The Small Business Cyber Security Guy | Cybersecurity for SMB & Startups

When Cybercrime Stops the Till: Why It's a Business Problem, Not IT's

12 min · 27. Mai 2026
Episode When Cybercrime Stops the Till: Why It's a Business Problem, Not IT's Cover

Beschreibung

Noel Bradford opens the episode with a blunt question: what does a cyber attack really cost your business? He takes us out of the server cupboard and into the meeting room, where time lost, money gone, reputations dented and growth stalled are the metrics that actually matter. Through vivid examples—payment fraud that empties a ledger, ransomware that freezes production, a supplier breach that hands customers to a competitor—Noel shows how an email, a weak password or a forgotten server can cascade into an existential business crisis. The narrative follows small businesses facing an uncomfortable truth: cybercrime is no longer an edge-case IT headache, it’s a predictable criminal business model that targets people, process and trust. Noel cites fresh data that brings the story to life—fraud, scams and attacks are climbing—and he paints a picture of criminals with playbooks, support desks and supply chains that mirror legitimate industry behaviour. The result? An urgent call to move cyber from back-office grudge purchase to front-page boardroom agenda. Rather than drowning listeners in technical jargon, the episode uses sharp, practical questions to reframe risk: what would stop you trading? which systems must be restored first? who can authorize emergency spend? Those questions drive the story into real-world decisions—payment controls, MFA, backup testing, supplier access reviews—and expose how leadership failures, not just missing patches, make incidents costly. Noel’s voice guides listeners from complacency to clarity. He unmasks common excuses—‘that server’s fine’, ‘we’ll sort it after the quarter’—and shows the human moments that save or sink companies: the staff member who spots a scam, the CFO who questions a change of bank details, the manager who can’t find an incident owner when minutes matter. The stakes are personal: customers lose trust, staff waste time, opportunities evaporate and the business pays the bill. The episode closes as a call to arms and to common sense. Cybersecurity becomes business continuity with a login prompt: add cybercrime to the risk register, map systems that stop trading, budget for resilience and, crucially, assign accountability. Noel leaves listeners with a clear storyline to act on—lead from the top, test your recovery, and treat cyber the cost of doing business before it treats you like lunch.

Kommentare

0

Sei die erste Person, die kommentiert

Melde dich jetzt an und werde Teil der The Small Business Cyber Security Guy | Cybersecurity for SMB & Startups-Community!

Loslegen

2 Monate für 1 €

Dann 4,99 € / Monat · Jederzeit kündbar.

  • Podcasts nur bei Podimo
  • 20 Stunden Hörbücher / Monat
  • Alle kostenlosen Podcasts

Alle Folgen

102 Folgen

Episode The Open Book Problem 2: How Public Records Teach Criminals Your Name Cover

The Open Book Problem 2: How Public Records Teach Criminals Your Name

Imagine someone who knows your director's calendar, your payroll provider, the IT stack listed in your job ad, and the name of the accountant who signs your invoices. They don't have to be a genius — they just read what you and the public have already told them. In this episode, Noel Bradford follows that clean, quiet path of reconnaissance from public registers to a phone call that sounds unmistakably legitimate. We open on a simple truth: most social engineering isn’t a cartoon villain guessing passwords in the dark. It’s research, timing and pressure dressed up as plausibility. Noel and Corin map the attacker’s five-step journey — selection, mapping, pretext, delivery and pressure — and show how every ordinary piece of public information becomes a tile in a convincing story. Set against the uniquely open UK landscape of registries, data brokers and oversharing on professional networks, the episode becomes a procedural drama. You’ll hear how a director’s LinkedIn post about a conference can set the stage for an urgent Friday payment request, how job ads can hand an attacker the exact platform to fake, and how a single helpdesk script can be the thin crack through which a whole company falls. Through vivid examples — supplier impersonation, emergency MFA resets, Teams messages that replicate a boss’s tone — the episode explains why static verification checks fail and why ‘because the director said so’ is an invitation to fraud. We discuss Scattered Spider not to sensationalise, but to show how identity support processes become attack surfaces and why attackers treat due diligence like reconnaissance with ill intent. Noel moves from problem to practice: concrete defensive moves you can implement today — map your public exposure, write down verification rules, require independent checks on sensitive requests, train staff on pretext and pressure (not just typos and bad links), and treat your helpdesk as a security control. The advice is practical, procedural and, yes, a little boring — because that’s exactly what prevents crime. By the end you’ll see the small, human moments that make social engineering succeed — a rushed payment, a polite phone call, a culture that prizes speed over verification — and how changing those moments can take away an attacker’s easiest building blocks. Tune in to learn what an attacker would find about your business before lunch, and what you can remove before they get hungry.

