Chamber Amplified

Why Cyber Threats Are Increasing in 2026 (And What Businesses Must Do)

Findlay-Hancock County Chamber of Commerce

Share episode

Use Left/Right to seek, Home/End to jump to start or end. Hold shift to jump forward or backward.

0:00 | 20:48

Send us Fan Mail

Cybersecurity threats are increasing in 2026, and AI is making scams more sophisticated than ever.

In this episode of Chamber Amplified from the Findlay-Hancock County Chamber of Commerce, Doug Jenkins talks with Josh Rabe of CentraComm about the growing rise in phishing attacks, ransomware threats, data breaches, and how artificial intelligence is lowering the barrier for cyber criminals.

They talk about:

  • Why phishing remains the #1 entry point into businesses
  • How AI is making scam emails harder to detect
  • The importance of employee cybersecurity training
  • What “least privilege” and zero-trust security mean for small businesses
  • How cyber insurance works, and what it doesn’t cover
  • What to do immediately if your business experiences a breach

Whether you’re a small business owner, nonprofit leader, or corporate executive, this episode provides practical steps to strengthen your organization’s cybersecurity posture.

Cyber threats aren’t slowing down, but with the right preparation, your business doesn’t have to be an easy target.

Music and sound effects obtained from https://www.zapsplat.com

Welcome And Topic Framing

Doug Jenkins

Hello and welcome back to Chamber Amplified, brought to you by the Fidlay Hancock County Chamber of Commerce. I'm Doug Jenkins. Each week on our podcast, we're talking about the things that matter most to local businesses and organizations, everything from workforce and leadership development to marketing, maybe IT issues, and just the everyday realities of running something that serves our community. On today's episode, we're talking about something that applies to everybody across the board. That's cybersecurity, not just for you, but for your business as well. So 2026 is actually off to a pretty rough start when it comes to scams. It's not just you thinking it, it's actually getting worse. We'll talk all about that. Phishing emails, well, you might think, oh, I can pick them out. It's the like it's a Nigerian prince, right? And there's a bunch of typos. Unfortunately, that's not the case anymore, at least not always the case. Some of these scams are getting more polished, they're more urgent, they're designed to pressure you. We're going to walk through all of that. My guest is Josh Raby of Centricom, and we'll be talking about what to train your staff on, what you need to look out for, what red flags are the big ones to keep an eye out for, and what to do if the worst actually happens. If you enjoy this podcast, don't forget to leave us a rating and review and share it with others. We're also on YouTube now, so if you really want to share this message, there's an easy way to do it. Just share the YouTube link out there in your social media, and that really helps spread the word. Now, let's get into it. It seems like it's been an eventful start to 2026 anecdotally. I know I've had a lot of conversations with people. There are bank scams out there, there's cybersecurity scams, everybody's getting calls from unknown numbers all the time. Is it anecdotal or are we seeing an uptick in perhaps cybersecurity threats?

Josh Rabe

I know it might seem impossible, um, but yes, there is an uptick. It is definitely increasing. Um, I know everybody's always bludgeoned with spam, phishing emails, you name it. Uh, but yes, it's actually getting worse.

AI Lowering The Barrier For Attackers

Doug Jenkins

Oh, that's comforting. That's uh we're off to a great start in 2026. Is there a reason why we're seeing more of it that uh you've heard of, or is it just something that's happening?

Josh Rabe

Uh so I mean there's a couple of reasons, but the major reason I would say is AI. Um, AI is lowering the bar of entry for the bad actors that are um trying to uh scam other people, trying to trying to make that money in nefarious ways. Um AI is is allowing what they're able to do to be more skilled than typically seen in the past by an entry-level um hacker or bad actor, if you will.

Doug Jenkins

And I guess that makes sense. We've been talking about using AI at your business here at the chamber for the last several years, and people are improving their efficiency on it. That was actually a question I was going to ask you. Is AI driving it? But when you put it like that, it makes a lot of sense. It's making us more efficient. Why wouldn't it make bad actors more efficient?

Josh Rabe

Yep. And that's uh that's one of the things that people need to need to keep in the back of their mind is you know, the same tools and products that we have available to us to protect environments are the same tools and products that um that the bad actors are constantly using and practicing on to hone their skills and look for those exploits, which AI is also helping with.

Doug Jenkins

Unfortunately, there's a flip side to every coin. Um you mentioned phishing, so we can start there. Is that one of the more common ones that we're seeing in this uptick? I know it seems like it's all across the board, but phishing seems like a good place to start.

Josh Rabe

Yeah, phishing and just focusing on the end user is where a majority of the efforts are um and compromising businesses.

