Noel Bradford and Mauven MacLeod mark the first anniversary of The Small Business Cyber Security Guy by doing what they ask of small businesses: an honest review. No self-congratulation, no marketing gloss. Instead, the hosts correct the mistakes that mattered, including overuse of misleading breach statistics, presenting multi-factor authentication as a finish line rather than a foundation, and underestimating the practical friction of supplier conversations.

They revisit the year's core messages that held up under scrutiny: cyber security is a business problem, not just an IT task; backups are only meaningful if they have been tested; and certificates are not controls. Graham Falkner, Lucy Harper, and Corrine Jefferson each share what surprised them most during the year, touching on logging discipline, accountability gaps after breaches, and the increasing speed of identity-driven attacks.

The episode closes with a clear-eyed look at what remains broken, including weak accountability structures, the persistent myth that small businesses are too small to target, and the widespread failure to test recovery processes. Listeners receive three practical actions for the week: test a file restore, strengthen MFA on privileged accounts, and disable old user logins. The hosts also introduce two new daily shows joining the SBCSG network in year two.

The Daily Time Drop - https://open.spotify.com/show/033t7F4gTRfns0waaq7kHR?si=d859cf22a62f4f8f UK Government - https://www.gov.uk/government/statistics/cyber-security-breaches-survey-2024

National Cyber Security Centre - https://www.ncsc.gov.uk/collection/phishing-resistant-authentication

It starts with a slow ticket, a missing laptop and a printer staging yet another tiny rebellion — the kind of problems every small business sees and understands. But behind those visible slips is a quieter, far more dangerous story: patches that didn’t run, MFA that wasn’t enforced, backups that wouldn’t restore. In this episode Noel Bradford and a panel of experts follow a simple, devastating question: if your MSP says everything is fine, what can they actually prove?

Through a sharp, practical conversation with Mit Patel, founder of Assurix, we peel back the sales decks and the polite reassurances to show how “managed IT” can mean very different things. Mit explains the difference between promises and live evidence — not certificates from three years ago, but ongoing proof that patching, EDR, backups and identity controls are working over time. Graham brings the arithmetic that spoils the cheap quote, Corinne maps the attacker’s path, and Lucy explores the trust problem buyers face when asked to pick a provider with almost no usable evidence.

Listeners are walked through the exact questions every business owner can ask without becoming a security expert: show me 90 days of patching and backup evidence; show me MFA enforcement and exceptions; explain your offboarding process and its real cost; who owns proactive maintenance and how much time do they spend on it? We hear why continuous assurance matters for cyber insurance and why a green report on one day isn’t the same as discipline over months.

The episode doesn't preach panic — it prescribes better questions and better accountability. You’ll hear concrete examples of what good looks like: enforced MFA, tested backups, measurable patch compliance, named escalation paths, fair offboarding and evidence dashboards a human can understand. And if your MSP can’t show that evidence, the episode explains why price comparisons alone are dangerous and how under-resourced security becomes a real business risk.

By the end you’ll understand the simple premise that guides the discussion: service is visible, security is invisible — until it fails. This episode arms small business leaders with a narrative and a checklist to turn vague reassurances into verifiable proof, and gives good MSPs a roadmap to show their value beyond the lowest price. Ask for evidence, not a fleece and a smile.

Multi-factor authentication is essential, but not all MFA is equal. When users receive vague, repeated, or poorly explained prompts, they start treating them like cookie banners: accept, accept, make it go away. Attackers exploit this fatigue by triggering prompts under pressure, impersonating IT support, or using social engineering to bypass weak helpdesk processes. This is not a user failure; it is a design and management failure. Businesses must reduce unnecessary authentication noise, use phishing-resistant methods like number matching, train staff to recognise unexpected prompts as attack signals, and strengthen identity verification processes.

A reported prompt that turns out to be nothing is a working security culture. A prompt nobody reports because everyone fears looking stupid is how expensive conversations with insurers begin. MFA is a control, not a confession booth. If it fails, look at the whole process: the prompt design, the training, the helpdesk, the call-back procedures, and the culture that prioritises speed over verification. Stop blaming users for predictable mistakes in badly designed systems.

