The Small Business Cyber Security Guy | Cybersecurity for SMB & Startups

Available Episodes (5 of 45)

  • November Patch Tuesday Storm: Zero‑Days, Exchange Exploits & WSUS Emergency
    Graham Falkner delivers an authoritative deep dive into November 2025's Patch Tuesday updates, covering the most critical security vulnerabilities affecting businesses of all sizes. This month brings a perfect storm of actively exploited zero-days, critical Exchange Server flaws, and hundreds of patches across Microsoft, Adobe, Oracle, SAP, and third-party vendors. From Windows kernel exploits to e-commerce platform takeovers, November's vulnerability landscape demands immediate attention from IT teams.

    Key Topics Covered

    Microsoft Security Updates
    - 89 total vulnerabilities patched (12 critical, 4 zero-days)
    - CVE-2025-0445: Windows Kernel privilege escalation (actively exploited)
    - CVE-2025-0334: Chrome V8/Edge JavaScript engine RCE (actively exploited)
    - CVE-2025-0078: Exchange Server unauthenticated RCE (CRITICAL - affects Exchange 2016/2019/2022)
    - CVE-2025-1789: MSHTML remote code execution via Office documents
    - CVE-2025-59287: WSUS vulnerability (9.8 CVSS, actively exploited, required re-release)
    - 23 remote code execution vulnerabilities across Windows, Office, and developer tools

    Adobe Security Updates
    - 35+ vulnerabilities patched across multiple products
    - CVE-2025-54236: Adobe Commerce/Magento input validation flaw (9.1 CVSS, actively exploited, Priority 1)
    - CVE-2025-49553: Adobe Connect XSS vulnerability (9.3 CVSS)
    - Patches for Illustrator, FrameMaker, Photoshop, InDesign, Animate, Bridge, Substance 3D

    Oracle Critical Patch Update (October 2025)
    - 374 new security patches addressing ~260 unique CVEs
    - CVE-2025-61882: Oracle E-Business Suite zero-day (exploited by ransomware groups)
    - 73 patches for Oracle Communications (47 remotely exploitable without authentication)
    - 20 patches for Fusion Middleware (17 remote unauthenticated)
    - 18 fixes for MySQL
    - Updates for PeopleSoft, JD Edwards, Siebel, Oracle Commerce, Database Server

    SAP Security Updates
    - 18 new security notes plus 1 updated note
    - CVE-2025-42890: SQL Anywhere Monitor hardcoded credentials (10.0 CVSS - PERFECT SCORE)
    - CVE-2025-42887: SAP Solution Manager code injection (9.9 CVSS)
    - CVE-2025-42944: NetWeaver Java insecure deserialisation (updated patch)
    - CVE-2025-42940: CommonCryptoLib memory corruption

    Mozilla Firefox Updates
    - Firefox 145.0 released November 11th
    - 15 security vulnerabilities fixed (8 high impact)
    - New anti-fingerprinting measures halving trackable users
    - Memory safety and sandbox escape prevention

    Apple Security Updates
    - iOS/iPadOS 17.1 and macOS 14.1 released
    - 100+ vulnerabilities patched across iPhones, iPads, Macs
    - Critical kernel and WebKit bugs fixed
    - Zero-click exploit prevention

    Google Security Updates
    - Chrome 142 with 5 security bug fixes
    - Android November 2025 bulletin (patch level 2025-11-01)
    - CVE-2025-48593 and CVE-2025-48581 affecting Android 13-16

    Third-Party Critical Vulnerabilities
    - WordPress Post SMTP plugin: CVE-2025-11833 (9.8 CVSS, actively exploited, 200,000+ sites affected)
    - WatchGuard Firebox: CVE-2025-9242 (critical out-of-bounds write, 75,000 devices exposed)
    - Cisco IOS/XE routers: CVE-2025-20352 (SNMP service, actively exploited for rootkit deployment)

    Critical Action Items for Businesses

    IMMEDIATE (Deploy Within 24-48 Hours)
    - Microsoft Exchange Server - Apply CVE-2025-0078 patch or isolate internet-facing servers
    - Adobe Commerce/Magento - Deploy CVE-2025-54236 hotfix immediately if running Magento
    - Windows Kernel - Patch CVE-2025-0445 zero-day exploit
    - Edge/Chrome - Update browsers to address CVE-2025-0334
    - Oracle E-Business Suite - Verify CVE-2025-61882 patch deployed
    - WordPress Post SMTP - Update to v3.6.1 or remove plugin
    - Cisco routers - Apply CVE-2025-20352 patches and check for compromise

