<?xml version="1.0" encoding="UTF-8"?><rss xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:atom="http://www.w3.org/2005/Atom" version="2.0" xmlns:itunes="http://www.itunes.com/dtds/podcast-1.0.dtd" xmlns:googleplay="http://www.google.com/schemas/play-podcasts/1.0"><channel><title><![CDATA[SMB Tech & Cybersecurity Leadership Newsletter]]></title><description><![CDATA[Practical weekly cybersecurity guidance that helps SMB owners and leaders reduce risk, make confident decisions, and turn security priorities into action.]]></description><link>https://substack.cpf-coaching.com</link><image><url>https://substackcdn.com/image/fetch/$s_!YfY-!,w_256,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fcc0ea6f9-9832-41d8-9807-cbdc9be949f0_640x640.png</url><title>SMB Tech &amp; Cybersecurity Leadership Newsletter</title><link>https://substack.cpf-coaching.com</link></image><generator>Substack</generator><lastBuildDate>Tue, 14 Jul 2026 02:36:31 GMT</lastBuildDate><atom:link href="https://substack.cpf-coaching.com/feed" rel="self" type="application/rss+xml"/><copyright><![CDATA[Christophe Foulon]]></copyright><language><![CDATA[en]]></language><webMaster><![CDATA[info@cpf-coaching.com]]></webMaster><itunes:owner><itunes:email><![CDATA[info@cpf-coaching.com]]></itunes:email><itunes:name><![CDATA[Christophe Foulon 📓]]></itunes:name></itunes:owner><itunes:author><![CDATA[Christophe Foulon 📓]]></itunes:author><googleplay:owner><![CDATA[info@cpf-coaching.com]]></googleplay:owner><googleplay:email><![CDATA[info@cpf-coaching.com]]></googleplay:email><googleplay:author><![CDATA[Christophe Foulon 📓]]></googleplay:author><itunes:block><![CDATA[Yes]]></itunes:block><item><title><![CDATA[Can Your Security Tools, Cameras, and Agents Prove Their Work?]]></title><description><![CDATA[This week's SMB leadership brief covers Cisco ISE trust gaps, ICO retail-crime privacy guidance, and Microsoft's AI-speed hardening model with actions to verify now.]]></description><link>https://substack.cpf-coaching.com/p/this-weeks-smb-risk-signals-identity</link><guid isPermaLink="false">https://substack.cpf-coaching.com/p/this-weeks-smb-risk-signals-identity</guid><dc:creator><![CDATA[Christophe Foulon 📓]]></dc:creator><pubDate>Fri, 10 Jul 2026 21:56:09 GMT</pubDate><enclosure url="https://substack-post-media.s3.amazonaws.com/public/images/4f6202b8-47c2-4f2e-83ce-82e887f18cd6_1024x572.jpeg" length="0" type="image/jpeg"/><content:encoded><![CDATA[<p>On July 6, 2026, Cisco updated its advisory for Cisco Identity Services Engine and Cisco ISE Passive Identity Connector <span>to include two tracked issues, including&nbsp;</span><strong><span>CVE-2026-20181</span></strong><span>, a&nbsp;</span><strong><span>CVSS 9.1</span></strong><span>&nbsp;remote code execution vulnerability, and noted that&nbsp;</span><strong><span>no workarounds are&nbsp;</span>available</strong>. On July 3, 2026, the UK Information Commissioner's Office told small retailers that data protection law still allows them to use personal information, including CCTV footage, to protect staff and premises, while warning that facial recognition carries a high bar due to the risk of wrongful identification. On July 8, 2026, Microsoft said its Secure Future Initiative now uses a multi-agent AI system to evaluate live cloud services at AI speed, but still routes findings through human security engineers for validation and implementation.</p><p></p><div class="captioned-image-container"><figure><a class="image-link image2 is-viewable-img" target="_blank" href="https://substackcdn.com/image/fetch/$s_!1vQm!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F025d096d-1eaf-4566-a380-0b9473cb243d_688x384.png" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" srcset="https://substackcdn.com/image/fetch/$s_!1vQm!,w_424,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F025d096d-1eaf-4566-a380-0b9473cb243d_688x384.png 424w, https://substackcdn.com/image/fetch/$s_!1vQm!,w_848,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F025d096d-1eaf-4566-a380-0b9473cb243d_688x384.png 848w, https://substackcdn.com/image/fetch/$s_!1vQm!,w_1272,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F025d096d-1eaf-4566-a380-0b9473cb243d_688x384.png 1272w, https://substackcdn.com/image/fetch/$s_!1vQm!,w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F025d096d-1eaf-4566-a380-0b9473cb243d_688x384.png 1456w" sizes="100vw"><img src="https://substackcdn.com/image/fetch/$s_!1vQm!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F025d096d-1eaf-4566-a380-0b9473cb243d_688x384.png" width="688" height="384" data-attrs="{&quot;src&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/025d096d-1eaf-4566-a380-0b9473cb243d_688x384.png&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:null,&quot;height&quot;:384,&quot;width&quot;:688,&quot;resizeWidth&quot;:null,&quot;bytes&quot;:167196,&quot;alt&quot;:&quot;Infographic-style editorial dashboard with three grouped panels covering Cisco ISE trust risk, lawful retail-crime privacy controls, and AI-speed cloud hardening with human validation.&quot;,&quot;title&quot;:null,&quot;type&quot;:&quot;image/png&quot;,&quot;href&quot;:null,&quot;belowTheFold&quot;:false,&quot;topImage&quot;:true,&quot;internalRedirect&quot;:&quot;https://substack.cpf-coaching.com/i/206291906?img=https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F025d096d-1eaf-4566-a380-0b9473cb243d_688x384.png&quot;,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" class="sizing-normal" alt="Infographic-style editorial dashboard with three grouped panels covering Cisco ISE trust risk, lawful retail-crime privacy controls, and AI-speed cloud hardening with human validation." title="Infographic-style editorial dashboard with three grouped panels covering Cisco ISE trust risk, lawful retail-crime privacy controls, and AI-speed cloud hardening with human validation." srcset="https://substackcdn.com/image/fetch/$s_!1vQm!,w_424,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F025d096d-1eaf-4566-a380-0b9473cb243d_688x384.png 424w, https://substackcdn.com/image/fetch/$s_!1vQm!,w_848,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F025d096d-1eaf-4566-a380-0b9473cb243d_688x384.png 848w, https://substackcdn.com/image/fetch/$s_!1vQm!,w_1272,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F025d096d-1eaf-4566-a380-0b9473cb243d_688x384.png 1272w, https://substackcdn.com/image/fetch/$s_!1vQm!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F025d096d-1eaf-4566-a380-0b9473cb243d_688x384.png 1456w" sizes="100vw" fetchpriority="high"></picture><div class="image-link-expand"><div class="pencraft pc-display-flex pc-gap-8 pc-reset"><button tabindex="0" type="button" class="pencraft pc-reset pencraft icon-container restack-image"><svg role="img" width="20" height="20" viewBox="0 0 20 20" fill="none" stroke-width="1.5" stroke="var(--color-fg-primary)" stroke-linecap="round" stroke-linejoin="round" xmlns="http://www.w3.org/2000/svg"><g><title></title><path d="M2.53001 7.81595C3.49179 4.73911 6.43281 2.5 9.91173 2.5C13.1684 2.5 15.9537 4.46214 17.0852 7.23684L17.6179 8.67647M17.6179 8.67647L18.5002 4.26471M17.6179 8.67647L13.6473 6.91176M17.4995 12.1841C16.5378 15.2609 13.5967 17.5 10.1178 17.5C6.86118 17.5 4.07589 15.5379 2.94432 12.7632L2.41165 11.3235M2.41165 11.3235L1.5293 15.7353M2.41165 11.3235L6.38224 13.0882"></path></g></svg></button><button tabindex="0" type="button" class="pencraft pc-reset pencraft icon-container view-image"><svg xmlns="http://www.w3.org/2000/svg" width="20" height="20" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round" class="lucide lucide-maximize2 lucide-maximize-2"><polyline points="15 3 21 3 21 9"></polyline><polyline points="9 21 3 21 3 15"></polyline><line x1="21" x2="14" y1="3" y2="10"></line><line x1="3" x2="10" y1="21" y2="14"></line></svg></button></div></div></div></a><figcaption class="image-caption">Trusted systems need explicit owners, proof, and limits.</figcaption></figure></div><p></p><div class="subscription-widget-wrap-editor" data-attrs="{&quot;url&quot;:&quot;https://substack.cpf-coaching.com/subscribe?&quot;,&quot;text&quot;:&quot;Subscribe&quot;,&quot;language&quot;:&quot;en&quot;}" data-component-name="SubscribeWidgetToDOM"><div class="subscription-widget show-subscribe"><div class="preamble"><p class="cta-caption">SMB Tech &amp; Cybersecurity Leadership Newsletter is a reader-supported publication. To receive new posts and support my work, consider becoming a free or paid subscriber.</p></div><form class="subscription-widget-subscribe"><input type="email" class="email-input" name="email" placeholder="Type your email&#8230;" tabindex="-1"><input type="submit" class="button primary" value="Subscribe"><div class="fake-input-wrapper"><div class="fake-input"></div><div class="fake-button"></div></div></form></div></div><p></p><div><hr></div><p></p><p>These are three versions of the same leadership problem. The systems you trust to enforce access, protect property, and accelerate operations are now high-trust systems in their own right. For SMB leaders, the question is no longer whether these tools are useful. It is whether you can prove who owns them, how quickly they must be patched, what data they can touch, and where a human must still overrule them.</p><p></p><div class="captioned-image-container"><figure><a class="image-link image2 is-viewable-img" target="_blank" href="https://substackcdn.com/image/fetch/$s_!dS9h!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F33c6a38f-b7a4-4902-99bd-d50c59b7ff5a_1024x572.jpeg" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" srcset="https://substackcdn.com/image/fetch/$s_!dS9h!,w_424,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F33c6a38f-b7a4-4902-99bd-d50c59b7ff5a_1024x572.jpeg 424w, https://substackcdn.com/image/fetch/$s_!dS9h!,w_848,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F33c6a38f-b7a4-4902-99bd-d50c59b7ff5a_1024x572.jpeg 848w, https://substackcdn.com/image/fetch/$s_!dS9h!,w_1272,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F33c6a38f-b7a4-4902-99bd-d50c59b7ff5a_1024x572.jpeg 1272w, https://substackcdn.com/image/fetch/$s_!dS9h!,w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F33c6a38f-b7a4-4902-99bd-d50c59b7ff5a_1024x572.jpeg 1456w" sizes="100vw"><img src="https://substackcdn.com/image/fetch/$s_!dS9h!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F33c6a38f-b7a4-4902-99bd-d50c59b7ff5a_1024x572.jpeg" width="1024" height="572" data-attrs="{&quot;src&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/33c6a38f-b7a4-4902-99bd-d50c59b7ff5a_1024x572.jpeg&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:null,&quot;height&quot;:572,&quot;width&quot;:1024,&quot;resizeWidth&quot;:null,&quot;bytes&quot;:180811,&quot;alt&quot;:&quot;An infographic titled 'This Week's SMB Risk Signals: Identity Trust, Retail Privacy, and AI Hardening.' It is divided into three sections. Section 1 covers the Cisco ISE trust gap, highlighting CVSS 9.1 and CVE-2026-20181, while emphasizing the need for explicit accountability during MSP handoffs. Section 2 contrasts retail crime with privacy, noting UK ICO guidance that allows practical CCTV use for theft but requires documented reviews for facial recognition. Section 3 illustrates AI-speed hardening, showing multi-agent AI proposing findings to a live cloud, while a human hand clicks 'Validate &amp; Implement' to close the loop. The graphic includes CPF Coaching and Christophe Foulon branding&quot;,&quot;title&quot;:null,&quot;type&quot;:&quot;image/jpeg&quot;,&quot;href&quot;:null,&quot;belowTheFold&quot;:true,&quot;topImage&quot;:false,&quot;internalRedirect&quot;:&quot;https://substack.cpf-coaching.com/i/206291906?img=https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F33c6a38f-b7a4-4902-99bd-d50c59b7ff5a_1024x572.jpeg&quot;,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" class="sizing-normal" alt="An infographic titled 'This Week's SMB Risk Signals: Identity Trust, Retail Privacy, and AI Hardening.' It is divided into three sections. Section 1 covers the Cisco ISE trust gap, highlighting CVSS 9.1 and CVE-2026-20181, while emphasizing the need for explicit accountability during MSP handoffs. Section 2 contrasts retail crime with privacy, noting UK ICO guidance that allows practical CCTV use for theft but requires documented reviews for facial recognition. Section 3 illustrates AI-speed hardening, showing multi-agent AI proposing findings to a live cloud, while a human hand clicks 'Validate &amp; Implement' to close the loop. The graphic includes CPF Coaching and Christophe Foulon branding" title="An infographic titled 'This Week's SMB Risk Signals: Identity Trust, Retail Privacy, and AI Hardening.' It is divided into three sections. Section 1 covers the Cisco ISE trust gap, highlighting CVSS 9.1 and CVE-2026-20181, while emphasizing the need for explicit accountability during MSP handoffs. Section 2 contrasts retail crime with privacy, noting UK ICO guidance that allows practical CCTV use for theft but requires documented reviews for facial recognition. Section 3 illustrates AI-speed hardening, showing multi-agent AI proposing findings to a live cloud, while a human hand clicks 'Validate &amp; Implement' to close the loop. The graphic includes CPF Coaching and Christophe Foulon branding" srcset="https://substackcdn.com/image/fetch/$s_!dS9h!,w_424,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F33c6a38f-b7a4-4902-99bd-d50c59b7ff5a_1024x572.jpeg 424w, https://substackcdn.com/image/fetch/$s_!dS9h!,w_848,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F33c6a38f-b7a4-4902-99bd-d50c59b7ff5a_1024x572.jpeg 848w, https://substackcdn.com/image/fetch/$s_!dS9h!,w_1272,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F33c6a38f-b7a4-4902-99bd-d50c59b7ff5a_1024x572.jpeg 1272w, https://substackcdn.com/image/fetch/$s_!dS9h!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F33c6a38f-b7a4-4902-99bd-d50c59b7ff5a_1024x572.jpeg 1456w" sizes="100vw" loading="lazy"></picture><div class="image-link-expand"><div class="pencraft pc-display-flex pc-gap-8 pc-reset"><button tabindex="0" type="button" class="pencraft pc-reset pencraft icon-container restack-image"><svg role="img" width="20" height="20" viewBox="0 0 20 20" fill="none" stroke-width="1.5" stroke="var(--color-fg-primary)" stroke-linecap="round" stroke-linejoin="round" xmlns="http://www.w3.org/2000/svg"><g><title></title><path d="M2.53001 7.81595C3.49179 4.73911 6.43281 2.5 9.91173 2.5C13.1684 2.5 15.9537 4.46214 17.0852 7.23684L17.6179 8.67647M17.6179 8.67647L18.5002 4.26471M17.6179 8.67647L13.6473 6.91176M17.4995 12.1841C16.5378 15.2609 13.5967 17.5 10.1178 17.5C6.86118 17.5 4.07589 15.5379 2.94432 12.7632L2.41165 11.3235M2.41165 11.3235L1.5293 15.7353M2.41165 11.3235L6.38224 13.0882"></path></g></svg></button><button tabindex="0" type="button" class="pencraft pc-reset pencraft icon-container view-image"><svg xmlns="http://www.w3.org/2000/svg" width="20" height="20" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round" class="lucide lucide-maximize2 lucide-maximize-2"><polyline points="15 3 21 3 21 9"></polyline><polyline points="9 21 3 21 3 15"></polyline><line x1="21" x2="14" y1="3" y2="10"></line><line x1="3" x2="10" y1="21" y2="14"></line></svg></button></div></div></div></a><figcaption class="image-caption"><strong>Three critical risk areas this week demand explicit human ownership.</strong> Whether you are patching the Cisco ISE trust gap, balancing retail crime surveillance with privacy laws, or deploying AI-speed cloud hardening, your high-trust systems still require human validation and clear accountability.</figcaption></figure></div><p></p><h2>1. The Tools Deciding Access Can Become the Attack Surface</h2><p>Cisco ISE and ISE-PIC are not ordinary apps. They sit close to identity, policy, and network-admission decisions. That is what makes Cisco's July 6 update important. If the platform making access decisions is itself under urgent patch pressure, the leadership risk is not just a server issue. It is a trust issue at the layer that governs who and what gets onto your environment.</p><ul><li><p><strong>Critical severity changes the conversation:</strong> Cisco's advisory lists <strong>CVE-2026-20181</strong> and <strong>CVE-2026-20190</strong>, <span>assigns the package a&nbsp;</span><strong><span>CVSS&nbsp;</span></strong><span>score of 9.1, and directs</span> customers to software updates rather than workarounds.</p></li><li><p><strong>Identity infrastructure is a force multiplier:</strong> A weakness in ISE or ISE-PIC can put a control system at risk, not just an endpoint, meaning the operational blast radius can be broader than the asset count suggests.</p></li><li><p><strong>Managed environments are still your accountability problem:</strong> Many SMBs do not run these systems directly. A partner, MSP, or network integrator may own the day-to-day work, but your business still owns the exposure and the evidence trail.</p><p></p></li></ul><p><strong>Strategic Action:</strong> Treat identity and network-admission platforms as crown-jewel control systems. They deserve named patch owners, shorter review windows, preserved logs, and explicit rollback plans.</p><p></p><p><strong>This Week's Leadership Move:</strong></p><ol><li><p>Confirm whether your organization or any managed provider runs Cisco ISE or ISE-PIC in any environment.</p></li><li><p>Ask for the current version, the fixed-release path, and the maintenance window that has already been assigned to the update.</p></li><li><p>Preserve admin and policy-change logs before patching, and confirm who has authority to disable or limit access if a patch slips.</p></li></ol><p></p><div class="pullquote"><p>To reduce the odds that an infrastructure weakness turns into a business-wide blind spot, <strong><a href="https://shop.tenable.com/cpf-coaching">Tenable</a></strong> helps teams see exposed assets, prioritize urgent weaknesses, and pressure-test where trusted systems still need faster remediation.</p><p><sub>Affiliate sponsor</sub></p></div><p></p><h2>2. Privacy Law Does Not Block Crime Response, but It Does Demand Discipline</h2><p>The ICO's July 3 guidance matters because it corrects a common SMB mistake from both directions. Some leaders assume privacy law blocks practical responses to crime. Others assume that if theft is rising, any surveillance step is justified. The ICO said neither instinct is strong enough on its own.<br></p><ul><li><p><strong>The operational pressure is real:</strong> The ICO cited British Retail Consortium figures of <strong>almost 5.5 million incidents of theft</strong> and <strong>43,000 incidents of violence against staff</strong> every year across the retail sector.</p></li><li><p><strong>Lawful use is still available:</strong> The regulator explicitly said data protection law enables businesses to use personal information, including CCTV footage, to protect the business, its staff, and its premises.</p></li><li><p><strong>Facial recognition is a separate decision:</strong> The ICO said there is a <strong>high bar</strong> for lawful use of facial recognition in public places because of the sensitivity of the data and the risk of misidentifying someone.</p></li></ul><p></p><p><strong>Strategic Action:</strong> Do not treat privacy as a blocker or a blank check. Treat it as an operating constraint that must be designed into your crime-response workflow before the next incident lands.</p><p></p><p><strong>This Week's Leadership Move:</strong></p><ol><li><p>Write down what information your team captures, shares, and retains when theft, violence, or repeat-shopper incidents occur.</p></li><li><p>Confirm who can access CCTV, who can share clips or names, how long records are retained, and where complaints are routed.</p></li><li><p>Keep facial recognition out of production until you have a written justification, a documented impact review, and a named approval authority.</p><p></p></li></ol><blockquote><p><strong>DON'T CONFUSE URGENCY WITH LEGAL COVERAGE</strong></p><p>Small businesses still need evidence, retention logic, and complaint handling when they respond to crime. If your response process depends on ad hoc judgment, your team will be improvising under pressure.</p><p><strong>Copla</strong> helps teams turn policy ownership, evidence collection, and control reviews into something repeatable instead of something remembered only after an incident.</p><p><strong>Make compliance operational. <a href="https://join.copla.com/cpf-coaching">See Copla</a></strong></p><p><sub>Affiliate sponsor</sub></p></blockquote><p></p><h2>3. AI-Speed Hardening Still Requires Human Owners</h2><p><br></p><p>Microsoft's July 8 post is useful because it does not present AI as a magical replacement for security engineering. It presents AI as a way to evaluate live services faster, with more context, and at a scale humans struggle to maintain alone. The key detail is what Microsoft kept human.</p><p></p><ul><li><p><strong>The architecture is multi-agent, not single-shot:</strong> Microsoft described a multi-agent system that evaluates cloud services against Secure Future Initiative requirements.</p></li><li><p><strong>The context is broader than code scanning:</strong> The system combines code-level vulnerabilities with configuration, identity, network, and runtime context to assess overall service posture.</p></li><li><p><strong>Human validation still closes the loop:</strong> Microsoft said the system generates findings and recommendations that security engineering teams then validate and implement.</p></li></ul><p></p><p><strong>Strategic Action:</strong> If your SMB wants AI in security or IT operations, use it first to compress review time and surface evidence faster. Do not let it close findings, change policy, or touch production systems without named human approval.</p><p></p><p><strong>This Week's Leadership Move:</strong></p><ol><li><p>Select one review workflow in which AI can propose findings but cannot mark the issue as complete.</p></li><li><p>Log what evidence the AI reviewed, who approved the recommendation, and what changed afterward.</p></li><li><p>Expand only after you can measure both the time saved and the quality tradeoffs.</p></li></ol><p></p><h3>Final Thoughts for Leaders</h3><p></p><p>Trusted systems deserve harder scrutiny, not easier trust. Identity engines, retail-surveillance workflows, and AI-assisted hardening all sit close to action. That means your next step is not to buy more dashboards. It is to name a patch owner, an evidence owner, and an approval owner for every system that can materially change access, rights, or operations.</p><p></p><p>If you put only one thing on next week's agenda, make it this: which systems in this business can act with trust we have not recently re-earned?</p><p><br></p><blockquote><p><strong>NEW CPF FRAMEWORK: THE ACTIVE RESILIENCE METHOD</strong></p><p>This is the operating model behind CPF Coaching going forward: <strong>Assess, Reinforce, Monitor</strong>. Assess where compliance pressure is already creating risk. Reinforce the controls, owners, and evidence that need to hold under pressure. Monitor the systems, vendors, and AI-assisted workflows that can drift quietly after the meeting ends.</p><p><a href="http://CPF-coaching.com">CPF Coaching</a> helps 50-500 person healthtech, fintech, and SaaS companies turn compliance pressure into active resilience, without the full-time CISO price tag.</p></blockquote><p>If another operator or business owner on your team needs this framing, use the share and referral tools below before the premium section.<br></p><p>If you want the implementation pack, templates, and tabletop below, the subscribe prompt is the quickest way to access the premium section.<br></p><p>Paid subscribers this week get a trusted-systems owner register, a retail-crime privacy checklist, an AI hardening approval matrix, and a seven-day implementation sprint.</p><blockquote><p><strong>FOR CONSULTANTS, MSPS, AND FRACTIONAL SECURITY LEADERS</strong></p><p>I also published the first ARM-branded Base44 template preview: an <strong>ARM Client Portal Template</strong> for intake, evidence tracking, control reviews, AI-assisted framework guidance, and client-ready dashboards.</p><p>Use it as a starting point if you need a repeatable way to help SMB clients move through Assess, Reinforce, and Monitor without rebuilding the workflow every time.</p><p><strong>Preview the template:</strong> <a href="https://smb-compliance-client-portal-templa-c3d824dd.base44.app/?utm_source=substack&amp;utm_medium=editorial_placement&amp;utm_campaign=arm_template_launch&amp;utm_content=july_9_issue_free_to_paid_bridge">ARM Client Portal Template for Base44</a></p><p><sub>If you are new to Base44, CPF may use a referral link in follow-up materials to support future template updates.</sub></p></blockquote><h3>Help Other Leaders Secure Their Future</h3><p><strong>The Network Effect of SMB Security</strong> </p><p>The most effective way to strengthen our SMB community is to share strategies that actually work in the field. If you find value in these technical deep dives, helping a fellow leader bridge their tech gap makes the entire ecosystem more resilient. Cybersecurity is a collective effort, and more informed peers lead to a safer environment for everyone&#8217;s business.</p><p><strong>Why Share This Subscription?</strong> When you refer a colleague to this newsletter, you are giving them access to the same specialized insights you use to lead your team:</p><ul><li><p><strong>Zero-fluff technical execution:</strong> No high-level theory, just the steps to implement.</p></li><li><p><strong>Cost-saving vendor analysis:</strong> An honest look at which tools are worth the SMB budget.</p></li><li><p><strong>Direct coaching frameworks:</strong> Access to the same logic I use with private coaching clients.</p></li></ul><p><strong>Pay It Forward.</strong> Use the button below to share this post or your unique referral link. When your peers join our community, we all benefit from a more secure and tech-forward marketplace.</p><p class="button-wrapper" data-attrs="{&quot;url&quot;:&quot;https://substack.cpf-coaching.com/leaderboard?&amp;utm_source=post&quot;,&quot;text&quot;:&quot;Refer a friend&quot;,&quot;action&quot;:null,&quot;class&quot;:null}" data-component-name="ButtonCreateButton"><a class="button primary" href="https://substack.cpf-coaching.com/leaderboard?&amp;utm_source=post"><span>Refer a friend</span></a></p><p class="button-wrapper" data-attrs="{&quot;url&quot;:&quot;https://substack.cpf-coaching.com/p/this-weeks-smb-risk-signals-identity?utm_source=substack&utm_medium=email&utm_content=share&action=share&quot;,&quot;text&quot;:&quot;Share&quot;,&quot;action&quot;:null,&quot;class&quot;:null}" data-component-name="ButtonCreateButton"><a class="button primary" href="https://substack.cpf-coaching.com/p/this-weeks-smb-risk-signals-identity?utm_source=substack&utm_medium=email&utm_content=share&action=share"><span>Share</span></a></p><div><hr></div><p>You&#8217;ve seen the "Why" behind this [Cyber/Tech Issue]&#8212;but knowing the risk is only half the battle. To move from awareness to actual protection, you need a localized execution plan.</p><p>The remainder of this deep dive is designed specifically for the SMB leader who needs to move fast without a massive enterprise budget. By upgrading to a paid subscription, you unlock:</p><ul><li><p><strong>The &#8220;How-To&#8221; Framework:</strong> A step-by-step breakdown of the [Process/Tool] mentioned above.</p></li><li><p><strong>Resource Toolkit:</strong> Downloadable templates and checklists I use with my private coaching clients.</p></li><li><p><strong>The Bottom Line:</strong> Direct analysis of the ROI and cost-savings associated with this strategy</p></li></ul><blockquote><p style="text-align: center;"><strong>Subscribe to Unlock the Full Strategy</strong> </p><p style="text-align: center;"><em>Join a community of SMB leaders who stop reacting to tech shifts and start leading them.</em></p></blockquote><p></p><p class="button-wrapper" data-attrs="{&quot;url&quot;:&quot;https://substack.cpf-coaching.com/subscribe?&quot;,&quot;text&quot;:&quot;Subscribe now&quot;,&quot;action&quot;:null,&quot;class&quot;:null}" data-component-name="ButtonCreateButton"><a class="button primary" href="https://substack.cpf-coaching.com/subscribe?"><span>Subscribe now</span></a></p><p></p><div class="paywall-jump" data-component-name="PaywallToDOM"></div><p><br></p><h2>Premium Intelligence: The Trusted Systems Response Pack</h2><p><br></p><h3>1. Cisco ISE and ISE-PIC Hardening Review</h3><p><br></p><p><strong>Technical Detail:</strong> Cisco's advisory <code>cisco-sa-ise-multi-G5WP8vv</code> covers <strong>CVE-2026-20181</strong> and <strong>CVE-2026-20190</strong> affecting Cisco Identity Services Engine and Cisco ISE Passive Identity Connector. Cisco's public advisory page shows a <strong>CVSS 9.1</strong> rating, a <strong>last updated date of July 6, 2026</strong>, and <strong>no workarounds available</strong>. One vulnerability is tracked as a remote code execution issue, and the package also includes an information disclosure risk. Even when exploitation requires additional conditions, the leadership lesson is clear: systems shaping access decisions need emergency-grade patch ownership.</p><p></p><ul><li><p><strong>Technical Detail:</strong> ISE and ISE-PIC are closely tied to authentication, admission, and policy enforcement, making them more sensitive than ordinary line-of-business servers.</p></li><li><p><strong>Actionable Strategy:</strong> Confirm the exact release train, the first fixed release for your branch, and the change window that has already been assigned. Do not let "the network team has it" stand in for an actual patch receipt.</p></li><li><p><strong>Vendor / MSP Check:</strong> Ask which partners, consultants, or outsourced network teams still have admin access and whether they will be involved in the patch sequence.</p></li><li><p><strong>Evidence Capture:</strong> Export admin activity, recent policy changes, and configuration backups before the change window opens.</p></li></ul><p><br></p><h3>2. Retail Crime Privacy Controls That Survive Pressure</h3><p></p><p><strong>Technical Detail:</strong> The ICO's July 3 guidance was aimed specifically at small retailers. It said businesses can use personal information, including CCTV footage, to protect staff and premises, but that they need to do so lawfully. The same guidance warns that facial recognition has a high bar for lawful use in public places because of both the sensitivity of the information and the risk of misidentification.<br></p><ul><li><p><strong>Technical Detail:</strong> The published pressure indicators matter: <strong>almost 5.5 million theft incidents</strong> and <strong>43,000 incidents of violence against staff</strong> each year across the sector.</p></li><li><p><strong>Actionable Strategy:</strong> Split your operating model into three lanes: routine CCTV review, incident-driven information sharing, and restricted advanced surveillance proposals such as facial recognition.</p></li><li><p><strong>Complaint Handling:</strong> Make sure a complaint about surveillance, retention, or disclosure has a named destination, response timeline, and evidence set.</p></li><li><p><strong>Retention Discipline:</strong> Keep only what you can justify, and document when clips, notes, or shared images must be deleted.</p></li></ul><p><br></p><h3>3. AI Hardening That Preserves Accountability</h3><p></p><p><strong>Technical Detail:</strong> In its July 8 post, Microsoft said its Secure Future Initiative uses a multi-agent AI system to proactively evaluate live cloud services against security requirements. The system combines code-level vulnerability information with configuration, identity, network, and runtime context, then surfaces findings for security engineering teams to validate and implement.</p><p></p><ul><li><p><strong>Technical Detail:</strong> Microsoft said the system delivered findings and recommendations within a few months of deployment, but did not describe the outcome as autonomous remediation.</p></li><li><p><strong>Actionable Strategy:</strong> Copy the operating pattern, not the scale. Start with AI-assisted review where every finding still needs a named human to accept, reject, or defer it.</p></li><li><p><strong>Approval Boundary:</strong> Separate "AI may review" from "AI may change." Your first success metric is evidence quality and cycle time, not unattended execution.</p></li><li><p><strong>Rollback Rule:</strong> Every AI-assisted change should have an owner, a log location, and a rollback path before it touches a production workflow.<br></p></li></ul><blockquote><p><strong>AI SPEED IS ONLY SAFE WHEN OWNERSHIP STAYS VISIBLE</strong></p><p>Security teams move faster when AI can assemble evidence and surface likely issues, but speed becomes liability when approvals, data boundaries, and change authority stay implicit.</p><p><strong>Airia</strong> is built for organizations that need governed AI orchestration, explicit controls, and clearer boundaries around where agents can and cannot act.</p><p><strong>Put guardrails around agentic work. <a href="https://try.airia.com/3bcae15ptpli">Explore Airia</a></strong></p><p><sub>Affiliate sponsor</sub></p></blockquote><p><br></p><h2>Premium Template: Trusted Systems Owner Register</h2><p></p><p>Use this register for any platform or workflow that can materially influence access, rights, safety, or production operations.</p><div class="captioned-image-container"><figure><a class="image-link image2 is-viewable-img" target="_blank" href="https://substackcdn.com/image/fetch/$s_!EQuD!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fe85ac9a3-a981-44cc-90b2-ab2931873ea5_800x560.png" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" srcset="https://substackcdn.com/image/fetch/$s_!EQuD!,w_424,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fe85ac9a3-a981-44cc-90b2-ab2931873ea5_800x560.png 424w, https://substackcdn.com/image/fetch/$s_!EQuD!,w_848,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fe85ac9a3-a981-44cc-90b2-ab2931873ea5_800x560.png 848w, https://substackcdn.com/image/fetch/$s_!EQuD!,w_1272,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fe85ac9a3-a981-44cc-90b2-ab2931873ea5_800x560.png 1272w, https://substackcdn.com/image/fetch/$s_!EQuD!,w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fe85ac9a3-a981-44cc-90b2-ab2931873ea5_800x560.png 1456w" sizes="100vw"><img src="https://substackcdn.com/image/fetch/$s_!EQuD!