiable deletion in vendor agreements.

4. Prepare your Right-to-Work path now. Choose flows that avoid copying and storing underlying documents.

Action checklist for SMB owners

• Map every place you’re collecting ID or age proof today. Kill non-essential collection.

• Where age is required, adopt attribute-based verification that proves “over 18” without revealing full identity.

• Move any remaining uploads behind automatic redaction, strict retention, and encryption with keys you control.

• Enforce vendor MFA via your IdP, require compliant devices, and review access logs weekly.

• Run DPIAs for onboarding, support and HR flows that touch identity documents.

• Rehearse your breach comms. Aim to say: “only an age token was exposed, not source documents.”

Chapter outline

• Setting the scene: a breach born in the support queue

• Why ID uploads are a liability multiplier

• The UK’s digital ID plan, without the spin

• Vendor risk is your risk

• Practical fixes you can implement before lunch

• Q&A and what to do if you uploaded ID to Discord

If you think you’re affected

• Treat notices as real; monitor credit; be alert to targeted phishing; don’t re-upload documents to unsolicited “verification” links.

Support the show

• Subscribe, rate and review. Share this episode with a business owner who still stores passport scans in their helpdesk.

• Send questions or topic requests for future episodes.