
Birthday Audit: Brutal Lessons for Small Business Cybersecurity

The Small Business Cyber Security Guy | Cybersecurity for SMB & Startups · 2026-06-08 · 39 min

Substance score

44 / 100

Five dimensions, 20 points each

Insight Density: 11 / 20
Originality: 11 / 20
Guest Caliber: 6 / 20
Specificity & Evidence: 9 / 20
Conversational Craft: 7 / 20

What our scoring noted

Our reviewer’s read on each dimension, with quotes from the episode.

Insight Density

11 / 20

Contains several useful operator takeaways - correcting the misleading 43% stat, reframing MFA as a floor not a finish line, recovery vs. backup, and supplier governance questions - but much of the runtime is banter, self-congratulation, and an unrelated history-podcast cross-promo that dilutes density.

That 43% figure is dominated by phishing
A backup that's never been restored isn't a backup. It's a hope with a nice dashboard

Originality

11 / 20

The self-audit framing (correcting their own prior advice on air) is a refreshing departure from typical confident-vendor content, and lines like 'rehearsing surprise' are sharp, but the underlying advice (MFA, backups, kill old accounts) is standard SMB security canon.

cyber security content has a horrible habit of treating certainty as a brand asset
you are no longer managing risk, you are rehearsing surprise

Guest Caliber

6 / 20

This is essentially two hosts reviewing their own year; the only external voices are brief 90-second soundbites from colleagues (Graham, Lucy, Corrine) and a cross-promo with another podcast host, none presented as senior operators who have done the thing at scale.

we asked a few of the gang one question each
Clara Vale, welcome to the Cyber Bunker

Specificity & Evidence

9 / 20

Offers some concrete figures (43%/19%/3% breach breakdown, 72 vs 25 minute intrusion times, 200,000 downloads) and the Cliff Stoll reference, but most examples are generic hypotheticals ('a Birmingham bakery', 'an old contractor account') with no named companies, dollar figures, or real case studies.

the fastest intrusions were reaching data theft in around 72 minutes, down from nearly five hours
about 19% who experienced at least one cybercrime

Conversational Craft

7 / 20

The format is scripted, agreeable banter between two co-hosts with no genuine pushback or probing follow-ups; the colleague check-ins and the cross-promo guest are accepted entirely unchallenged.

That landed. It did, and she's right.
Same drum we've been banging all year.

Conversation analysis

Computed from the transcript - who did the talking, and the verbal tics along the way.

Filler words

so (31), right (19), like (11), actually (5), er (2), you know (2), obviously (2), basically (1), honestly (1)

Episode notes

Noel Bradford and Mauven MacLeod mark the first anniversary of The Small Business Cyber Security Guy by doing what they ask of small businesses: an honest review. No self-congratulation, no marketing gloss. Instead, the hosts correct the mistakes that mattered, including overuse of misleading breach statistics, presenting multi-factor authentication as a finish line rather than a foundation, and underestimating the practical friction of supplier conversations. They revisit the year's core messages that held up under scrutiny: cyber security is a business problem, not just an IT task; backups are only meaningful if they have been tested; and certificates are not controls. Graham Falkner, Lucy Harper, and Corrine Jefferson each share what surprised them most during the year, touching on logging discipline, accountability gaps after breaches, and the increasing speed of identity-driven attacks. The episode closes with a clear-eyed look at what remains broken, including weak accountability structures, the persistent myth that small businesses are too small to target, and the widespread failure to test recovery processes.

Full transcript


Transcribed and scored by The B2B Podcast Index.

