The Small Business Cyber Security Guy | UK Cybersecurity for SMB & Startups

Available Episodes (5 of 37)
  • The Doorman Fallacy: How Cost Cuts Become Catastrophes
    The £18,000 Saving That Cost £200,000 in Revenue

    Ever cut a cost that seemed obviously wasteful, only to discover you'd destroyed something far more valuable? Welcome to the Doorman Fallacy — it's probably happening in your business right now.

    In this episode, Noel Bradford introduces a concept from marketing expert Rory Sutherland's book "Alchemy" that explains precisely why "sensible" security cost-cutting so often leads to catastrophic consequences. Through five devastating real-world case studies, we explore how businesses optimise themselves into oblivion by defining roles too narrowly and measuring only what's easy to count.

    Spoiler alert: The doorman does far more than open doors. And your security measures do far more than their obvious functions.

    What You'll Learn

    The Core Concept
    - What the Doorman Fallacy is and why it matters for cybersecurity
    - The difference between nominal functions (what something obviously does) and actual functions (what it really does)
    - Why efficiency optimisation without a complete understanding is just expensive destruction
    - The five-question framework for avoiding Doorman Fallacy mistakes

    Five Catastrophic Case Studies

    1. The Security Training Fallacy (Chapter 2)
    - How cutting £12,000 in training led to a £70,000 Business Email Compromise attack
    - Why training isn't about delivering information—it's about building culture
    - The invisible value: shared language, verification frameworks, psychological safety
    - What to measure instead of cost-per-employee-hour

    2. The Cyber Insurance Fallacy (Chapter 3)
    - The software company that saved £18,000 and lost £200,000 in client contracts
    - Why insurance isn't just financial protection—it's a market signal
    - Hidden benefits: third-party validation, incident response capability, customer confidence
    - How cancelling coverage destroyed vendor relationships and sales opportunities

    3. The Dave Automation Fallacy (Chapter 4)
    - Insurance broker spent £100,000+ replacing a £50,000 IT person
    - The £15,000 server upgrade that Dave would have known was unnecessary
    - Institutional knowledge you can't document: vendor relationships, crisis judgment, organisational politics
    - Why ticketing systems can't replace anthropological understanding

    4. The MFA Friction Fallacy (Chapter 5)
    - Fifteen seconds of "friction" versus three weeks of crisis response
    - The retail client who removed MFA and suffered £65,000 in direct incident costs
    - Why attackers specifically target businesses without MFA
    - The reputational damage you can't quantify until it's too late

    5. The Vendor Relationship Fallacy (Chapter 6)
    - Solicitors saved £4,800 annually, lost a £150,000 client
    - Why "identical services" aren't actually identical
    - The difference between contractual obligations and genuine partnerships
    - What happens when you need flexibility and you've burned your bridges

    Key Statistics & Case Studies
    - 42% of business applications are unauthorised Shadow IT (relevant context)
    - £47,000 BEC loss vs £12,000 annual training savings
    - £200,000 lost revenue vs £18,000 insurance savings
    - £100,000+ replacement costs vs £50,000 salary
    - £65,000 incident costs vs marginal productivity gains
    - £150,000 lost client vs £4,800 vendor savings

    Common pattern: Small measurable savings, catastrophic unmeasurable consequences.

    The Five-Question Framework

    Before cutting any security costs, ask yourself:
    1. What's the nominal function versus the actual function? What does it obviously do vs what does it really do?
    2. What invisible benefits will disappear? Be specific: not "provides value" but "provides priority incident response during emergencies"
    3. How would we replace those invisible benefits? If you can't answer this, you're making a Doorman Fallacy mistake
    4. What's the actual cost-benefit analysis, including invisible factors? Not just "save £8,000" but "save £8,000, lose security culture, increase incident risk"
    5. What's the cost of being wrong? In cybersecurity, the cost of being wrong almost always exceeds the cost of maintaining protection

    Practical Takeaways

    What to Do Tomorrow
    Review your most recent efficiency or cost-cutting decision. Ask:
    - Did we define this function too narrowly?
    - What invisible value might we have destroyed?
    - Are we experiencing consequences we haven't connected to that decision?

    Better Metrics for Security Investments
    Instead of measuring cost-per-hour or savings-per-quarter, measure:
    - Incident reporting rates (should go UP with good training)
    - Verification procedure usage frequency
    - Time-to-report for security concerns
    - Vendor response times during emergencies
    - Employee confidence in raising concerns

    Making Trade-Offs Honestly
    Budget constraints are legitimate. The solution isn't "never cut anything." It's:
    - Acknowledge what you're sacrificing when you cut
    - Admit the risks you're accepting
    - Have plans for replacing invisible functions
    - Make consequences visible during decision-making
    - Ensure decision-makers bear some responsibility for outcomes

    Quotable Moments
    "The doorman's job is opening doors. So we replaced him with an automatic door. Saved £35,000 a year. Lost £200,000 in revenue because the hotel stopped feeling luxurious. That's the Doorman Fallacy." — Noel
    "Security training's nominal function is delivering information. Its actual function is building culture. Cut the training, lose the culture, then wonder why nobody reports suspicious emails anymore." — Noel
    "We saved £8,000 on training. Spent £70,000 on the Business Email Compromise attack that training would have prevented. The CFO was very proud of the efficiency gains." — Noel
    "You can't prove a negative. Can't show the value of the disasters you prevented because they didn't happen. So the training gets cut, the insurance gets cancelled, and everyone acts surprised when the predictable occurs." — Mauven
    "The efficiency consultant's dream outcome: Measurable cost eliminated, unmeasurable value destroyed, everyone confused about why things feel worse despite the improvement." — Noel

    Chapter Timestamps
    00:00 - Pre-Roll: The Most Expensive Cost-Saving Decision
    02:15 - Intro: Why Marketing Books Matter for Cybersecurity
    05:30 - Chapter 1: The Book, The Fallacy, The Revelation
    12:00 - Chapter 2: The Security Training Fallacy
    19:30 - Chapter 3: The Cyber Insurance Fallacy
    27:00 - Chapter 4: The Dave Automation Fallacy
    35:30 - Chapter 5: The MFA Friction Fallacy (+ Authentrend sponsor message)
    42:00 - Chapter 6: The Vendor Relationship Fallacy
    49:30 - Chapter 7: Hard-Hitting Wrap-Up & Framework
    58:00 - Outro: Action Items & CTAs
    Total Runtime: Approximately 62 minutes

    Sponsored By Authentrend - Biometric FIDO2 Security Solutions
    This episode is brought to you by Authentrend, which provides passwordless authentication solutions that address the friction problem discussed in Chapter 5. Their ATKey products use built-in fingerprint authentication—no passwords, no PIN codes, just five-second authentication that's both convenient AND phishing-resistant. Microsoft-certified, FIDO Alliance-trusted, and designed for small businesses that need enterprise-grade security without enterprise-level complexity. Learn more: authentrend.com

    Resources & Links
    Mentioned in This Episode:
    - Rory Sutherland's "Alchemy: The Dark Art and Curious Science of Creating Magic in Brands, Business, and Life"
    - Authentrend ATKey Products: authentrend.com
    - Episode 3: "Dave from IT - When One Person Becomes Your Single Point of Failure" (referenced in Chapter 4)
    Useful Tools & Guides:
    - Download our Doorman Fallacy Decision Framework (PDF)
    - Template: Articulating Invisible Value in Budget Meetings
    - Checklist: Five Questions Before Cutting Security Costs
    - Case Study Library: Real-World Doorman Fallacy Examples
    UK-Specific Resources:
    - ICO Guidance on Security Measures
    - NCSC Small Business Cyber Security Guide
    - Cyber Essentials Scheme Information

    About Your Hosts
    Noel Bradford brings 40+ years of IT and cybersecurity experience from Intel, Disney, and the BBC to small-business cybersecurity. Now serving as CIO/Head of Technology for a boutique security-first MSP, he specialises in translating enterprise-level security to SMB budgets and constraints.
    Mauven MacLeod is an ex-government cyber analyst who now works in the private sector helping businesses implement government-level security practices in commercial reality—her background bridges national security threat awareness with practical small business constraints.

    Support The Show
    New episodes every Monday at Noon UK Time! Never miss an episode! Subscribe on your favourite podcast platform: Apple Podcasts, Spotify, Google Podcasts. RSS Feed: https://feed.podbean.com/thesmallbusinesscybersecurityguy/feed.xml
    Help us reach more small businesses:
    - Leave a review (especially appreciated if you mention which Doorman Fallacy example hit closest to home)
    - Comment with your own efficiency optimisation horror stories
    - Share this episode with CFOs, procurement specialists, and anyone making security budget decisions
    - Forward to that one colleague who keeps suggesting cost-cutting without understanding the consequences
    Connect with us:
    - Website: thesmallbusinesscybersecurityguy.co.uk
    - Blog: Visit thesmallbusinesscybersecurityguy.co.uk for full episode transcripts, implementation guides, and decision-making templates
    - LinkedIn: https://www.linkedin.com/company/the-small-business-cyber-security-guy/
    - Email: [email protected]

    Episode Tags
    #Cybersecurity #SmallBusiness #SMB #InfoSec #CyberInsurance #MFA #SecurityTraining #ITManagement #BusinessSecurity #RiskManagement #DoormanFallacy #BehavioralEconomics #SecurityROI #UKBusiness #CostBenefit #SecurityCulture #IncidentResponse #VendorManagement #Authentrend #FIDO2 #PasswordlessAuthentication

    Legal
    The Small Business Cyber Security Guy Podcast provides educational information and general guidance on cybersecurity topics. Content should not be considered professional security advice for your specific situation. Always consult qualified cybersecurity professionals for implementation guidance tailored to your organisation's needs.
    Copyright © 2025 The Small Business Cyber Security Guy Podcast. All rights reserved.

    Got a question or topic suggestion? Email us at [email protected] or leave a comment below!
    --------
    49:25
  • Beds, Bins and DNS: How One AWS Region Outage Sank the Smart Home
    Hosts Mauven MacLeod and Graham Falkner deliver a fiery rant about the recent AWS US East 1 DNS outage and what it reveals about our dependence on cloud services. In this episode, they unpack the outage's real-world impact — from Snapchat and Venmo outages to Philips Hue bulbs and automated litter boxes going dark — and share colourful personal anecdotes, including a navigation fail on a Loch Lomond walk and a high‑tech mattress that turns into an expensive paperweight when the cloud hiccups.

    The pair dig into the technical and cultural roots of the problem: DNS as an ageing single point of failure, the dangers of concentrating critical infrastructure in one region, cost‑cutting that sacrifices resilience, and the worrying effects of automation and staff churn. They discuss how small businesses, banks, gaming platforms, and everyday consumers all found themselves unable to process payments, take bookings, or even turn on a light due to a single regional fault.

    Mauven and Graham also examine the human side of outages — exhausted sysadmins, online threads that read like group therapy, and the blurred line between human operators and automated systems shipping production code. They mock the absurdity of smart devices that need the internet to perform basic functions, and contrast that with the resilience of simple, offline tech (their beloved vinyl collections make a cameo).

    Finally, the episode offers a clear call to action: rethink resilience. Topics covered include multi‑cloud and hybrid strategies, decentralisation, offline fallback modes or "stupid mode" for essential devices, and the need to prioritise technical debt and redundancy over short‑term savings. Expect sharp humour, practical frustrations, and a promise of tangible fixes and advice in the next episode — plus plenty of memes and sympathy for the folks keeping the lights on.
    --------
    11:20
  • InfoSec vs CyberSec vs IT Security: Stop Wasting Money on the Wrong One | UK SMB Reality Check
    Vendors love throwing around "InfoSec," "CyberSec," and "IT Security" like they're selling completely different solutions. Half the time it's the same thing with three different price tags. The other half? You're buying protection that doesn't address your actual risks.

    With 50% of UK small businesses hit by cyber incidents in 2025 and 60% closing within six months of severe data loss, getting this wrong isn't just expensive—it's potentially fatal to your business.

    Noel Bradford (40+ years wrangling enterprise security at Intel, Disney, and BBC) and Mauven MacLeod (ex-Government Cyber analyst who's seen threats at the national security level) cut through the marketing rubbish to explain what each approach actually does, what they really cost, and which one your business needs right now. No vendor pitch. No corporate speak. Just the brutal truth about what works for UK SMBs.

    This Episode is Sponsored by Authentrend
    Special Listener Offer: £40 per FIDO2 security key (regular £45) - Valid until December 22nd, 2025
    We only accept sponsorships from companies whose products we already recommend to clients. Authentrend's ATKey series provides FIDO Alliance Level 2 certified, phishing-resistant authentication at competitive pricing. Same cryptographic protection as premium brands, without the premium price tag.
    Why we're comfortable with this sponsorship: We've been specifying Authentrend keys for UK SMB clients for months because the math works. FIDO2 hardware security keys stop the credential phishing attacks that cause 85% of cyber incidents. At £40-45 per key (two per employee for backup), you're looking at £80-90 per person for protection that actually works. Learn more: authentrend.com

    What You'll Learn

    Understanding the Differences
    - What Information Security actually covers (hint: it's not just digital)
    - Why Cybersecurity isn't the same as IT Security (despite what vendors claim)
    - The CIA triad explained without the jargon
    - Real-world examples showing when each approach matters

    UK Business Reality
    - Current threat landscape: 43% of UK businesses breached in 2025
    - Why small businesses (10-49 employees) face 50% breach rates
    - Average incident costs: £3,400 (but the real number is much higher)
    - UK GDPR, Data Protection Act 2018, and what actually applies to you

    What It Actually Costs
    - Starting from scratch: £5,000-£15,000 annually for 10-20 employees
    - Phishing-resistant MFA: £80-90 per employee (one-time, includes backup keys)
    - Cyber Essentials: £300-£500 (your best bang for buck)
    - Managed security services: £300-£450/month realistic pricing
    - When £2,000-£3,500/month managed detection makes sense
    - Free government resources you're probably ignoring

    Authentication Security Reality
    - Why SMS codes and app-based MFA still get phished
    - How FIDO2 hardware security keys cryptographically prevent credential theft
    - Real cost comparison: £80-90 per employee one-time vs subscription services costing hundreds annually
    - Special offer mentioned in episode: Authentrend keys at £40 until December 22nd

    Implementation Without the Bullshit
    - Why IT Security basics beat fancy cybersecurity tools every time
    - The five controls that address 90% of UK SMB threats
    - Common mistakes that waste your security budget
    - How to prioritise when you can't afford everything
    - Vendor red flags and what to actually look for

    Regulatory Requirements Decoded
    - ICO data protection fees: £40-£60/year (mandatory)
    - What "appropriate technical and organisational measures" really means
    - Why recent enforcement shows reprimands over fines for SMBs
    - Insurance requirements and how to reduce premiums
    - How phishing-resistant authentication affects cyber insurance premiums

    Key Statistics Mentioned
    - 50% of UK small businesses (10-49 employees) experienced cyber incidents in 2025
    - £3,400 average cost per cyber incident (excluding business impact)
    - 60% of small businesses close within 6 months of serious data loss
    - 85% of cyber incidents involve phishing attacks
    - 43% of all UK businesses experienced breaches in 2025
    - Only 35,000 of 5.5 million UK businesses hold Cyber Essentials certification
    - 40% of UK businesses use two-factor authentication (meaning 60% rely solely on passwords)

    Products & Solutions Discussed

    Authentication Security (Featured in Episode)
    Authentrend ATKey Series (Episode Sponsor)
    - ATKey.Pro: USB-A/USB-C with NFC support
    - ATKey.Card: Contactless card format
    - Pricing: £45 regular, £40 special offer until December 22nd
    - FIDO Alliance Level 2 certified
    - Works with Microsoft 365, Google Workspace, 1000+ FIDO2-enabled services
    - Deployment cost: £80-90 per employee (2 keys for backup)
    Why hardware security keys matter:
    - Cryptographically bound to specific domains (phishing technically impossible)
    - Works even when users make mistakes
    - One-time purchase vs ongoing subscription costs
    - Significantly reduces cyber insurance premiums

    Email Security Options
    - Microsoft Defender for Office 365 Plan 1: £1.70/user/month
    - Google Workspace Advanced Protection: £4.60/user/month
    - Sophos Email Security: £2.50/user/month

    Endpoint Protection
    - Microsoft Defender for Business: £2.50/user/month
    - Sophos Intercept X: £3.50/user/month
    - CrowdStrike Falcon Go: £7.00/user/month

    Compliance & Frameworks
    - Cyber Essentials: £300-£500 annually
    - ISO 27001: £10,000-£15,000 first year (discussed as often unnecessary for SMBs)

    Resources Mentioned

    Free Government Resources
    - NCSC Small Business Guidance: ncsc.gov.uk
    - ICO Free Templates: ico.org.uk
    - Cyber Essentials Scheme: cyberessentials.ncsc.gov.uk
    - NCSC FIDO2 Guidance: Phishing-resistant authentication recommendations

    Episode Sponsor
    - Authentrend: authentrend.com
    - Special offer: £40 per key (regular £45) until December 22nd, 2025
    - ATKey.Pro and ATKey.Card models
    - UK distributor support available

    Related Blog Posts (From This Week's Series)
    - Tuesday: "InfoSec vs CyberSec vs IT Security: Stop Paying for the Wrong Protection in 2025"
    - Wednesday: "Another UK SME Wastes £20k on 'Comprehensive CyberSec': Still Gets Breached"
    - Thursday: "IT Security First: Your 5-Step Plan to Stop Buying the Wrong Protection"
    - Friday: "The Leicester SME That Chose IT Security Over InfoSec Theatre: Saved £15k and Actually Got Secure"
    - Saturday: "Opinion: The Cybersecurity Industry Is Deliberately Confusing UK SMBs"

    Recommended First Steps

    Immediate Actions (This Week)
    - Catalogue your information - 1 day exercise to understand what you have and where it lives
    - Register for ICO data protection fee - £40-£60 annual mandatory requirement
    - Order hardware security keys - Start with admin accounts (grab Authentrend special offer before Dec 22nd)

    First Month
    - Get Cyber Essentials certified - £300-£500, addresses 90% of common threats
    - Implement email security - £900-£1,800 annually for proper anti-phishing
    - Deploy phishing-resistant MFA - £80-90 per employee one-time investment
    - Configure endpoint protection - £1,200-£2,500 annually for 15-30 users

    First Quarter
    - Test your backups - Don't assume they work, actually restore something
    - Basic staff training - Use free NCSC materials, focus on phishing recognition
    - Review and document - Simple policies using ICO templates

    Budget Planning
    15-20 employee business, first year total: £6,200-£14,500
    - Email security: £900-£1,800 annually
    - Hardware security keys: £2,400-£2,700 one-time (with Dec 22nd offer: £2,400)
    - Endpoint protection: £1,200-£2,500 annually
    - Backup systems: £600-£1,200 annually
    - Network security: £600-£1,800 (includes one-time hardware costs)
    - Training: £0-£1,500 annually
    - Testing: £500-£2,000 annually
    Ongoing costs (Year 2+): £3,800-£11,100 annually

    Hosts
    Noel Bradford - CIO/Head of Technology, Boutique Security First MSP
    - 40+ years enterprise security (Intel, Disney, BBC)
    - Direct, budget-conscious, solutions-focused
    - Enjoys challenging conventional security wisdom
    - Known for calling out vendor bollocks
    Mauven MacLeod - Ex-Government Cyber Analyst
    - Government cybersecurity background (NCSC)
    - Glasgow-raised, practical approach
    - Translates national security threats into business reality
    - Focuses on what actually works for UK SMBs

    Our Sponsorship Disclosure Policy
    We only accept sponsorships from security vendors whose products we already recommend to UK SMB clients independently. If we wouldn't deploy it ourselves or specify it for consulting engagements, we won't accept sponsorship money for it.
    Why Authentrend: We've been recommending their FIDO2-certified hardware security keys to clients for months because:
    - They provide the phishing-resistant authentication we consistently advise UK SMBs to implement
    - Pricing makes proper authentication accessible to small businesses
    - FIDO Alliance Level 2 certification ensures they meet security standards
    - They align with our core message: affordable IT security fundamentals over expensive security theatre

    Take Action
    Don't let perfect be the enemy of good. Start with what you can manage, do it properly, and build from there.
    Your Next Steps
    - Listen to the episode - Understand the differences before spending money
    - Download the risk assessment template - Available on our blog
    - Order hardware security keys - Start with admin accounts (special offer ends Dec 22nd)
    - Get Cyber Essentials certified - £300-£500 addresses most common threats
    - Implement IT Security fundamentals - £2K-£5K gets you real protection
    - Review quarterly - Security isn't a one-time project

    Subscribe & Connect
    - Never miss an episode - Hit subscribe wherever you get your podcasts
    - Leave us a review - It genuinely helps other UK small business owners find these conversations
    - Visit our blog - Additional resources, templates, and practical guides at [noelbradford.com]
    - Got specific questions? - Drop us a comment and we might cover it in a future episode

    Next Week's Episode
    "Government Cyber Initiatives: Why Whitehall's Digital Strategy Keeps Failing UK Businesses"
    The NCSC produces world-class guidance. Unfortunately, most of it assumes you have dedicated security teams and enterprise budgets. We'll examine why government cybersecurity initiatives consistently miss the mark for the businesses that need help most, and what UK SMBs should actually implement instead.

    Remember
    The biggest security risk is doing nothing while you debate the perfect approach. Stop wasting money on expensive security theatre. Start with IT Security fundamentals that actually protect against the threats you face. Get phishing-resistant authentication in place. Test your backups. Train your staff. Everything else can come later.

    Tags
    #Cybersecurity #InformationSecurity #ITSecurity #UKSmallBusiness #SMB #UKGDPR #CyberEssentials #DataProtection #ICO #BusinessSecurity #CyberThreats #SecurityBudget #NCSC #UKBusiness #SmallBusinessUK #FIDO2 #PhishingResistant #MFA #Authentrend #HardwareSecurityKeys #AuthenticationSecurity
    --------
    37:40
  • Discord's Data Breach and the UK's Digital ID Debacle
    Noel and Mauven unpack Discord’s third-party breach that exposed government-ID checks from age-appeal cases, then weigh it against Westminster’s push for a nationwide digital ID. It’s a frank look at how outsourcing, age-verification mandates and data-hungry processes collide with real-world security on the ground. Expect straight talk and practical fixes for UK SMBs.

    What we cover
    - What actually happened at Discord: a contractor compromise affecting support/Trust & Safety workflows, not Discord’s core systems; notifications issued; vendor relationship severed; law-enforcement engaged.
    - Why age-verification data is dynamite: passports and licences used for "prove your age" are a high-value, high-liability dataset for any platform or vendor.
    - The UK digital ID plan, clarified: free digital ID, phased rollout this Parliament, and mandatory for Right to Work checks rather than everyone by default. What that means for employers, suppliers and software choices.
    - Public sentiment vs promised safety: Britons broadly back "age checks" in principle but expect more data compromise and censorship risk, and doubt effectiveness.

    Why it matters to UK SMBs
    - You can’t outsource accountability. If a payroll, KYC, helpdesk or verification vendor mishandles data, your customers still see your name on the breach notice.
    - Age and identity checks creep into ordinary business flows. HR onboarding, ticketing, and customer support can accumulate sensitive documents if you let them.
    - Centralising identity increases the jackpot for attackers. Your job is to minimise what you collect and partition what you must keep.

    Key takeaways
    - Do not collect what you can’t protect. Prefer attribute proofs over document uploads.
    - Limit blast radius. Separate systems, short retention, hard deletion, and vendor access that is time-boxed and device-checked.
    - Contract like you mean it. Specify MFA, device compliance, immutable logging, breach SLAs, and verifiable deletion in vendor agreements.
    - Prepare your Right-to-Work path now. Choose flows that avoid copying and storing underlying documents.

    Action checklist for SMB owners
    - Map every place you’re collecting ID or age proof today. Kill non-essential collection.
    - Where age is required, adopt attribute-based verification that proves "over 18" without revealing full identity.
    - Move any remaining uploads behind automatic redaction, strict retention, and encryption with keys you control.
    - Enforce vendor MFA via your IdP, require compliant devices, and review access logs weekly.
    - Run DPIAs for onboarding, support and HR flows that touch identity documents.
    - Rehearse your breach comms. Aim to say: "only an age token was exposed, not source documents."

    Chapter outline
    - Setting the scene: a breach born in the support queue
    - Why ID uploads are a liability multiplier
    - The UK’s digital ID plan, without the spin
    - Vendor risk is your risk
    - Practical fixes you can implement before lunch
    - Q&A and what to do if you uploaded ID to Discord

    If you think you’re affected
    Treat notices as real; monitor credit; be alert to targeted phishing; don’t re-upload documents to unsolicited "verification" links.

    Support the show
    Subscribe, rate and review. Share this episode with a business owner who still stores passport scans in their helpdesk. Send questions or topic requests for future episodes.
    --------
    11:30
  • 172 Security Holes Just Got Patched - But Is YOUR Business Already Compromised?
    Microsoft has released the October 2025 Patch Tuesday update, and the numbers tell a serious story: 172 security flaws patched, six of them zero-day exploits already in the wild. For UK small businesses, this is more than routine maintenance; these updates protect against vulnerabilities that attackers are actively exploiting to break into systems like yours. Graham Falkner cuts through the technical jargon to explain what these updates actually mean for your business, shares a real-world story of a local bakery that nearly lost everything, and walks through the practical steps you need to take today. Key Topics Covered The Scale of the Problem 172 total vulnerabilities patched across Microsoft's ecosystem Six zero-day flaws (actively exploited or publicly known before patches released) Eight critical vulnerabilities that could allow unauthorised code execution Elevation of privilege, remote code execution, and information disclosure threats Windows 10: End of an Era 15 October 2025 marks the final day of free security updates for Windows 10 Extended Security Updates (ESU) now required for continued protection Time to seriously plan your Windows 11 migration or budget for ESU costs Real-World Impact Linda's Bakery nearly lost a week's worth of turnover after ransomware exploited an unpatched zero-day vulnerability. The attack was fast, the data was locked, and only a quick backup restoration saved her business. Graham uses this story to demonstrate why these updates have tangible consequences for small businesses across the UK. Windows 11 October 2025 Features Beyond patching vulnerabilities, the October update brings nine useful new features for Windows 11 versions 25H2 and 24H2: Improved Phishing Protection Enhanced defences that make it genuinely harder for dodgy links to trick your staff. Think of it as a digital bouncer for your inbox. Enhanced Device Control Settings Brilliant if you operate in an environment where staff might plug in random gadgets. 
(Yes, coffee shop owners with drawers full of mystery USB sticks, we're looking at you.) Wi-Fi Security Dashboard No IT degree required. Plain-language summary of your network's safety status that anyone can understand. Built-in Password Manager Improvements Now flags when you've reused weak passwords. No more scribbling your favourite biscuit on a Post-it and hoping for the best. AI Actions in File Explorer Smarter file organisation and quick task shortcuts Notification Centre on Secondary Monitors Finally works properly where you click it Moveable System Indicators Customise where volume and brightness indicators appear Administrator Protection Additional security layer for privileged accounts Passkey Support for Third-Party Providers More flexibility in authentication methods Practical Action Steps Immediate Tasks (This Week) Schedule Your Updates Block out an hour when losing a computer for a reboot won't derail your entire operation. Updates can be inconvenient, but getting compromised because you delayed them is far worse. Verify Installation Success Don't assume updates installed correctly. Open Windows Update settings and check for failed installations. Graham shares a personal story about his jukebox PC that reinforces this point. Back Up Before Updating Protect your important data before applying updates. If something breaks, you'll need that backup to restore operations quickly. Recovery Planning Know Your Rollback Options Windows lets you roll back recent updates through the Advanced Recovery menu. Don't wait until disaster strikes to learn how this works. Document Your Process Have a written plan for what to do if an update causes problems. Graham learned this the hard way when his vinyl room jukebox went silent for days. Long-Term Security Habits Regular Review Schedule Treat security reviews like your car's MOT. Schedule them in your diary and actually do them. Ask yourself: "Are my defences still relevant to the threats out there?" 
Consider Automation Intrusion detection tools and vulnerability scanners aren't just for large multinationals anymore. They fit comfortably into small business operations, often catching and patching issues before you even know they exist. Staff Training Technology can only protect you so far. The biggest security gaps usually sit between the keyboard and the chair. Regular training on spotting dodgy emails and not clicking every link matters more than you think. All the AI in the world means nothing if someone opens the virtual front door for attackers. Key Quotes from the Episode "When you've got bugs that can lead to unauthorised access, stolen data, or a business-crippling ransomware attack, you simply can't afford to fall behind." "These updates have real-world impact. I'm not talking theoretical." "Don't leave your business exposed whilst attackers are combing these patch notes, looking for firms running behind." "Not updating isn't just risky, it's old-fashioned." "The strongest business is the one that learns just a bit faster than the crooks." UK Business Context Why This Matters for Small Businesses Whether you're a florist in Aberdeen or a solicitor's office in Kent, cybersecurity isn't about ticking an IT box. These updates protect your ability to keep the cash register ringing and maintain customer trust. Business-crippling ransomware attacks don't just happen to large corporations. Small businesses are increasingly targeted because attackers know you often lack dedicated IT resources and may be running behind on updates. 
Regulatory Considerations
Whilst Graham doesn't dive deep into compliance in this Hot Take, remember that unpatched systems can create regulatory headaches:
  • GDPR obligations require appropriate security measures
  • ICO enforcement takes security seriously
  • Professional indemnity insurers increasingly audit cybersecurity practices
  • Client trust depends on demonstrating you protect their data properly

Technical Details (For the IT-Minded)

Vulnerability Breakdown (172 in total)
  • 80 Elevation of Privilege vulnerabilities
  • 31 Remote Code Execution flaws
  • 28 Information Disclosure issues
  • 11 Security Feature Bypass vulnerabilities
  • 11 Denial of Service flaws
  • 10 Spoofing vulnerabilities
  • 1 Tampering vulnerability

Notable Zero-Days Patched
  • CVE-2025-24990: Agere Modem driver vulnerability (actively exploited)
  • CVE-2025-59230: Windows Remote Access Connection Manager (actively exploited)
  • CVE-2025-24052: Agere Modem driver (publicly disclosed)
  • CVE-2025-2884: TPM 2.0 implementation flaw
  • CVE-2025-0033: AMD EPYC processor vulnerability
  • CVE-2025-47827: IGEL OS Secure Boot bypass

Removed Components
Microsoft removed the Agere Modem driver (ltmdm64.sys) outright rather than patching it, after evidence of abuse for privilege escalation. If you rely on fax modem hardware using this driver, it will cease functioning after this update, so check for it before you roll the update out rather than after the fax line goes quiet.
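The "Verify Installation Success", "Know Your Rollback Options" and "Removed Components" points above come down to a handful of checks you can run on each machine. The script below is an added example written for this page, not code from the podcast or from Microsoft. It assumes an elevated Windows PowerShell 5.1 prompt on Windows 10/11; the KB number in the parameter is a placeholder assumption (the page does not give one), so replace it with the October 2025 cumulative update KB for your Windows build from the Microsoft Security Update Guide.

```powershell
# Added example (not from the podcast or Microsoft): post-Patch-Tuesday health check.
# Run from an elevated Windows PowerShell 5.1 prompt. Save as Check-PatchState.ps1.
param(
    # Hypothetical placeholder: replace with the real October 2025 cumulative KB for your build.
    [string]$ExpectedKb = 'KB0000000',
    [int]$DaysBack = 14
)

$report = [ordered]@{}

# 1. Which OS and build is this? Useful when you compare against the Security Update Guide.
$os = Get-CimInstance Win32_OperatingSystem
$report.Build = "$($os.Caption) build $($os.BuildNumber)"

# 2. Did the expected cumulative update install? Get-HotFix reads the same data
#    that Settings > Windows Update > Update history shows.
$hotfix = Get-HotFix -Id $ExpectedKb -ErrorAction SilentlyContinue
$report.ExpectedKbInstalled = [bool]$hotfix
$report.RecentHotfixes = (Get-HotFix |
    Where-Object { $_.InstalledOn } |
    Sort-Object InstalledOn -Descending |
    Select-Object -First 5 |
    ForEach-Object { "$($_.HotFixID) $($_.InstalledOn.ToString('yyyy-MM-dd'))" }) -join ', '

# 3. Windows Update client log: event ID 20 is an installation failure, 19 a success.
#    Failed installs are exactly what "don't assume it worked" is about.
$log = 'Microsoft-Windows-WindowsUpdateClient/Operational'
$since = (Get-Date).AddDays(-$DaysBack)
$failures = @(Get-WinEvent -FilterHashtable @{ LogName = $log; Id = 20; StartTime = $since } -ErrorAction SilentlyContinue)
$report.FailedInstallsLast14Days = $failures.Count
foreach ($f in $failures) { Write-Warning ("Update install failed at {0}: {1}" -f $f.TimeCreated, $f.Message) }

# 4. Is the removed Agere modem driver still present? The October update deletes
#    ltmdm64.sys; if it is still on disk, or a driver service still points at it,
#    the machine has not taken the update (or something put the driver back).
$driverPath = Join-Path $env:SystemRoot 'System32\drivers\ltmdm64.sys'
$report.AgereDriverOnDisk = Test-Path $driverPath
$report.AgereDriverService = [bool](Get-CimInstance Win32_SystemDriver -ErrorAction SilentlyContinue |
    Where-Object { $_.PathName -like '*ltmdm64.sys*' })

# 5. Is a reboot still pending? An update that has not finished installing leaves
#    the box unpatched, however green the Settings page looks.
$pendingKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\RebootRequired',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\RebootPending'
)
$report.RebootPending = @($pendingKeys | Where-Object { Test-Path $_ }).Count -gt 0

# 6. Do we have something to roll back to? System Restore points only exist if
#    System Protection is enabled on the drive.
$report.RestorePoints = @(Get-ComputerRestorePoint -ErrorAction SilentlyContinue).Count

[pscustomobject]$report | Format-List

# Rollback, only if the update has broken something you cannot work around:
#   wusa.exe /uninstall /kb:<number>
# If wusa refuses (combined servicing stack packages cannot be removed that way), list
# the package and remove it with DISM instead:
#   DISM /Online /Get-Packages /Format:Table
#   DISM /Online /Remove-Package /PackageName:<package identity from the list above>
# Write the result of the first run into your recovery plan so the next person
# does not have to rediscover it while the fax line is down.
```

Run it on each machine the week after Patch Tuesday and keep the output with your update record. `ExpectedKbInstalled` false together with `RebootPending` true usually just means someone closed the lid instead of restarting; false with `FailedInstallsLast14Days` above zero is the jukebox scenario and needs attention. `AgereDriverOnDisk` true after the update has supposedly applied means the update has not actually landed, which is also the moment to decide whether any fax hardware in the business depends on it.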
Resources and Further Reading

Official Microsoft Sources
  • Microsoft October 2025 Patch Tuesday Security Update Guide
  • Windows 11 Version 25H2 Known Issues
  • Windows 10 Extended Security Updates Information

Third-Party Analysis
  • BleepingComputer: October 2025 Patch Tuesday Coverage
  • Windows Central: 9 New Features in October Update
  • Cybersecurity News: Detailed Vulnerability Analysis

UK-Specific Resources
  • NCSC Small Business Guide
  • Cyber Essentials Scheme
  • ICO Data Protection Guidance

Episode Credits
Host: Graham Falkner
Production: The Small Business Cyber Security Guy Podcast
Copyright: 2025 - All Rights Reserved

Call to Action

Help Other Small Businesses Stay Secure
  • Like this Hot Take if you found it useful
  • Subscribe to catch every episode as we release them
  • Share with other UK small business owners who need to hear this
  • Comment with your own update horror stories or success stories

Your engagement helps us reach more small businesses who desperately need practical cybersecurity guidance. Every share might save another business from becoming next month's ransomware statistic.

Stay Connected
Visit thesmallbusinesscybersecurityguy.co.uk for:
  • Complete episode archive
  • Written guides and checklists
  • Additional resources for UK small businesses
  • Ways to submit questions for future episodes

Related Episodes
Looking for more context on topics mentioned in this Hot Take? Check out these related episodes:
  • Episode 17: Social Engineering - The Human Firewall Under Siege. Why staff training matters more than you think, and how attackers exploit human psychology.
  • Episode 10: White House CIO Insights Part 3 - Advanced Threats & AI. AI-powered attacks and how small businesses can defend against sophisticated threats.
  • Enhanced Supply Chain Security. Understanding vendor dependencies and how updates fit into broader security strategy.
    8:06

About The Small Business Cyber Security Guy | UK Cybersecurity for SMB & Startups

The UK's leading small business cybersecurity podcast, helping SMEs protect against cyber threats without breaking the bank. Join cybersecurity veterans Noel Bradford (CIO at Boutique Security First MSP) and Mauven MacLeod (ex-UK Government Cyber Analyst) as they translate enterprise-level security expertise into practical, affordable solutions for UK small businesses.

🎯 WHAT YOU'LL LEARN:
  • Cyber Essentials certification guidance
  • Protecting against ransomware & phishing attacks
  • GDPR compliance for small businesses
  • Supply chain & third-party security risks
  • Cloud security & remote work protection
  • Budget-friendly cybersecurity tools & strategies

🏆 PERFECT FOR:
  • UK small business owners (5-50 employees)
  • Startup founders & entrepreneurs
  • SME managers responsible for IT security
  • Professional services firms
  • Anyone wanting practical cyber protection advice

Every episode delivers actionable cybersecurity advice that you can implement immediately, featuring real UK case studies.
v7.23.11 | © 2007-2025 radio.de GmbH
Generated: 10/29/2025 - 9:49:31 PM