The Firewall Fallacy: Fortinet, KEVs and the Cost of Complacency
The Small Business Cyber Security Guy | Cybersecurity for SMB & Startups · 2026-06-22 · 40 min
Substance score
59 / 100
Five dimensions, 20 points each
What our scoring noted
Our reviewer’s read on each dimension, with quotes from the episode.
Insight Density
The episode is dense with practical distinctions (controls vs. defense-in-depth, patching not proving no prior compromise, scope boundaries) and memorable reframings, though much sits at the level of solid intermediate advice rather than genuinely novel insight for a sophisticated operator.
Patching isn't a time machine. It closes the known hole. It doesn't prove nobody walked through it yesterday.
If your report can't tell the difference between busy and dangerous, it isn't security reporting. It's confetti.
Originality
The 'firewall worship' critique and defense-in-depth framing are well-trodden in security, but the episode adds fresh, vivid framing (watermelon dashboards, the KEV-vs-CVE distinction, MSP accountability scripts) that elevates it above recycled takes.
watermelon dashboard. Nice green and smooth in public, but scratch the surface and it's red and sticky
Green dashboards are bedtime stories with traffic lights.
Guest Caliber
This is an in-house roundtable of show personas (claimed 40-year veteran, former gov cyber analyst, accountability lead, etc.) rather than external practitioners; credentials are asserted but no guest demonstrably 'did the thing at scale' beyond one anecdote.
I'm Noel Bradford. I've spent more than 40 years in technology
I'm Moven McLeod, former UK government cyber analyst
Specificity & Evidence
Strong on concrete CVE counts, named survey statistics, a specific field anecdote with model and dates, and named vendors; somewhat weakened by reliance on a single real-world example and round 'tilde 50%' guesses.
Fortinet has had 81 CVEs since January 1st, 2026... an average of three point something a week
a very old, like pre-COVID era Linksys router... gone full end of life in 2021
Conversational Craft
The roundtable deliberately builds in challenge and steelmanning ('What does my argument risk getting wrong?'), which is better than a softball PR chat, but the disagreement is scripted and self-affirming rather than genuinely adversarial.
I want to challenge something. Go ahead, I'm all ears. You keep attacking dashboards and reports, but businesses do need reporting.
Right. I want proper disagreement. What does my argument risk getting wrong?
Episode notes
A firewall cannot save you from being badly run. For years, small businesses have been sold the idea that a perimeter box equals protection. When Fortinet disclosed exploited authentication bypass vulnerabilities, added to CISA's Known Exploited Vulnerabilities catalogue, the uncomfortable truth surfaced again: the firewall is not a wall. It is a computer at the edge of your network that runs software, has management access, and can be compromised. Defence in Depth means using multiple security layers so that when one fails, another slows the attacker, limits damage, or helps you spot the problem. The NCSC describes this as reducing single points of failure. Yet many small businesses still operate flat networks with exposed management, weak identity, old firmware, missing logs, and untested backups. This episode unpacks the Fortinet advisory, challenges the green dashboard culture, and delivers a practical checklist for the twenty-person firm. The panel argues about MSP accountability, board responsibility, and the difference between buying comfort and buying outcomes. No vendor worship. No reassurance fog.
Full transcript
40 min. Transcribed and scored by The B2B Podcast Index.
