What if the best way to protect your business isn't copying what the successful companies do, but avoiding what the failures did wrong? Welcome to reverse benchmarking, the cybersecurity equivalent of learning from other people's face-plants so you don't repeat them.
In this episode, Noel and Mauven flip traditional benchmarking on its head. Instead of asking "what are the best companies doing?", they explore the far more revealing question: "what did the disasters get catastrophically wrong?" From the Target breach via an HVAC vendor to ransomware attacks on UK holiday parks, the hosts dissect spectacular cybersecurity failures to extract practical lessons for small businesses.
You'll discover why copying enterprise best practices often backfires for SMBs, how compliance creates dangerous false security, and practical ways to build your own "disaster library" of lessons learned. Plus, the hosts reveal why some of the worst cybersecurity advice comes from studying successful companies rather than failed ones.
This isn't just negativity packaged as strategy. It's a systematic approach to identifying your business's genuine vulnerabilities by examining where others fell through the cracks. Because in cybersecurity, knowing what not to do is often more valuable than copying what others claim works.
Why This Episode Matters
One in three small businesses were hit by cyberattacks last year. The average cost? A quarter of a million pounds, with some reaching seven million. But here's the crushing statistic: 60% of small businesses close within six months of a cyber incident.
Traditional benchmarking tells you to copy what big enterprises do. Reverse benchmarking shows you what kills businesses like yours, so you can avoid becoming the cautionary tale in someone else's podcast.
Key Takeaways
1. Traditional Benchmarking Often Fails SMBs
3. The Statistics Are Sobering
4. Real-World Disasters Teach Practical Lessons
5. Third-Party Risks Are Existential
6. Practical Implementation Steps
Detailed Show Notes
Introduction (00:00 - 01:24)
Noel poses a simple question: in the pub, what do people talk about? Their wins, mostly. This episode does the opposite by examining failures instead of successes. The hosts introduce "reverse benchmarking" as the Darwin Awards of cybersecurity, learning from others' digital disasters rather than bragging about fancy firewalls.
Key Quote: "Learn from other people's face-plants so we don't repeat them."
What Is Reverse Benchmarking? (01:24 - 03:46)
Traditional benchmarking means copying what successful companies do. Reverse benchmarking flips this around: study the worst failures in your industry and make certain you don't repeat them.
The Problem with Traditional Benchmarking:
UK Context: The National Cyber Security Centre (NCSC) estimates around half of UK SMBs will experience a breach each year. Coin flip odds. If you're sitting in a board meeting saying "hackers won't bother with us," you might as well hang a sign reading "free Wi-Fi, no password."
The Compliance Trap (03:46 - 06:15)
Many businesses believe being compliant means they're secure. This is cybersecurity's biggest misconception.
The Hidden Risk: If everyone in your industry has the same security gap but meets the same compliance standards, benchmarking against them won't reveal your shared vulnerability. You're all vulnerable together, congratulating each other on your certifications.
Case Study 1: The Target Breach (06:15 - 09:42)
One of retail history's most infamous breaches demonstrates how third-party access becomes a catastrophic liability.
The Lesson: Your security is only as strong as your weakest supplier. That HVAC company, plumber, or IT consultant with network access? They're potential backdoors. Target's enterprise-grade security was bypassed through a small contractor's weak credentials.
Case Study 2: Colonial Pipeline (09:42 - 12:28)
In May 2021, a single compromised password shut down a major fuel pipeline supplying 45% of the US East Coast's fuel.
The Lesson: Credentials are your front door. If you're not protecting them properly, you've left the door unlocked with a welcome mat out for attackers.
For Small Businesses: The Colonial Pipeline didn't fail because of sophisticated zero-day exploits or nation-state malware. They failed because they didn't have MFA enabled on remote access.
The Cost-Benefit Reality:
Case Study 3: UK Holiday Park Ransomware (12:28 - 15:15)
Closer to home, a UK holiday park discovered that timing matters when ransomware strikes.
The Lesson: Attackers choose timing deliberately. They struck during peak season when the business would be most desperate to restore operations quickly and most likely to pay the ransom.
For Small Businesses: Seasonal businesses are particularly vulnerable during peak periods. That's precisely when attackers strike, knowing you can't afford downtime.
The Backup Reality: Having backups isn't enough. You need to test restoration procedures. The middle of a ransomware attack is not the time to discover your backups don't work or take three weeks to restore.
Why Reverse Benchmarking Works Better (15:15 - 17:45)
Traditional approaches focus on aspirational goals. Reverse benchmarking focuses on avoiding catastrophic failures.
The Psychological Advantage:
The Timeliness Advantage:
Building Your Disaster Library (17:45 - 19:29)
Practical implementation of reverse benchmarking for your business.
Step 1: Collect Relevant Failures
Step 2: Quarterly Review Sessions
Step 3: Map to Your Environment
Step 4: Prioritise Actions
Step 5: Create Your "Anti-Playbook"
Creating a No-Blame Culture (19:29 - 20:45)
If people hide mistakes, you lose the chance to fix vulnerabilities before an actual breach occurs.