    HIGH PRIORITY (Deploy Within 1 Week)
    - SAP systems - Apply critical patches for CVE-2025-42890 and CVE-2025-42887
    - WSUS servers - Verify CVE-2025-59287 patch installed correctly
    - Adobe Connect - Update to version 12.10
    - Firefox, Chrome, Edge - Deploy browser updates organisation-wide
    - Android devices - Deploy November 2025 security bulletin
    - WatchGuard Firebox - Apply CVE-2025-9242 patch

    STANDARD PRIORITY (Deploy Within 2-4 Weeks)
    - All other Microsoft patches - Complete Windows and Office updates
    - Adobe Creative Suite - Update Illustrator, Photoshop, InDesign, etc.
    - Oracle - Complete October CPU deployment across all Oracle products
    - SAP - Apply remaining security notes across SAP landscape

    CVE Quick Reference

    CVE ID           Vendor      Severity          Status               Product
    CVE-2025-0445    Microsoft   Critical          Actively Exploited   Windows Kernel
    CVE-2025-0334    Microsoft   Critical          Actively Exploited   Edge/Chrome V8
    CVE-2025-0078    Microsoft   Critical          Not Exploited Yet    Exchange Server
    CVE-2025-1789    Microsoft   Critical          Not Exploited Yet    MSHTML
    CVE-2025-59287   Microsoft   Critical (9.8)    Actively Exploited   WSUS
    CVE-2025-54236   Adobe       Critical (9.1)    Actively Exploited   Magento/Commerce
    CVE-2025-49553   Adobe       Critical (9.3)    Not Exploited Yet    Adobe Connect
    CVE-2025-61882   Oracle      Critical          Actively Exploited   E-Business Suite
    CVE-2025-42890   SAP         Critical (10.0)   Not Exploited Yet    SQL Anywhere Monitor
    CVE-2025-42887   SAP         Critical (9.9)    Not Exploited Yet    Solution Manager
    CVE-2025-11833   WordPress   Critical (9.8)    Actively Exploited   Post SMTP Plugin
    CVE-2025-20352   Cisco       High              Actively Exploited   IOS/XE SNMP
    CVE-2025-9242    WatchGuard  Critical          Not Exploited Yet    Firebox Firewalls

    Resources & Links

    Vendor Security Bulletins
    - Microsoft Security Update Guide: https://msrc.microsoft.com/update-guide
    - Adobe Security Bulletins: https://helpx.adobe.com/security.html
    - Oracle Critical Patch Updates: https://www.oracle.com/security-alerts/
    - SAP Security Notes: https://support.sap.com/securitynotes
    - Mozilla Security Advisories: https://www.mozilla.org/security/advisories/
    - CISA Known Exploited Vulnerabilities: https://www.cisa.gov/known-exploited-vulnerabilities-catalog

    Patch Tuesday Resources
    - Microsoft Tech Community: https://techcommunity.microsoft.com/
    - Patch Tuesday Dashboard: https://patchtuesdaydashboard.com/
    - Security Week Patch Tuesday Coverage: https://www.securityweek.com/

    Small Business Cybersecurity Resources
    - Blog: https://thesmallbusinesscybersecurityguy.co.uk
    - NCSC Small Business Guide: https://www.ncsc.gov.uk/smallbusiness
    - Cyber Essentials: https://www.ncsc.gov.uk/cyberessentials

    Key Statistics
    - 89 Microsoft vulnerabilities patched
    - 4 actively exploited zero-days (Microsoft)
    - 23 remote code execution flaws (Microsoft)
    - 35+ Adobe vulnerabilities fixed
    - 374 Oracle security patches
    - 18 SAP security notes
    - 200,000+ WordPress sites affected by Post SMTP bug
    - 75,000 WatchGuard devices exposed online

    Narrator
    Graham Falkner brings his distinctive voice to The Small Business Cyber Security Guy Podcast's research segments. With a background as a former movie trailer narrator and Shakespearean actor, Graham delivers technical security information with gravitas and authority, providing the factual foundation for Noel and Mauven's practical discussions.