I'm in a fighting mood today, so how is this for an opening statement? A firewall can't save you from being badly run. Ah, that's what the glint in your eye is about. That's one strong opening. I had better clear out the complaint inbox. Good, let it warm up. For years, small businesses have been sold the idea that the firewall is the big wall around the castle. Lovely image, very comforting, also dangerously incomplete. Because the firewall isn't a wall. It's a computer at the edge of your network. It runs software. It has management access. It has authentication paths. It has cloud integrations. It has vulnerabilities. And when it fails, everybody suddenly discovers they had a governance problem wearing a hardware badge. The awkward bit is this. A firewall is still important. It's just not enough. Exactly. The firewall is a layer, a useful layer, an important layer, but still just a layer. If one exploited vulnerability, one bad configuration, or one lazy management interface can put your whole business at risk, you don't have defence in depth. You've got wishful thinking with a licence renewal. Today we're talking about defence in depth. We're talking about Fortinet having the sort of week nobody puts in the glossy brochure. We're talking about exploited authentication bypass, KEV listings, cloud single sign-on, and why patching is only the start. And we're talking about what a real small business should do when the expensive box at the edge stops being reassuring. So yes, this episode will upset some people. If it upsets you, ask yourself why. Welcome back to the Small Business Cybersecurity Guy. I'm Noel Bradford. I've spent more than 40 years in technology and quite a lot of that time cleaning up after people who believe the brochure. I'm Moven McLeod, former UK government cyber analyst, now here to occasionally stop Noel setting fire to the studio. I've never set fire to the studio. Not physically. And that perfectly introduces Lucy Harper. I'm Lucy Harper.
I look at the accountability side of cybersecurity. Who knew what? Who owned it? Who signed it off? And who suddenly went quiet when the incident timeline appeared? I'm Graham Faulkner. I'll try to keep this useful for the business owner with 20 staff, one MSP, and a growing sense of dread. And I'm Corinne Jefferson. I'll focus on attacker behaviour, edge devices, identity, and what the signals actually mean. Today is a roundtable because this topic deserves argument. Defence in depth sounds simple. Most businesses nod at it. Many vendors misuse it. Some MSPs hide behind it. And plenty of business owners think they already have it because they bought a firewall, endpoint protection and a backup product. Which isn't defence in depth. It's a collection of controls. Maybe, if they're configured. If they're monitored. If someone owns them. Exactly. This is why we need the full table. Let's start with what seems to be a sacred cow for many IT people and MSPs: the firewall, regardless of whether it's a free unit that was supplied by your internet service provider, or an over-specced box your MSP recommended. Spoiler alert: the quality of that free router slash firewall is worse than most bargain basement stuff. No, your ISP probably paid under 10 quid for it, and it will be laughably out of date from a firmware perspective. Graham, what's the matter? I'm already nervous. I just upgraded my home internet and got a free Wi-Fi router. You should be. The firewall has become the comfort blanket of small business cyber security. We've a firewall. We're fine. No, you've a firewall. That means you've one control, one layer, one thing that also needs securing. To be fair, firewalls still matter. Nobody sensible is saying remove them. I'm not saying that. Even the ultra-cheap Wi-Fi router slash firewall that the ISP provided has its place and can, to a greater extent, be secured once fully patched.
Or it can just be placed in modem or bridge mode and have a decent professional unit attached to it. But the danger is that people will hear this as anti-firewall. Good challenge. I'm not anti-firewall, I'm anti-worship. Firewalls shouldn't be treated like some kind of religion just because it's an expensive brand, more of that later, nor be trusted like an intern with the root password and no supervision. Ultimately it is the outer layer of the defence, the outer skin of the defence in depth onion if you like. Nor does it absolve poor patching or fix weak identity. It doesn't test your backups or train your staff or remove old users. And it sure as hell doesn't document who owns risk. And it doesn't become safe because the dashboard is green. Green dashboards are bedtime stories with traffic lights. The problem is that many businesses were told the firewall was the main answer for years. So we should blame the industry too. Vendors sold boxes, MSPs sold bundles, business owners bought what they were told to buy. That may explain the mess. It doesn't excuse leaving it there. Exactly. Inherited risk is still risk. Look, a month or so ago, I spent an enjoyable afternoon auditing a customer's network. They had been having speed issues since they had a big fat multi-gigabit leased line installed. The network provider that supplied the connection was saying that all was fine up to their handover, so the problem must be elsewhere. And I rock up on site, open the comms closet, and what do I find? A very old, like pre-COVID era Linksys router. Hang on, I thought Linksys got absorbed by Cisco and disappeared 10 or more years ago. Yup, so did I, but they're still hanging on in there. So I looked the device up, expecting that they had curled their toes up years ago. And lo and behold, the specs for the router slash firewall were so poor that it couldn't handle anything more than about 100 megabits flat out. And it had indeed gone full end of life in 2021.