One year ago, I sat in this chair and recorded the first episode of a podcast nobody had asked for. No audience, no reviews, no idea if a single small business owner in the country would ever press play. Hey, I was there too. And now look at us, 90 odd episodes deep. So it's our birthday, Mauven. One. That's your lot. So here's the deal for today. No breaking incident, no vendor to kick, just us looking back at 12 months. What we got right, what we got wrong, and the stuff that's still broken, no matter how loud we shouted about it. The honest version. Not the LinkedIn version. The honest version, always. Welcome back to the Small Business Cybersecurity Guy. I'm Noel Bradford. And I'm Mauven MacLeod. And apparently we've survived a whole year. Survived is doing a lot of work in that sentence. It's earning its keep. Right. Quick frame for anyone new. And there are a lot of you now, so welcome. This show exists to do one job. Take the security advice the big firms keep behind a six-figure invoice, then hand it to a business with five to 50 staff for free in plain English. No fear-mongering. No box-ticking theatre. If you can't do something with an episode by Friday, we've wasted your time. So today's a bit different. We're holding ourselves to that same standard. Did the advice hold up? Let's find out. And just to be clear, this is not the awards dinner version of the story. No glossy montage, no heroic strings, no look how far we've come speech while someone slowly pans across a stock photo of a server rack. Which is a shame because I had a folder marked emotional orchestra. Delete it. Fine. The point is that year one only matters if the advice still helps.
If a listener acted on something we said, did it make their business safer? If we shouted about something, was it worth shouting about? And if we were too blunt, too soft or too neat, we should say that as well. That's important because cyber security content has a horrible habit of treating certainty as a brand asset. Everyone sounds confident. Everyone has a framework. Everyone has a three-step model with a shiny acronym and the emotional depth of a laminated fire exit sign. But here is the serious bit. If this show is going to keep telling small business owners to be honest about risk, recovery, passwords, suppliers, insurance and governance, then we have to be honest about our own first year. Some things we said held up beautifully, some things needed more context and some things changed faster than any of us would have liked. Which is a polite way of saying the criminals didn't wait for the editorial calendar. They never do. That's rude of them, frankly. Deeply inconsiderate. So this is the birthday episode, but it is also a review meeting. No cake until the action items. We're starting here on purpose, with the mistakes. Because anyone can do a birthday episode that's one long pat on the back. And we'd rather you trusted us in year two than felt warm about us for 10 minutes. So, confession one, yours I think. Mine, the 43%. Go on. Early on, I quoted the cyber security breaches survey. I said 43% of small businesses had been hit by a cyber breach in the last year. Big number, scary number. I used it because it landed. And? And it's misleading. That 43% figure is dominated by phishing. A dodgy message got through the door. Somebody saw a scam email. That's not the same as criminals encrypting your entire business. Which is rather the point. Exactly. The more honest read from that same survey is about 19% who experienced at least one cybercrime. And if you strip phishing out and look at the nastier stuff, you're down around 3%.
So the headline made it sound like every other business was getting ransomed. And that's the exact fear-mongering we set the show up to fight. I did the thing I tell vendors off for, so I corrected it on air, and I'm correcting it again now. Not 43. Not if we're talking about actual cybercrime. And definitely not if we're talking about the serious stuff. Good. That one mattered. Right. Your turn. What did we get wrong? We were too soft on "turn on MFA" as the finish line. Ah. For months our advice was basically this: switch on multi-factor authentication and you've closed the big door. And switching it on is still the single best afternoon's work most businesses can do. That stands. But we said it like it was the end of the story, and this year proved it isn't. We did a whole episode on attackers stealing session tokens and walking straight past MFA, adversary in the middle. We did another one on MFA fatigue. That's where staff just tap approve because they're worn down by prompts. The "log in, don't hack in" stuff. Exactly that. The Corrine episode. So the correction is this. Turn MFA on. Yes, absolutely. Today. But the type matters. Text message MFA is better than no MFA. But it should not protect your admin, finance, payroll or email administration accounts. Phishing resistant beats a text message. Passkeys and hardware keys are not shiny toys. They're what the better end of the road looks like. So MFA is a floor, not a trophy. Exactly. That's a real change in how we talk about it. Fair. Anything else? One more. Quick one. We both leaned on the word hacker too long. The cinematic hoodie in a dark room. When the reality is somebody bought a working password for a few quid, then logged in during office hours. Boring. Bureaucratic. And far more common. We fixed the language. Took us a while. So that's three. The scary stat. The MFA finish line. And the Hollywood hacker. Noted. Corrected. On the record. There is another thing I'd put in the wrong column.
