• 114 Updates, 1 Active Exploit — January Patch Tuesday: Patch Today or Pay Tomorrow
    Jan 14 2026

    Hosted by Graham Falkner, this episode is a rapid, no‑nonsense January Patch Tuesday breakdown aimed at small businesses and IT owners. Graham walks listeners through Microsoft’s unusually large release of 114 security updates, explains the essential jargon (CVE and CVSS), and highlights why severity scores don’t replace real‑world risk assessments.

    The show covers the one vulnerability already being actively exploited (CVE‑2026‑2805 in Desktop Window Manager) and two other high‑risk items used in targeted attacks, plus three zero‑day bugs. Graham takes a deep dive into the critical on‑premises SharePoint emergency (Toolshell campaign, CVE‑2025‑53770 and related issues), urging immediate patching and incident response for exposed servers. He also explains the severe Kestrel/ASP.NET Core HTTP request smuggling flaw (CVE‑2025‑55315) and the practical impact on web apps and deployment teams.

    The episode reviews other major vendor fixes: SAP’s 16 security updates (including four critical vulnerabilities), Apple’s two WebKit zero days, Adobe’s 32 patches (eight critical affecting Acrobat, Reader and creative apps), HPE OneView’s unauthenticated RCE (CVE‑2025‑37164), and ongoing VMware ESXi risks. Graham calls out long‑delayed Fortinet SSL‑VPN vulnerabilities (including CVE‑2020‑12812) and newer FortiCloud SSO bypasses, stressing that overdue patching still causes widespread compromises.

    Practical guidance and priorities are clear and actionable: patch Windows cumulative updates, exposed SharePoint servers, Fortinet edge devices and HPE OneView within 24 hours; address .NET/web app fixes and SAP critical patches within the next 72 hours to one week; then continue with routine maintenance for browsers, Adobe, Cisco and other software. The episode also flags upcoming deadlines and logistics—Oracle’s critical patch update on January 20 and the end of Windows 10 support—so listeners can plan maintenance windows and migrations.

    Key takeaways: assume compromise if you haven’t patched exposed services, verify systems after applying updates, assign owners who can patch and redeploy quickly, and treat cumulative Windows updates as all‑or‑nothing. There are no external guests—this episode is hosted solo by Graham Falkner and aimed at helping small organizations act fast and reduce risk in the wake of an intense Patch Tuesday.

    10 Min.
  • UK Government Admits Cyber Chaos — 28% of Systems ‘Cannot Be Defended’: What SMBs Need to Know
    Jan 12 2026

    In this episode of the Small Business Cybersecurity Guy, host Noel Bradford is joined by Mauven McLeod and Graham Falkner to unpack the Cabinet Office’s January 2026 Government Cyber Action Plan — a blunt, 100‑page admission that the UK government’s cybersecurity posture is “critically high” risk and that many of its own targets are unachievable. The trio break down the report’s headline findings, case studies of high‑profile failures, and why this matters to you even if you’ve never worked with government.

    Key revelations from the Plan covered in the episode include: roughly 28% of government IT is legacy and cannot be defended with modern tools; repeated systemic failures across departments (poor patching, weak passwords, lack of monitoring); high‑cost incidents such as the British Library ransomware recovery and the CrowdStrike outage that cost the UK economy billions; and the Electoral Commission breach that exposed millions of voter records. The hosts explain the language the report uses — from “historical underinvestment” to “not achievable” targets — and what those admissions mean in plain English.

    The episode also examines the Cabinet Office’s proposed response: new accountability rules giving accounting officers (permanent secretaries) personal responsibility for cyber risk, routine cyber risk reporting to boards, escalation mechanisms, and potential consequences including removal or public parliamentary scrutiny. The hosts discuss how this mirrors the health & safety/HSE accountability model and why public‑sector reform will likely set the precedent for private‑sector regulation (including implications of forthcoming cyber security and resilience legislation).

    Financing and timelines are analysed too: the government has allocated around £210 million to kickstart a central cyber transformation unit with milestones through 2029, but the hosts stress this is a down payment — true remediation will take years and likely billions. The Plan’s investment priorities (visibility/monitoring, accountability, supply‑chain assurance, incident response and skills) form a checklist for businesses to adopt now.

    Supply‑chain requirements are a central takeaway: departments will require security schedules, certification (Cyber Essentials, Cyber Essentials Plus, ISO 27001 where appropriate), and documented evidence of controls. These requirements will cascade down through primes to second‑ and third‑tier suppliers, so small businesses should expect tightened demands for proof of security and that compliance will become a competitive advantage.