So I pulled out my emergency spare router from the back of the car that's capable of 10 gigs, swapped it out, and then whoosh, customer running at full speed from the router. The linked switches were of a similar vintage, and so we had to go back and replace those as they were only Fast Ethernet too. Sorry, got sidetracked. Marnus, the upshot of the story here was yes, the site had a physical firewall, but to all intents and purposes it was hardly functional. And thus a massive risk. And once you understand the risk, doing nothing becomes a decision. Indeed, doing nothing isn't neutral, it's a choice with worse paperwork. Defence in depth means you don't rely on one control to protect the whole business. You use multiple layers. If one fails, another layer slows the attacker, limits damage, or helps you spot the problem. Again, back to the onion or Russian doll, Matryoshka, metaphor. The NCSC describes this as using multiple security measures to reduce single points of failure. Attackers look for single points of failure. One exposed system, one weak identity, one forgotten admin account, one unpatched device, one trusted supplier, one backup console with too much power. One MSP who says, we think it's fine, and can't show evidence. Careful. Go on. Good MSPs do exist. Good providers do track advisories, patch edge devices, check logs, and document the outcome. Yes, indeed there are. And we talked about what good looks like with Mitt Patel from AssureX, and they won't be upset by this episode. I can't even flag it as the one-man band outfits, as I know plenty that are so sorted and slick that they don't miss even a micro stutter. Going back to the episode with Mitt, the ones who you're upsetting may want to ask why the shoe fitted so quickly. Oh, Lucy has been sharpening her knives today. Accountability isn't a knife. It just feels like one when people have been comfortable in a rut for too long.
So the layer model should be clear, and the matryoshka or onion is an excellent analogy. Physical access, network, endpoint, identity, applications, data, backups, people, monitoring, governance. You forgot one. Ownership. Without ownership, layers become theatre. A control without an owner degrades. A control without monitoring becomes blind. A control without testing becomes belief. And belief is great if you're choosing curtains. Less great when ransomware turns up. Right, as we're talking about firewalls, we would be remiss not to discuss the, um, Fortinet shitshow. Wow, here we go. I was wondering if we were going there today. He has been saving this like his favourite dessert. Dessert shouldn't come with a KEV listing. If we're going there, then can we, for everyone's sake, have some precision first? Agreed. This isn't Fortinet bad, everyone else good. That would be lazy. However, according to the OpenCVE project, Fortinet has had 81 CVEs since January 1st, 2026, to the time of recording. That's an average of three point something a week. The issue is more serious than brand tribalism. Just this week, Fortinet disclosed its FortiCloud product has, slash had, single sign-on authentication bypass vulnerabilities affecting multiple products. One advisory described crafted SAML messages allowing authentication bypass if the feature was enabled. Another later advisory described exploitation in the wild involving malicious FortiCloud accounts. CISA also added the later vulnerability to its Known Exploited Vulnerabilities catalogue. That matters because KEV doesn't mean interesting, it means known exploited. It isn't a vibes-based advisory. It isn't one for the next quiet maintenance window when Mercury is in retrograde. I wasn't expecting astrology. I wasn't expecting edge authentication bypass on a security appliance. Yet here we are. To be fair, all major edge vendors get targeted. Firewalls, VPNs, web gateways, remote access devices. They sit in a privileged position.
