The Small Business Cyber Security Guy | Cybersecurity for SMB & Startups

Pop-Ups, Upsells & Risk: Taming the Noisy World of SaaS Admin Dashboards

10 min · 29 de may de 2026
Portada del episodio Pop-Ups, Upsells & Risk: Taming the Noisy World of SaaS Admin Dashboards

Descripción

Imagine opening your SaaS admin panel and walking into Times Square: flashing upsells, trial banners, an AI button nobody asked for, and a marketplace pitch vying for your click. In this episode, Noel Bradford—your Security Guy—takes you through that sensory overload and shows how it’s not just annoying design; it’s a security problem. When every notification screams for attention, the real alarms get lost in the noise. Through vivid scenes and sharp examples, Noel explains how attention itself is a control: systems that drown users in marketing clutter train people to ignore banners, default prompts, and even vital security warnings. He weaves practical stories about suspicious sign-ins buried under upgrade offers, API tokens created beside glossy feature tours, and admin portals that bury logs behind paywalls, painting a clear picture of how SaaS sprawl turns convenience into hidden risk for small businesses. The episode moves from diagnosis to action. Noel lays out a no-nonsense checklist—inventory your SaaS estate, assign owners, remove unused integrations and dormant admins, enforce MFA, and route genuine security alerts to a monitored place—then challenges listeners to ask vendors hard questions about log access and whether security features are deliberately gated behind premium plans. Part cautionary tale, part practical guide, this episode blends storytelling with actionable advice so listeners leave energized to declutter their dashboards and protect their businesses. If your work tools look like a shopping center, expect people to treat warnings like adverts. Listen in, then reclaim attention as the critical control it is.

Comentarios

0

Sé la primera persona en comentar

¡Regístrate ahora y únete a la comunidad de The Small Business Cyber Security Guy | Cybersecurity for SMB & Startups!

Prueba gratis

Empieza 7 días de prueba

$99 / mes después de la prueba. · Cancela cuando quieras.

  • Podcasts solo en Podimo
  • 20 horas de audiolibros al mes
  • Podcast gratuitos

Todos los episodios

102 episodios

episode The Open Book Problem 2: How Public Records Teach Criminals Your Name artwork

The Open Book Problem 2: How Public Records Teach Criminals Your Name

Imagine someone who knows your director's calendar, your payroll provider, the IT stack listed in your job ad, and the name of the accountant who signs your invoices. They don't have to be a genius — they just read what you and the public have already told them. In this episode, Noel Bradford follows that clean, quiet path of reconnaissance from public registers to a phone call that sounds unmistakably legitimate. We open on a simple truth: most social engineering isn’t a cartoon villain guessing passwords in the dark. It’s research, timing and pressure dressed up as plausibility. Noel and Corin map the attacker’s five-step journey — selection, mapping, pretext, delivery and pressure — and show how every ordinary piece of public information becomes a tile in a convincing story. Set against the uniquely open UK landscape of registries, data brokers and oversharing on professional networks, the episode becomes a procedural drama. You’ll hear how a director’s LinkedIn post about a conference can set the stage for an urgent Friday payment request, how job ads can hand an attacker the exact platform to fake, and how a single helpdesk script can be the thin crack through which a whole company falls. Through vivid examples — supplier impersonation, emergency MFA resets, Teams messages that replicate a boss’s tone — the episode explains why static verification checks fail and why ‘because the director said so’ is an invitation to fraud. We discuss Scattered Spider not to sensationalise, but to show how identity support processes become attack surfaces and why attackers treat due diligence like reconnaissance with ill intent. Noel moves from problem to practice: concrete defensive moves you can implement today — map your public exposure, write down verification rules, require independent checks on sensitive requests, train staff on pretext and pressure (not just typos and bad links), and treat your helpdesk as a security control. The advice is practical, procedural and, yes, a little boring — because that’s exactly what prevents crime. By the end you’ll see the small, human moments that make social engineering succeed — a rushed payment, a polite phone call, a culture that prizes speed over verification — and how changing those moments can take away an attacker’s easiest building blocks. Tune in to learn what an attacker would find about your business before lunch, and what you can remove before they get hungry.

6 de jul de 202621 min
episode The Open Book Problem 1: How Your Public Records Become an Attackers' Roadmap artwork

The Open Book Problem 1: How Your Public Records Become an Attackers' Roadmap

They didn’t break in. They didn’t plant malware. They opened tabs, clicked links and joined the dots. In this episode we follow the quiet, methodical work of an attacker who builds a usable portrait of a UK small business director from nothing more than public records and a search box. It begins like a detective story and ends like a cautionary tale: Companies House entries, electoral data, LinkedIn posts, DNS records and job adverts become the clues that make fraud feel personal — because it is. Through the voices of Noel Bradford and Corrine Jefferson, the episode walks you through the attacker’s timeline: the first flick through Companies House to find directors and filing rhythms, the enrichment of that picture with open-register addresses and marketing data, the human-mapping on LinkedIn, and the technical fingerprint left in DNS, MX and certificate logs. Each step is ordinary, lawful and, crucially, assembled without a single hack. We make it concrete. In twenty minutes an attacker can produce a director profile, infer email providers, spot hiring signals that leak technology stacks, and spot behavioral seams to exploit. The lure is tailored; the language is familiar; the victim feels the email is meant for them. Social engineering stops being magic and becomes efficient administration with malicious intent — a repeatable, industrialized craft that preys on transparency. But this episode isn’t just alarmism. It frames the tension between public accountability and personal risk, showing why transparency designed for credit checks and journalism also creates a joined profile attackers love. We tell the story of how digital glitter — once data leaves its source — glints everywhere, and why suppression or removal is never instant or total. By the end you’ll feel that uncomfortable nudge: search your company on Companies House, check service addresses, review LinkedIn and job adverts, and audit your domain’s email records. The narrative closes by setting the scene for the next chapter in the series and challenging every listener to ask: what did I find about myself that an attacker could use first?

