A firewall cannot save you from being badly run. For years, small businesses have been sold the idea that a perimeter box equals protection. When Fortinet disclosed exploited authentication bypass vulnerabilities, added to CISA's Known Exploited Vulnerabilities catalogue, the uncomfortable truth surfaced again: the firewall is not a wall. It is a computer at the edge of your network that runs software, has management access, and can be compromised. Defence in Depth means using multiple security layers so that when one fails, another slows the attacker, limits damage, or helps you spot the problem. The NCSC describes this as reducing single points of failure.

Yet many small businesses still operate flat networks with exposed management, weak identity, old firmware, missing logs, and untested backups. This episode unpacks the Fortinet advisory, challenges the green dashboard culture, and delivers a practical checklist for the twenty-person firm. The panel argues about MSP accountability, board responsibility, and the difference between buying comfort and buying outcomes. No vendor worship. No reassurance fog. Just evidence, ownership, and the hard questions businesses should ask before the next advisory drops.

A school removes all identifiable pupil photos from its website and social media. A parent complains their child's sporting achievement has been erased. The safeguarding lead sees reduced risk. The marketing lead sees lost warmth. The headteacher is caught in the middle. This What If Wednesday unpacks the tension between celebration and safeguarding in an era of facial recognition, AI manipulation, and permanent digital trails. The panel explores lawful basis, consent limits, metadata risks, and why public celebration no longer requires handing children's identities to the open internet. Practical guidance covers policy design, parent communication, safer storytelling, image audits, and leadership decisions. Schools can still celebrate pupils without treating them as searchable marketing assets.

• Cold Open: The Complaint A school strips identifiable pupil photos from its public channels. A parent says their child's sporting achievement has been erased. The tension between pride, safety, and marketing is introduced.
• Welcome: What If Wednesday The panel frames the scenario as a practical discussion for schools, parents, and trustees navigating image use in a changed online landscape.
• The Trap Schools Walked Into Why schools published pupil photos for good reasons, and why that old model now needs urgent review in light of scraping, AI tools, and permanent exposure.
• Consent Is Not a Magic Cloak Lawful basis, transparency, withdrawal rights, and why parental consent does not eliminate technical or safeguarding risk once images are public.
• The New Risk Is Not Theoretical Scraping, facial matching, AI manipulation, metadata, blackmail, and cumulative exposure. The threat landscape around public pupil images has fundamentally changed.
• Midroll Bumper: The Decision Point A short reset. The parent, marketing lead, and safeguarding lead are all justified. The answer is safer celebration, not silence or defensiveness.
• What The School Should Say To The Parent Empathetic communication that acknowledges pride, explains the decision, and offers safer alternatives without reversing the safeguarding boundary.
• What Marketing Should Do Instead How schools can still convey warmth, identity, and community without relying on identifiable pupil faces on open platforms. Storytelling, not just stock images.
• What The Policy Needs On Monday Morning Practical action list: audit existing images, classify risk levels, define review questions, update parent communication, fix workflows, train staff, and review annually.
• The Leadership Decision Leaders must decide what public celebration looks like now, give staff cover, avoid informal negotiation after every event, and frame the policy as protection and recognition.
• Outro: The Answer Hold the safeguarding line. Explain properly. Offer safer celebration. Do the boring work. A school can celebrate children without turning them into searchable marketing assets.

Noel Bradford and Mauven MacLeod mark the first anniversary of The Small Business Cyber Security Guy by doing what they ask of small businesses: an honest review. No self-congratulation, no marketing gloss. Instead, the hosts correct the mistakes that mattered, including overuse of misleading breach statistics, presenting multi-factor authentication as a finish line rather than a foundation, and underestimating the practical friction of supplier conversations.

They revisit the year's core messages that held up under scrutiny: cyber security is a business problem, not just an IT task; backups are only meaningful if they have been tested; and certificates are not controls. Graham Falkner, Lucy Harper, and Corrine Jefferson each share what surprised them most during the year, touching on logging discipline, accountability gaps after breaches, and the increasing speed of identity-driven attacks.

The episode closes with a clear-eyed look at what remains broken, including weak accountability structures, the persistent myth that small businesses are too small to target, and the widespread failure to test recovery processes. Listeners receive three practical actions for the week: test a file restore, strengthen MFA on privileged accounts, and disable old user logins. The hosts also introduce two new daily shows joining the SBCSG network in year two.

The Daily Time Drop - https://open.spotify.com/show/033t7F4gTRfns0waaq7kHR?si=d859cf22a62f4f8f UK Government - https://www.gov.uk/government/statistics/cyber-security-breaches-survey-2024

National Cyber Security Centre - https://www.ncsc.gov.uk/collection/phishing-resistant-authentication

It starts with a slow ticket, a missing laptop and a printer staging yet another tiny rebellion — the kind of problems every small business sees and understands. But behind those visible slips is a quieter, far more dangerous story: patches that didn’t run, MFA that wasn’t enforced, backups that wouldn’t restore. In this episode Noel Bradford and a panel of experts follow a simple, devastating question: if your MSP says everything is fine, what can they actually prove?

Through a sharp, practical conversation with Mit Patel, founder of Assurix, we peel back the sales decks and the polite reassurances to show how “managed IT” can mean very different things. Mit explains the difference between promises and live evidence — not certificates from three years ago, but ongoing proof that patching, EDR, backups and identity controls are working over time. Graham brings the arithmetic that spoils the cheap quote, Corinne maps the attacker’s path, and Lucy explores the trust problem buyers face when asked to pick a provider with almost no usable evidence.

Listeners are walked through the exact questions every business owner can ask without becoming a security expert: show me 90 days of patching and backup evidence; show me MFA enforcement and exceptions; explain your offboarding process and its real cost; who owns proactive maintenance and how much time do they spend on it? We hear why continuous assurance matters for cyber insurance and why a green report on one day isn’t the same as discipline over months.

