What if the best way to protect your business isn't copying what the successful companies do, but avoiding what the failures did wrong? Welcome to reverse benchmarking, the cybersecurity equivalent of learning from other people's face-plants so you don't repeat them.
In this episode, Noel and Mauven flip traditional benchmarking on its head. Instead of asking "what are the best companies doing?", they explore the far more revealing question: "what did the disasters get catastrophically wrong?" From the Target breach via an HVAC vendor to ransomware attacks on UK holiday parks, the hosts dissect spectacular cybersecurity failures to extract practical lessons for small businesses.
You'll discover why copying enterprise best practices often backfires for SMBs, how compliance creates dangerous false security, and practical ways to build your own "disaster library" of lessons learned. Plus, the hosts reveal why some of the worst cybersecurity advice comes from studying successful companies rather than failed ones.
This isn't just negativity packaged as strategy. It's a systematic approach to identifying your business's genuine vulnerabilities by examining where others fell through the cracks. Because in cybersecurity, knowing what not to do is often more valuable than copying what others claim works.
Why This Episode Matters
One in three small businesses were hit by cyberattacks last year. The average cost? A quarter of a million pounds, with some reaching seven million. But here's the crushing statistic: 60% of small businesses close within six months of a cyber incident.
Traditional benchmarking tells you to copy what big enterprises do. Reverse benchmarking shows you what kills businesses like yours, so you can avoid becoming the cautionary tale in someone else's podcast.
Key Takeaways
1. Traditional Benchmarking Often Fails SMBs
Copying FTSE 100 security on a shoestring budget is a losing game
Enterprise solutions don't scale down effectively
By the time you copy last year's "best practice," threats have evolved
Context matters more than copying
2. Compliance ā Security
Being compliant doesn't mean you're secure
Compliance is like passing your driving test - it proves you know the rules, not that you'll never crash
Checkbox culture creates dangerous complacency
Attackers don't check your certifications before striking
3. The Statistics Are Sobering
One third of SMBs hit by cyberattacks annually
Average breach cost: Ā£250,000
Some breaches: Ā£7 million
60% of small businesses close within six months post-attack
NCSC estimates 50% of UK SMBs will experience a breach each year
4. Real-World Disasters Teach Practical Lessons
Target breach: Lost $162 million because HVAC vendor credentials weren't properly segmented
Colonial Pipeline: Shutdown of major US fuel infrastructure from weak VPN password
UK holiday park ransomware: Peak season attack forced cash-only operations
Common thread: Basic security fundamentals ignored
5. Third-Party Risks Are Existential
61% of breaches involve third-party access
Small vendors create backdoors into larger networks
Your security is only as strong as your weakest supplier
Segment vendor access ruthlessly
6. Practical Implementation Steps
Build your own "disaster library" of relevant failures
Hold quarterly "what went wrong" review sessions
Map your business to failed case studies
Ask "could this happen to us?" for every breach you read about
Create no-blame culture for reporting near-misses
Detailed Show Notes
Introduction (00:00 - 01:24)
Noel poses a simple question: in the pub, what do people talk about? Their wins, mostly. This episode does the opposite by examining failures instead of successes. The hosts introduce "reverse benchmarking" as the Darwin Awards of cybersecurity, learning from others' digital disasters rather than bragging about fancy firewalls.
Key Quote: "Learn from other people's face-plants so we don't repeat them."
What Is Reverse Benchmarking? (01:24 - 03:46)
Traditional benchmarking means copying what successful companies do. Reverse benchmarking flips this around: study the worst failures in your industry and make certain you don't repeat them.
The Problem with Traditional Benchmarking:
Big enterprises have massive IT teams and unlimited budgets
Trying to copy enterprise security on SMB resources is futile
Benchmarking looks backwards - by the time you implement, hackers have moved on
If everyone in your industry has the same gap, benchmarking won't reveal it
Why It Matters Now:
One third of SMBs were hit by cyberattacks in the past year
Average cost: Ā£250,000, with some reaching Ā£7 million
60% of small businesses close within six months of a cyberattack
Most small business owners still think they're too small to be targeted
UK Context: The National Cyber Security Centre (NCSC) estimates around half of UK SMBs will experience a breach each year. Coin flip odds. If you're sitting in a board meeting saying "hackers won't bother with us," you might as well hang a sign reading "free Wi-Fi, no password."