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fe85ac9a3-a981-44cc-90b2-ab2931873ea5_800x560.png" width="800" height="560" data-attrs="{&quot;src&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/e85ac9a3-a981-44cc-90b2-ab2931873ea5_800x560.png&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:null,&quot;height&quot;:560,&quot;width&quot;:800,&quot;resizeWidth&quot;:null,&quot;bytes&quot;:117537,&quot;alt&quot;:null,&quot;title&quot;:null,&quot;type&quot;:&quot;image/png&quot;,&quot;href&quot;:null,&quot;belowTheFold&quot;:true,&quot;topImage&quot;:false,&quot;internalRedirect&quot;:&quot;https://substack.cpf-coaching.com/i/206291906?img=https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fe85ac9a3-a981-44cc-90b2-ab2931873ea5_800x560.png&quot;,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" class="sizing-normal" alt="" srcset="https://substackcdn.com/image/fetch/$s_!EQuD!,w_424,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fe85ac9a3-a981-44cc-90b2-ab2931873ea5_800x560.png 424w, https://substackcdn.com/image/fetch/$s_!EQuD!,w_848,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fe85ac9a3-a981-44cc-90b2-ab2931873ea5_800x560.png 848w, https://substackcdn.com/image/fetch/$s_!EQuD!,w_1272,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fe85ac9a3-a981-44cc-90b2-ab2931873ea5_800x560.png 1272w, https://substackcdn.com/image/fetch/$s_!EQuD!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fe85ac9a3-a981-44cc-90b2-ab2931873ea5_800x560.png 1456w" sizes="100vw" loading="lazy"></picture><div class="image-link-expand"><div class="pencraft pc-display-flex pc-gap-8 pc-reset"><button tabindex="0" type="button" class="pencraft pc-reset pencraft icon-container restack-image"><svg role="img" width="20" height="20" viewBox="0 0 20 20" fill="none" stroke-width="1.5" stroke="var(--color-fg-primary)" stroke-linecap="round" stroke-linejoin="round" xmlns="http://www.w3.org/2000/svg"><g><title></title><path d="M2.53001 7.81595C3.49179 4.73911 6.43281 2.5 9.91173 2.5C13.1684 2.5 15.9537 4.46214 17.0852 7.23684L17.6179 8.67647M17.6179 8.67647L18.5002 4.26471M17.6179 8.67647L13.6473 6.91176M17.4995 12.1841C16.5378 15.2609 13.5967 17.5 10.1178 17.5C6.86118 17.5 4.07589 15.5379 2.94432 12.7632L2.41165 11.3235M2.41165 11.3235L1.5293 15.7353M2.41165 11.3235L6.38224 13.0882"></path></g></svg></button><button tabindex="0" type="button" class="pencraft pc-reset pencraft icon-container view-image"><svg xmlns="http://www.w3.org/2000/svg" width="20" height="20" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round" class="lucide lucide-maximize2 lucide-maximize-2"><polyline points="15 3 21 3 21 9"></polyline><polyline points="9 21 3 21 3 15"></polyline><line x1="21" x2="14" y1="3" y2="10"></line><line x1="3" x2="10" y1="21" y2="14"></line></svg></button></div></div></div></a></figure></div><p><br></p><h2>Premium Checklist: Retail Crime Information-Sharing Controls</h2><ul><li><p>Document when staff may review CCTV and who approves access.</p></li><li><p>Define when footage or incident details may be shared outside the business.</p></li><li><p>Record the lawful basis and retention rule for each incident type.</p></li><li><p>Route complaints or objections to a named owner with a response timeline.</p></li><li><p>Keep facial-recognition proposals in a separate approval lane with higher scrutiny.</p></li><li><p>Confirm signage, notice language, and data-retention practice match real operations.</p></li></ul><p><br></p><h2>Premium Guide: Seven-Day Trusted Systems Hardening Sprint</h2><p></p><p><strong>Day 1: Inventory the trusted systems</strong></p><p>List every platform that can change access, record incidents, approve sensitive activity, or influence production operations.<br></p><p><strong>Day 2: Classify the owner</strong></p><p>Write down the internal owner, the vendor or MSP contact, and the person who approves emergency changes.</p><p><br></p><p><strong>Day 3: Verify patch or control status</strong></p><p>For identity and network-control systems, compare running versions to vendor advisories and preserve admin or policy logs before changes.</p><p><br></p><p><strong>Day 4: Review privacy and complaint handling</strong></p><p>For surveillance or incident-response workflows, document what is captured, who may share it, how long it is retained, and where complaints land.</p><p><br></p><p><strong>Day 5: Define AI approval boundaries</strong></p><p>Split workflows into advisory-only, draft-and-review, and permissioned-execution lanes. Do not let one label cover all use cases.</p><p><br></p><p><strong>Day 6: Run a short tabletop</strong></p><p>Ask what happens if the trusted system is the system under pressure. Who decides? What evidence exists? What stops further action?</p><p><br></p><p><strong>Day 7: Report the gaps</strong></p><p>Deliver a one-page summary showing the systems reviewed, the open gaps, the named owners, and the next remediation date.</p><p><br></p><h2>Premium Exercise: Tabletop for the Tool You Trust Most</h2><p><br></p><p><strong>Tabletop Exercise: The Gatekeeper Has the Emergency</strong></p><ul><li><p><strong>Premise:</strong> A managed provider tells you that a Cisco ISE update must be applied urgently. On the same day, a store manager wants to circulate CCTV stills after a violent incident, and your operations lead wants an AI review tool to auto-close low-confidence findings to save time.</p></li><li><p><strong>Exercise Goal:</strong> Test whether your team can identify the owner, evidence set, approval path, and stop condition for each trusted system before pressure leads to improvisation.</p></li><li><p><strong>Use this exercise to:</strong> expose where authority is assumed, where records are missing, and where legal or security decisions are made by habit rather than by policy.</p></li></ul><p><br></p><h2>Premium Exercise: Trusted Systems Self-Assessment<br></h2><ul><li><p><strong>Exercise Goal:</strong> Consider which tools in your business can grant access, identify a person, or recommend an operational action. Who owns each one? What evidence would you need to defend that process to a customer, regulator, insurer, or board member?</p></li></ul><p><br></p><h2>Sources</h2><ul><li><p>Cisco, "Cisco Identity Services Engine Remote Code Execution and Information Disclosure Vulnerabilities," first published June 17, 2026 and last updated July 6, 2026: https://www.cisco.com/c/en/us/support/docs/csa/cisco-sa-ise-multi-G5WP8vv.html</p></li><li><p>Information Commissioner's Office, "How data protection law can help protect businesses from crime," July 3, 2026: https://ico.org.uk/about-the-ico/media-centre/news-and-blogs/2026/07/how-data-protection-law-can-help-protect-businesses-from-crime/</p></li><li><p>Microsoft Security Blog, "Protecting Microsoft at AI speed: How SFI proactively hardens our cloud," July 8, 2026: https://www.microsoft.com/en-us/security/blog/2026/07/08/protecting-microsoft-at-ai-speed-how-sfi-proactively-hardens-our-cloud/</p></li></ul>]]></content:encoded></item><item><title><![CDATA[Your Firewall’s Passwords Leaked. Patching Won’t Fix It]]></title><description><![CDATA[Patching your firewall only closes the hole; it doesn't change stolen passwords. Learn why immediate credential rotation is crucial after the FortiBleed leak, even if you are fully patched.]]></description><link>https://substack.cpf-coaching.com/p/your-firewalls-passwords-leaked-patching</link><guid isPermaLink="false">https://substack.cpf-coaching.com/p/your-firewalls-passwords-leaked-patching</guid><dc:creator><![CDATA[Christophe Foulon 📓]]></dc:creator><pubDate>Wed, 08 Jul 2026 20:16:19 GMT</pubDate><enclosure url="https://substackcdn.com/image/fetch/$s_!Ou53!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F2a37eced-bfbd-4b91-9f78-f8c5db78fa23_1024x559.jpeg" length="0" type="image/jpeg"/><content:encoded><![CDATA[<p>In mid-June, security researchers confirmed one of the largest credential-theft campaigns ever recorded against network security devices. The operation, now called FortiBleed, harvested working administrator credentials from 86,644 Fortinet FortiGate firewalls across 194 countries, roughly half of all internet-facing Fortinet firewalls in the world. The victim list includes names like Samsung, Siemens, Oracle, and Accenture, but the quiet majority of exposed devices sit in front of small and mid-sized businesses, usually installed by an IT provider years ago and rarely thought about since.</p><div class="captioned-image-container"><figure><a class="image-link image2 is-viewable-img" target="_blank" href="https://substackcdn.com/image/fetch/$s_!Ou53!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F2a37eced-bfbd-4b91-9f78-f8c5db78fa23_1024x559.jpeg" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" srcset="https://substackcdn.com/image/fetch/$s_!Ou53!,w_424,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F2a37eced-bfbd-4b91-9f78-f8c5db78fa23_1024x559.jpeg 424w, https://substackcdn.com/image/fetch/$s_!Ou53!,w_848,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F2a37eced-bfbd-4b91-9f78-f8c5db78fa23_1024x559.jpeg 848w, https://substackcdn.com/image/fetch/$s_!Ou53!,w_1272,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F2a37eced-bfbd-4b91-9f78-f8c5db78fa23_1024x559.jpeg 1272w, https://substackcdn.com/image/fetch/$s_!Ou53!,w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F2a37eced-bfbd-4b91-9f78-f8c5db78fa23_1024x559.jpeg 1456w" sizes="100vw"><img src="https://substackcdn.com/image/fetch/$s_!Ou53!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F2a37eced-bfbd-4b91-9f78-f8c5db78fa23_1024x559.jpeg" width="1024" height="559" data-attrs="{&quot;src&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/2a37eced-bfbd-4b91-9f78-f8c5db78fa23_1024x559.jpeg&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:null,&quot;height&quot;:559,&quot;width&quot;:1024,&quot;resizeWidth&quot;:null,&quot;bytes&quot;:103905,&quot;alt&quot;:&quot;A dark conceptual illustration of a reinforced 'FORTIGATE' vault door with green light patches. A hand, holding a key labeled 'SHA-256 CRACKED CREDENTIALS', is inserting it into the keyhole, bypassing multiple complex digital locks. Text overlays read 'PATCH STATUS: 100%' and 'CREDENTIAL EXPOSURE: VULNERABLE.'&quot;,&quot;title&quot;:null,&quot;type&quot;:&quot;image/jpeg&quot;,&quot;href&quot;:null,&quot;belowTheFold&quot;:false,&quot;topImage&quot;:true,&quot;internalRedirect&quot;:&quot;https://substack.cpf-coaching.com/i/206193085?img=https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F2a37eced-bfbd-4b91-9f78-f8c5db78fa23_1024x559.jpeg&quot;,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" class="sizing-normal" alt="A dark conceptual illustration of a reinforced 'FORTIGATE' vault door with green light patches. A hand, holding a key labeled 'SHA-256 CRACKED CREDENTIALS', is inserting it into the keyhole, bypassing multiple complex digital locks. Text overlays read 'PATCH STATUS: 100%' and 'CREDENTIAL EXPOSURE: VULNERABLE.'" title="A dark conceptual illustration of a reinforced 'FORTIGATE' vault door with green light patches. A hand, holding a key labeled 'SHA-256 CRACKED CREDENTIALS', is inserting it into the keyhole, bypassing multiple complex digital locks. Text overlays read 'PATCH STATUS: 100%' and 'CREDENTIAL EXPOSURE: VULNERABLE.'" srcset="https://substackcdn.com/image/fetch/$s_!Ou53!,w_424,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F2a37eced-bfbd-4b91-9f78-f8c5db78fa23_1024x559.jpeg 424w, https://substackcdn.com/image/fetch/$s_!Ou53!,w_848,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F2a37eced-bfbd-4b91-9f78-f8c5db78fa23_1024x559.jpeg 848w, https://substackcdn.com/image/fetch/$s_!Ou53!,w_1272,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F2a37eced-bfbd-4b91-9f78-f8c5db78fa23_1024x559.jpeg 1272w, https://substackcdn.com/image/fetch/$s_!Ou53!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F2a37eced-bfbd-4b91-9f78-f8c5db78fa23_1024x559.jpeg 1456w" sizes="100vw" fetchpriority="high"></picture><div class="image-link-expand"><div class="pencraft pc-display-flex pc-gap-8 pc-reset"><button tabindex="0" type="button" class="pencraft pc-reset pencraft icon-container restack-image"><svg role="img" width="20" height="20" viewBox="0 0 20 20" fill="none" stroke-width="1.5" stroke="var(--color-fg-primary)" stroke-linecap="round" stroke-linejoin="round" xmlns="http://www.w3.org/2000/svg"><g><title></title><path d="M2.53001 7.81595C3.49179 4.73911 6.43281 2.5 9.91173 2.5C13.1684 2.5 15.9537 4.46214 17.0852 7.23684L17.6179 8.67647M17.6179 8.67647L18.5002 4.26471M17.6179 8.67647L13.6473 6.91176M17.4995 12.1841C16.5378 15.2609 13.5967 17.5 10.1178 17.5C6.86118 17.5 4.07589 15.5379 2.94432 12.7632L2.41165 11.3235M2.41165 11.3235L1.5293 15.7353M2.41165 11.3235L6.38224 13.0882"></path></g></svg></button><button tabindex="0" type="button" class="pencraft pc-reset pencraft icon-container view-image"><svg xmlns="http://www.w3.org/2000/svg" width="20" height="20" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round" class="lucide lucide-maximize2 lucide-maximize-2"><polyline points="15 3 21 3 21 9"></polyline><polyline points="9 21 3 21 3 15"></polyline><line x1="21" x2="14" y1="3" y2="10"></line><line x1="3" x2="10" y1="21" y2="14"></line></svg></button></div></div></div></a><figcaption class="image-caption">A 'patched' Fortinet FortiGate firewall is bypassed by stolen keys, illustrating that updates don't change old passwords.</figcaption></figure></div><div class="subscription-widget-wrap-editor" data-attrs="{&quot;url&quot;:&quot;https://substack.cpf-coaching.com/subscribe?&quot;,&quot;text&quot;:&quot;Subscribe&quot;,&quot;language&quot;:&quot;en&quot;}" data-component-name="SubscribeWidgetToDOM"><div class="subscription-widget show-subscribe"><div class="preamble"><p class="cta-caption">SMB Tech &amp; Cybersecurity Leadership Newsletter is a reader-supported publication. To receive new posts and support my work, consider becoming a free or paid subscriber.</p></div><form class="subscription-widget-subscribe"><input type="email" class="email-input" name="email" placeholder="Type your email&#8230;" tabindex="-1"><input type="submit" class="button primary" value="Subscribe"><div class="fake-input-wrapper"><div class="fake-input"></div><div class="fake-button"></div></div></form></div></div><p></p><p>If your business runs a FortiGate firewall, or you are not sure whether it does, this issue is for you. And if you read only one section, read the third one, because it explains why the obvious fix does not actually fix this.</p><h2>What happened, in plain terms</h2><p>A firewall is the locked front door of your network. FortiBleed was not a break-in through that door. It was a copy of the keys.</p><p>Attackers exploited known weaknesses in Fortinet devices to pull configuration data, then ran an industrial-scale password cracking operation offline. The campaign targeted more than 430,000 devices, planted traffic sniffers on roughly 19,000 of them, and successfully cracked administrator passwords for the 86,644 devices now confirmed exposed. The technical root cause: older FortiOS versions stored admin passwords using a legacy hashing method (SHA-256) that modern cracking rigs chew through. Fortinet fixed this by moving to a far stronger method (PBKDF2) in newer FortiOS releases, but, and this is the part that matters, the fix only takes effect for each administrator account after that admin logs in again following the upgrade.</p><p>Translation for the non-technical reader: even a fully patched firewall can still be carrying crackable, already-stolen passwords.</p><h2>Why this lands on SMBs harder than enterprises</h2><p>Three reasons.</p><p>First, Fortinet is the default firewall brand for the SMB and mid-market segment, often deployed and managed by a managed service provider (MSP). You may own one without ever having logged into it.</p><p>Second, enterprises have teams that rotated credentials the week this broke. SMBs mostly did not, because nobody told them. The exposure gap between large and small organizations is widening every day this campaign ages.</p><p>Third, the follow-on phase has started. Researchers have linked the FortiBleed credential set to the Lynx and INC ransomware operations, and based on comparable leaks they expect ransomware deployment attempts against the most valuable targets in the dataset through July and August. Stolen credentials age like inventory: the operators are now working through the list. Being smaller does not take you off it. It just moves you to a different sales tier.</p><h2>The uncomfortable truth: patching does not close this</h2><p>This is the strategic lesson of FortiBleed, and it applies well beyond Fortinet.</p><p>A software patch closes the hole the attacker used to get in. It does nothing about what the attacker already took. A validated credential database gives attackers a login window that survives every future update, because a stolen password stays valid until someone deliberately changes it.</p><p>So an organization that patched every Fortinet CVE this week, but did not rotate credentials, is still exposed. The patch window is bounded. The credential window stays open until you close it yourself.</p><h2>What to do this week (or ask your IT provider)</h2><p>If you have internal IT or an MSP, forward them this list and ask for written confirmation on each item. This is a half-day of work, not a project.</p>]]></content:encoded></item><item><title><![CDATA[Infostealers, HIPAA Fallout, and Computer-Using AI]]></title><description><![CDATA[What SMB leaders should verify now before credentials, regulators, or agents move faster than your controls.]]></description><link>https://substack.cpf-coaching.com/p/infostealers-hipaa-fallout-and-computer</link><guid isPermaLink="false">https://substack.cpf-coaching.com/p/infostealers-hipaa-fallout-and-computer</guid><dc:creator><![CDATA[Christophe Foulon 📓]]></dc:creator><pubDate>Wed, 08 Jul 2026 19:25:36 GMT</pubDate><enclosure url="https://substackcdn.com/image/fetch/$s_!mT2X!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F19da882c-120b-442d-ae69-00430599c838_1100x960.png" length="0" type="image/jpeg"/><content:encoded><![CDATA[<p>On June 24, 2026, (<em>Sorry, this one slipped through the cracks</em>) Microsoft said its Digital Crimes Unit, working with Europol and industry partners, moved to disrupt more than 200 malicious StealC and Amadey command-and-control domains and IP addresses. Six days earlier, on June 18, 2026, HHS&#8217; Office for Civil Rights announced a $450,000 HIPAA settlement after a ransomware incident at a health plan that potentially affected 10,023 people. Then, on June 24, 2026, Google said computer use is now built directly into Gemini 3.5 Flash, giving teams a mainstream path to AI that can see, reason, and take action across browser, mobile, and desktop environments.</p><p></p><div class="captioned-image-container"><figure><a class="image-link image2 is-viewable-img" target="_blank" href="https://substackcdn.com/image/fetch/$s_!mT2X!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F19da882c-120b-442d-ae69-00430599c838_1100x960.png" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" srcset="https://substackcdn.com/image/fetch/$s_!mT2X!,w_424,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F19da882c-120b-442d-ae69-00430599c838_1100x960.png 424w, https://substackcdn.com/image/fetch/$s_!mT2X!,w_848,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F19da882c-120b-442d-ae69-00430599c838_1100x960.png 848w, https://substackcdn.com/image/fetch/$s_!mT2X!,w_1272,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F19da882c-120b-442d-ae69-00430599c838_1100x960.png 1272w, https://substackcdn.com/image/fetch/$s_!mT2X!,w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F19da882c-120b-442d-ae69-00430599c838_1100x960.png 1456w" sizes="100vw"><img src="https://substackcdn.com/image/fetch/$s_!mT2X!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F19da882c-120b-442d-ae69-00430599c838_1100x960.png" width="1100" height="960" data-attrs="{&quot;src&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/19da882c-120b-442d-ae69-00430599c838_1100x960.png&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:null,&quot;height&quot;:960,&quot;width&quot;:1100,&quot;resizeWidth&quot;:null,&quot;bytes&quot;:1803391,&quot;alt&quot;:&quot;An infographic titled 'SMB Execution-and-Verification Pack' detailing three cybersecurity operational lessons. The left panel shows infostealers extracting admin cookies and shared credentials from unmanaged endpoints. The center panel illustrates HIPAA fallout, weighing risk analysis against a $450,000 OCR settlement and breach documentation risks. The right panel displays computer-using AI executing cross-platform actions, emphasizing the need for an explicit user confirmation gate.&quot;,&quot;title&quot;:null,&quot;type&quot;:&quot;image/png&quot;,&quot;href&quot;:null,&quot;belowTheFold&quot;:false,&quot;topImage&quot;:true,&quot;internalRedirect&quot;:&quot;https://substack.cpf-coaching.com/i/203535981?img=https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F19da882c-120b-442d-ae69-00430599c838_1100x960.png&quot;,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" class="sizing-normal" alt="An infographic titled 'SMB Execution-and-Verification Pack' detailing three cybersecurity operational lessons. The left panel shows infostealers extracting admin cookies and shared credentials from unmanaged endpoints. The center panel illustrates HIPAA fallout, weighing risk analysis against a $450,000 OCR settlement and breach documentation risks. The right panel displays computer-using AI executing cross-platform actions, emphasizing the need for an explicit user confirmation gate." title="An infographic titled 'SMB Execution-and-Verification Pack' detailing three cybersecurity operational lessons. The left panel shows infostealers extracting admin cookies and shared credentials from unmanaged endpoints. The center panel illustrates HIPAA fallout, weighing risk analysis against a $450,000 OCR settlement and breach documentation risks. The right panel displays computer-using AI executing cross-platform actions, emphasizing the need for an explicit user confirmation gate." srcset="https://substackcdn.com/image/fetch/$s_!mT2X!,w_424,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F19da882c-120b-442d-ae69-00430599c838_1100x960.png 424w, https://substackcdn.com/image/fetch/$s_!mT2X!,w_848,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F19da882c-120b-442d-ae69-00430599c838_1100x960.png 848w, https://substackcdn.com/image/fetch/$s_!mT2X!,w_1272,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F19da882c-120b-442d-ae69-00430599c838_1100x960.png 1272w, https://substackcdn.com/image/fetch/$s_!mT2X!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F19da882c-120b-442d-ae69-00430599c838_1100x960.png 1456w" sizes="100vw" fetchpriority="high"></picture><div class="image-link-expand"><div class="pencraft pc-display-flex pc-gap-8 pc-reset"><button tabindex="0" type="button" class="pencraft pc-reset pencraft icon-container restack-image"><svg role="img" width="20" height="20" viewBox="0 0 20 20" fill="none" stroke-width="1.5" stroke="var(--color-fg-primary)" stroke-linecap="round" stroke-linejoin="round" xmlns="http://www.w3.org/2000/svg"><g><title></title><path d="M2.53001 7.81595C3.49179 4.73911 6.43281 2.5 9.91173 2.5C13.1684 2.5 15.9537 4.46214 17.0852 7.23684L17.6179 8.67647M17.6179 8.67647L18.5002 4.26471M17.6179 8.67647L13.6473 6.91176M17.4995 12.1841C16.5378 15.2609 13.5967 17.5 10.1178 17.5C6.86118 17.5 4.07589 15.5379 2.94432 12.7632L2.41165 11.3235M2.41165 11.3235L1.5293 15.7353M2.41165 11.3235L6.38224 13.0882"></path></g></svg></button><button tabindex="0" type="button" class="pencraft pc-reset pencraft icon-container view-image"><svg xmlns="http://www.w3.org/2000/svg" width="20" height="20" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round" class="lucide lucide-maximize2 lucide-maximize-2"><polyline points="15 3 21 3 21 9"></polyline><polyline points="9 21 3 21 3 15"></polyline><line x1="21" x2="14" y1="3" y2="10"></line><line x1="3" x2="10" y1="21" y2="14"></line></svg></button></div></div></div></a><figcaption class="image-caption">Execution without verification creates blind spots. This breakdown highlights the intersecting risks of unmanaged endpoints, regulatory fallout, and autonomous AI agents.</figcaption></figure></div><div class="subscription-widget-wrap-editor" data-attrs="{&quot;url&quot;:&quot;https://substack.cpf-coaching.com/subscribe?&quot;,&quot;text&quot;:&quot;Subscribe&quot;,&quot;language&quot;:&quot;en&quot;}" data-component-name="SubscribeWidgetToDOM"><div class="subscription-widget show-subscribe"><div class="preamble"><p class="cta-caption">SMB Tech &amp; Cybersecurity Leadership Newsletter is a reader-supported publication. To receive new posts and support my work, consider becoming a free or paid subscriber.</p></div><form class="subscription-widget-subscribe"><input type="email" class="email-input" name="email" placeholder="Type your email&#8230;" tabindex="-1"><input type="submit" class="button primary" value="Subscribe"><div class="fake-input-wrapper"><div class="fake-input"></div><div class="fake-button"></div></div></form></div></div><p></p><p></p><p>These are not separate stories. They are one operating lesson told from three angles. The software you trust can steal. The workflows you postpone can become regulatory evidence. And the AI you pilot for convenience can cross the line from draft help to real execution faster than your approval model catches up. If you lead an SMB with limited staff and a long tool list, the real question this week is simple: what inside your business can act before a human verifies it?</p><p></p><h2>Infostealers Are Still Feeding Bigger Attacks</h2><p></p><p>Microsoft said StealC is an infostealer that collects sensitive data from browsers, cryptocurrency wallets, messaging applications, email clients, and gaming platforms, while Amadey acts as a loader that can deliver StealC and other malware. Microsoft also said the disruption action on June 24 targeted more than 200 malicious domains and IPs tied to that infrastructure. The leadership takeaway is not only that one family got hit. It is that the credential-theft economy remains fast, modular, and commercially packaged.</p><p></p><h3>Why You Should Be Concerned:</h3><h3></h3><ul><li><p>Credential theft is still the bridge to bigger damage: Microsoft explicitly tied infostealers to access brokers and downstream ransomware or follow-on operations.</p></li><li><p>The first infection can start outside your most managed systems: Microsoft warned that defenders may only notice the breach after valid credentials are already being abused.</p></li><li><p>Browsers and user tools remain a soft spot: When browsers, email clients, and chat apps become collection points, a single compromised endpoint can lead to a broader identity problem.</p></li></ul><p>Strategic Action: Treat browser-stored access, local endpoints, and admin sessions as one control surface. If you are still separating endpoint protection from identity protection and browser hygiene, you are leaving too much room between infection and detection.</p><p></p><p>Three steps to take this week:</p><ol><li><p>Revoke or rotate privileged sessions, admin cookies, and high-value credentials stored or recently used on unmanaged or lightly managed endpoints.</p></li><li><p>2. Confirm that every leader, finance user, and administrator is using managed endpoint protection and a password or passkey workflow that limits credential sprawl in the browser.</p></li><li><p>3. Review which SaaS admin accounts still allow broad access from a single endpoint without step-up verification or conditional access.</p></li></ol><p></p><div class="pullquote"><p>If your browser, email, and admin sessions are all one infostealer away from becoming an attacker&#8217;s launchpad, <strong><a href="https://get.bitdefender.com/8gk9x38k25bv">Bitdefender</a></strong> is a strong fit for SMB teams that need tighter endpoint visibility, isolation, and response coverage without building a large internal security operation.</p></div><p></p><h2>Regulators Still Expect You to Show Your Work After Ransomware</h2><p>HHS OCR said the ransomware investigation started after a health plan reported a breach tied to unauthorized access in November 2021. According to OCR, 10,023 individuals were potentially affected, and the plan paid $450,000 while agreeing to a two-year corrective action plan. OCR said the plan potentially failed to conduct an accurate and thorough risk analysis before the incident and failed to implement reasonable and appropriate policies and procedures under the HIPAA Privacy, Security, and Breach Notification Rules.</p><p></p><p>Why You Should Be Concerned:</p><ul><li><p>Ransomware response is also a documentation risk: OCR did not stop at the breach itself. It focused on what the organization could not prove it had already assessed and implemented.</p></li><li><p>The data set matters: OCR said names, addresses, phone numbers, email addresses, and Social Security numbers were potentially affected, which raises both operational and trust costs.</p></li><li><p>Regulators spelled out the control expectations: OCR specifically highlighted risk analysis, audit controls, system activity review, authentication, encryption, incident lessons learned, and workforce training.</p></li></ul><p><strong>Strategic Action:</strong> Stop assuming your controls are real because they are familiar. I recognize many SMB teams are stretched thin and rely on a handful of people to cover IT, privacy, and security at once. That is exactly why you need an evidence trail that survives a bad week.</p><p>Three steps to take this week:</p><ol><li><p>Map where regulated or otherwise high-sensitivity data enters, moves through, and leaves your systems, even if you are not a full-scale healthcare organization.</p></li><li><p>Document one current risk analysis for your most sensitive workflow instead of waiting for the perfect enterprise-wide assessment.</p></li><li><p>Verify that audit logging, authentication controls, encryption decisions, and workforce training are not just assumed but named, owned, and reviewable.</p><p></p></li></ol><blockquote><p><strong>AFTER RANSOMWARE, &#8220;WE THOUGHT WE HAD IT COVERED&#8221; IS NOT A CONTROL.</strong></p><p>OCR&#8217;s June 18 settlement shows that enforcement attention lands on the evidence behind your safeguards, not just your incident narrative. If risk analysis, policy maintenance, and control ownership still live across scattered documents and tribal knowledge, the cleanup cost goes up fast.</p><p> <strong>Copla</strong> is well matched for teams that need compliance automation, evidence collection, and expert support across frameworks without rebuilding the whole program from scratch.</p><p>Turn policy into proof. <a href="https://join.copla.com/cpf-coaching">Review Copla here</a></p></blockquote><p></p><h2>Computer-Using AI Is Becoming a Real Operations Design Choice</h2><p>Google said on June 24, 2026, that computer use is now a built-in tool in Gemini 3.5 Flash. Google said this lets developers build agents that can interact across browser, mobile, and desktop environments, and specifically framed the capability as a better fit for long-horizon automation tasks such as continuous software testing and knowledge work across professional applications. Google also said the release includes safeguards that can require explicit user confirmation for sensitive or irreversible actions and can automatically stop a task when indirect prompt injection is detected.</p><p></p><p>Why You Should Be Concerned:</p><ul><li><p>This shifts AI from generation to action: Google is packaging computer use inside a mainstream model, not as a niche experiment.</p></li><li><p>The risk language is already in the launch copy: Prompt injection, sensitive actions, and the need for human-in-the-loop verification were central to Google&#8217;s own safety framing.</p></li><li><p>Your approval model now matters more than your model demo: When AI can click, navigate, and act across tools, the governance question becomes operational rather than hypothetical.</p></li></ul><p>Strategic Action: Define where AI may advise, where it may draft, and where it may act only with approval. If a team cannot explain the trigger, owner, data boundary, and rollback for an agentic workflow, the workflow is not ready for production.</p><p></p><p>Three steps to take this week:</p><ol><li><p>Pick one low-risk workflow where AI can act in a bounded environment and document the exact success condition, stop condition, and human approver.</p></li><li><p>2. Require confirmation for spending, external communication, security changes, and record updates rather than leaving those actions to default agent behavior.</p></li><li><p>3. Log every pilot with the tool used, systems touched, data involved, owner, and rollback path before expanding access.</p></li></ol><p></p><h4>Final Thoughts for Leaders</h4><p>The common thread this week is execution without verification. Infostealers exploit it, regulators punish its absence, and AI that uses computers makes it easy to scale. Your job is no longer just to choose better tools. It is to decide which actions require proof, which systems can act alone, and which identities or agents need tighter boundaries before they can move. Put endpoint credential hygiene, risk-analysis evidence, and AI approval rules on your next leadership agenda before this week ends.</p><p></p><p></p><div class="subscription-widget-wrap-editor" data-attrs="{&quot;url&quot;:&quot;https://substack.cpf-coaching.com/subscribe?&quot;,&quot;text&quot;:&quot;Subscribe&quot;,&quot;language&quot;:&quot;en&quot;}" data-component-name="SubscribeWidgetToDOM"><div class="subscription-widget show-subscribe"><div class="preamble"><p class="cta-caption">SMB Tech &amp; Cybersecurity Leadership Newsletter is a reader-supported publication. To receive new posts and support my work, consider becoming a free or paid subscriber.</p></div><form class="subscription-widget-subscribe"><input type="email" class="email-input" name="email" placeholder="Type your email&#8230;" tabindex="-1"><input type="submit" class="button primary" value="Subscribe"><div class="fake-input-wrapper"><div class="fake-input"></div><div class="fake-button"></div></div></form></div></div><h3>Help Other Leaders Secure Their Future</h3><p><strong>The Network Effect of SMB Security</strong> </p><p>The most effective way to strengthen our SMB community is to share strategies that actually work in the field. If you find value in these technical deep dives, helping a fellow leader bridge their tech gap makes the entire ecosystem more resilient. Cybersecurity is a collective effort, and more informed peers lead to a safer environment for everyone&#8217;s business.</p><p><strong>Why Share This Subscription?</strong> When you refer a colleague to this newsletter, you are giving them access to the same specialized insights you use to lead your team:</p><ul><li><p><strong>Zero-fluff technical execution:</strong> No high-level theory, just the steps to implement.</p></li><li><p><strong>Cost-saving vendor analysis:</strong> An honest look at which tools are worth the cost for SMB budgets.</p></li><li><p><strong>Direct coaching frameworks:</strong> Access to the same logic I use with private coaching clients.</p></li></ul><p><strong>Pay It Forward.</strong> Use the button below to share this post or your unique referral link. When your peers join our community, we all benefit from a more secure and tech-forward marketplace.</p><p class="button-wrapper" data-attrs="{&quot;url&quot;:&quot;https://substack.cpf-coaching.com/p/infostealers-hipaa-fallout-and-computer?utm_source=substack&utm_medium=email&utm_content=share&action=share&quot;,&quot;text&quot;:&quot;Share&quot;,&quot;action&quot;:null,&quot;class&quot;:null}" data-component-name="ButtonCreateButton"><a class="button primary" href="https://substack.cpf-coaching.com/p/infostealers-hipaa-fallout-and-computer?utm_source=substack&utm_medium=email&utm_content=share&action=share"><span>Share</span></a></p><p class="button-wrapper" data-attrs="{&quot;url&quot;:&quot;https://substack.cpf-coaching.com/leaderboard?&amp;utm_source=post&quot;,&quot;text&quot;:&quot;Refer a friend&quot;,&quot;action&quot;:null,&quot;class&quot;:null}" data-component-name="ButtonCreateButton"><a class="button primary" href="https://substack.cpf-coaching.com/leaderboard?&amp;utm_source=post"><span>Refer a friend</span></a></p><p>You&#8217;ve seen the "Why" behind this [Cyber/Tech Issue]&#8212;but knowing the risk is only half the battle. To move from awareness to actual protection, you need a localized execution plan.</p><p>The remainder of this deep dive is designed specifically for the SMB leader who needs to move fast without a massive enterprise budget. By upgrading to a paid subscription, you unlock:</p><ul><li><p><strong>The &#8220;How-To&#8221; Framework:</strong> A step-by-step breakdown of the [Process/Tool] mentioned above.</p></li><li><p><strong>Resource Toolkit:</strong> Downloadable templates and checklists I use with my private coaching clients.</p></li><li><p><strong>The Bottom Line:</strong> Direct analysis of the ROI and cost-savings associated with this strategy</p></li></ul><p><strong>Subscribe to Unlock the Full Strategy</strong> </p><p></p><p></p><p class="button-wrapper" data-attrs="{&quot;url&quot;:&quot;https://substack.cpf-coaching.com/subscribe?&quot;,&quot;text&quot;:&quot;Subscribe now&quot;,&quot;action&quot;:null,&quot;class&quot;:null}" data-component-name="ButtonCreateButton"><a class="button primary" href="https://substack.cpf-coaching.com/subscribe?"><span>Subscribe now</span></a></p><p></p>