    About The Small Business Cyber Security Guy Podcast
    The Small Business Cyber Security Guy Podcast translates enterprise-grade cybersecurity into practical, affordable solutions for small and medium businesses. Hosted by Noel Bradford (40+ years IT/cybersecurity veteran) and Mauven MacLeod (ex-NCSC government analyst), the show combines deep technical expertise with authentic British humour to make cybersecurity accessible, actionable, and entertaining.
    Target Audience: UK small businesses (5-50 employees) who need practical cybersecurity advice within real-world budget and resource constraints.

    Connect With Us
    - Website: https://thesmallbusinesscybersecurityguy.co.uk
    - Subscribe: Available on Apple Podcasts, Spotify, and all major podcast platforms
    - Social Media: Follow us on LinkedIn for daily cybersecurity insights
    - Contact: [email protected]

    Help us spread the word about practical cybersecurity for small businesses:
    ⭐ Subscribe to never miss an episode
    ⭐ Leave a review on Apple Podcasts or Spotify
    ⭐ Share this episode with other business owners who need to hear this
    ⭐ Comment below with topics you'd like us to cover next
    ⭐ Visit the blog at thesmallbusinesscybersecurityguy.co.uk for written guides and resources

    Disclaimer
    This podcast provides educational information about cybersecurity topics. While we strive for accuracy, the threat landscape changes rapidly. Information is current as of November 2025 but may become outdated. Always verify patch information with official vendor sources and test updates in your specific environment before deployment. The hosts are not liable for any actions taken based on this information. Always implement cybersecurity measures appropriate to your business needs and risk profile.

    Next Episode
    Stay tuned for our next episode where Noel and Mauven discuss practical patch management strategies for small businesses, including how to prioritise updates when you can't deploy everything immediately.

    Episode Length: 10-11 minutes
    Difficulty Level: Intermediate to Advanced
    Best For: IT managers, business owners, MSP clients, anyone responsible for patching

    The Small Business Cyber Security Guy Podcast - Making Enterprise Cybersecurity Practical for Small Businesses
    --------
    17:38
  • Big Brother Is Watching Your VPN — The Online Safety Act Unpacked
    The Spy Who Monitored Me - Ofcom's VPN Surveillance Farce

    Episode Information
    - Episode Title: The Spy Who Monitored Me: Ofcom's VPN Surveillance Farce
    - Episode Number: Hot Take
    - Release Date: 11 November 2025
    - Duration: Approximately 18 minutes
    - Hosts: Mauven MacLeod & Graham Falkner
    - Format: Research segment with heavy sarcasm

    Episode Description
    Ofcom's monitoring VPNs with a secret AI tool they refuse to name. Because nothing says "liberal democracy" quite like government surveillance of privacy tools.

    In this punchy episode, Mauven and Graham dissect TechRadar's exclusive revelation that Ofcom is using an unnamed third-party AI monitoring system to track VPN usage following the Online Safety Act. With 1.5 million daily users allegedly bypassing age verification, the UK's communications regulator has decided the solution is... monitoring everyone. Spoiler alert: the technology can't distinguish between your accounting manager accessing company systems and someone bypassing age checks. But why let technical limitations get in the way of a good surveillance programme?

    We examine the mysterious, unnamed AI tool, the questionable 1.5 million user statistic that appears nowhere in official documents, Section 121's encryption-breaking powers that remain dormant in the Act, and what this means for small businesses using VPNs for legitimate security purposes. If you've ever wondered what it's like when a supposedly liberal democracy starts copying China's approach to internet regulation, this episode is your depressing guide.

    Key Topics Covered

    The Surveillance Revelation
    - Ofcom confirms use of unnamed third-party AI monitoring tool
    - TechRadar exclusive: "We use a leading third-party provider" with zero transparency
    - Government surveillance of privacy tools sets a dangerous precedent
    - Comparison to authoritarian regimes (China, Russia, UAE, Iran)

    The Numbers That Don't Add Up
    - 1.5 million daily VPN users claim appears nowhere in official Ofcom documents
    - No published methodology or verification
    - VPN detection cannot determine the intent or legitimacy of use
    - Analytics show VPN use is lower in countries with greater online freedom

