Reverse Benchmarking: Why Studying Cyber Failures Beats Copying Best Practices

Right, here's a question for you: when you're in the pub, what do people usually talk about? Their wins, mostly. Best sales month, new contract, that sort of thing.

Everyone brags about what they got right. We're doing the opposite.

Not celebrating failures. Learning from them. Think of it as the Darwin Awards of cybersecurity.

This is reverse benchmarking: studying the worst screw-ups in our industry so we don't repeat them.

The Problem with Traditional Benchmarking

Traditional benchmarking is copying what the best companies do. We all peek at the smart kids' paper in class. Except what if the smart kids' answers don't fit our test?

Big enterprises have massive IT teams and unlimited budgets. We don't. Trying to copy FTSE 100 security on a shoestring budget is a mug's game. It's like a corner shop trying to use Tesco's inventory system. You'll end up with more complexity than protection.

Plus, benchmarking looks backwards. By the time you copy last year's best practice, hackers have moved on. Bernard Ma puts it well: benchmarking only tells you what's already happened, not what's next. In a fast-moving threat landscape, that's a problem.

Here's another issue: if everyone in your industry has the same gap, benchmarking won't reveal it. You're all copying each other's blind spots.

The Compliance Theatre Problem

The biggest misconception in cyber is that compliance equals security. Compliance is like passing a driving test: it means you know the rules, not that you'll never crash.

Microsoft's security GM put it bluntly: some SMBs believe being compliant means they're safe. It doesn't.

Hackers don't check whether you've got your ISO certification before attacking. They target weak links regardless of size. The National Cyber Security Centre says around half of SMBs are likely to experience a breach each year. Coin flip odds.

If you're sitting in a board meeting saying hackers won't bother with us, you might as well hang a sign saying "free Wi-Fi, no password."

Why UK SMBs Are Bleeding Out

The statistics are mental:

  • 43% of UK businesses experienced a cyber breach or attack in the last 12 months

  • The average cost to remedy an attack is £21,000

  • 60% of small businesses close within six months of a cyber attack

  • Only 22% of UK businesses have a formal cybersecurity incident management plan

It's not just an IT problem. It's an existential threat. Yet most small business owners still think they're too small to be targeted, or they think ticking compliance boxes means they're safe.

How Reverse Benchmarking Actually Works

Instead of asking "what are the best companies doing?", ask "what killed everyone else?"

Study the worst failures. Identify the root causes. Make sure you don't repeat them.

It's winning the pub quiz not by knowing all the right answers, but by knowing the really stupid answers people gave last week. Avoid the obvious pitfalls everyone else is falling into.

Every major breach teaches multiple lessons if you're paying attention.

Take the breaches we discuss in the full episode:

  • HVAC vendor at Target

  • Equifax's unpatched vulnerability

  • Colonial Pipeline's VPN without MFA

  • SolarWinds supply chain compromise

Each one reveals systemic failures that apply to businesses of any size. The question isn't "could this happen to us?" The question is "have we already made the same mistakes?"

Building Your Reverse Benchmarking Practice

1. Create a Failure Database

Track major breaches in your industry. Not for schadenfreude. For education.

What went wrong? What controls were missing? What assumptions proved false? Document it. Share it with your team.

2. Run Tabletop Exercises

Pick a famous breach. Walk through what would happen if it hit your business tomorrow.

Could your HVAC contractor access customer data? Do you know? Have you checked?

Is your VPN protected by MFA? Do you even have a VPN?

What unpatched systems are running in your environment right now?

3. Question Every "Best Practice"

Just because Barclays does it doesn't mean it's right for a 15-person marketing agency.

Context matters. Budget matters. Technical capability matters.

Ask: "What problem does this solve for us specifically?" If the answer isn't clear, don't implement it.

4. Foster a No-Blame Culture

This is critical. If people hide errors, you lose the chance to fix things before a breach.

Airlines improve safety by fostering a no-blame culture for near misses. If Janet in accounting falls for a phishing test, make it a learning opportunity for everyone. Next time, she might be the one to spot a real attack and save your bacon.

Fear doesn't work. Education does.
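Steps 1 and 2 above boil down to one question: which of the failure patterns behind the breaches in this episode are we reproducing right now? Below is an added example, written for this article and not code from the episode or its author, that encodes the four named breaches as checks and runs them over a small asset inventory. The inventory, segment names, vendor names and the 14-day patch grace period are all constructed assumptions for illustration; swap in your own export from whatever you use to track vendors, systems and remote access.

```python
"""Reverse-benchmark gap check: does our environment repeat the failure
patterns behind well-known breaches?  All inventory data in this file is
constructed sample input, not a real organisation."""
from __future__ import annotations
from dataclasses import dataclass
from datetime import date

# Assumed policy values for this example: segments holding data that a
# third party should not reach without a documented need, and how long a
# fix for a known vulnerability may sit unapplied on an internet-facing box.
SENSITIVE_SEGMENTS = {"customer-data", "finance", "payments"}
PATCH_GRACE_DAYS = 14


@dataclass
class Vendor:                       # a third party with an account on our network
    name: str
    purpose: str
    required_segments: set[str]     # what the contract actually needs
    reachable_segments: set[str]    # what the account can actually reach


@dataclass
class System:
    name: str
    internet_facing: bool
    fix_available_since: date | None   # None = no known unpatched vulnerability


@dataclass
class RemoteAccess:                 # VPNs, jump hosts, remote desktop gateways
    name: str
    mfa_required: bool


@dataclass
class SoftwareSource:               # anything that pushes code or updates to us
    name: str
    updates_signature_verified: bool


@dataclass
class Finding:
    pattern: str      # the root cause we are repeating
    precedent: str    # the breach that taught the lesson
    evidence: str     # the specific asset that trips the check


def check_vendor_reach(vendors: list[Vendor]) -> list[Finding]:
    """Target: a facilities contractor's account reached the payment network."""
    out = []
    for v in vendors:
        excess = (v.reachable_segments - v.required_segments) & SENSITIVE_SEGMENTS
        if excess:
            out.append(Finding("third-party account reaches data it has no business need for",
                               "Target (HVAC contractor)",
                               f"{v.name} ({v.purpose}) can reach {sorted(excess)}"))
    return out


def check_patch_lag(systems: list[System], today: date) -> list[Finding]:
    """Equifax: a known, fixable vulnerability left exposed for months."""
    out = []
    for s in systems:
        if s.internet_facing and s.fix_available_since is not None:
            lag = (today - s.fix_available_since).days
            if lag > PATCH_GRACE_DAYS:
                out.append(Finding("known vulnerability left unpatched on an internet-facing system",
                                   "Equifax", f"{s.name}: fix available for {lag} days"))
    return out


def check_remote_access(services: list[RemoteAccess]) -> list[Finding]:
    """Colonial Pipeline: remote access guarded by a password alone."""
    return [Finding("remote access without MFA", "Colonial Pipeline",
                    f"{r.name}: MFA not required")
            for r in services if not r.mfa_required]


def check_supply_chain(sources: list[SoftwareSource]) -> list[Finding]:
    """SolarWinds: trusted updates accepted without checking their integrity."""
    return [Finding("software updates accepted without integrity verification", "SolarWinds",
                    f"{s.name}: update signatures not verified")
            for s in sources if not s.updates_signature_verified]


def gap_report(vendors, systems, remote, sources, today: date) -> list[Finding]:
    """Run every failure-pattern check and return the combined findings."""
    return (check_vendor_reach(vendors) + check_patch_lag(systems, today)
            + check_remote_access(remote) + check_supply_chain(sources))


# Constructed sample inventory (hypothetical names, not real systems or vendors).
SAMPLE_VENDORS = [
    Vendor("CoolAir Ltd", "HVAC maintenance", {"building-management"},
           {"building-management", "customer-data"}),
    Vendor("PayrollCo", "payroll", {"finance"}, {"finance"}),
]
SAMPLE_SYSTEMS = [
    System("web-portal", True, date(2024, 3, 1)),
    System("intranet-wiki", False, date(2024, 3, 1)),
    System("mail-gateway", True, None),
]
SAMPLE_REMOTE = [RemoteAccess("office-vpn", False), RemoteAccess("admin-jump-host", True)]
SAMPLE_SOURCES = [SoftwareSource("monitoring-agent", False), SoftwareSource("os-updates", True)]


def sample_report(today: date = date(2024, 4, 1)) -> list[Finding]:
    return gap_report(SAMPLE_VENDORS, SAMPLE_SYSTEMS, SAMPLE_REMOTE, SAMPLE_SOURCES, today)


if __name__ == "__main__":
    for f in sample_report():
        print(f"[{f.precedent}] {f.pattern}\n    evidence: {f.evidence}")
```

Each check is deliberately a single question with a single historical precedent, so the output reads as a tabletop script: the sample inventory trips four findings (the HVAC vendor reaching customer data, a web portal 31 days behind on a known fix, a VPN without MFA, and an update channel nobody verifies). Adding a new entry to your failure database means adding one more small check, not re-architecting anything.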

The Mindset Shift

Reverse benchmarking isn't a one-off idea. It's a mindset.

Think of yourself as the Sherlock Holmes of cyber failures. Every incident is a case that makes your business smarter.

Traditional benchmarking can lead you astray, but reverse benchmarking provides the security edge. We shared some cringeworthy hack stories in the episode, all so you don't have to be that story in next year's news.

And remember: in security, boring is good. If nothing's happening, it means it's working. Like a boring pub night, sometimes that's just what you need to stay out of trouble.

Listen to the Full Episode

This article covers the highlights, but the full episode includes detailed analysis of:

  • The Target breach through their HVAC contractor

  • How Equifax ignored warnings for months

  • Colonial Pipeline's catastrophic VPN failure

  • The SolarWinds supply chain disaster

  • Practical implementation strategies for SMBs

Coming Next Week: We're going to reverse benchmark something really special: your office printer. Yes, the printer hacker saga is a thing, and it's hilarious and scary.

Key Takeaways

  ✓ Traditional benchmarking copies what works elsewhere, often without appropriate context for SMBs

  ✓ 60% of small businesses close within six months of a cyber attack

  ✓ Compliance doesn't equal security; it's theatre without substance

  ✓ Reverse benchmarking studies failures to avoid repeating mistakes

  ✓ Every major breach reveals systemic failures applicable to businesses of any size

  ✓ A no-blame culture enables learning from near-misses before they become disasters

Subscribe & Share

If you enjoyed our pint-sized wisdom, please subscribe and leave a review. Maybe share a story of a cyber blunder you learned from. We might feature it (anonymously if you prefer) in a future episode.

Got a cybersecurity dilemma keeping you up at night? Send it our way. We'll tackle it in our down-to-earth style in upcoming shows.

Stay safe out there, and remember: learn from the mistakes of others. You haven't got time to make them all yourself.

Cheers.

Noel Bradford

Noel Bradford – Head of Technology at Equate Group, Professional Bullshit Detector, and Full-Time IT Cynic

As Head of Technology at Equate Group, my job description is technically “keeping the lights on,” but in reality, it’s more like “stopping people from setting their own house on fire.” With over 40 years in tech, I’ve seen every IT horror story imaginable—most of them self-inflicted by people who think cybersecurity is just installing antivirus and praying to Saint Norton.

I specialise in cybersecurity for UK businesses, which usually means explaining the difference between ‘MFA’ and ‘WTF’ to directors who still write their passwords on Post-it notes. On Tuesdays, I also help further education colleges navigate Cyber Essentials certification, a process so unnecessarily painful it makes root canal surgery look fun.

My natural habitat? Server rooms held together with zip ties and misplaced optimism, where every cable run is a “temporary fix” from 2012. My mortal enemies? Unmanaged switches, backups that only exist in someone’s imagination, and users who think clicking “Enable Macros” is just fine because it makes the spreadsheet work.

I’m blunt, sarcastic, and genuinely allergic to bullshit. If you want gentle hand-holding and reassuring corporate waffle, you’re in the wrong place. If you want someone who’ll fix your IT, tell you exactly why it broke, and throw in some unsolicited life advice, I’m your man.

Technology isn’t hard. People make it hard. And they make me drink.

https://noelbradford.com