Not wrong as in false, wrong as in incomplete. We talked a lot about simple controls. Strong MFA, backups, patching, old accounts, all good, all still right. But sometimes we made it sound like the only thing missing was knowledge. As if every business owner was one tidy checklist away from sorting the whole thing out. And reality is messier. Exactly. Reality has three people off sick. A finance system that only works in one browser. A line of business app last updated when David Cameron still looked fresh. A server under a desk because someone said cloud migration in 2019 and everyone got frightened. And an owner who knows the risk but cannot stop the business for two days to fix it. That's the bit. We were right to say the basics matter, but we should have spent more time on sequencing. What do you fix first when everything looks urgent? What can wait? What is genuinely dangerous and what is just ugly? Because ugly and dangerous are not the same thing. Although they do often share a rack cabinet. They do. Usually with a dead switch and a label printer no one can find. So here is the better version. Don't try to fix cyber security as one giant heroic project. Fix the blast radius first. Protect the accounts that can do the most damage. Protect the data that would hurt most if stolen. Protect the systems that stop you trading. Then work outwards. That is a much better message than do all the basics, even though the basics still matter. And we got sharper on that as the year went on. We did. The early episodes were practical. The later ones were more ruthless about priority. That's a good development, but it belongs in the correction pile. I'd add suppliers to that. We were right that small businesses need to ask better questions of suppliers. But at the start, I think we underestimated how uncomfortable that is for them. Yes, because it sounds simple from this side of the microphone. Ask your IT provider about backups.
Ask your software vendor about breach notification. Ask your payroll provider about MFA. Ask your web company who can access the hosting account. All sensible. But for many owners, that feels like accusing someone. And small business relationships are personal. The supplier might be someone they've known for 10 years, someone local, someone recommended by a friend, someone who turns up quickly when the printer has a tantrum. Which is lovely until the same supplier controls your domain, your email, your backups, your admin account, and the only copy of the password list. Exactly. So the more useful advice is not "interrogate your suppliers". It is: normalise sensible questions before anything goes wrong. That's stronger. Put it in writing. Keep it calm. Ask what happens if they are unavailable. Ask who holds admin rights. Ask how quickly they can restore your data. Ask whether their own staff use MFA. Ask how they would tell you if they had a breach. That is not rude. That is governance. And if a supplier treats basic questions as an insult, that is useful information. Very useful. Possibly the most useful thing they'll ever give you. So that's another correction. The advice was right. The delivery needed more empathy. Agreed. We should never make small business owners feel stupid for not having done this already. They are running businesses. They are doing payroll, sales, recruitment, compliance, tax, customer service, and the emotional labour of pretending the bank portal is well designed. That last one is a national burden. It is. So yes, we still want them to act, but the tone matters. No shame, no panic, just better decisions this week than last week. That's how you earn a second year. Okay, we're allowed a little credit. It is our birthday. Go on then. One party popper's worth. The thing I'm proudest of is this. We kept saying cyber security is a business problem, not an IT problem. And the whole year bent towards that being true.
When cyber crime stops the till. That one. The whole argument was simple. Stop asking your IT person to own this on their own. The question isn't just which firewall you buy. It's what stops you trading on Monday. Who can authorise emergency spend? Who calls the insurer? Who talks to customers? Who decides when the business is safe enough to reopen? And the backups episode hammered the same nail. Don't worship the green tick. A backup that's never been restored isn't a backup. It's a hope with a nice dashboard. Brutal. Accurate. We said that early in the run and we've not had to walk a word of it back. The other one that held up was badges aren't security. Don't buy the badge and the Cyber Essentials episodes. We took some stick for that. We did. People thought we were anti-certification. We're not. Cyber Essentials done honestly is genuinely useful. What we're against is buying a logo for the website while the actual controls underneath are held together with sticky tape. The badge becomes evidence against you the moment something goes wrong. And that's aged well. The insurance episode proved it. One wrong answer on a form 18 months ago. Then the claim starts to wobble. So the through line for year one is clear. Security's a business decision. Backups are a recovery plan, not a tick, and a certificate isn't a control. Another thing we got right was refusing to sell cybersecurity as magic. That matters more than it sounds, because the market is full of magical thinking. Buy this dashboard and sleep again. Buy this scan and call yourself mature. Buy this insurance policy and outsource the consequences. Buy this badge and put it in the footer next to your privacy policy. Which nobody has read. Not even the person who uploaded it. Especially not them. We kept pushing the same boring truth. Security is not a product you buy once. It is a habit, a rhythm, a set of grown-up decisions repeated often enough that they become normal. 
