The Small Business Cyber Security Guy | Cybersecurity for SMB & Startups

Podcast by The Small Business Cyber Security Guy

English

Business

About The Small Business Cyber Security Guy | Cybersecurity for SMB & Startups

The UK's leading small business cybersecurity podcast, helping SMEs protect against cyber threats without breaking the bank. Join cybersecurity veterans Noel Bradford (CIO at Boutique Security First MSP) and Mauven MacLeod (ex-UK Government Cyber Analyst) as they translate enterprise-level security expertise into practical, affordable solutions for UK small businesses.

🎯 WHAT YOU'LL LEARN:

  • Cyber Essentials certification guidance
  • Protecting against ransomware & phishing attacks
  • GDPR compliance for small businesses
  • Supply chain & third-party security risks
  • Cloud security & remote work protection
  • Budget-friendly cybersecurity tools & strategies

🏆 PERFECT FOR:

  • UK small business owners (5-50 employees)
  • Startup founders & entrepreneurs
  • SME managers responsible for IT security
  • Professional services firms
  • Anyone wanting practical cyber protection advice

Every episode delivers actionable cybersecurity advice that you can implement immediately, featuring real UK case studies

All episodes

95 episodes

Shadow AI Is Just Shadow IT Wearing a Cape

Shadow AI has already arrived in most UK small businesses, often through browser tabs, SaaS tool sidebars, and helpful buttons that promise to improve text. Staff are using AI to rewrite emails, summarise meetings, polish proposals, and speed up admin tasks, frequently without approval, policy, or controls. This is shadow IT all over again, but faster and with better branding. The problem is not the technology itself, but unmanaged data movement into systems nobody has reviewed. Noel Bradford explains why banning AI without offering safe approved routes will fail, why hope is not an AI governance model, and why businesses need practical data controls that give staff clear lanes: low-risk generic tasks, controlled handling of customer data, and hard stops for sensitive material. UK Government guidance and NCSC advice make clear that AI changes the threat landscape, but the basics still matter. This episode cuts through the hype to deliver straightforward guidance on approved tools, supplier checks, human review, and early mistake reporting. AI policy is not about stopping progress; it is about stopping progress from leaking your business into someone else's platform.

30 May 2026 - 15 min

Pop-Ups, Upsells & Risk: Taming the Noisy World of SaaS Admin Dashboards

Imagine opening your SaaS admin panel and walking into Times Square: flashing upsells, trial banners, an AI button nobody asked for, and a marketplace pitch vying for your click. In this episode, Noel Bradford—your Security Guy—takes you through that sensory overload and shows how it’s not just annoying design; it’s a security problem. When every notification screams for attention, the real alarms get lost in the noise. Through vivid scenes and sharp examples, Noel explains how attention itself is a control: systems that drown users in marketing clutter train people to ignore banners, default prompts, and even vital security warnings. He weaves practical stories about suspicious sign-ins buried under upgrade offers, API tokens created beside glossy feature tours, and admin portals that bury logs behind paywalls, painting a clear picture of how SaaS sprawl turns convenience into hidden risk for small businesses. The episode moves from diagnosis to action. Noel lays out a no-nonsense checklist—inventory your SaaS estate, assign owners, remove unused integrations and dormant admins, enforce MFA, and route genuine security alerts to a monitored place—then challenges listeners to ask vendors hard questions about log access and whether security features are deliberately gated behind premium plans. Part cautionary tale, part practical guide, this episode blends storytelling with actionable advice so listeners leave energized to declutter their dashboards and protect their businesses. If your work tools look like a shopping center, expect people to treat warnings like adverts. Listen in, then reclaim attention as the critical control it is.

Yesterday - 10 min

AI vs The Patch Queue: When Faster Discovery Breaks Business

Noel Bradford opens the episode with a wry grin and a simple warning: AI has put a jet engine on vulnerability discovery, and that turbocharged speed is coming straight for your patch queue. He paints a scene that starts idyllic—researchers, vendors, and defenders holding hands in a meadow—and then smashes it into the small-business reality everyone knows: an ageing accounts package, two neglected servers, a printer that suddenly has feelings, and a spreadsheet last updated by someone called Maybe James. Through sharp, conversational storytelling, Noel follows the trail from shiny headlines about faster vulnerability discovery to the quieter, nastier truth: more findings mean more advisories, more tickets, and more decisions. For teams already drowning in alerts—endpoint warnings, vendor advisories, and countless scanner results—AI doesn’t rescue them. It simply shines a brighter light on the rot. The episode becomes a practical parable about what actually prevents breaches: fundamentals. Noel walks listeners through the essentials as if he were guiding a reluctant business owner around a cluttered workshop—build a real asset inventory (not a mythical one), assign clear ownership, book maintenance windows that aren’t pretend, and document exceptions with accountability. He explains how these mundane actions are the real defenses, not the latest headline-grabbing CVE score. But the story isn’t all doom. Noel argues that AI can help—if your processes are mature. Faster discovery can help defenders and vendors if decisions are made quickly and sensibly. The heart of the episode is a leadership appeal: patch management is a business problem that touches operations, budgets, and reputations. When the business says “no” to maintenance and “later” to upgrades, it builds a swamp, and IT is left to slog through it. 
The episode closes on a clear, rallying note: the AI patch wave is coming, and the question isn’t whether new vulnerabilities will appear—it’s whether your organisation has a process or just Dave, a spreadsheet, and a headache. Listen for practical measures, memorable metaphors, and a call to treat patching as governance, not theatre—because speed is now the test of your maturity.

