Frequently asked questions.

1. Is this blog safe for work?

That depends. Do you work somewhere that pretends everything’s fine while the servers are on fire metaphorically (and sometimes literally)? Then no. Absolutely not. This blog is not “safe” in the traditional, HR-sanitised sense. It’s blunt. It’s brutally honest. It uses bad words when bad things happen. Because they do.

But if you're somewhere that values actual insight over sugar-coated nonsense, it’s the safest thing you’ll read all day. It might save your job. Or your budget. Or your sanity.

The podcast is raw, unfiltered (subject to the Ofcom Broadcast Standards), and recorded in the same tone I used when I found out another MSP still hasn’t patched that Exchange server from 2019. If you're the kind of person who listens to true crime and thinks, “This is relaxing,” you’ll be right at home.

2. Who is this blog (and podcast) actually for?

It’s for the people who lie awake at night wondering, "Did we actually test that backup, or did we just talk about it in the meeting and then move on?"

This is for:

  • SMB owners who feel like they’re one phishing email away from chaos

  • IT managers juggling more hats than a circus

  • Frustrated employees who keep raising the alarm only to be told “It’s fine, we’re covered by cyber insurance” (you're not)

  • And anyone who’s had to Google “what does remote code execution actually mean” at 2 am because someone clicked on a bloody invoice link again

The podcast is the after-hours version. It has the same message but is less filtered. You’ll hear stories that didn’t make it into the blog for legal reasons, and the full tone of voice I use when dealing with auditors who don't understand the difference between 'compliant' and 'secure'.

If you've ever wanted someone to say what you're thinking — I’m saying it. Out loud. Into a mic.

3. Why are you so angry all the time?

Because apathy in IT gets people breached. And breaches ruin lives, not just systems.

I’m angry. After all, I’ve sat across from small business owners who’ve lost everything, customer trust, financial data, and legal credibility, because someone thought MFA was a “nice to have” or backups were “probably working.” I’ve watched £5 million-a-year companies go under over a £400 firewall that nobody updated.

I’m not angry without reason. I’m angry because this is all fixable, yet it keeps happening. Because “we didn’t know” isn’t a valid excuse in 2025, when every vendor, government, and toddler with an iPad is screaming about ransomware.

And yes, the podcast captures that rage, too. But with more sarcasm and fewer F-bombs. Usually.

4. Can I trust what’s written (or said) here?

You can trust this blog more than your last ISO audit. And more than that LinkedIn post you read that said AI would solve cybersecurity.

Everything I write is based on real-world experience. Not theory. Not vendor brochures. Actual breaches, actual fixes, actual disasters. I’ve worked in this industry for over four decades. I’ve cleaned up messes that never made the news and been brought in after the smoke had already blackened the walls. I’ve read the insurance denials. I’ve helped rebuild from scratch.

The podcast is where I give even more context—because sometimes 3000 words isn’t enough to capture just how badly someone cocked it all up. You’ll get the play-by-play and the “what should have happened” version. There is no agenda. It is just the truth, as messy and uncomfortable as it is.

5. Are you trying to sell me something?

No. But if this content helps you realise your current setup is a flaming bin fire and you want help fixing it, I’ll point you in the right direction. I don't have affiliate links because I’m not selling magic boxes or cyber crystals. You won’t find me flogging antivirus software named after large animals or performance-enhancing email tools.

If, and it is a big if, I do any sponsored content, it will be declared loud and proud because someone has given me cold, hard cash, and this is the compliant thing to do.

I’m trying to sell clarity, sanity, and maybe a bit of self-respect for businesses that’ve outsourced their entire security model to Dave, the part-time IT guy who works Tuesdays.

If reading this blog or listening to the podcast makes you finally get serious about segmentation or password hygiene, job done. If it makes you fire your crap MSP, even better.

6. What’s your take on Cyber Essentials?

Cyber Essentials is the IT version of wearing trousers in public. You don’t get points for doing it, but not doing it makes you a liability.

It’s not bulletproof. It’s not a silver bullet. But it’s a start. It’s defensive. It’s proven to stop over 90% of common attacks. And if your business doesn’t have it, you’re not “saving money” — you’re waving a flag that says “we’ve got soft systems and slower lawyers.”

And CE+? That’s where the fun begins. Real audits. Real scrutiny. No more “we just showed them Sharon’s laptop because it was the only one we patched last month.”

In the podcast, I discuss what a proper CE+ prep looks like and why the latest 2025 audit changes mean your bluff game is officially over.

7. Why do you keep slagging off MSPs? Aren’t you one?

Yes, I am the CIO of a real MSP who does the job correctly. That’s precisely why I have to call the rest out.

I’ve followed too many companies into hell and back after their so-called “partner” failed to do even the basics, not exotic stuff, just simple things like patching, backups, proper EDR, and working DNS.

Being an MSP doesn’t mean you get a pass. It means you should be held to higher standards. But most aren’t. They resell whatever’s cheapest, pretend antivirus is good enough, and disappear when things go bang.

If you think I’m exaggerating, listen to the podcast episodes where I break down breaches caused by shoddy MSP work. Spoiler: it’s always worse than it sounds.

8. Can I comment or share war stories?

Please do. Misery loves company, and education thrives on examples.

Some of my best posts came from reader emails that started with, “You’re not going to believe what my MSP just did…” Trust me, I will believe it. I’ve probably seen worse. Better yet, I’ve had to fix it.