That makes them valuable. That's the correct framing. This isn't just about one vendor. It's about over-trusting edge technology. Yes, but we should still say the uncomfortable thing. However, if you track back, Fortinet's track record is woeful and smacks of massive corporate technical debt stretching back over a decade or more. When a firewall vendor has an exploited authentication bypass problem, the correct response isn't smug reassurance. The correct response is evidence. What devices do we have? Which versions? Was the feature enabled? Was management exposed? Were logs checked? Were accounts reviewed? Were credentials rotated? And was the fix actually applied? Exactly. Patching isn't a time machine. It closes the known hole. It doesn't prove nobody walked through it yesterday. Let's translate that for the listener. If your provider says, we patched it, the next question is, what did you check before and after patching? Check logins. Check cloud account activity. Check whether logging was intact. And if the answer is, we don't keep those logs, take a very deep breath before replying. Because that isn't a technical detail. That's a business risk disclosure. And this is where the corporate IT directors out there will accuse me of being difficult and grumpy. You know, the same guys that think ISO 27001 is a shield and have never seen the fallout of a click-to-fix attack at 3pm on a Friday, mainly because they are playing golf or in the pub. Only here? Asking for proof after an exploited firewall vulnerability reaching KEV status isn't being difficult. It's being awake. I agree, but some small businesses won't know how to ask. Then give them the wording. Fine, ask this. Please confirm whether any of our Fortinet devices were affected by the recent FortiCloud single sign-on vulnerabilities. A regular check-in doesn't hurt regardless of the edge hardware, so substitute Fortinet for Cisco, Sophos, DrayTek, Ubiquiti, WatchGuard, etc. That's strong.
It's also basic. It works for all manufacturers, so just make a few edits and send it, and do it regularly, at least quarterly. And if you want to know more about the current CVEs and KEVs, Corinne posts about them on the blog, and we have a daily 10-minute audio show launching today. And if the provider can't answer, that tells you something. It tells you whether they're selling protection or reassurance. Reassurance, without evidence, is just marketing with a service desk. I want to challenge something. Go ahead, I'm all ears. You keep attacking dashboards and reports, but businesses do need reporting. They need simple indicators. They can't read raw logs all day. Correct. So the dashboard isn't the enemy. Bad use of the dashboard is the enemy. Good challenge. I agree. A dashboard is useful when it points to evidence, action and ownership. It's useless when it's just green boxes and a PDF nobody reads. Green boxes and vibes. Exactly. Green boxes and vibes have become the native language of weak assurance. It's what I heard described as a watermelon dashboard. Nice green and smooth in public, but scratch the surface and it's red and sticky. The board sees green, the MSP says green, the vendor console says green. Then an incident happens and everybody discovers the green meant we didn't look deeply enough. So a watermelon indeed. Attackers don't care about green. They care about reachable management, weak authentication, stale credentials, unmonitored change, and poor segmentation. So the question is, what should a good report show? Not just status, movement. What changed? What failed? What was patched? What couldn't be patched? What's exposed? What's overdue? What risk needs a decision? And who owns the next action? A useful report should make accountability visible. It should also separate noise from threat. 10,000 alerts don't help a business. 10 meaningful signals with response action might.
If your report can't tell the difference between busy and dangerous, it isn't security reporting. It's confetti. That will upset reporting vendors. Meh. I shall try to recover emotionally. I want to drag us out of the technical swamp for a minute. Go on. The technical detail matters, but the real failure is often governance. Who knew? Who decided? Who checked? Who documented? Who challenged the answer? Who accepted the risk? That's often missing in small businesses. Sometimes because they're small. There may be no formal board structure. The owner may also be sales, finance, HR and complaint handler. I understand that. But attackers don't reduce impact because the company is busy. They also don't care that your MSP was understaffed. They don't care that your renewal was due, your firewall was out of support, or your documentation was on someone's laptop. Cyber criminals are famously poor at respecting internal process. How rude of them. Governance doesn't mean a hundred-page policy. It means decision rights. Who can take systems offline. Who can approve emergency patching. Who can engage an incident responder, who talks to the insurer, who talks to customers. And who can tell the MSP to act quickly without waiting for three people to approve a quote. Yes, during a real incident, delay isn't admin, delay is damage. Speed matters because attackers move through stages. Initial access, discovery, privilege escalation, persistence, lateral movement, data access, exfiltration, impact. If your process only wakes up after impact, your process isn't response. It's obituary writing. That's brutal. It's also true. Noel, let me ask you directly. Why does this topic get under your skin? Because it's avoidable. Not every attack is avoidable. Not every incident is negligence. Not every vulnerability is someone's fault. But the same patterns keep turning up.