Shadow AI has already arrived in most UK small businesses, often through browser tabs, SaaS tool sidebars, and helpful buttons that promise to improve text. Staff are using AI to rewrite emails, summarise meetings, polish proposals, and speed up admin tasks, frequently without approval, policy, or controls. This is shadow IT all over again, but faster and with better branding. The problem is not the technology itself, but unmanaged data movement into systems nobody has reviewed.

Noel Bradford explains why banning AI without offering safe approved routes will fail, why hope is not an AI governance model, and why businesses need practical data controls that give staff clear lanes: low-risk generic tasks, controlled handling of customer data, and hard stops for sensitive material. UK Government guidance and NCSC advice make clear that AI changes the threat landscape, but the basics still matter. This episode cuts through the hype to deliver straightforward guidance on approved tools, supplier checks, human review, and early mistake reporting. AI policy is not about stopping progress; it is about stopping progress from leaking your business into someone else's platform.

Imagine opening your SaaS admin panel and walking into Times Square: flashing upsells, trial banners, an AI button nobody asked for, and a marketplace pitch vying for your click. In this episode, Noel Bradford—your Security Guy—takes you through that sensory overload and shows how it’s not just annoying design; it’s a security problem. When every notification screams for attention, the real alarms get lost in the noise.

Through vivid scenes and sharp examples, Noel explains how attention itself is a control: systems that drown users in marketing clutter train people to ignore banners, default prompts, and even vital security warnings. He weaves practical stories about suspicious sign-ins buried under upgrade offers, API tokens created beside glossy feature tours, and admin portals that bury logs behind paywalls, painting a clear picture of how SaaS sprawl turns convenience into hidden risk for small businesses.

The episode moves from diagnosis to action. Noel lays out a no-nonsense checklist—inventory your SaaS estate, assign owners, remove unused integrations and dormant admins, enforce MFA, and route genuine security alerts to a monitored place—then challenges listeners to ask vendors hard questions about log access and whether security features are deliberately gated behind premium plans.

Part cautionary tale, part practical guide, this episode blends storytelling with actionable advice so listeners leave energized to declutter their dashboards and protect their businesses. If your work tools look like a shopping center, expect people to treat warnings like adverts. Listen in, then reclaim attention as the critical control it is.

Noel Bradford opens the episode with a wry grin and a simple warning: AI has put a jet engine on vulnerability discovery, and that turbocharged speed is coming straight for your patch queue. He paints a scene that starts idyllic—researchers, vendors, and defenders holding hands in a meadow—and then smashes it into the small-business reality everyone knows: an ageing accounts package, two neglected servers, a printer that suddenly has feelings, and a spreadsheet last updated by someone called Maybe James.

Through sharp, conversational storytelling, Noel follows the trail from shiny headlines about faster vulnerability discovery to the quieter, nastier truth: more findings mean more advisories, more tickets, and more decisions. For teams already drowning in alerts—endpoint warnings, vendor advisories, and countless scanner results—AI doesn’t rescue them. It simply shines a brighter light on the rot.

The episode becomes a practical parable about what actually prevents breaches: fundamentals. Noel walks listeners through the essentials as if he were guiding a reluctant business owner around a cluttered workshop—build a real asset inventory (not a mythical one), assign clear ownership, book maintenance windows that aren’t pretend, and document exceptions with accountability. He explains how these mundane actions are the real defenses, not the latest headline-grabbing CVE score.

But the story isn’t all doom. Noel argues that AI can help—if your processes are mature. Faster discovery can help defenders and vendors if decisions are made quickly and sensibly. The heart of the episode is a leadership appeal: patch management is a business problem that touches operations, budgets, and reputations. When the business says “no” to maintenance and “later” to upgrades, it builds a swamp, and IT is left to slog through it.

The episode closes on a clear, rallying note: the AI patch wave is coming, and the question isn’t whether new vulnerabilities will appear—it’s whether your organisation has a process or just Dave, a spreadsheet, and a headache. Listen for practical measures, memorable metaphors, and a call to treat patching as governance, not theatre—because speed is now the test of your maturity.

