The Open Book Problem 1: How Your Public Records Become an Attackers' Roadmap

The Open Book Problem 1: How Your Public Records Become an Attackers' Roadmap

They didn’t break in. They didn’t plant malware. They opened tabs, clicked links and joined the dots. In this episode we follow the quiet, methodical work of an attacker who builds a usable portrait of a UK small business director from nothing more than public records and a search box. It begins like a detective story and ends like a cautionary tale: Companies House entries, electoral data, LinkedIn posts, DNS records and job adverts become the clues that make fraud feel personal — because it is. Through the voices of Noel Bradford and Corrine Jefferson, the episode walks you through the attacker’s timeline: the first flick through Companies House to find directors and filing rhythms, the enrichment of that picture with open-register addresses and marketing data, the human-mapping on LinkedIn, and the technical fingerprint left in DNS, MX and certificate logs. Each step is ordinary, lawful and, crucially, assembled without a single hack. We make it concrete. In twenty minutes an attacker can produce a director profile, infer email providers, spot hiring signals that leak technology stacks, and spot behavioral seams to exploit. The lure is tailored; the language is familiar; the victim feels the email is meant for them. Social engineering stops being magic and becomes efficient administration with malicious intent — a repeatable, industrialized craft that preys on transparency. But this episode isn’t just alarmism. It frames the tension between public accountability and personal risk, showing why transparency designed for credit checks and journalism also creates a joined profile attackers love. We tell the story of how digital glitter — once data leaves its source — glints everywhere, and why suppression or removal is never instant or total. By the end you’ll feel that uncomfortable nudge: search your company on Companies House, check service addresses, review LinkedIn and job adverts, and audit your domain’s email records. The narrative closes by setting the scene for the next chapter in the series and challenging every listener to ask: what did I find about myself that an attacker could use first?

The Firewall Fallacy: Fortinet, KEVs and the Cost of Complacency

A firewall cannot save you from being badly run. For years, small businesses have been sold the idea that a perimeter box equals protection. When Fortinet disclosed exploited authentication bypass vulnerabilities, added to CISA's Known Exploited Vulnerabilities catalogue, the uncomfortable truth surfaced again: the firewall is not a wall. It is a computer at the edge of your network that runs software, has management access, and can be compromised. Defence in Depth means using multiple security layers so that when one fails, another slows the attacker, limits damage, or helps you spot the problem. The NCSC describes this as reducing single points of failure. Yet many small businesses still operate flat networks with exposed management, weak identity, old firmware, missing logs, and untested backups. This episode unpacks the Fortinet advisory, challenges the green dashboard culture, and delivers a practical checklist for the twenty-person firm. The panel argues about MSP accountability, board responsibility, and the difference between buying comfort and buying outcomes. No vendor worship. No reassurance fog. Just evidence, ownership, and the hard questions businesses should ask before the next advisory drops.

Erased from the Web: The Fight Over a Child's Moment

Should Schools Remove Pupil Photos from Public Websites? A school removes all identifiable pupil photos from its website and social media. A parent complains their child's sporting achievement has been erased. The safeguarding lead sees reduced risk. The marketing lead sees lost warmth. The headteacher is caught in the middle. This What If Wednesday unpacks the tension between celebration and safeguarding in an era of facial recognition, AI manipulation, and permanent digital trails. The panel explores lawful basis, consent limits, metadata risks, and why public celebration no longer requires handing children's identities to the open internet. Practical guidance covers policy design, parent communication, safer storytelling, image audits, and leadership decisions. Schools can still celebrate pupils without treating them as searchable marketing assets. Chapters * Cold Open: The Complaint A school strips identifiable pupil photos from its public channels. A parent says their child's sporting achievement has been erased. The tension between pride, safety, and marketing is introduced. * Welcome: What If Wednesday The panel frames the scenario as a practical discussion for schools, parents, and trustees navigating image use in a changed online landscape. * The Trap Schools Walked Into Why schools published pupil photos for good reasons, and why that old model now needs urgent review in light of scraping, AI tools, and permanent exposure. * Consent Is Not a Magic Cloak Lawful basis, transparency, withdrawal rights, and why parental consent does not eliminate technical or safeguarding risk once images are public. * The New Risk Is Not Theoretical Scraping, facial matching, AI manipulation, metadata, blackmail, and cumulative exposure. The threat landscape around public pupil images has fundamentally changed. * Midroll Bumper: The Decision Point A short reset. The parent, marketing lead, and safeguarding lead are all justified. The answer is safer celebration, not silence or defensiveness. * What The School Should Say To The Parent Empathetic communication that acknowledges pride, explains the decision, and offers safer alternatives without reversing the safeguarding boundary. * What Marketing Should Do Instead How schools can still convey warmth, identity, and community without relying on identifiable pupil faces on open platforms. Storytelling, not just stock images. * What The Policy Needs On Monday Morning Practical action list: audit existing images, classify risk levels, define review questions, update parent communication, fix workflows, train staff, and review annually. * The Leadership Decision Leaders must decide what public celebration looks like now, give staff cover, avoid informal negotiation after every event, and frame the policy as protection and recognition. * Outro: The Answer Hold the safeguarding line. Explain properly. Offer safer celebration. Do the boring work. A school can celebrate children without turning them into searchable marketing assets.

