Hot Takes from the Small Business Cyber Security Guy

By: The Small Business Cyber Security Guy

Hot Takes

Hot Takes is the sharp, fast moving opinion show from The Small Business Cyber Security Guy team.

This is where we cut through the noise, the vendor nonsense, the breathless headlines, and the cyber doom theatre that small businesses get served far too often. Each episode takes one current cyber security story, claim, breach, statistic, policy change, or industry talking point and asks the question that actually matters:

What does this mean for a real small business?

Expect blunt analysis, practical advice, and a healthy suspicion of anyone trying to sell fear in a shiny PDF.

We cover topics including cyber attacks, data breaches, ransomware, supply chain risk, Microsoft 365 security, compliance, Cyber Essentials, bad MSP behaviour, weak governance, and the many creative ways organisations manage to trip over their own shoelaces.

No hoodies.
No Matrix code.
No corporate fog machine.

Just straight talk, useful context, and clear takeaways for business owners, directors, IT teams, and anyone else trying to keep the lights on without becoming a full time cyber security analyst.

Bold opinions. Practical advice. Made for small businesses.

Episodes
  • Your Business Is an Open Book
    2026/06/06

    Most small businesses have been building a public intelligence profile for years without realising it. Every LinkedIn update, team photo, and website contact page adds detail to a picture that anyone can view, including those with malicious intent. This episode examines open source intelligence (OSINT) and how publicly available information becomes the foundation for targeted attacks like spear phishing and invoice fraud. Noel Bradford walks through the reconnaissance process, from Companies House filings to social media posts, demonstrating how an attacker can map your business, identify key staff, and craft convincing impersonation emails in under twenty minutes. The episode provides practical steps for auditing your own digital footprint, including what to check on search engines, how to review your Companies House entry, and why listing every software tool on LinkedIn might not be wise. This is not about disappearing from the internet; it is about making conscious choices about what you publish and understanding who else is reading it.

    Chapters
    • Welcome: Introduction to the concept of OSINT and how small businesses inadvertently publish reconnaissance material about themselves through normal business activities.
    • Body: A detailed walkthrough of public information sources including Companies House, LinkedIn, business websites, and social media. Explains how attackers use this data to construct targeted spear phishing campaigns, with practical examples of reconnaissance leading to invoice fraud and credential theft. Concludes with five actionable steps for auditing and managing your business’s public profile.
    • Outro: Final reminder that OSINT is simply reading publicly available information with intent, and that small businesses can reduce risk by auditing their own footprint and making conscious publishing decisions.
    Links
    • https://www.gov.uk/government/organisations/companies-house
    • https://www.linkedin.com
    • https://www.ncsc.gov.uk/guidance/phishing
    Links
    • https://www.expressvpn.com/blog/
    • https://techcrunch.com/
    • https://cybernews.com/
    • https://www.scmagazine.com/
    • https://www.bitdefender.com/
    • https://www.securitymagazine.com/
    • https://www.wired.com/
    • https://vpnmentor.com/
    11 min
  • Cyber Essentials Platform Transition: What the July Deadline Means for You
    2026/06/05

    The Cyber Essentials scheme is transitioning from its Willow platform to the new Danzell version, with a go-live date now set for 6 July. Noel Bradford cuts through the noise to explain what this extension actually means for small businesses holding or pursuing certification. If you are mid-assessment, you need to check with your certification body about completion requirements. If you are planning a new assessment, you will be working under the updated Danzell question set, which brings tightened wording and updated evidence requirements across the five core technical controls. Businesses often hear the word ‘extended’ and relax, but your certificate expiry date has not changed. Contract requirements remain in force. This episode walks through the practical steps you need to take now, whether you are renewing, starting fresh, or supporting clients through the transition. The platform update reflects real shifts in how small businesses operate, from cloud services to remote working. Prepare properly, read the updated guidance, and do not wait for your assessor to chase you.

    Chapters
    • Welcome: Noel Bradford introduces the topic: the Cyber Essentials platform transition, a shifted deadline, and why businesses need to update their plans accordingly.
    • Platform Transition Explained: The Cyber Essentials scheme is moving from Willow to Danzell, with a new go-live date of 6 July. Noel explains what each platform is, who runs the scheme, and why the word ‘extended’ does not mean businesses can relax. He covers what the transition means for mid-assessment businesses, those starting fresh, and the practical differences in the Danzell question set. The five core technical controls remain, but wording, scope questions, and evidence requirements have been updated. Noel warns against reusing old templates, stresses the importance of checking your certificate expiry date, and highlights the risk of confusing the platform delay with your personal compliance deadline. He also addresses MSPs and IT support businesses, urging them to communicate the change to clients now rather than waiting for panic calls later.
    • Outro: Noel summarises the key actions: talk to your certification body if you are mid-assessment, get the Danzell guidance if you are planning a new assessment, and check your certificate expiry date today. The extension is not a problem; ignoring it is.
    8 min
  • Passkeys Are Not Magic, But They Are Better Than Passwords
    2026/06/04

    Noel Bradford examines passkeys, a rare security improvement that reduces phishing risk and removes the burden of password memorisation. Drawing on NCSC guidance, he explains why passkeys are resistant to credential theft, how they use cryptography tied to the service you’re logging into, and why they can be easier for users than traditional passwords. He then offers practical adoption advice for small businesses: prioritise high-value accounts, choose approved credential managers, plan device recovery carefully, and train users without the hype. Passkeys won’t fix bad governance or unmanaged devices, but they do represent a serious upgrade from password-based authentication. For accounts that touch money, data, or admin access, this is progress worth planning properly.

    Chapters
    • Welcome: Noel opens by framing passkeys as a rare security improvement that may make life safer and less annoying. He notes the NCSC recommends using passkeys over passwords wherever they’re available, and describes passwords as tired after decades of asking normal people to behave like flawless security robots.
    • Why Passkeys Are Better Than Passwords: Noel explains that passkeys move the security burden from human memory to devices proving identity properly. They are resistant to phishing because they use cryptography tied to the service, so fake sites cannot trick users into handing over reusable secrets. He offers practical adoption advice: prioritise high-value accounts (admin, finance, email, cloud), choose approved credential managers, plan device recovery, train users in plain English, and avoid half-rolled-out projects. Passkeys do not fix bad governance or unmanaged devices, but they do reduce credential theft risk.
    • Outro: Noel closes by saying passkeys are not magic, but they are a serious upgrade from passwords. They reduce phishing risk and password fatigue. Check which key business services already support passkeys, prioritise critical accounts, document recovery, train users, and keep strong passwords and multi-factor authentication where passkeys are not yet available.
    Links
    • https://www.ncsc.gov.uk/collection/device-security-guidance/authentication-policy/use-passkeys-instead-of-passwords
    • https://www.cisa.gov/secure-our-world/use-strong-passwords
    11 min