      <p>
          <a href="https://substack.cpf-coaching.com/p/infostealers-hipaa-fallout-and-computer">
              Read more
          </a>
      </p>
   ]]></content:encoded></item><item><title><![CDATA[SMB Cyber Risk: Securing the Control Plane and Agentic AI]]></title><description><![CDATA[Why exploited business systems, automated-decision duties, and agentic AI all point to one SMB leadership problem: control.]]></description><link>https://substack.cpf-coaching.com/p/this-weeks-smb-risk-signals-control</link><guid isPermaLink="false">https://substack.cpf-coaching.com/p/this-weeks-smb-risk-signals-control</guid><dc:creator><![CDATA[Christophe Foulon 📓]]></dc:creator><pubDate>Fri, 03 Jul 2026 17:46:08 GMT</pubDate><enclosure url="https://substackcdn.com/image/fetch/$s_!cr2s!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fdf3667c7-215c-452b-a880-8e66702f281e_1672x941.png" length="0" type="image/jpeg"/><content:encoded><![CDATA[<p>On July 1, 2026, CISA added a Microsoft SharePoint Server deserialization vulnerability to its Known Exploited Vulnerabilities catalog, with a July 4 remediation due date for federal agencies. Two days earlier, CISA added a SimpleHelp authentication-bypass vulnerability, also with a compressed remediation window. The same recent KEV cluster included enterprise communication, engineering, remote administration, and network-management products from Cisco, PTC, Lantronix, and Ubiquiti. Separately, Colorado&#8217;s revised AI law has shifted the compliance conversation toward automated decision-making technology used in consequential decisions, while Anthropic&#8217;s June 30 announcements pushed more agentic and auditable AI work into everyday business lanes.</p><p>The common thread this week is not a single malware family or vendor. It is control. Attackers are targeting the systems that coordinate work, provide remote help, route communications, manage devices, and store collaboration data. Regulators are asking whether automated decisions can be explained, corrected, and reviewed. AI vendors are making it easier for software to perform more of the work itself. For SMB leaders, the question is no longer whether a tool is useful. It is whether the tool has authority over your business that you can see, limit, and reverse.</p><div class="captioned-image-container"><figure><a class="image-link image2 is-viewable-img" target="_blank" href="https://substackcdn.com/image/fetch/$s_!cr2s!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fdf3667c7-215c-452b-a880-8e66702f281e_1672x941.png" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" srcset="https://substackcdn.com/image/fetch/$s_!cr2s!,w_424,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fdf3667c7-215c-452b-a880-8e66702f281e_1672x941.png 424w, https://substackcdn.com/image/fetch/$s_!cr2s!,w_848,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fdf3667c7-215c-452b-a880-8e66702f281e_1672x941.png 848w, https://substackcdn.com/image/fetch/$s_!cr2s!,w_1272,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fdf3667c7-215c-452b-a880-8e66702f281e_1672x941.png 1272w, https://substackcdn.com/image/fetch/$s_!cr2s!,w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fdf3667c7-215c-452b-a880-8e66702f281e_1672x941.png 1456w" sizes="100vw"><img src="https://substackcdn.com/image/fetch/$s_!cr2s!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fdf3667c7-215c-452b-a880-8e66702f281e_1672x941.png" width="1456" height="819" data-attrs="{&quot;src&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/df3667c7-215c-452b-a880-8e66702f281e_1672x941.png&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:null,&quot;height&quot;:819,&quot;width&quot;:1456,&quot;resizeWidth&quot;:null,&quot;bytes&quot;:null,&quot;alt&quot;:&quot;Infographic showing three SMB risk zones: control-plane systems, automated decisions, and agentic AI workflows, each connected to review, logging, and approval controls.&quot;,&quot;title&quot;:null,&quot;type&quot;:null,&quot;href&quot;:null,&quot;belowTheFold&quot;:false,&quot;topImage&quot;:true,&quot;internalRedirect&quot;:null,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" class="sizing-normal" alt="Infographic showing three SMB risk zones: control-plane systems, automated decisions, and agentic AI workflows, each connected to review, logging, and approval controls." title="Infographic showing three SMB risk zones: control-plane systems, automated decisions, and agentic AI workflows, each connected to review, logging, and approval controls." srcset="https://substackcdn.com/image/fetch/$s_!cr2s!,w_424,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fdf3667c7-215c-452b-a880-8e66702f281e_1672x941.png 424w, https://substackcdn.com/image/fetch/$s_!cr2s!,w_848,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fdf3667c7-215c-452b-a880-8e66702f281e_1672x941.png 848w, https://substackcdn.com/image/fetch/$s_!cr2s!,w_1272,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fdf3667c7-215c-452b-a880-8e66702f281e_1672x941.png 1272w, https://substackcdn.com/image/fetch/$s_!cr2s!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fdf3667c7-215c-452b-a880-8e66702f281e_1672x941.png 1456w" sizes="100vw" fetchpriority="high"></picture><div class="image-link-expand"><div class="pencraft pc-display-flex pc-gap-8 pc-reset"><button tabindex="0" type="button" class="pencraft pc-reset pencraft icon-container restack-image"><svg role="img" width="20" height="20" viewBox="0 0 20 20" fill="none" stroke-width="1.5" stroke="var(--color-fg-primary)" stroke-linecap="round" stroke-linejoin="round" xmlns="http://www.w3.org/2000/svg"><g><title></title><path d="M2.53001 7.81595C3.49179 4.73911 6.43281 2.5 9.91173 2.5C13.1684 2.5 15.9537 4.46214 17.0852 7.23684L17.6179 8.67647M17.6179 8.67647L18.5002 4.26471M17.6179 8.67647L13.6473 6.91176M17.4995 12.1841C16.5378 15.2609 13.5967 17.5 10.1178 17.5C6.86118 17.5 4.07589 15.5379 2.94432 12.7632L2.41165 11.3235M2.41165 11.3235L1.5293 15.7353M2.41165 11.3235L6.38224 13.0882"></path></g></svg></button><button tabindex="0" type="button" class="pencraft pc-reset pencraft icon-container view-image"><svg xmlns="http://www.w3.org/2000/svg" width="20" height="20" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round" class="lucide lucide-maximize2 lucide-maximize-2"><polyline points="15 3 21 3 21 9"></polyline><polyline points="9 21 3 21 3 15"></polyline><line x1="21" x2="14" y1="3" y2="10"></line><line x1="3" x2="10" y1="21" y2="14"></line></svg></button></div></div></div></a><figcaption class="image-caption">This week&#8217;s risk pattern is control: the tools that coordinate work, make recommendations, or act across systems need faster patching, clearer ownership, and better audit trails.</figcaption></figure></div><div class="subscription-widget-wrap-editor" data-attrs="{&quot;url&quot;:&quot;https://substack.cpf-coaching.com/subscribe?&quot;,&quot;text&quot;:&quot;Subscribe&quot;,&quot;language&quot;:&quot;en&quot;}" data-component-name="SubscribeWidgetToDOM"><div class="subscription-widget show-subscribe"><div class="preamble"><p class="cta-caption">SMB Tech &amp; Cybersecurity Leadership Newsletter is a reader-supported publication. To receive new posts and support my work, consider becoming a free or paid subscriber.</p></div><form class="subscription-widget-subscribe"><input type="email" class="email-input" name="email" placeholder="Type your email&#8230;" tabindex="-1"><input type="submit" class="button primary" value="Subscribe"><div class="fake-input-wrapper"><div class="fake-input"></div><div class="fake-button"></div></div></form></div></div><p></p><h2>1. Collaboration and Remote-Support Tools Are Now Front-Door Risk</h2><p>CISA&#8217;s most recent KEV additions are a useful leadership signal because they are not clustered in a single obscure product category. SharePoint is a collaboration backbone. SimpleHelp is remote support. Cisco Unified Communications Manager supports voice and collaboration. PTC Windchill and FlexPLM can sit close to product, engineering, and lifecycle operations. Ubiquiti UniFi OS and Lantronix EDS5000 touch network and device administration.</p><p>That matters because these platforms often sit above ordinary endpoint risk. They connect people, vendors, admins, files, devices, and workflows. If an attacker gets leverage there, the blast radius is not just one laptop. It can serve as a route into documents, privileged access, helpdesk workflows, engineering data, customer records, or operational systems.</p><ul><li><p><strong>The exploit window is shrinking:</strong> CISA&#8217;s recent federal due dates are measured in days, not weeks. Even if those due dates formally apply to federal agencies, they are a practical signal for every organization that depends on the same products.</p></li><li><p><strong>Remote support needs more scrutiny than ordinary SaaS:</strong> A remote-support product is supposed to cross trust boundaries. That makes authentication bypass and session-control weaknesses especially sensitive.</p></li><li><p><strong>Collaboration systems are evidence systems:</strong> SharePoint, communications tools, and product systems hold records your team may need during an incident, audit, dispute, or insurance claim.</p></li></ul><p><strong>Strategic Action:</strong>&nbsp;Treat collaboration, remote support, communications, and network management platforms as control-plane systems. They deserve shorter patch timelines, tighter admin review, and separate incident playbooks.<br></p><p><strong>Partner resource: </strong>For the 72-hour exposure review, <a href="https://shop.tenable.com/cpf-coaching">Tenable</a> is a practical fit for teams that need vulnerability and exposure visibility across internet-facing systems, remote-support tooling, and infrastructure. <br><a href="https://shop.tenable.com/cpf-coaching"><sub>Tenable</sub></a><sub> is an affiliate link, which means CPF Coaching may earn a commission if you choose to use it.</sub></p><p></p><p><strong>This Week&#8217;s Leadership Move:</strong></p><ol><li><p>Ask your IT owner or managed provider for a list of products that can administer devices, provide remote support, manage network gear, store regulated data, or coordinate internal files.</p></li><li><p>Check whether any product in that list appears in CISA KEV or vendor emergency advisories.</p></li><li><p>Create a 72-hour rule for exploited vulnerabilities in those systems, even if your normal patch cycle is monthly.</p></li></ol><p></p><h2>2. AI Compliance Is Moving From Model Labels to Decision Rights</h2><p>Colorado&#8217;s revised AI law is useful for SMB leaders because it moves the discussion away from abstract AI hype and toward a practical question: when automated decision-making technology materially influences a consequential decision, what does the business owe the person affected?</p><p>The revised law uses an automated-decision framework rather than simply asking whether a tool is branded as &#8220;AI.&#8221; Norton Rose Fulbright&#8217;s analysis notes that the revised Colorado framework focuses on covered automated decision-making technology used in consequential decisions, including employment, housing, financial services, insurance, health care, education, and government services. It also emphasizes notice, explanation, correction, and meaningful human review after adverse outcomes.</p><p>That structure should catch the attention of SMBs even outside Colorado. Many smaller firms use applicant-screening tools, lead-scoring systems, customer-risk flags, insurance workflows, credit tools, clinical intake products, scheduling engines, or automated customer support triage without calling them AI governance issues. The label matters less than the decision's impact.</p><ul><li><p><strong>Inventory beats policy theater:</strong> A generic AI policy does not help if nobody knows where automated recommendations influence customers, employees, tenants, patients, borrowers, or applicants.</p></li><li><p><strong>Human review has to be operational:</strong> It is not enough to say a person is &#8220;in the loop&#8221; if the reviewer cannot see the inputs, correct bad data, override the decision, or explain the outcome.</p></li><li><p><strong>Vendor documentation is now part of your evidence trail:</strong> If a third-party system influences a consequential decision, your contract, configuration, logs, and escalation path matter.</p></li></ul><p><strong>Strategic Action:</strong> Build an automated-decision register before you buy another AI or analytics tool. List where software scores, ranks, recommends, blocks, approves, escalates, or materially influences decisions about people.<br></p><p><strong>Partner resource: </strong>If the automated-decision register turns into a compliance evidence project, <a href="https://join.copla.com/cpf-coaching">Copla</a> can help SMBs organize cyber risk, assessments, and compliance workflows without building an enterprise GRC stack. <br><a href="https://join.copla.com/cpf-coaching"><sub>Copla</sub></a><sub> is an affiliate link, which means CPF Coaching may earn a commission if you choose to use it.<br></sub></p><p><strong>This Week&#8217;s Leadership Move:</strong></p><ol><li><p>Pick one department, such as HR, sales, finance, health operations, or customer success.</p></li><li><p>Identify every workflow where software recommends or influences a decision about a person.</p></li><li><p>For each workflow, document the owner, vendor, data source, appeal path, human reviewer, and override authority.</p></li></ol><p></p><h2>3. Agentic AI Is Becoming an Operating Model, Not a Side Experiment</h2><p>Anthropic&#8217;s June 30 release notes point in the same direction as the broader AI market: more agentic everyday work, more specialized AI applications, and more emphasis on auditable artifacts. Anthropic described Sonnet 5 as its most agentic Sonnet model for coding and everyday professional work, and described Claude Science as a customizable app that integrates common research tools, produces auditable artifacts, and provides flexible compute access.</p><p>For SMBs, the specific vendor matters less than the operating pattern. AI tools are moving from &#8220;write a draft&#8221; toward &#8220;use tools, work across systems, produce artifacts, and act inside business workflows.&#8221; That can be valuable. It can also create a silent risk when AI can access customer data, privileged systems, regulated decisions, code, financial workflows, or external communications.</p><ul><li><p><strong>Auditable artifacts are becoming a buying criterion:</strong> If an AI system performs meaningful work, your team needs evidence of inputs, outputs, tools used, approvals, and final changes.</p></li><li><p><strong>Agentic work needs budget and authority limits:</strong> A model that can browse, code, schedule, file, summarize, or update records can create operational cost and operational exposure.</p></li><li><p><strong>Specialized AI apps can bypass central review:</strong> A research, coding, sales, or support tool may enter through one team while raising enterprise-wide data and security questions.</p></li></ul><p><strong>Strategic Action:</strong> Do not approve agentic AI by demo quality alone. Approve it through workflow, authority, data boundaries, logging, rollback, and the business owner.</p><p></p><p><strong>Partner resource: </strong>For leaders experimenting with agentic AI, <a href="https://try.airia.com/CPF-coaching">Airia</a> is worth evaluating when the requirement is governed AI workflow execution, not just another chat window. <br><a href="https://try.airia.com/CPF-coaching"><sub>Airia</sub></a><sub> is an affiliate link, which means CPF Coaching may earn a commission if you choose to use it.</sub></p><p></p><p><strong>This Week&#8217;s Leadership Move:</strong></p><ol><li><p>Select one current or proposed AI workflow and classify it as advisory only, draft-and-review, or permissioned execution.</p></li><li><p>Write the stop condition: when must the workflow pause and ask a human?</p></li><li><p>Confirm where logs, prompts, tool actions, files, and final outputs are retained.</p></li></ol><p></p><h3>Final Thoughts for Leaders</h3><p>This week is about the systems that sit above the work. SharePoint, remote support, communications systems, network management, automated decisions, and agentic AI all carry a common risk: they can coordinate action faster than leadership can inspect it. That is the control-plane problem.</p><p>You do not need a giant security program to respond. You need a shorter list of critical systems, faster action on actively exploited vulnerabilities, an automated-decision register, and clear rules for where AI can advise, draft, or act. Put those four items on the leadership agenda before the holiday week ends.</p><div><hr></div><p></p><h3>Help Other Leaders Secure Their Future</h3><p><strong>The Network Effect of SMB Security</strong> </p><p>The most effective way to strengthen our SMB community is to share strategies that actually work in the field. If you find value in these technical deep dives, helping a fellow leader bridge their tech gap makes the entire ecosystem more resilient. Cybersecurity is a collective effort, and more informed peers lead to a safer environment for everyone&#8217;s business.</p><p><strong>Why Share This Subscription?</strong> When you refer a colleague to this newsletter, you are giving them access to the same specialized insights you use to lead your team:</p><ul><li><p><strong>Zero-fluff technical execution:</strong> No high-level theory, just the steps to implement.</p></li><li><p><strong>Cost-saving vendor analysis:</strong> An honest look at which tools are worth the cost for SMB budgets.</p></li><li><p><strong>Direct coaching frameworks:</strong> Access to the same logic I use with private coaching clients.</p></li></ul><p><strong>Pay It Forward.</strong> Use the button below to share this post or your unique referral link. When your peers join our community, we all benefit from a more secure and tech-forward marketplace.</p><p class="button-wrapper" data-attrs="{&quot;url&quot;:&quot;https://substack.cpf-coaching.com/leaderboard?&amp;utm_source=post&quot;,&quot;text&quot;:&quot;Refer a friend&quot;,&quot;action&quot;:null,&quot;class&quot;:null}" data-component-name="ButtonCreateButton"><a class="button primary" href="https://substack.cpf-coaching.com/leaderboard?&amp;utm_source=post"><span>Refer a friend</span></a></p><p class="button-wrapper" data-attrs="{&quot;url&quot;:&quot;https://substack.cpf-coaching.com/p/this-weeks-smb-risk-signals-control?utm_source=substack&utm_medium=email&utm_content=share&action=share&quot;,&quot;text&quot;:&quot;Share&quot;,&quot;action&quot;:null,&quot;class&quot;:null}" data-component-name="ButtonCreateButton"><a class="button primary" href="https://substack.cpf-coaching.com/p/this-weeks-smb-risk-signals-control?utm_source=substack&utm_medium=email&utm_content=share&action=share"><span>Share</span></a></p><p>You&#8217;ve seen the "Why" behind this [Cyber/Tech Issue]&#8212;but knowing the risk is only half the battle. To move from awareness to actual protection, you need a localized execution plan.</p><p>The remainder of this deep dive is designed specifically for the SMB leader who needs to move fast without a massive enterprise budget. By upgrading to a paid subscription, you unlock:</p><ul><li><p><strong>The &#8220;How-To&#8221; Framework:</strong> A step-by-step breakdown of the [Process/Tool] mentioned above.</p></li><li><p><strong>Resource Toolkit:</strong> Downloadable templates and checklists I use with my private coaching clients.</p></li><li><p><strong>The Bottom Line:</strong> Direct analysis of the ROI and cost-savings associated with this strategy</p></li></ul><blockquote><p style="text-align: center;"><strong>Subscribe to Unlock the Full Strategy</strong> </p><p style="text-align: center;"><em>Join a community of SMB leaders who stop reacting to tech shifts and start leading them.</em></p><p class="button-wrapper" data-attrs="{&quot;url&quot;:&quot;https://substack.cpf-coaching.com/subscribe?&quot;,&quot;text&quot;:&quot;Subscribe now&quot;,&quot;action&quot;:null,&quot;class&quot;:null}" data-component-name="ButtonCreateButton"><a class="button primary" href="https://substack.cpf-coaching.com/subscribe?"><span>Subscribe now</span></a></p></blockquote><div class="paywall-jump" data-component-name="PaywallToDOM"></div><h2>Premium Intelligence: The SMB Control-Plane Risk Pack</h2><h3>1. 72-Hour Control-Plane Exposure Review</h3><p><strong>Technical Detail:</strong> CISA&#8217;s recent KEV additions included Microsoft SharePoint Server, SimpleHelp, Cisco Unified Communications Manager, PTC Windchill and FlexPLM, Lantronix EDS5000, and Ubiquiti UniFi OS. The product mix matters because it spans the collaboration, remote support, communications, product lifecycle, network, and device management layers.</p><p>Use this review for any system that can administer devices, provide remote access, store collaboration records, manage network infrastructure, route business communications, or coordinate product data.</p><p><strong>Control Questions:</strong></p><ul><li><p>Who owns emergency patch approval for this system?</p></li><li><p>Who can create, elevate, or disable admin access?</p></li><li><p>What vendor or MSP accounts can access it?</p></li><li><p>Where are admin actions logged?</p></li><li><p>What business process fails if the system is taken offline?</p></li><li><p>What customer, employee, or regulated data can be reached through it?</p></li></ul><p><strong>72-Hour Actions:</strong></p><ol><li><p>Search the product name in CISA KEV and the vendor&#8217;s security advisories.</p></li><li><p>Confirm version, patch status, and internet exposure.</p></li><li><p>Review admin, service, and vendor accounts.</p></li><li><p>Export or preserve audit logs before making major changes.</p></li><li><p>Confirm backup and recovery path for configuration and records.</p></li></ol><p></p><h3>2. Automated-Decision Register for Lean Teams</h3><p><strong>Technical Detail:</strong> The revised Colorado AI framework focuses on automated decision-making technology that materially influences consequential decisions. The practical issue for SMBs is not whether a tool markets itself as AI. It is whether software influences decisions about employment, financial access, insurance, health care, housing, education, government services, or similarly sensitive outcomes.</p><p>Start with a simple register. Do not overbuild it.</p><p>Workflow Tool or vendor Decision affected Data used Human reviewer Override path Evidence retained Candidate screening Interview selection Resume, assessments Customer risk scoring Approval or escalation CRM, payment history Support prioritization Response urgency Ticket text, account tier Credit, billing, or access decision Service access Financial or usage data</p><p><strong>Minimum Evidence Standard:</strong></p><ul><li><p>Tool owner</p></li><li><p>Vendor contract or terms</p></li><li><p>Data fields used</p></li><li><p>Decision category</p></li><li><p>Human review owner</p></li><li><p>Correction path</p></li><li><p>Logs retained</p></li><li><p>Customer or employee notice, where applicable</p></li></ul><h3>3. Agentic AI Authorization Map</h3><p>Use this map before letting AI tools act inside live systems.</p><p>AI workflow Allowed to advise Allowed to draft Allowed to act Data boundary Approval owner Logs retained Stop condition Draft customer response Yes Yes No Customer ticket only Support lead Ticket + AI log Legal, refund, threat, regulated claim Update CRM records Yes Yes Conditional CRM fields approved Sales ops CRM history + AI log Missing source or confidence flag Write or modify code Yes Yes Conditional Repo scope only Engineering owner PR + test output Security-sensitive change Vendor-risk review Yes Yes No Contract and questionnaire only Operations owner Review memo Missing evidence</p><p><strong>Operating Rule:</strong> AI may move faster than your team, but it should not outrun ownership. Every permissioned workflow needs a named owner, explicit data boundary, retained logs, and a rollback path.</p><h2>Premium Template: Friday Control-Plane Briefing</h2><p>Use this in a 30-minute leadership meeting.</p><p><strong>Part 1: Critical Systems</strong></p><ul><li><p>Which collaboration, remote-support, communications, network, and admin tools are business critical?</p></li><li><p>Which have internet exposure?</p></li><li><p>Which have privileged vendor or MSP access?</p></li><li><p>Which appeared in KEV or vendor emergency advisories in the last 30 days?</p></li></ul><p><strong>Part 2: Automated Decisions</strong></p><ul><li><p>Where does software score, rank, approve, deny, escalate, or recommend actions affecting people?</p></li><li><p>Which decisions have a human review path?</p></li><li><p>Which decisions can be explained and corrected?</p></li></ul><p><strong>Part 3: Agentic AI</strong></p><ul><li><p>Which AI workflows can act in live systems?</p></li><li><p>Which can only draft?</p></li><li><p>Which are advisory only?</p></li><li><p>Where are logs and outputs retained?</p></li><li><p>What is the stop condition for each workflow?</p></li></ul><h2>Premium Checklist: 10-Day Control-Plane Sprint</h2><ul><li><p>[ ] Inventory collaboration, remote support, communications, network management, and admin tools.</p></li><li><p>[ ] Check the inventory against CISA KEV and vendor advisories.</p></li><li><p>[ ] Assign a 72-hour patch owner for exploited vulnerabilities in control-plane systems.</p></li><li><p>[ ] Review admin and vendor access for remote-support and collaboration platforms.</p></li><li><p>[ ] Confirm logs are retained for admin actions and remote sessions.</p></li><li><p>[ ] Create an automated-decision register for one department.</p></li><li><p>[ ] Document human review and override paths for sensitive automated decisions.</p></li><li><p>[ ] Classify AI workflows into advisory, draft-and-review, and permissioned-execution lanes.</p></li><li><p>[ ] Write stop conditions for the top three AI workflows.</p></li><li><p>[ ] Preserve evidence: patch receipts, access reviews, decision register, AI logs, and approval notes.</p></li></ul><p></p><div class="captioned-button-wrap" data-attrs="{&quot;url&quot;:&quot;https://substack.cpf-coaching.com/p/this-weeks-smb-risk-signals-control?utm_source=substack&utm_medium=email&utm_content=share&action=share&quot;,&quot;text&quot;:&quot;Share&quot;}" data-component-name="CaptionedButtonToDOM"><div class="preamble"><p class="cta-caption">Thanks for reading the SMB Tech &amp; Cybersecurity Leadership Newsletter! If you have gained value from this post, why not share it with others as well?</p></div><p class="button-wrapper" data-attrs="{&quot;url&quot;:&quot;https://substack.cpf-coaching.com/p/this-weeks-smb-risk-signals-control?utm_source=substack&utm_medium=email&utm_content=share&action=share&quot;,&quot;text&quot;:&quot;Share&quot;}" data-component-name="ButtonCreateButton"><a class="button primary" href="https://substack.cpf-coaching.com/p/this-weeks-smb-risk-signals-control?utm_source=substack&utm_medium=email&utm_content=share&action=share"><span>Share</span></a></p></div><p></p><p></p><h2>Sources</h2><ul><li><p>CISA, Known Exploited Vulnerabilities Catalog JSON feed, accessed July 3, 2026: https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json</p></li><li><p>CISA, Known Exploited Vulnerabilities Catalog: https://www.cisa.gov/known-exploited-vulnerabilities-catalog</p></li><li><p>Norton Rose Fulbright, &#8220;Colorado enacts revised AI law,&#8221; May 2026: https://www.nortonrosefulbright.com/en-us/knowledge/publications/18733d31/colorado-enacts-revised-ai-law</p></li><li><p>Anthropic, homepage release listings for &#8220;Introducing Sonnet 5&#8221; and &#8220;Announcing Claude Science,&#8221; accessed July 3, 2026: https://www.anthropic.com/</p></li><li><p>The White House, &#8220;Promoting Advanced Artificial Intelligence Innovation and Security,&#8221; June 2, 2026: https://www.whitehouse.gov/presidential-actions/2026/06/promoting-advanced-artificial-intelligence-innovation-and-security/</p></li></ul>]]></content:encoded></item><item><title><![CDATA[Stolen Logins, AI Agents, and $450K Regulatory Fines]]></title><description><![CDATA[What executes in your business without human verification? A CISO's guide to defending SMBs against infostealers, HIPAA fallout, and agentic AI.]]></description><link>https://substack.cpf-coaching.com/p/this-weeks-smb-risk-signals-infostealers</link><guid isPermaLink="false">https://substack.cpf-coaching.com/p/this-weeks-smb-risk-signals-infostealers</guid><dc:creator><![CDATA[Christophe Foulon 📓]]></dc:creator><pubDate>Fri, 26 Jun 2026 22:30:01 GMT</pubDate><enclosure url="https://substackcdn.com/image/fetch/$s_!cP_k!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Feac1c735-fd9a-4724-804f-d3b1b64274d0_1376x768.png" length="0" type="image/jpeg"/><content:encoded><![CDATA[<p>On June 24, 2026, Microsoft said its Digital Crimes Unit, working with Europol and industry partners, moved to disrupt more than 200 malicious StealC and Amadey command-and-control domains and IP addresses. Six days earlier, on June 18, 2026, HHS&#8217; Office for Civil Rights announced a $450,000 HIPAA settlement after a ransomware incident at a health plan that potentially affected 10,023 people. Then on June 24, 2026, Google said computer use is now built directly into Gemini 3.5 Flash, giving teams a mainstream path to AI that can see, reason, and take action across browser, mobile, and desktop environments.</p><p>These are not separate stories. They are one operating lesson told from three angles. The software you trust can steal. The workflows you postpone can become regulatory evidence. And the AI you pilot for convenience can cross the line from draft help to real execution faster than your approval model catches up. If you lead an SMB with limited staff and a long to-do list, the real question this week is simple: <br><em>What inside your business can act before a human verifies it?</em></p><div class="captioned-image-container"><figure><a class="image-link image2 is-viewable-img" target="_blank" href="https://substackcdn.com/image/fetch/$s_!cP_k!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Feac1c735-fd9a-4724-804f-d3b1b64274d0_1376x768.png" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" srcset="https://substackcdn.com/image/fetch/$s_!cP_k!,w_424,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Feac1c735-fd9a-4724-804f-d3b1b64274d0_1376x768.png 424w, https://substackcdn.com/image/fetch/$s_!cP_k!,w_848,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Feac1c735-fd9a-4724-804f-d3b1b64274d0_1376x768.png 848w, https://substackcdn.com/image/fetch/$s_!cP_k!,w_1272,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Feac1c735-fd9a-4724-804f-d3b1b64274d0_1376x768.png 1272w, https://substackcdn.com/image/fetch/$s_!cP_k!,w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Feac1c735-fd9a-4724-804f-d3b1b64274d0_1376x768.png 1456w" sizes="100vw"><img src="https://substackcdn.com/image/fetch/$s_!cP_k!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Feac1c735-fd9a-4724-804f-d3b1b64274d0_1376x768.png" width="1376" height="768" data-attrs="{&quot;src&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/eac1c735-fd9a-4724-804f-d3b1b64274d0_1376x768.png&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:null,&quot;height&quot;:768,&quot;width&quot;:1376,&quot;resizeWidth&quot;:null,&quot;bytes&quot;:810578,&quot;alt&quot;:&quot;nfostealers, ransomware evidence, and computer-using AI all punish unverified action.