    What Actually Happened on July 25th
    - The UK Online Safety Act child safety duties became fully enforceable
    - Mandatory "highly effective age assurance" replaced simple checkbox verification
    - Proton VPN: 1,400% surge in UK signups within hours
    - NordVPN: 1,000% increase in downloads
    - ProtonVPN beat ChatGPT to become the #1 free app on Apple UK App Store

    The Small Business Nightmare
    - Business VPNs are essential security hygiene for remote work
    - Ofcom's monitoring cannot distinguish legitimate business use from circumvention
    - Undisclosed data collection creates unknowable privacy risks
    - GDPR compliance implications when the government monitors your security tools

    Section 121: The Spy Clause
    - Powers to require client-side scanning of encrypted communications
    - Government promises not to use "until technically feasible"
    - Cryptography experts: impossible without destroying encryption
    - Apple shelved similar plans in 2021
    - Signal and WhatsApp threatened to leave the UK market

    The Authoritarian Playbook in Action
    - Scope creep within days: blocking parliamentary speeches, news coverage, forums
    - A cycling forum shut down due to compliance costs
    - Small platforms are closing rather than face a compliance nightmare
    - Chilling effect on legitimate content and discussion

    International Surveillance Creep
    - 25 US states passed similar age verification laws
    - EU debating Chat Control (mandatory encrypted message scanning)
    - Australia is implementing age verification for search engines
    - Legislative arms race using "protecting children" as a universal justification

    What Small Business Owners Must Do
    - Document all VPN usage for legitimate business purposes
    - Maintain VPN security protocols despite surveillance theatre
    - Get legal advice if operating any platform with user-generated content
    - Fines up to £18 million or 10% of global revenue
    - Criminal liability for senior managers

    The GDPR Compliance Paradox
    - How do you assess data protection risks from secret surveillance tools?
    - Opacity makes compliance verification impossible
    - Government monitoring creates unassessable risks to customer data

    Resources & Links Mentioned

    Primary Source
    - TechRadar Exclusive: Ofcom is monitoring VPNs following Online Safety Act

    Key Organizations Quoted
    - Open Rights Group - James Baker's comments on surveillance precedent
    - Check Point Software - Graeme Stewart's comparison to China, Russia, and Iran

    Government Resources
    - Online Safety Act 2023 - UK Government legislation
    - Ofcom Online Safety Guidance - Hundreds of pages of vague compliance requirements
    - Section 121 - Client-side scanning provisions ("spy clause")

    VPN Statistics Sources
    - Proton VPN: 1,400% surge report
    - NordVPN: 1,000% increase report
    - Apple UK App Store rankings: July 25-27, 2025

    Related Coverage
    - Petition to Repeal Online Safety Act: 550,000+ signatures
    - Peter Kyle (UK Technology Secretary) statement on critics
    - Parliamentary debate triggered by petition threshold

    Additional Reading
    - GDPR compliance implications of government surveillance
    - Cryptography expert analysis of client-side scanning
    - Apple's 2021 decision to shelve client-side scanning plans
    - Signal and WhatsApp statements on Section 121

    Key Quotes from Episode
    Mauven: "Nothing says 'liberal democracy' quite like government agencies tracking privacy tools. What's next, monitoring who buys curtains?"
    Graham: "Train its models. That's AI speak for 'we're hoovering up data and hoping the algorithm figures it out.' As a former actor, I can recognise corporate theatre when I see it."
    Mauven: "The 1.5 million number appears exclusively in media reports citing 'Ofcom estimates.' It's like citing your mate Dave as a source on quantum physics."
    Graham: "So Ofcom creates a law that makes people deeply uncomfortable about their privacy, people respond by protecting their privacy, and Ofcom's solution is to monitor those privacy tools? It's like putting cameras in the changing rooms to make sure people aren't being indecent."
    Mauven: "James Baker from the Open Rights Group nailed it when he told TechRadar that VPN monitoring sets 'a concerning precedent more often associated with repressive governments than liberal democracies.'"
    Graham: "Peter Kyle, the UK Technology Secretary, literally said critics of the Online Safety Act are 'on the side of predators.' That's not policy debate. That's emotional blackmail designed to shut down legitimate concerns about civil liberties."
    Mauven: "George Orwell is looking at this thinking 'bit on the nose, isn't it?'"