    The hosts finish with practical, actionable advice for small businesses: treat cyber risk as board‑level risk; establish personal accountability and clear escalation; prioritise visibility and monitoring; inventory and pragmatically manage legacy systems; obtain appropriate certifications (Cyber Essentials Plus, ISO etc.) if you have or might have public‑sector exposure; segregate and protect government work; build or improve incident response capability; and use this moment to push cultural change so security is embedded across the organisation.

    Throughout the episode Noel, Mauven and Graham provide candid analysis, real examples from recent government failures, and specific steps SMBs can take now to reduce risk and gain a competitive edge as regulation and procurement expectations tighten. Listeners are pointed to the full Government Cyber Action Plan on gov.uk and the podcast blog for a detailed breakdown and sources.

    27 Min.
  • When MFA Isn’t Enough: Inside Adversary‑in‑the‑Middle Attacks
    Jan 5 2026

    In this episode Mauven McLeod and Graham Falkner (with Noel Bradford joining partway through) unpack a worrying trend: adversary‑in‑the‑middle (AITM) attacks that steal session tokens and completely bypass conventional multi‑factor authentication (MFA). Using Microsoft’s recent telemetry (a 146% jump in AITM incidents) as a backdrop, they explain how transparent proxy phishing pages relay credentials and MFA approvals to capture session tokens and gain hours of unrestricted access to Microsoft 365 accounts.

    The hosts explain, in plain technical terms, why SMS codes, authenticator app push prompts and one‑time codes fail against these attacks and why the stolen session token becomes a single‑factor credential for attackers. They describe what attackers typically do after compromise — mailbox reconnaissance, forwarding rules, OAuth app persistence, and registering new authentication methods — and highlight the scale of automated phishing‑as‑a‑service tools that make these attacks cheap and fast.

    The episode then walks through the practical, phishing‑resistant solutions every small business should consider: Windows Hello for Business, hardware security keys (YubiKey, Authentrend and similar), and passkeys on mobile devices. For each option they cover how it works, deployment requirements, licensing or purchase costs, user experience trade‑offs, and which users to prioritize for rollout.

    Mauven and Graham recommend a tiered, risk‑based rollout strategy: protect admin and privileged accounts first, then finance/HR/executives, and finally the wider workforce over months. They discuss real‑world gotchas — legacy apps that don’t support modern auth, BYOD complications, mobile workflows, and the need for a secured “break glass” account — plus expected labour, training and hardware costs for a typical 30‑user small business.

    Beyond replacing or upgrading MFA, the hosts cover essential complementary controls: conditional access policies, continuous access evaluation (CAE) to shorten token windows, blocking legacy authentication (SMTP/IMAP/POP), impossible‑travel detection, and concrete incident response steps (revoking sessions, removing rogue MFA methods and OAuth apps, checking forwarding rules and mailbox rules, and doing forensics on accessed data).

    The episode closes with an immediate to‑do list for small businesses: verify MFA is actually enabled, remove SMS/email MFA methods, plan a phishing‑resistant rollout starting with tier‑1 users, enable conditional access and CAE, and budget for training and support. They also preview an upcoming multi‑episode series to help businesses build a practical incident response plan.

    Listeners can expect a technically grounded but actionable discussion aimed at business owners and IT staff: why traditional MFA is still valuable, why it’s not enough against AITM, and exactly how to adopt phishing‑resistant authentication to close that gap.

    39 Min.
  • 3AM Ringtone of Doom? Build Your 6-Module Incident Response Plan
    Dec 29 2025
    What You'll Learn

    Three in the morning. Your phone's ringing. Someone's encrypted your customer database. What do you do? This trailer launches our most ambitious series yet: a six-module programme running January through March 2026 that transforms panic into a complete, tested incident response plan. Each module drops every two weeks, giving you time to implement before the next one arrives. Between modules, normal episodes continue covering current threats, breaches, and patches.

    This Series Will Give You:

    • Complete incident response framework for small businesses
    • Communication templates you can use during an actual incident
    • Threat-specific playbooks for ransomware, data breaches, and system compromises
    • Testing procedures that prove your plan works under pressure
    • Implementation time built into the schedule
    • Practical guidance for teams with real constraints

    What This Series Covers

    Module 1: Incident Response Foundations (Early January 2026)

    What You'll Build:

    • Clear decision tree for incident classification
    • Role definitions (even if your team is three people)
    • Initial response procedures
    • Documentation requirements
    • Escalation pathways

    Practical Outputs:

    • Who does what, when, and how
    • Your first response checklist
    • Contact list template

    Module 2: Building Your Response Team (Late January 2026)

    What You'll Build:

    • Response team structure for small businesses
    • Role assignments that work with limited staff
    • External contact management
    • Vendor coordination procedures
    • Backup personnel plans

    Practical Outputs:

    • Team roster with responsibilities
    • External contacts database
    • Succession planning for key roles

    Module 3: Communication Plans (Early February 2026)

    What You'll Build:

    • Internal notification procedures
    • Customer communication templates
    • Regulatory reporting guidance
    • Media handling basics
    • Stakeholder management

    Practical Outputs:

    • Communication templates ready to use
    • Notification timelines
    • Contact escalation matrix

    Module 4: Threat-Specific Playbooks (Late February 2026)

    What You'll Build:

    • Ransomware response procedures
    • Data breach protocols
    • System compromise workflows
    • Phishing incident handling
    • Insider threat procedures

    Practical Outputs:

    • Step-by-step playbooks for each threat type
    • Decision trees for common scenarios
    • Evidence preservation guides

    Module 5: Testing Your Plan (Early March 2026)

    What You'll Build:

    • Tabletop exercise framework
    • Simulation scenarios
    • Assessment criteria
    • Continuous improvement process
    • Lessons learned documentation

    Practical Outputs:

    • Test schedule
    • Simulation scripts
    • Improvement tracking system

    Module 6: Complete System Integration (Late March 2026)

    What You'll Build:

    • Your complete, customised IR plan
    • Integration with existing processes
    • Maintenance schedule
    • Annual review procedures
    • Staff training programme

    Practical Outputs:

    • Final incident response plan document
    • Ongoing maintenance checklist
    • Training materials for your team

    Between Modules: Normal Episodes Continue

    Every other week between module releases, you'll get:

    • Latest Breach Analysis: What happened, how it happened, what you can learn
    • Critical Security Patches: What you need to apply and why (see our December 2025 Patch Tuesday analysis)
    • Emerging Threat Intelligence: Current attacks targeting UK small businesses
    • Practical Implementation Guides: Hands-on advice for immediate action

    Because security doesn't pause whilst you're building your plan.

    The Two-Week Implementation Rhythm

    • Week 1: Module episode drops
    • Week 2: Implementation time + normal episode
    • Week 3: Next module episode drops
    • Week 4: Implementation time + normal episode

    This cadence gives you:

    • Time to actually implement each module
    • Space to ask questions and refine
    • Current threat intelligence throughout
    • Sustainable pace for resource-constrained teams

    Why This Series Matters

    The UK Small Business Reality

    Current State:

    • 43% of UK small businesses experienced cyber breaches last year (DSIT 2025)
    • Average breach cost: £250,000
    • Some breaches exceed £7 million
    • 60% of small businesses close within six months of a major cyber incident
    • NCSC estimates 50% of UK SMBs will experience a breach annually

    The Gap:

    • 73% have no board-level cybersecurity responsibility (see Episode 31: The Risk Register Argument)
    • Most have no documented incident response plan
    • Existing plans are often enterprise frameworks that don't work for SMBs
    • When incidents occur, response is reactive panic rather than systematic procedure

    The Opportunity:

    • Having a tested incident response plan can reduce breach impact by up to 70%
    • Cut recovery time significantly
    • Minimise business disruption
    • Demonstrate due diligence for cyber insurance
    • Meet regulatory requirements
    • Protect customer trust

    This Isn't Enterprise Security Theatre

    Traditional incident response planning assumes you have:

    • Dedicated security team
    • 24/7 SOC coverage
    • Unlimited budget
    • Complex organisational structure
    • Enterprise-grade tools

    This series assumes you have:

    • Limited staff wearing multiple hats
    • Constrained budget
    • Time pressure
    • Real business to run
    • Practical need for procedures that actually work

    Every recommendation is: Tested...
    2 Min.
  • Facepalm Retrospective: 2025’s Greatest Cyber Fails — From 123456 to the Louvre
    Dec 22 2025

    Welcome to the Small Business Cybersecurity Guy Christmas Special with host Noel Bradford and guests Mauven MacLeod and Graham Falkner. This episode is a rapid-fire, often hilarious and sometimes horrifying roundup of the most spectacular cyber security disasters of 2025, told with a no-nonsense focus on what small businesses should learn from them.

    We open with the McHire fiasco: security researchers discovered an admin account on McDonald’s AI hiring chatbot (Paradox.ai/Olivia) protected by the password "123456," exposing up to 64 million applicant records. The researchers reported the flaw; no known mass theft occurred, but the episode underlines vendor risk and the dangers of legacy test accounts and absent MFA.