Exposed management, weak identity, old firmware, missing logs, flat networks, untested backups, vague MSP answers, leadership that only gets interested when the invoice is painful. And after the event? After the event, everyone wants grown-up answers from systems they refuse to fund, test, document or own. That's fair, but small businesses do have budget pressure. Of course they do. So how do we avoid sounding like we're saying, spend everything or you deserve it? By saying the opposite. Defence in depth isn't buy everything. It's stop pretending one thing does everything. You don't need a bank-grade security team to separate guest Wi-Fi. You don't need one to remove old users, turn on strong MFA, restrict admin access, test backups, and ask your provider for evidence. The most exploited gaps are often boring. Boring doesn't mean harmless. Exactly. Boring is where attackers make their money while the industry argues about acronyms. That's why anger is useful here. Not panic. Not fear. Anger. Because a lot of this isn't mysterious. It's tolerated. Yes, that's why I'm angry. Not because Fortinet had vulnerabilities. Vendors will always have vulnerabilities. Microsoft has them. Cisco has them. Palo Alto has them. SonicWall has them. Everyone has them. I'm angry because too many people still build business security around one trusted box. Then they act shocked when the box needs defending too. Let me put the attacker view on this. Edge devices are attractive because they sit before the internal network. They often face the internet. They're trusted by design. They may have weaker endpoint telemetry than laptops and servers. They also hold clues. Network ranges, routing, VPN users, object names, policies, admin patterns, sometimes integrations with directory services. So even if an attacker doesn't immediately drop ransomware, access can still matter. Correct. Access can support reconnaissance, persistence, credential targeting and later intrusion. 
And the scary bit is that a successful login can look less dramatic than exploit traffic. Yes. If the path is authentication bypass, the signal may sit in admin activity. It may sit in cloud login traces, configuration changes or account creation. Which many small businesses aren't watching. Correct. There it is. Not watching isn't the same as safe. Also, not knowing isn't the same as innocence. That one needs care. It's careful. I'm not saying every business is negligent. I'm saying ignorance is a weak defence when the questions were obvious. Regulators, insurers and customers increasingly ask whether reasonable steps were taken. And reasonable steps now include evidence: asset list, patch process, admin review, logging, backups, incident contact list, supplier accountability. And segmentation. If the edge device fails, the internal network shouldn't become a soft carpet. Many small business networks are one flat trusting puddle. You really like that phrase. I hate that it's accurate. I want to defend the listener for a moment. Go on. Most small businesses didn't design their current environment from scratch. They inherited bits. Old routers. A server that should have gone years ago. A phone system that needs a strange port open. A line of business app that only works if everyone looks away politely. The official architecture of British small business. So when we say flat network or poor governance, some listeners may hear blame. Good point. The useful message is this. You aren't stupid because you inherited a mess, but you're responsible for what you do next. Exactly. I agree completely. If you discover your network is a mess, that isn't the shame point. The shame point is pretending you didn't discover it, or worse still, refusing to do anything about it. Prioritise. Don't freeze. Start with five things. Know what you have. Lock down identity. Patch exposed systems. Test backups. Ask for evidence. And stop exposing management interfaces to the internet.