That is not glamorous, but it is survivable, and survivable beats glamorous every single time. I think the best example was the recovery theme. Not backup, recovery. Yes, because recovery is where the marketing dies. The backup portal can be green, the sales deck can be beautiful, the invoice can say enterprise resilience in a font that costs more than a small car. But if you cannot restore the file, the mailbox, the server or the finance system when you need it, none of that matters. And it forced the right business question. How long can you be down? Exactly. Not how nice is the backup product. How long can payroll be unavailable? How long can the workshop stop booking jobs? How long can the dentist lose access to patient records? How long can the solicitor lose case files? How long can the warehouse lose the pick list? Those are business questions, not IT questions. Which brings us back to the core point. Cybersecurity belongs in normal management, not in a cupboard with the switch, and definitely not in the hands of the one person who knows computers because they once fixed the office Wi-Fi by restarting it. To be fair, restarting the Wi-Fi is still the most successful intervention in modern civilisation. I will allow it, but only as a diagnostic method, not a governance strategy. That should be on a mug. It should. Another thing that held up was the human layer. We never bought into the lazy "users are idiots" line. Good, because it is a rotten line. It is. People click things because they are busy. They approve prompts because they are under pressure. They reuse passwords because every system asks them to create yet another account. They trust fake invoices because the attacker copied a real supplier email thread. That does not make them stupid. It makes the system badly designed. And it makes management responsible for reducing the chance of ordinary mistakes becoming business disasters. Exactly. Training matters.
But training without better controls is just blaming the person closest to the explosion. Use MFA. Limit admin rights. Block impossible travel. Disable old accounts. Protect email rules. Make reporting suspicious messages easy. Then train people inside a system that helps them. That message held up. And it will keep holding up because humans are not going out of support. Not officially, no. Although some mornings I feel like I'm running on extended security updates. That may be a coffee issue. It is always a coffee issue. I'll take that. We were right enough. Right enough is the most British compliment you've ever paid me. Don't get used to it. Now, we couldn't do a birthday without the people who've made this show what it is. So we asked a few of the gang one question each. What surprised you most this year? 90 seconds. No waffle. 90 seconds. And Mauven will be timing. I was born for this. We'll start with Graham, because obviously we asked him a question about the future, and he came back with the 1980s. The thing that surprised me was the past. We ran an episode on Cliff Stoll and a 75 cent accounting error at a Berkeley laboratory in the 1980s. A tiny discrepancy unravelled an international espionage case. I expected a history lesson. What I found was a manual. Keep your logs. Notice the small anomaly. Resist the urge to tidy up a mess before you understand it. 40 years on, the tools have changed. The discipline has not. That was the lesson of the year for me. The fundamentals are stubborn. So are the people who ignore them. Under 90 seconds, naturally. Graham has probably got a stopwatch in a spreadsheet somewhere. With conditional formatting. Obviously. Next up, Lucy Harper. And if you've heard her accountability pieces, you'll know this is where the polite gloves come on. What got under my skin this year was how often the story wasn't the breach. It was the silence afterwards. I kept following incidents where the technical bit was almost dull.
The real damage was the cover-up. The blame shifting, the customer who found out from a stranger. The accountability gap is still wide open. Big organisations still get a strongly worded letter where a small business owner would get their life turned over. I'm not done with that one, not by a mile. That landed. It did, and she's right. In too many breaches, the crime is bad. The behaviour afterwards is worse. Last one. Corrine Jefferson. Threat intelligence, identity, speed, and the deeply unpleasant feeling that the criminals are not waiting for your next board meeting. What surprised me was the speed. We talked about identity-driven attacks. I shared the figure that the fastest intrusions were reaching data theft in around 72 minutes, down from nearly five hours the year before. A simulated AI-assisted attack did it in 25. From one careless click to your customer data being packaged for extortion? Faster than a coffee break. The defense hasn't changed, though. It's still identity. Lock down who can log in. Lock down from where. Lock down what they can reach. Then you take the speed advantage away from them. That's the part small businesses can actually win. Identity. Same drum we've been banging all year. Good to hear it from someone who's read the threat intel. And every one of them landed inside 90 seconds, too. Don't sound so surprised. I'm always surprised. It's the NCSC training. What I like about those three answers is that they do not point at shiny kit. Logs, accountability, identity. That is year one in miniature. And none of them require a small business to build a security operations centre in the broom cupboard. Exactly. This is the bit we have to keep making clear. A small business does not need to copy a bank. It does not need a 30-page threat model for the kettle. It does not need a monthly board pack that nobody reads. But it does need to know who can get in. It does need to keep useful logs. 