29 de jun de 202620 min
episode The Firewall Fallacy: Fortinet, KEVs and the Cost of Complacency artwork

The Firewall Fallacy: Fortinet, KEVs and the Cost of Complacency

A firewall cannot save you from being badly run. For years, small businesses have been sold the idea that a perimeter box equals protection. When Fortinet disclosed exploited authentication bypass vulnerabilities, added to CISA's Known Exploited Vulnerabilities catalogue, the uncomfortable truth surfaced again: the firewall is not a wall. It is a computer at the edge of your network that runs software, has management access, and can be compromised. Defence in Depth means using multiple security layers so that when one fails, another slows the attacker, limits damage, or helps you spot the problem. The NCSC describes this as reducing single points of failure. Yet many small businesses still operate flat networks with exposed management, weak identity, old firmware, missing logs, and untested backups. This episode unpacks the Fortinet advisory, challenges the green dashboard culture, and delivers a practical checklist for the twenty-person firm. The panel argues about MSP accountability, board responsibility, and the difference between buying comfort and buying outcomes. No vendor worship. No reassurance fog. Just evidence, ownership, and the hard questions businesses should ask before the next advisory drops.

22 de jun de 202639 min
episode Erased from the Web: The Fight Over a Child's Moment artwork

Erased from the Web: The Fight Over a Child's Moment

Should Schools Remove Pupil Photos from Public Websites? A school removes all identifiable pupil photos from its website and social media. A parent complains their child's sporting achievement has been erased. The safeguarding lead sees reduced risk. The marketing lead sees lost warmth. The headteacher is caught in the middle. This What If Wednesday unpacks the tension between celebration and safeguarding in an era of facial recognition, AI manipulation, and permanent digital trails. The panel explores lawful basis, consent limits, metadata risks, and why public celebration no longer requires handing children's identities to the open internet. Practical guidance covers policy design, parent communication, safer storytelling, image audits, and leadership decisions. Schools can still celebrate pupils without treating them as searchable marketing assets. Chapters * Cold Open: The Complaint A school strips identifiable pupil photos from its public channels. A parent says their child's sporting achievement has been erased. The tension between pride, safety, and marketing is introduced. * Welcome: What If Wednesday The panel frames the scenario as a practical discussion for schools, parents, and trustees navigating image use in a changed online landscape. * The Trap Schools Walked Into Why schools published pupil photos for good reasons, and why that old model now needs urgent review in light of scraping, AI tools, and permanent exposure. * Consent Is Not a Magic Cloak Lawful basis, transparency, withdrawal rights, and why parental consent does not eliminate technical or safeguarding risk once images are public. * The New Risk Is Not Theoretical Scraping, facial matching, AI manipulation, metadata, blackmail, and cumulative exposure. The threat landscape around public pupil images has fundamentally changed. * Midroll Bumper: The Decision Point A short reset. The parent, marketing lead, and safeguarding lead are all justified. The answer is safer celebration, not silence or defensiveness. * What The School Should Say To The Parent Empathetic communication that acknowledges pride, explains the decision, and offers safer alternatives without reversing the safeguarding boundary. * What Marketing Should Do Instead How schools can still convey warmth, identity, and community without relying on identifiable pupil faces on open platforms. Storytelling, not just stock images. * What The Policy Needs On Monday Morning Practical action list: audit existing images, classify risk levels, define review questions, update parent communication, fix workflows, train staff, and review annually. * The Leadership Decision Leaders must decide what public celebration looks like now, give staff cover, avoid informal negotiation after every event, and frame the policy as protection and recognition. * Outro: The Answer Hold the safeguarding line. Explain properly. Offer safer celebration. Do the boring work. A school can celebrate children without turning them into searchable marketing assets.

15 de jun de 202627 min
episode Birthday Audit: Brutal Lessons for Small Business Cybersecurity artwork

Birthday Audit: Brutal Lessons for Small Business Cybersecurity

Noel Bradford and Mauven MacLeod mark the first anniversary of The Small Business Cyber Security Guy by doing what they ask of small businesses: an honest review. No self-congratulation, no marketing gloss. Instead, the hosts correct the mistakes that mattered, including overuse of misleading breach statistics, presenting multi-factor authentication as a finish line rather than a foundation, and underestimating the practical friction of supplier conversations. They revisit the year's core messages that held up under scrutiny: cyber security is a business problem, not just an IT task; backups are only meaningful if they have been tested; and certificates are not controls. Graham Falkner, Lucy Harper, and Corrine Jefferson each share what surprised them most during the year, touching on logging discipline, accountability gaps after breaches, and the increasing speed of identity-driven attacks. The episode closes with a clear-eyed look at what remains broken, including weak accountability structures, the persistent myth that small businesses are too small to target, and the widespread failure to test recovery processes. Listeners receive three practical actions for the week: test a file restore, strengthen MFA on privileged accounts, and disable old user logins. The hosts also introduce two new daily shows joining the SBCSG network in year two. The Daily Time Drop - https://open.spotify.com/show/033t7F4gTRfns0waaq7kHR?si=d859cf22a62f4f8f [https://open.spotify.com/show/033t7F4gTRfns0waaq7kHR?si=d859cf22a62f4f8f] UK Government - https://www.gov.uk/government/statistics/cyber-security-breaches-survey-2024 [https://www.gov.uk/government/statistics/cyber-security-breaches-survey-2024] National Cyber Security Centre - https://www.ncsc.gov.uk/collection/phishing-resistant-authentication [https://www.ncsc.gov.uk/collection/phishing-resistant-authentication]

8 de jun de 202639 min