I'd add one more. Write down the owner. Yes, every action needs an owner and a date. Otherwise, it becomes someone should, and someone should is where security goes to die. Now the bit that will annoy people. Only now? The MSP accountability bit. Here we go. If an MSP manages the firewall, then the MSP should know which customers are affected by a major vendor advisory. They should know device model, firmware version, exposure, management configuration, and whether the affected feature is enabled. They should also know what telemetry exists and what telemetry doesn't exist. And they should communicate clearly, not with alarmism, with facts. Yes, facts, evidence, dates, actions, not we're aware of this issue. We're aware is what people say when they want credit for receiving an email. Some providers may be waiting for vendor guidance before acting. Fine, then say that. Say we're assessing affected devices. We've identified these versions. We're applying this mitigation. We're waiting for this vendor patch. We'll check these indicators. We'll report back by this time. That's communication. We're aware is fog. The real operational gap is mapping advisory to asset to action. Without that map, every advisory becomes a scavenger hunt. And customers should ask for that map. Yes, ask your MSP how they handle KEV entries. Ask what happens when CISA adds a vulnerability to KEV. And I'll put money on ~50% of MSPs not knowing what a KEV is. And they only know about CVEs and other known problems via some vendor post on LinkedIn. Ask how they identify affected assets. Ask how fast they act. Ask what evidence you get. If they can't answer, you've learned something valuable. That doesn't mean sack them on the spot. Correct. It means have an adult conversation. If the adult conversation causes panic, that also tells you something. We should bring in Cyber Essentials here because it gives small businesses a useful baseline. Yes, baseline, not magic.
Cyber Essentials forces useful questions, annually at least. Firewalls, secure configuration, access control, malware protection, security updates. Those areas map directly onto common attacker routes. But a badge without operational reality is just compliance theatre. I'll defend Cyber Essentials as a floor. I'll also happily upset anyone pretending the floor is the penthouse. Metaphorical furniture only. For now. The 2025 to 2026 Cyber Security Breaches Survey showed that only a minority of UK businesses reported having technical controls in all five Cyber Essentials areas. That tells us the basics are still not universal. Which makes the arrogance worse. If the basics aren't done, don't tell me your security posture is mature because your firewall has a strong brand. Attackers exploit gaps, not brand names. That's another keeper. Attackers exploit gaps, not brand names. Right. I want proper disagreement. What does my argument risk getting wrong? It risks sounding like every provider is lazy. Fair. Some aren't. Some do the work quietly and properly. We shouldn't paint everyone with the same brush. Agreed. Good providers should use this episode as customer education. Bad providers will use it as a mirror and complain about the lighting. It also risks overwhelming small businesses. If we give them 40 actions, they'll do none. True. Threat reality must become prioritised action. Agreed. My concern is different. I think we risk letting leadership pass this back to IT. Explain. Firewall patching sounds technical. Single sign-on sounds technical. KEV sounds technical. But the leadership question is simple. Did we take reasonable steps to protect the business? And can we prove it? Exactly. So the output needs to be plain English. What do we have? Is it affected? What did we do? What did we check? What risk remains? Who owns it? That's the chain. Good. That's how we land it. Let's build the practical version.
You run a 20-person professional services firm: accountants, solicitors, recruitment, consultancy, something where data matters and downtime hurts. You've Microsoft 365. Laptops, a firewall, maybe a server. Remote working, a couple of personally owned devices. Some cloud apps, maybe an MSP. You probably also have suppliers with access. Payroll, HR, website, accounts software, telecoms, remote support. And attackers only need one weak route. Just ask Marks & Spencer or JLR. Your first job is ownership. And now Lucy has entered the chat with a governance hammer. It's a very nice hammer. Name the person responsible for cyber risk, not the person who fixes printers. The person who owns risk decisions. Then create the short asset list. Users, admins, devices, firewalls, servers, cloud systems, backup systems, suppliers. Next, identity. MFA everywhere. Stronger MFA for admins and finance. Remove leavers. Kill shared admin accounts. Review global admin. Block legacy sign-in. Then edge exposure. Firewall management shouldn't be open to the internet unless there's a very specific, controlled, logged reason. Remote access must be patched, restricted and monitored. Then patching, not just laptops. Firewalls, switches, access points, printers, NAS boxes, line of business software, browsers. Yes, printers. The beige betrayal machine in the corner is part of the estate. We aren't letting that phrase go, are we? No. Then backup testing. Not "the job says success". Restore something. Open it. Prove it works. And protect backup administration separately. If the same compromised identity can delete the backups, your recovery plan has a trapdoor. Finally, ask for evidence. If your MSP says you're covered, ask what covered means. Ask what's monitored. Ask what's logged. Ask what gets patched. Ask who signs off risk. And ask what happens at 9 o'clock on a Friday night when the thing that was fully managed starts screaming. All the deep. Let's say the quiet bits out loud.
