InfoSec vs CyberSec vs IT Security - Stop Wasting Money on the Wrong Protection

Every week, the same conversation. A UK business owner tells me they've just spent £20,000 on a "comprehensive cybersecurity platform" that doesn't actually stop the attacks they face. Or they've hired consultants to develop "enterprise-grade information security frameworks" for a 15-person company that can't even keep their Windows updates current.

The security industry has turned terminology into a profit center. Vendors deliberately muddy the waters between Information Security, Cybersecurity, and IT Security because confused customers pay higher prices for inappropriate solutions. Meanwhile, 50% of UK small businesses with 10-49 employees got breached in 2025, proving that all this expensive confusion isn't protecting anyone.

Time to cut through the marketing rubbish.

This Week's Episode: The Definitions That Actually Matter

In this week's podcast, Mauven and I tackle the question that drives most security purchasing decisions: what's the actual difference between InfoSec, CyberSec, and IT Security, and which one does your business need right now?

We explain:

  • What Information Security actually covers (hint: it's not just your computers, and it costs £15,000 to £25,000 annually if you do it properly)

  • Why Cybersecurity isn't the same as IT Security (despite what vendors claim when they're trying to upsell you)

  • Which approach gives you the best protection per pound spent (spoiler: IT Security fundamentals beat fancy InfoSec programmes every time for most UK SMBs)

  • Real costs from real implementations (not the fantasy numbers in vendor proposals)

But here's what makes this episode different: we actually tell you what to buy and how much to budget.

The Brutal Statistics Nobody Wants You to See

50% of UK small businesses with 10-49 employees experienced cyber incidents in 2025. That's not a typo. Half of you listening to this will get hit this year.

Average cost per incident: £3,550 when you exclude the businesses reporting zero impact. But here's the number that should keep you awake at night: 60% of small businesses close within six months of a significant data loss incident.

That's not "cost of doing business." That's potentially the end of your business.

Yet only 35,000 of the UK's 5.5 million businesses hold Cyber Essentials certification, a £300 to £500 annual certification that addresses 90% of common threats. Most businesses would rather spend nothing and hope they're not targeted, or spend £25,000+ on "comprehensive programmes" that don't actually address the threats they face.

The disconnect is staggering.

What We Actually Recommend (And What It Costs)

Here's where most security podcasts waffle about "comprehensive solutions" and "holistic approaches." Bollocks to that. We give you specific products, real prices, and actual implementation timelines.

For a 15-30 employee UK business, you should budget £6,200 to £14,500 in the first year for proper security. That includes:

  • Email security with actual anti-phishing protection (not just spam filtering)

  • Phishing-resistant multi-factor authentication using hardware security keys

  • Endpoint protection that detects threats in real-time

  • Backup systems you've actually tested

  • Network security configured properly

  • Basic staff training on recognizing attacks

Year two onwards: £3,800 to £11,100 annually.

Compare that to the £25,000 to £50,000 that vendors want to charge you for "comprehensive cybersecurity platforms" or "enterprise information security programmes." Most UK SMBs get better protection from £8,000 worth of IT Security fundamentals than from £25,000 worth of sophisticated solutions they can't operate properly.

About This Week's Sponsor: Authentrend

Full transparency: this episode is sponsored by Authentrend, and I'm comfortable with that because we've been recommending their products to clients for months.

Here's why this sponsorship matters for you: 85% of cyber incidents involve phishing attacks according to government data. Most UK businesses implement SMS codes or app-based MFA that criminals can still bypass. What actually stops credential phishing is FIDO2 hardware security keys: cryptographic authentication bound to specific domains, so a credential registered with your real login page simply cannot be used from a lookalike site.
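To show what "bound to specific domains" means in practice, here is an added illustration (not from the episode, and not Authentrend's code): a toy model of the WebAuthn sign-in checks that give FIDO2 its phishing resistance. The domain names and challenge are constructed, and the signature step is left out so the domain-binding checks stay visible.

```python
import hashlib
import json
from urllib.parse import urlparse

# Constructed example values: the real relying party (RP) and a lookalike phishing host.
RP_ID = "example-bank.co.uk"
RP_ORIGIN = "https://login.example-bank.co.uk"
PHISH_ORIGIN = "https://login.example-bank.co.uk.secure-verify.net"

def rp_id_hash(rp_id: str) -> bytes:
    """authenticatorData begins with SHA-256(rpId); the RP recomputes and compares it."""
    return hashlib.sha256(rp_id.encode()).digest()

def key_get_assertion(key_rp_ids: set, rp_id: str):
    """Toy FIDO2 key: credentials are scoped to the RP ID they were registered under."""
    if rp_id not in key_rp_ids:
        return None  # no credential for this domain, so the key cannot answer at all
    # A real key also signs authenticatorData || SHA-256(clientDataJSON); omitted here for clarity.
    return rp_id_hash(rp_id) + b"\x01"  # rpIdHash || flags (user present)

def browser_sign_in(key_rp_ids: set, page_origin: str, requested_rp_id: str, challenge: str):
    """The browser, not the page, checks that the RP ID is the page's host or a registrable suffix."""
    host = urlparse(page_origin).hostname
    if host != requested_rp_id and not host.endswith("." + requested_rp_id):
        return None, None  # a phishing page cannot borrow another domain's RP ID
    client_data = json.dumps({"type": "webauthn.get", "challenge": challenge, "origin": page_origin})
    return client_data, key_get_assertion(key_rp_ids, requested_rp_id)

def rp_verify(client_data, auth_data, expected_challenge: str) -> tuple:
    """RP-side checks from the WebAuthn assertion procedure that make the credential unphishable."""
    if client_data is None or auth_data is None:
        return False, "no assertion produced for this domain"
    cd = json.loads(client_data)
    if cd.get("type") != "webauthn.get":
        return False, "wrong ceremony type"
    if cd.get("challenge") != expected_challenge:
        return False, "challenge mismatch (stale or replayed)"
    if cd.get("origin") != RP_ORIGIN:
        return False, "origin mismatch: " + str(cd.get("origin"))
    if auth_data[:32] != rp_id_hash(RP_ID):
        return False, "rpIdHash mismatch"
    return True, "ok"

def demo(page_origin: str, requested_rp_id: str) -> tuple:
    """Enrol a key with the real RP, then attempt a sign-in from the given page origin."""
    key_rp_ids = {RP_ID}
    challenge = "Y29uc3RydWN0ZWQtY2hhbGxlbmdl"  # constructed; a real RP sends fresh random bytes
    client_data, auth_data = browser_sign_in(key_rp_ids, page_origin, requested_rp_id, challenge)
    return rp_verify(client_data, auth_data, challenge)
```

Running `demo(RP_ORIGIN, RP_ID)` succeeds, while `demo(PHISH_ORIGIN, RP_ID)` fails before the key is even consulted, because the browser will not let the lookalike page claim the bank's RP ID; this is the property SMS and app-based codes lack, since a user can type those into any page.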

Authentrend makes FIDO Alliance Level 2 certified security keys that provide the same phishing-resistant protection as premium brands at £45 per key, or £40 if you order before December 22nd. With two keys per employee (one as a backup), you're looking at an £80-90 per person one-time investment.

We only accept sponsorships from companies whose products we'd recommend without the sponsorship money. Authentrend's ATKey series happens to be what we've been specifying for UK SMB authentication security anyway, so this works out nicely for everyone.

Visit authentrend.com if you want to see what we're talking about. Grab that special pricing before December 22nd if you're ready to sort out your authentication properly.

Why This Episode Matters Right Now

The security industry wants you confused. Confused customers pay higher prices for solutions that don't match their threats. Vendors use different terminology for similar services so you can't comparison shop. They inflate complexity so you'll hire expensive consultants instead of implementing straightforward technical controls.

This episode gives you the knowledge to cut through their profitable confusion. We explain what InfoSec, CyberSec, and IT Security actually mean. We show you what each approach costs in real money. We tell you which one to start with based on your actual risk profile, not vendor sales targets.

By the end of this episode, you'll understand whether you need comprehensive information security governance, sophisticated cybersecurity threat detection, or just proper IT security fundamentals implemented correctly. Most UK SMBs need the third option but keep getting sold the first two.

What Else Is Coming This Week

This isn't just a standalone episode. We're dedicating the entire week to helping you understand and implement the right security approach:

Tuesday: Deep-dive article breaking down InfoSec versus CyberSec versus IT Security with specific product recommendations and cost breakdowns

Wednesday: Real-world example of a UK SME that wasted £20,000 on the wrong approach and still got breached

Thursday: Step-by-step implementation guide showing exactly how to deploy IT Security fundamentals in 8 weeks

Friday: Case study of a Leicester engineering firm that chose IT Security over expensive InfoSec programmes and successfully defended against three separate attacks

Saturday: Weekend opinion piece on why the cybersecurity industry deliberately keeps UK SMBs confused

All week, we're giving you practical guidance on stopping the waste and implementing security that actually works.

Listen Now

The episode is live wherever you get your podcasts. 60 minutes of straight talk about what UK small businesses actually need for security, what it really costs, and how to avoid getting fleeced by vendors selling you enterprise solutions for SMB problems.

No jargon. No vendor pitch. Just brutal honesty about protecting your business without bankrupting it.

Key Takeaways You'll Learn

  • The real definitions of InfoSec, CyberSec, and IT Security (not the marketing versions)

  • Why most UK SMBs should start with IT Security fundamentals, not comprehensive InfoSec programmes

  • Specific budget numbers: £6,200-£14,500 first year for 15-30 employees

  • Why phishing-resistant authentication costs £80-90 per employee one-time, not thousands in subscription fees

  • The five controls that address 90% of threats UK small businesses actually face

  • How to recognize vendor bollocks and what to look for instead

  • Real implementation timelines (8 weeks from start to fully operational)

Who Should Listen

This episode is essential for:

  • UK business owners tired of confusing security vendor pitches

  • Finance directors trying to understand why security costs what it costs

  • IT managers being pressured to implement expensive solutions they don't need

  • Anyone who's ever wondered if they're buying the right type of security protection

  • Business owners who've been breached and want to understand what actually went wrong

The Bottom Line

Whether you focus on Information Security, Cybersecurity, or IT Security initially doesn't matter as much as actually doing something properly. The biggest risk is doing nothing while you debate the perfect approach.

But understand what you're buying and why. Don't let vendors sell you enterprise solutions for SMB problems. Don't pay consultants £300 per hour to develop policies you can download for free from the ICO. And don't buy sophisticated threat detection systems when your basic IT hygiene is appalling.

Start with IT Security fundamentals. Add broader capabilities as you grow. And remember: the best security programme is the one you'll actually implement and maintain, not the one that looks most impressive in a sales presentation.

Listen to this week's episode and stop wasting money on the wrong protection.

Subscribe and Share

If this sounds like the kind of straight talk UK small businesses need about security, hit subscribe wherever you get your podcasts. Leave us a review if you found it helpful. Share it with other business owners who are tired of security vendor confusion.

And visit noelbradford.com throughout this week for detailed articles, implementation guides, and case studies that complement the episode.

Time to stop letting the security industry profit from your confusion.

Noel Bradford

Noel Bradford – Head of Technology at Equate Group, Professional Bullshit Detector, and Full-Time IT Cynic

As Head of Technology at Equate Group, my job description is technically “keeping the lights on,” but in reality, it’s more like “stopping people from setting their own house on fire.” With over 40 years in tech, I’ve seen every IT horror story imaginable—most of them self-inflicted by people who think cybersecurity is just installing antivirus and praying to Saint Norton.

I specialise in cybersecurity for UK businesses, which usually means explaining the difference between ‘MFA’ and ‘WTF’ to directors who still write their passwords on Post-it notes. On Tuesdays, I also help further education colleges navigate Cyber Essentials certification, a process so unnecessarily painful it makes root canal surgery look fun.

My natural habitat? Server rooms held together with zip ties and misplaced optimism, where every cable run is a “temporary fix” from 2012. My mortal enemies? Unmanaged switches, backups that only exist in someone’s imagination, and users who think clicking “Enable Macros” is just fine because it makes the spreadsheet work.

I’m blunt, sarcastic, and genuinely allergic to bullshit. If you want gentle hand-holding and reassuring corporate waffle, you’re in the wrong place. If you want someone who’ll fix your IT, tell you exactly why it broke, and throw in some unsolicited life advice, I’m your man.

Technology isn’t hard. People make it hard. And they make me drink.

https://noelbradford.com