The Aviation Model: Airlines improve safety by fostering no-blame culture for near-misses. They want to hear about every close call so they can fix systemic issues before disaster strikes.
Applying This to Cybersecurity: If Janet in accounting falls for a phishing test, berating her is counterproductive. Instead, make it a learning opportunity for everyone. Next time, she might be the one to spot a real phishing attempt and save your business.
Practical Implementation:
The Payoff: Fear doesn't work. Education does. When people feel safe reporting potential issues, you catch problems early before they become breaches.
Summary and Call to Action (20:45 - 21:37)
Sometimes the best way to secure your business is by studying the worst failures out there and doing the opposite.
Your Mindset Shift: Think of yourself as Sherlock Holmes of cyber failures. Every incident is a case study that makes your business smarter. In cybersecurity, boring is good. If nothing's happening, it means your defences are working.
Resources Mentioned
Statistics and Studies
National Cyber Security Centre (NCSC): UK SMB breach probability estimatesMicrosoft Security: Compliance vs security researchIndustry reports: 61% of breaches involve third-party accessBernard Ma: Quote on benchmarking limitationsCase Studies Referenced
Target Corporation data breach (2013): HVAC vendor compromise, 40 million cards stolen, $162 million lossColonial Pipeline ransomware (2021): VPN password compromise, $4.4 million ransom, critical infrastructure shutdownUK holiday park ransomware: Peak season attack, cash-only operationsUK Regulatory and Advisory Bodies
National Cyber Security Centre (NCSC): www.ncsc.gov.ukInformation Commissioner's Office (ICO): www.ico.org.ukRecommended Reading
NCSC Weekly Threat ReportsICO breach notifications and enforcement actionsIndustry-specific security bulletinsUK Cyber Security News aggregatorsPractical Checklist: Start Your Reverse Benchmarking Practice
Create a folder or document for your "disaster library" Sign up for NCSC weekly threat report emails Identify three recent breaches in businesses similar to yours Schedule your first quarterly "what went wrong" review meeting Map one major breach to your business environment Identify your equivalent vulnerabilities to the mapped breach Implement one quick-win lesson from disaster analysis Share this approach with your leadership team Hold your first formal reverse benchmarking session Build your "anti-playbook" of forbidden approaches Establish no-blame reporting culture for near-misses Review and update third-party access controls Weekly review of new breach reports Monthly check: "Could this happen to us?" Quarterly team review sessions Annual comprehensive vulnerability mappingQuestions for Your Team
Use these discussion prompts in your quarterly review sessions:
Next Episode Preview
Episode 30: The Office Printer Hacker Saga
Yes, office printers are a genuine security risk. Sounds hilarious, but it's genuinely scary. We'll explore why that seemingly innocent device in the corner is actually a network-connected computer with hard drives, stored documents, and often the same default admin password it shipped with.
You'll discover the printer botnet that attacked an entire city, the university students who made campus printers output memes, and why your MFP (multi-function printer) knows more about your business than you'd be comfortable with.
If you think printers are just about paper jams and toner costs, this episode will open your eyes to why printer security belongs in your threat model. Subscribe so you don't miss it.
Share Your Story
Have you learned from a cybersecurity blunder, either your own or someone else's? We'd love to hear about it. Send your story to us (anonymously if you prefer), and we might feature it in a future episode.
Got a cybersecurity dilemma keeping you up at night? Send it our way. We'll tackle it in our down-to-earth style in upcoming episodes.
Connect With The Show
Subscribe: Available on Apple Podcasts, Spotify, and all major podcast platforms
Leave a Review: Your reviews help other small business owners find practical cybersecurity advice
Website: thesmallbusinesscybersecurityguy.co.uk
Legal Disclaimer
The views and opinions expressed in this podcast are those of the hosts and do not necessarily reflect the official policy or position of any organisations they work for, employers, advertisers, sponsors, or any other entities connected to the show.
This podcast is for general educational and informational purposes only. It should not be treated as professional advice tailored specifically to your business circumstances. Your situation is unique, and you should consult with qualified cybersecurity professionals before implementing significant changes to your systems.
Whilst we strive to keep all information accurate and current, the cybersecurity landscape evolves rapidly. Always verify critical technical details with qualified professionals before making major decisions.
We cannot accept liability for any losses or problems that may result from following the suggestions in this podcast. Please think of us as knowledgeable colleagues sharing insights, not contracted consultants providing formal advice. When in doubt, get a second opinion from someone who can assess your specific situation.
Copyright © 2025 The Small Business Cyber Security Guy. All rights reserved.
Episode Tags
#Cybersecurity #SmallBusiness #ReverseBenchmarking #CyberThreats #DataBreach #UKBusiness #SMBSecurity #InformationSecurity #ThreatIntelligence #SecurityStrategy #BusinessProtection #CyberResilience #RiskManagement #SecurityPodcast #UKCyber #NCSC #ThirdPartyRisk #ComplianceVsSecurity #CyberEducation #BusinessContinuity