\&quot; It features three distinct columns summarizing the week's risks and leadership moves:  Cyber Threat (Infostealer Economy): Notes over 200 malicious nodes were disrupted and advises leaders to treat browsers, endpoints, and privileged sessions as a single identity risk surface.  Privacy / Regulatory (HIPAA Proof Gap): Highlights a $450K settlement affecting over 10,000 people and urges leaders to build evidence for safeguards before an incident occurs, not after a regulator asks.  AI / Modernization (Computer-Using AI): Mentions new built-in confirmation safeguards for AI and advises leaders to classify AI into \&quot;advise, draft, and act\&quot; lanes before it touches live systems.&quot;,&quot;title&quot;:null,&quot;type&quot;:&quot;image/png&quot;,&quot;href&quot;:null,&quot;belowTheFold&quot;:false,&quot;topImage&quot;:true,&quot;internalRedirect&quot;:&quot;https://substack.cpf-coaching.com/i/203533241?img=https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Feac1c735-fd9a-4724-804f-d3b1b64274d0_1376x768.png&quot;,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" class="sizing-normal" alt="nfostealers, ransomware evidence, and computer-using AI all punish unverified action.&quot; It features three distinct columns summarizing the week's risks and leadership moves:  Cyber Threat (Infostealer Economy): Notes over 200 malicious nodes were disrupted and advises leaders to treat browsers, endpoints, and privileged sessions as a single identity risk surface.  Privacy / Regulatory (HIPAA Proof Gap): Highlights a $450K settlement affecting over 10,000 people and urges leaders to build evidence for safeguards before an incident occurs, not after a regulator asks.  AI / Modernization (Computer-Using AI): Mentions new built-in confirmation safeguards for AI and advises leaders to classify AI into &quot;advise, draft, and act&quot; lanes before it touches live systems." title="nfostealers, ransomware evidence, and computer-using AI all punish unverified action.&quot; It features three distinct columns summarizing the week's risks and leadership moves:  Cyber Threat (Infostealer Economy): Notes over 200 malicious nodes were disrupted and advises leaders to treat browsers, endpoints, and privileged sessions as a single identity risk surface.  Privacy / Regulatory (HIPAA Proof Gap): Highlights a $450K settlement affecting over 10,000 people and urges leaders to build evidence for safeguards before an incident occurs, not after a regulator asks.  AI / Modernization (Computer-Using AI): Mentions new built-in confirmation safeguards for AI and advises leaders to classify AI into &quot;advise, draft, and act&quot; lanes before it touches live systems." srcset="https://substackcdn.com/image/fetch/$s_!cP_k!,w_424,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Feac1c735-fd9a-4724-804f-d3b1b64274d0_1376x768.png 424w, https://substackcdn.com/image/fetch/$s_!cP_k!,w_848,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Feac1c735-fd9a-4724-804f-d3b1b64274d0_1376x768.png 848w, https://substackcdn.com/image/fetch/$s_!cP_k!,w_1272,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Feac1c735-fd9a-4724-804f-d3b1b64274d0_1376x768.png 1272w, https://substackcdn.com/image/fetch/$s_!cP_k!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Feac1c735-fd9a-4724-804f-d3b1b64274d0_1376x768.png 1456w" sizes="100vw" fetchpriority="high"></picture><div class="image-link-expand"><div class="pencraft pc-display-flex pc-gap-8 pc-reset"><button tabindex="0" type="button" class="pencraft pc-reset pencraft icon-container restack-image"><svg role="img" width="20" height="20" viewBox="0 0 20 20" fill="none" stroke-width="1.5" stroke="var(--color-fg-primary)" stroke-linecap="round" stroke-linejoin="round" xmlns="http://www.w3.org/2000/svg"><g><title></title><path d="M2.53001 7.81595C3.49179 4.73911 6.43281 2.5 9.91173 2.5C13.1684 2.5 15.9537 4.46214 17.0852 7.23684L17.6179 8.67647M17.6179 8.67647L18.5002 4.26471M17.6179 8.67647L13.6473 6.91176M17.4995 12.1841C16.5378 15.2609 13.5967 17.5 10.1178 17.5C6.86118 17.5 4.07589 15.5379 2.94432 12.7632L2.41165 11.3235M2.41165 11.3235L1.5293 15.7353M2.41165 11.3235L6.38224 13.0882"></path></g></svg></button><button tabindex="0" type="button" class="pencraft pc-reset pencraft icon-container view-image"><svg xmlns="http://www.w3.org/2000/svg" width="20" height="20" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round" class="lucide lucide-maximize2 lucide-maximize-2"><polyline points="15 3 21 3 21 9"></polyline><polyline points="9 21 3 21 3 15"></polyline><line x1="21" x2="14" y1="3" y2="10"></line><line x1="3" x2="10" y1="21" y2="14"></line></svg></button></div></div></div></a><figcaption class="image-caption">Verify Before It Executes</figcaption></figure></div><div class="subscription-widget-wrap-editor" data-attrs="{&quot;url&quot;:&quot;https://substack.cpf-coaching.com/subscribe?&quot;,&quot;text&quot;:&quot;Subscribe&quot;,&quot;language&quot;:&quot;en&quot;}" data-component-name="SubscribeWidgetToDOM"><div class="subscription-widget show-subscribe"><div class="preamble"><p class="cta-caption">SMB Tech &amp; Cybersecurity Leadership Newsletter is a reader-supported publication. To receive new posts and support my work, consider becoming a free or paid subscriber.</p></div><form class="subscription-widget-subscribe"><input type="email" class="email-input" name="email" placeholder="Type your email&#8230;" tabindex="-1"><input type="submit" class="button primary" value="Subscribe"><div class="fake-input-wrapper"><div class="fake-input"></div><div class="fake-button"></div></div></form></div></div><p></p><h2>1. Infostealers Are Still Feeding Bigger Attacks</h2><p>Microsoft said StealC is an infostealer that collects sensitive data from browsers, cryptocurrency wallets, messaging applications, email clients, and gaming platforms, while Amadey acts as a loader that can deliver StealC and other malware. Microsoft also said the disruption action on June 24 targeted more than 200 malicious domains and IPs tied to that infrastructure. The leadership takeaway is not only that one family got hit. It is that the credential-theft economy remains fast, modular, and commercially packaged.</p><p><strong>Why You Should Be Concerned:</strong></p><ul><li><p><strong>Credential theft is still the bridge to bigger damage:</strong> Microsoft explicitly tied infostealers to access brokers and downstream ransomware or follow-on operations.</p></li><li><p><strong>The first infection can start outside your most managed systems:</strong> Microsoft warned defenders may only notice the breach after valid credentials are already being abused.</p></li><li><p><strong>Browsers and user tools remain a soft spot:</strong> When browsers, email clients, and chat apps become collection points, one compromised endpoint can turn into a wider identity problem.</p></li></ul><p><strong>Strategic Action:</strong> Treat browser-stored access, local endpoints, and admin sessions as one control surface. If you are still separating endpoint protection from identity protection and browser hygiene, you are leaving too much room between infection and detection.</p><p>Three steps to take this week:</p><ol><li><p>Revoke or rotate privileged sessions, admin cookies, and high-value credentials stored or recently used on unmanaged or lightly managed endpoints.</p></li><li><p>Confirm that every leader, finance user, and administrator is using managed endpoint protection and a password or passkey workflow that limits credential sprawl in the browser.</p></li><li><p>Review which SaaS admin accounts still allow broad access from a single endpoint without step-up verification or conditional access.</p></li></ol><div class="pullquote"><p>If your browser, email, and admin sessions are all one infostealer away from becoming an attacker&#8217;s launchpad, <strong><a href="https://get.bitdefender.com/8gk9x38k25bv">Bitdefender</a></strong> is a strong fit for SMB teams that need tighter endpoint visibility, isolation, and response coverage without building a large internal security operation.</p></div><h2>2. Regulators Still Expect You to Show Your Work After Ransomware</h2><p>HHS OCR said the ransomware investigation started after a health plan reported a breach tied to unauthorized access in November 2021. According to OCR, 10,023 individuals were potentially affected, and the plan paid $450,000 while agreeing to a two-year corrective action plan. OCR said the plan potentially failed to conduct an accurate and thorough risk analysis before the incident and failed to implement reasonable and appropriate policies and procedures under the HIPAA Privacy, Security, and Breach Notification Rules.</p><p><strong>Why You Should Be Concerned:</strong></p><ul><li><p><strong>Ransomware response is also a documentation risk:</strong> OCR did not stop at the breach itself. It focused on what the organization could not prove it had already assessed and implemented.</p></li><li><p><strong>The data set matters:</strong> OCR said names, addresses, phone numbers, email addresses, and Social Security numbers were potentially affected, which raises both operational and trust costs.</p></li><li><p><strong>Regulators spelled out the control expectations:</strong> OCR specifically highlighted risk analysis, audit controls, system activity review, authentication, encryption, incident lessons learned, and workforce training.</p></li></ul><p><strong>Strategic Action:</strong> Stop assuming your controls are real because they are familiar. I recognize many SMB teams are stretched thin and rely on a handful of people to cover IT, privacy, and security at once. That is exactly why you need an evidence trail that survives a bad week.</p><p>Three steps to take this week:</p><ol><li><p>Map where regulated or otherwise high-sensitivity data enters, moves through, and leaves your systems, even if you are not a full-scale healthcare organization.</p></li><li><p>Document one current risk analysis for your most sensitive workflow instead of waiting for the perfect enterprise-wide assessment.</p></li><li><p>Verify that audit logging, authentication controls, encryption decisions, and workforce training are not just assumed but named, owned, and reviewable.</p></li></ol><blockquote><p><strong>AFTER RANSOMWARE, &#8220;WE THOUGHT WE HAD IT COVERED&#8221; IS NOT A CONTROL.</strong></p><p>OCR&#8217;s June 18 settlement shows that enforcement attention lands on the evidence behind your safeguards, not just your incident narrative. If risk analysis, policy maintenance, and control ownership still live across scattered documents and tribal knowledge, the cleanup cost goes up fast.</p><p><strong>Copla</strong> is well matched for teams that need compliance automation, evidence collection, and expert support across frameworks without rebuilding the whole program from scratch.</p><p><strong>Turn policy into proof. <a href="https://join.copla.com/cpf-coaching">Review Copla here</a></strong></p></blockquote><h2>3. Computer-Using AI Is Becoming a Real Operations Design Choice</h2><p>Google said on June 24, 2026, that computer use is now a built-in tool in Gemini 3.5 Flash. Google said this lets developers build agents that can interact across browser, mobile, and desktop environments, and specifically framed the capability as a better fit for long-horizon automation tasks such as continuous software testing and knowledge work across professional applications. Google also said the release includes safeguards that can require explicit user confirmation for sensitive or irreversible actions and can automatically stop a task when indirect prompt injection is detected.</p><p><strong>Why You Should Be Concerned:</strong></p><ul><li><p><strong>This shifts AI from generation to action:</strong> Google is packaging computer use inside a mainstream model, not as a niche experiment.</p></li><li><p><strong>The risk language is already in the launch copy:</strong> Prompt injection, sensitive actions, and the need for human-in-the-loop verification were central to Google&#8217;s own safety framing.</p></li><li><p><strong>Your approval model now matters more than your model demo:</strong> When AI can click, navigate, and act across tools, the governance question becomes operational rather than hypothetical.</p></li></ul><p><strong>Strategic Action:</strong> Define where AI may advise, where it may draft, and where it may act only with approval. If a team cannot explain the trigger, owner, data boundary, and rollback for an agentic workflow, the workflow is not ready for production.</p><p>Three steps to take this week:</p><ol><li><p>Pick one low-risk workflow where AI can act in a bounded environment and document the exact success condition, stop condition, and human approver.</p></li><li><p>Require confirmation for spending, external communication, security changes, and record updates rather than leaving those actions to default agent behavior.</p></li><li><p>Log every pilot with the tool used, systems touched, data involved, owner, and rollback path before expanding access.</p></li></ol><h3>Final Thoughts for Leaders</h3><p>The common thread this week is execution without verification. Infostealers exploit it, regulators punish its absence, and AI that uses computers makes it easy to scale. Your job is no longer just to choose better tools. It is to decide which actions require proof, which systems can act alone, and which identities or agents need tighter boundaries before they can move. Put endpoint credential hygiene, risk-analysis evidence, and AI approval rules on your next leadership agenda before this week ends.</p><p></p><blockquote><p style="text-align: center;"><strong>Subscribe to Unlock the Full Strategy</strong> </p><p style="text-align: center;"><em>Join a community of SMB leaders who stop reacting to tech shifts and start leading them.</em></p></blockquote><div class="subscription-widget-wrap-editor" data-attrs="{&quot;url&quot;:&quot;https://substack.cpf-coaching.com/subscribe?&quot;,&quot;text&quot;:&quot;Subscribe&quot;,&quot;language&quot;:&quot;en&quot;}" data-component-name="SubscribeWidgetToDOM"><div class="subscription-widget show-subscribe"><div class="preamble"><p class="cta-caption">SMB Tech &amp; Cybersecurity Leadership Newsletter is a reader-supported publication. To receive new posts and support my work, consider becoming a free or paid subscriber.</p></div><form class="subscription-widget-subscribe"><input type="email" class="email-input" name="email" placeholder="Type your email&#8230;" tabindex="-1"><input type="submit" class="button primary" value="Subscribe"><div class="fake-input-wrapper"><div class="fake-input"></div><div class="fake-button"></div></div></form></div></div><h3>Help Other Leaders Secure Their Future</h3><p><strong>The Network Effect of SMB Security</strong> </p><p>The most effective way to strengthen our SMB community is to share strategies that actually work in the field. If you find value in these technical deep dives, helping a fellow leader bridge their tech gap makes the entire ecosystem more resilient. Cybersecurity is a collective effort and more informed peers lead to a safer environment for everyone&#8217;s business.</p><p><strong>Why Share This Subscription?</strong> When you refer a colleague to this newsletter, you are giving them access to the same specialized insights you use to lead your team:</p><ul><li><p><strong>Zero-fluff technical execution:</strong> No high-level theory, just the steps to implement.</p></li><li><p><strong>Cost-saving vendor analysis:</strong> Honest looks at which tools are worth the cost for SMB budgets.</p></li><li><p><strong>Direct coaching frameworks:</strong> Access to the same logic I use with private coaching clients.</p></li></ul><p><strong>Pay It Forward</strong> Use the button below to share this post or your unique referral link. When your peers join our community, we all benefit from a more secure and tech-forward marketplace.</p><p class="button-wrapper" data-attrs="{&quot;url&quot;:&quot;https://substack.cpf-coaching.com/p/this-weeks-smb-risk-signals-infostealers?utm_source=substack&utm_medium=email&utm_content=share&action=share&quot;,&quot;text&quot;:&quot;Share&quot;,&quot;action&quot;:null,&quot;class&quot;:null}" data-component-name="ButtonCreateButton"><a class="button primary" href="https://substack.cpf-coaching.com/p/this-weeks-smb-risk-signals-infostealers?utm_source=substack&utm_medium=email&utm_content=share&action=share"><span>Share</span></a></p><p class="button-wrapper" data-attrs="{&quot;url&quot;:&quot;https://substack.cpf-coaching.com/leaderboard?&amp;utm_source=post&quot;,&quot;text&quot;:&quot;Refer a friend&quot;,&quot;action&quot;:null,&quot;class&quot;:null}" data-component-name="ButtonCreateButton"><a class="button primary" href="https://substack.cpf-coaching.com/leaderboard?&amp;utm_source=post"><span>Refer a friend</span></a></p><p></p><div class="paywall-jump" data-component-name="PaywallToDOM"></div><p>You&#8217;ve seen the "Why" behind this [Cyber/Tech Issue], but knowing the risk is only half the battle. To move from awareness to actual protection, you need a localized execution plan.</p><p>The remainder of this deep dive is designed specifically for the SMB leader who needs to move fast without a massive enterprise budget. By upgrading to a paid subscription, you unlock: </p><p>Premium Intelligence: The SMB Verification-and-Execution Pack</p><p>Premium readers get the implementation layer this week: the controls, decision structure, and working assets that translate the three stories above into operating discipline.</p><h3>1. 72-Hour Infostealer Containment Plan for Lean SMB Teams</h3><p><strong>Technical Detail:</strong> Microsoft said StealC collects data from browsers, wallets, messaging applications, email clients, and gaming platforms, while Amadey helps deliver StealC and other malware. Microsoft also said defenders may only detect a problem after valid credentials are already being abused and that the disruption action covered more than 200 malicious domains and IPs.</p><p><strong>Actionable Strategy:</strong></p><ul><li><p>Inventory the endpoints that hold administrator browser sessions, finance access, and shared SaaS credentials.</p></li><li><p>Force session revocation and password or passkey resets for high-value accounts after any credible infostealer indicator, even before full root cause analysis is complete.</p></li><li><p>Separate daily-use accounts from privileged accounts so an infected user session does not automatically become a business-wide identity event.</p></li></ul><p><strong>Leadership Focus Areas:</strong></p><ul><li><p><strong>Credential concentration:</strong> Which devices and browsers hold the keys to payroll, banking, cloud admin, customer support, and identity providers?</p></li><li><p><strong>Response speed:</strong> Who can disable sessions and revoke tokens after hours without waiting for an approval chain?</p></li><li><p><strong>Detection depth:</strong> Which protections see suspicious browser, mail-client, or credential-store access before the attacker moves downstream?</p></li></ul><h3>2. OCR-Proof Ransomware Readiness for Data-Heavy SMB Workflows</h3><p><strong>Technical Detail:</strong> OCR said the health plan potentially failed to conduct a thorough risk analysis and failed to implement reasonable and appropriate policies and procedures before the ransomware incident. OCR also emphasized audit controls, information-system activity review, authentication, encryption, lessons learned, and workforce training as practical mitigation steps.</p><p><strong>Actionable Strategy:</strong></p><ul><li><p>Build one defensible risk-analysis package around your highest-sensitivity workflow instead of trying to perfect every process at once.</p></li><li><p>Tie each stated safeguard to an owner, a review date, and the evidence location so you can prove its execution later.</p></li><li><p>Run a quarterly ransomware-readiness review that includes both technical recovery controls and documentation quality.</p></li></ul><p><strong>Control Focus Areas:</strong></p><ul><li><p><strong>Evidence chain:</strong> Can you show the last review date, the owner, the control objective, and the supporting artifact for each safeguard?</p></li><li><p><strong>Training relevance:</strong> Does workforce training reflect the actual workflows where sensitive data, admin access, or urgent overrides occur?</p></li><li><p><strong>Auditability:</strong> If regulators or customers ask what changed after an incident, can you show the before-and-after and the approval record?</p></li></ul><h3>3. Computer-Use Agents Need an Approval Map Before They Need a Bigger Budget</h3><p><strong>Technical Detail:</strong> Google said that computer use is now built into Gemini 3.5 Flash for cross-platform tasks and explicitly described enterprise safeguards that may require user confirmation for sensitive or irreversible actions and can stop tasks when indirect prompt injection is detected. Google also positioned the capability for long-horizon tasks such as continuous software testing and knowledge work across professional applications.</p><p><strong>Actionable Strategy:</strong></p><ul><li><p>Classify AI workflows into advisory-only, draft-and-review, and permissioned-execution lanes.</p></li><li><p>Require a short design record before any live rollout: objective, systems touched, data boundary, approval step, stop condition, and rollback path.</p></li><li><p>Keep early pilots inside sandboxed or test environments whenever the workflow can alter systems, records, or customer-facing outputs.</p></li></ul><p><strong>Governance Focus Areas:</strong></p><ul><li><p><strong>Action authority:</strong> Which tasks can an agent complete versus prepare for human approval?</p></li><li><p><strong>Prompt-injection exposure:</strong> Which workflows touch live web content, inboxes, or vendor systems that could manipulate the agent?</p></li><li><p><strong>Economic guardrails:</strong> Who owns usage caps, exception approvals, and the cost of long-running automation?</p></li></ul><blockquote><p><strong>AN AGENT THAT CAN CLICK IS PART OF YOUR OPERATING MODEL, NOT JUST YOUR TOOLSTACK.</strong></p><p>If your organization is moving from chat prompts to computer-using workflows, the hard part is not generating output. It is controlling who can approve actions, what data the agent can touch, and how you recover when a task goes wrong.</p><p><strong>Airia</strong> is built for teams that need stronger AI orchestration, policy controls, and governance as agentic workflows move deeper into real business operations.</p><p><strong>Put guardrails around AI execution. <a href="https://try.airia.com/3bcae15ptpli">Explore Airia here</a></strong></p></blockquote><h2>Premium Template: Execution Authorization Matrix</h2><p>Use this template for any workflow where software, a human identity, or an AI agent can trigger an action that changes access, money movement, customer communication, or regulated records.</p><p><strong>Workflow name:</strong> <strong>Business owner:</strong> <strong>Technical owner:</strong> <strong>System or agent used:</strong> <strong>Trigger event:</strong> <strong>What can happen automatically:</strong> <strong>What requires confirmation:</strong> <strong>Sensitive data touched:</strong> <strong>Approval role required:</strong> <strong>Audit artifact retained:</strong> <strong>Rollback path:</strong> <strong>Budget or spend ceiling:</strong> <strong>Prompt-injection or spoofing exposure:</strong> <strong>Next review date:</strong></p><h2>Premium Checklist: 10-Day Verification Sprint</h2><ul><li><p>Identify the endpoints, browsers, and accounts that hold your most valuable sessions and tokens.</p></li><li><p>Reconfirm which privileged accounts still share devices or browsers for everyday browsing.</p></li><li><p>Document one current risk analysis for a high-sensitivity workflow and store the evidence where others can find it.</p></li><li><p>Verify audit logging, authentication, encryption, and training ownership for the same workflow.</p></li><li><p>Classify your current AI pilots into advise, draft, or act lanes.</p></li><li><p>Add approval gates for spending, external messaging, security changes, and record updates.</p></li><li><p>Name one person who can revoke sessions, disable an agent, or freeze a risky workflow after hours.</p></li><li><p>Test whether your rollback path is real for one automated or semi-automated workflow.</p></li><li><p>Review whether prompt injection or spoofing could reach any agent through inboxes, browsers, or web research tasks.</p></li><li><p>Schedule a follow-up review in 30 days to measure whether the controls changed behavior, not just documentation.</p></li></ul><h2>Premium Exercise: Friday 3:55 PM Verification Tabletop</h2><p><strong>Scenario:</strong> A finance manager reports strange browser prompts and reauthentication requests after visiting a vendor site. At the same time, a business unit asks to fast-track a new AI workflow that can log into internal tools and update project records automatically. Two hours later, legal asks whether the company can prove the current controls around sensitive data review after a recent ransomware scare.</p><p><strong>Exercise objectives:</strong></p><ol><li><p>Decide which sessions, accounts, and devices are frozen within the first 30 minutes, and who has the authority to do so.</p></li><li><p>Decide what evidence the organization can produce today about risk analysis, logging, authentication, and training for the affected workflow.</p></li><li><p>Decide which AI workflows can continue, which must pause, and what approval conditions must be met before it can act again.</p></li></ol><p><strong>Questions to work through:</strong></p><ol><li><p>Which account, device, or browser state would cause the largest business impact if it were silently abused for 24 hours?</p></li><li><p>If a regulator or major customer asked for proof of safeguards tomorrow morning, what artifacts would you actually hand over?</p></li><li><p>If the AI workflow made the wrong update in a live system, who would detect it, stop it, and reverse it?</p></li></ol><h2>Sources</h2><ul><li><p>Microsoft Security Blog, &#8220;StealC and Amadey: Breaking down infostealers and the cybercrime services that deliver them,&#8221; published June 24, 2026: https://www.microsoft.com/en-us/security/blog/2026/06/24/stealc-and-amadey-breaking-down-infostealers-and-the-cybercrime-services-that-deliver-them/</p></li><li><p>HHS Office for Civil Rights, &#8220;HHS&#8217; Office for Civil Rights Settles Ransomware Investigation with Health Plan,&#8221; published June 18, 2026: https://www.hhs.gov/press-room/ocr-settles-ransomware-investigation-health-plan.html</p></li><li><p>Google Blog, &#8220;Introducing computer use in Gemini 3.5 Flash,&#8221; published June 24, 2026: https://blog.google/innovation-and-ai/models-and-research/gemini-models/introducing-computer-use-gemini-3-5-flash/</p></li></ul><ul><li><p><strong>The &#8220;How-To&#8221; Framework:</strong> A step-by-step breakdown of the [Process/Tool] mentioned above.</p></li><li><p><strong>Resource Toolkit:</strong> Downloadable templates and checklists I use with my private coaching clients.</p></li><li><p><strong>The Bottom Line:</strong> Direct analysis of the ROI and cost-savings associated with this strategy</p></li></ul>]]></content:encoded></item><item><title><![CDATA[Your Website Is Infrastructure: The Joomla Flaw Every SMB Should Act On This Week]]></title><description><![CDATA[Protect your SMB from the CVE-2026-48907 Joomla exploit. Unauthenticated attackers are dropping web shells. Here is your step-by-step incident response plan.]]></description><link>https://substack.cpf-coaching.com/p/your-website-is-infrastructure-the</link><guid isPermaLink="false">https://substack.cpf-coaching.com/p/your-website-is-infrastructure-the</guid><dc:creator><![CDATA[Christophe Foulon 📓]]></dc:creator><pubDate>Tue, 23 Jun 2026 20:08:47 GMT</pubDate><enclosure url="https://substackcdn.com/image/fetch/$s_!GPAp!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F339170d3-a103-4dd1-a0ea-9ccf0af54f71_1024x559.jpeg" length="0" type="image/jpeg"/><content:encoded><![CDATA[<p>Last week, CISA added a maximum-severity vulnerability to its Known Exploited Vulnerabilities catalog: CVE-2026-48907, a flaw in the Joomla Content Editor (JCE) that carries the highest possible CVSS&#8230;</p>
      <p>
          <a href="https://substack.cpf-coaching.com/p/your-website-is-infrastructure-the">
              Read more
          </a>
      </p>
   ]]></content:encoded></item><item><title><![CDATA[This Week's SMB Risk Signals: Poisoned Packages, Imposter Losses, and the Arrival of AI Coworkers]]></title><description><![CDATA[SMB leaders: Discover how the Mastra npm hack, $3.5B FTC scam warnings, and AI coworkers impact your risk exposure&#8212;and what to lock down this week.]]></description><link>https://substack.cpf-coaching.com/p/this-weeks-smb-risk-signals-poisoned</link><guid isPermaLink="false">https://substack.cpf-coaching.com/p/this-weeks-smb-risk-signals-poisoned</guid><dc:creator><![CDATA[Christophe Foulon 📓]]></dc:creator><pubDate>Fri, 19 Jun 2026 16:06:54 GMT</pubDate><enclosure url="https://substackcdn.com/image/fetch/$s_!M0jJ!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F96977059-b136-43ad-85da-957478905b92_1376x768.png" length="0" type="image/jpeg"/><content:encoded><![CDATA[<p>On June 17, 2026, Microsoft detailed a supply-chain compromise that poisoned more than 140 npm packages across the <code>mastra</code>  <code>@mastra</code> scopes. Two days earlier, on June 15, 2026, the Federal Trade Commission said people reported losing $3.5 billion to imposter scams in 2025, with business impersonation and fake security alerts driving some of the costliest losses. Then on June 16, 2026, Microsoft moved Copilot Cowork into general availability, pushing long-running, multi-tool AI work from preview into mainstream operating reality.</p><p>The three stories are different on the surface, but they point to the same leadership problem. SMB teams are letting software act faster than their control model can explain, verify, or contain. If your business runs on outsourced code, urgent digital communications, and newly embedded AI agents, your real risk is no longer just the tool. It is the speed of unreviewed execution.</p><div class="captioned-image-container"><figure><a class="image-link image2 is-viewable-img" target="_blank" href="https://substackcdn.com/image/fetch/$s_!M0jJ!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F96977059-b136-43ad-85da-957478905b92_1376x768.png" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" srcset="https://substackcdn.com/image/fetch/$s_!M0jJ!,w_424,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F96977059-b136-43ad-85da-957478905b92_1376x768.png 424w, https://substackcdn.com/image/fetch/$s_!M0jJ!,w_848,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F96977059-b136-43ad-85da-957478905b92_1376x768.png 848w, https://substackcdn.com/image/fetch/$s_!M0jJ!,w_1272,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F96977059-b136-43ad-85da-957478905b92_1376x768.png 1272w, https://substackcdn.com/image/fetch/$s_!M0jJ!,w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F96977059-b136-43ad-85da-957478905b92_1376x768.png 1456w" sizes="100vw"><img src="https://substackcdn.com/image/fetch/$s_!M0jJ!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F96977059-b136-43ad-85da-957478905b92_1376x768.png" width="1376" height="768" data-attrs="{&quot;src&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/96977059-b136-43ad-85da-957478905b92_1376x768.png&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:null,&quot;height&quot;:768,&quot;width&quot;:1376,&quot;resizeWidth&quot;:null,&quot;bytes&quot;:708915,&quot;alt&quot;:null,&quot;title&quot;:null,&quot;type&quot;:&quot;image/png&quot;,&quot;href&quot;:null,&quot;belowTheFold&quot;:false,&quot;topImage&quot;:true,&quot;internalRedirect&quot;:&quot;https://substack.cpf-coaching.com/i/202550059?img=https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F96977059-b136-43ad-85da-957478905b92_1376x768.png&quot;,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" class="sizing-normal" alt="" srcset="https://substackcdn.com/image/fetch/$s_!M0jJ!,w_424,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F96977059-b136-43ad-85da-957478905b92_1376x768.png 424w, https://substackcdn.com/image/fetch/$s_!M0jJ!,w_848,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F96977059-b136-43ad-85da-957478905b92_1376x768.png 848w, https://substackcdn.com/image/fetch/$s_!M0jJ!,w_1272,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F96977059-b136-43ad-85da-957478905b92_1376x768.png 1272w, https://substackcdn.com/image/fetch/$s_!M0jJ!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F96977059-b136-43ad-85da-957478905b92_1376x768.png 1456w" sizes="100vw" fetchpriority="high"></picture><div class="image-link-expand"><div class="pencraft pc-display-flex pc-gap-8 pc-reset"><button tabindex="0" type="button" class="pencraft pc-reset pencraft icon-container restack-image"><svg role="img" width="20" height="20" viewBox="0 0 20 20" fill="none" stroke-width="1.5" stroke="var(--color-fg-primary)" stroke-linecap="round" stroke-linejoin="round" xmlns="http://www.w3.org/2000/svg"><g><title></title><path d="M2.53001 7.81595C3.49179 4.73911 6.43281 2.5 9.91173 2.5C13.1684 2.5 15.9537 4.46214 17.0852 7.23684L17.6179 8.67647M17.6179 8.67647L18.5002 4.26471M17.6179 8.67647L13.6473 6.91176M17.4995 12.1841C16.5378 15.2609 13.5967 17.5 10.1178 17.5C6.86118 17.5 4.07589 15.5379 2.94432 12.7632L2.41165 11.3235M2.41165 11.3235L1.5293 15.7353M2.41165 11.3235L6.38224 13.0882"></path></g></svg></button><button tabindex="0" type="button" class="pencraft pc-reset pencraft icon-container view-image"><svg xmlns="http://www.w3.org/2000/svg" width="20" height="20" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round" class="lucide lucide-maximize2 lucide-maximize-2"><polyline points="15 3 21 3 21 9"></polyline><polyline points="9 21 3 21 3 15"></polyline><line x1="21" x2="14" y1="3" y2="10"></line><line x1="3" x2="10" y1="21" y2="14"></line></svg></button></div></div></div></a></figure></div><h2>1. Your Software Supply Chain Is Now an Endpoint Problem</h2><p>Microsoft said the Mastra compromise affected 140-plus packages and began with a taken-over npm maintainer account that injected a malicious <code>easy-day-js</code> dependency into published versions. The security team wrote that the poisoned package executed during installation, meaning any developer workstation or CI/CD pipeline that ran <code>npm install</code>  <code>npm update</code> after the compromised versions were published was potentially exposed, even if the package was never imported into application code.