The episode doesn't preach panic — it prescribes better questions and better accountability. You’ll hear concrete examples of what good looks like: enforced MFA, tested backups, measurable patch compliance, named escalation paths, fair offboarding and evidence dashboards a human can understand. And if your MSP can’t show that evidence, the episode explains why price comparisons alone are dangerous and how under-resourced security becomes a real business risk.

By the end you’ll understand the simple premise that guides the discussion: service is visible, security is invisible — until it fails. This episode arms small business leaders with a narrative and a checklist to turn vague reassurances into verifiable proof, and gives good MSPs a roadmap to show their value beyond the lowest price. Ask for evidence, not a fleece and a smile.

Multi-factor authentication is essential, but not all MFA is equal. When users receive vague, repeated, or poorly explained prompts, they start treating them like cookie banners: accept, accept, make it go away. Attackers exploit this fatigue by triggering prompts under pressure, impersonating IT support, or using social engineering to bypass weak helpdesk processes. This is not a user failure; it is a design and management failure. Businesses must reduce unnecessary authentication noise, use phishing-resistant methods like number matching, train staff to recognise unexpected prompts as attack signals, and strengthen identity verification processes.

A reported prompt that turns out to be nothing is a working security culture. A prompt nobody reports because everyone fears looking stupid is how expensive conversations with insurers begin. MFA is a control, not a confession booth. If it fails, look at the whole process: the prompt design, the training, the helpdesk, the call-back procedures, and the culture that prioritises speed over verification. Stop blaming users for predictable mistakes in badly designed systems.

Shadow AI has already arrived in most UK small businesses, often through browser tabs, SaaS tool sidebars, and helpful buttons that promise to improve text. Staff are using AI to rewrite emails, summarise meetings, polish proposals, and speed up admin tasks, frequently without approval, policy, or controls. This is shadow IT all over again, but faster and with better branding. The problem is not the technology itself, but unmanaged data movement into systems nobody has reviewed.

Noel Bradford explains why banning AI without offering safe approved routes will fail, why hope is not an AI governance model, and why businesses need practical data controls that give staff clear lanes: low-risk generic tasks, controlled handling of customer data, and hard stops for sensitive material. UK Government guidance and NCSC advice make clear that AI changes the threat landscape, but the basics still matter. This episode cuts through the hype to deliver straightforward guidance on approved tools, supplier checks, human review, and early mistake reporting. AI policy is not about stopping progress; it is about stopping progress from leaking your business into someone else's platform.

Imagine opening your SaaS admin panel and walking into Times Square: flashing upsells, trial banners, an AI button nobody asked for, and a marketplace pitch vying for your click. In this episode, Noel Bradford—your Security Guy—takes you through that sensory overload and shows how it’s not just annoying design; it’s a security problem. When every notification screams for attention, the real alarms get lost in the noise.

Through vivid scenes and sharp examples, Noel explains how attention itself is a control: systems that drown users in marketing clutter train people to ignore banners, default prompts, and even vital security warnings. He weaves practical stories about suspicious sign-ins buried under upgrade offers, API tokens created beside glossy feature tours, and admin portals that bury logs behind paywalls, painting a clear picture of how SaaS sprawl turns convenience into hidden risk for small businesses.

The episode moves from diagnosis to action. Noel lays out a no-nonsense checklist—inventory your SaaS estate, assign owners, remove unused integrations and dormant admins, enforce MFA, and route genuine security alerts to a monitored place—then challenges listeners to ask vendors hard questions about log access and whether security features are deliberately gated behind premium plans.

Part cautionary tale, part practical guide, this episode blends storytelling with actionable advice so listeners leave energized to declutter their dashboards and protect their businesses. If your work tools look like a shopping center, expect people to treat warnings like adverts. Listen in, then reclaim attention as the critical control it is.

Noel Bradford opens the episode with a wry grin and a simple warning: AI has put a jet engine on vulnerability discovery, and that turbocharged speed is coming straight for your patch queue. He paints a scene that starts idyllic—researchers, vendors, and defenders holding hands in a meadow—and then smashes it into the small-business reality everyone knows: an ageing accounts package, two neglected servers, a printer that suddenly has feelings, and a spreadsheet last updated by someone called Maybe James.

Through sharp, conversational storytelling, Noel follows the trail from shiny headlines about faster vulnerability discovery to the quieter, nastier truth: more findings mean more advisories, more tickets, and more decisions. For teams already drowning in alerts—endpoint warnings, vendor advisories, and countless scanner results—AI doesn’t rescue them. It simply shines a brighter light on the rot.

The episode becomes a practical parable about what actually prevents breaches: fundamentals. Noel walks listeners through the essentials as if he were guiding a reluctant business owner around a cluttered workshop—build a real asset inventory (not a mythical one), assign clear ownership, book maintenance windows that aren’t pretend, and document exceptions with accountability. He explains how these mundane actions are the real defenses, not the latest headline-grabbing CVE score.

But the story isn’t all doom. Noel argues that AI can help—if your processes are mature. Faster discovery can help defenders and vendors if decisions are made quickly and sensibly. The heart of the episode is a leadership appeal: patch management is a business problem that touches operations, budgets, and reputations. When the business says “no” to maintenance and “later” to upgrades, it builds a swamp, and IT is left to slog through it.

The episode closes on a clear, rallying note: the AI patch wave is coming, and the question isn’t whether new vulnerabilities will appear—it’s whether your organisation has a process or just Dave, a spreadsheet, and a headache. Listen for practical measures, memorable metaphors, and a call to treat patching as governance, not theatre—because speed is now the test of your maturity.