Description

What if the best way to protect your business isn't copying what the successful companies do, but avoiding what the failures did wrong? Welcome to reverse benchmarking, the cybersecurity equivalent of learning from other people's face-plants so you don't repeat them.

In this episode, Noel and Mauven flip traditional benchmarking on its head. Instead of asking "what are the best companies doing?", they explore the far more revealing question: "what did the disasters get catastrophically wrong?" From the Target breach via an HVAC vendor to ransomware attacks on UK holiday parks, the hosts dissect spectacular cybersecurity failures to extract practical lessons for small businesses.

You'll discover why copying enterprise best practices often backfires for SMBs, how compliance creates dangerous false security, and practical ways to build your own "disaster library" of lessons learned. Plus, the hosts reveal why some of the worst cybersecurity advice comes from studying successful companies rather than failed ones.

This isn't just negativity packaged as strategy. It's a systematic approach to identifying your business's genuine vulnerabilities by examining where others fell through the cracks. Because in cybersecurity, knowing what not to do is often more valuable than copying what others claim works.

Why This Episode Matters

One in three small businesses were hit by cyberattacks last year. The average cost? A quarter of a million pounds, with some reaching seven million. But here's the crushing statistic: 60% of small businesses close within six months of a cyber incident.

Traditional benchmarking tells you to copy what big enterprises do. Reverse benchmarking shows you what kills businesses like yours, so you can avoid becoming the cautionary tale in someone else's podcast.

Key Takeaways

1. Traditional Benchmarking Often Fails SMBs

• Copying FTSE 100 security on a shoestring budget is a losing game
• Enterprise solutions don't scale down effectively
• By the time you copy last year's "best practice," threats have evolved
• Context matters more than copying

2. Compliance ≠ Security

• Being compliant doesn't mean you're secure
• Compliance is like passing your driving test - it proves you know the rules, not that you'll never crash
• Checkbox culture creates dangerous complacency
• Attackers don't check your certifications before striking

3. The Statistics Are Sobering

• One third of SMBs hit by cyberattacks annually
• Average breach cost: £250,000
• Some breaches: £7 million
• 60% of small businesses close within six months post-attack
• NCSC estimates 50% of UK SMBs will experience a breach each year

4. Real-World Disasters Teach Practical Lessons

• Target breach: Lost $162 million because HVAC vendor credentials weren't properly segmented
• Colonial Pipeline: Shutdown of major US fuel infrastructure from weak VPN password
• UK holiday park ransomware: Peak season attack forced cash-only operations
• Common thread: Basic security fundamentals ignored

5. Third-Party Risks Are Existential

• 61% of breaches involve third-party access
• Small vendors create backdoors into larger networks
• Your security is only as strong as your weakest supplier
• Segment vendor access ruthlessly

6. Practical Implementation Steps

• Build your own "disaster library" of relevant failures
• Hold quarterly "what went wrong" review sessions
• Map your business to failed case studies
• Ask "could this happen to us?" for every breach you read about
• Create no-blame culture for reporting near-misses

Detailed Show Notes
Introduction (00:00 - 01:24)

Noel poses a simple question: in the pub, what do people talk about? Their wins, mostly. This episode does the opposite by examining failures instead of successes. The hosts introduce "reverse benchmarking" as the Darwin Awards of cybersecurity, learning from others' digital disasters rather than bragging about fancy firewalls.

Key Quote: "Learn from other people's face-plants so we don't repeat them."

What Is Reverse Benchmarking? (01:24 - 03:46)

Traditional benchmarking means copying what successful companies do. Reverse benchmarking flips this around: study the worst failures in your industry and make certain you don't repeat them.

The Problem with Traditional Benchmarking:

• Big enterprises have massive IT teams and unlimited budgets
• Trying to copy enterprise security on SMB resources is futile
• Benchmarking looks backwards - by the time you implement, hackers have moved on
• If everyone in your industry has the same gap, benchmarking won't reveal it

Why It Matters Now:

• One third of SMBs were hit by cyberattacks in the past year
• Average cost: £250,000, with some reaching £7 million
• 60% of small businesses close within six months of a cyberattack
• Most small business owners still think they're too small to be targeted

UK Context: The National Cyber Security Centre (NCSC) estimates around half of UK SMBs will experience a breach each year. Coin flip odds. If you're sitting in a board meeting saying "hackers won't bother with us," you might as well hang a sign reading "free Wi-Fi, no password."