</p><p><strong>Why You Should Be Concerned:</strong></p><ul><li><p><strong>Install time became execution time:</strong> The malicious <code>postinstall</code> hook ran automatically during dependency installation, not after an engineer consciously invoked suspect code.</p></li><li><p><strong>This hit build systems as well as laptops:</strong> Microsoft explicitly warned that CI/CD environments, tokens, credentials, and downstream software integrity were all in scope.</p></li><li><p><strong>The attacker optimized for persistence, not smash-and-grab noise:</strong> Microsoft described staged delivery, a second-stage payload, cross-platform persistence, and a risk of token or environment exposure. That is an operations problem, not just a dev-team problem.</p></li></ul><p><strong>Strategic Action:</strong> Treat your build and package ecosystem like privileged infrastructure. If an SMB leadership team still thinks dependency hygiene belongs only to engineering, this is the week to correct that assumption.</p><p>Three steps to take this week:</p><ol><li><p>Identify every workstation, build runner, or hosted pipeline that touched affected Mastra package versions on or after June 16, 2026.</p></li><li><p>Rotate developer tokens, CI secrets, and cloud credentials that may have been present where those packages were installed.</p></li><li><p>Require a high-risk dependency review pattern for critical builds: pinned versions, script-aware install review, and a named owner for package exceptions.</p></li></ol><div class="pullquote"><p>If a poisoned dependency can turn a developer laptop or build runner into an execution point, <strong><a href="https://get.bitdefender.com/8gk9x38k25bv">Bitdefender</a></strong> is a practical fit for SMB teams that need stronger endpoint protection, isolation, and response coverage without staffing a large in-house SOC.</p></div><h2>2. Impersonation Is No Longer &#8220;Just Fraud&#8221;</h2><p>The FTC said on June 15, 2026, that imposter scams were the most reported fraud category in 2025 and that reported losses climbed to $3.5 billion. The agency also said nearly one in three fraud reports involved impersonation and that reported losses reached nearly $1 billion for business impersonators and about $920 million for government impersonators. The FTC specifically called out fake security alerts, often posing as banks, as a costly tactic used to convince people to move money to &#8220;protect&#8221; it.</p><p><strong>Why You Should Be Concerned:</strong></p><ul><li><p><strong>The attack path is multi-channel:</strong> The FTC said these scams reached people through text, phone, email, social media, and search results. That means the weak point is not one inbox.</p></li><li><p><strong>The financial control gap is obvious:</strong> Fake urgency still works because too many businesses let a single message trigger a rushed action.</p></li><li><p><strong>Impersonation now rides your brand, your vendors, and your bank relationships:</strong> If your email authentication and callback practices are weak, your organization helps create the attack surface.</p></li></ul><p><strong>Strategic Action:</strong> Stop treating impersonation as solely a user-awareness problem. It is a workflow-design problem. The question is whether your payment, approval, and identity-verification paths still assume that a familiar name is good enough.</p><p>Three steps to take this week:</p><ol><li><p>Set a hard callback rule for payment changes, account-recovery requests, and urgent financial instructions, using known numbers only.</p></li><li><p>Lock down who can approve wire changes, vendor-bank updates, and emergency purchases without a second person's verification.</p></li><li><p>Review your email domain protection and anti-spoofing controls to reduce exposure for customers, staff, and partners to fake versions of your brand.</p></li></ol><blockquote><p><strong>IF YOUR DOMAIN CAN BE SPOOFED, YOUR BRAND BECOMES PART OF THE ATTACK CHAIN.</strong></p><p>FTC data shows impersonation losses are scaling because attackers exploit trust faster than most teams validate identity. Email authentication is not glamorous, but it is one of the clearest ways to reduce spoofing and brand-abuse risk.</p><p><strong>EasyDMARC</strong> helps organizations strengthen DMARC, DKIM, and SPF so brand impersonation, phishing exposure, and email-deliverability risk become easier to see and manage.</p><p><strong>Reduce spoofing risk. <a href="https://partners.easydmarc.com/opuv05et0ukc">Review EasyDMARC here</a></strong></p></blockquote><h2>3. AI Coworkers Are Moving Into Real Operating Lanes</h2><p>On June 16, 2026, Microsoft announced the general availability of Copilot Cowork worldwide. Microsoft described it as an agentic system that executes complex, long-running, multi-tool tasks end-to-end and returns completed results, not just drafts or recommendations. The company also emphasized that Cowork is off by default, uses usage-based billing, and now includes admin controls for access, budgets, alerts, and visibility.</p><p><strong>Why You Should Be Concerned:</strong></p><ul><li><p><strong>This is a shift from prompts to execution:</strong> Microsoft is commercializing AI work that runs across tools, data, and time, not just one-off chat outputs.</p></li><li><p><strong>Cost and authority now matter as much as model quality:</strong> The release makes explicit what many SMB leaders have not yet operationalized: agentic AI needs budgets, access controls, and workflow boundaries.</p></li><li><p><strong>The adoption pressure will move downstream fast:</strong> Even if your firm is not buying Copilot Cowork today, the market signal is clear. Vendors are normalizing AI systems that act, spend, and retrieve context at scale.</p></li></ul><p><strong>Strategic Action:</strong> Do not wait until staff brings agentic workflows in through a pilot, a plugin, or a department budget. Define where AI can act, where it can advise, and where a human must still approve.</p><p>Three steps to take this week:</p><ol><li><p>Name three workflows where AI may assist but not execute without review, such as customer promises, financial approvals, or regulated communications.</p></li><li><p>Assign an owner for AI tool budgets, usage review, and data-boundary decisions before you approve broader rollouts.</p></li><li><p>Pilot one agentic use case with a written success metric, a spending cap, and a required post-run review of output quality and side effects.</p></li></ol><h3>Final Thoughts for Leaders</h3><p>The convergence of poisoned dependencies, scaled impersonation fraud, and agentic AI rollout means SMB leadership has to rebuild trust as an operating system, not a slogan. The real question is not whether your team is moving fast. It is whether your approvals, logs, endpoints, domains, and AI rules are mature enough to keep speed from turning into silent exposure. Put software supply-chain ownership, impersonation controls, and AI execution boundaries on your next leadership agenda before this week ends.</p><div class="subscription-widget-wrap-editor" data-attrs="{&quot;url&quot;:&quot;https://substack.cpf-coaching.com/subscribe?&quot;,&quot;text&quot;:&quot;Subscribe&quot;,&quot;language&quot;:&quot;en&quot;}" data-component-name="SubscribeWidgetToDOM"><div class="subscription-widget show-subscribe"><div class="preamble"><p class="cta-caption">SMB Tech &amp; Cybersecurity Leadership Newsletter is a reader-supported publication. To receive new posts and support my work, consider becoming a free or paid subscriber.</p></div><form class="subscription-widget-subscribe"><input type="email" class="email-input" name="email" placeholder="Type your email&#8230;" tabindex="-1"><input type="submit" class="button primary" value="Subscribe"><div class="fake-input-wrapper"><div class="fake-input"></div><div class="fake-button"></div></div></form></div></div><h3>Help Other Leaders Secure Their Future</h3><p><strong>The Network Effect of SMB Security</strong> </p><p>The most effective way to strengthen our SMB community is to share strategies that actually work in the field. If you find value in these technical deep dives, helping a fellow leader bridge their tech gap makes the entire ecosystem more resilient. Cybersecurity is a collective effort, and more informed peers lead to a safer environment for everyone&#8217;s business.</p><p><strong>Why Share This Subscription?</strong> When you refer a colleague to this newsletter, you are giving them access to the same specialized insights you use to lead your team:</p><ul><li><p><strong>Zero-fluff technical execution:</strong> No high-level theory, just the steps to implement.</p></li><li><p><strong>Cost-saving vendor analysis:</strong> Honest looks at which tools are worth the cost for SMB budgets.</p></li><li><p><strong>Direct coaching frameworks:</strong> Access to the same logic I use with private coaching clients.</p></li></ul><p><strong>Pay It Forward:</strong> Use the button below to share this post or your unique referral link. When your peers join our community, we all benefit from a more secure and tech-forward marketplace.</p><p class="button-wrapper" data-attrs="{&quot;url&quot;:&quot;https://substack.cpf-coaching.com/p/this-weeks-smb-risk-signals-poisoned?utm_source=substack&utm_medium=email&utm_content=share&action=share&quot;,&quot;text&quot;:&quot;Share&quot;,&quot;action&quot;:null,&quot;class&quot;:null}" data-component-name="ButtonCreateButton"><a class="button primary" href="https://substack.cpf-coaching.com/p/this-weeks-smb-risk-signals-poisoned?utm_source=substack&utm_medium=email&utm_content=share&action=share"><span>Share</span></a></p><p class="button-wrapper" data-attrs="{&quot;url&quot;:&quot;https://substack.cpf-coaching.com/leaderboard?&amp;utm_source=post&quot;,&quot;text&quot;:&quot;Refer a friend&quot;,&quot;action&quot;:null,&quot;class&quot;:null}" data-component-name="ButtonCreateButton"><a class="button primary" href="https://substack.cpf-coaching.com/leaderboard?&amp;utm_source=post"><span>Refer a friend</span></a></p><p>You&#8217;ve seen the "Why" behind this [Cyber/Tech Issue]&#8212;but knowing the risk is only half the battle. To move from awareness to actual protection, you need a localized execution plan.</p><p>The remainder of this deep dive is designed specifically for the SMB leader who needs to move fast without a massive enterprise budget. By upgrading to a paid subscription, you unlock Premium Intelligence: The SMB Trust-and-Automation Implementation Pack.</p><blockquote><p style="text-align: center;"><strong>Subscribe to Unlock the Full Strategy</strong> </p><p style="text-align: center;"><em>Join a community of SMB leaders who stop reacting to tech shifts and start leading them.</em></p><p class="button-wrapper" data-attrs="{&quot;url&quot;:&quot;https://substack.cpf-coaching.com/subscribe?&quot;,&quot;text&quot;:&quot;Subscribe now&quot;,&quot;action&quot;:null,&quot;class&quot;:null}" data-component-name="ButtonCreateButton"><a class="button primary" href="https://substack.cpf-coaching.com/subscribe?"><span>Subscribe now</span></a></p></blockquote><p>Premium readers get the implementation layer: the concrete controls, governance structure, and team exercises that turn this week&#8217;s signals into operating discipline.</p>
      <p>
          <a href="https://substack.cpf-coaching.com/p/this-weeks-smb-risk-signals-poisoned">
              Read more
          </a>
      </p>
   ]]></content:encoded></item><item><title><![CDATA[Cisco SD-WAN Zero-Day (CVE-2026-20245): A 30-Minute Checklist]]></title><description><![CDATA[Is your MSP exposing you to the Cisco SD-WAN zero-day (CVE-2026-20245)? Protect your business from supply chain risks with our immediate mitigation checklist.]]></description><link>https://substack.cpf-coaching.com/p/cisco-sd-wan-zero-day-cve-2026-20245</link><guid isPermaLink="false">https://substack.cpf-coaching.com/p/cisco-sd-wan-zero-day-cve-2026-20245</guid><dc:creator><![CDATA[Christophe Foulon 📓]]></dc:creator><pubDate>Mon, 15 Jun 2026 14:03:30 GMT</pubDate><enclosure url="https://substackcdn.com/image/fetch/$s_!Oh1-!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fd03bc93f-dca8-4ef1-8c1e-2c143ba3784a_1024x687.jpeg" length="0" type="image/jpeg"/><content:encoded><![CDATA[<p>Cisco just confirmed that attackers are actively exploiting a zero-day in its Catalyst SD-WAN Manager (CVE-2026-20245), and there is no patch yet.</p><div class="captioned-image-container"><figure><a class="image-link image2 is-viewable-img" target="_blank" href="https://substackcdn.com/image/fetch/$s_!Oh1-!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fd03bc93f-dca8-4ef1-8c1e-2c143ba3784a_1024x687.jpeg" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" srcset="https://substackcdn.com/image/fetch/$s_!Oh1-!,w_424,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fd03bc93f-dca8-4ef1-8c1e-2c143ba3784a_1024x687.jpeg 424w, https://substackcdn.com/image/fetch/$s_!Oh1-!,w_848,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fd03bc93f-dca8-4ef1-8c1e-2c143ba3784a_1024x687.jpeg 848w, https://substackcdn.com/image/fetch/$s_!Oh1-!,w_1272,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fd03bc93f-dca8-4ef1-8c1e-2c143ba3784a_1024x687.jpeg 1272w, https://substackcdn.com/image/fetch/$s_!Oh1-!,w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fd03bc93f-dca8-4ef1-8c1e-2c143ba3784a_1024x687.jpeg 1456w" sizes="100vw"><img src="https://substackcdn.com/image/fetch/$s_!Oh1-!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fd03bc93f-dca8-4ef1-8c1e-2c143ba3784a_1024x687.jpeg" width="1024" height="687" data-attrs="{&quot;src&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/d03bc93f-dca8-4ef1-8c1e-2c143ba3784a_1024x687.jpeg&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:null,&quot;height&quot;:687,&quot;width&quot;:1024,&quot;resizeWidth&quot;:null,&quot;bytes&quot;:99620,&quot;alt&quot;:&quot;A computer monitor displaying a red warning alert for the CVE-2026-20245 zero-day exploit over a compromised SD-WAN network diagram, sitting next to a tablet showing a security mitigation checklist.&quot;,&quot;title&quot;:null,&quot;type&quot;:&quot;image/jpeg&quot;,&quot;href&quot;:null,&quot;belowTheFold&quot;:false,&quot;topImage&quot;:true,&quot;internalRedirect&quot;:&quot;https://substack.cpf-coaching.com/i/202128294?img=https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fd03bc93f-dca8-4ef1-8c1e-2c143ba3784a_1024x687.jpeg&quot;,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" class="sizing-normal" alt="A computer monitor displaying a red warning alert for the CVE-2026-20245 zero-day exploit over a compromised SD-WAN network diagram, sitting next to a tablet showing a security mitigation checklist." title="A computer monitor displaying a red warning alert for the CVE-2026-20245 zero-day exploit over a compromised SD-WAN network diagram, sitting next to a tablet showing a security mitigation checklist." srcset="https://substackcdn.com/image/fetch/$s_!Oh1-!,w_424,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fd03bc93f-dca8-4ef1-8c1e-2c143ba3784a_1024x687.jpeg 424w, https://substackcdn.com/image/fetch/$s_!Oh1-!,w_848,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fd03bc93f-dca8-4ef1-8c1e-2c143ba3784a_1024x687.jpeg 848w, https://substackcdn.com/image/fetch/$s_!Oh1-!,w_1272,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fd03bc93f-dca8-4ef1-8c1e-2c143ba3784a_1024x687.jpeg 1272w, https://substackcdn.com/image/fetch/$s_!Oh1-!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fd03bc93f-dca8-4ef1-8c1e-2c143ba3784a_1024x687.jpeg 1456w" sizes="100vw" fetchpriority="high"></picture><div class="image-link-expand"><div class="pencraft pc-display-flex pc-gap-8 pc-reset"><button tabindex="0" type="button" class="pencraft pc-reset pencraft icon-container restack-image"><svg role="img" width="20" height="20" viewBox="0 0 20 20" fill="none" stroke-width="1.5" stroke="var(--color-fg-primary)" stroke-linecap="round" stroke-linejoin="round" xmlns="http://www.w3.org/2000/svg"><g><title></title><path d="M2.53001 7.81595C3.49179 4.73911 6.43281 2.5 9.91173 2.5C13.1684 2.5 15.9537 4.46214 17.0852 7.23684L17.6179 8.67647M17.6179 8.67647L18.5002 4.26471M17.6179 8.67647L13.6473 6.91176M17.4995 12.1841C16.5378 15.2609 13.5967 17.5 10.1178 17.5C6.86118 17.5 4.07589 15.5379 2.94432 12.7632L2.41165 11.3235M2.41165 11.3235L1.5293 15.7353M2.41165 11.3235L6.38224 13.0882"></path></g></svg></button><button tabindex="0" type="button" class="pencraft pc-reset pencraft icon-container view-image"><svg xmlns="http://www.w3.org/2000/svg" width="20" height="20" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round" class="lucide lucide-maximize2 lucide-maximize-2"><polyline points="15 3 21 3 21 9"></polyline><polyline points="9 21 3 21 3 15"></polyline><line x1="21" x2="14" y1="3" y2="10"></line><line x1="3" x2="10" y1="21" y2="14"></line></svg></button></div></div></div></a><figcaption class="image-caption">You cannot patch your way out of this zero-day yet. T&#8230;</figcaption></figure></div>
      <p>
          <a href="https://substack.cpf-coaching.com/p/cisco-sd-wan-zero-day-cve-2026-20245">
              Read more
          </a>
      </p>
   ]]></content:encoded></item><item><title><![CDATA[This Week's SMB Risk Signals: A VPN Zero-Day, an AI Pricing Fight, and Siri's Workflow Creep]]></title><description><![CDATA[What SMB leaders should do this week about remote-access risk, AI pricing governance, and Apple&#8217;s workflow AI push.]]></description><link>https://substack.cpf-coaching.com/p/this-weeks-smb-risk-signals-a-vpn</link><guid isPermaLink="false">https://substack.cpf-coaching.com/p/this-weeks-smb-risk-signals-a-vpn</guid><dc:creator><![CDATA[Christophe Foulon 📓]]></dc:creator><pubDate>Fri, 12 Jun 2026 21:16:01 GMT</pubDate><enclosure url="https://substackcdn.com/image/fetch/$s_!4FO3!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F9d128ee0-154f-4b6c-811f-eaf7753d2c60_1024x695.jpeg" length="0" type="image/jpeg"/><content:encoded><![CDATA[<p>This week delivered a clean reminder that SMB risk does not arrive in neat categories. On June 8, 2026, Check Point disclosed active exploitation of a critical VPN authentication bypass tied to real-world ransomware activity. On June 9, 2026, Colorado&#8217;s governor vetoed an AI and data pricing bill that would have put guardrails around how technology influences prices and wages. And at WWDC26, Apple showed just how quickly AI is moving from optional tool to built-in workflow layer for email, documents, images, passwords, and day-to-day assistant use.</p><p></p><p>For SMB leaders, the strategic point is straightforward: the attack surface is expanding faster than policy, and policy is evolving slower than employee behavior. You cannot wait for one perfect regulation, one perfect tool, or one perfect quarter to act. You need tighter operating discipline now.</p><p></p><div class="captioned-image-container"><figure><a class="image-link image2 is-viewable-img" target="_blank" href="https://substackcdn.com/image/fetch/$s_!4FO3!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F9d128ee0-154f-4b6c-811f-eaf7753d2c60_1024x695.jpeg" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" srcset="https://substackcdn.com/image/fetch/$s_!4FO3!,w_424,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F9d128ee0-154f-4b6c-811f-eaf7753d2c60_1024x695.jpeg 424w, https://substackcdn.com/image/fetch/$s_!4FO3!,w_848,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F9d128ee0-154f-4b6c-811f-eaf7753d2c60_1024x695.jpeg 848w, https://substackcdn.com/image/fetch/$s_!4FO3!,w_1272,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F9d128ee0-154f-4b6c-811f-eaf7753d2c60_1024x695.jpeg 1272w, https://substackcdn.com/image/fetch/$s_!4FO3!,w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F9d128ee0-154f-4b6c-811f-eaf7753d2c60_1024x695.jpeg 1456w" sizes="100vw"><img src="https://substackcdn.com/image/fetch/$s_!4FO3!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F9d128ee0-154f-4b6c-811f-eaf7753d2c60_1024x695.jpeg" width="1024" height="695" data-attrs="{&quot;src&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/9d128ee0-154f-4b6c-811f-eaf7753d2c60_1024x695.jpeg&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:null,&quot;height&quot;:695,&quot;width&quot;:1024,&quot;resizeWidth&quot;:null,&quot;bytes&quot;:253986,&quot;alt&quot;:null,&quot;title&quot;:null,&quot;type&quot;:&quot;image/jpeg&quot;,&quot;href&quot;:null,&quot;belowTheFold&quot;:false,&quot;topImage&quot;:true,&quot;internalRedirect&quot;:&quot;https://substack.cpf-coaching.com/i/201774808?img=https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F9d128ee0-154f-4b6c-811f-eaf7753d2c60_1024x695.jpeg&quot;,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" class="sizing-normal" alt="" srcset="https://substackcdn.com/image/fetch/$s_!4FO3!,w_424,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F9d128ee0-154f-4b6c-811f-eaf7753d2c60_1024x695.jpeg 424w, https://substackcdn.com/image/fetch/$s_!4FO3!,w_848,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F9d128ee0-154f-4b6c-811f-eaf7753d2c60_1024x695.jpeg 848w, https://substackcdn.com/image/fetch/$s_!4FO3!,w_1272,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F9d128ee0-154f-4b6c-811f-eaf7753d2c60_1024x695.jpeg 1272w, https://substackcdn.com/image/fetch/$s_!4FO3!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F9d128ee0-154f-4b6c-811f-eaf7753d2c60_1024x695.jpeg 1456w" sizes="100vw" fetchpriority="high"></picture><div class="image-link-expand"><div class="pencraft pc-display-flex pc-gap-8 pc-reset"><button tabindex="0" type="button" class="pencraft pc-reset pencraft icon-container restack-image"><svg role="img" width="20" height="20" viewBox="0 0 20 20" fill="none" stroke-width="1.5" stroke="var(--color-fg-primary)" stroke-linecap="round" stroke-linejoin="round" xmlns="http://www.w3.org/2000/svg"><g><title></title><path d="M2.53001 7.81595C3.49179 4.73911 6.43281 2.5 9.91173 2.5C13.1684 2.5 15.9537 4.46214 17.0852 7.23684L17.6179 8.67647M17.6179 8.67647L18.5002 4.26471M17.6179 8.67647L13.6473 6.91176M17.4995 12.1841C16.5378 15.2609 13.5967 17.5 10.1178 17.5C6.86118 17.5 4.07589 15.5379 2.94432 12.7632L2.41165 11.3235M2.41165 11.3235L1.5293 15.7353M2.41165 11.3235L6.38224 13.0882"></path></g></svg></button><button tabindex="0" type="button" class="pencraft pc-reset pencraft icon-container view-image"><svg xmlns="http://www.w3.org/2000/svg" width="20" height="20" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round" class="lucide lucide-maximize2 lucide-maximize-2"><polyline points="15 3 21 3 21 9"></polyline><polyline points="9 21 3 21 3 15"></polyline><line x1="21" x2="14" y1="3" y2="10"></line><line x1="3" x2="10" y1="21" y2="14"></line></svg></button></div></div></div></a></figure></div><p></p><div class="subscription-widget-wrap-editor" data-attrs="{&quot;url&quot;:&quot;https://substack.cpf-coaching.com/subscribe?&quot;,&quot;text&quot;:&quot;Subscribe&quot;,&quot;language&quot;:&quot;en&quot;}" data-component-name="SubscribeWidgetToDOM"><div class="subscription-widget show-subscribe"><div class="preamble"><p class="cta-caption">SMB Tech &amp; Cybersecurity Leadership Newsletter is a reader-supported publication. To receive new posts and support my work, consider becoming a free or paid subscriber.</p></div><form class="subscription-widget-subscribe"><input type="email" class="email-input" name="email" placeholder="Type your email&#8230;" tabindex="-1"><input type="submit" class="button primary" value="Subscribe"><div class="fake-input-wrapper"><div class="fake-input"></div><div class="fake-button"></div></div></form></div></div><p></p><h2>1. Your Remote Access Layer Is Still a Breach Path</h2><p>On June 8, 2026, Check Point disclosed active exploitation of CVE-2026-50751, a critical 9.3 CVSS authentication bypass affecting Remote Access VPN and Mobile Access deployments configured to use the deprecated IKEv1 protocol. Check Point said the activity had already hit a few dozen organizations globally, with one confirmed case tied to a Qilin ransomware affiliate. Check Point&#8217;s own timeline says exploitation began on May 7 and accelerated in early June.</p><p><strong>Why You Should Be Concerned:</strong></p><ul><li><p><strong>The flaw is pre-authentication:</strong> Attackers do not need a valid user password to establish a VPN session if the affected configuration is in place.</p></li><li><p><strong>The ransomware path is already visible:</strong> This is not theoretical. Check Point tied at least one post-compromise case to a Qilin affiliate.</p></li><li><p><strong>The SMB version of this problem is common:</strong> Smaller firms often keep older remote-access configurations in place because they are &#8220;still working,&#8221; especially when a single appliance, MSP, or internal admin owns the entire edge.</p></li></ul><p><strong>Strategic Action:</strong> Treat remote access as a business continuity issue, not a firewall setting. If your edge is old, poorly documented, or managed by habit, assume it deserves executive review this week.</p><p>Three steps to take this week:</p><ol><li><p>Confirm whether any Check Point Remote Access VPN or Mobile Access deployments still rely on IKEv1, then apply the June 8 security update immediately where relevant.</p></li><li><p>Review VPN and identity logs going back to May 7, 2026 for unusual remote-access sessions, especially sessions that do not line up cleanly with valid user behavior.</p></li><li><p>Re-rank remote access, privileged access, and endpoint isolation in your incident-response priorities before the next executive operations meeting.</p></li></ol><div class="pullquote"><p>If you are tightening the edge and want stronger containment when endpoints are exposed, <strong><a href="https://get.bitdefender.com/8gk9x38k25bv">Bitdefender</a></strong> is a practical fit for SMB teams that need stronger endpoint protection and response coverage without building a large in-house security operation.</p></div><h2>2. The Rules for AI-Driven Pricing and Pay Are Still Moving</h2><p>On June 9, 2026, Colorado Gov. Jared Polis vetoed a bill that would have limited the use of artificial intelligence and other data to set consumer prices and employee wages. Axios reported that Polis rejected 12 bills in total and sided with the tech industry in at least five vetoes, arguing this bill was too broad and could capture innocuous technology uses.</p><p><strong>Why You Should Be Concerned:</strong></p><ul><li><p><strong>A veto is not a green light:</strong> The absence of one law does not mean the underlying risk has disappeared. It means the policy fight is still active.</p></li><li><p><strong>Pricing and workforce decisions are already data-driven:</strong> CRM tools, finance tools, POS platforms, scheduling software, and AI copilots can all shape outcomes long before leadership labels them as &#8220;AI systems.&#8221;</p></li><li><p><strong>Your documentation gap is probably wider than your tech gap:</strong> Many SMBs can describe the tool they bought, but not the decision it influences, the data it uses, or the human override that exists when the output looks wrong.</p></li></ul><p><strong>Strategic Action:</strong> Build governance before you build scale. I recognize that for many SMBs, lean teams and limited budget make this feel like another policy burden. In practice, a lightweight decision register and review standard are much cheaper than defending an opaque pricing or wage process later.</p><p>Three steps to take this week:</p><ol><li><p>Inventory every workflow where software or AI influences pricing, quoting, discounting, compensation, scheduling, or performance scoring.</p></li><li><p>Assign a named business owner to each workflow and document the human review point, the source data, and the business objective.</p></li><li><p>Flag any workflow that touches protected classes, employment decisions, or customer segmentation for counsel or compliance review before it expands.</p></li></ol><blockquote><p><strong>DO NOT WAIT FOR THE PERFECT LAW TO TELL YOU WHAT GOOD GOVERNANCE LOOKS LIKE.</strong></p><p>If you need to prove that controls, evidence collection, and review steps actually exist, operational discipline matters more than policy theater.</p><p><strong>Copla</strong> helps growing companies automate evidence collection and continuous compliance work while keeping expert support in the loop.</p><p><strong>Reduce manual governance drag. <a href="https://join.copla.com/cpf-coaching">Review Copla here</a></strong></p></blockquote><h2>3. Consumer AI Is Becoming Workflow Infrastructure</h2><p>Apple used WWDC26 to show that AI is moving directly into everyday work surfaces. In Apple&#8217;s official WWDC26 materials, the company positioned Siri AI in iOS 27 as able to edit and write emails, texts, and documents; create photorealistic images; organize Safari activity; and update compromised passwords with one tap, while emphasizing privacy protections for personal information.</p><p><strong>Why You Should Be Concerned:</strong></p><ul><li><p><strong>This is built into routine work, not a side app:</strong> Email, text, documents, images, browser activity, and password hygiene all sit inside normal employee behavior.</p></li><li><p><strong>Convenience will outrun governance:</strong> Staff will adopt embedded AI features because they save time, not because your policy allows it.</p></li><li><p><strong>The privacy promise does not remove your responsibility:</strong> Even when a platform markets itself as private, you still need clear rules on what staff can paste, summarize, generate, and share.</p></li></ul><p><strong>Strategic Action:</strong> Move from blanket bans or blind enthusiasm to controlled enablement. Your job is not to stop every assistant. Your job is to decide which jobs are safe, which data classes are off-limits, and which outputs require human review.</p><p>Three steps to take this week:</p><ol><li><p>Define three approved AI-assisted tasks for your team, such as draft summarization, internal meeting prep, or first-pass writing, and three prohibited tasks, such as handling regulated personal data or final external commitments without review.</p></li><li><p>Add AI-use guidance to device management, acceptable-use policy, and manager coaching, especially for sales, HR, finance, and client-facing staff.</p></li><li><p>Run a two-week pilot with a short after-action review so you learn where productivity improves and where risk starts to leak.</p></li></ol><h3>Final Thoughts for Leaders</h3><p>The convergence of remote-access weakness, unfinished AI regulation, and built-in assistant workflows means SMB leadership has to operate with more discipline, not more panic. The real question is not whether these technologies are coming. It is whether your operating model is mature enough to absorb them without turning speed into unmanaged exposure. Put remote access, automated decision governance, and approved AI use on your next leadership agenda before the end of this week.</p><h3>Help Other Leaders Secure Their Future</h3><p><strong>The Network Effect of SMB Security</strong> </p><p>The most effective way to strengthen our SMB community is by sharing the strategies that actually work in the field. If you find value in these technical deep dives, helping a fellow leader bridge their tech gap makes the entire ecosystem more resilient. Cybersecurity is a collective effort and more informed peers lead to a safer environment for everyone&#8217;s business.</p><div><hr></div><p><strong>Why Share This Subscription?</strong> When you refer a colleague to this newsletter, you are giving them access to the same specialized insights you use to lead your team:</p><ul><li><p><strong>Zero-fluff technical execution:</strong> No high-level theory, just the steps to implement.</p></li><li><p><strong>Cost-saving vendor analysis:</strong> Honest looks at which tools are worth the SMB budget.</p></li><li><p><strong>Direct coaching frameworks:</strong> Access to the same logic I use with private coaching clients.</p></li></ul><p><strong>Pay It Forward</strong> Use the button below to share this post or your unique referral link. When your peers join our community, we all benefit from a more secure and tech-forward marketplace.</p><p class="button-wrapper" data-attrs="{&quot;url&quot;:&quot;https://substack.cpf-coaching.com/p/this-weeks-smb-risk-signals-a-vpn?utm_source=substack&utm_medium=email&utm_content=share&action=share&quot;,&quot;text&quot;:&quot;Share&quot;,&quot;action&quot;:null,&quot;class&quot;:null}" data-component-name="ButtonCreateButton"><a class="button primary" href="https://substack.cpf-coaching.com/p/this-weeks-smb-risk-signals-a-vpn?utm_source=substack&utm_medium=email&utm_content=share&action=share"><span>Share</span></a></p><p class="button-wrapper" data-attrs="{&quot;url&quot;:&quot;https://substack.cpf-coaching.com/leaderboard?&amp;utm_source=post&quot;,&quot;text&quot;:&quot;Refer a friend&quot;,&quot;action&quot;:null,&quot;class&quot;:null}" data-component-name="ButtonCreateButton"><a class="button primary" href="https://substack.cpf-coaching.com/leaderboard?&amp;utm_source=post"><span>Refer a friend</span></a></p><p>You&#8217;ve seen the "Why" behind this, but knowing the risk is only half the battle. To move from awareness to actual protection, you need a localized execution plan.</p><div><hr></div><p>The remainder of this deep dive is designed specifically for the SMB leader who needs to move fast without a massive enterprise budget. By upgrading to a paid subscription, you unlock:</p><ul><li><p><strong>The &#8220;How-To&#8221; Framework:</strong> A step-by-step breakdown of the [Process/Tool] mentioned above.</p></li><li><p><strong>Resource Toolkit:</strong> Downloadable templates and checklists I use with my private coaching clients.</p></li><li><p><strong>The Bottom Line:</strong> Direct analysis of the ROI and cost-savings associated with this strategy</p></li></ul><blockquote><p style="text-align: center;"><strong>Subscribe to Unlock the Full Strategy</strong> </p><p style="text-align: center;"><em>Join a community of SMB leaders who stop reacting to tech shifts and start leading them.</em></p><p class="button-wrapper" data-attrs="{&quot;url&quot;:&quot;https://substack.cpf-coaching.com/subscribe?&quot;,&quot;text&quot;:&quot;Subscribe now&quot;,&quot;action&quot;:null,&quot;class&quot;:null}" data-component-name="ButtonCreateButton"><a class="button primary" href="https://substack.cpf-coaching.com/subscribe?"><span>Subscribe now</span></a></p></blockquote>
