๐Ÿ—ณ๏ธ Vote for us on PodRadar Security Theatre Exposed โ€” Passkeys, the CISA Leak & Your Cyber Insurance Vote now โ†’
Is this blog safe for work?

The blog is brutally honest and uses strong language when discussing cybersecurity failures. It's not HR-sanitized. However, it's "safe" for workplaces that value actual insight over sugar-coated information. The podcast is raw and unfiltered (within Ofcom standards), recorded with the same blunt tone used when discovering critical security oversights — like unpatched Exchange servers from 2019.

Who is this blog (and podcast) actually for?

It's for SMB owners feeling vulnerable to phishing, IT managers juggling multiple responsibilities, frustrated employees raising security alarms, and anyone who's had to research technical terms at 2 AM after a security incident. The podcast targets the same audience with less filtering and additional context about issues that didn't make it into blog posts — for legal reasons.

Why are you so angry all the time?

Because preventable breaches destroy businesses and lives. I've witnessed companies lose everything due to negligence — like failing to implement MFA or properly maintain backups. The anger stems from seeing fixable problems repeatedly cause real damage, yet many businesses still treat cybersecurity as optional. The podcast captures this frustration with additional sarcasm.

Can I trust what's written (or said) here?

Everything is based on over four decades of real-world experience, not theory or vendor marketing. I've cleaned up actual breaches, read insurance denials, and helped rebuild compromised systems. The podcast provides even more detailed context about what went wrong and what should have happened.

Are you trying to sell me something?

No. No affiliate links, no sponsored products. If the content helps you recognise security problems and take action — or fire an inadequate managed service provider — the goal is achieved. I won't promote antivirus software or performance tools with hidden agendas.

What's your take on Cyber Essentials?

Cyber Essentials is necessary baseline security — comparable to "wearing trousers in public." It doesn't provide complete protection but stops over 90% of common attacks. Cyber Essentials Plus involves real audits and genuine scrutiny. Without it, you're signalling to attackers that you have weak systems and slower legal responses.

Why do you keep slagging off MSPs? Aren't you one?

I'm a CIO at a properly functioning MSP — which is exactly why calling out substandard providers matters. Many resell cheap solutions, assume antivirus is sufficient, and disappear when breaches occur. Higher standards should apply to partners, not lower ones.

Can I comment or share war stories?

Absolutely. Reader stories — anonymised or not — inform future posts and podcast episodes. I use real examples to educate others and help prevent similar incidents. Drop me a message via the contact page.

Do you take requests for blog or podcast topics?

Yes. Questions too sensitive for boardrooms, vendor marketing concerns, and security challenges are all welcomed. The podcast especially covers raw, unfiltered content you won't find on vendor blogs. New episodes typically release on Mondays at noon GMT.

What if I disagree with you?

Disagreement is welcome — if it's supported by real arguments. Vendor assurances, past audit passes, and weak defences (like RDP without MFA) won't hold up. I've changed positions before when presented with valid counterpoints. Bring evidence, not feelings.

Where can I listen to the podcast?

Available on Spotify, Apple Podcasts, Amazon Music, Podbean, and most other podcast apps — just search "The Small Business Cyber Security Guy." New episodes drop Mondays at noon GMT, or whenever something noteworthy occurs.

Who the hell is Mauven?

Mauven is the podcast co-host's professional pseudonym — required contractually by her employer. While I'm direct and passionate, Mauven provides calm, clinical analysis and fact-checking. Together we unpack breach reports and call out industry malpractice without sugarcoating. Her voice is masked due to employer requirements.

How can I be on the podcast — or get you on mine?

Contact via the site's contact form or LinkedIn with genuine stories about breaches, security disasters, or fixes that worked. Identities are protected if you need that. I'm also available for guest appearances on other podcasts — reach out and we'll talk.

How does my company sponsor the podcast?

Sponsorship isn't traditional here. Only companies with genuinely valuable messages for UK SMBs are considered. I won't sanitize content, read approved scripts, or compromise editorial independence. Vendors must be willing to participate in candid discussion — not produce marketing fluff.

Do you do public speaking?

Yes — but only for events that aim to genuinely educate, not soften the message. I speak at panels, webinars, and boardroom sessions where waking people up to real risks matters. Fees include travel, and I reserve the right to call out nonsense during the presentation.

Does your employer have a say in this?

No. This blog and podcast are independently operated with no editorial oversight from employers. I've spent four decades in this industry and built this platform to say the things that need saying — without restriction. If that ever changes, you'll notice immediately. The tone would fundamentally shift.

Still got a question that isn't covered here?

Get in touch →