This feels like the part where complaints multiply. Good. A firewall can't save you from weak governance. True. A firewall can't save you from stale admin accounts. True. A firewall can't save you from untested backups. True. A firewall can't save you from an MSP that can't show evidence. True. With the important note that good providers should welcome evidence-based questions. Correct. And a firewall definitely can't save you from a leadership team that only discovers cyber risk after the solicitor asks for a timeline. Very true. The challenge is making this useful, not just brutal. Here's the useful part. Stop buying comfort. Start buying outcomes. Define outcomes. Reduced exposure. Faster patching. Stronger identity. Tested recovery. Better logging. Here's a clear pulse check any SMB can use today. This is Microsoft specific, but then given market share that's almost half our audience. Ask whoever administers your M365 environment what your tenant's Microsoft Secure Score is and ask for all the numbers: overall, identity, apps and data. Ask what's the maximum possible score given your licensing. Then if they blink or evade or give you numbers that are below 60% for the overall, then you've got issues. Clear ownership, faster response, evidence you can show. And fewer assumptions. Assumptions are where accountability goes to hide. Exactly. We assumed the MSP had it. We assumed the firewall was current. We assumed backups worked. We assumed old users were gone. We assumed logs existed. Assumption isn't a control. Let's give the listener a proper response model. Go. When a vendor advisory drops, especially one added to KEV, step one is identify affected assets. Step two, confirm exposure and enabled features. Step three, apply the vendor fix or mitigation. Step four, preserve evidence. Step five, check for compromise. Step six, rotate relevant credentials where appropriate. Step seven, reduce exposure after the emergency is over. Step eight,
document the decision and residual risk. Step nine, report back to the business owner in plain English. And step ten, learn something. If the same class of problem comes back next month and your process is still a panic spreadsheet, you didn't learn, you performed. Panic spreadsheet is painfully accurate. For the small business owner, the question is simple. Can your provider explain this process before the next crisis? If not, ask why. And ask before you need the answer. You should bring in the broader UK data. Yes, because this isn't theoretical. The 2025 to 2026 UK Cyber Security Breaches Survey found that 43% of businesses identified a breach or attack in the previous 12 months. The stricter cybercrime figure was 19% of businesses. Phishing remained the most common breach or attack type by far, experienced by 38% of businesses. And formal incident response plans were still not widespread. Which means many businesses are getting hit, guessing, and then calling the guessing a process. Some of that's capacity, not arrogance. True, but the fix still starts with ownership. You can't outsource responsibility. You can outsource tasks. That distinction matters. It matters because "our MSP handles cyber" isn't a board answer. It's the start of a follow-up question. What exactly do they handle? Where is it written? What evidence proves it? What's outside scope? Scope is key. If it isn't in scope, it may not be monitored, patched, backed up or supported. And attackers are surprisingly uninterested in your contract boundaries. Rude again. Noel, I think this is where your argument lands. Go on. You aren't saying small businesses need to become enterprises. You're saying they need to stop outsourcing thought. Yes. They can outsource management. They can outsource monitoring. They can outsource patching. They can outsource projects. But they can't outsource caring whether the business survives. That's exactly it.