      <p>
          <a href="https://substack.cpf-coaching.com/p/this-weeks-smb-risk-signals-a-vpn">
              Read more
          </a>
      </p>
   ]]></content:encoded></item><item><title><![CDATA[2026 Cybersecurity & Privacy Strategies for SMB Leaders: Navigating AI-Accelerated Threats, Exposure Management, and the California Delete Act]]></title><description><![CDATA[How AI is compressing the exploit timeline&#8212;and what SMB leaders must do to survive machine-speed ransomware and the strict California Delete Act.]]></description><link>https://substack.cpf-coaching.com/p/2026-cybersecurity-and-privacy-strategies-27d</link><guid isPermaLink="false">https://substack.cpf-coaching.com/p/2026-cybersecurity-and-privacy-strategies-27d</guid><dc:creator><![CDATA[Christophe Foulon 📓]]></dc:creator><pubDate>Fri, 12 Jun 2026 16:12:12 GMT</pubDate><enclosure url="https://substackcdn.com/image/fetch/$s_!qaqU!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F15c09140-ce94-4d2c-bd48-42b5a0235e52_1024x559.png" length="0" type="image/jpeg"/><content:encoded><![CDATA[<p></p><p>The enterprise technology and security environment has entered a phase of decisive maturity, permanently altered by the integration of artificial intelligence into the arsenals of both global defenders and highly resourced threat actors. For leaders in the small and medium-sized business (SMB) sector who span the technology, cyber, privacy, and legal domains, the events leading up to May 2026 represent a critical operational inflection point. The speed, scale, and automation of malicious cyber operations have compressed the threat lifecycle to an unprecedented degree, exposing the inherent inadequacies of reactive security paradigms and legacy vulnerability management frameworks. Concurrently, regulatory bodies across the globe, and particularly within the United States, are imposing rigorous, highly technical operational requirements on data handling, fundamentally blurring the traditional lines between IT governance, proactive cybersecurity, and legal compliance. This initial strategic briefing dissects the immediate threats observed throughout April 2026, analyzes the sweeping regulatory shifts coming into enforcement, and outlines the high-level strategic mitigations required to maintain organizational resilience.&nbsp;</p><p></p><p><strong>The Problem: AI-Accelerated Exploitation and the April 2026 Breach Wave</strong></p><p>The most profound and disruptive shift in the current cyber threat ecosystem is the radical compression of the vulnerability-to-exploit timeline. In late April 2026, the cybersecurity agency CERT-In issued a high-severity advisory directly addressing the exponential rise of AI-driven cyber threats, specifically pointing to the capabilities of advanced models and frontier AI systems. The capability of these advanced AI systems to independently analyze vast volumes of complex source code, identify zero-day vulnerabilities in widely utilized software architectures, and generate functional, weaponized exploit codes has reduced the traditional exploitation window from weeks or days to a matter of mere hours.&nbsp;</p><p>The automation offered by these adversarial AI models has significantly lowered the barrier to entry for cybercriminals, facilitating highly sophisticated credential theft, privilege escalation, and lateral movement across enterprise networks with minimal human intervention. Consequently, the financial and commercial sectors have observed massive spikes in fraudulent infrastructure; for instance, cybersecurity firm CloudSEK projected that fraudulent financial website domains would grow by 65% in 2026, alongside an 83% increase in fake financial applications, largely driven by AI-generated phishing content and deepfake-enabled fraud.&nbsp;</p><p>This theoretical risk of machine-speed exploitation materialized severely throughout April 2026, as the industry witnessed an unprecedented wave of massive data breaches impacting organizations of all sizes, proving that SMBs and large enterprises alike are squarely within the crosshairs of automated campaigns. The threat landscape was heavily dominated by the ShinyHunters ransomware group and other advanced persistent threat (APT) actors, demonstrating highly automated and scalable extortion tactics. The devastation observed across multiple sectors highlights the critical vulnerabilities inherent in third-party supply chains and unhardened infrastructure.</p><p></p><div class="captioned-image-container"><figure><a class="image-link image2 is-viewable-img" target="_blank" href="https://substackcdn.com/image/fetch/$s_!qaqU!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F15c09140-ce94-4d2c-bd48-42b5a0235e52_1024x559.png" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" srcset="https://substackcdn.com/image/fetch/$s_!qaqU!,w_424,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F15c09140-ce94-4d2c-bd48-42b5a0235e52_1024x559.png 424w, https://substackcdn.com/image/fetch/$s_!qaqU!,w_848,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F15c09140-ce94-4d2c-bd48-42b5a0235e52_1024x559.png 848w, https://substackcdn.com/image/fetch/$s_!qaqU!,w_1272,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F15c09140-ce94-4d2c-bd48-42b5a0235e52_1024x559.png 1272w, https://substackcdn.com/image/fetch/$s_!qaqU!,w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F15c09140-ce94-4d2c-bd48-42b5a0235e52_1024x559.png 1456w" sizes="100vw"><img src="https://substackcdn.com/image/fetch/$s_!qaqU!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F15c09140-ce94-4d2c-bd48-42b5a0235e52_1024x559.png" width="1024" height="559" data-attrs="{&quot;src&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/15c09140-ce94-4d2c-bd48-42b5a0235e52_1024x559.png&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:&quot;normal&quot;,&quot;height&quot;:559,&quot;width&quot;:1024,&quot;resizeWidth&quot;:null,&quot;bytes&quot;:0,&quot;alt&quot;:null,&quot;title&quot;:null,&quot;type&quot;:&quot;&quot;,&quot;href&quot;:null,&quot;belowTheFold&quot;:false,&quot;topImage&quot;:true,&quot;internalRedirect&quot;:null,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" class="sizing-normal" alt="" srcset="https://substackcdn.com/image/fetch/$s_!qaqU!,w_424,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F15c09140-ce94-4d2c-bd48-42b5a0235e52_1024x559.png 424w, https://substackcdn.com/image/fetch/$s_!qaqU!,w_848,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F15c09140-ce94-4d2c-bd48-42b5a0235e52_1024x559.png 848w, https://substackcdn.com/image/fetch/$s_!qaqU!,w_1272,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F15c09140-ce94-4d2c-bd48-42b5a0235e52_1024x559.png 1272w, https://substackcdn.com/image/fetch/$s_!qaqU!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F15c09140-ce94-4d2c-bd48-42b5a0235e52_1024x559.png 1456w" sizes="100vw" fetchpriority="high"></picture><div class="image-link-expand"><div class="pencraft pc-display-flex pc-gap-8 pc-reset"><button tabindex="0" type="button" class="pencraft pc-reset pencraft icon-container restack-image"><svg role="img" width="20" height="20" viewBox="0 0 20 20" fill="none" stroke-width="1.5" stroke="var(--color-fg-primary)" stroke-linecap="round" stroke-linejoin="round" xmlns="http://www.w3.org/2000/svg"><g><title></title><path d="M2.53001 7.81595C3.49179 4.73911 6.43281 2.5 9.91173 2.5C13.1684 2.5 15.9537 4.46214 17.0852 7.23684L17.6179 8.67647M17.6179 8.67647L18.5002 4.26471M17.6179 8.67647L13.6473 6.91176M17.4995 12.1841C16.5378 15.2609 13.5967 17.5 10.1178 17.5C6.86118 17.5 4.07589 15.5379 2.94432 12.7632L2.41165 11.3235M2.41165 11.3235L1.5293 15.7353M2.41165 11.3235L6.38224 13.0882"></path></g></svg></button><button tabindex="0" type="button" class="pencraft pc-reset pencraft icon-container view-image"><svg xmlns="http://www.w3.org/2000/svg" width="20" height="20" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round" class="lucide lucide-maximize2 lucide-maximize-2"><polyline points="15 3 21 3 21 9"></polyline><polyline points="9 21 3 21 3 15"></polyline><line x1="21" x2="14" y1="3" y2="10"></line><line x1="3" x2="10" y1="21" y2="14"></line></svg></button></div></div></div></a></figure></div><p></p><p>Enjoying it so far, why not subscribe to keep up on the change landscape and be prepared to defend your organization and advanced your career in the process.</p><p class="button-wrapper" data-attrs="{&quot;url&quot;:&quot;https://substack.cpf-coaching.com/subscribe?utm_source=email&amp;r=&quot;,&quot;text&quot;:&quot;Subscribe&quot;,&quot;action&quot;:null,&quot;class&quot;:null}" data-component-name="ButtonCreateButton"><a class="button primary" href="https://substack.cpf-coaching.com/subscribe?utm_source=email&amp;r="><span>Subscribe</span></a></p><p></p><p>Furthermore, the emergence of the "Elite Enterprise" ransomware in the wild signifies a terrifying evolution in the destructive potential of automated malware. This high-impact threat utilizes a sophisticated hybrid encryption model, combining AES-256 for rapid file encryption and RSA-4096 for asymmetric key protection, making brute-force decryption mathematically impossible. Unlike traditional ransomware, which rapidly changes file extensions and triggers immediate behavioral alarms in legacy detection systems, Elite Enterprise deliberately leaves all filenames intact post-encryption. This highly evasive tactic masks visible indicators of compromise, causing severe operational confusion for IT teams attempting to triage the incident, as users perceive spontaneous system failures or localized file corruption rather than a widespread cryptographic attack.&nbsp;</p><p>The malware executes a highly structured sequence of evasion and impairment tactics before revealing its presence. It systematically targets Windows backup architectures by terminating critical processes such as vssadmin.exe and wmic shadowcopy to permanently eradicate Volume Shadow Copies, denying the victim a rapid recovery path. It actively disables administrative and management tools, utilizing hidden windows and bootkit techniques to impair defenses, and subsequently disrupts MBR/VBR boot sectors. Only after the propagation and destruction phases are complete does it drop the ransom notes (elite_ransom.html and a text variant), demanding ransoms as high as 227 BTC. These notes operate with a 168-hour countdown timer and explicitly state that no communication or negotiation is possible, promising automatic decryption strictly upon payment&#8212;a psychological pressure tactic optimized for maximum, frictionless extortion.&nbsp;</p><p></p><p><strong>A Case Study in Critical Urgency: CVE-2026-41940 (cPanel &amp; WHM)</strong></p><p>The theoretical dangers of rapid, automated exploitation were perfectly illustrated by CVE-2026-41940, a critical vulnerability disclosed in late April 2026 affecting cPanel &amp; WHM and WP Squared platforms. Assigned a maximum CVSS score of 9.8, this vulnerability allows unauthenticated remote attackers to bypass the login flow entirely and secure root-level administrative access to the hosting control panel.&nbsp;</p><p>The root cause of this catastrophic flaw lies in how the cpsrvd (the cPanel service daemon) processes and writes new session files before authentication even occurs. Attackers are able to inject raw Carriage Return Line Feed (\r\n) characters via a malicious basic authorization header, manipulating the whostmgrsession cookie by omitting an expected segment and avoiding the standard encryption process applied to user-provided values. Because the system fails to properly sanitize this input before writing the session file to the disk, attackers can inject arbitrary properties directly into their session file, most notably appending the parameter user=root.&nbsp;</p><p>Upon triggering a reload of the session from the newly manipulated file, the attacker is instantly granted maximum administrator-level access without ever supplying a valid password. This results in the full compromise of hosted accounts, exposure of customer databases, and the ability to establish persistent backdoors for subsequent lateral movement across the hosting infrastructure. Security intelligence firms observed targeted zero-day exploitation of this specific flaw occurring in the wild as early as February 2026, months before public disclosure or patch availability, demonstrating the absolute necessity of preemptive, continuous defense structures rather than reactive patching.&nbsp;</p><h2>The Strategic Mitigation: The Paradigm Shift to Exposure Management&nbsp;</h2><p>The sheer volume of newly discovered vulnerabilities has rendered traditional vulnerability management (VM) programs mathematically and operationally impossible to sustain. With the National Vulnerability Database reporting over 42,000 Common Vulnerabilities and Exposures (CVEs) in 2025 alone, the strategy of indiscriminate patching is a verified failure, especially when enterprise organizations are faced with an average of 67 million security findings per year generated by disparate scanning tools.&nbsp;</p><p>The necessary strategic shift for SMBs and enterprise leaders alike is the transition from legacy Vulnerability Management to Continuous Threat Exposure Management (CTEM). While traditional VM focuses merely on identifying known software flaws across internal assets and prioritizing them based on generic, theoretical severity scores like CVSS, Exposure Management evaluates the actual risk based on the attacker's operational perspective. Exposure management recognizes that not every vulnerability poses a legitimate threat; an exposure only exists when a technical weakness aligns with an attacker's capabilities, is reachable within the specific network environment, and lacks sufficient mitigating controls.&nbsp;</p><p>To effectively mitigate the risks posed by AI-accelerated threats, organizations must ask critical, context-driven questions rather than blindly following vulnerability reports. Is this specific vulnerability reachable from the public internet? Does it reside on a business-critical asset that processes regulated data? Are there active, automated exploits currently observed in the wild?.&nbsp;</p><p>By focusing relentlessly on exploitability, network reachability, and business impact, Exposure Management consolidates thousands of related findings, addresses underlying root causes&#8212;such as excessive container privileges, unencrypted cloud snapshots, or identity misconfigurations&#8212;and filters out theoretical risks isolated safely behind internal firewalls. This paradigm shift allows resource-constrained SMB security teams to focus exclusively on the specific conditions that threat actors can realistically exploit. Transitioning to this model has been shown to deliver an average 40% reduction in remediation backlogs, saving organizations an estimated 33,000 hours per year and significantly reducing the operational friction between security and IT operations teams.&nbsp;</p><h2><strong>Actions for Improvement: Integrating Proactive Defense and Governance</strong></h2><p>To navigate the perilous convergence of AI-driven attacks, complex software vulnerabilities, and stringent regulatory compliance, organizations must adopt architectures built fundamentally on "secure by design" principles. Relying solely on human analysts to triage an overwhelming flood of alerts is no longer a viable defensive posture against machine-speed execution. Organizations must integrate automated containment, advanced identity governance, and modernized security operations centers (SOC) into their core operational fabric.&nbsp;</p><p></p><blockquote><p><a href="https://crowdstrike2001.partnerlinks.io/Cpf-coaching">CrowdStrike Falcon</a> is the definitive AI-native platform built to stop breaches, empowering organizations to secure their entire infrastructure at scale. This end-to-end solution unifies endpoint, cloud, and identity protection, leveraging world-class threat intelligence to keep you decisively ahead of modern, AI-powered attacks.. By implementing comprehensive, AI-native solutions like <a href="https://crowdstrike2001.partnerlinks.io/Cpf-coaching">CrowdStrike </a>Falcon, SMBs can autonomously detect behavioral anomalies, immediately isolate affected assets at the endpoint level, and effectively counter the rapid execution of modern ransomware variants before lateral movement occurs, transitioning their posture from reactive recovery to proactive prevention.</p></blockquote><p>Furthermore, cybersecurity is no longer an isolated technical discipline; it has fundamentally converged with legal and privacy compliance. In 2026, privacy regulation is defined by complex, multi-layered frameworks that rigorously test the operational realities of data governance, security visibility, and executive accountability. The United States has decisively moved beyond a fragmented patchwork of loose guidelines into a mature, highly aggressive enforcement phase.&nbsp;</p><p>On January 1, 2026, new comprehensive state privacy laws took effect in Indiana, Kentucky, and Rhode Island, granting consumers extensive rights to access, delete, and port their data, while explicitly requiring opt-in consent for sensitive data processing. Crucially, the era of regulatory leniency is abruptly ending. The 60-day "right to cure" period for the Montana Consumer Data Privacy Act (MTCDPA) expires on April 1, 2026, meaning any violations discovered are immediately enforceable by the State Attorney General without providing the business a grace period to rectify the non-compliance.&nbsp;</p><p>The most operationally disruptive legislation currently altering the landscape is the California Delete Act (SB 362), which established the highly complex Data Broker Requests and Opt-out Platform (DROP). Operational as of January 2026, this centralized governmental portal allows California residents to submit a single, verified request requiring all registered data brokers to permanently delete their personal data. By the strict deadline of August 1, 2026, businesses classified as data brokers must access this platform continuously&#8212;at least every 45 days&#8212;and flawlessly honor all deletion requests across their entire digital supply chain. This legislation transforms data deletion from a simple administrative task into an intensive, highly automated, and legally perilous engineering requirement. Organizations must now urgently align their cybersecurity exposure management with their data privacy obligations, utilizing strict identity and access controls to govern data sprawl, rapidly satisfy consumer rights requests, and withstand the inevitable wave of stringent regulatory audits.&nbsp;</p><p></p><p>If you have enjoyed the free portion of this blog, there is even more of this great content in the premium content, so why not become a paid subscriber today?</p><p></p><p class="button-wrapper" data-attrs="{&quot;url&quot;:&quot;https://substack.cpf-coaching.com/subscribe?utm_source=email&amp;r=&quot;,&quot;text&quot;:&quot;Subscribe&quot;,&quot;action&quot;:null,&quot;class&quot;:null}" data-component-name="ButtonCreateButton"><a class="button primary" href="https://substack.cpf-coaching.com/subscribe?utm_source=email&amp;r="><span>Subscribe</span></a></p><p>Can you think of others who could value from this substack as well, why not share it them, share it with enough folks and you will get some free months yourself too!</p><p></p><p class="button-wrapper" data-attrs="{&quot;url&quot;:&quot;https://substack.cpf-coaching.com/p/2026-cybersecurity-and-privacy-strategies-27d?utm_source=substack&utm_medium=email&utm_content=share&action=share&quot;,&quot;text&quot;:&quot;Share&quot;,&quot;action&quot;:null,&quot;class&quot;:null}" data-component-name="ButtonCreateButton"><a class="button primary" href="https://substack.cpf-coaching.com/p/2026-cybersecurity-and-privacy-strategies-27d?utm_source=substack&utm_medium=email&utm_content=share&action=share"><span>Share</span></a></p><p></p><p></p><p></p>
      <p>
          <a href="https://substack.cpf-coaching.com/p/2026-cybersecurity-and-privacy-strategies-27d">
              Read more
          </a>
      </p>
   ]]></content:encoded></item><item><title><![CDATA[The June 2026 Executive Guide to Proactive Cyber and Privacy Defense]]></title><description><![CDATA[Definitive blueprints for neutralizing file server vulnerabilities, hardening physical infrastructure, and auditing AI vendor claims.]]></description><link>https://substack.cpf-coaching.com/p/critical-server-crashes-exposed-industrial</link><guid isPermaLink="false">https://substack.cpf-coaching.com/p/critical-server-crashes-exposed-industrial</guid><dc:creator><![CDATA[Christophe Foulon 📓]]></dc:creator><pubDate>Sat, 06 Jun 2026 13:42:49 GMT</pubDate><enclosure url="https://substackcdn.com/image/fetch/$s_!RvOR!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F4b33b966-5609-4f51-86e4-496a3dcbe0bb_2752x1536.png" length="0" type="image/jpeg"/><content:encoded><![CDATA[<p>The paradigm of prioritizing only remote code execution vulnerabilities must evolve. On June 5, 2026, CISA added CVE-2026-28318 to its Known Exploited Vulnerabilities catalog, highlighting a high-sev&#8230;</p>
      <p>
          <a href="https://substack.cpf-coaching.com/p/critical-server-crashes-exposed-industrial">
              Read more
          </a>
      </p>
   ]]></content:encoded></item><item><title><![CDATA[Is the SMB Software Supply Chain Broken? Inside the May 2026 Code Breaches]]></title><description><![CDATA[In May 2026, cybersecurity risks have shifted.]]></description><link>https://substack.cpf-coaching.com/p/is-the-smb-software-supply-chain</link><guid isPermaLink="false">https://substack.cpf-coaching.com/p/is-the-smb-software-supply-chain</guid><dc:creator><![CDATA[Christophe Foulon 📓]]></dc:creator><pubDate>Fri, 29 May 2026 12:36:39 GMT</pubDate><enclosure url="https://substackcdn.com/image/fetch/$s_!zjgO!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F2b6be8d9-a7a7-460e-bdab-5c55a25d9f9b_2752x1536.png" length="0" type="image/jpeg"/><content:encoded><![CDATA[<p>In May 2026, cybersecurity risks have shifted. Attackers are now focusing on software supply chains and administrative systems, while regulatory requirements around AI and consumer data are increasin&#8230;</p>
      <p>
          <a href="https://substack.cpf-coaching.com/p/is-the-smb-software-supply-chain">
              Read more
          </a>
      </p>
   ]]></content:encoded></item><item><title><![CDATA[The May 2026 Executive Guide to Strategic Cyber and Privacy Resilience]]></title><description><![CDATA[Equip the organization against May 2026's most critical threats. Discover strategic mitigations for Ivanti zero-days, AI risks, and CIPA pixel litigation.]]></description><link>https://substack.cpf-coaching.com/p/active-zero-days-ai-capabilities</link><guid isPermaLink="false">https://substack.cpf-coaching.com/p/active-zero-days-ai-capabilities</guid><dc:creator><![CDATA[Christophe Foulon 📓]]></dc:creator><pubDate>Sat, 23 May 2026 13:39:21 GMT</pubDate><enclosure url="https://substackcdn.com/image/fetch/$s_!b_D1!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F2c282480-0789-4e77-a2fa-8008d6414746_2816x1536.png" length="0" type="image/jpeg"/><content:encoded><![CDATA[<p>I just returned from Washington, D.C., where I attended the 2026 National Cyber Innovation Forum at the U.S. Capitol, hosted by GMU&#8217;s National Security Institute. Sitting in a room with senior leaders from across government, industry, and venture capital, I found the conversations heavily focused on advancing our national defense, protecting critical infrastructure from state-backed intrusions, and preparing for emerging AI-enabled risks.</p><p>But as I listened to these high-level discussions regarding global digital hegemony and national security strategy, it struck me how perfectly these macro-level trends align with the immediate, operational realities we face every day in the SMB and mid-market space. The threats they are tracking at the Capitol are the exact same forces showing up in our networks and legal dockets this week.</p><p>The rapid acceleration of AI capabilities, highlighted by the diverging approaches of Anthropic&#8217;s Project Glasswing and OpenAI&#8217;s new Daybreak initiative, isn&#8217;t just a theoretical national security concern; it is fundamentally altering the speed at which vulnerabilities are weaponized against the software we rely on. The persistent, chained zero-day attacks on edge appliances, such as the active exploitation we are seeing right now with Ivanti EPMM, demonstrate exactly how advanced threat capabilities trickle down to exploit resource-constrained IT teams. And when you combine these sophisticated cyber threats with the aggressive wave of CIPA privacy litigation targeting our basic website tracking tools, the mandate for leadership is crystal clear.</p><p>We can no longer afford to treat cybersecurity and privacy as isolated IT checkboxes. They are centralized imperatives: business continuity, revenue, and brand trust. Here is my strategic breakdown of the three critical events converging on our landscape this week, and more importantly, the exact steps we need to take to build proactive resilience.</p><p>The threat landscape in May 2026 underscores a clear reality: cyber risk is a critical issue for revenue, hiring, and brand trust, extending far beyond the traditional IT department.<sup>2</sup> The convergence of automated artificial intelligence capabilities, persistent vulnerabilities in edge appliances, and aggressive privacy litigation has created a highly volatile environment for organizations of all sizes.<sup>7</sup> The World Economic Forum<sup>&#8217;</sup>s Global Cybersecurity Outlook for 2026 reveals that 94% of surveyed executives anticipate AI to be the most significant driver of change in the industry, while geopolitical fragmentation continues to elevate the baseline risk for critical infrastructure and private enterprise alike.<sup>7</sup></p><div class="captioned-image-container"><figure><a class="image-link image2 is-viewable-img" target="_blank" href="https://substackcdn.com/image/fetch/$s_!b_D1!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F2c282480-0789-4e77-a2fa-8008d6414746_2816x1536.png" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" srcset="https://substackcdn.com/image/fetch/$s_!b_D1!,w_424,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F2c282480-0789-4e77-a2fa-8008d6414746_2816x1536.png 424w, https://substackcdn.com/image/fetch/$s_!b_D1!,w_848,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F2c282480-0789-4e77-a2fa-8008d6414746_2816x1536.png 848w, https://substackcdn.com/image/fetch/$s_!b_D1!,w_1272,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F2c282480-0789-4e77-a2fa-8008d6414746_2816x1536.png 1272w, https://substackcdn.com/image/fetch/$s_!b_D1!,w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F2c282480-0789-4e77-a2fa-8008d6414746_2816x1536.png 1456w" sizes="100vw"><img src="https://substackcdn.com/image/fetch/$s_!b_D1!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F2c282480-0789-4e77-a2fa-8008d6414746_2816x1536.png" width="1456" height="794" data-attrs="{&quot;src&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/2c282480-0789-4e77-a2fa-8008d6414746_2816x1536.png&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:null,&quot;height&quot;:794,&quot;width&quot;:1456,&quot;resizeWidth&quot;:null,&quot;bytes&quot;:7460630,&quot;alt&quot;:null,&quot;title&quot;:null,&quot;type&quot;:&quot;image/png&quot;,&quot;href&quot;:null,&quot;belowTheFold&quot;:false,&quot;topImage&quot;:true,&quot;internalRedirect&quot;:&quot;https://substack.cpf-coaching.com/i/198958391?img=https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F2c282480-0789-4e77-a2fa-8008d6414746_2816x1536.png&quot;,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" class="sizing-normal" alt="" srcset="https://substackcdn.com/image/fetch/$s_!b_D1!,w_424,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F2c282480-0789-4e77-a2fa-8008d6414746_2816x1536.png 424w, https://substackcdn.com/image/fetch/$s_!b_D1!,w_848,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F2c282480-0789-4e77-a2fa-8008d6414746_2816x1536.png 848w, https://substackcdn.com/image/fetch/$s_!b_D1!,w_1272,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F2c282480-0789-4e77-a2fa-8008d6414746_2816x1536.png 1272w, https://substackcdn.com/image/fetch/$s_!b_D1!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F2c282480-0789-4e77-a2fa-8008d6414746_2816x1536.png 1456w" sizes="100vw" fetchpriority="high"></picture><div class="image-link-expand"><div class="pencraft pc-display-flex pc-gap-8 pc-reset"><button tabindex="0" type="button" class="pencraft pc-reset pencraft icon-container restack-image"><svg role="img" width="20" height="20" viewBox="0 0 20 20" fill="none" stroke-width="1.5" stroke="var(--color-fg-primary)" stroke-linecap="round" stroke-linejoin="round" xmlns="http://www.w3.org/2000/svg"><g><title></title><path d="M2.53001 7.81595C3.49179 4.73911 6.43281 2.5 9.91173 2.5C13.1684 2.5 15.9537 4.46214 17.0852 7.23684L17.6179 8.67647M17.6179 8.67647L18.5002 4.26471M17.6179 8.67647L13.6473 6.91176M17.4995 12.1841C16.5378 15.2609 13.5967 17.5 10.1178 17.5C6.86118 17.5 4.07589 15.5379 2.94432 12.7632L2.41165 11.3235M2.41165 11.3235L1.5293 15.7353M2.41165 11.3235L6.38224 13.0882"></path></g></svg></button><button tabindex="0" type="button" class="pencraft pc-reset pencraft icon-container view-image"><svg xmlns="http://www.w3.org/2000/svg" width="20" height="20" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round" class="lucide lucide-maximize2 lucide-maximize-2"><polyline points="15 3 21 3 21 9"></polyline><polyline points="9 21 3 21 3 15"></polyline><line x1="21" x2="14" y1="3" y2="10"></line><line x1="3" x2="10" y1="21" y2="14"></line></svg></button></div></div></div></a></figure></div><div class="subscription-widget-wrap-editor" data-attrs="{&quot;url&quot;:&quot;https://substack.cpf-coaching.com/subscribe?&quot;,&quot;text&quot;:&quot;Subscribe&quot;,&quot;language&quot;:&quot;en&quot;}" data-component-name="SubscribeWidgetToDOM"><div class="subscription-widget show-subscribe"><div class="preamble"><p class="cta-caption">SMB Tech &amp; Cybersecurity Leadership Newsletter is a reader-supported publication. To receive new posts and support my work, consider becoming a free or paid subscriber.</p></div><form class="subscription-widget-subscribe"><input type="email" class="email-input" name="email" placeholder="Type your email&#8230;" tabindex="-1"><input type="submit" class="button primary" value="Subscribe"><div class="fake-input-wrapper"><div class="fake-input"></div><div class="fake-button"></div></div></form></div></div><div><hr></div><p>This geopolitical volatility is manifesting as tangible disruptions, as evidenced by recent disclosures in the Indian financial sector, where major institutions such as HDFC Asset Management Company reported cybersecurity incidents requiring the immediate activation of containment protocols.<sup>8</sup> As high-value cyber fraud incidents surge and cyber-threat literacy ascends to the number one global people risk <sup>2</sup>, technology, privacy, and legal leadership face a clear mandate. Isolated technical defenses are insufficient. Organizations must implement strategic, cross-functional resilience protocols that address both sophisticated threat actors and stringent regulatory enforcement simultaneously.</p><h3><strong>1. The Exploitation of Ivanti EPMM: When Credential Reuse Meets Zero-Day Vulnerabilities</strong></h3><p>The paradigm of applying a single patch and moving on has been fundamentally shattered by the latest campaigns targeting edge appliances. On May 7, 2026, the Cybersecurity and Infrastructure Security Agency (CISA) added CVE-2026-6973 to its Known Exploited Vulnerabilities (KEV) catalog.<sup>9</sup> This high-severity improper input validation vulnerability affects Ivanti Endpoint Manager Mobile (EPMM).<sup>11</sup></p><p>The underlying concern for leadership is not merely the existence of a new software flaw, but the sophisticated, chained exploitation tactics utilized by threat actors. Attackers are not exploiting CVE-2026-6973 in isolation. Instead, they are utilizing administrative credentials stolen during the exploitation of earlier flaws (CVE-2026-1340 and CVE-2026-1281) in January 2026 to authenticate and trigger the newly discovered remote code execution vulnerability.<sup>3</sup> Because CVE-2026-6973 requires administrative authentication to be successfully exploited <sup>10</sup>, organizations that applied the January firmware patches but failed to rigorously rotate all administrative credentials remain heavily exposed to total appliance compromise.<sup>3</sup></p><p>This scenario perfectly illustrates the resource constraints and operational fatigue inherent in small and mid-sized businesses (SMBs) with lean IT departments. The failure to conduct comprehensive post-incident cleanup&#8212;specifically, auditing and resetting elevated-privilege accounts&#8212;creates an immediate pathway for attackers.<sup>3</sup> Furthermore, the May update from Ivanti addressed four additional vulnerabilities alongside CVE-2026-6973, reinforcing the reality that edge appliances remain highly lucrative targets for adversarial groups.<sup>10</sup></p><p>To mitigate this risk, technical teams must immediately decouple the assumption that software patching equates to absolute remediation. Leadership must mandate verification that both the software update and the corresponding credential rotation have been executed simultaneously. Strategic actions include verifying that all Ivanti EPMM appliances have been updated to versions 12.6.1.1, 12.7.0.1, or 12.8.0.1.<sup>13</sup> Concurrently, organizations must force a mandatory rotation of all administrative credentials and API keys associated with the EPMM environment, regardless of when they were last changed.<sup>12</sup> Finally, system logs must be audited for unauthorized administrative access originating from unexpected geographical locations or anomalous IP addresses over the past 90 days.