PRIME MEMBER EXCLUSIVE | 3 Months Free Trial

Auto-renews at INR 199/mo after 3 months. Cancel anytime. Offer ends 15 July, 2026.
Hot Takes from the Small Business Cyber Security Guy cover art

Hot Takes from the Small Business Cyber Security Guy

Hot Takes from the Small Business Cyber Security Guy

Written by: The Small Business Cyber Security Guy
Listen for free

Hot Takes

Hot Takes is the sharp, fast moving opinion show from The Small Business Cyber Security Guy team.

This is where we cut through the noise, the vendor nonsense, the breathless headlines, and the cyber doom theatre that small businesses get served far too often. Each episode takes one current cyber security story, claim, breach, statistic, policy change, or industry talking point and asks the question that actually matters:

What does this mean for a real small business?

Expect blunt analysis, practical advice, and a healthy suspicion of anyone trying to sell fear in a shiny PDF.

We cover topics including cyber attacks, data breaches, ransomware, supply chain risk, Microsoft 365 security, compliance, Cyber Essentials, bad MSP behaviour, weak governance, and the many creative ways organisations manage to trip over their own shoelaces.

No hoodies.
No Matrix code.
No corporate fog machine.

Just straight talk, useful context, and clear takeaways for business owners, directors, IT teams, and anyone else trying to keep the lights on without becoming a full time cyber security analyst.

Bold opinions. Practical advice. Made for small businesses.

Economics Management Management & Leadership
Episodes
  • Why Small Businesses Keep Failing ICO Audits (And How to Fix It This Week)
    Jul 3 2026
    Why Small Businesses Keep Failing ICO Audits (And How to Fix It This Week)

    The Information Commissioner’s Office isn’t hunting your business, but that doesn’t stop small organisations from making the same three avoidable mistakes. Host Noel Bradford examines twelve recent ICO enforcement notices to identify the most common failures: no documented breach response process, insufficient staff training on what constitutes personal data, and no record of processing activities. These aren’t exotic compliance gaps requiring expensive consultants or new platforms. They’re basic governance failures that can be fixed with a one-page process document, practical staff training, and a simple spreadsheet. The real exposure isn’t regulatory enforcement, it’s the internal fog that leaves staff unable to recognise or report incidents, managers unclear on ownership, and directors unable to explain what data the business holds. This episode cuts through vendor fear-mongering and compliance theatre to deliver three practical actions any small business can implement immediately, with no budget required.

    Chapters
    • Cold Open The ICO is not actively hunting small businesses, which makes the persistent compliance failures all the more frustrating.
    • Intro Analysis of twelve recent ICO enforcement notices reveals three recurring, avoidable failures that don’t require consultants or expensive tools to fix.
    • Failure One: No Documented Breach Response Process Organisations freeze when incidents occur because nobody knows who to call, what to document, or when the clock starts. The real damage begins with the paralysis, not the breach itself.
    • Failure Two: No Staff Training on Personal Data Employees cannot recognise breaches if they don’t understand that personal data includes names, addresses, payroll information, and customer records, not just obviously sensitive material.
    • Failure Three: No Record of Processing Activities Businesses cannot answer basic questions about what personal data they hold, why they hold it, where it lives, or how long they keep it. This isn’t bureaucracy, it’s stock control for trust.
    • The Vendor Problem None of these three failures required vendor solutions to prevent. Fear-based marketing keeps small businesses terrified rather than informed, selling tools instead of addressing governance gaps.
    • The Real Exposure The true risk isn’t ICO enforcement but internal fog: staff who don’t know what to report, managers unclear on ownership, and directors unable to explain data holdings when complaints arrive.
    • What to Do This Week Three practical actions requiring no budget: write a one-page breach response process, train staff with real examples from your business, and build a basic record of processing activities.
    • The Team Meeting Test Ask your team three questions: who would you tell if you sent personal data to the wrong person, what would you document, and where is our list of personal data holdings. Silence reveals your incident.
    • Close Read three public ICO notices before your next management meeting to understand what small organisations keep getting wrong and why the fixes are boring, free, and available immediately.
    Links
    • https://ico.org.uk/for-organisations/report-a-breach/
    • https://ico.org.uk/for-organisations/accountability-framework/records-of-processing/
    • https://ico.org.uk/action-weve-taken/enforcement/
    Links
    • https://www.expressvpn.com/blog/
    • https://techcrunch.com/
    • https://cybernews.com/
    • https://www.scmagazine.com/
    • https://www.bitdefender.com/
    • https://www.securitymagazine.com/
    • https://www.wired.com/
    • https://vpnmentor.com/
    Show More Show Less
    10 mins
  • When Your Security Stack Becomes the Attack Surface
    Jul 2 2026
    When Your Security Stack Becomes the Attack Surface