Noel Bradford opens the episode with a blunt question: what does a cyber attack really cost your business? He takes us out of the server cupboard and into the meeting room, where time lost, money gone, reputations dented and growth stalled are the metrics that actually matter. Through vivid examples—payment fraud that empties a ledger, ransomware that freezes production, a supplier breach that hands customers to a competitor—Noel shows how an email, a weak password or a forgotten server can cascade into an existential business crisis.

The narrative follows small businesses facing an uncomfortable truth: cybercrime is no longer an edge-case IT headache, it’s a predictable criminal business model that targets people, process and trust. Noel cites fresh data that brings the story to life—fraud, scams and attacks are climbing—and he paints a picture of criminals with playbooks, support desks and supply chains that mirror legitimate industry behaviour. The result? An urgent call to move cyber from back-office grudge purchase to front-page boardroom agenda.

Rather than drowning listeners in technical jargon, the episode uses sharp, practical questions to reframe risk: what would stop you trading? which systems must be restored first? who can authorize emergency spend? Those questions drive the story into real-world decisions—payment controls, MFA, backup testing, supplier access reviews—and expose how leadership failures, not just missing patches, make incidents costly.

Noel’s voice guides listeners from complacency to clarity. He unmasks common excuses—‘that server’s fine’, ‘we’ll sort it after the quarter’—and shows the human moments that save or sink companies: the staff member who spots a scam, the CFO who questions a change of bank details, the manager who can’t find an incident owner when minutes matter. The stakes are personal: customers lose trust, staff waste time, opportunities evaporate and the business pays the bill.

The episode closes as a call to arms and to common sense. Cybersecurity becomes business continuity with a login prompt: add cybercrime to the risk register, map systems that stop trading, budget for resilience and, crucially, assign accountability. Noel leaves listeners with a clear storyline to act on—lead from the top, test your recovery, and treat cyber the cost of doing business before it treats you like lunch.

Noel Bradford opens the episode with a provocation: backups are sacred in small businesses, but too often they're a comforting myth. Picture a bright Monday at 9am — the backup dashboard is full of green ticks, the MSP report lands in an inbox that breathes a little easier, and then a criminal in muddy boots asks the question nobody practised: what can you actually recover, by when, and who knows how?

This episode walks listeners through the moments when assumptions collapse. It's not the encryption that usually kills a business — it's the downtime, the missing passwords, the licence keys lost in a cupboard of doom, the renamed folders that quietly excluded critical data for years. Bradford stitches together real-world missteps into a narrative that makes the stakes painfully clear: a back-up is an ingredient, not a plan.

You'll hear why green ticks and dashboards are little more than participation trophies unless somebody has rehearsed the restore. The host paints vivid scenes of restores that take days, data that is stale, and the awkward management meetings that follow: "Why didn't anyone test this?" — a question delivered with the cool late-arrival of hindsight.

Practical guidance arrives as character and plot: follow the NCSC ransomware guidance, heed ICO data-protection duties if personal data is involved, and for U.S. listeners map the same hard lessons to Stop Ransomware guidance. The episode turns policy into action — keep protected copies, separate backup admin access, document recovery priorities, and most importantly, test restores so that belief becomes evidence.

Bradford dismantles cloud complacency with a sharp scene: Microsoft 365 or Google Workspace may keep a service running, but platform availability is not the same as your ability to recover a deleted or compromised dataset. That gap is where assumptions die — and where attackers exploit your good intentions.

The heart of the episode is a series of hard questions that force organisations out of warm thinking and into recovery planning: what systems must be back by lunchtime, who declares the incident, who calls the insurer, how do you contact staff and customers if email is gone, and where are the credentials if your password manager is offline? Each question is a beat in the story, a test of whether a business has a plan or just hope.

By the end, the message is plain and urgent: buy recovery, not reassurance. Test restores, document processes, define Recovery Time and Point Objectives in plain English, protect copies from deletion, and rehearse the incident playbook until the drama becomes boring. The episode closes like a scene change — make recovery ordinary now, before attackers make it dramatic.