It does need to know what happens when something breaks. It does need to tell customers the truth if customer data is involved. And it does need to stop pretending cyber security is a mystical technical fog. Because the fundamentals are boring only until you need them. Precisely. A tested restore is boring until ransomware appears. A disabled old account is boring until a password turns up in a dump. A supplier contact list is boring until your IT provider is unavailable. An incident plan is boring until everyone is shouting in the same Teams call and nobody knows who is allowed to speak to the insurer. That last one is painfully common. It is. And the first hour of an incident is where good preparation shows. Not because everyone is calm, they won't be. People are human. But because they have a path. They know who decides. They know who records actions. They know who talks to staff. They know who talks to customers. They know who calls the external incident manager. They know where the insurance documents are. They know where the recovery passwords are stored. They do not waste the first morning discovering that the only person with access to the backup portal is on holiday in Cornwall, with no signal. That is oddly specific. Oddly specific examples are usually the most realistic ones. Fair. So yes, the cast check-in was meant to be a light birthday moment, but it also proves the bigger point. The things that mattered in year one were not exotic, they were basic. But basic does not mean easy, it means foundational. And if the foundation is missing, the clever stuff falls over. Right, quick aside, and this has absolutely nothing to do with cyber security, which makes it a rare and delicate creature. We've got a new show joining the network. It's called The Daily Time Drop. And rather than have me explain it badly, we've brought the host into the studio. Clara Vale, welcome to the Cyber Bunker. Thank you, Noel. I was promised a studio.
This appears to be a room full of cables, coffee and unresolved professional trauma. That's the premium package. Good to know. So, Clara, for listeners who are used to ransomware, bad passwords and small business chaos, what is the daily time drop? It's 10 minutes a day. One main story from this day in history, then a couple of shorter drops as well. Little moments, odd facts, tiny historical grenades lobbed politely into your morning. That is a strong format. I thought so. Sometimes the main story is an invention. Sometimes it's a scandal. Sometimes it's a very confident human being making a decision that history immediately marks as bold but unwise. So not that far away from this show then. Less cyber insurance, better hats. That's fair. The idea is simple. Every day has something interesting tucked inside it. Not always the obvious thing. Not always the school textbook thing. The strange little detail. The forgotten character. The moment where you realise people in the past were just as clever, daft, petty, brilliant and ridiculous as we are. Which is comforting. Is it? Briefly. Then yes, briefly comforting. The launch episode was Scotch whisky, wasn't it? The first written record of Scotch whisky a monk, some malt and the early evidence that humanity has always looked at grain and thought I wonder if we can make this more interesting. And there's also an episode about a man with a window in his stomach. There is. I still don't know what to do with that. Listen to the episode. Sensible. It's the daily time drop. 10 minutes, every day, seven days a week. One main story, a couple of quick historical drops, jokes, facts and just enough sarcasm to keep the dust off. Perfect for the morning coffee? Or the commute? Or pretending you're busy for 10 minutes before opening your inbox? Strong use case? I thought so. I like that it is not trying to be homework. Absolutely not. Nobody needs more homework disguised as enrichment. The aim is curiosity. 
You should finish an episode knowing something you did not know before. Preferably something you can use later in the day to derail a perfectly ordinary conversation. That is a public service. I think so. History is much better when it feels alive. People remember stories. They remember the odd detail. They remember the human absurdity. A date on its own just sits there wearing a cardigan. A story moves. There's a sentence I didn't expect today. I brought several. So search The Daily Time Drop wherever you get your podcasts, or use the link in our show notes. Clara Vale, thank you for stepping into the cyber bunker. Thanks for having me. I'll leave before something asks me to update firmware. Wise choice. Right, back to the doom and gloom. Last bit before we wrap, the stuff that's still broken. Because a birthday's no good if you pretend everything's mended. Accountability. Still the big one. Lucy's right. A year of us banging on about it. And the gap between what happens to a small business owner and what happens to a giant institution after a breach is still enormous. We compared it to health and safety. Directors can go to prison for an unsafe ladder; lose millions of people's data, and too often it's a letter, a delay and a carefully polished statement. That hasn't shifted. We'll keep pushing. Second one, the "we're too small to be a target" myth. It will not die. Because it's comforting, and criminals love a comfortable target. The whole point of automated attacks is they don't care how small you are. You're an IP address with a weak password. And the third, recovery. Everyone's bought the lock for the front door. Almost nobody's tested whether they can get back in after a fire. Buy recovery. Not reassurance. Test the restore. Still the advice. Still ignored more than it's followed. Here's the thing that keeps me hopeful, Mauven. The businesses that do act often discover it barely costs them.
