The Small Business Cyber Security Guy | UK Cybersecurity for SMB & Startups

InfoSec vs CyberSec vs IT Security: Stop Wasting Money on the Wrong One | UK SMB Reality Check



Vendors love throwing around "InfoSec," "CyberSec," and "IT Security" like they're selling completely different solutions. Half the time it's the same thing with three different price tags. The other half? You're buying protection that doesn't address your actual risks.

With 50% of UK small businesses hit by cyber incidents in 2025 and 60% closing within six months of severe data loss, getting this wrong isn't just expensive—it's potentially fatal to your business.

Noel Bradford (40+ years wrangling enterprise security at Intel, Disney, and BBC) and Mauven MacLeod (ex-Government Cyber analyst who's seen threats at the national security level) cut through the marketing rubbish to explain what each approach actually does, what they really cost, and which one your business needs right now.

No vendor pitch. No corporate speak. Just the brutal truth about what works for UK SMBs.

This Episode is Sponsored by Authentrend

Special Listener Offer: £40 per FIDO2 security key (regular £45) - Valid until December 22nd, 2025

We only accept sponsorships from companies whose products we already recommend to clients. Authentrend's ATKey series provides FIDO Alliance Level 2 certified, phishing-resistant authentication at competitive pricing. Same cryptographic protection as premium brands, without the premium price tag.

Why we're comfortable with this sponsorship: We've been specifying Authentrend keys for UK SMB clients for months because the math works. FIDO2 hardware security keys stop the credential phishing attacks that cause 85% of cyber incidents. At £40-45 per key (two per employee for backup), you're looking at £80-90 per person for protection that actually works.

Learn more: authentrend.com

What You'll Learn

Understanding the Differences

  • What Information Security actually covers (hint: it's not just digital)
  • Why Cybersecurity isn't the same as IT Security (despite what vendors claim)
  • The CIA triad explained without the jargon
  • Real-world examples showing when each approach matters

UK Business Reality

  • Current threat landscape: 43% of UK businesses breached in 2025
  • Why small businesses (10-49 employees) face 50% breach rates
  • Average incident costs: £3,400 (but the real number is much higher)
  • UK GDPR, Data Protection Act 2018, and what actually applies to you

What It Actually Costs

  • Starting from scratch: £5,000-£15,000 annually for 10-20 employees
  • Phishing-resistant MFA: £80-90 per employee (one-time, includes backup keys)
  • Cyber Essentials: £300-£500 (your best bang for buck)
  • Managed security services: £300-£450/month realistic pricing
  • When £2,000-£3,500/month managed detection makes sense
  • Free government resources you're probably ignoring

Authentication Security Reality

  • Why SMS codes and app-based MFA still get phished
  • How FIDO2 hardware security keys cryptographically prevent credential theft
  • Real cost comparison: £80-90 per employee one-time vs subscription services costing hundreds annually
  • Special offer mentioned in episode: Authentrend keys at £40 until December 22nd

Implementation Without the Bullshit

  • Why IT Security basics beat fancy cybersecurity tools every time
  • The five controls that address 90% of UK SMB threats
  • Common mistakes that waste your security budget
  • How to prioritise when you can't afford everything
  • Vendor red flags and what to actually look for

Regulatory Requirements Decoded

  • ICO data protection fees: £40-£60/year (mandatory)
  • What "appropriate technical and organisational measures" really means
  • Why recent enforcement shows reprimands over fines for SMBs
  • Insurance requirements and how to reduce premiums
  • How phishing-resistant authentication affects cyber insurance premiums

Key Statistics Mentioned

  • 50% of UK small businesses (10-49 employees) experienced cyber incidents in 2025
  • £3,400 average cost per cyber incident (excluding business impact)
  • 60% of small businesses close within 6 months of serious data loss
  • 85% of cyber incidents involve phishing attacks
  • 43% of all UK businesses experienced breaches in 2025
  • Only 35,000 of 5.5 million UK businesses hold Cyber Essentials certification
  • 40% of UK businesses use two-factor authentication (meaning 60% rely solely on passwords)

Products & Solutions Discussed

Authentication Security (Featured in Episode)

Authentrend ATKey Series (Episode Sponsor)

  • ATKey.Pro: USB-A/USB-C with NFC support
  • ATKey.Card: Contactless card format
  • Pricing: £45 regular, £40 special offer until December 22nd
  • FIDO Alliance Level 2 certified
  • Works with Microsoft 365, Google Workspace, 1000+ FIDO2-enabled services
  • Deployment cost: £80-90 per employee (2 keys for backup)

Why hardware security keys matter:

  • Cryptographically bound to specific domains (phishing technically impossible)
  • Works even when users make mistakes
  • One-time purchase vs ongoing subscription costs
  • Significantly reduces cyber insurance premiums
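Added example, not from the episode and not Authentrend's code: a constructed Python model of the origin binding behind the "bound to specific domains" point, showing the relying-party checks that make an assertion captured on a look-alike domain worthless. The RP ID, origin and the HMAC standing in for the key's signature are assumptions; the authenticatorData layout and the check order follow the WebAuthn assertion procedure.

```python
import hashlib
import hmac
import json
import struct

# Constructed RP and credential secret. A real FIDO2 key signs with a private key;
# an HMAC over the same signing input stands in for that so this runs offline.
RP_ID = "portal.example.co.uk"
ORIGIN = "https://portal.example.co.uk"
CREDENTIAL_KEY = b"constructed-credential-secret"

def authenticator_data(rp_id: str, sign_count: int) -> bytes:
    """authenticatorData layout: rpIdHash (32) | flags (1) | signCount (4, big-endian)."""
    flags = 0x05  # user present (bit 0) + user verified (bit 2)
    return hashlib.sha256(rp_id.encode()).digest() + bytes([flags]) + struct.pack(">I", sign_count)

def sign_assertion(origin: str, challenge: str, sign_count: int) -> dict:
    """Browser + authenticator: the browser supplies the origin it is really on and derives the RP ID from it."""
    rp_id = origin.split("://", 1)[1].split("/", 1)[0].split(":", 1)[0]
    client_data = json.dumps({"type": "webauthn.get", "challenge": challenge, "origin": origin}).encode()
    auth_data = authenticator_data(rp_id, sign_count)
    sig = hmac.new(CREDENTIAL_KEY, auth_data + hashlib.sha256(client_data).digest(), hashlib.sha256).digest()
    return {"clientDataJSON": client_data, "authenticatorData": auth_data, "signature": sig}

def verify_assertion(assertion: dict, expected_challenge: str, last_sign_count: int) -> bool:
    """Relying-party checks from the WebAuthn assertion procedure, in order, then the signature."""
    client = json.loads(assertion["clientDataJSON"])
    auth = assertion["authenticatorData"]
    if client.get("type") != "webauthn.get" or client.get("challenge") != expected_challenge:
        return False
    if client.get("origin") != ORIGIN:
        return False  # assertion was produced on some other site
    if len(auth) < 37 or auth[:32] != hashlib.sha256(RP_ID.encode()).digest():
        return False  # credential was scoped to a different RP ID
    if not auth[32] & 0x01:
        return False  # no user-presence check
    if struct.unpack(">I", auth[33:37])[0] <= last_sign_count:
        return False  # replay or cloned authenticator
    expected = hmac.new(CREDENTIAL_KEY, auth + hashlib.sha256(assertion["clientDataJSON"]).digest(), hashlib.sha256).digest()
    return hmac.compare_digest(expected, assertion["signature"])

def demo() -> dict:
    """Legitimate login passes; an assertion made on a look-alike domain fails on origin and rpIdHash,
    and pairing the real site's unsigned fields with that signature fails the signature check."""
    good = sign_assertion(ORIGIN, "chal-123", 7)
    phished = sign_assertion("https://portal-example.co.uk", "chal-123", 7)
    forged = dict(good, signature=phished["signature"])  # only unsigned fields can be rewritten
    return {"legitimate": verify_assertion(good, "chal-123", 6), "phished": verify_assertion(phished, "chal-123", 6), "forged": verify_assertion(forged, "chal-123", 6)}
```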
Email Security Options

  • Microsoft Defender for Office 365 Plan 1: £1.70/user/month
  • Google Workspace Advanced Protection: £4.60/user/month
  • Sophos Email Security: £2.50/user/month

Endpoint Protection

  • Microsoft Defender for Business: £2.50/user/month
  • Sophos Intercept X: £3.50/user/month
  • CrowdStrike Falcon Go: £7.00/user/month

Compliance & Frameworks

  • Cyber Essentials: £300-£500 annually
  • ISO 27001: £10,000-£15,000 first year (discussed as often unnecessary for SMBs)

Resources Mentioned

Free Government Resources

  • NCSC Small Business Guidance: ncsc.gov.uk
  • ICO Free Templates: ico.org.uk
  • Cyber Essentials Scheme: cyberessentials.ncsc.gov.uk
  • NCSC FIDO2 Guidance: Phishing-resistant authentication recommendations

Episode Sponsor

  • Authentrend: authentrend.com
  • Special offer: £40 per key (regular £45) until December 22nd, 2025
  • ATKey.Pro and ATKey.Card models
  • UK distributor support available

Related Blog Posts (From This Week's Series)

  • Tuesday: "InfoSec vs CyberSec vs IT Security: Stop Paying for the Wrong Protection in 2025"
  • Wednesday: "Another UK SME Wastes £20k on 'Comprehensive CyberSec': Still Gets Breached"
  • Thursday: "IT Security First: Your 5-Step Plan to Stop Buying the Wrong Protection"
  • Friday: "The Leicester SME That Chose IT Security Over InfoSec Theatre: Saved £15k and Actually Got Secure"
  • Saturday: "Opinion: The Cybersecurity Industry Is Deliberately Confusing UK SMBs"

Recommended First Steps

Immediate Actions (This Week)

  1. Catalogue your information - 1 day exercise to understand what you have and where it lives
  2. Register for ICO data protection fee - £40-£60 annual mandatory requirement
  3. Order hardware security keys - Start with admin accounts (grab Authentrend special offer before Dec 22nd)

First Month

  1. Get Cyber Essentials certified - £300-£500, addresses 90% of common threats
  2. Implement email security - £900-£1,800 annually for proper anti-phishing
  3. Deploy phishing-resistant MFA - £80-90 per employee one-time investment
  4. Configure endpoint protection - £1,200-£2,500 annually for 15-30 users

First Quarter

  1. Test your backups - Don't assume they work, actually restore something
  2. Basic staff training - Use free NCSC materials, focus on phishing recognition
  3. Review and document - Simple policies using ICO templates

Budget Planning

15-20 employee business, first year total: £6,200-£14,500

  • Email security: £900-£1,800 annually
  • Hardware security keys: £2,400-£2,700 one-time (with Dec 22nd offer: £2,400)
  • Endpoint protection: £1,200-£2,500 annually
  • Backup systems: £600-£1,200 annually
  • Network security: £600-£1,800 (includes one-time hardware costs)
  • Training: £0-£1,500 annually
  • Testing: £500-£2,000 annually
  • Ongoing costs (Year 2+): £3,800-£11,100 annually

Hosts

Noel Bradford - CIO/Head of Technology, Boutique Security First MSP

  • 40+ years enterprise security (Intel, Disney, BBC)
  • Direct, budget-conscious, solutions-focused
  • Enjoys challenging conventional security wisdom
  • Known for calling out vendor bollocks

Mauven MacLeod - Ex-Government Cyber Analyst

  • Government cybersecurity background (NCSC)
  • Glasgow-raised, practical approach
  • Translates national security threats into business reality
  • Focuses on what actually works for UK SMBs

Our Sponsorship Disclosure Policy

We only accept sponsorships from security vendors whose products we already recommend to UK SMB clients independently. If we wouldn't deploy it ourselves or specify it for consulting engagements, we won't accept sponsorship money for it.

Why Authentrend: We've been recommending their FIDO2-certified hardware security keys to clients for months because:

  • They provide the phishing-resistant authentication we consistently advise UK SMBs to implement
  • Pricing makes proper authentication accessible to small businesses
  • FIDO Alliance Level 2 certification ensures they meet security standards
  • They align with our core message: affordable IT security fundamentals over expensive security theatre

Take Action

Don't let perfect be the enemy of good. Start with what you can manage, do it properly, and build from there.

Your Next Steps

  1. Listen to the episode - Understand the differences before spending money
  2. Download the risk assessment template - Available on our blog
  3. Order hardware security keys - Start with admin accounts (special offer ends Dec 22nd)
  4. Get Cyber Essentials certified - £300-£500 addresses most common threats
  5. Implement IT Security fundamentals - £2K-£5K gets you real protection
  6. Review quarterly - Security isn't a one-time project

Subscribe & Connect

  • Never miss an episode - Hit subscribe wherever you get your podcasts
  • Leave us a review - It genuinely helps other UK small business owners find these conversations
  • Visit our blog - Additional resources, templates, and practical guides at [noelbradford.com]
  • Got specific questions? - Drop us a comment and we might cover it in a future episode

Next Week's Episode

"Government Cyber Initiatives: Why Whitehall's Digital Strategy Keeps Failing UK Businesses"

The NCSC produces world-class guidance. Unfortunately, most of it assumes you have dedicated security teams and enterprise budgets. We'll examine why government cybersecurity initiatives consistently miss the mark for the businesses that need help most, and what UK SMBs should actually implement instead.

Remember

The biggest security risk is doing nothing while you debate the perfect approach.

Stop wasting money on expensive security theatre. Start with IT Security fundamentals that actually protect against the threats you face. Get phishing-resistant authentication in place. Test your backups. Train your staff.

Everything else can come later.

Tags

#Cybersecurity #InformationSecurity #ITSecurity #UKSmallBusiness #SMB #UKGDPR #CyberEssentials #DataProtection #ICO #BusinessSecurity #CyberThreats #SecurityBudget #NCSC #UKBusiness #SmallBusinessUK #FIDO2 #PhishingResistant #MFA #Authentrend #HardwareSecurityKeys #AuthenticationSecurity