I don't expect every business owner to understand SAML, FortiCloud single sign-on, CVE numbering, or KEV obligations. I do expect them to ask grown-up questions. Are we affected? What did we do? How do we know it worked? What risk remains? Who owns it? That's governance in five questions. And it's manageable. It also changes behaviour. Providers perform better when customers ask for evidence. Exactly. If you only buy reassurance, you'll be sold reassurance. Buy evidence. Right.

No vague motivational ending. Do this this week. First, ask your IT provider for a list of your edge devices and firmware versions. Second, ask whether any recent KEV-listed vulnerabilities affected your estate. Third, ask whether management access is exposed to the internet, and if so, why. Fourth, ask who owns cyber risk inside your business. Fifth, test a restore from backup. Sixth, review admin accounts. Seventh, check whether logs exist for the systems you would rely on during an incident. Eighth, create a simple incident contact list. Ninth, write down what your MSP is responsible for and what remains yours. Tenth, stop accepting fog. Define fog. "We're aware." "We believe." "It should be fine." "The dashboard is green." "No further action required." "We've never had a problem before." "We've never had a problem before" isn't evidence. It may only mean nobody was looking. Ask for plain English proof. And if that annoys someone, good. You aren't asking them to perform magic. You're asking them to explain the risk they're paid to manage.

Defence in depth isn't a slogan. It isn't a vendor bundle. It isn't a certificate. It isn't a firewall with a fancy name. It isn't a green dashboard and a monthly report. It's layered protection against single points of failure. It's detection when prevention fails. It's recovery when detection is too late. It's ownership before the solicitor asks awkward questions.
And it's the grown-up admission that every layer can fail, including the expensive one, including the one with the respected logo, including the one your MSP described as enterprise-grade, including the one the vendor called Next Generation. Next Generation still needs patching. That may be the title of your autobiography. Only if the first chapter is called Green Isn't Safe. I'd read that.

Final thought for the listener. Don't panic, but don't drift. Ask the questions before the incident. Demand evidence before the breach. Own the risk before someone else owns the story. And please, stop pretending your firewall is the strategy. It's a layer. Build the rest. Thanks for listening to the Small Business Cyber Security Guy. Stay safe. Stay awkward. Test your backups. Check your logs. And if your firewall admin page is exposed to the internet, maybe cancel lunch.

Right. Before we let you go completely, let's have a quick chat about the boring but necessary legal bits. Don't worry, I'll make this as painless as possible. First up, and this is important, everything we've said today represents our own personal opinions and experiences. These views are ours alone and don't represent any organisation we work for, any employers, advertisers, sponsors or anyone else who might be connected to the show. When we're giving you advice or sharing our thoughts, that's coming from us as individuals, not speaking on behalf of anyone else. Everything we've talked about today is for general guidance. It's meant to point you in the right direction, but it absolutely shouldn't be treated as professional advice tailored specifically to your business. Your situation is unique. What works brilliantly for a Birmingham bakery might be completely useless for a Manchester marketing agency. We do our very best to keep everything accurate and current, but let's be honest here: the cyber security world moves faster than a caffeinated squirrel being chased up a tree by Moven's Jack Russell.
Things can change between when we record and when you're listening, so always double-check critical technical details with qualified professionals before you go making major changes to your systems. If we've mentioned any websites, products or services, we're giving you information, not necessarily giving them our seal of approval. We can't be responsible for what happens on their end or if things go sideways when you use them. Some things we recommend might involve affiliate partnerships. We'll always flag those when they come up, because transparency matters. Now, if you're dealing with serious cyber security incidents, actual data breaches, or gnarly legal compliance issues, please talk to proper professionals rather than just relying on podcast advice. We're here to educate and help you understand the landscape, not to replace your security consultant, solicitor or IT team. This has been a Small Business Cyber Security Guy production. Copyright 2025. All rights reserved.