</p><div class="callout-block" data-callout="true"><p><strong>Sponsor Spotlight: Cyvatar.AI</strong> Cyvatar.AI delivers an enterprise-grade, managed endpoint protection solution specifically designed to empower organizations in the digital and cloud era. This affordable, AI-driven platform provides continuous monitoring and response without the cost or complexity of an in-house team. By offloading the burden of continuous patch verification and credential auditing to Cyvatar.AI, leadership can focus on core business operations while ensuring critical edge appliances are secure against chained exploits. <a href="https://cyvataraif5706.referralrock.com/l/CHRISTOPHE77/">Learn how to secure endpoints today</a> </p></div><h3><strong>2. The Dual-Use AI Paradigm: Anthropic&#8217;s Project Glasswing and Claude Mythos</strong></h3><p>Artificial intelligence has historically been viewed primarily as a productivity enhancement, but May 2026 marks its undeniable, mainstream entry into autonomous cyber warfare and defense. Anthropic recently unveiled Project Glasswing, a highly restricted cybersecurity initiative leveraging its unreleased frontier AI model, Claude Mythos, in partnership with technology giants such as AWS, Google, Microsoft, and CrowdStrike.<sup>14</sup></p><p>The capabilities demonstrated by Claude Mythos demand immediate strategic attention from executive leadership. The model possesses an unprecedented ability to autonomously discover and exploit vulnerabilities that have evaded human detection and automated testing for decades, including a 27-year-old flaw in OpenBSD and a 16-year-old bug in FFmpeg.<sup>4</sup> Furthermore, Anthropic noted that Mythos autonomously chained several vulnerabilities within the Linux kernel to escalate privileges from an ordinary user to total machine control.<sup>16</sup> High-capability AI models like Mythos drastically compress the time between the discovery of a vulnerability and the deployment of a weaponized exploit.<sup>2</sup> Attackers will inevitably utilize similar agentic reasoning capabilities, entirely eliminating the traditional operational window organizations rely upon for testing and deploying patches.<sup>4</sup></p><p>The implications of autonomous AI in cybersecurity are so profound that Anthropic has been tasked with briefing the global Financial Stability Board (FSB), chaired by the governor of the Bank of England, regarding the potential systemic threat these models pose to global financial infrastructure.<sup>17</sup> The International Monetary Fund (IMF) has echoed these concerns, warning that inconsistent oversight of fast-moving AI developments could weaken the globally interconnected financial system.<sup>17</sup></p><p>Organizations can no longer rely exclusively on annual, point-in-time penetration tests. The defense strategy must evolve to include continuous, automated security assessments that keep pace with the velocity of AI-driven offensive capabilities. Leadership should initiate a comprehensive review of the organization&#8217;s Secure Software Development Lifecycle (SSDLC) to ensure security testing is shifted entirely left and integrated continuously into the deployment pipeline.<sup>18</sup> Furthermore, organizations must evaluate the integration of defensive AI tooling to assist lean security teams in analyzing codebases and configurations at a scale that was previously impossible without massive enterprise budgets.<sup>18</sup> Finally, strict access controls and zero-trust principles around critical data must be established, operating under the assumption that traditional perimeter defenses will eventually be bypassed by sophisticated AI agent chaining.</p><div class="callout-block" data-callout="true"><p><strong>Sponsor Spotlight: Airia AI.</strong> As AI capabilities accelerate, deploying artificial intelligence safely within the enterprise is paramount. Airia<sup>&#8217;</sup>s Enterprise AI Orchestration Platform delivers comprehensive security controls that protect organizational data, ensure compliance, and maintain enterprise governance throughout the AI journey. Deploy with confidence knowing that all internal AI initiatives are protected by industry-leading security architecture designed to prevent data leakage and ensure regulatory alignment. <a href="https://try.airia.com/CPF-coaching">Explore secure AI orchestration with Airia</a> </p></div><h3><strong>3. The &#8220;Millisecond Problem&#8221;: Pre-Consent Pixel Firing and CIPA Litigation</strong></h3><p>While technical teams battle zero-day exploits and AI advancements, legal and marketing departments are facing an unprecedented crisis regarding basic website functionality. A niche legal theory originating in California has rapidly evolved into a nationwide plaintiffs&#8217; playbook, with legal dockets inundated with over 3,500 expected class-action lawsuits in 2026 that leverage the California Invasion of Privacy Act (CIPA).<sup>5</sup> The litigation specifically targets the use of routine website tracking technologies, such as Meta, Google, and TikTok pixels, as well as session replay scripts.<sup>5</sup></p><p>The core issue driving this litigation is characterized as the &#8220;millisecond problem.&#8221;.<sup>6</sup> Plaintiffs&#8217; attorneys are focusing entirely on the sequence of operations during a website visit. If a third-party tracking pixel fires and transmits data to an external server before the user explicitly interacts with the website&#8217;s cookie consent banner, it is being legally classified as an unlawful interception of communications under CIPA.<sup>6</sup> CIPA violations carry severe statutory damages of up to $5,000 per violation.<sup>19</sup> When these damages are multiplied across tens of thousands of website visitors in a class action format, even a minor configuration error in a marketing script can result in multi-million dollar exposure, directly threatening the solvency of mid-market organizations. <sup>20</sup></p><p>Adding to the complexity is the &#8220;Broken Banner&#8221; scenario.<sup>6</sup> Courts have heavily scrutinized situations where a user interacts with a consent banner and explicitly rejects non-essential cookies, but the website&#8217;s tag manager fails to honor that choice across all interconnected third-party vendors.<sup>6</sup> This failure transforms a technical misconfiguration into a deceptive practice, inviting unfair competition claims alongside privacy violations.<sup>6</sup> For example, Tractor Supply recently faced a $1.35 million fine simply for providing users with a non-functional webform to opt-out of data sharing.<sup>21</sup></p><p>Marketing, IT, and legal departments must urgently bridge the historical gap between written privacy policies and actual technical implementation. Consent management is no longer merely a user interface design choice; it is a critical compliance mechanism requiring rigorous technical validation. Leadership must mandate an immediate technical audit of the organization&#8217;s website to inventory all third-party tracking scripts, pixels, and session replay tools.<sup>20</sup> The website&#8217;s Consent Management Platform (CMP) must be strictly configured to block all non-essential tracking scripts by default until affirmative, explicit consent is granted by the user.<sup>5</sup> Routine testing of this consent architecture must be conducted using browser developer tools to verify that rejection signals successfully suppress all outbound telemetry in real-time.</p><div class="callout-block" data-callout="true"><p><strong>Sponsor Spotlight: Omnistruct</strong> Navigating the complexities of CIPA, CCPA, and global privacy mandates requires more than just legal advice; it requires technical execution. Omnistruct provides the strategic expertise necessary to build and scale comprehensive privacy, GRC, and security programs. Serving as an embedded security partner, Omnistruct delivers the executive-level guidance and hands-on technical support needed to ensure privacy architectures&#8212;including complex consent management platforms&#8212;align perfectly with stringent legal frameworks, empowering organizations to achieve their marketing goals without sacrificing compliance. <br><a href="https://omnistruct.com/partners/influencers-meet-omnistruct/">https://omnistruct.com/partners/influencers-meet-omnistruct/</a>  Just let them know CPF Coaching sent them your way, or reach out to me for a <a href="mailto:info@cpf-coaching.com   Omnistruct Introduction">formal introduction</a></p></div><h3><strong>Final Thoughts for Leaders</strong></h3><p>Cybersecurity and privacy compliance can no longer be delegated as purely technical or administrative functions; they are centralized business risk imperatives requiring board-level visibility.<sup>2</sup> The events of May 2026 demonstrate that technological capabilities&#8212;whether in the form of autonomous AI discovering kernel flaws or weaponized litigation targeting marketing pixels&#8212;are scaling far faster than traditional enterprise defenses. True organizational resilience requires moving beyond reactive compliance checklists and perimeter patching. Leadership must foster an environment in which continuous credential auditing, proactive threat hunting, and rigorous technical validation of privacy architectures are embedded in daily business operations. The immediate directive for executives is to thoroughly verify that the organization&#8217;s stated security and privacy policies fundamentally align with the technical realities operating under the surface.</p><p></p><h3>Help Other Leaders Secure Their Future</h3><p><strong>The Network Effect of SMB Security</strong> </p><p>The most effective way to strengthen our SMB community is to share strategies that actually work in the field. If you find value in these technical deep dives, helping a fellow leader bridge their tech gap makes the entire ecosystem more resilient. Cybersecurity is a collective effort, and more informed peers lead to a safer environment for everyone&#8217;s business.</p><p><strong>Why Share This Subscription?</strong> When you refer a colleague to this newsletter, you are giving them access to the same specialized insights you use to lead your team:</p><ul><li><p><strong>Zero-fluff technical execution:</strong> No high-level theory, just the steps to implement.</p></li><li><p><strong>Cost-saving vendor analysis:</strong> Honest looks at which tools are worth the cost for SMB budgets.</p></li><li><p><strong>Direct coaching frameworks:</strong> Access to the same logic I use with private coaching clients.</p></li></ul><p><strong>Pay It Forward</strong> Use the button below to share this post or your unique referral link. When your peers join our community, we all benefit from a more secure and tech-forward marketplace.</p><p class="button-wrapper" data-attrs="{&quot;url&quot;:&quot;https://substack.cpf-coaching.com/leaderboard?&amp;utm_source=post&quot;,&quot;text&quot;:&quot;Refer a friend&quot;,&quot;action&quot;:null,&quot;class&quot;:null}" data-component-name="ButtonCreateButton"><a class="button primary" href="https://substack.cpf-coaching.com/leaderboard?&amp;utm_source=post"><span>Refer a friend</span></a></p><p class="button-wrapper" data-attrs="{&quot;url&quot;:&quot;https://substack.cpf-coaching.com/p/active-zero-days-ai-capabilities?utm_source=substack&utm_medium=email&utm_content=share&action=share&quot;,&quot;text&quot;:&quot;Share&quot;,&quot;action&quot;:null,&quot;class&quot;:null}" data-component-name="ButtonCreateButton"><a class="button primary" href="https://substack.cpf-coaching.com/p/active-zero-days-ai-capabilities?utm_source=substack&utm_medium=email&utm_content=share&action=share"><span>Share</span></a></p><p class="button-wrapper" data-attrs="{&quot;url&quot;:&quot;https://substack.cpf-coaching.com/subscribe?&amp;gift=true&quot;,&quot;text&quot;:&quot;Give a gift subscription&quot;,&quot;action&quot;:null,&quot;class&quot;:null}" data-component-name="ButtonCreateButton"><a class="button primary" href="https://substack.cpf-coaching.com/subscribe?&amp;gift=true"><span>Give a gift subscription</span></a></p><p>You&#8217;ve seen the "Why" behind this [Cyber/Tech Issue]&#8212;but knowing the risk is only half the battle. To move from awareness to actual protection, you need a localized execution plan.</p><p>The remainder of this deep dive is designed specifically for the SMB leader who needs to move fast without a massive enterprise budget. By upgrading to a paid subscription, you unlock:</p><ul><li><p><strong>The &#8220;How-To&#8221; Framework:</strong> A step-by-step breakdown of the [Process/Tool] mentioned above.</p></li><li><p><strong>Resource Toolkit:</strong> Downloadable templates and checklists I use with my private coaching clients.</p></li><li><p><strong>The Bottom Line:</strong> Direct analysis of the ROI and cost-savings associated with this strategy</p></li></ul><blockquote><p style="text-align: center;"><strong>Subscribe to Unlock the Full Strategy</strong> </p><p style="text-align: center;"><em>Join a community of SMB leaders who stop reacting to tech shifts and start leading them.</em></p></blockquote>
      <p>
          <a href="https://substack.cpf-coaching.com/p/active-zero-days-ai-capabilities">
              Read more
          </a>
      </p>
   ]]></content:encoded></item><item><title><![CDATA[Moving from 'Pay and Chase' to 'Stop and Catch': The Frontlines of the Fraud Fight]]></title><description><![CDATA[The Bottom Line: Federal program fraud is a massive financial and societal crisis diverting hundreds of billions of dollars from taxpayers.]]></description><link>https://substack.cpf-coaching.com/p/moving-from-pay-and-chase-to-stop</link><guid isPermaLink="false">https://substack.cpf-coaching.com/p/moving-from-pay-and-chase-to-stop</guid><dc:creator><![CDATA[Christophe Foulon 📓]]></dc:creator><pubDate>Thu, 21 May 2026 21:36:08 GMT</pubDate><enclosure url="https://substackcdn.com/image/fetch/$s_!YfY-!,w_256,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fcc0ea6f9-9832-41d8-9807-cbdc9be949f0_640x640.png" length="0" type="image/jpeg"/><content:encoded><![CDATA[<p></p><p><strong>The Bottom Line: </strong>Federal program fraud is a massive financial and societal crisis diverting hundreds of billions of dollars from taxpayers. However, a new executive order driven multi-agency task for&#8230;</p>
      <p>
          <a href="https://substack.cpf-coaching.com/p/moving-from-pay-and-chase-to-stop">
              Read more
          </a>
      </p>
   ]]></content:encoded></item><item><title><![CDATA[The DoD Warning: Why AI and Cybersecurity Are Now One Discipline]]></title><description><![CDATA[The biggest risk to your organization is no longer deploying AI incorrectly, it is not deploying it at all.]]></description><link>https://substack.cpf-coaching.com/p/the-dod-warning-why-ai-and-cybersecurity</link><guid isPermaLink="false">https://substack.cpf-coaching.com/p/the-dod-warning-why-ai-and-cybersecurity</guid><dc:creator><![CDATA[Christophe Foulon 📓]]></dc:creator><pubDate>Thu, 21 May 2026 20:24:10 GMT</pubDate><enclosure url="https://substackcdn.com/image/fetch/$s_!YfY-!,w_256,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fcc0ea6f9-9832-41d8-9807-cbdc9be949f0_640x640.png" length="0" type="image/jpeg"/><content:encoded><![CDATA[<p>The convergence of artificial intelligence and cybersecurity is no longer a future prediction. It is an immediate reality. Based on recent insights from the Department of Defense, these two fields ar&#8230;</p>
      <p>
          <a href="https://substack.cpf-coaching.com/p/the-dod-warning-why-ai-and-cybersecurity">
              Read more
          </a>
      </p>
   ]]></content:encoded></item><item><title><![CDATA[The Defender's Head Start]]></title><description><![CDATA[How AI is Flipping the Script on Vulnerability Management]]></description><link>https://substack.cpf-coaching.com/p/the-defenders-head-start</link><guid isPermaLink="false">https://substack.cpf-coaching.com/p/the-defenders-head-start</guid><dc:creator><![CDATA[Christophe Foulon 📓]]></dc:creator><pubDate>Thu, 21 May 2026 19:08:39 GMT</pubDate><enclosure url="https://substackcdn.com/image/fetch/$s_!YfY-!,w_256,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fcc0ea6f9-9832-41d8-9807-cbdc9be949f0_640x640.png" length="0" type="image/jpeg"/><content:encoded><![CDATA[<p>At the recent National Cyber Innovation Forum, Anthropic's Rob Blair shared critical insights regarding their new "Mythos" capabilities. The bottom line for tech and cyber leaders is clear. We curren&#8230;</p>
      <p>
          <a href="https://substack.cpf-coaching.com/p/the-defenders-head-start">
              Read more
          </a>
      </p>
   ]]></content:encoded></item><item><title><![CDATA[Autonomous AI and Zero-Day Threats: The May 2026 SMB Strategic Briefing]]></title><description><![CDATA[An exhaustive strategic briefing for SMB leaders on the latest May 2026 tech, cyber, and privacy events. Discover mitigations for the Linux "Copy Fail" zero-day, defenses against rogue AI agents, and frameworks for strict GPC compliance.]]></description><link>https://substack.cpf-coaching.com/p/autonomous-ai-and-zero-day-threats</link><guid isPermaLink="false">https://substack.cpf-coaching.com/p/autonomous-ai-and-zero-day-threats</guid><dc:creator><![CDATA[Christophe Foulon 📓]]></dc:creator><pubDate>Fri, 15 May 2026 11:34:23 GMT</pubDate><enclosure url="https://substackcdn.com/image/fetch/$s_!roVv!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F9a32372c-6292-4a92-be15-1fd05d63c3b8_2816x1536.png" length="0" type="image/jpeg"/><content:encoded><![CDATA[<h2>Open-Access Strategic Briefing</h2><p>This section addresses the four most critical events and overarching trends impacting the SMB technology sector over the past week, delineating the core problems, the re&#8230;</p>
      <p>
          <a href="https://substack.cpf-coaching.com/p/autonomous-ai-and-zero-day-threats">
              Read more
          </a>
      </p>
   ]]></content:encoded></item><item><title><![CDATA[Are SEC Disclosure Rules and State Privacy Laws Outpacing SMB Defenses?]]></title><description><![CDATA[Navigate May 2026's critical cybersecurity threats, privacy regulations, and AI governance mandates. Equip the enterprise with our strategic frameworks.]]></description><link>https://substack.cpf-coaching.com/p/are-sec-disclosure-rules-and-state</link><guid isPermaLink="false">https://substack.cpf-coaching.com/p/are-sec-disclosure-rules-and-state</guid><dc:creator><![CDATA[Christophe Foulon 📓]]></dc:creator><pubDate>Sat, 09 May 2026 17:10:17 GMT</pubDate><enclosure url="https://substackcdn.com/image/fetch/$s_!OaOk!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F2f648222-08d8-4db2-a27b-6f51acabb796_2816x1536.png" length="0" type="image/jpeg"/><content:encoded><![CDATA[<p>The contemporary threat environment dictates that technology and legal leaders can no longer operate in silos. The period spanning April to May 2026 has witnessed unprecedented convergence across the domains of cybersecurity, data privacy, and artificial intelligence (AI) regulation. SMB technology leaders, legal counsel, and privacy officers are simultaneously confronting sophisticated supply chain breaches, a rapidly fracturing state and federal privacy legislative landscape, and the operational integration of emerging AI governance standards. You are facing a crucible where threat actors are weaponizing identity, while regulators are simultaneously enforcing strict data minimization and rapid disclosure mandates. This strategic briefing provides the necessary context, threat mechanics, and actionable frameworks required for immediate organizational resilience.</p><p></p><div class="captioned-image-container"><figure><a class="image-link image2 is-viewable-img" target="_blank" href="https://substackcdn.com/image/fetch/$s_!OaOk!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F2f648222-08d8-4db2-a27b-6f51acabb796_2816x1536.png" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" srcset="https://substackcdn.com/image/fetch/$s_!OaOk!,w_424,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F2f648222-08d8-4db2-a27b-6f51acabb796_2816x1536.png 424w, https://substackcdn.com/image/fetch/$s_!OaOk!,w_848,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F2f648222-08d8-4db2-a27b-6f51acabb796_2816x1536.png 848w, https://substackcdn.com/image/fetch/$s_!OaOk!,w_1272,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F2f648222-08d8-4db2-a27b-6f51acabb796_2816x1536.png 1272w, https://substackcdn.com/image/fetch/$s_!OaOk!,w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F2f648222-08d8-4db2-a27b-6f51acabb796_2816x1536.png 1456w" sizes="100vw"><img src="https://substackcdn.com/image/fetch/$s_!OaOk!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F2f648222-08d8-4db2-a27b-6f51acabb796_2816x1536.png" width="1456" height="794" data-attrs="{&quot;src&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/2f648222-08d8-4db2-a27b-6f51acabb796_2816x1536.png&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:null,&quot;height&quot;:794,&quot;width&quot;:1456,&quot;resizeWidth&quot;:null,&quot;bytes&quot;:7670942,&quot;alt&quot;:&quot;SEC and Privacy Requirements outpacing SMB defenses&quot;,&quot;title&quot;:null,&quot;type&quot;:&quot;image/png&quot;,&quot;href&quot;:null,&quot;belowTheFold&quot;:false,&quot;topImage&quot;:true,&quot;internalRedirect&quot;:&quot;https://substack.cpf-coaching.com/i/197018165?img=https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F2f648222-08d8-4db2-a27b-6f51acabb796_2816x1536.png&quot;,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" class="sizing-normal" alt="SEC and Privacy Requirements outpacing SMB defenses" title="SEC and Privacy Requirements outpacing SMB defenses" srcset="https://substackcdn.com/image/fetch/$s_!OaOk!,w_424,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F2f648222-08d8-4db2-a27b-6f51acabb796_2816x1536.png 424w, https://substackcdn.com/image/fetch/$s_!OaOk!,w_848,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F2f648222-08d8-4db2-a27b-6f51acabb796_2816x1536.png 848w, https://substackcdn.com/image/fetch/$s_!OaOk!,w_1272,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F2f648222-08d8-4db2-a27b-6f51acabb796_2816x1536.png 1272w, https://substackcdn.com/image/fetch/$s_!OaOk!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F2f648222-08d8-4db2-a27b-6f51acabb796_2816x1536.png 1456w" sizes="100vw" fetchpriority="high"></picture><div class="image-link-expand"><div class="pencraft pc-display-flex pc-gap-8 pc-reset"><button tabindex="0" type="button" class="pencraft pc-reset pencraft icon-container restack-image"><svg role="img" width="20" height="20" viewBox="0 0 20 20" fill="none" stroke-width="1.5" stroke="var(--color-fg-primary)" stroke-linecap="round" stroke-linejoin="round" xmlns="http://www.w3.org/2000/svg"><g><title></title><path d="M2.53001 7.81595C3.49179 4.73911 6.43281 2.5 9.91173 2.5C13.1684 2.5 15.9537 4.46214 17.0852 7.23684L17.6179 8.67647M17.6179 8.67647L18.5002 4.26471M17.6179 8.67647L13.6473 6.91176M17.4995 12.1841C16.5378 15.2609 13.5967 17.5 10.1178 17.5C6.86118 17.5 4.07589 15.5379 2.94432 12.7632L2.41165 11.3235M2.41165 11.3235L1.5293 15.7353M2.41165 11.3235L6.38224 13.0882"></path></g></svg></button><button tabindex="0" type="button" class="pencraft pc-reset pencraft icon-container view-image"><svg xmlns="http://www.w3.org/2000/svg" width="20" height="20" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round" class="lucide lucide-maximize2 lucide-maximize-2"><polyline points="15 3 21 3 21 9"></polyline><polyline points="9 21 3 21 3 15"></polyline><line x1="21" x2="14" y1="3" y2="10"></line><line x1="3" x2="10" y1="21" y2="14"></line></svg></button></div></div></div></a><figcaption class="image-caption">SEC and Privacy Requirements outpacing SMB defenses</figcaption></figure></div><p></p><div class="subscription-widget-wrap-editor" data-attrs="{&quot;url&quot;:&quot;https://substack.cpf-coaching.com/subscribe?&quot;,&quot;text&quot;:&quot;Subscribe&quot;,&quot;language&quot;:&quot;en&quot;}" data-component-name="SubscribeWidgetToDOM"><div class="subscription-widget show-subscribe"><div class="preamble"><p class="cta-caption">SMB Tech &amp; Cybersecurity Leadership Newsletter is a reader-supported publication. To receive new posts and support my work, consider becoming a free or paid subscriber.</p></div><form class="subscription-widget-subscribe"><input type="email" class="email-input" name="email" placeholder="Type your email&#8230;" tabindex="-1"><input type="submit" class="button primary" value="Subscribe"><div class="fake-input-wrapper"><div class="fake-input"></div><div class="fake-button"></div></div></form></div></div><div><hr></div><p></p><h3>1. The Identity Perimeter Collapse and Escalating SEC Scrutiny &#8212; Mitigating the Canvas Breach and Advanced Persistent Threats</h3><p><strong>Why You Should Be Concerned:</strong></p><ul><li><p><strong>The Instructure Canvas Breach:</strong> Between late April and early May 2026, the educational technology ecosystem experienced a catastrophic supply chain failure. The criminal extortion group ShinyHunters breached Instructure&#8217;s Canvas Learning Management System (LMS), compromising an estimated 275 million users across nearly 9,000 educational institutions globally. The threat actors exploited a vulnerability within the platform&#8217;s &#8220;Free-For-Teacher&#8221; account tier to gain unauthorized access to sensitive environments. The exposed data&#8212;including names, institutional email addresses, student identification numbers, and internal Canvas messages&#8212;provides highly lucrative fodder for secondary phishing and social engineering attacks.</p></li><li><p><strong>Evolution of Advanced Persistent Threats (APTs):</strong> Concurrently, the SilverFox APT group launched a sophisticated phishing campaign utilizing tax-themed lures (such as fake Income Tax Department notices in India) to target SMBs and enterprises across industrial and consulting sectors. The campaign deployed a modified Rust-based loader to pull the ValleyRAT backdoor, alongside a novel Python-based backdoor dubbed &#8220;ABCDoor&#8221;. ABCDoor allows attackers to stream multiple victim screens simultaneously in near real-time, accessing clipboards and updating itself, effectively bypassing traditional command-line detection mechanisms.</p></li><li><p><strong>SEC Disclosure Enforcement:</strong> The regulatory tolerance for cyber negligence has evaporated. The U.S. Securities and Exchange Commission (SEC) has aggressively expanded its enforcement of Exchange Act Rule 13a-15, charging four public companies for negligent cybersecurity disclosures in late 2024 and continuing aggressive enforcement into 2026. Regulators are utilizing internal accounting controls provisions (Section 13(b)(2)(B)) to penalize companies that fail to timely escalate material cybersecurity risks and vulnerabilities to senior management, rendering internal communication breakdowns a matter of federal securities fraud.</p></li></ul><div class="callout-block" data-callout="true"><p><strong>Strategic Action:</strong> You must shift your defensive posture from perimeter-based security to identity-centric and endpoint-focused models. Relying solely on vendor assurances or annual risk questionnaires is no longer viable in an environment where API keys and third-party SaaS integrations can provide persistent, unmonitored cloud access to threat actors. Establish immediate compliance-aware access policies that restrict access from unmanaged devices, and enforce strict, real-time escalation protocols for all suspected cyber incidents to satisfy both internal risk mitigation and external SEC disclosure requirements.</p></div><p><strong>Actions for Improvement:</strong></p><ol><li><p><strong>Mandate Systemic Credential Rotation:</strong> Organizations utilizing interconnected SaaS platforms must mandate precautionary password resets across Single Sign-On (SSO) environments and revoke/reissue API tokens, LTI keys, and authentication credentials connected to third-party applications immediately following any disclosed vendor breach.</p></li><li><p><strong>Audit Free and Shadow IT Accounts:</strong> Conduct a comprehensive audit of all unsanctioned or &#8220;free-tier&#8221; software accounts associated with corporate email addresses. Establish and enforce policies that strictly prohibit the use of unmanaged environments for official corporate activities.</p></li><li><p><strong>Enhance Endpoint Telemetry and Behavioral Analytics:</strong> Deploy advanced endpoint protection that leverages behavioral analytics rather than relying solely on signature-based detection. This allows for the rapid identification of anomalous file changes or unauthorized network beaconing associated with novel, visually-driven backdoors like ABCDoor.</p></li></ol><blockquote><p><strong>CrowdStrike Falcon</strong> CrowdStrike Falcon is the definitive AI-native platform built to stop breaches, empowering organizations to secure their entire infrastructure at scale. This end-to-end solution unifies endpoint, cloud, and identity protection, leveraging world-class threat intelligence to keep you decisively ahead of modern, AI-powered attacks like SilverFox. Secure your endpoints today. <a href="https://crowdstrike2001.partnerlinks.io/Cpf-coaching">https://crowdstrike2001.partnerlinks.io/Cpf-coaching</a></p></blockquote><p></p><h3>2. The Privacy Legislative Labyrinth &#8212; Navigating the SECURE Data Act and State-Level Algorithmic Bans</h3><p><strong>Why You Should Be Concerned:</strong></p><ul><li><p><strong>The Federal SECURE Data Act:</strong> In April 2026, the U.S. House Energy &amp; Commerce Committee released the Securing and Establishing Consumer Uniform Rights and Enforcement over Data Act (SECURE Data Act). This proposed legislation aims to establish a comprehensive federal privacy framework that applies to entities that process the data of over 200,000 consumers annually or generate $25 million in gross revenue. It proposes broad preemption of state privacy laws while omitting private rights of action, leaving enforcement to the FTC and state Attorneys General. It establishes a national data broker registry and mandates strict opt-in consent for sensitive data processing.</p></li><li><p><strong>State-Level Surveillance and Geolocation Bans:</strong> In the absence of finalized federal law, states are enacting highly targeted, punitive legislation. Maryland enacted the Protection from Predatory Pricing Act (HB 895), becoming the first state to ban &#8220;surveillance pricing&#8221;&#8212;the use of personal data to set individualized, dynamic prices&#8212;specifically within food retail establishments over 15,000 square feet and third-party delivery services. Concurrently, Virginia amended the Virginia Consumer Data Protection Act (VCDPA), effective July 1, 2026, to outright prohibit the sale of precise geolocation data, removing any mechanism for consumer consent.</p></li><li><p><strong>Aggressive FTC and State Enforcement:</strong> Enforcement mechanisms are increasingly severe. California recently levied a record-breaking $12.75 million CCPA settlement against General Motors for the unauthorized sale of connected-vehicle telematics (including precise geolocation, hard braking, and speed data) to data brokers like LexisNexis. The settlement highlighted that GM&#8217;s privacy policy, which stated vehicle data would only be used to operate OnStar, rendered their opt-out mechanism legally ineffective because it did not cover undisclosed downstream data flows. Additionally, the FTC continues to force massive refund programs for deceptive practices, including a ban on the Kochava subsidiary from selling sensitive location data that could trace individuals to health facilities or places of worship.</p></li></ul><div class="callout-block" data-callout="true"><p><strong>Strategic Action:</strong> The paradigm has irreversibly shifted from simply obtaining broad consent to executing absolute data minimization and purpose limitation. You can no longer rely on opaque privacy policies to cover extensive secondary data monetization strategies. Mitigating regulatory risk requires granular data mapping, the immediate cessation of high-risk data sales (especially geolocation), and the implementation of robust data governance frameworks that trace the lifecycle of sensitive data from initial collection through third-party dissemination.</p></div><p><strong>Actions for Improvement:</strong></p><ol><li><p><strong>Execute a Geolocation and Telemetry Audit:</strong> Identify all instances where precise geolocation or behavioral telemetry is collected across mobile applications, connected devices, or web platforms. Immediately halt any secondary monetization or sharing of this data without explicit, purpose-limited authorization to prepare for the Virginia VCDPA July 2026 mandate.</p></li><li><p><strong>Evaluate Algorithmic Pricing Models:</strong> For organizations using dynamic pricing engines, conduct rigorous legal and technical reviews to ensure prices are based on broad supply-and-demand metrics, inventory levels, or geographic costs, rather than on individualized consumer surveillance data.</p></li><li><p><strong>Audit Opt-Out Mechanism Fidelity:</strong> Map the flow of consumer opt-out requests across your entire architecture to ensure they sever <em>all</em> downstream data sharing with external brokers and marketing partners, preventing the systemic, technical failures penalized in the GM CCPA settlement.</p></li></ol><blockquote><p><strong>Omnistruct</strong> Omnistruct provides the strategic expertise to build and scale your privacy, GRC, and security programs, empowering your team to achieve its goals without sacrificing compliance. By serving as your embedded security partner (BISO), Omnistruct delivers the executive-level guidance and hands-on support needed to mature your security posture and navigate complex legislation like the SECURE Data Act. <a href="https://omnistruct.com/partners/influencers-meet-omnistruct/">https://omnistruct.com/partners/influencers-meet-omnistruct</a><code>/</code></p></blockquote><p></p><h3>3. The AI Governance Mandate &#8212; Pre-Deployment Vetting, Shadow AI, and Infrastructure Protests</h3><p><strong>Why You Should Be Concerned:</strong></p><ul><li><p><strong>National Security and Pre-Deployment Vetting:</strong> The rapid deployment of artificial intelligence is outpacing organizational governance, prompting intense regulatory intervention at the national security level. In May 2026, the U.S. Center for AI Standards and Innovation (CAISI) established landmark agreements with Google DeepMind, Microsoft, and xAI to conduct voluntary pre-deployment vetting of frontier AI models. These evaluations are designed to identify systemic risks associated with cybersecurity vulnerabilities, biosecurity threats, and chemical weapons synthesis before public release.