    Next, we cover the Louvre post-heist revelations: a €88m jewel theft followed by reports showing decades-old surveillance systems running Windows 2000/XP, passwords like "Louvre" and systemic neglect. The story is used to illustrate how even world-famous institutions fail at basic cyber hygiene.

    We recap the PowerSchool catastrophe, where a 19-year-old college student used compromised credentials to access a support portal and exposed data on some 62 million students and millions of staff. The attack led to ransom demands, payments, further extortion attempts, criminal charges, and a clear lesson — no MFA, huge consequences.

    The UK was a hotspot in 2025: Jaguar Land Rover, Marks & Spencer, Co-op, Harrods and others suffered disruptive breaches often rooted in third-party/supply-chain compromises. We also discuss the Foreign, Commonwealth & Development Office breach (detected in October, disclosed in December), suspected China-linked activity, and the difficulties of attribution.

    In a rapid-fire segment we cover smaller-but-still-impactful stories: a ransomware gang that abandoned an extortion against nurseries after public outrage; attacks on Asahi, DoorDash and Harvard; widespread exploitation of unpatched SharePoint vulnerabilities; and how simple phishing and credential theft continue to be the root cause of major incidents.

    Key takeaways for small businesses are emphasized throughout: enable multi-factor authentication, use strong unique passwords and password managers, patch promptly, run vendor due diligence and risk registers, train staff on phishing/social engineering, maintain incident response plans, and treat supply-chain security as part of your attack surface. The hosts argue the fundamentals work — do the boring basics correctly.

    The episode closes with practical advice, links to the revamped blog and Noel’s "No BS Cyber for SMBs" newsletter on LinkedIn, and a festive-but-sober call to change weak passwords (definitely not to "123456") and enable MFA before the new year.

    #Cybersecurity #Ransomware #DataBreaches #PasswordSecurity #SupplyChainSecurity #SmallBusiness #UKCyber #InfoSec #Christmas2025 #PowerSchool #McDonalds #JaguarLandRover #ForeignOffice

    22 Min.
  • Boards, Breaches and Accountability: Why Small Firms Need Risk Registers Now
    Dec 15 2025

    Do UK small businesses need cyber risk registers? Graham said no. After this 40-minute debate with Noel Bradford, he changed his mind completely.

    This Small Business Cyber Security Guy podcast episode tackles cyber risk management for UK SMEs through a heated debate about whether small business boards need formal cyber risk registers.

    UK cyber security statistics that changed Graham's mind:

    • 43% of UK small businesses experienced cyber breaches last year (DSIT 2025)
    • 73% have no board-level cyber security responsibility
    • 28% of SMEs say one cyber attack could close them permanently (Vodafone 2025)
    • Average UK small business breach costs £3,398

    Real-world cyber risk register failures: UK manufacturing company with "satisfactory" security controls destroyed by ransomware. Had antivirus, firewalls, backups. No documented cyber risk assessment. No board-level governance. Business nearly closed.

    Companies Act director duties most UK boards ignore: Section 174 requires directors to exercise "reasonable care, skill and diligence" in managing company risks. With 43% breach rates, cyber risk is material. Failure to document cyber risk management exposes directors to personal liability.

    Practical cyber risk register implementation:

    ✓ Minimum viable cyber risk register template (8 columns, single spreadsheet)

    ✓ Board-level cyber security governance framework

    ✓ Quick remediation: enable MFA, test backup restoration, implement payment verification

    ✓ NCSC Board Toolkit guidance for UK SMEs

    ✓ Cyber insurance risk assessment requirements

    Perfect for UK small business owners, SME directors, startup founders, business managers responsible for cyber security compliance, GDPR, and corporate governance.

    Listen to this cyber security governance debate and learn why risk registers aren't bureaucracy - they're legal protection for directors and businesses.

    46 Min.
  • Urgent: Patch CVE-2025-62221 — December Patch Tuesday Breakdown
    Dec 10 2025

    Show notes

    December 2025 just shipped the last Microsoft security fixes of the year. Fifty-seven vulnerabilities, three zero-days, and one actively exploited Windows privilege escalation that hits almost every supported build. Are you patched before the Christmas break, or are you leaving a present for attackers in January?

    In this episode, Graham walks through the December Patch Tuesday release for 2025, with a focus on what actually matters for small and medium businesses. You will hear how CVE-2025-62221 in the Windows Cloud Files driver turns a low-level account into full system compromise, why Office Preview Pane is once again a risk, and how AI-powered tools like GitHub Copilot for JetBrains and PowerShell changes introduce new attack paths. Does your team know about any of that?