We hear back from owners who turned on strong MFA, cleared out old logins, found the server nobody was patching, tested a restore for the first time. An afternoon's work each time. Not a fortune. Just attention. Attention's the cheapest control there is. And the rarest. There is another broken thing we should name. The belief that cheap support and resilient support are the same thing. Ah. The "we've got someone who does IT" problem. Exactly. For some businesses, that is fine for day-to-day support. Someone resets passwords. Someone fixes Outlook. Someone orders laptops. That has value. But cyber resilience asks different questions. Who reviews admin access? Who tests backups? Who spots impossible logins? Who checks whether the firewall rule from 2018 still exposes something dreadful? Who owns the incident plan? Who challenges the business when the business wants to do something risky because it is convenient? And that is the difference between a helpful technician and an accountable security partner. Both can be good people, but they are not the same role. A small business does not need corporate theatre, but it does need someone willing to say no when no is the correct answer. It needs someone willing to document risk. It needs someone willing to tell the owner that the ancient server is not quirky. It is a loaded mousetrap with a login prompt. And that is still broken because too many businesses reward silence. Yes. Quiet IT is great when quiet means stable, monitored, patched, tested and reported. Quiet IT is a disaster when quiet means nobody has looked for six months. There is a difference between calm and invisible. There is a difference between low noise and no evidence. There is a difference between "nothing happened" and "we have no idea what happened". That may be one of the lines for year two. It should be. Another thing still broken is technical debt with a comfort blanket over it.
Old servers, old firewalls, old line of business systems, old accounts, old laptops that cannot run supported operating systems, old procedures that only exist because someone once wrote them on a sticky note and left. Every business has some of this. We are not pretending otherwise. The problem is when it becomes invisible. Exactly. Technical debt is not a moral failure. But hidden technical debt is a business risk. If you know it is there, you can plan, you can budget, you can isolate it, you can monitor it, you can replace it in stages. But if everyone pretends the old thing is fine because it still turns on, you are no longer managing risk, you are rehearsing surprise. That is bleak. It is accurate. And weirdly hopeful. Because the fix often starts with a list, not a project, not a purchase order, a list. What systems do we depend on? Who has admin access? What is out of support? What has not been backed up? What would stop us trading? What would embarrass us if a customer asked about it tomorrow? That last question works beautifully, by the way. Shame as a discovery tool. I prefer reputational clarity. Of course you do. But it works. Because small businesses are often better at fixing visible problems than abstract risks. Make the risk visible. Give it an owner. Give it a date, then it becomes work. Work can be done. Fog cannot. And the last broken thing. Decision speed. We talk about attacker speed all the time. 72 minutes, 25 minutes in a simulation, session tokens, password dumps, automated scanning. But business decision speed matters too. If it takes you three weeks to approve MFA, the attacker has already finished their coffee. If it takes a month to decide whether to replace an unsupported server, you are not being cautious. You are letting the risk age like cheese. Bad cheese. Very bad cheese. Possibly the kind found at the back of an office fridge next to someone's forgotten soup. Horrifying. Exactly. So, still broken. Accountability. 
Small business denial. Untested recovery. Invisible support. Hidden technical debt. Slow decisions. That sounds like a depressing list, but all of it can improve. Not with panic, with ownership. So year two has a to-do list. Good. Right. We never let you leave without something to actually do. Birthday's no exception. Three things. This week. One. Test a restore. Not check the dashboard. Actually pull one file back from your backup and prove it works. If you can't, you've found your most important problem. Two. Look at your MFA. If your admin and finance logins are protected by a text message, upgrade them. Passkeys or hardware keys. Start with the accounts that can move money, change email rules, access payroll or administer Microsoft 365. The NCSC backs phishing resistant login methods for a reason. They're harder to trick, they're harder to relay, they're harder to steal. Three. Find your zombie logins. Old staff, old contractors, old app connections nobody remembers. Old admin accounts from the person who left before COVID. Switch them off. Each one is an unlocked backdoor. And do not turn these into a six-month transformation programme. That is how simple work goes to die. Exactly. Put 30 minutes in the diary for each one. Restore one file. Review five privileged accounts. Disable five old logins. That is progress. And progress compounds. If you run the business, do not delegate the whole thing and disappear. Ask to see the result. Ask what failed. Ask what surprised the team. Ask what the next small fix should be. That question is powerful. What surprised us? Because surprises are where the risk lives. The restore took four hours longer than expected. The finance admin account still had text message MFA. The old contractor account was still active. The backup report was going to someone who left last year. The domain renewal is tied to a personal email address. These are not rare. These are Tuesday. And once you know, you can fix. Yes, that is the whole game.
Find the ugly thing before the criminal does. Find the weak account before it appears in a password list. Find the broken restore before ransomware turns it into an invoice. Find the supplier gap before everyone is shouting. This is not about perfection. It is about shortening the distance between "we should really check that" and "we checked it."

