
The Small Business Cyber Security Guy | Cybersecurity for SMB & Startups

Written by: The Small Business Cyber Security Guy

The UK's leading small business cybersecurity podcast, helping SMEs protect against cyber threats without breaking the bank.

Join cybersecurity veterans Noel Bradford (CIO at Boutique Security First MSP) and Mauven MacLeod (ex-UK Government Cyber Analyst) as they translate enterprise-level security expertise into practical, affordable solutions for UK small businesses.

🎯 WHAT YOU'LL LEARN:

  • Cyber Essentials certification guidance
  • Protecting against ransomware & phishing attacks
  • GDPR compliance for small businesses
  • Supply chain & third-party security risks
  • Cloud security & remote work protection
  • Budget-friendly cybersecurity tools & strategies

🏆 PERFECT FOR:

  • UK small business owners (5-50 employees)
  • Startup founders & entrepreneurs
  • SME managers responsible for IT security
  • Professional services firms
  • Anyone wanting practical cyber protection advice

Every episode delivers actionable cybersecurity advice that you can implement immediately, featuring real UK case studies

The Small Business Cyber Security Guy Productions
Episodes
  • The Firewall Fallacy: Fortinet, KEVs and the Cost of Complacency
    Jun 22 2026

    A firewall cannot save you from being badly run. For years, small businesses have been sold the idea that a perimeter box equals protection. When Fortinet disclosed exploited authentication bypass vulnerabilities, added to CISA's Known Exploited Vulnerabilities catalogue, the uncomfortable truth surfaced again: the firewall is not a wall. It is a computer at the edge of your network that runs software, has management access, and can be compromised. Defence in Depth means using multiple security layers so that when one fails, another slows the attacker, limits damage, or helps you spot the problem. The NCSC describes this as reducing single points of failure.

    Yet many small businesses still operate flat networks with exposed management, weak identity, old firmware, missing logs, and untested backups. This episode unpacks the Fortinet advisory, challenges the green dashboard culture, and delivers a practical checklist for the twenty-person firm. The panel argues about MSP accountability, board responsibility, and the difference between buying comfort and buying outcomes. No vendor worship. No reassurance fog. Just evidence, ownership, and the hard questions businesses should ask before the next advisory drops.

    40 mins
  • Erased from the Web: The Fight Over a Child's Moment
    Jun 15 2026
    Should Schools Remove Pupil Photos from Public Websites?

    A school removes all identifiable pupil photos from its website and social media. A parent complains their child's sporting achievement has been erased. The safeguarding lead sees reduced risk. The marketing lead sees lost warmth. The headteacher is caught in the middle. This What If Wednesday unpacks the tension between celebration and safeguarding in an era of facial recognition, AI manipulation, and permanent digital trails. The panel explores lawful basis, consent limits, metadata risks, and why public celebration no longer requires handing children's identities to the open internet. Practical guidance covers policy design, parent communication, safer storytelling, image audits, and leadership decisions. Schools can still celebrate pupils without treating them as searchable marketing assets.

    Chapters
    • Cold Open: The Complaint - A school strips identifiable pupil photos from its public channels. A parent says their child's sporting achievement has been erased. The tension between pride, safety, and marketing is introduced.
    • Welcome: What If Wednesday - The panel frames the scenario as a practical discussion for schools, parents, and trustees navigating image use in a changed online landscape.
    • The Trap Schools Walked Into - Why schools published pupil photos for good reasons, and why that old model now needs urgent review in light of scraping, AI tools, and permanent exposure.
    • Consent Is Not a Magic Cloak - Lawful basis, transparency, withdrawal rights, and why parental consent does not eliminate technical or safeguarding risk once images are public.
    • The New Risk Is Not Theoretical - Scraping, facial matching, AI manipulation, metadata, blackmail, and cumulative exposure. The threat landscape around public pupil images has fundamentally changed.
    • Midroll Bumper: The Decision Point - A short reset. The parent, marketing lead, and safeguarding lead are all justified. The answer is safer celebration, not silence or defensiveness.
    • What The School Should Say To The Parent - Empathetic communication that acknowledges pride, explains the decision, and offers safer alternatives without reversing the safeguarding boundary.
    • What Marketing Should Do Instead - How schools can still convey warmth, identity, and community without relying on identifiable pupil faces on open platforms. Storytelling, not just stock images.
    • What The Policy Needs On Monday Morning - Practical action list: audit existing images, classify risk levels, define review questions, update parent communication, fix workflows, train staff, and review annually.
    • The Leadership Decision - Leaders must decide what public celebration looks like now, give staff cover, avoid informal negotiation after every event, and frame the policy as protection and recognition.
    • Outro: The Answer - Hold the safeguarding line. Explain properly. Offer safer celebration. Do the boring work. A school can celebrate children without turning them into searchable marketing assets.
    27 mins
  • Birthday Audit: Brutal Lessons for Small Business Cybersecurity
    Jun 8 2026

    Noel Bradford and Mauven MacLeod mark the first anniversary of The Small Business Cyber Security Guy by doing what they ask of small businesses: an honest review. No self-congratulation, no marketing gloss. Instead, the hosts correct the mistakes that mattered, including overuse of misleading breach statistics, presenting multi-factor authentication as a finish line rather than a foundation, and underestimating the practical friction of supplier conversations.

    They revisit the year's core messages that held up under scrutiny: cyber security is a business problem, not just an IT task; backups are only meaningful if they have been tested; and certificates are not controls. Graham Falkner, Lucy Harper, and Corrine Jefferson each share what surprised them most during the year, touching on logging discipline, accountability gaps after breaches, and the increasing speed of identity-driven attacks.

    The episode closes with a clear-eyed look at what remains broken, including weak accountability structures, the persistent myth that small businesses are too small to target, and the widespread failure to test recovery processes. Listeners receive three practical actions for the week: test a file restore, strengthen MFA on privileged accounts, and disable old user logins. The hosts also introduce two new daily shows joining the SBCSG network in year two.

    The Daily Time Drop - https://open.spotify.com/show/033t7F4gTRfns0waaq7kHR?si=d859cf22a62f4f8f

    UK Government - https://www.gov.uk/government/statistics/cyber-security-breaches-survey-2024

    National Cyber Security Centre - https://www.ncsc.gov.uk/collection/phishing-resistant-authentication

    39 mins