</p></li><li><p><strong>The AI Infrastructure Backlash:</strong> The physical expansion of AI is facing unprecedented grassroots resistance. Due to the massive energy and water consumption of AI data centers, local opposition blocked or stalled approximately 48 data center projects worth an estimated $156 billion in 2025 alone. This has led to state-level moratoriums in deep red states like Indiana and prompted federal legislative proposals for a national pause on data center construction until comprehensive federal AI safety laws are enacted. This infrastructural bottleneck threatens the availability and cost structures of enterprise AI computing power.</p></li><li><p><strong>The Proliferation of &#8220;Shadow AI&#8221;:</strong> For the standard SMB, the immediate threat is employee use of these powerful tools. Without formalized governance, employees routinely input proprietary code, sensitive client communications, and strategic business plans into public Large Language Models (LLMs), inadvertently violating Non-Disclosure Agreements (NDAs), GDPR privacy mandates, and corporate intellectual property protocols. Furthermore, the EU AI Act reached a critical trilogue agreement, establishing firm compliance dates, including a requirement for generative AI providers to implement machine-readable watermarks for synthetic content by December 2, 2026.</p></li></ul><div class="callout-block" data-callout="true"><p><strong>Strategic Action:</strong> You must proactively assert control over your AI deployments and the shadow usage within your enterprise. This necessitates treating AI not as standard software procurement, but as a high-risk operational vector that requires dedicated steering committees, rigid acceptable-use policies, and continuous observability of digital sovereignty and data processing locations.</p></div><p><strong>Actions for Improvement:</strong></p><ol><li><p><strong>Establish an AI Steering Committee:</strong> Form a cross-functional governance body consisting of IT, legal, security, and human resources personnel. This committee must oversee all AI procurement, evaluate vendor data training practices, and monitor regulatory shifts to ensure digital sovereignty.</p></li><li><p><strong>Publish and Enforce an AI Acceptable Use Policy:</strong> Define explicitly which generative AI tools are approved for corporate use. Establish strict data classification rules to prevent the input of personally identifiable information (PII) into public models, and outline mandatory human-in-the-loop review requirements for any AI-generated outputs used in production environments.</p></li><li><p><strong>Audit AI Features in Existing SaaS:</strong> Recognize that AI risk extends beyond standalone tools like ChatGPT or Claude. Conduct a comprehensive inventory of AI-powered features recently embedded into existing enterprise software (e.g., CRM assistants, HR screening tools, coding copilots) to ensure their data processing agreements align with internal privacy standards and emerging regulations.</p></li></ol><p></p><h3>Final Thoughts for Leaders</h3><p>The events of May 2026 unequivocally demonstrate that cybersecurity, data privacy, and AI governance are no longer operational IT concerns; they are fundamental business risks inextricably linked to supply chain integrity, algorithmic ethics, and national security. The velocity of threat actors adopting AI tools is matched only by the aggressiveness of regulatory bodies enforcing new privacy paradigms and SEC disclosure rules. You must immediately transition your organization from a reactive compliance posture to a proactive, intelligence-driven risk management strategy. I strongly advise that executive boards mandate a comprehensive review of all third-party vendor relationships and AI deployments before the end of the fiscal quarter to secure organizational resilience against these converging forces.</p><div><hr></div><h3>Help Other Leaders Secure Their Future</h3><p><strong>The Network Effect of SMB Security</strong> </p><p>The most effective way to strengthen our SMB community is by sharing the strategies that actually work in the field. If you find value in these technical deep dives, helping a fellow leader bridge their tech gap makes the entire ecosystem more resilient. Cybersecurity is a collective effort and more informed peers lead to a safer environment for everyone&#8217;s business.</p><p></p><div><hr></div><div class="captioned-button-wrap" data-attrs="{&quot;url&quot;:&quot;https://substack.cpf-coaching.com/p/are-sec-disclosure-rules-and-state?utm_source=substack&utm_medium=email&utm_content=share&action=share&quot;,&quot;text&quot;:&quot;Share&quot;}" data-component-name="CaptionedButtonToDOM"><div class="preamble"><p class="cta-caption">Thanks for reading SMB Tech &amp; Cybersecurity Leadership Newsletter! If you have gained value from this post, why not share it with others who might gain value from it as well? </p></div><p class="button-wrapper" data-attrs="{&quot;url&quot;:&quot;https://substack.cpf-coaching.com/p/are-sec-disclosure-rules-and-state?utm_source=substack&utm_medium=email&utm_content=share&action=share&quot;,&quot;text&quot;:&quot;Share&quot;}" data-component-name="ButtonCreateButton"><a class="button primary" href="https://substack.cpf-coaching.com/p/are-sec-disclosure-rules-and-state?utm_source=substack&utm_medium=email&utm_content=share&action=share"><span>Share</span></a></p></div><p><strong>Why Share This Subscription?</strong> When you refer a colleague to this newsletter, you are giving them access to the same specialized insights you use to lead your team:</p><ul><li><p><strong>Zero-fluff technical execution:</strong> No high-level theory, just the steps to implement.</p></li><li><p><strong>Cost-saving vendor analysis:</strong> Honest looks at which tools are worth the SMB budget.</p></li><li><p><strong>Direct coaching frameworks:</strong> Access to the same logic I use with private coaching clients.</p></li></ul><p><strong>Pay It Forward</strong> Use the button below to share this post or your unique referral link. When your peers join our community, we all benefit from a more secure and tech-forward marketplace.</p><p class="button-wrapper" data-attrs="{&quot;url&quot;:&quot;https://substack.cpf-coaching.com/p/are-sec-disclosure-rules-and-state?utm_source=substack&utm_medium=email&utm_content=share&action=share&quot;,&quot;text&quot;:&quot;Share&quot;,&quot;action&quot;:null,&quot;class&quot;:null}" data-component-name="ButtonCreateButton"><a class="button primary" href="https://substack.cpf-coaching.com/p/are-sec-disclosure-rules-and-state?utm_source=substack&utm_medium=email&utm_content=share&action=share"><span>Share</span></a></p><p class="button-wrapper" data-attrs="{&quot;url&quot;:&quot;https://substack.cpf-coaching.com/leaderboard?&amp;utm_source=post&quot;,&quot;text&quot;:&quot;Refer a friend&quot;,&quot;action&quot;:null,&quot;class&quot;:null}" data-component-name="ButtonCreateButton"><a class="button primary" href="https://substack.cpf-coaching.com/leaderboard?&amp;utm_source=post"><span>Refer a friend</span></a></p><p></p>
      <p>
          <a href="https://substack.cpf-coaching.com/p/are-sec-disclosure-rules-and-state">
              Read more
          </a>
      </p>
   ]]></content:encoded></item><item><title><![CDATA[Founding Member Advisory: SMB Technology and Cybersecurity Landscape Analysis (January–April 2026)]]></title><description><![CDATA[Executive Overview of Publication Enhancements and Strategic Realignment]]></description><link>https://substack.cpf-coaching.com/p/founding-member-advisory-smb-technology</link><guid isPermaLink="false">https://substack.cpf-coaching.com/p/founding-member-advisory-smb-technology</guid><dc:creator><![CDATA[Christophe Foulon 📓]]></dc:creator><pubDate>Sat, 02 May 2026 14:23:32 GMT</pubDate><enclosure url="https://substackcdn.com/image/fetch/$s_!KVKB!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F8af469ff-910e-46b9-b793-006a1b6cbf37_2816x1536.png" length="0" type="image/jpeg"/><content:encoded><![CDATA[<p>Over the first four months of 2026, the global technology and cybersecurity ecosystems have experienced a series of compounding, high-velocity disruptions. Driven by the transition from generative to agentic artificial intelligence, an increasingly hostile geopolitical cyber landscape, and aggressive new regulatory mandates, the operating environment for small and mid-sized businesses (SMBs) has fundamentally altered. Recognizing that traditional advisory and reporting models are no longer sufficient to equip business leaders to withstand machine-speed threats, the <em>SMB Tech &amp; Cyber Leaders Newsletter</em> has undertaken a comprehensive operational, structural, and strategic realignment.</p><p>This advisory serves a dual purpose. First, it provides Founding Members with complete transparency regarding the backend infrastructure, editorial, and tiering changes implemented across the publication platform between January and April 2026. These upgrades were engineered to transform the publication from a passive reporting vehicle into an active, intelligence-driven subscription network. Second, it delivers the definitive analysis of the macroeconomic, technological, and regulatory shifts that have defined the first trimester of 2026, along with predictive modeling and strategic mitigations to help SMBs navigate the remainder of the year.</p><div class="captioned-image-container"><figure><a class="image-link image2 is-viewable-img" target="_blank" href="https://substackcdn.com/image/fetch/$s_!KVKB!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F8af469ff-910e-46b9-b793-006a1b6cbf37_2816x1536.png" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" srcset="https://substackcdn.com/image/fetch/$s_!KVKB!,w_424,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F8af469ff-910e-46b9-b793-006a1b6cbf37_2816x1536.png 424w, https://substackcdn.com/image/fetch/$s_!KVKB!,w_848,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F8af469ff-910e-46b9-b793-006a1b6cbf37_2816x1536.png 848w, https://substackcdn.com/image/fetch/$s_!KVKB!,w_1272,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F8af469ff-910e-46b9-b793-006a1b6cbf37_2816x1536.png 1272w, https://substackcdn.com/image/fetch/$s_!KVKB!,w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F8af469ff-910e-46b9-b793-006a1b6cbf37_2816x1536.png 1456w" sizes="100vw"><img src="https://substackcdn.com/image/fetch/$s_!KVKB!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F8af469ff-910e-46b9-b793-006a1b6cbf37_2816x1536.png" width="1456" height="794" data-attrs="{&quot;src&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/8af469ff-910e-46b9-b793-006a1b6cbf37_2816x1536.png&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:null,&quot;height&quot;:794,&quot;width&quot;:1456,&quot;resizeWidth&quot;:null,&quot;bytes&quot;:6186327,&quot;alt&quot;:null,&quot;title&quot;:null,&quot;type&quot;:&quot;image/png&quot;,&quot;href&quot;:null,&quot;belowTheFold&quot;:false,&quot;topImage&quot;:true,&quot;internalRedirect&quot;:&quot;https://substack.cpf-coaching.com/i/195357325?img=https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F8af469ff-910e-46b9-b793-006a1b6cbf37_2816x1536.png&quot;,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" class="sizing-normal" alt="" srcset="https://substackcdn.com/image/fetch/$s_!KVKB!,w_424,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F8af469ff-910e-46b9-b793-006a1b6cbf37_2816x1536.png 424w, https://substackcdn.com/image/fetch/$s_!KVKB!,w_848,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F8af469ff-910e-46b9-b793-006a1b6cbf37_2816x1536.png 848w, https://substackcdn.com/image/fetch/$s_!KVKB!,w_1272,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F8af469ff-910e-46b9-b793-006a1b6cbf37_2816x1536.png 1272w, https://substackcdn.com/image/fetch/$s_!KVKB!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F8af469ff-910e-46b9-b793-006a1b6cbf37_2816x1536.png 1456w" sizes="100vw" fetchpriority="high"></picture><div class="image-link-expand"><div class="pencraft pc-display-flex pc-gap-8 pc-reset"><button tabindex="0" type="button" class="pencraft pc-reset pencraft icon-container restack-image"><svg role="img" width="20" height="20" viewBox="0 0 20 20" fill="none" stroke-width="1.5" stroke="var(--color-fg-primary)" stroke-linecap="round" stroke-linejoin="round" xmlns="http://www.w3.org/2000/svg"><g><title></title><path d="M2.53001 7.81595C3.49179 4.73911 6.43281 2.5 9.91173 2.5C13.1684 2.5 15.9537 4.46214 17.0852 7.23684L17.6179 8.67647M17.6179 8.67647L18.5002 4.26471M17.6179 8.67647L13.6473 6.91176M17.4995 12.1841C16.5378 15.2609 13.5967 17.5 10.1178 17.5C6.86118 17.5 4.07589 15.5379 2.94432 12.7632L2.41165 11.3235M2.41165 11.3235L1.5293 15.7353M2.41165 11.3235L6.38224 13.0882"></path></g></svg></button><button tabindex="0" type="button" class="pencraft pc-reset pencraft icon-container view-image"><svg xmlns="http://www.w3.org/2000/svg" width="20" height="20" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round" class="lucide lucide-maximize2 lucide-maximize-2"><polyline points="15 3 21 3 21 9"></polyline><polyline points="9 21 3 21 3 15"></polyline><line x1="21" x2="14" y1="3" y2="10"></line><line x1="3" x2="10" y1="21" y2="14"></line></svg></button></div></div></div></a></figure></div><p>To maximize the value of this report, Founding Members should immediately focus on several critical action areas highlighted throughout this advisory: adopting preemptive cybersecurity and rapid patching practices, strengthening incident response and backup strategies, rigorously auditing cloud and AI service costs, enforcing Multi-Factor Authentication and encryption, updating employee security training to counter AI-generated attacks, and initiating migration to quantum-resistant cryptography. These actions can help secure your organization, control costs, and maintain compliance as the landscape continues to evolve at machine speed.</p><p></p>
      <p>
          <a href="https://substack.cpf-coaching.com/p/founding-member-advisory-smb-technology">
              Read more
          </a>
      </p>
   ]]></content:encoded></item><item><title><![CDATA[2026 Cybersecurity & Privacy Strategies for SMB Leaders: Navigating AI-Accelerated Threats, Exposure Management, and the California Delete Act]]></title><description><![CDATA[The enterprise technology and security environment has entered a phase of decisive maturity, permanently altered by the integration of artificial intelligence into the arsenals of both global defenders and highly resourced threat actors.]]></description><link>https://substack.cpf-coaching.com/p/2026-cybersecurity-and-privacy-strategies</link><guid isPermaLink="false">https://substack.cpf-coaching.com/p/2026-cybersecurity-and-privacy-strategies</guid><dc:creator><![CDATA[Christophe Foulon 📓]]></dc:creator><pubDate>Fri, 01 May 2026 12:28:22 GMT</pubDate><enclosure url="https://substackcdn.com/image/fetch/$s_!qaqU!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F15c09140-ce94-4d2c-bd48-42b5a0235e52_1024x559.png" length="0" type="image/jpeg"/><content:encoded><![CDATA[<p></p><p>The enterprise technology and security environment has entered a phase of decisive maturity, permanently altered by the integration of artificial intelligence into the arsenals of both global defenders and highly resourced threat actors. For leaders in the small and medium-sized business (SMB) sector who span the technology, cyber, privacy, and legal domains, the events leading up to May 2026 represent a critical operational inflection point. The speed, scale, and automation of malicious cyber operations have compressed the threat lifecycle to an unprecedented degree, exposing the inherent inadequacies of reactive security paradigms and legacy vulnerability management frameworks. Concurrently, regulatory bodies across the globe, and particularly within the United States, are imposing rigorous, highly technical operational requirements on data handling, fundamentally blurring the traditional lines between IT governance, proactive cybersecurity, and legal compliance. This initial strategic briefing dissects the immediate threats observed throughout April 2026, analyzes the sweeping regulatory shifts coming into enforcement, and outlines the high-level strategic mitigations required to maintain organizational resilience.&nbsp;</p><p></p><p><strong>The Problem: AI-Accelerated Exploitation and the April 2026 Breach Wave</strong></p><p>The most profound and disruptive shift in the current cyber threat ecosystem is the radical compression of the vulnerability-to-exploit timeline. In late April 2026, the cybersecurity agency CERT-In issued a high-severity advisory directly addressing the exponential rise of AI-driven cyber threats, specifically pointing to the capabilities of advanced models and frontier AI systems. The capability of these advanced AI systems to independently analyze vast volumes of complex source code, identify zero-day vulnerabilities in widely utilized software architectures, and generate functional, weaponized exploit codes has reduced the traditional exploitation window from weeks or days to a matter of mere hours.&nbsp;</p><p>The automation offered by these adversarial AI models has significantly lowered the barrier to entry for cybercriminals, facilitating highly sophisticated credential theft, privilege escalation, and lateral movement across enterprise networks with minimal human intervention. Consequently, the financial and commercial sectors have observed massive spikes in fraudulent infrastructure; for instance, cybersecurity firm CloudSEK projected that fraudulent financial website domains would grow by 65% in 2026, alongside an 83% increase in fake financial applications, largely driven by AI-generated phishing content and deepfake-enabled fraud.&nbsp;</p><p>This theoretical risk of machine-speed exploitation materialized severely throughout April 2026, as the industry witnessed an unprecedented wave of massive data breaches impacting organizations of all sizes, proving that SMBs and large enterprises alike are squarely within the crosshairs of automated campaigns. The threat landscape was heavily dominated by the ShinyHunters ransomware group and other advanced persistent threat (APT) actors, demonstrating highly automated and scalable extortion tactics. The devastation observed across multiple sectors highlights the critical vulnerabilities inherent in third-party supply chains and unhardened infrastructure.</p><p></p><div class="captioned-image-container"><figure><a class="image-link image2 is-viewable-img" target="_blank" href="https://substackcdn.com/image/fetch/$s_!qaqU!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F15c09140-ce94-4d2c-bd48-42b5a0235e52_1024x559.png" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" srcset="https://substackcdn.com/image/fetch/$s_!qaqU!,w_424,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F15c09140-ce94-4d2c-bd48-42b5a0235e52_1024x559.png 424w, https://substackcdn.com/image/fetch/$s_!qaqU!,w_848,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F15c09140-ce94-4d2c-bd48-42b5a0235e52_1024x559.png 848w, https://substackcdn.com/image/fetch/$s_!qaqU!,w_1272,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F15c09140-ce94-4d2c-bd48-42b5a0235e52_1024x559.png 1272w, https://substackcdn.com/image/fetch/$s_!qaqU!,w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F15c09140-ce94-4d2c-bd48-42b5a0235e52_1024x559.png 1456w" sizes="100vw"><img src="https://substackcdn.com/image/fetch/$s_!qaqU!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F15c09140-ce94-4d2c-bd48-42b5a0235e52_1024x559.png" width="1024" height="559" data-attrs="{&quot;src&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/15c09140-ce94-4d2c-bd48-42b5a0235e52_1024x559.png&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:&quot;normal&quot;,&quot;height&quot;:559,&quot;width&quot;:1024,&quot;resizeWidth&quot;:null,&quot;bytes&quot;:0,&quot;alt&quot;:null,&quot;title&quot;:null,&quot;type&quot;:&quot;&quot;,&quot;href&quot;:null,&quot;belowTheFold&quot;:false,&quot;topImage&quot;:true,&quot;internalRedirect&quot;:null,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" class="sizing-normal" alt="" srcset="https://substackcdn.com/image/fetch/$s_!qaqU!,w_424,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F15c09140-ce94-4d2c-bd48-42b5a0235e52_1024x559.png 424w, https://substackcdn.com/image/fetch/$s_!qaqU!,w_848,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F15c09140-ce94-4d2c-bd48-42b5a0235e52_1024x559.png 848w, https://substackcdn.com/image/fetch/$s_!qaqU!,w_1272,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F15c09140-ce94-4d2c-bd48-42b5a0235e52_1024x559.png 1272w, https://substackcdn.com/image/fetch/$s_!qaqU!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F15c09140-ce94-4d2c-bd48-42b5a0235e52_1024x559.png 1456w" sizes="100vw" fetchpriority="high"></picture><div class="image-link-expand"><div class="pencraft pc-display-flex pc-gap-8 pc-reset"><button tabindex="0" type="button" class="pencraft pc-reset pencraft icon-container restack-image"><svg role="img" width="20" height="20" viewBox="0 0 20 20" fill="none" stroke-width="1.5" stroke="var(--color-fg-primary)" stroke-linecap="round" stroke-linejoin="round" xmlns="http://www.w3.org/2000/svg"><g><title></title><path d="M2.53001 7.81595C3.49179 4.73911 6.43281 2.5 9.91173 2.5C13.1684 2.5 15.9537 4.46214 17.0852 7.23684L17.6179 8.67647M17.6179 8.67647L18.5002 4.26471M17.6179 8.67647L13.6473 6.91176M17.4995 12.1841C16.5378 15.2609 13.5967 17.5 10.1178 17.5C6.86118 17.5 4.07589 15.5379 2.94432 12.7632L2.41165 11.3235M2.41165 11.3235L1.5293 15.7353M2.41165 11.3235L6.38224 13.0882"></path></g></svg></button><button tabindex="0" type="button" class="pencraft pc-reset pencraft icon-container view-image"><svg xmlns="http://www.w3.org/2000/svg" width="20" height="20" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round" class="lucide lucide-maximize2 lucide-maximize-2"><polyline points="15 3 21 3 21 9"></polyline><polyline points="9 21 3 21 3 15"></polyline><line x1="21" x2="14" y1="3" y2="10"></line><line x1="3" x2="10" y1="21" y2="14"></line></svg></button></div></div></div></a></figure></div><p></p><p>Enjoying it so far, why not subscribe to keep up on the change landscape and be prepared to defend your organization and advanced your career in the process.</p><p class="button-wrapper" data-attrs="{&quot;url&quot;:&quot;https://substack.cpf-coaching.com/subscribe?utm_source=email&r=&quot;,&quot;text&quot;:&quot;Subscribe&quot;,&quot;action&quot;:null,&quot;class&quot;:null}" data-component-name="ButtonCreateButton"><a class="button primary" href="https://substack.cpf-coaching.com/subscribe?utm_source=email&r="><span>Subscribe</span></a></p><p></p><p>Furthermore, the emergence of the "Elite Enterprise" ransomware in the wild signifies a terrifying evolution in the destructive potential of automated malware. This high-impact threat utilizes a sophisticated hybrid encryption model, combining AES-256 for rapid file encryption and RSA-4096 for asymmetric key protection, making brute-force decryption mathematically impossible. Unlike traditional ransomware, which rapidly changes file extensions and triggers immediate behavioral alarms in legacy detection systems, Elite Enterprise deliberately leaves all filenames intact post-encryption. This highly evasive tactic masks visible indicators of compromise, causing severe operational confusion for IT teams attempting to triage the incident, as users perceive spontaneous system failures or localized file corruption rather than a widespread cryptographic attack.&nbsp;</p><p>The malware executes a highly structured sequence of evasion and impairment tactics before revealing its presence. It systematically targets Windows backup architectures by terminating critical processes such as vssadmin.exe and wmic shadowcopy to permanently eradicate Volume Shadow Copies, denying the victim a rapid recovery path. It actively disables administrative and management tools, utilizing hidden windows and bootkit techniques to impair defenses, and subsequently disrupts MBR/VBR boot sectors. Only after the propagation and destruction phases are complete does it drop the ransom notes (elite_ransom.html and a text variant), demanding ransoms as high as 227 BTC. These notes operate with a 168-hour countdown timer and explicitly state that no communication or negotiation is possible, promising automatic decryption strictly upon payment&#8212;a psychological pressure tactic optimized for maximum, frictionless extortion.&nbsp;</p><p></p><p><strong>A Case Study in Critical Urgency: CVE-2026-41940 (cPanel &amp; WHM)</strong></p><p>The theoretical dangers of rapid, automated exploitation were perfectly illustrated by CVE-2026-41940, a critical vulnerability disclosed in late April 2026 affecting cPanel &amp; WHM and WP Squared platforms. Assigned a maximum CVSS score of 9.8, this vulnerability allows unauthenticated remote attackers to bypass the login flow entirely and secure root-level administrative access to the hosting control panel.&nbsp;</p><p>The root cause of this catastrophic flaw lies in how the cpsrvd (the cPanel service daemon) processes and writes new session files before authentication even occurs. Attackers are able to inject raw Carriage Return Line Feed (\r\n) characters via a malicious basic authorization header, manipulating the whostmgrsession cookie by omitting an expected segment and avoiding the standard encryption process applied to user-provided values. Because the system fails to properly sanitize this input before writing the session file to the disk, attackers can inject arbitrary properties directly into their session file, most notably appending the parameter user=root.&nbsp;</p><p>Upon triggering a reload of the session from the newly manipulated file, the attacker is instantly granted maximum administrator-level access without ever supplying a valid password. This results in the full compromise of hosted accounts, exposure of customer databases, and the ability to establish persistent backdoors for subsequent lateral movement across the hosting infrastructure. Security intelligence firms observed targeted zero-day exploitation of this specific flaw occurring in the wild as early as February 2026, months before public disclosure or patch availability, demonstrating the absolute necessity of preemptive, continuous defense structures rather than reactive patching.&nbsp;</p><h2>The Strategic Mitigation: The Paradigm Shift to Exposure Management&nbsp;</h2><p>The sheer volume of newly discovered vulnerabilities has rendered traditional vulnerability management (VM) programs mathematically and operationally impossible to sustain. With the National Vulnerability Database reporting over 42,000 Common Vulnerabilities and Exposures (CVEs) in 2025 alone, the strategy of indiscriminate patching is a verified failure, especially when enterprise organizations are faced with an average of 67 million security findings per year generated by disparate scanning tools.&nbsp;</p><p>The necessary strategic shift for SMBs and enterprise leaders alike is the transition from legacy Vulnerability Management to Continuous Threat Exposure Management (CTEM). While traditional VM focuses merely on identifying known software flaws across internal assets and prioritizing them based on generic, theoretical severity scores like CVSS, Exposure Management evaluates the actual risk based on the attacker's operational perspective. Exposure management recognizes that not every vulnerability poses a legitimate threat; an exposure only exists when a technical weakness aligns with an attacker's capabilities, is reachable within the specific network environment, and lacks sufficient mitigating controls.&nbsp;</p><p>To effectively mitigate the risks posed by AI-accelerated threats, organizations must ask critical, context-driven questions rather than blindly following vulnerability reports. Is this specific vulnerability reachable from the public internet? Does it reside on a business-critical asset that processes regulated data? Are there active, automated exploits currently observed in the wild?.&nbsp;</p><p>By focusing relentlessly on exploitability, network reachability, and business impact, Exposure Management consolidates thousands of related findings, addresses underlying root causes&#8212;such as excessive container privileges, unencrypted cloud snapshots, or identity misconfigurations&#8212;and filters out theoretical risks isolated safely behind internal firewalls. This paradigm shift allows resource-constrained SMB security teams to focus exclusively on the specific conditions that threat actors can realistically exploit. Transitioning to this model has been shown to deliver an average 40% reduction in remediation backlogs, saving organizations an estimated 33,000 hours per year and significantly reducing the operational friction between security and IT operations teams.&nbsp;</p><h2><strong>Actions for Improvement: Integrating Proactive Defense and Governance</strong></h2><p>To navigate the perilous convergence of AI-driven attacks, complex software vulnerabilities, and stringent regulatory compliance, organizations must adopt architectures built fundamentally on "secure by design" principles. Relying solely on human analysts to triage an overwhelming flood of alerts is no longer a viable defensive posture against machine-speed execution. Organizations must integrate automated containment, advanced identity governance, and modernized security operations centers (SOC) into their core operational fabric.&nbsp;</p><p></p><blockquote><p><a href="https://crowdstrike2001.partnerlinks.io/Cpf-coaching">CrowdStrike Falcon</a> is the definitive AI-native platform built to stop breaches, empowering organizations to secure their entire infrastructure at scale. This end-to-end solution unifies endpoint, cloud, and identity protection, leveraging world-class threat intelligence to keep you decisively ahead of modern, AI-powered attacks.. By implementing comprehensive, AI-native solutions like <a href="https://crowdstrike2001.partnerlinks.io/Cpf-coaching">CrowdStrike </a>Falcon, SMBs can autonomously detect behavioral anomalies, immediately isolate affected assets at the endpoint level, and effectively counter the rapid execution of modern ransomware variants before lateral movement occurs, transitioning their posture from reactive recovery to proactive prevention.</p></blockquote><p>Furthermore, cybersecurity is no longer an isolated technical discipline; it has fundamentally converged with legal and privacy compliance. In 2026, privacy regulation is defined by complex, multi-layered frameworks that rigorously test the operational realities of data governance, security visibility, and executive accountability. The United States has decisively moved beyond a fragmented patchwork of loose guidelines into a mature, highly aggressive enforcement phase.&nbsp;</p><p>On January 1, 2026, new comprehensive state privacy laws took effect in Indiana, Kentucky, and Rhode Island, granting consumers extensive rights to access, delete, and port their data, while explicitly requiring opt-in consent for sensitive data processing. Crucially, the era of regulatory leniency is abruptly ending. The 60-day "right to cure" period for the Montana Consumer Data Privacy Act (MTCDPA) expires on April 1, 2026, meaning any violations discovered are immediately enforceable by the State Attorney General without providing the business a grace period to rectify the non-compliance.&nbsp;</p><p>The most operationally disruptive legislation currently altering the landscape is the California Delete Act (SB 362), which established the highly complex Data Broker Requests and Opt-out Platform (DROP). Operational as of January 2026, this centralized governmental portal allows California residents to submit a single, verified request requiring all registered data brokers to permanently delete their personal data. By the strict deadline of August 1, 2026, businesses classified as data brokers must access this platform continuously&#8212;at least every 45 days&#8212;and flawlessly honor all deletion requests across their entire digital supply chain. This legislation transforms data deletion from a simple administrative task into an intensive, highly automated, and legally perilous engineering requirement. Organizations must now urgently align their cybersecurity exposure management with their data privacy obligations, utilizing strict identity and access controls to govern data sprawl, rapidly satisfy consumer rights requests, and withstand the inevitable wave of stringent regulatory audits.&nbsp;</p><p></p><p>If you have enjoyed the free portion of this blog, there is even more of this great content in the premium content, so why not become a paid subscriber today?</p><p></p><p class="button-wrapper" data-attrs="{&quot;url&quot;:&quot;https://substack.cpf-coaching.com/subscribe?utm_source=email&r=&quot;,&quot;text&quot;:&quot;Subscribe&quot;,&quot;action&quot;:null,&quot;class&quot;:null}" data-component-name="ButtonCreateButton"><a class="button primary" href="https://substack.cpf-coaching.com/subscribe?utm_source=email&r="><span>Subscribe</span></a></p><p>Can you think of others who could value from this substack as well, why not share it them, share it with enough folks and you will get some free months yourself too!</p><p></p><p class="button-wrapper" data-attrs="{&quot;url&quot;:&quot;https://substack.cpf-coaching.com/p/2026-cybersecurity-and-privacy-strategies?utm_source=substack&utm_medium=email&utm_content=share&action=share&quot;,&quot;text&quot;:&quot;Share&quot;,&quot;action&quot;:null,&quot;class&quot;:null}" data-component-name="ButtonCreateButton"><a class="button primary" href="https://substack.cpf-coaching.com/p/2026-cybersecurity-and-privacy-strategies?utm_source=substack&utm_medium=email&utm_content=share&action=share"><span>Share</span></a></p><p></p><p></p><p></p>
      <p>
          <a href="https://substack.cpf-coaching.com/p/2026-cybersecurity-and-privacy-strategies">
              Read more
          </a>
      </p>
   ]]></content:encoded></item></channel></rss>