• Your Business Is an Open Book
    2026/06/06

    Most small businesses have been building a public intelligence profile for years without realising it. Every LinkedIn update, team photo, and website contact page adds detail to a picture that anyone can view, including those with malicious intent. This episode examines open source intelligence (OSINT) and how publicly available information becomes the foundation for targeted attacks like spear phishing and invoice fraud. Noel Bradford walks through the reconnaissance process, from Companies House filings to social media posts, demonstrating how an attacker can map your business, identify key staff, and craft convincing impersonation emails in under twenty minutes. The episode provides practical steps for auditing your own digital footprint, including what to check on search engines, how to review your Companies House entry, and why listing every software tool on LinkedIn might not be wise. This is not about disappearing from the internet; it is about making conscious choices about what you publish and understanding who else is reading it.

    Chapters
    • Welcome: Introduction to the concept of OSINT and how small businesses inadvertently publish reconnaissance material about themselves through normal business activities.
    • Body: A detailed walkthrough of public information sources including Companies House, LinkedIn, business websites, and social media. Explains how attackers use this data to construct targeted spear phishing campaigns, with practical examples of reconnaissance leading to invoice fraud and credential theft. Concludes with five actionable steps for auditing and managing your business’s public profile.
    • Outro: Final reminder that OSINT is simply reading publicly available information with intent, and that small businesses can reduce risk by auditing their own footprint and making conscious publishing decisions.
    Links
    • https://www.gov.uk/government/organisations/companies-house
    • https://www.linkedin.com
    • https://www.ncsc.gov.uk/guidance/phishing
    Links
    • https://www.expressvpn.com/blog/
    • https://techcrunch.com/
    • https://cybernews.com/
    • https://www.scmagazine.com/
    • https://www.bitdefender.com/
    • https://www.securitymagazine.com/
    • https://www.wired.com/
    • https://vpnmentor.com/
    11 min
  • Cyber Essentials Platform Transition: What the July Deadline Means for You
    2026/06/05

    The Cyber Essentials scheme is transitioning from its Willow platform to the new Danzell version, with a go-live date now set for 6 July. Noel Bradford cuts through the noise to explain what this extension actually means for small businesses holding or pursuing certification. If you are mid-assessment, you need to check with your certification body about completion requirements. If you are planning a new assessment, you will be working under the updated Danzell question set, which brings tightened wording and updated evidence requirements across the five core technical controls. Businesses often hear the word ‘extended’ and relax, but your certificate expiry date has not changed. Contract requirements remain in force. This episode walks through the practical steps you need to take now, whether you are renewing, starting fresh, or supporting clients through the transition. The platform update reflects real shifts in how small businesses operate, from cloud services to remote working. Prepare properly, read the updated guidance, and do not wait for your assessor to chase you.

    Chapters
    • Welcome: Noel Bradford introduces the topic: the Cyber Essentials platform transition, a shifted deadline, and why businesses need to update their plans accordingly.
    • Platform Transition Explained: The Cyber Essentials scheme is moving from Willow to Danzell, with a new go-live date of 6 July. Noel explains what each platform is, who runs the scheme, and why the word ‘extended’ does not mean businesses can relax. He covers what the transition means for mid-assessment businesses, those starting fresh, and the practical differences in the Danzell question set. The five core technical controls remain, but wording, scope questions, and evidence requirements have been updated. Noel warns against reusing old templates, stresses the importance of checking your certificate expiry date, and highlights the risk of confusing the platform delay with your personal compliance deadline. He also addresses MSPs and IT support businesses, urging them to communicate the change to clients now rather than waiting for panic calls later.
    • Outro: Noel summarises the key actions: talk to your certification body if you are mid-assessment, get the Danzell guidance if you are planning a new assessment, and check your certificate expiry date today. The extension is not a problem; ignoring it is.
    8 min
  • Passkeys Are Not Magic, But They Are Better Than Passwords
    2026/06/04

    Noel Bradford examines passkeys, a rare security improvement that reduces phishing risk and removes the burden of password memorisation. Drawing on NCSC guidance, he explains why passkeys are resistant to credential theft, how they use cryptography tied to the service you’re logging into, and why they can be easier for users than traditional passwords. He then offers practical adoption advice for small businesses: prioritise high-value accounts, choose approved credential managers, plan device recovery carefully, and train users without the hype. Passkeys won’t fix bad governance or unmanaged devices, but they do represent a serious upgrade from password-based authentication. For accounts that touch money, data, or admin access, this is progress worth planning properly.