Send your stories. Anonymised or not. I’ll use them to educate others, poke the right bear, or add colour to the next podcast episode. Because if you’ve suffered through an IT horror show, at least get some catharsis out of it. And maybe help the next poor soul avoid the same fate.

9. Do you take requests for blog or podcast topics?

Yes. That’s where some of the best content comes from.

Got a question you’re too afraid to ask in the boardroom? Wondering whether your vendor’s marketing sounds like a steaming pile of horse shit? Send it. I’ll break it down and tell you what they’re not saying.

I’ve tackled everything from CE+ audits to disaster recovery cockups, Teams phishing, remote access shambles, and vendor finger-pointing. If it’s making your life harder and nobody’s giving you a straight answer, I will.

The podcast especially thrives on this—it’s where the rawer stuff lands—the ranty, “you won’t read this on a vendor blog” kind of stuff.

10. What if I disagree with you?

Good. You should. That means you’re paying attention.

You don’t have to agree with everything I write or say. But don’t bring weak arguments. Please don’t say, “Our vendor said it’s fine.” Don’t bring “we passed an audit once.” Come with real points. Challenge me. Make it interesting.

I’ve changed my mind on things before. I’ve learned from readers and podcast listeners. But I’ve also doubled down when someone tried to defend RDP without MFA, or why it’s fine that their backup is a USB drive next to the kettle.

Disagreement is welcome. Delusion is not.

11. Where can I listen to the podcast?

Everywhere podcasts live. Search for “The Small Business Cyber Security Guy” on Spotify, Apple Podcasts, Google, Amazon, or your favourite app.

You’ll find rants, breakdowns, real case studies, a few caffeine-fuelled tirades, and the occasional special guest who actually knows what they’re talking about.

Or head over to noelbradford.com/podcast for the full archive.

New episodes drop every Monday at lunchtime GMT, or maybe whenever something stupid happens.

12. Who the hell is Mauven?

Mauven is my podcast co-host. Calm, clinical, and often the voice of reason when I’m mid-rant about yet another security failure. If I’m the flamethrower, Mauven’s the scalpel. While I’m tearing into a dodgy MSP or unravelling a vendor cover-up, Mauven’s reading back the facts, the numbers, and the bits that make you wince.

Together, we unpack breach reports, dissect incident timelines, and call out the kind of malpractice that happens in UK businesses every week. Mauven doesn’t flinch, doesn’t sugarcoat, and just delivers the uncomfortable truth with unsettling precision.

Think late-night radio meets breach response hotline. If you haven’t heard them yet, you should.

13. How can I be on the podcast?

Easy. Got a story worth telling? A breach you lived through? A security disaster you helped fix or witnessed from the inside? Reach out.

You don’t need to be a CISO or a vendor shill. Just bring insight, truth, and a willingness to talk about what went wrong and what could have been done differently.

Bonus points if you have receipts, logs, or a voicemail from your MSP saying, “We’ve never seen that issue before.”

Email me via the contact form on the site or connect with me on LinkedIn. If you sound like you’ve got something to say, I’ll put you behind the mic. I am happy to protect your identity as long as you can prove to the team that you are telling us the truth!

14. How does my company sponsor the podcast?

You don’t. Not really.

This isn’t some influencer side hustle flogging beard oil or password managers with affiliate links. The podcast exists to tell the truth, the uncomfortable, career-limiting, vendor-upsetting truth, which means most sponsorship deals are dead on arrival.

Now, in theory, if your company has something genuinely valuable to say, something that would help UK SMBs secure themselves, navigate risk, or recover from the endless parade of cyber bullshit they’re currently up against — then sure, I’ll listen.

But understand this up front:
The bar to entry is very, very high.
Higher than most MSPs set their admin passwords.

I won’t sanitise the content, I won’t read some “approved talking point” on-air, and I won’t slap your name on an episode unless I trust you with a customer’s infrastructure and reputation and you are willing to join us on at least one show for a roasting….

So if you’re a vendor, service provider, or specialist with a proper message and are not afraid to stand next to raw, uncensored commentary on how bad things are, get in touch.

If not, go sponsor something softer. Maybe a startup podcast about work-life balance or AI-powered motivational quotes.

15. Do you do public speaking?

Yes. When it matters. And only when the brief isn’t “Can you just not swear and keep it light?”

I speak at events, panels, webinars, and boardroom interventions where the goal is to actually wake people up, not lull them into another false sense of cybersecurity because someone from compliance ticked a few boxes in an Excel sheet.

If you want me to sugar-coat your marketing event or fluff up your "Cyber Innovation Showcase", no thanks. If you want someone to stand in front of a room full of executives and explain — clearly and without jargon — why their current MSP is walking them into a disaster, let’s talk.

The fee includes travel, coffee, and a clause allowing me to call out the nonsense if it starts mid-event.

16. Does your employer have a say in this?

No. Absolutely not. This blog and podcast are mine (consider it a public service hobby), as are the opinions and tone. If I name and shame someone, it's because they earned it, not because of any company agenda.

I’ve been in this industry for over forty years. I’ve seen too many smart people silenced by job titles and NDAs. So, I built this platform to say the things that need saying, with or without anyone’s permission.

My employer doesn’t write this. They don’t edit it. And they certainly don’t get to water it down. If that ever changes, you’ll know because the swearing will stop, the sarcasm will vanish, and I’ll probably be off doing something else entirely.

Until then? It’s just me. No leash. No PR filter. Just unfiltered insight, backed by experience and a very low tolerance for bullshit.