6. Juli 202621 min
Episode The Open Book Problem 1: How Your Public Records Become an Attackers' Roadmap Cover

The Open Book Problem 1: How Your Public Records Become an Attackers' Roadmap

They didn’t break in. They didn’t plant malware. They opened tabs, clicked links and joined the dots. In this episode we follow the quiet, methodical work of an attacker who builds a usable portrait of a UK small business director from nothing more than public records and a search box. It begins like a detective story and ends like a cautionary tale: Companies House entries, electoral data, LinkedIn posts, DNS records and job adverts become the clues that make fraud feel personal — because it is. Through the voices of Noel Bradford and Corrine Jefferson, the episode walks you through the attacker’s timeline: the first flick through Companies House to find directors and filing rhythms, the enrichment of that picture with open-register addresses and marketing data, the human-mapping on LinkedIn, and the technical fingerprint left in DNS, MX and certificate logs. Each step is ordinary, lawful and, crucially, assembled without a single hack. We make it concrete. In twenty minutes an attacker can produce a director profile, infer email providers, spot hiring signals that leak technology stacks, and spot behavioral seams to exploit. The lure is tailored; the language is familiar; the victim feels the email is meant for them. Social engineering stops being magic and becomes efficient administration with malicious intent — a repeatable, industrialized craft that preys on transparency. But this episode isn’t just alarmism. It frames the tension between public accountability and personal risk, showing why transparency designed for credit checks and journalism also creates a joined profile attackers love. We tell the story of how digital glitter — once data leaves its source — glints everywhere, and why suppression or removal is never instant or total. By the end you’ll feel that uncomfortable nudge: search your company on Companies House, check service addresses, review LinkedIn and job adverts, and audit your domain’s email records. The narrative closes by setting the scene for the next chapter in the series and challenging every listener to ask: what did I find about myself that an attacker could use first?

29. Juni 202620 min
Episode The Firewall Fallacy: Fortinet, KEVs and the Cost of Complacency Cover

The Firewall Fallacy: Fortinet, KEVs and the Cost of Complacency

A firewall cannot save you from being badly run. For years, small businesses have been sold the idea that a perimeter box equals protection. When Fortinet disclosed exploited authentication bypass vulnerabilities, added to CISA's Known Exploited Vulnerabilities catalogue, the uncomfortable truth surfaced again: the firewall is not a wall. It is a computer at the edge of your network that runs software, has management access, and can be compromised. Defence in Depth means using multiple security layers so that when one fails, another slows the attacker, limits damage, or helps you spot the problem. The NCSC describes this as reducing single points of failure. Yet many small businesses still operate flat networks with exposed management, weak identity, old firmware, missing logs, and untested backups. This episode unpacks the Fortinet advisory, challenges the green dashboard culture, and delivers a practical checklist for the twenty-person firm. The panel argues about MSP accountability, board responsibility, and the difference between buying comfort and buying outcomes. No vendor worship. No reassurance fog. Just evidence, ownership, and the hard questions businesses should ask before the next advisory drops.