The Compliance Trap (03:46 - 06:15)

Many businesses believe being compliant means they're secure. This is cybersecurity's biggest misconception.

Compliance vs Security:

• Compliance is like passing your driving test - it means you know the rules, not that you'll never crash
• Or that you're a good driver
• Microsoft's security GM: "Some SMBs believe being compliant means they're safe. It doesn't."
• Hackers don't check whether you've got ISO certification before attacking

The Checkbox Culture:

• "We did our annual password change. Job done."
• Hackers respond: "Challenge accepted."
• Following checklists creates false sense of security
• Real security requires ongoing vigilance, not annual tick-boxes

The Hidden Risk: If everyone in your industry has the same security gap but meets the same compliance standards, benchmarking against them won't reveal your shared vulnerability. You're all vulnerable together, congratulating each other on your certifications.

Case Study 1: The Target Breach (06:15 - 09:42)

One of retail history's most infamous breaches demonstrates how third-party access becomes a catastrophic liability.

What Happened:

• December 2013: Hackers stole 40 million credit card numbers and 70 million customer records
• Entry point: HVAC contractor with network access
• Attackers used vendor credentials to access Target's corporate network
• Then moved laterally to payment systems

The Aftermath:

• Direct losses: $162 million
• CEO resigned
• CIO resigned
• Board chairman resigned
• Countless hours dealing with breach response, forensics, legal battles

The Lesson: Your security is only as strong as your weakest supplier. That HVAC company, plumber, or IT consultant with network access? They're potential backdoors. Target's enterprise-grade security was bypassed through a small contractor's weak credentials.

For Small Businesses:

• 61% of breaches involve third-party access
• Small businesses often provide services to larger enterprises
• Your compromise becomes their breach
• Vendor management isn't optional

Practical Actions:

• Segment vendor access ruthlessly
• No contractor needs access to your entire network
• Use separate credentials for third parties
• Monitor vendor access continuously
• Regular vendor security audits

Case Study 2: Colonial Pipeline (09:42 - 12:28)

In May 2021, a single compromised password shut down a major fuel pipeline supplying 45% of the US East Coast's fuel.

What Happened:

• Ransomware attack forced shutdown of 5,500-mile pipeline
• Entry point: Weak VPN password
• No multi-factor authentication (MFA) on VPN access
• Company paid $4.4 million ransom (partially recovered later)

The Impact:

• Fuel shortages across southeastern United States
• Panic buying, price spikes
• Emergency government declarations
• Week-long shutdown of critical infrastructure

The Lesson: Credentials are your front door. If you're not protecting them properly, you've left the door unlocked with a welcome mat out for attackers.

For Small Businesses: The Colonial Pipeline didn't fail because of sophisticated zero-day exploits or nation-state malware. They failed because they didn't have MFA enabled on remote access.

Your Action Items:

• Enable MFA everywhere, particularly VPN access
• Enforce strong password policies
• Monitor for credential compromise
• Phishing-resistant MFA (hardware tokens or biometrics) for privileged access
• Regular access reviews

The Cost-Benefit Reality:

• Hardware security keys: £40-70 per user
• Potential breach cost: £250,000 average
• MFA prevents 99.9% of automated credential attacks
• The mathematics are straightforward

Case Study 3: UK Holiday Park Ransomware (12:28 - 15:15)

Closer to home, a UK holiday park discovered that timing matters when ransomware strikes.

What Happened:

• Ransomware attack during peak summer season
• All booking systems encrypted
• Payment processing down
• Guest check-ins disrupted

The Business Impact:

• Had to operate cash-only during busiest period
• Couldn't process new bookings
• Lost revenue during most profitable weeks
• Guest experience severely compromised
• Reputation damage

The Lesson: Attackers choose timing deliberately. They struck during peak season when the business would be most desperate to restore operations quickly and most likely to pay the ransom.

For Small Businesses: Seasonal businesses are particularly vulnerable during peak periods. That's precisely when attackers strike, knowing you can't afford downtime.

Your Defence Strategy:

• Offline, air-gapped backups tested regularly
• Incident response plan practiced before peak season
• Alternative payment processing methods ready
• Staff trained on ransomware procedures
• Crisis communication templates prepared

The Backup Reality: Having backups isn't enough. You need to test restoration procedures. The middle of a ransomware attack is not the time to discover your backups don't work or take three weeks to restore.