    Action Items for Small Business Owners

    Immediate Actions

    Document VPN Usage
    - List which employees use VPNs
    - Document business purposes for encrypted connections
    - Maintain evidence of legitimate use for potential regulatory action

    Maintain Security Protocols
    - Continue using VPNs for remote work security
    - Don't let surveillance theatre compromise actual cybersecurity
    - Protect against real threats (ransomware, phishing, etc.)

    Assess Platform Compliance
    - If you operate any online platform, forum, or user-generated content site, get legal advice immediately
    - Understand massive fines (£18m or 10% global revenue) and criminal liability

    Ongoing Monitoring

    Stay Informed
    - Section 121 could be activated at any time
    - EU Chat Control could affect European operations
    - US state laws are proliferating rapidly
    - Monitor regulatory developments actively

    Engage Politically
    - Contact your MP about the surveillance of privacy tools
    - Reference the 550,000+ signature petition
    - Make it clear that this is unacceptable in a democracy
    - Push back before surveillance becomes normalised

    GDPR Compliance Review
    - Assess how government VPN monitoring affects data protection obligations
    - Document that opacity makes risk assessment impossible
    - Consult legal counsel on compliance implications

    Visual Elements (for YouTube/Video)
    - Screenshot: TechRadar exclusive article headline
    - On-screen text: "1.5 million daily VPN users" with question mark
    - Comparison graphic: VPN use in free vs. authoritarian countries
    - Timeline graphic: July 25th enforcement → VPN surge → Ofcom monitoring
    - Text overlay: Section 121 "spy clause" powers
    - Map graphic: International surveillance legislation spread (UK, US, EU, Australia)
    - Infographic: Small business action checklist

    Key Themes
    - Government surveillance of privacy tools in supposed liberal democracy
    - Technical limitations make monitoring ineffective at stated purpose
    - Scope creep from child protection to political content blocking within days
    - Small business caught in surveillance net designed for age verification
    - International trend toward authoritarian internet regulation models
    - GDPR compliance paradox when government creates unknowable privacy risks
    - Practical cybersecurity must continue despite surveillance theatre
    - Political engagement essential before normalization occurs

    Tone & Style Notes
    - Heavy sarcasm throughout - serious WTF tone without profanity
    - Incredulous questioning of government logic and transparency
    - Dark humour about dystopian surveillance implications
    - Technical precision in explaining what monitoring can/cannot do
    - Practical focus on small business implications
    - Political urgency without becoming preachy
    - Professional skepticism balanced with actionable guidance

    CTAs (Calls to Action)

    Primary CTAs
    - Subscribe wherever you get your podcasts
    - Share with other small business owners who need this information
    - Leave a review if you found this episode useful (or terrifying)
    - Visit the blog at thesmallbusinesscybersecurityguy.co.uk for full breakdown with sources

    Secondary CTAs
    - Drop a comment with questions about VPN security or regulatory compliance
    - Contact your MP about surveillance of privacy tools
    - Sign the petition to repeal the Online Safety Act (if not already done)
    - Document your VPN usage for legitimate business purposes starting today

    Social Media Hashtags
    #OnlineSafetyAct #VPNSurveillance #CyberSecurity #SmallBusinessSecurity #DigitalPrivacy #GDPR #UKTech #Section121

    Next Episode Setup
    [To be determined based on episode schedule]
    Potential follow-ups:
    - Deep dive on Section 121 and encryption threats
    - GDPR compliance strategies in surveillance environment
    - International comparison: UK vs. other countries' approaches
    - Interview with digital rights expert on fighting surveillance creep
    - Practical VPN selection and configuration for small businesses

    Production Notes

    Technical Specifications
    - Duration: Approximately 10 minutes
    - Word Count: 1,847 words
    - Format: Two-host conversation (Mauven & Graham)
    - Tone: Punchy, sarcastic, serious WTF energy
    - Language: UK spelling and grammar throughout
    - Profanity: None (despite heavy sarcasm)

    Research Verification
    - All statistics verified against multiple sources
    - TechRadar article quotes confirmed accurate
    - Government legislation references checked
    - VPN provider surge numbers from official company statements
    - Expert quotes verified from named sources
    - No unverified claims included

    Character Dynamics
    - Mauven MacLeod: Ex-NCSC analyst, brings government cybersecurity expertise
    - Graham Falkner: Former actor/narrator, handles research segments
    - Natural professional banter with pub conversation energy
    - Shared incredulity at government surveillance overreach
    - Complementary expertise: technical precision + narrative delivery