Phishing Evolves Beyond Obvious Typos

Doug Jenkins

So let's talk about the different types of phishing because these can be incredibly easy to spot, but it feels like they are getting increasingly harder to deal with because of what we talked about, AI making it a little bit easier to put those together. Uh, I know in the last month or so I've seen several emails I get like, oh, hey, here's this, I need you to take a look at this PDF, whatever it is. And it will come from an email address that I'm familiar with, but there's always maybe something that just seems a little bit off where all right, maybe I'm not gonna open that PDF. But are PDFs a big place of entry for people who are doing these scams?

Josh Rabe

Uh yeah, so you can embed you can embed files in PDFs, you can embed files in web pages. So really all they want you to do is take that first action, which is a lot of times why you end up um you get that gut feeling just because the emails that you're reading, either it's a small mistake or it's just the overall feeling it's giving you. If they're trying to uh put urgency to whatever the email is talking about, a lot of times it's a oh hey, you owe money to some organization or to some um government agency body, so on and so forth. And with that, obviously, if somebody's saying, hey, you owe money here, you're gonna have penalties or fines or whatever the case may be. It's a lot of people are gonna say, Well, I don't want that to happen. I don't want a you know bad mark on my credit, credit report, whatever the case may be. I don't want the business to have, you know, uh, especially in smaller towns, you don't want your business to have a bad name, not not paying their debts and all that good stuff.

Doug Jenkins

Yeah, that makes a lot of sense. I think the one the only one that I feel like is easy to to pick out is uh every once in a while I'll see it, I'll get an email from someone like, hey, need you to take a look at this. And then the attachment is actually another email file. It looks like it came from um Outlook or something like that, where it's like, open this to open up a separate email. And I'm thinking, has there anybody ever sent an attachment that way in the last 10 years? Um, I don't want to give uh scammers an idea on something they could stop, but that seems like the easiest one to pick out. The others are pretty tough.

Josh Rabe

Yeah, and again, as I mentioned, AI is just making it so easy to have your your base level of of those phishing emails to look very realistic. You can you can go to AI and say, I need an email template, and then give it exactly how you want it to look, and it'll it'll put it push it out for you. It'll make it for you. And a lot of times how it worked in the past is most obvious, uh, most obvious indicator that a fish was a that it's a phishing email or malicious email was those little mistakes that are, you know, as people that operate and work with the English language every day, little nuances in the language that people that use it know that are being missed by people that are in other organizations or other countries in the world that are um targeting these organizations.

Urgency Tactics And PDF Lures

Doug Jenkins

So this means that your staff needs to be coached up on these issues and they're always evolving. But really, that's probably the most cost-effective way to try and stop it, is to make sure that your staff is prepared for these types of attacks. What do you suggest when you're talking? I mean, we've talked about it on this podcast before with other guests that it's not, they're not just going for marathon, they're going for marathon on down the line to our smallest mom-ma-pop shop in Finley. Everybody's at risk for this, no matter how many employees you have. But what are the conversations that business should be having with their staff to try and get that frontline really on board?

Josh Rabe

Awareness is huge. Um, just being aware that no matter how big the company is, it's not a matter of if you'll be targeted. It's a matter of when, um, as you touched on, the bad actors, they don't care if they're getting into Marathon's network or you know, one of the other uh small businesses in Finlay. They just care that they're able to get around the defenses that are in front of them, and whatever their objective is, they can think they can accomplish it.

Doug Jenkins

So when we all started getting the internet way back when, seems like we've had it forever now, uh, we had the antivirus software going on, and that's certainly evolved. And we've got whatever's running in the background on here, Sentinel or something like that. Uh, how good are those programs at if you click the wrong link uh in an email that's a phishing thing? Are those programs good at catching them, average? Are they are they doing much of anything when it comes to those phishing links?

Josh Rabe

Uh so yeah, I mean it depends completely on the tool and how it's set up, but um a lot of like your proof points and your email security tools, those are the ones that are catching a lot of the a lot of the phishing emails, and especially since uh email security has definitely been beefed up in the past uh past couple years, um, especially with uh DCM and DMARC um and SPF records. Uh with all that, you're authenticating that you actually sent it from, in this case, CentriCom's domain. We sent the email, we signed it, and are authenticating that it came directly from us. Now, there's still ways to abuse it, and there's still workarounds, and there always will be, because nothing is 100% secure. Um sorry to anybody that's listening that may have expected 100% security, but it's not possible.