The Compliance Trap (03:46 - 06:15)
Many businesses believe being compliant means they're secure. This is cybersecurity's biggest misconception.
Compliance vs Security:
Compliance is like passing your driving test - it means you know the rules, not that you'll never crash
Or that you're a good driver
Microsoft's security GM: "Some SMBs believe being compliant means they're safe. It doesn't."
Hackers don't check whether you've got ISO certification before attacking
The Checkbox Culture:
"We did our annual password change. Job done."
Hackers respond: "Challenge accepted."
Following checklists creates false sense of security
Real security requires ongoing vigilance, not annual tick-boxes
The Hidden Risk: If everyone in your industry has the same security gap but meets the same compliance standards, benchmarking against them won't reveal your shared vulnerability. You're all vulnerable together, congratulating each other on your certifications.
Case Study 1: The Target Breach (06:15 - 09:42)
One of retail history's most infamous breaches demonstrates how third-party access becomes a catastrophic liability.
What Happened:
December 2013: Hackers stole 40 million credit card numbers and 70 million customer records
Entry point: HVAC contractor with network access
Attackers used vendor credentials to access Target's corporate network
Then moved laterally to payment systems
The Aftermath:
Direct losses: $162 million
CEO resigned
CIO resigned
Board chairman resigned
Countless hours dealing with breach response, forensics, legal battles
The Lesson: Your security is only as strong as your weakest supplier. That HVAC company, plumber, or IT consultant with network access? They're potential backdoors. Target's enterprise-grade security was bypassed through a small contractor's weak credentials.
For Small Businesses:
61% of breaches involve third-party access
Small businesses often provide services to larger enterprises
Your compromise becomes their breach
Vendor management isn't optional
Practical Actions:
Segment vendor access ruthlessly
No contractor needs access to your entire network
Use separate credentials for third parties
Monitor vendor access continuously
Regular vendor security audits
Case Study 2: Colonial Pipeline (09:42 - 12:28)
In May 2021, a single compromised password shut down a major fuel pipeline supplying 45% of the US East Coast's fuel.
What Happened:
Ransomware attack forced shutdown of 5,500-mile pipeline
Entry point: Weak VPN password
No multi-factor authentication (MFA) on VPN access
Company paid $4.4 million ransom (partially recovered later)
The Impact:
Fuel shortages across southeastern United States
Panic buying, price spikes
Emergency government declarations
Week-long shutdown of critical infrastructure
The Lesson: Credentials are your front door. If you're not protecting them properly, you've left the door unlocked with a welcome mat out for attackers.
For Small Businesses: The Colonial Pipeline didn't fail because of sophisticated zero-day exploits or nation-state malware. They failed because they didn't have MFA enabled on remote access.
Your Action Items:
Enable MFA everywhere, particularly VPN access
Enforce strong password policies
Monitor for credential compromise
Phishing-resistant MFA (hardware tokens or biometrics) for privileged access
Regular access reviews
The Cost-Benefit Reality:
Hardware security keys: Ā£40-70 per user
Potential breach cost: Ā£250,000 average
MFA prevents 99.9% of automated credential attacks
The mathematics are straightforward
Case Study 3: UK Holiday Park Ransomware (12:28 - 15:15)
Closer to home, a UK holiday park discovered that timing matters when ransomware strikes.
What Happened:
Ransomware attack during peak summer season
All booking systems encrypted
Payment processing down
Guest check-ins disrupted
The Business Impact:
Had to operate cash-only during busiest period
Couldn't process new bookings
Lost revenue during most profitable weeks
Guest experience severely compromised
Reputation damage
The Lesson: Attackers choose timing deliberately. They struck during peak season when the business would be most desperate to restore operations quickly and most likely to pay the ransom.
For Small Businesses: Seasonal businesses are particularly vulnerable during peak periods. That's precisely when attackers strike, knowing you can't afford downtime.
Your Defence Strategy:
Offline, air-gapped backups tested regularly
Incident response plan practiced before peak season
Alternative payment processing methods ready
Staff trained on ransomware procedures
Crisis communication templates prepared
The Backup Reality: Having backups isn't enough. You need to test restoration procedures. The middle of a ransomware attack is not the time to discover your backups don't work or take three weeks to restore.