    Content Strategy
    - Small business cybersecurity focus maintained throughout
    - Practical implications prioritized over abstract privacy philosophy
    - Action items clear and immediately implementable
    - Balances outrage with constructive guidance
    - Positions podcast as authoritative voice on UK cybersecurity policy

    SEO Keywords
    Ofcom VPN monitoring, Online Safety Act surveillance, UK VPN usage 2025, Business VPN security, Section 121 encryption, Small business cybersecurity UK, GDPR VPN compliance, Government VPN tracking, Age verification VPN, UK internet surveillance

    Related Episodes
    [To be linked as series develops]
    Potential related content:
    - Online Safety Act initial coverage (if previously covered)
    - GDPR compliance series
    - VPN security best practices
    - Encryption fundamentals
    - Remote work security

    Episode Tags
    - Topics: VPN Surveillance, Online Safety Act, Ofcom, Government Monitoring, Privacy, Encryption, Section 121, Age Verification, GDPR, Small Business Security
    - Category: Technology, Cybersecurity, Privacy, Government Policy, Business
    - Difficulty Level: Intermediate (technical concepts explained accessibly)
    - Target Audience: Small business owners (5-50 employees), IT managers, privacy advocates, UK businesses
    - Geographic Focus: United Kingdom (with international context)

    Credits
    - Hosts: Mauven MacLeod, Graham Falkner
    - Research: Advanced web research on Ofcom VPN monitoring
    - Script: Based on TechRadar exclusive and verified sources
    - Production: Graham Falkner
    - Music: The Small Business Cyber Security Guy

    Disclaimer
    This podcast episode provides commentary and analysis on publicly reported information about UK government surveillance policies. Nothing in this episode constitutes legal advice. Small business owners should consult qualified legal counsel regarding compliance with the Online Safety Act and related regulations. The opinions expressed are those of the hosts and do not represent legal or professional advice. All statistics and quotes have been verified against multiple sources and represent information available as of the episode recording date. The regulatory landscape continues to evolve rapidly.

    Blog Post Companion
    Full written breakdown available at: thesmallbusinesscybersecurityguy.co.uk
    Blog post should include:
    - Complete source list with hyperlinks
    - Detailed analysis of Section 121 implications
    - Step-by-step VPN documentation guide for businesses
    - GDPR compliance checklist
    - Template for MP correspondence
    - Updated information on the petition and parliamentary response
    - International comparison chart
    - Technical explainer: How VPN detection works (and doesn't work)
    - Additional expert commentary
    - Community discussion forum

    Last Updated: [Date]
    Version: 1.0
    Status: Ready for production
    --------
    18:41
  • From SMS to FIDO2: A Small Business Guide to Phishing‑Resistant Authentication
    In this episode of the Small Business Cybersecurity Guide, hosts Noel Bradford and Mauven MacLeod are joined by Mark Bell from Authentrend (episode sponsor) to explain why the mobile phone, long promoted as a convenient authentication tool, can be one of the weakest links in your business security. Using real-world examples, including a recent breach of a 15-person firm that relied on SMS one-time passwords, the trio outlines how simple attacks, such as SIM swapping and code interception, make SMS and many authenticator app workflows vulnerable to targeted attackers. The hosts define multi-factor authentication in plain terms and introduce FIDO2/passkeys and hardware security keys as effective, phishing-resistant alternatives. Mark describes how hardware keys utilise public-key cryptography and local biometric verification (fingerprint on the key), ensuring that private credentials never leave the device, thereby preventing attackers from reusing intercepted codes or tricking users into authenticating to fake sites.

    Practical implementation advice is covered in detail: start with a risk assessment, deploy keys in phases (prioritise privileged accounts and executives), run a pilot with high-risk users, and require at least two keys per user for redundancy. They discuss costs (roughly £45 per key, with a 10-year lifespan), the productivity and help-desk savings from passwordless authentication, the effects on cyber insurance and compliance (including Cyber Essentials updates and the gap between compliance and proper protection), and strategies for legacy systems and remote workers. The episode also highlights human factors, including making authentication easy to use (biometric keys), providing clear training and internal champions, and anticipating user resistance, which can be managed through leadership buy-in and phased rollouts.