Why Reverse Benchmarking Works Better (15:15 - 17:45)

Traditional approaches focus on aspirational goals. Reverse benchmarking focuses on avoiding catastrophic failures.

The Psychological Advantage:

• Failures provide concrete examples of what not to do
• Success stories often omit the messy details
• Disasters reveal the actual attack patterns you'll face
• Real consequences make lessons stick

The Practical Advantage:

• You learn what actually breaks in the real world
• Not theoretical best practices that might work
• Understand attack chains step by step
• See how small gaps become massive breaches

The Cost Advantage:

• Avoiding one disaster pays for years of modest security investment
• You don't need enterprise budgets to avoid enterprise mistakes
• Focus resources on genuine vulnerabilities
• Not on impressive-sounding but irrelevant controls

The Timeliness Advantage:

• Recent failures reflect current threat landscape
• More relevant than last year's "best practices"
• See how threats evolve in real-time
• Adapt defences to actual attack methods

Building Your Disaster Library (17:45 - 19:29)

Practical implementation of reverse benchmarking for your business.

Step 1: Collect Relevant Failures

• Focus on breaches in similar-sized businesses
• Same industry or adjacent sectors
• Similar technology stack
• Geographic relevance (UK regulations, threat actors)

Step 2: Quarterly Review Sessions

• "What went wrong" meetings with your team
• Review recent breaches systematically
• Ask: "Could this happen to us?"
• Identify similar vulnerabilities in your environment

Step 3: Map to Your Environment

• For each breach, trace the attack path
• Identify which elements exist in your business
• Where are your equivalent vulnerabilities?
• What would the impact be if it happened to you?

Step 4: Prioritise Actions

• Not every lesson requires immediate implementation
• Focus on high-probability, high-impact scenarios first
• Quick wins vs long-term projects
• Balance cost against realistic risk

Step 5: Create Your "Anti-Playbook"

• Document what you'll never do based on failure analysis
• Share with team so everyone knows the "forbidden" approaches
• Update as new disasters emerge
• Make it living document, not static policy

Resources to Monitor:

• NCSC Weekly Threat Reports
• Information Commissioner's Office (ICO) breach reports
• Industry-specific security bulletins
• UK Cyber Security News
• Global breach databases with UK filter

Creating a No-Blame Culture (19:29 - 20:45)

If people hide mistakes, you lose the chance to fix vulnerabilities before an actual breach occurs.

The Aviation Model: Airlines improve safety by fostering no-blame culture for near-misses. They want to hear about every close call so they can fix systemic issues before disaster strikes.

Applying This to Cybersecurity: If Janet in accounting falls for a phishing test, berating her is counterproductive. Instead, make it a learning opportunity for everyone. Next time, she might be the one to spot a real phishing attempt and save your business.

Practical Implementation:

• "Lessons learned" sessions, not "who screwed up" meetings
• Focus on systems and processes, not individuals
• Reward reporting of near-misses
• Share failures anonymously when needed
• Celebrate catches of suspicious activity

The Payoff: Fear doesn't work. Education does. When people feel safe reporting potential issues, you catch problems early before they become breaches.

Summary and Call to Action (20:45 - 21:37)

Sometimes the best way to secure your business is by studying the worst failures out there and doing the opposite.

Key Principles:

• Traditional benchmarking can lead you astray for SMBs
• Reverse benchmarking provides genuine security advantage
• Study disasters: Target, Colonial Pipeline, holiday park ransomware
• Build it into regular practice, not one-off exercise

Your Mindset Shift: Think of yourself as Sherlock Holmes of cyber failures. Every incident is a case study that makes your business smarter. In cybersecurity, boring is good. If nothing's happening, it means your defences are working.

Immediate Actions:

1. Start your disaster library this week
2. Schedule your first quarterly review session
3. Map one recent breach to your business environment
4. Implement one lesson learned from this episode
5. Share this approach with your team

Resources Mentioned
Statistics and Studies

• National Cyber Security Centre (NCSC): UK SMB breach probability estimates
• Microsoft Security: Compliance vs security research
• Industry reports: 61% of breaches involve third-party access
• Bernard Ma: Quote on benchmarking limitations

Case Studies Referenced

• Target Corporation data breach (2013): HVAC vendor compromise, 40 million cards stolen, $162 million loss
• Colonial Pipeline ransomware (2021): VPN password compromise, $4.4 million ransom, critical infrastructure shutdown
• UK holiday park ransomware: Peak season attack, cash-only operations

