Hosted by Graham Falkner, this episode is a rapid, no‑nonsense January Patch Tuesday breakdown aimed at small businesses and IT owners. Graham walks listeners through Microsoft’s unusually large release of 114 security updates, explains the essential jargon (CVE and CVSS), and highlights why severity scores don’t replace real‑world risk assessments.

The show covers the one vulnerability already being actively exploited (CVE‑2026‑2805 in Desktop Window Manager) and two other high‑risk items used in targeted attacks, plus three zero‑day bugs. Graham takes a deep dive into the critical on‑premises SharePoint emergency (Toolshell campaign, CVE‑2025‑53‑700‑70 and related issues), urging immediate patching and incident response for exposed servers. He also explains the severe Kestrel/ASP.NET Core HTTP request smuggling flaw (CVE‑2025‑55315) and the practical impact on web apps and deployment teams.

The episode reviews other major vendor fixes: SAP’s 16 security updates (including four critical vulnerabilities), Apple’s two WebKit zero days, Adobe’s 32 patches (eight critical affecting Acrobat, Reader and creative apps), HPE OneView’s unauthenticated RCE (CVE‑2025‑37164), and ongoing VMware ESXi risks. Graham calls out long‑delayed Fortinet SSL‑VPN vulnerabilities (including CVE‑2020‑12812) and newer FortiCloud SSO bypasses, stressing that overdue patching still causes widespread compromises.

Practical guidance and priorities are clear and actionable: patch Windows cumulative updates, exposed SharePoint servers, Fortinet edge devices and HPE OneView within 24 hours; address .NET/web app fixes and SAP critical patches within the next 72 hours to one week; then continue with routine maintenance for browsers, Adobe, Cisco and other software. The episode also flags upcoming deadlines and logistics—Oracle’s critical patch update on January 20 and the end of Windows 10 support—so listeners can plan maintenance windows and migrations.

Key takeaways: assume compromise if you haven’t patched exposed services, verify systems after applying updates, assign owners who can patch and redeploy quickly, and treat cumulative Windows updates as all‑or‑nothing. There are no external guests—this episode is hosted solo by Graham Faulkner and aimed at helping small organizations act fast and reduce risk in the wake of an intense Patch Tuesday.

In this episode of the Small Business Cybersecurity Guy, host Noel Bradford is joined by Mauven McLeod and Graham Falkner to unpack the Cabinet Office’s January 2026 Government Cyber Action Plan — a blunt, 100‑page admission that the UK government’s cybersecurity posture is “critically high” risk and that many of its own targets are unachievable. The trio break down the report’s headline findings, case studies of high‑profile failures, and why this matters to you even if you’ve never worked with government.

Key revelations from the Plan covered in the episode include: roughly 28% of government IT is legacy and cannot be defended with modern tools; repeated systemic failures across departments (poor patching, weak passwords, lack of monitoring); high‑cost incidents such as the British Library ransomware recovery and the CrowdStrike outage that cost the UK economy billions; and the Electoral Commission breach that exposed millions of voter records. The hosts explain the language the report uses — from “historical underinvestment” to “not achievable” targets — and what those admissions mean in plain English.

The episode also examines the Cabinet Office’s proposed response: new accountability rules giving accounting officers (permanent secretaries) personal responsibility for cyber risk, routine cyber risk reporting to boards, escalation mechanisms, and potential consequences including removal or public parliamentary scrutiny. The hosts discuss how this mirrors the health & safety/HSE accountability model and why public‑sector reform will likely set the precedent for private‑sector regulation (including implications of forthcoming cyber security and resilience legislation).

Financing and timelines are analysed too: the government has allocated around £210 million to kickstart a central cyber transformation unit with milestones through 2029, but the hosts stress this is a down payment — true remediation will take years and likely billions. The Plan’s investment priorities (visibility/monitoring, accountability, supply‑chain assurance, incident response and skills) form a checklist for businesses to adopt now.

Supply‑chain requirements are a central takeaway: departments will require security schedules, certification (Cyber Essentials, Cyber Essentials Plus, ISO 27001 where appropriate), and documented evidence of controls. These requirements will cascade down through primes to second‑ and third‑tier suppliers, so small businesses should expect tightened demands for proof of security and that compliance will become a competitive advantage.

The hosts finish with practical, actionable advice for small businesses: treat cyber risk as board‑level risk; establish personal accountability and clear escalation; prioritise visibility and monitoring; inventory and pragmatically manage legacy systems; obtain appropriate certifications (Cyber Essentials Plus, ISO etc.) if you have or might have public‑sector exposure; segregate and protect government work; build or improve incident response capability; and use this moment to push cultural change so security is embedded across the organisation.

Throughout the episode Noel, Mauven and Graham provide candid analysis, real examples from recent government failures, and specific steps SMBs can take now to reduce risk and gain a competitive edge as regulation and procurement expectations tighten. Listeners are pointed to the full Government Cyber Action Plan on gov.uk and the podcast blog for a detailed breakdown and sources.

In this episode Mauven McLeod and Graham Faulkner (with Noel Bradford joining partway through) unpack a worrying trend: adversary‑in‑the‑middle (AITM) attacks that steal session tokens and completely bypass conventional multi‑factor authentication (MFA). Using Microsoft’s recent telemetry (a 146% jump in AITM incidents) as a backdrop, they explain how transparent proxy phishing pages relay credentials and MFA approvals to capture session tokens and gain hours of unrestricted access to Microsoft 365 accounts.

The hosts explain, in plain technical terms, why SMS codes, authenticator app push prompts and one‑time codes fail against these attacks and why the stolen session token becomes a single‑factor credential for attackers. They describe what attackers typically do after compromise — mailbox reconnaissance, forwarding rules, OAuth app persistence, and registering new authentication methods — and highlight the scale of automated phishing‑as‑a‑service tools that make these attacks cheap and fast.

The episode then walks through the practical, phishing‑resistant solutions every small business should consider: Windows Hello for Business, hardware security keys (YubiKey, Authentrend and similar), and passkeys on mobile devices. For each option they cover how it works, deployment requirements, licensing or purchase costs, user experience trade‑offs, and which users to prioritize for rollout.

Mauven and Graham recommend a tiered, risk‑based rollout strategy: protect admin and privileged accounts first, then finance/HR/executives, and finally the wider workforce over months. They discuss real‑world gotchas — legacy apps that don’t support modern auth, BYOD complications, mobile workflows, and the need for a secured “break glass” account — plus expected labour, training and hardware costs for a typical 30‑user small business.

Beyond replacing or upgrading MFA, the hosts cover essential complementary controls: conditional access policies, continuous access evaluation (CAE) to shorten token windows, blocking legacy authentication (SMTP/IMAP/POP), impossible‑travel detection, and concrete incident response steps (revoking sessions, removing rogue MFA methods and OAuth apps, checking forwarding rules and mailbox rules, and doing forensics on accessed data).

The episode closes with an immediate to‑do list for small businesses: verify MFA is actually enabled, remove SMS/email MFA methods, plan a phishing‑resistant rollout starting with tier‑1 users, enable conditional access and CAE, and budget for training and support. They also preview an upcoming multi‑episode series to help businesses build a practical incident response plan.

Listeners can expect a technically grounded but actionable discussion aimed at business owners and IT staff: why traditional MFA is still valuable, why it’s not enough against AITM, and exactly how to adopt phishing‑resistant authentication to close that gap.