    Listeners are urged to assess their critical accounts, prioritise hardware keys for high-risk users, and run a small pilot rather than waiting for discounts — because, as the guests stress, hardware keys can stop roughly 80% of credential-based breaches in practice.

    Guests and links: Noel Bradford and Mauven MacLeod (hosts), with guest Mark Bell from Authentrend. The show notes include links to Authentrend products, NCSC guidance on passkeys and FIDO2, and step-by-step implementation resources for small businesses.
    --------
    32:36
  • Ignored Audits, Ancient Servers, and a Cherry Picker — Inside the Louvre Jewel Robbery
    On October 19th, 2025, four men dressed as construction workers stole €102 million in French crown jewels from the Louvre Museum in just seven minutes. The heist was poorly executed—thieves dropped items and failed to target the most valuable pieces—yet they succeeded spectacularly. Why? Because the world's most visited museum had been ignoring basic cybersecurity warnings for over a decade.

    In this hot take, Noel Bradford examines the shocking details that emerged after the heist: the password to the Louvre's video surveillance system was "LOUVRE." Security software was protected by "THALES" (the vendor's name). Windows 2000 and Server 2003 systems were still in operation years after support ended. And a 2015 security audit with 40 pages of recommendations won't be fully implemented until 2032.

    This episode examines the consequences of institutions ignoring expert warnings, the importance of accountability, and what UK small businesses can learn from a €102 million failure. Spoiler: if your security is better than the Louvre's, you're doing something right.

    Key Message: Security failures often begin long before the day of the breach. They start years earlier when warnings go unaddressed.

    Key Takeaways
    - The Louvre's password was "LOUVRE." If one of the world's most prestigious institutions used the building's name as its surveillance system password, your organisation probably has similar problems.
    - Ten years of warnings, zero action - ANSSI identified critical vulnerabilities in 2014. Security upgrades recommended in 2015 won't be completed until 2032. Ignoring expert advice is organisational negligence.
    - Resources aren't the problem - The Louvre had budget, expertise, and free government audits. They chose to prioritise palace restoration (€60M) over security infrastructure. It's about priorities, not resources.
    - Hardware authentication solves password problems - FIDO2 security keys can't be guessed, phished, or compromised through weak passwords. At £30-50 per key, they're cheaper than one day of operational disruption.
    - The accountability gap enables negligence - Government institutions face no consequences for catastrophic security failures, while UK SMBs receive ICO fines and potential closure for less. This double standard undermines security culture.
    - Your security might be better than that of the Louvre. If you've enabled MFA, run supported operating systems, and have basic password policies, you're already ahead of a museum protecting the Mona Lisa. That's encouraging and concerning.
    - Security failures often begin years before a breach - The October 2025 heist was made possible by decisions (or non-decisions) that stretched back to 2014. Prevention requires consistent action, not crisis response.

    Case Studies Referenced

    The Louvre Heist (October 2025)
    - Incident: €102 million in French crown jewels stolen in 7 minutes
    - Root causes: Password "LOUVRE" for surveillance, outdated systems (Windows 2000/Server 2003), unmonitored access points
    - Audit history: 2014 ANSSI audit identified vulnerabilities, 2015 audit provided 40-page recommendations
    - Accountability: Director retained position, no terminations, Culture Minister initially denied security failure
    - Timeline: Security upgrades recommended in 2015 won't complete until 2032

    KNP Logistics (Referenced)
    - Industry: East Yorkshire haulage firm
    - Incident: Ransomware attack, £850,000 ransom demand
    - Outcome: Couldn't pay, business entered administration, 70 jobs lost
    - Contrast: Small business faces closure; national institution faces no consequences

    Electoral Commission (Referenced)
    - Incident: Data breach affecting 40 million UK voters
    - Outcome: No job losses, no significant consequences
    - Relevance: Government accountability gap vs private sector enforcement

    About The Host
    Noel Bradford brings over 40 years of IT and cybersecurity experience across enterprise and SMB sectors, including roles at Intel, Disney, and BBC. Currently serving as CIO and Head of Technology for a boutique security-first MSP, Noel specialises in translating enterprise-grade cybersecurity expertise into practical, affordable solutions for UK small businesses with 5-50 employees. His philosophy centres on "perfect security is the enemy of any security at all," focusing on real-world constraints and actionable advice over theoretical discussions. Noel's direct, no-nonsense approach has helped "The Small Business Cyber Security Guy Podcast" achieve Top 90 Business Podcast status in the USA and Top 170 in the UK, with a unique cross-Atlantic audience (47% American, 39% British).