Birthday Audit: Brutal Lessons for Small Business Cybersecurity

Noel Bradford and Mauven MacLeod mark the first anniversary of The Small Business Cyber Security Guy by doing what they ask of small businesses: an honest review. No self-congratulation, no marketing gloss. Instead, the hosts correct the mistakes that mattered, including overuse of misleading breach statistics, presenting multi-factor authentication as a finish line rather than a foundation, and underestimating the practical friction of supplier conversations. They revisit the year's core messages that held up under scrutiny: cyber security is a business problem, not just an IT task; backups are only meaningful if they have been tested; and certificates are not controls. Graham Falkner, Lucy Harper, and Corrine Jefferson each share what surprised them most during the year, touching on logging discipline, accountability gaps after breaches, and the increasing speed of identity-driven attacks. The episode closes with a clear-eyed look at what remains broken, including weak accountability structures, the persistent myth that small businesses are too small to target, and the widespread failure to test recovery processes. Listeners receive three practical actions for the week: test a file restore, strengthen MFA on privileged accounts, and disable old user logins. The hosts also introduce two new daily shows joining the SBCSG network in year two. The Daily Time Drop - https://open.spotify.com/show/033t7F4gTRfns0waaq7kHR?si=d859cf22a62f4f8f [https://open.spotify.com/show/033t7F4gTRfns0waaq7kHR?si=d859cf22a62f4f8f] UK Government - https://www.gov.uk/government/statistics/cyber-security-breaches-survey-2024 [https://www.gov.uk/government/statistics/cyber-security-breaches-survey-2024] National Cyber Security Centre - https://www.ncsc.gov.uk/collection/phishing-resistant-authentication [https://www.ncsc.gov.uk/collection/phishing-resistant-authentication]

If Your MSP Says ‘All Good’, Can They Prove It?

It starts with a slow ticket, a missing laptop and a printer staging yet another tiny rebellion — the kind of problems every small business sees and understands. But behind those visible slips is a quieter, far more dangerous story: patches that didn’t run, MFA that wasn’t enforced, backups that wouldn’t restore. In this episode Noel Bradford and a panel of experts follow a simple, devastating question: if your MSP says everything is fine, what can they actually prove? Through a sharp, practical conversation with Mit Patel, founder of Assurix, we peel back the sales decks and the polite reassurances to show how “managed IT” can mean very different things. Mit explains the difference between promises and live evidence — not certificates from three years ago, but ongoing proof that patching, EDR, backups and identity controls are working over time. Graham brings the arithmetic that spoils the cheap quote, Corinne maps the attacker’s path, and Lucy explores the trust problem buyers face when asked to pick a provider with almost no usable evidence. Listeners are walked through the exact questions every business owner can ask without becoming a security expert: show me 90 days of patching and backup evidence; show me MFA enforcement and exceptions; explain your offboarding process and its real cost; who owns proactive maintenance and how much time do they spend on it? We hear why continuous assurance matters for cyber insurance and why a green report on one day isn’t the same as discipline over months. The episode doesn't preach panic — it prescribes better questions and better accountability. You’ll hear concrete examples of what good looks like: enforced MFA, tested backups, measurable patch compliance, named escalation paths, fair offboarding and evidence dashboards a human can understand. And if your MSP can’t show that evidence, the episode explains why price comparisons alone are dangerous and how under-resourced security becomes a real business risk. By the end you’ll understand the simple premise that guides the discussion: service is visible, security is invisible — until it fails. This episode arms small business leaders with a narrative and a checklist to turn vague reassurances into verifiable proof, and gives good MSPs a roadmap to show their value beyond the lowest price. Ask for evidence, not a fleece and a smile.