Why Reverse Benchmarking Works Better (15:15 - 17:45)
Traditional approaches focus on aspirational goals. Reverse benchmarking focuses on avoiding catastrophic failures.
The Psychological Advantage:
Failures provide concrete examples of what not to do
Success stories often omit the messy details
Disasters reveal the actual attack patterns you'll face
Real consequences make lessons stick
The Practical Advantage:
You learn what actually breaks in the real world
Not theoretical best practices that might work
Understand attack chains step by step
See how small gaps become massive breaches
The Cost Advantage:
Avoiding one disaster pays for years of modest security investment
You don't need enterprise budgets to avoid enterprise mistakes
Focus resources on genuine vulnerabilities
Not on impressive-sounding but irrelevant controls
The Timeliness Advantage:
Recent failures reflect current threat landscape
More relevant than last year's "best practices"
See how threats evolve in real-time
Adapt defences to actual attack methods
Building Your Disaster Library (17:45 - 19:29)
Practical implementation of reverse benchmarking for your business.
Step 1: Collect Relevant Failures
Focus on breaches in similar-sized businesses
Same industry or adjacent sectors
Similar technology stack
Geographic relevance (UK regulations, threat actors)
Step 2: Quarterly Review Sessions
"What went wrong" meetings with your team
Review recent breaches systematically
Ask: "Could this happen to us?"
Identify similar vulnerabilities in your environment
Step 3: Map to Your Environment
For each breach, trace the attack path
Identify which elements exist in your business
Where are your equivalent vulnerabilities?
What would the impact be if it happened to you?
Step 4: Prioritise Actions
Not every lesson requires immediate implementation
Focus on high-probability, high-impact scenarios first
Quick wins vs long-term projects
Balance cost against realistic risk
Step 5: Create Your "Anti-Playbook"
Document what you'll never do based on failure analysis
Share with team so everyone knows the "forbidden" approaches
Update as new disasters emerge
Make it living document, not static policy
Resources to Monitor:
NCSC Weekly Threat Reports
Information Commissioner's Office (ICO) breach reports
Industry-specific security bulletins
UK Cyber Security News
Global breach databases with UK filter
Creating a No-Blame Culture (19:29 - 20:45)
If people hide mistakes, you lose the chance to fix vulnerabilities before an actual breach occurs.
The Aviation Model: Airlines improve safety by fostering no-blame culture for near-misses. They want to hear about every close call so they can fix systemic issues before disaster strikes.
Applying This to Cybersecurity: If Janet in accounting falls for a phishing test, berating her is counterproductive. Instead, make it a learning opportunity for everyone. Next time, she might be the one to spot a real phishing attempt and save your business.
Practical Implementation:
"Lessons learned" sessions, not "who screwed up" meetings
Focus on systems and processes, not individuals
Reward reporting of near-misses
Share failures anonymously when needed
Celebrate catches of suspicious activity
The Payoff: Fear doesn't work. Education does. When people feel safe reporting potential issues, you catch problems early before they become breaches.
Summary and Call to Action (20:45 - 21:37)
Sometimes the best way to secure your business is by studying the worst failures out there and doing the opposite.
Key Principles:
Traditional benchmarking can lead you astray for SMBs
Reverse benchmarking provides genuine security advantage
Study disasters: Target, Colonial Pipeline, holiday park ransomware
Build it into regular practice, not one-off exercise
Your Mindset Shift: Think of yourself as Sherlock Holmes of cyber failures. Every incident is a case study that makes your business smarter. In cybersecurity, boring is good. If nothing's happening, it means your defences are working.