Doug Jenkins

That's unfortunate, but uh it is the world that we live in, and I think we all understand it. Uh I think a lot of it, and maybe you can correct me if I'm wrong here, is that when the internet when we first got computers in the internet, it didn't work all that smoothly. And so that would stand out to you if something wasn't wasn't put together right. But now everything just sort of works when it comes to computers and the internet. So, you know, you don't you just mindlessly click on things because you're like, yeah, this goes to where I wanted to go. This is how the internet works. It's almost like we're too comfortable with how computers and the internet have evolved.

Josh Rabe

Yeah, and especially when you start getting into the topics like privacy um and confidentiality, yeah, it's we've come become so used to the convenience of the internet and how it is always on, like you said, until it isn't, and then when it isn't, there's a big commotion and it gets fixed really quick.

Staff Training And Awareness

Doug Jenkins

Let's talk a little bit more about uh protecting businesses. Like we said, we want to train, you you you want to have that conversation with your staff, you want to make sure that you have up-to-date software. Uh, I do think training and and getting used to what phishing email can look like. Have you guys ever done any sort of penetration testing where you said you work on the behalf of a client to see who would fall for a uh a phishing email, although it's come from Centricom and you guys are actually helping train staff that way?

Josh Rabe

Yeah, so one of the functions of my role is that I do work with client organizations and um manage their email security, and a big part of that is maintaining um a lot of the uh email security platforms also do security awareness training, so like your proof points and your no befores. Um those organizations they have both functionalities under one umbrella, so it's lumped together a lot of times. That way you can focus on the end users who are the main targets of the bad actors. Um, with that though, um yes, I do send out quite a bit, uh quite a bit of uh phishing emails and have quite a bit of campaigns going on. Um it's it's interesting to see what gets reported to me, and hey, is this phishing or um is this a bad email? And you know, I'm like, that one's not me. I didn't do that one.

Doug Jenkins

That's a lot of pressure to have to be the authenticator of being if it's uh if it's legit or not.

Josh Rabe

Yeah, uh getting getting pretty quick and good at it, though. So that's definitely a benefit of the position.

Doug Jenkins

So unfortunately, and we've seen the headlines that you can be as prepared as you want to be. You can do all the training, you can have the software, uh, but if one person in the in your organization clicks the wrong link and the software doesn't catch it, it can lead to some very bad things. What are the consequences of not being diligent when it comes to this issue? Vigilant is probably the word I was looking for.

Email Security Tools And Limits

Josh Rabe

So the consequences are going to be entirely dependent on how well you've built out the defense in depth behind because your your end user is gonna be exposed to risk and threats no matter what. It's just the nature of the of being the end user. Um you're always gonna be targeted, you're always going to be a target. Um but being able to um you know use that training but also have the extra defenses in behind the user. Um so making sure that they have limited access, only access to the things that they need. Whereas if you have somebody that's in my position in engineering, I have no need to access an organization's business uh financial records. So I shouldn't have access to those.

Doug Jenkins

Yeah, absolutely. That uh the and I forget what the term is, but the access only is needed uh is a is a huge thing. Yeah, least privilege. That's exactly what I was thinking of. I knew you were zero trust or uh we have seen unfortunately things like ransomware happen when all of the fail-safes, if if somebody ignores a fail-safe or or they just deal with a particularly talented scammer, I suppose. Uh ransomware, I suppose, is one of the bigger issues that people deal with. But what are the other threats? Uh being locked out of your information and held having it held for ransom is awful, but I imagine data breaches are just as can be just as costly if they come to be.

Josh Rabe

Yeah, absolutely. And the best way I like to look at it is, you know, there's a black market for a lot of things, there's a black market for data as well. And cyber criminals, that's where they live and breathe and operate day-to-day. Um, so yeah, there's a huge market for it, and a lot of the information that would be uncovered in a non-ransformer attack uh could later be turned and sold to other bad actors, um, you know, sell selling that intel on a target, um, which is how a lot of the uh supply chain attacks become so effective.

Doug Jenkins

So unfortunately, uh this has become such an issue that people need protection. Cyber insurance is uh a product that has been developed to help offer uh some protection to businesses in this area. So let's talk a little bit about cyber protection. What is it? What is it not?

Josh Rabe

Uh for cyber insurance?

Doug Jenkins

Yes.

Josh Rabe

So cyber insurance is not a catch-all for your organization to say, you know, we don't need to worry about security, we have insurance. That's not how it works. Uh what it is, though, is that it is a driving force in uh security maturity. Um it used to be, you know, you that just have to have one or two things and uh you you qualify and be good for uh cyber insurance policy. Nowadays you're almost going through an audit of types before you're allowed to be insured. Um so that is driving a lot of maturity and a lot of those processes being built out in these organizations to heighten the base level of security that organizations have.

