The Small Business

Cyber Security Guy

Welcome to my blog and podcast, where I share brutally honest views, sharp opinions, and lived experience from four decades in the technology trenches. Whether you're here to read or tune in, expect no corporate fluff and no pulled punches.

Everything here is personal. These are my thoughts, not those of my employer, clients, or any poor soul professionally tied to me. If you’re offended, take it up with me, not them.

What you’ll get here (and on the podcast):

  • Straight-talking advice for small businesses that want to stay secure

  • Honest takes on cybersecurity trends, IT malpractice, and vendor nonsense

  • The occasional rant — and yes, the occasional expletive

  • War stories from the frontlines (names changed to protect the spectacularly guilty)

I've been doing this for over 40 years. I’ve seen genius, idiocy, and everything in between. Some of it makes headlines, and most of it should.

This blog and the podcast is where I unpack it all. Pull up a chair.

Man wearing glasses and a light gray sweater, smiling
Your Complete Insider Threat Defence Action Plan: From Assessment to Implementation
Insider Threat, Cyber Security for Small Businesses, Podcast Noel Bradford Insider Threat, Cyber Security for Small Businesses, Podcast Noel Bradford

Your Complete Insider Threat Defence Action Plan: From Assessment to Implementation

This is the complete insider threat action plan for small businesses. Start with the non negotiables. Enable MFA on email and cloud apps. Audit who has access to what. Test your backups and prove you can restore. Then build. Roll out a password manager. Separate admin from day to day accounts. Turn on activity alerts and review them weekly. Segment guest, IoT and finance. Add EDR. Finish with drills, metrics, and monthly reviews. Do your leaders model the right behaviour? Do people know who to call at 3 am? Can you restore in four hours? If not, what will you change this week?

Read More
Your Insider Threat Assessment Framework: A Practical Self-Audit Guide
Insider Threat, Podcast Noel Bradford Insider Threat, Podcast Noel Bradford

Your Insider Threat Assessment Framework: A Practical Self-Audit Guide

Most security assessments fail small businesses. They ask the wrong questions or drown you in paperwork. You need a fast test that flags real risk and gives clear next steps. Start with five pillars. Access control. Authentication. Activity monitoring. Data protection. Incident response. Score each with simple questions. Fix the lowest pillar first. Turn on MFA. Remove excess access. Enable login alerts. Test restores. Write a one page incident plan. Track progress monthly with a few metrics. Does your team know who to call at 3 am? Can you revoke access in one hour? If not, this framework is for you.

Read More
Technical Defences Against Insider Threats: Solutions That Actually Work
Insider Threat, Cyber Security for Small Businesses, Podcast Noel Bradford Insider Threat, Cyber Security for Small Businesses, Podcast Noel Bradford

Technical Defences Against Insider Threats: Solutions That Actually Work

Small businesses do not need theory. They need controls that block real attacks without new headcount. Start with MFA. It is included in Microsoft 365 and Google Workspace. It kills password reuse and shoulder surfing. Apply least privilege. Split admin from day to day use. Roll out a business password manager. Turn on sign in alerts that flag odd times and places. Test backups with the 3 2 1 rule and keep one copy offline. Segment guest, IoT and finance. These steps are cheap and proven. Will you ship them this month, or wait until an employee exports your client list?

Read More
Confessions of a Reformed School Hacker: How Getting Caught Changed My Career
Insider Threat, Podcast, Industry Analysis, Cyber Security for Small Businesses Mauven MacLeod Insider Threat, Podcast, Industry Analysis, Cyber Security for Small Businesses Mauven MacLeod

Confessions of a Reformed School Hacker: How Getting Caught Changed My Career

Curiosity, access, and a careless password shaped my career. At sixteen I learned the simplest attack works best. I watched a teacher type admin123! and saw the whole network open up. No exploits. Just human nature. That is the insider threat in plain sight. People bypass clumsy controls to get work done. Do your policies help or hinder? Make secure the easy path with least privilege, SSO, MFA, logging, and coaching. Treat incidents as data, not drama. Channel curiosity before it goes underground. Would your systems survive a bright teenager with time after school? If not, what will you change this week?

Read More
Why Good Employees Make Bad Security Decisions: The Psychology Behind Insider Threats
Industry Analysis, Insider Threat, Podcast Noel Bradford Industry Analysis, Insider Threat, Podcast Noel Bradford

Why Good Employees Make Bad Security Decisions: The Psychology Behind Insider Threats

Security fails when it fights how people work. Most breaches are not villains. They are good staff blocked by bad design. The ICO shows students guessed weak passwords or read them off notes. The lesson is simple. If the secure path is slow, people route around it. Make secure the easy choice. Use single sign on. Use MFA that is one tap. Give safe tools for sharing files. Build trust so people report mistakes. Review real behaviour, not policy fantasy. Do your controls help work or hinder it? If a pupil could beat them before lunch, what would your team do?

Read More
Your Biggest Cyber Threat Wears a School Uniform: What Small Businesses Can Learn From School Hackers
Industry Analysis, Insider Threat, Podcast Noel Bradford Industry Analysis, Insider Threat, Podcast Noel Bradford

Your Biggest Cyber Threat Wears a School Uniform: What Small Businesses Can Learn From School Hackers

Insider threats are not shadowy hackers. They are people already inside your walls. The ICO found students caused most school data breaches by guessing weak passwords or reading them off sticky notes. They were not breaking in. They were logging in. Sound familiar? If a teenager can bypass controls, what would a bored employee try next? Audit access today. Turn on multi factor authentication. Stop forcing impossible passwords people write down. Log activity on sensitive systems. Train for curiosity, not fear. Can your security survive a Year Eleven with time to spare? If not, you need to fix it now.

Read More

⚠️ Full Disclaimer

This is my personal blog. The views, opinions, and content shared here are mine and mine alone. They do not reflect or represent the views, beliefs, or policies of:

  • My employer

  • Any current or past clients, suppliers, or partners

  • Any other organisation I’m affiliated with in any capacity

Nothing here should be taken as formal advice — legal, technical, financial, or otherwise. If you’re making decisions for your business, always seek professional advice tailored to your situation.

Where I mention products, services, or companies, that’s based purely on my own experience and opinions — I’m not being paid to promote anything. If that ever changes, I’ll make it clear.

In short: This is my personal space to share my personal views. No one else is responsible for what’s written here — so if you have a problem with something, take it up with me, not my employer.