22. Juni 202639 min
Episode Erased from the Web: The Fight Over a Child's Moment Cover

Erased from the Web: The Fight Over a Child's Moment

Should Schools Remove Pupil Photos from Public Websites? A school removes all identifiable pupil photos from its website and social media. A parent complains their child's sporting achievement has been erased. The safeguarding lead sees reduced risk. The marketing lead sees lost warmth. The headteacher is caught in the middle. This What If Wednesday unpacks the tension between celebration and safeguarding in an era of facial recognition, AI manipulation, and permanent digital trails. The panel explores lawful basis, consent limits, metadata risks, and why public celebration no longer requires handing children's identities to the open internet. Practical guidance covers policy design, parent communication, safer storytelling, image audits, and leadership decisions. Schools can still celebrate pupils without treating them as searchable marketing assets. Chapters * Cold Open: The Complaint A school strips identifiable pupil photos from its public channels. A parent says their child's sporting achievement has been erased. The tension between pride, safety, and marketing is introduced. * Welcome: What If Wednesday The panel frames the scenario as a practical discussion for schools, parents, and trustees navigating image use in a changed online landscape. * The Trap Schools Walked Into Why schools published pupil photos for good reasons, and why that old model now needs urgent review in light of scraping, AI tools, and permanent exposure. * Consent Is Not a Magic Cloak Lawful basis, transparency, withdrawal rights, and why parental consent does not eliminate technical or safeguarding risk once images are public. * The New Risk Is Not Theoretical Scraping, facial matching, AI manipulation, metadata, blackmail, and cumulative exposure. The threat landscape around public pupil images has fundamentally changed. * Midroll Bumper: The Decision Point A short reset. The parent, marketing lead, and safeguarding lead are all justified. The answer is safer celebration, not silence or defensiveness. * What The School Should Say To The Parent Empathetic communication that acknowledges pride, explains the decision, and offers safer alternatives without reversing the safeguarding boundary. * What Marketing Should Do Instead How schools can still convey warmth, identity, and community without relying on identifiable pupil faces on open platforms. Storytelling, not just stock images. * What The Policy Needs On Monday Morning Practical action list: audit existing images, classify risk levels, define review questions, update parent communication, fix workflows, train staff, and review annually. * The Leadership Decision Leaders must decide what public celebration looks like now, give staff cover, avoid informal negotiation after every event, and frame the policy as protection and recognition. * Outro: The Answer Hold the safeguarding line. Explain properly. Offer safer celebration. Do the boring work. A school can celebrate children without turning them into searchable marketing assets.

15. Juni 202627 min
Episode Birthday Audit: Brutal Lessons for Small Business Cybersecurity Cover

Birthday Audit: Brutal Lessons for Small Business Cybersecurity

Noel Bradford and Mauven MacLeod mark the first anniversary of The Small Business Cyber Security Guy by doing what they ask of small businesses: an honest review. No self-congratulation, no marketing gloss. Instead, the hosts correct the mistakes that mattered, including overuse of misleading breach statistics, presenting multi-factor authentication as a finish line rather than a foundation, and underestimating the practical friction of supplier conversations. They revisit the year's core messages that held up under scrutiny: cyber security is a business problem, not just an IT task; backups are only meaningful if they have been tested; and certificates are not controls. Graham Falkner, Lucy Harper, and Corrine Jefferson each share what surprised them most during the year, touching on logging discipline, accountability gaps after breaches, and the increasing speed of identity-driven attacks. The episode closes with a clear-eyed look at what remains broken, including weak accountability structures, the persistent myth that small businesses are too small to target, and the widespread failure to test recovery processes. Listeners receive three practical actions for the week: test a file restore, strengthen MFA on privileged accounts, and disable old user logins. The hosts also introduce two new daily shows joining the SBCSG network in year two. The Daily Time Drop - https://open.spotify.com/show/033t7F4gTRfns0waaq7kHR?si=d859cf22a62f4f8f [https://open.spotify.com/show/033t7F4gTRfns0waaq7kHR?si=d859cf22a62f4f8f] UK Government - https://www.gov.uk/government/statistics/cyber-security-breaches-survey-2024 [https://www.gov.uk/government/statistics/cyber-security-breaches-survey-2024] National Cyber Security Centre - https://www.ncsc.gov.uk/collection/phishing-resistant-authentication [https://www.ncsc.gov.uk/collection/phishing-resistant-authentication]

8. Juni 202639 min