    You also get a fast tour of Adobe and other vendor updates, including ColdFusion, Android, Ivanti, Fortinet, React Server Components and SAP. Graham then zooms out to review the full year, with more than 1,100 Microsoft vulnerabilities in 2025 and privilege escalation bugs leading the pack. Finally, he explains why the five-week gap before the next Patch Tuesday on 13 January 2026 makes December patching non-negotiable.

    By the end of the episode you will know:

    1. Which patches you must treat as emergency work, especially CVE-2025-62221

    2. How Office, Copilot and PowerShell changes affect day to day risk

    3. Why Windows 10 without Extended Security Updates is now a business liability

    4. What to ask your IT team or provider before everyone disappears for the holidays

    Are you confident your estate will survive the festive period, or do you need to push patching to the top of the list?

    18 Min.
  • The Printer Is Watching: How Your Office Gear Is the Biggest Cyber Threat
    Dec 8 2025
    For our 30th episode, we're tackling the cybersecurity blind spot that almost no one discusses but everyone should worry about. You've secured your laptops. You've rolled out multi-factor authentication. Your firewall is properly configured. But what about that office printer quietly storing every contract and payslip you've printed this year on a hard drive nobody ever wipes, with a password an attacker can guess in three tries?

    This episode reveals the uncomfortable truth about Internet of Things (IoT) devices in your business. We're talking about printers, CCTV systems, smart thermostats, networked door locks, and every other "smart" device you've stopped thinking about as a computer. These forgotten devices are giving attackers a free pass into networks that are otherwise properly secured.

    We share a real case study from our recent emails about a marketing agency that spent £15,000 on security, passed their audit with flying colours, and still got breached through their office printer. This isn't theoretical paranoia. This is happening right now to businesses that think they've got security sorted.

    What You'll Learn

    • Why your office printer is possibly the biggest security risk in your building
    • How default passwords on "forgotten" devices create easy access points for attackers
    • The real story of a £15,000 security investment defeated by a £300 printer
    • What network segmentation actually means and why it matters for small businesses
    • How to create and maintain an accurate device inventory
    • Practical steps to secure IoT devices without enterprise budgets
    • Why your CCTV system might be livestreaming to the internet right now
    • How smart thermostats become backdoors into your network

    Key Topics Covered

    The Forgotten Device Problem

    Modern offices are full of computers disguised as other things. Every printer, every CCTV camera, every smart thermostat, and every networked door lock is actually a computer connected to your network. Most businesses secure their obvious computers whilst completely forgetting about these devices, creating perfect entry points for attackers who aren't bothering with sophisticated social engineering when they can just log in with "admin/admin".

    Real Case Study: The £15,000 Security Investment Defeated by a Printer

    A 30-person marketing agency listened to our ransomware and authentication episodes, then invested £15,000 in proper security: new firewalls, endpoint protection, hardware authentication keys for every staff member, and a security audit that came back clean. Two months later, they discovered someone had been accessing their client files for weeks through their HP printer that still used factory default credentials. The printer had full network access and stored copies of everything printed. Nobody had changed the password. Nobody had checked it during the audit. Nobody even thought about it.

    Default Credentials: The Epidemic Nobody Discusses

    Attackers maintain databases of default passwords for thousands of devices. They don't need to crack complex passwords when they can try "admin/admin" or "admin/password" and gain access to printers, cameras, or thermostats within seconds. These devices often ship with administrative interfaces accessible from the network, and most businesses never change the defaults because they don't think of these devices as security concerns.

    Network Segmentation Explained (Without Enterprise Complexity)

    Network segmentation sounds enterprise-level complicated, but the basic concept is simple: not everything on your network should be able to access everything else. Your printer doesn't need access to your accounting server. Your CCTV system doesn't need to reach your customer database. Creating separate network zones for different device types means a compromised printer can't become a stepping stone to your sensitive data.

    The Device Inventory Challenge

    Most small businesses have no accurate list of what's actually connected to their network. They know about the laptops and servers but often forget about the smart coffee machine someone plugged in last year, the wireless access points in the meeting rooms, or the networked thermostat the facilities team installed. Without knowing what's connected, you can't secure it. We discuss practical methods for discovering and documenting every device on your network.

    Practical IoT Security Steps

    We break down actionable steps that don't require enterprise budgets or dedicated security teams. This includes conducting device audits, changing default passwords, implementing basic network segmentation, regular firmware updates, and creating ownership responsibility for every connected device. The goal is proportionate security that's actually achievable for small businesses.

    Key Takeaways

    • Every connected device is a computer. If it has an IP address, it's a potential security risk that needs management and protection.
    • Default passwords are attackers' best friends. The first thing to do with any new device is ...
    37 Min.