UK Regulatory and Advisory Bodies

• National Cyber Security Centre (NCSC): www.ncsc.gov.uk
• Information Commissioner's Office (ICO): www.ico.org.uk

Recommended Reading

• NCSC Weekly Threat Reports
• ICO breach notifications and enforcement actions
• Industry-specific security bulletins
• UK Cyber Security News aggregators

Practical Checklist: Start Your Reverse Benchmarking Practice

This Week:

• Create a folder or document for your "disaster library"
• Sign up for NCSC weekly threat report emails
• Identify three recent breaches in businesses similar to yours
• Schedule your first quarterly "what went wrong" review meeting

This Month:

• Map one major breach to your business environment
• Identify your equivalent vulnerabilities to the mapped breach
• Implement one quick-win lesson from disaster analysis
• Share this approach with your leadership team

This Quarter:

• Hold your first formal reverse benchmarking session
• Build your "anti-playbook" of forbidden approaches
• Establish no-blame reporting culture for near-misses
• Review and update third-party access controls

Ongoing:

• Weekly review of new breach reports
• Monthly check: "Could this happen to us?"
• Quarterly team review sessions
• Annual comprehensive vulnerability mapping

Questions for Your Team

Use these discussion prompts in your quarterly review sessions:

1. Which recent breach in our industry most closely resembles our business model?
2. Do we have the same entry points that attackers used in [specific breach]?
3. What would be our equivalent business impact if we experienced this type of attack?
4. Which quick fixes could we implement this month to avoid similar failures?
5. What systemic vulnerabilities do we share with failed organisations?
6. Are we making the same assumptions that led to their breach?
7. Would our backup and recovery process work in a real crisis?
8. Do our third-party vendors have access they don't need?
9. Where are we relying on compliance rather than actual security?
10. What's our single point of failure that resembles their weakness?

Next Episode Preview

Episode 30: The Office Printer Hacker Saga

Yes, office printers are a genuine security risk. Sounds hilarious, but it's genuinely scary. We'll explore why that seemingly innocent device in the corner is actually a network-connected computer with hard drives, stored documents, and often the same default admin password it shipped with.

You'll discover the printer botnet that attacked an entire city, the university students who made campus printers output memes, and why your MFP (multi-function printer) knows more about your business than you'd be comfortable with.

If you think printers are just about paper jams and toner costs, this episode will open your eyes to why printer security belongs in your threat model. Subscribe so you don't miss it.

Share Your Story

Have you learned from a cybersecurity blunder, either your own or someone else's? We'd love to hear about it. Send your story to us (anonymously if you prefer), and we might feature it in a future episode.

Got a cybersecurity dilemma keeping you up at night? Send it our way. We'll tackle it in our down-to-earth style in upcoming episodes.

Connect With The Show

Subscribe: Available on Apple Podcasts, Spotify, and all major podcast platforms

Leave a Review: Your reviews help other small business owners find practical cybersecurity advice

Website: thesmallbusinesscybersecurityguy.co.uk

Email: hello@thesmallbusinesscybersecurityguy.co.uk

Legal Disclaimer

The views and opinions expressed in this podcast are those of the hosts and do not necessarily reflect the official policy or position of any organisations they work for, employers, advertisers, sponsors, or any other entities connected to the show.

This podcast is for general educational and informational purposes only. It should not be treated as professional advice tailored specifically to your business circumstances. Your situation is unique, and you should consult with qualified cybersecurity professionals before implementing significant changes to your systems.

Whilst we strive to keep all information accurate and current, the cybersecurity landscape evolves rapidly. Always verify critical technical details with qualified professionals before making major decisions.

We cannot accept liability for any losses or problems that may result from following the suggestions in this podcast. Please think of us as knowledgeable colleagues sharing insights, not contracted consultants providing formal advice. When in doubt, get a second opinion from someone who can assess your specific situation.

Copyright © 2025 The Small Business Cyber Security Guy. All rights reserved.

Episode Tags

#Cybersecurity #SmallBusiness #ReverseBenchmarking #CyberThreats #DataBreach #UKBusiness #SMBSecurity #InformationSecurity #ThreatIntelligence #SecurityStrategy #BusinessProtection #CyberResilience #RiskManagement #SecurityPodcast #UKCyber #NCSC #ThirdPartyRisk #ComplianceVsSecurity #CyberEducation #BusinessContinuity