Comfort, Convenience, And Risk

Doug Jenkins

Which that makes a lot of sense because if you just said, yeah, I bought a cyber insurance policy and there were no checks on the other side, that's almost a recipe to get reckless with your cybersecurity practices. So having those boxes that you have to check just to be eligible for it, I think makes sense that would you look at it that way.

Josh Rabe

Yeah, and if you're not doing the minimum requirements, you know, then you're just making yourself even more of a liability. And then that that liability is obviously transferred to your insurance company.

Doug Jenkins

So let's uh let's wrap up by just looking at red flags, let's say that you've got the cyber insurance in place, you've you've done the training, you've got the the correct software that you need, you're still gonna get things that pop up that are red flags. What are things that immediately trigger alarm bells to you if you get a certain type of email or phone call or what have you? What should people think about first that should really trip that alarm?

Simulated Phishing And Reporting

Josh Rabe

Well, first thing is, are you expecting that email or any communication from that organization that is appearing to send it to you? If you can answer yes to that, the second thing I typically move on to is this email trying to get me to do something and is it activating any sense of urgency on my end? If there's a sense of urgency, especially encouraging me to act immediately, um, that is telling me that's a red flag. And what I always encourage is that somebody uses another form of authentication on those types of requests. So if you have somebody that emails you and says, hey, you owe some money, um, use another form of communication. Don't just email them back and say, Hey, are you actually this company? Um, you know, get on the phone, call them and say, I received an email, it looks like it's from you guys. Do I have an outstanding balance or whatever the case may be? Um so that sense of urgency is a really big thing that often gets overlooked because in the moment you're panicking, you're stressed out, you're not focused on the fact that you're feeling that, you're focused on what is making you feel that.

Doug Jenkins

I think it's a really good piece of the puzzle. Now, if it happens and you do get the that breach, what's the protocol? Do I need to if if I'm using Centercom, do I need to get a hold of you? Do I need to call law enforcement? If money has been taken, it's ransomware. At what point do I need to notify customers? I'm sure there's a lot of protocols once there is a breach.

Josh Rabe

Yeah, so the first thing that you want to do, um, especially if you have cyber insurance, is notify your insurance company. Um, your insurance company is going to contact all of the people that need that need to be involved to address the breach and uh subsequent uh fallout from the breach. Um they're also going to involve uh your attorney as well and establish that um client privilege um over the entire situation, over the breach itself, so that nothing is getting leaked and nothing is getting um nothing is allowed to be put out without it being vetted through the insurance and and legal teams.

Doug Jenkins

All good advice. If people want to have a conversation with you, Josh, and and maybe walk through their own security practices and what they need to be doing, what's the best way to get in touch with you?

Josh Rabe

Uh yeah, I I work uh I work with CentraComm. Um so just call CentriComm and ask for me, and I'll be there.

Doug Jenkins

Absolutely. Well, Josh, we appreciate your time on the podcast today. Thanks for taking time out. Yeah, thanks for having me.

Josh Rabe

It was great.

Consequences And Least Privilege

Doug Jenkins

So a couple of points as we wrap up this week's episode of Chamber Amplified. The first being that cybersecurity is no longer strictly an IT issue. It's not something you can just hand off to either your internal department, maybe you contract with someone to handle these issues for you. It's actually really a business leadership issue, and you need to have your entire staff up to speed on some of the things that they need to look out for. Another thing is if things just look off or urgent, pause, verify it through another channel. I think that's a big point. And look, this can get anybody. This got me. Uh, a couple of years ago, I got an email from what looked like our CEO at the time, and I forget what it was, but it wanted a response and it was just worded just slightly off. I couldn't figure it out. I responded to it and then, like five minutes later, I thought, why did I do that? Fortunately, nothing came out of that, but you have to be on the lookout for things like that all the time. And the question again, this is the sad part, the question isn't if you're going to be targeted by these types of scams, it's when and will you be ready. Hopefully, you're a little bit more ready after listening to today's episode. Well, that'll do it for another edition of Chamber Amplified. This is a free podcast available to the community, made possible by the investment of our members here at the Findlay Hancock County Chamber of Commerce. If you're looking at ways to get your business involved in the community, a lot of times the chamber is a great place to get that started. If you'd like to learn more about that, you can send me an email, djenkins at findlayhancockchamber.com. We can talk about how an investment in the chamber not only helps your business, but the business community as a whole. Thanks again for listening. We'll see you next time on Chamber Amplified from the Findlay Hancock County Chamber of Commerce.

Head Shot

Doug Jenkins

Host