Test a restore. Harden the logins that matter. Kill the zombies. That's your birthday homework. And it's free. All three. Which means you don't get to blame the budget.

Awkward.

Very.

That's a year. 90-odd episodes. 200,000-plus downloads. And every one of you who pressed play, left a review, sent a message or sent a business owner our way. Thank you. Genuinely. We don't say that lightly. The show only works because people actually use it.

There's a companion piece on the blog with the full year one timeline. It also has the sources behind everything we said today. You'll find it at the smallbusinesscybersecurityguy.co.uk. And if today was useful, the best birthday present you can give us is dead simple. Send it to one business owner who needs it. One person. That's the ask.

Now, quick heads up on year two, because there's more coming than just this show.

There is. We're building this out into a proper network. Two new daily shows, Monday to Friday. Marvin's got one called Threat Analysis. Short, sharp and focused on what's actually worth worrying about that day. No drama for the sake of it. And Corrine's taking the daily CVE update. Vulnerabilities and exploited-flaw alerts, translated for people who don't have a security team. Plus, the hot takes are getting their own home. Seven days a week, evergreen advice and the day's news. So they stop crashing into the main feed like an overexcited Labrador. All of them short. 10 minutes, give or take. A coffee's worth. Details soon. Stay subscribed and you'll be first to hear.

And before we vanish into year two, one more serious thank you. Some of you have sent us stories.
Some have sent corrections. Some have sent examples from your own businesses. Some have sent episodes to directors, finance managers, practice managers, school leaders, charity trustees, and people who thought cybersecurity meant the IT person had bought a firewall once. That matters. Because the whole point of this show is reach. Not vanity reach, useful reach. A person hears something, they ask a better question, they close an old account, they test a backup, they challenge a supplier, they stop a bad decision before it becomes an incident. That is the win.

Quietly preventing disasters is not very cinematic.

No, but it is cheaper than starring in one.

That may be the most practical thing said in this whole episode. Print it on the cake.

We are not printing things on the cake.

Fine, put it in the show notes.

Better. So year two will keep the same promise: plain English, useful action, no vendor nonsense, no compliance theatre, no pretending small businesses have the budget, people or patience of a multinational bank, but also no letting small businesses hide behind size as an excuse. You do not need to do everything. You do need to do the right next thing, then the next, then the next.

Next week, though, we're back to normal service. Something will be on fire by then.

Something always is.

I'm Noel Bradford.

I'm Marvin McLeod.

This has been The Small Business Cyber Security Guy. Here's to year two.

Right, before we let you go completely, let's have a quick chat about the boring but necessary legal bits. Don't worry, I'll make this as painless as possible. First up, and this is important, everything we've said today represents our own personal opinions and experiences. These views are ours alone and don't represent any organisation we work for, any employers, advertisers, sponsors or anyone else who might be connected to the show. When we're giving you advice or sharing our thoughts, that's coming from us as individuals, not speaking on behalf of anyone else.
Everything we've talked about today is for general guidance. It's meant to point you in the right direction, but it absolutely shouldn't be treated as professional advice tailored specifically to your business. Your situation is unique. What works brilliantly for a Birmingham bakery might be completely useless for a Manchester marketing agency.

We do our very best to keep everything accurate and current, but let's be honest here. The cyber security world moves faster than a caffeinated squirrel being chased up a tree by Marvin's Jack Russell. Things can change between when we record and when you're listening, so always double-check critical technical details with qualified professionals before you go making major changes to your systems.

If we've mentioned any websites, products or services, we're giving you information, not necessarily giving them our seal of approval. We can't be responsible for what happens on their end or if things go sideways when you use them. Some things we recommend might involve affiliate partnerships. We'll always flag those when they come up, because transparency matters.

Now, if you're dealing with serious cybersecurity incidents, actual data breaches, or gnarly legal compliance issues, please talk to proper professionals rather than just relying on podcast advice. We're here to educate and help you understand the landscape, not to replace your security consultant, solicitor, or IT team.

This has been a Small Business Cyber Security Guy production. Copyright 2025, all rights reserved.
