Breached (Part 4)

Lessons Learned

This account is based on a real-world case. Names, locations, and identifying details have been changed or obscured to protect those involved and, frankly, to save a few blushes.

In the aftermath, it’s easy to say, “We should’ve known.”

It’s harder—and more valuable—to ask: what would we do differently?

Katie and her team did recover. But it cost them. Time, money, clients, sleep, and trust. And while they’ve emerged stronger and sharper, they’re also warier. A little less forgiving. A little more switched on.

Here’s what they—and you—should take away from what happened.

1. Your MSP is not a firewall. They are a vendor. Their job is to sell you things—licences, hardware, services. That doesn’t make them bad; it makes them commercial. But think again if you believe they exist to challenge themselves or expose their own weaknesses. That’s why an independent advisor—a fractional CIO or CISO—is worth their fee. Someone whose loyalty lies with you, not their bottom line. Someone who asks awkward questions, spots the blind spots, and keeps everyone honest. If you’re not asking your MSP hard questions, you’re assuming too much. And if they’re offended when you do? That’s your biggest red flag.

2. You must be breach-ready. Not breach-proof. That’s a myth. But you can be prepared to respond fast. Have a playbook. Know who to call. Run drills. Pretend the breach happened tomorrow. What would you do first?

3. Logging is non-negotiable. If you can’t see it, you can’t investigate it. If your provider can’t produce logs or refuses to share them, you have a governance problem, not just a tech one.

4. Do not rely on goodwill. The nicest technician in the world can’t stop a breach if their process is broken. Ask about patching. Ask about alerting. Ask about independence. And then ask them to prove it.

5. Trust—but verify. Yes, even your MSP. Especially your MSP.

6. Breach disclosure is a strategy, not a panic button. Silence breeds suspicion. Katie’s reputation survived because she acted early, honestly, and decisively. She notified the ICO, briefed clients, told the truth. And they remembered that.

7. Cyber insurance won’t cover dishonesty. If your provider lied—or buried the logs—you’re exposed. Katie’s premiums doubled. Not because she was breached… but because someone tried to bury the evidence.

8. Technical debt is real. Old servers. Weak passwords. Legacy systems. You can ignore them—until they become the crack the whole system falls through.

9. Nothing beats transparency. Katie shared what happened internally and externally, not to blame but to learn. Her team grew, her vendors adapted, and her clients stayed because she owned it.

10. The call might never come. But if it does… Don’t panic. Don’t lie. Don’t delay. Ask for help. Bring in someone external. And if you ever see the phrase “Do not tell the client”? Please make sure you are the one who hears about it first.

Final Word:

This series was based on a real business, a real breach, and real fallout. It wasn’t the result of an elite nation-state attack. It was a misconfiguration. An oversight. And a cover-up.

What saved the business wasn’t technology. It was decisiveness. Leadership. And a refusal to be misled.

There is no such thing as a small breach. Only a short window to get it right.

Act fast. Ask better questions. And never ever assume silence means safety.

Noel Bradford

Noel Bradford – Head of Technology at Equate Group, Professional Bullshit Detector, and Full-Time IT Cynic

As Head of Technology at Equate Group, my job description is technically “keeping the lights on,” but in reality, it’s more like “stopping people from setting their own house on fire.” With over 40 years in tech, I’ve seen every IT horror story imaginable—most of them self-inflicted by people who think cybersecurity is just installing antivirus and praying to Saint Norton.

I specialise in cybersecurity for UK businesses, which usually means explaining the difference between ‘MFA’ and ‘WTF’ to directors who still write their passwords on Post-it notes. On Tuesdays, I also help further education colleges navigate Cyber Essentials certification, a process so unnecessarily painful it makes root canal surgery look fun.

My natural habitat? Server rooms held together with zip ties and misplaced optimism, where every cable run is a “temporary fix” from 2012. My mortal enemies? Unmanaged switches, backups that only exist in someone’s imagination, and users who think clicking “Enable Macros” is just fine because it makes the spreadsheet work.

I’m blunt, sarcastic, and genuinely allergic to bullshit. If you want gentle hand-holding and reassuring corporate waffle, you’re in the wrong place. If you want someone who’ll fix your IT, tell you exactly why it broke, and throw in some unsolicited life advice, I’m your man.

Technology isn’t hard. People make it hard. And they make me drink.

https://noelbradford.com