Immediate Actions:
Start your disaster library this week
Schedule your first quarterly review session
Map one recent breach to your business environment
Implement one lesson learned from this episode
Share this approach with your team
Resources Mentioned
Statistics and Studies
National Cyber Security Centre (NCSC): UK SMB breach probability estimates
Microsoft Security: Compliance vs security research
Industry reports: 61% of breaches involve third-party access
Bernard Ma: Quote on benchmarking limitations
Case Studies Referenced
Target Corporation data breach (2013): HVAC vendor compromise, 40 million cards stolen, $162 million loss
Colonial Pipeline ransomware (2021): VPN password compromise, $4.4 million ransom, critical infrastructure shutdown
UK holiday park ransomware: Peak season attack, cash-only operations
UK Regulatory and Advisory Bodies
National Cyber Security Centre (NCSC): www.ncsc.gov.uk
Information Commissioner's Office (ICO): www.ico.org.uk
Recommended Reading
NCSC Weekly Threat Reports
ICO breach notifications and enforcement actions
Industry-specific security bulletins
UK Cyber Security News aggregators
Practical Checklist: Start Your Reverse Benchmarking Practice
This Week:
Create a folder or document for your "disaster library"
Sign up for NCSC weekly threat report emails
Identify three recent breaches in businesses similar to yours
Schedule your first quarterly "what went wrong" review meeting
This Month:
Map one major breach to your business environment
Identify your equivalent vulnerabilities to the mapped breach
Implement one quick-win lesson from disaster analysis
Share this approach with your leadership team
This Quarter:
Hold your first formal reverse benchmarking session
Build your "anti-playbook" of forbidden approaches
Establish no-blame reporting culture for near-misses
Review and update third-party access controls
Ongoing:
Weekly review of new breach reports
Monthly check: "Could this happen to us?"
Quarterly team review sessions
Annual comprehensive vulnerability mapping
Questions for Your Team
Use these discussion prompts in your quarterly review sessions:
Which recent breach in our industry most closely resembles our business model?
Do we have the same entry points that attackers used in [specific breach]?
What would be our equivalent business impact if we experienced this type of attack?
Which quick fixes could we implement this month to avoid similar failures?
What systemic vulnerabilities do we share with failed organisations?
Are we making the same assumptions that led to their breach?
Would our backup and recovery process work in a real crisis?
Do our third-party vendors have access they don't need?
Where are we relying on compliance rather than actual security?
What's our single point of failure that resembles their weakness?
Next Episode Preview
Episode 30: The Office Printer Hacker Saga
Yes, office printers are a genuine security risk. Sounds hilarious, but it's genuinely scary. We'll explore why that seemingly innocent device in the corner is actually a network-connected computer with hard drives, stored documents, and often the same default admin password it shipped with.
You'll discover the printer botnet that attacked an entire city, the university students who made campus printers output memes, and why your MFP (multi-function printer) knows more about your business than you'd be comfortable with.
If you think printers are just about paper jams and toner costs, this episode will open your eyes to why printer security belongs in your threat model. Subscribe so you don't miss it.
Share Your Story
Have you learned from a cybersecurity blunder, either your own or someone else's? We'd love to hear about it. Send your story to us (anonymously if you prefer), and we might feature it in a future episode.
Got a cybersecurity dilemma keeping you up at night? Send it our way. We'll tackle it in our down-to-earth style in upcoming episodes.
Connect With The Show
Subscribe: Available on Apple Podcasts, Spotify, and all major podcast platforms
Leave a Review: Your reviews help other small business owners find practical cybersecurity advice
Website: thesmallbusinesscybersecurityguy.co.uk
Email:
[email protected]
Legal Disclaimer
The views and opinions expressed in this podcast are those of the hosts and do not necessarily reflect the official policy or position of any organisations they work for, employers, advertisers, sponsors, or any other entities connected to the show.
This podcast is for general educational and informational purposes only. It should not be treated as professional advice tailored specifically to your business circumstances. Your situation is unique, and you should consult with qualified cybersecurity professionals before implementing significant changes to your systems.
Whilst we strive to keep all information accurate and current, the cybersecurity landscape evolves rapidly. Always verify critical technical details with qualified professionals before making major decisions.
We cannot accept liability for any losses or problems that may result from following the suggestions in this podcast. Please think of us as knowledgeable colleagues sharing insights, not contracted consultants providing formal advice. When in doubt, get a second opinion from someone who can assess your specific situation.
Copyright Ā© 2025 The Small Business Cyber Security Guy. All rights reserved.
Episode Tags
#Cybersecurity #SmallBusiness #ReverseBenchmarking #CyberThreats #DataBreach #UKBusiness #SMBSecurity #InformationSecurity #ThreatIntelligence #SecurityStrategy #BusinessProtection #CyberResilience #RiskManagement #SecurityPodcast #UKCyber #NCSC #ThirdPartyRisk #ComplianceVsSecurity #CyberEducation #BusinessContinuity
UK