The Small Business

Cyber Security Guy

Welcome to my blog and podcast, where I share brutally honest views, sharp opinions, and lived experience from four decades in the technology trenches. Whether you're here to read or tune in, expect no corporate fluff and no pulled punches.

Everything here is personal. These are my thoughts, not those of my employer, clients, or any poor soul professionally tied to me. If you’re offended, take it up with me, not them.

What you’ll get here (and on the podcast):

Straight-talking advice for small businesses that want to stay secure
Honest takes on cybersecurity trends, IT malpractice, and vendor nonsense
The occasional rant — and yes, the occasional expletive
War stories from the frontlines (names changed to protect the spectacularly guilty)

I've been doing this for over 40 years. I’ve seen genius, idiocy, and everything in between. Some of it makes headlines, and most of it should.

This blog and the podcast is where I unpack it all. Pull up a chair.

Man wearing glasses and a light gray sweater, smiling

News Desk 01/08/2025 News Desk 01/08/2025

The UK Government's Ransomware Gambit: Why Your SMB Just Became a Bigger Target

The UK Government's July 2025 consultation response commits to implementing world-leading ransomware legislation by late 2026.

Three key proposals include payment bans for public sector/CNI, universal 72-hour incident reporting, and government pre-approval for private sector payments.

This will dramatically increase ransomware targeting of SMBs as criminals pivot from restricted sectors to easier private targets.

Noel Bradford 14/06/2025 Noel Bradford 14/06/2025

Compliance Alone Is Digital Security Theatre

After decades of watching government departments wave certificates while getting breached,

I'm done pretending compliance equals security. Yes, you need SOC 2 for some contracts. Yes, ISO27001 impresses procurement teams. But if you think those certificates will stop ransomware, you're living in a dangerous fantasy.

I've seen FTSE 100 companies with pristine audit reports get absolutely destroyed by basic phishing attacks.

It's time for some brutal honesty about what compliance actually protects (your contracts) versus what it doesn't (your business). Pull up a chair, this is going to sting.

Noel Bradford 12/06/2025 Noel Bradford 12/06/2025

Implementing Cyber Essentials: Your 5-Step Action Plan

Tired of consultants charging £10,000 for Cyber Essentials implementation that you can do yourself in six weeks?

This step-by-step guide cuts through the consultant bollocks and shows you exactly how to implement CE yourself. Real timelines (6 weeks max), real costs (under £4,000), real templates you can actually use.

No consultant dependency, no ongoing fees, no compliance theatre. Just practical security that actually protects your UK SMB while meeting NCSC requirements.

Stop funding consultant BMWs, start securing your business properly.

Noel Bradford 10/06/2025 Noel Bradford 10/06/2025

ISO27001 vs Cyber Essentials: Real Defence vs Checkbox Theatre

Another UK SMB just spent £40,000 on ISO27001 certification. Three months later: ransomware. The compliance industry has convinced every 15-person company they need enterprise-grade paperwork to survive. Bollocks. While you're documenting your password policy in 47 formats, criminals are walking through the digital front door you forgot to lock. Today's deep-dive exposes the real cost of compliance theatre vs actual security. Spoiler: Cyber Essentials might actually protect you, ISO27001 will definitely bankrupt you

Noel Bradford 09/06/2025 Noel Bradford 09/06/2025

Episode 2: Compliance Theatre Won't Save You

What if everything you've been told about cybersecurity compliance is designed to empty your bank account rather than protect your business?

In this explosive episode, we exposes the compliance industrial complex convincing every 15-person company they need enterprise-grade certifications.

With NCSC insider revelations, discover why the government never intended SMBs to need ISO27001, how SOC 2 reports became "expensive fiction for executives," and the shocking real costs consultants hide. From Manchester SMEs losing £50k after £30k certifications to enterprise breaches despite perfect audits, this is your compliance wake-up call. Stop funding consultants' lifestyles, start protecting your business.

Noel Bradford 18/05/2025 Noel Bradford 18/05/2025

ISO27001 vs Cyber Essentials (Part 3/3): What Needs to Change For Real

Too many UK businesses trust ISO27001 and SOC 2 to keep them safe. They shouldn’t. These frameworks focus on governance, not enforcement. When ransomware hits or supply chains collapse, it’s always the same gaps: patching failures, lack of segmentation, poor endpoint hygiene.

Cyber Essentials, especially CE+, isn’t a tick-box. It’s the defensive baseline that would have saved countless organisations from disaster.

This article lays out the real problem and preaches the blunt truth: no ISO, no SOC 2, no procurement badge means a thing unless Cyber Essentials or equivalent is tested, verified, and enforced.

Noel Bradford 17/05/2025 Noel Bradford 17/05/2025

ISO27001 vs Cyber Essentials (Part 2/3):Big Names, Big Certs, Big Breaches: The Truth Behind the Logos

You’d think ISO27001 and SOC 2 certifications mean a business is secure. But if 2023 and 2025 have shown us anything, it’s that those badges don’t stop breaches. From Capita’s data leaks to Harrods’ containment chaos, and Co-op’s app disruption to the MOVEit dominoes, governance frameworks have failed where basic cyber hygiene would have succeeded.

Cyber Essentials, often dismissed as small business fluff, turns out to be the missing frontline control in all of these high-profile failures. This article names names, unpacks the gaps, and shows why CE+ is no longer optional, it's essential.

Noel Bradford 16/05/2025 Noel Bradford 16/05/2025

ISO27001 vs Cyber Essentials (Part 1/3): Why They’re Not the Same and Why That Matters More Than Ever

Think Cyber Essentials and ISO27001 are just different flavours of the same thing? Think again. One’s a tactical shield against everyday threats, the other’s a strategic blueprint for governance. Mistake one for the other, and you’ll either overspend or leave the door wide open.

This article rips into the dangerous misconception that they’re interchangeable, explores how Cyber Essentials is built for every organisation, from startups to schools, and why it remains your frontline defence while ISO27001 governs the back office. Ignore this and you risk joining the breach statistics next quarter.

⚠️ Full Disclaimer

This is my personal blog. The views, opinions, and content shared here are mine and mine alone. They do not reflect or represent the views, beliefs, or policies of:

My employer
Any current or past clients, suppliers, or partners
Any other organisation I’m affiliated with in any capacity

Nothing here should be taken as formal advice — legal, technical, financial, or otherwise. If you’re making decisions for your business, always seek professional advice tailored to your situation.

Where I mention products, services, or companies, that’s based purely on my own experience and opinions — I’m not being paid to promote anything. If that ever changes, I’ll make it clear.

In short: This is my personal space to share my personal views. No one else is responsible for what’s written here — so if you have a problem with something, take it up with me, not my employer.