The Small Business Cyber Security Guy | Cybersecurity for SMB & Startups

By: The Small Business Cyber Security Guy

The UK's leading small business cybersecurity podcast, helping SMEs protect against cyber threats without breaking the bank.

Join cybersecurity veterans Noel Bradford (CIO at Boutique Security First MSP) and Mauven MacLeod (ex-UK Government Cyber Analyst) as they translate enterprise-level security expertise into practical, affordable solutions for UK small businesses.

🎯 WHAT YOU'LL LEARN:

  • Cyber Essentials certification guidance
  • Protecting against ransomware & phishing attacks
  • GDPR compliance for small businesses
  • Supply chain & third-party security risks
  • Cloud security & remote work protection
  • Budget-friendly cybersecurity tools & strategies

🏆 PERFECT FOR:

  • UK small business owners (5-50 employees)
  • Startup founders & entrepreneurs
  • SME managers responsible for IT security
  • Professional services firms
  • Anyone wanting practical cyber protection advice

Every episode delivers actionable cybersecurity advice that you can implement immediately, featuring real UK case studies

The Small Business Cyber Security Guy Productions
Episodes
  • Birthday Audit: Brutal Lessons for Small Business Cybersecurity
    2026/06/08

    Noel Bradford and Mauven MacLeod mark the first anniversary of The Small Business Cyber Security Guy by doing what they ask of small businesses: an honest review. No self-congratulation, no marketing gloss. Instead, the hosts correct the mistakes that mattered, including overuse of misleading breach statistics, presenting multi-factor authentication as a finish line rather than a foundation, and underestimating the practical friction of supplier conversations.

    They revisit the year's core messages that held up under scrutiny: cyber security is a business problem, not just an IT task; backups are only meaningful if they have been tested; and certificates are not controls. Graham Falkner, Lucy Harper, and Corrine Jefferson each share what surprised them most during the year, touching on logging discipline, accountability gaps after breaches, and the increasing speed of identity-driven attacks.

    The episode closes with a clear-eyed look at what remains broken, including weak accountability structures, the persistent myth that small businesses are too small to target, and the widespread failure to test recovery processes. Listeners receive three practical actions for the week: test a file restore, strengthen MFA on privileged accounts, and disable old user logins. The hosts also introduce two new daily shows joining the SBCSG network in year two.

    The Daily Time Drop - https://open.spotify.com/show/033t7F4gTRfns0waaq7kHR?si=d859cf22a62f4f8f

    UK Government - https://www.gov.uk/government/statistics/cyber-security-breaches-survey-2024

    National Cyber Security Centre - https://www.ncsc.gov.uk/collection/phishing-resistant-authentication

    39 min
  • If Your MSP Says ‘All Good’, Can They Prove It?
    2026/06/01

    It starts with a slow ticket, a missing laptop and a printer staging yet another tiny rebellion — the kind of problems every small business sees and understands. But behind those visible slips is a quieter, far more dangerous story: patches that didn’t run, MFA that wasn’t enforced, backups that wouldn’t restore. In this episode Noel Bradford and a panel of experts follow a simple, devastating question: if your MSP says everything is fine, what can they actually prove?

    Through a sharp, practical conversation with Mit Patel, founder of Assurix, we peel back the sales decks and the polite reassurances to show how “managed IT” can mean very different things. Mit explains the difference between promises and live evidence — not certificates from three years ago, but ongoing proof that patching, EDR, backups and identity controls are working over time. Graham brings the arithmetic that spoils the cheap quote, Corinne maps the attacker’s path, and Lucy explores the trust problem buyers face when asked to pick a provider with almost no usable evidence.

    Listeners are walked through the exact questions every business owner can ask without becoming a security expert: show me 90 days of patching and backup evidence; show me MFA enforcement and exceptions; explain your offboarding process and its real cost; who owns proactive maintenance and how much time do they spend on it? We hear why continuous assurance matters for cyber insurance and why a green report on one day isn’t the same as discipline over months.

    The episode doesn't preach panic — it prescribes better questions and better accountability. You’ll hear concrete examples of what good looks like: enforced MFA, tested backups, measurable patch compliance, named escalation paths, fair offboarding and evidence dashboards a human can understand. And if your MSP can’t show that evidence, the episode explains why price comparisons alone are dangerous and how under-resourced security becomes a real business risk.

    By the end you’ll understand the simple premise that guides the discussion: service is visible, security is invisible — until it fails. This episode arms small business leaders with a narrative and a checklist to turn vague reassurances into verifiable proof, and gives good MSPs a roadmap to show their value beyond the lowest price. Ask for evidence, not a fleece and a smile.

    36 min
  • MFA Fatigue Is a Management Failure, Not a User Problem
    2026/05/31

    Multi-factor authentication is essential, but not all MFA is equal. When users receive vague, repeated, or poorly explained prompts, they start treating them like cookie banners: accept, accept, make it go away. Attackers exploit this fatigue by triggering prompts under pressure, impersonating IT support, or using social engineering to bypass weak helpdesk processes. This is not a user failure; it is a design and management failure. Businesses must reduce unnecessary authentication noise, use phishing-resistant methods like number matching, train staff to recognise unexpected prompts as attack signals, and strengthen identity verification processes.

    A reported prompt that turns out to be nothing is a working security culture. A prompt nobody reports because everyone fears looking stupid is how expensive conversations with insurers begin. MFA is a control, not a confession booth. If it fails, look at the whole process: the prompt design, the training, the helpdesk, the call-back procedures, and the culture that prioritises speed over verification. Stop blaming users for predictable mistakes in badly designed systems.

    10 min