    Chapters
    • Welcome: Noel opens by framing passkeys as a rare security improvement that may make life safer and less annoying. He notes the NCSC recommends using passkeys over passwords wherever they’re available, and describes passwords as tired after decades of asking normal people to behave like flawless security robots.
    • Why Passkeys Are Better Than Passwords: Noel explains that passkeys move the security burden from human memory to devices proving identity properly. They are resistant to phishing because they use cryptography tied to the service, so fake sites cannot trick users into handing over reusable secrets. He offers practical adoption advice: prioritise high-value accounts (admin, finance, email, cloud), choose approved credential managers, plan device recovery, train users in plain English, and avoid half-rolled-out projects. Passkeys do not fix bad governance or unmanaged devices, but they do reduce credential theft risk.
    • Outro: Noel closes by saying passkeys are not magic, but they are a serious upgrade from passwords. They reduce phishing risk and password fatigue. Check which key business services already support passkeys, prioritise critical accounts, document recovery, train users, and keep strong passwords and multi-factor authentication where passkeys are not yet available.
    Links
    • https://www.ncsc.gov.uk/collection/device-security-guidance/authentication-policy/use-passkeys-instead-of-passwords
    • https://www.cisa.gov/secure-our-world/use-strong-passwords
    11 min
  • MFA Fatigue Is a Management Failure, Not a User Problem
    2026/06/03

    Multi-factor authentication is essential, but not all MFA is equal. When users receive vague, repeated, or poorly explained prompts, they start treating them like cookie banners: accept, accept, make it go away. Attackers exploit this fatigue by triggering prompts under pressure, impersonating IT support, or using social engineering to bypass weak helpdesk processes. This is not a user failure; it is a design and management failure. Businesses must reduce unnecessary authentication noise, use phishing-resistant methods like number matching, train staff to recognise unexpected prompts as attack signals, and strengthen identity verification processes. A reported prompt that turns out to be nothing is a working security culture. A prompt nobody reports because everyone fears looking stupid is how expensive conversations with insurers begin. MFA is a control, not a confession booth. If it fails, look at the whole process: the prompt design, the training, the helpdesk, the call-back procedures, and the culture that prioritises speed over verification. Stop blaming users for predictable mistakes in badly designed systems.

    Chapters
    • Welcome: Noel defends MFA while attacking poor MFA design, lazy user blame, and weak verification processes. Not all MFA is equal: some is clear and strong, some is so noisy and vague that users treat prompts like cookie banners. That is design failure, not user failure.
    • Body: Noel explains why MFA fatigue happens and how attackers exploit pressure, urgency, and process gaps. Attackers trigger repeated prompts, impersonate IT, and use social engineering. Businesses must ask why users received repeated prompts, why prompts were unclear, why training was absent, and why helpdesk processes were weak. MFA is a decision point, not a magic forcefield. UK SMBs should use number matching, reduce pointless prompts, teach staff what unexpected prompts mean, and strengthen helpdesk verification. MFA fatigue is often a management failure wearing a user blame costume. People are not the weakest link; unsupported people are.
    • Outro: Noel closes by stating that MFA is a control, not a confession booth. If it fails, look at the whole process: the prompt, the training, the helpdesk, the call-back process, the culture. Move away from simple push approval, train staff to report unexpected prompts, reduce authentication noise, and strengthen identity checks. Stop blaming users for predictable mistakes in badly designed systems.
    Links
    • https://www.ncsc.gov.uk/collection/small-business-guide
    • https://www.cisa.gov/
    • https://www.ftc.gov/business-guidance/small-businesses
    • https://www.fcc.gov/general/cybersecurity-small-business
    10 min
  • WiFi Surveillance: When Your Router Becomes a Camera
    2026/06/02