    Microsoft’s security tools are supposed to protect small businesses, but recent vulnerabilities have turned that premise on its head. GreatXML exploits weaknesses in BitLocker and the Windows Recovery Environment, allowing attackers with physical access to bypass disk encryption protections. RoguePlanet, meanwhile, leverages a race condition in Microsoft Defender’s malware protection engine to escalate privileges to SYSTEM level. Both issues highlight an uncomfortable reality: the integrated security stack that SMBs have been told to trust can itself become part of the threat model. This episode examines what went wrong, where responsibility lies, and why small businesses must stop treating vendor tooling as articles of faith. BitLocker and Defender remain valuable components of enterprise defence, but they require proper configuration, monitoring, and a realistic understanding of their limitations. Physical access attacks matter when laptops travel with staff. Local privilege escalation matters when attackers already have a foothold. And vendor responses matter when defenders are left scrambling to assess risk while corporate statements remain vague. The episode dissects both vulnerabilities, critiques Microsoft’s handling of the disclosure process, questions the researcher’s approach to public release, and ultimately argues that SMBs must move from buying comfort to buying outcomes. Security tools reduce risk; they do not eliminate the need for judgement, hardening, or accountability.

    Chapters
    • Cold Open Microsoft security tools became part of the attack surface.
    • Intro Setting up the issue: when the safety rails become the attack path, and why small businesses should care.
    • What GreatXML Is Explaining the BitLocker and Windows Recovery Environment vulnerability that exploits unattend.xml and recovery state.
    • What RoguePlanet Is Breaking down the Microsoft Defender race condition that enables local privilege escalation to SYSTEM level.
    • Who Am I Angry At? Assigning responsibility between Microsoft’s process failures and the researcher’s public disclosure approach.
    • The Real Business Lesson Why SMBs must stop buying comfort and start demanding outcomes, configuration discipline, and monitoring.
    • The Closing Punch Final verdict on trust, transparency, and the need for engineering responses over brand management.
    Links
    • https://nvd.nist.gov/vuln/detail/CVE-2026-50656
    • https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-50656
    Links
    • https://www.expressvpn.com/blog/
    • https://techcrunch.com/
    • https://cybernews.com/
    • https://www.scmagazine.com/
    • https://www.bitdefender.com/
    • https://www.securitymagazine.com/
    • https://www.wired.com/
    • https://vpnmentor.com/
    Show More Show Less
    9 mins
  • Your Business Is an Open Book
    Jun 6 2026
    Your Business Is an Open Book

    Most small businesses have been building a public intelligence profile for years without realising it. Every LinkedIn update, team photo, and website contact page adds detail to a picture that anyone can view, including those with malicious intent. This episode examines open source intelligence (OSINT) and how publicly available information becomes the foundation for targeted attacks like spear phishing and invoice fraud. Noel Bradford walks through the reconnaissance process, from Companies House filings to social media posts, demonstrating how an attacker can map your business, identify key staff, and craft convincing impersonation emails in under twenty minutes. The episode provides practical steps for auditing your own digital footprint, including what to check on search engines, how to review your Companies House entry, and why listing every software tool on LinkedIn might not be wise. This is not about disappearing from the internet; it is about making conscious choices about what you publish and understanding who else is reading it.

    Chapters
    • Welcome Introduction to the concept of OSINT and how small businesses inadvertently publish reconnaissance material about themselves through normal business activities.
    • Body A detailed walkthrough of public information sources including Companies House, LinkedIn, business websites, and social media. Explains how attackers use this data to construct targeted spear phishing campaigns, with practical examples of reconnaissance leading to invoice fraud and credential theft. Concludes with five actionable steps for auditing and managing your business’s public profile.
    • Outro Final reminder that OSINT is simply reading publicly available information with intent, and that small businesses can reduce risk by auditing their own footprint and making conscious publishing decisions.
    Links
    • https://www.gov.uk/government/organisations/companies-house
    • https://www.linkedin.com
    • https://www.ncsc.gov.uk/guidance/phishing
    Links
    • https://www.expressvpn.com/blog/
    • https://techcrunch.com/
    • https://cybernews.com/
    • https://www.scmagazine.com/
    • https://www.bitdefender.com/
    • https://www.securitymagazine.com/
    • https://www.wired.com/
    • https://vpnmentor.com/
    Show More Show Less
    11 mins
adbl_web_anon_alc_button_suppression_t1
No reviews yet