28 May 2026 - 10 min

When Cybercrime Stops the Till: Why It's a Business Problem, Not IT's

Noel Bradford opens the episode with a blunt question: what does a cyber attack really cost your business? He takes us out of the server cupboard and into the meeting room, where time lost, money gone, reputations dented and growth stalled are the metrics that actually matter. Through vivid examples—payment fraud that empties a ledger, ransomware that freezes production, a supplier breach that hands customers to a competitor—Noel shows how an email, a weak password or a forgotten server can cascade into an existential business crisis. The narrative follows small businesses facing an uncomfortable truth: cybercrime is no longer an edge-case IT headache, it’s a predictable criminal business model that targets people, process and trust. Noel cites fresh data that brings the story to life—fraud, scams and attacks are climbing—and he paints a picture of criminals with playbooks, support desks and supply chains that mirror legitimate industry behaviour. The result? An urgent call to move cyber from back-office grudge purchase to front-page boardroom agenda. Rather than drowning listeners in technical jargon, the episode uses sharp, practical questions to reframe risk: what would stop you trading? which systems must be restored first? who can authorize emergency spend? Those questions drive the story into real-world decisions—payment controls, MFA, backup testing, supplier access reviews—and expose how leadership failures, not just missing patches, make incidents costly. Noel’s voice guides listeners from complacency to clarity. He unmasks common excuses—‘that server’s fine’, ‘we’ll sort it after the quarter’—and shows the human moments that save or sink companies: the staff member who spots a scam, the CFO who questions a change of bank details, the manager who can’t find an incident owner when minutes matter. The stakes are personal: customers lose trust, staff waste time, opportunities evaporate and the business pays the bill. 
The episode closes as a call to arms and to common sense. Cybersecurity becomes business continuity with a login prompt: add cybercrime to the risk register, map systems that stop trading, budget for resilience and, crucially, assign accountability. Noel leaves listeners with a clear storyline to act on—lead from the top, test your recovery, and treat cyber as the cost of doing business before it treats you like lunch.

27 May 2026 - 12 min

Don't Worship the Green Tick: Why Backups Won't Save You

Noel Bradford opens the episode with a provocation: backups are sacred in small businesses, but too often they're a comforting myth. Picture a bright Monday at 9am — the backup dashboard is full of green ticks, the MSP report lands in an inbox that breathes a little easier, and then a criminal in muddy boots asks the question nobody practised: what can you actually recover, by when, and who knows how? This episode walks listeners through the moments when assumptions collapse. It's not the encryption that usually kills a business — it's the downtime, the missing passwords, the licence keys lost in a cupboard of doom, the renamed folders that quietly excluded critical data for years. Bradford stitches together real-world missteps into a narrative that makes the stakes painfully clear: a back-up is an ingredient, not a plan. You'll hear why green ticks and dashboards are little more than participation trophies unless somebody has rehearsed the restore. The host paints vivid scenes of restores that take days, data that is stale, and the awkward management meetings that follow: "Why didn't anyone test this?" — a question delivered with the cool late-arrival of hindsight. Practical guidance arrives as character and plot: follow the NCSC ransomware guidance, heed ICO data-protection duties if personal data is involved, and for U.S. listeners map the same hard lessons to Stop Ransomware guidance. The episode turns policy into action — keep protected copies, separate backup admin access, document recovery priorities, and most importantly, test restores so that belief becomes evidence. Bradford dismantles cloud complacency with a sharp scene: Microsoft 365 or Google Workspace may keep a service running, but platform availability is not the same as your ability to recover a deleted or compromised dataset. That gap is where assumptions die — and where attackers exploit your good intentions. 
The heart of the episode is a series of hard questions that force organisations out of warm thinking and into recovery planning: what systems must be back by lunchtime, who declares the incident, who calls the insurer, how do you contact staff and customers if email is gone, and where are the credentials if your password manager is offline? Each question is a beat in the story, a test of whether a business has a plan or just hope. By the end, the message is plain and urgent: buy recovery, not reassurance. Test restores, document processes, define Recovery Time and Point Objectives in plain English, protect copies from deletion, and rehearse the incident playbook until the drama becomes boring. The episode closes like a scene change — make recovery ordinary now, before attackers make it dramatic.

26 May 2026 - 10 min