    WiFi feels like plumbing. It’s boring, invisible, and trusted by default. But research from Karlsruhe Institute of Technology shows that ordinary WiFi signals can now identify people with near-perfect accuracy, even when they’re not carrying an active device. This isn’t science fiction or a reason to panic. It’s a signal that infrastructure we consider neutral can become surveillance without looking like it. For small businesses, the challenge isn’t the technology itself. WiFi, sensors, CCTV, door access, and meeting room systems can all be genuinely useful. The problem is treating them as operational kit rather than privacy decisions. Noel Bradford walks through the uncomfortable reality that clever dashboards, vendor promises, and boring boxes on the ceiling can quietly collect more data than anyone has thought through. The solution isn’t to rip access points off the wall. It’s to stop assuming that boring infrastructure is harmless infrastructure, and to ask the awkward governance questions before the router starts behaving like a camera.

    Chapters
    • Welcome: Noel introduces WiFi identification research and frames it as an invisible surveillance problem, not a reason to panic.
    • Body: Noel explains the WiFi sensing research in plain English and connects it to privacy, small business infrastructure, CCTV-style thinking, and practical governance.
    • Outro: Noel closes by saying WiFi surveillance is not a panic story, but it proves infrastructure can become surveillance and needs governance.
    Links
    • https://www.sciencedaily.com/releases/2026/05/260522.htm
    12 min
  • When Your SaaS Dashboard Looks Like Times Square
    2026/05/29

    SaaS dashboards are increasingly cluttered with upsells, AI buttons, trial offers, and partner adverts, turning essential admin portals into noisy digital shopping centres. This creates a serious security problem: when every banner demands attention, users learn to ignore warnings, including genuine security alerts about suspicious logins, new integrations, or privilege changes. For small businesses managing limited admin resources, this clutter destroys the attention needed to spot real threats. The NCSC cloud security principles remind us that shared responsibility means businesses still own access, configuration, and data decisions, even in SaaS environments. SaaS sprawl compounds the issue: too many tools, too many integrations, too many admin accounts, and not enough people asking what each service can actually see. This is not just a usability complaint; it is a governance, supplier risk, and data protection concern. Vendors must stop treating admin portals like marketing real estate and give administrators clarity, exportable logs, and usable security signals. Small businesses, meanwhile, must review their SaaS estate, assign ownership, remove dormant integrations, enforce MFA, and route security alerts to monitored channels. Attention is a finite control, and SaaS clutter is selling it back to businesses one popup at a time.

    Chapters
    • Welcome: Noel opens by attacking the way SaaS dashboards now mix work, adverts, upsells, alerts, and AI clutter, arguing that when every button screams for attention, nobody hears the one that matters.
    • Body: Noel explains how cluttered SaaS dashboards create warning fatigue, hide security signals, increase integration risk, and make small businesses worse at managing cloud services. He covers shared responsibility under NCSC cloud security principles, the governance risks of SaaS sprawl, and practical steps for reviewing the SaaS estate, reducing noise, and demanding better vendor transparency.
    • Outro: Noel closes by arguing that SaaS clutter destroys attention and that small businesses need ownership, review, and better vendor questions. He provides a checklist: create a SaaS tool list, assign owners, remove unused integrations, route security alerts properly, and ask vendors how they separate security signals from marketing noise.
    Links
    • https://www.ncsc.gov.uk/collection/cloud/the-cloud-security-principles
    • https://www.cisa.gov/resources-tools/resources/secure-by-demand
    10 min
  • AI Vulnerability Discovery Will Make Patch Queues Worse
    2026/05/28