    Legal & Disclaimer
    The information provided in this podcast is for educational and informational purposes only and should not be construed as professional cybersecurity, legal, or financial advice. Listeners should consult qualified professionals for guidance specific to their circumstances. Product and service mentions, including sponsors, are provided for informational purposes. The host and podcast do not guarantee results from implementing suggested strategies or using mentioned products. All case studies and incidents discussed are based on publicly available information and reporting. Facts are verified against multiple authoritative sources before publication.
    © 2025 The Small Business Cyber Security Guy Podcast. All rights reserved.

    Credits
    - Host: Noel Bradford
    - Production: The Small Business Cyber Security Guy Productions
    - Editing: Noel Bradford
    - Research: Graham Falkner
    - Show Notes: Graham Falkner
    - Special Thanks: ANSSI (for their audit work that we wish the Louvre had acted upon), Libération journalist Brice Le Borgne (for his investigative reporting), and UK small businesses everywhere who take security more seriously than world-famous museums apparently do.

    Episode Tags
    #Cybersecurity #SmallBusiness #UKBusiness #PasswordSecurity #Louvre #DataBreach #HardwareAuthentication #FIDO2 #CyberAccountability #InformationSecurity #RiskManagement #SMBSecurity #CyberNews #HotTake #BusinessPodcast

    Next Episode: Coming Soon - Criminal Accountability for Cybersecurity Negligence (Two-Part Series)
    Average Episode Downloads: 3,000+ per day at peak
    Listener Demographics: 47% USA, 39% UK, 14% Other
    Target Audience: UK SMBs with 5-50 employees
    11:36
  • No More Excuses: Cyber Essentials Forces MFA on Every Cloud Service (Apr 2026)
    In this episode Graham and Mauven break down a major overhaul to Cyber Essentials coming into force from April 2026. The hosts explain the headline change — mandatory multi-factor authentication (MFA) for every cloud service with no loopholes — and how the scheme has tightened scoping so any internet-connected service or system that processes company data is now in scope. Topics covered include the new emphasis on passwordless authentication (passkeys, FIDO2 hardware keys, and biometrics), why the NCSC is pushing these technologies, and the practical security benefits and limits of passwordless solutions. They also discuss the real-world impact on small businesses: thousands currently relying on weak passwords or shadow IT will face failed assessments, unsupported software will trigger instant fails, and many firms will need to budget for MFA where it’s not free. Graham and Mauven share concrete, actionable advice for listeners: inventory every cloud service (including forgotten Dropbox or personal Gmail accounts used for work), involve the whole team, enable MFA everywhere possible (and budget for paid options), collect and document evidence (screenshots, logs), map networks and implement segmentation where needed, and plan early to avoid rush and audit pain. Key takeaways: the bar is being raised to reduce simple attacks, passwordless is being validated as a practical option, expect a drop in pass rates at renewal time, and businesses should start preparing now or face chaotic assessment outcomes. Hosts: Graham Falkner and Mauven MacLeod.
    7:45


About The Small Business Cyber Security Guy | Cybersecurity for SMB & Startups

The UK's leading small business cybersecurity podcast, helping SMEs protect against cyber threats without breaking the bank. Join cybersecurity veterans Noel Bradford (CIO at Boutique Security First MSP) and Mauven MacLeod (ex-UK Government Cyber Analyst) as they translate enterprise-level security expertise into practical, affordable solutions for UK small businesses.

WHAT YOU'LL LEARN:
  • Cyber Essentials certification guidance
  • Protecting against ransomware & phishing attacks
  • GDPR compliance for small businesses
  • Supply chain & third-party security risks
  • Cloud security & remote work protection
  • Budget-friendly cybersecurity tools & strategies

PERFECT FOR:
  • UK small business owners (5-50 employees)
  • Startup founders & entrepreneurs
  • SME managers responsible for IT security
  • Professional services firms
  • Anyone wanting practical cyber protection advice

Every episode delivers actionable cybersecurity advice that you can implement immediately, featuring real UK case studies
Generated: 11/14/2025 - 6:22:09 AM