    AI-assisted vulnerability discovery is accelerating the rate at which security flaws are found and reported. For researchers and vendors, this is progress. For small businesses already struggling with patch management, it means more advisories, more prioritisation pressure, and more noise. Noel Bradford warns that faster discovery will expose weak processes, not fix them. Without a proper asset inventory, clear ownership, agreed maintenance windows, and documented exceptions, businesses risk drowning in patch queues they cannot manage. This episode cuts through the hype to explain why AI-driven vulnerability intelligence demands better fundamentals, not heroic firefighting. UK businesses can start with Cyber Essentials as a baseline for supported software and security updates. US organisations can map similar thinking through CISA’s Secure by Demand guidance. The message is consistent: faster threat intelligence only helps if your business can make faster, informed decisions. Speed without process is just louder failure.

    Chapters
    • Welcome: Noel opens by warning that AI-assisted vulnerability discovery may help defenders, but it will also increase patch pressure for small businesses.
    • Body: Noel explains that faster vulnerability discovery means more patch noise, more prioritisation pressure, and a greater need for asset inventory, supported software, and maintenance windows.
    • Outro: Noel closes by warning that AI will expose weak patch processes and gives practical SMB actions.
    Links
    • https://www.ncsc.gov.uk/
    • https://www.gov.uk/
    • https://www.ncsc.gov.uk/cyberessentials/overview
    • https://www.cisa.gov/
    10 min
  • Cyber Crime Is a Business Risk, Not Just an IT Budget Line
    2026/05/27

    Cyber crime has become a mainstream business risk, yet many UK SMBs still treat it as an IT problem to be quietly managed between printer issues and password resets. In this Hot Take, Noel Bradford argues that scams, fraud, ransomware, and account compromise belong on the risk register alongside cashflow, supplier risk, and customer retention. Drawing on recent British Chambers of Commerce data showing that 21% of firms experienced cyber attacks and 20% reported fraud or scams in the past year, Noel challenges the notion that security is an optional grudge purchase. He makes the case that cyber incidents ultimately land in the business, not just the server cupboard, affecting finance, operations, sales, HR, legal, and leadership. The episode reframes security spending as growth protection and resilience, not compliance theatre, and offers practical questions business owners should ask before an incident forces them to learn the hard way. For UK SMBs and US listeners alike, the message is clear: if cyber only lives in your IT budget, leadership has already failed the first test.

    Chapters
    • Welcome: Noel opens by framing cyber crime as a business problem with IT consequences, not just a server cupboard issue. He highlights the real costs: time lost, money lost, trust lost, growth delayed, and staff pulled into incidents they didn’t cause.
    • Cyber Crime as Business Risk: Noel unpacks recent British Chambers of Commerce data showing that 21% of UK firms experienced cyber attacks and 20% reported fraud or scams. He argues that cyber incidents, whether ransomware, invoice fraud, or account takeover, all land in the business, affecting finance, operations, sales, HR, legal, and leadership. He challenges the habit of treating cyber as a grudge purchase and calls for it to be budgeted alongside cashflow, supplier risk, and customer retention. The section includes US parallels via FTC and CISA guidance, and closes with practical questions business owners should ask to map risk, assign decision ownership, and plan resilience before an incident strikes.
    • Outro: Noel delivers the Hot Take: cyber crime is now a cost of doing business and must be treated as such. He urges leaders to add cyber and fraud to the risk register, review payment controls, assign incident decision owners, map critical systems, and budget for resilience. He warns that firewalls won’t fix weak governance or rebuild trust, and leadership must act before an incident, not during a panicked Teams call.
    Links
    • https://www.britishchambers.org.uk/
    • https://www.gov.uk/government/statistics/cyber-security-breaches-survey-2024
    • https://www.ftc.gov/business-guidance/small-businesses
    • https://www.cisa.gov/resources-tools/resources/small-business-resources
    13 min