One Click to Collapse: The SME Risk with Robert Maxwell

Show Notes

In this episode of the Entropy Podcast, Robert Maxwell (CEO of TGT Solutions) reframes cybersecurity from a technical concern into a core business risk especially for small and medium-sized enterprises (SMEs).

He argues that cyber threats are fundamentally about cash, trust, and continuity, not just systems. A single compromised credential or phishing attack can dismantle years of work in minutes, particularly in SMEs where operations often depend on one person, one account, or one set of credentials. 

Maxwell introduces a key mindset shift: cybersecurity is an investment, not an expense. Like building a portfolio, incremental and consistent investment in cyber resilience pays dividends protecting revenue, relationships, and long-term business viability. 

The conversation also explores human vulnerability as the dominant attack vector, the risks introduced by AI adoption, and why attackers prioritize ease over sophistication. Ultimately, the episode highlights a stark reality: it’s no longer “if” a business is attacked, but “when” and how prepared it is when that moment comes.

Key Takeaways:

1. Cyber is now a business problem, not an IT problem
It directly impacts cashflow, supplier relationships, and customer trust—not just systems.

2. SMEs are disproportionately vulnerable
Reliance on single accounts, single individuals, and weak password practices creates critical single points of failure.

3. Attackers prioritize ease, not scale or sophistication
The simplest entry point—often human—is the most exploited.

4. “Too small to hack” is a dangerous myth
Smaller firms are often easier targets and valuable entry points into supply chains.

5. Cybersecurity must be treated as an investment
Incremental improvements (policies, training, redundancy) generate long-term “dividends” in resilience.

6. Human behavior is the biggest risk surface
Phishing, credential reuse, and lack of policy enforcement remain dominant vulnerabilities.

7. AI is amplifying exposure
Organizations are unintentionally leaking sensitive data through unmanaged AI usage.

8. External validation is critical
Internal reviews often miss risks—independent assessments reveal blind spots.

9. Banks and institutions are shifting liability
Poor cyber hygiene increasingly results in unrecoverable financial loss.

10. Timing matters
Fixing issues after a breach is exponentially more expensive than proactive investment.

Soundbites:

•  “Cyber isn’t a technical issue anymore—it’s about cash.” 
•  “You can lose trust, cash, and credibility in under a minute.” 
•  “It’s not ‘if’ you get attacked—it’s ‘when’ and ‘how much they take.’” 
•  “One person, one password, one account—that’s all it takes.” 
•  “Attackers don’t look for the biggest target—they look for the easiest one.” 
•  “We were too busy… until we got hacked.” 
•  “Cybersecurity isn’t an expense. It’s an investment that pays dividends.” 
•  “The password they stole six months ago? It still works—that’s the problem.” 
•  “AI is making companies more vulnerable—and they don’t even realize it.” 
•  “You’re building a business for generations—cyber can erase it in minutes.”

You can learn more about TGT solutions from their website: https://www.tgtsolutions.com/

Transcript

Francis Gorman (00:03.394)
Hi everyone. Welcome to the Entropy Podcast. I'm your host, Francis Gorman. Before we dive in, if today's conversation challenges you, sparks a new idea or sharpens how you think about the world, don't keep it to yourself. Subscribe, leave a review and share this episode with someone who enjoys staying curious. Today I'm joined by Robert Maxwell, the President and CEO of TGT Solutions. He's the leading expert and authority on making organizations more profitable through the strategic application of technology. He is also a frequent speaker and writer on the subject.

Drawing on a wealth of research and over 25 years of experience, Robert has developed a unique perspective that aligns organizational objectives with appropriate technological solutions. Robert understands that this alignment of objectives and technologies coupled with creative problem solving helps organizations grow much more quickly than might otherwise have been possible. Robert, it's my absolute pleasure to have you here with me today.

Robert Maxwell (00:56.16)
Thank you,

Francis Gorman (00:57.996)
Robert, I kind of wanted to talk to you from the perspective of small to medium sized companies. it's kind of that little part of the world that people tend to jump by when we talk about cybersecurity and business strategy, but it's the key driver for most economies across the globe. And I think it's only fair that we give it the airtime it deserves in this space. You've said that cyber risk is no longer a technical issue. What's driving that shift in your...

in your view.

Robert Maxwell (01:29.332)
The primary driver is cash. People work hard to accumulate cash. People work hard to build assets. One of those assets for smaller and medium sized businesses tends to be trust. Cyber is the way in which you can lose all of that in under one minute. So businesses have regrettably had to become very acutely aware of it.

And it's no longer a technical issue. It was a technical issue when you could say to someone down the hall, please take care of that. Or you could say to your provider, it's your responsibility. Given the amount of cash, the amount of credibility, the amount of intangible asset involved, it's very much now a management responsibility.

Robert Maxwell (02:20.681)
Can't hear you now, Francis. Something changed. Now, yes.

Francis Gorman (02:24.046)
can you hear me now? Robert, Robert, when you talk about cash, do you equate that to the liquidity of a company and their ability to do business that could be put at risk as a result of a cyber attack? Or are you talking about something different in that view?

Robert Maxwell (02:40.765)
I'm speaking about cash in the traditional sense, as in someone gets into your account. I'm speaking about cash in the wider sense, whereby a client who might have trusted you, paid you regularly, is no longer doing so. I'm talking about a supplier relationship where you might've had terms and those terms are no longer available to you. So whether it's the inflow, the storage or the outflow of cash, it's all very implicated because

of the advent and the growth of cyber.

Francis Gorman (03:14.762)
Interesting viewpoint. when we look at that, suppose cashflow is the bloodline of a business. And this is why you say cyber is now shifting into very specifically a business problem away from just being a technical issue for organizations. Has that not always been the case or do think that shift has happened in the last number of years?

Robert Maxwell (03:38.246)
And it may have been the case to some limited extent some time ago. You were able to pick the phone up, perhaps call your supplier, say, I'll pay you in 10 days. You were able to pick the phone up, speak to your client and say, look, I need a check sooner rather than later. So there may have always been the presence of the matter, but cyber has changed the dynamic completely. Many transactions are done electronically. A lot of communication is done electronically.

and we both know from experience, you don't just trust, you have to verify. because the process has changed, the relationships around it have changed. So, cyber has had a major impact on the way cash flows and will continue to flow.

Francis Gorman (04:29.004)
And I have to ask, because Ireland has gone very much cashless. I know I still hold onto a couple of fifties in my wallet every week just because I have a trust issue. But in Canada, has the economy moved into that cashless workflow where, you know, that physical fiat is no longer as widely available and everything is tapped by your phone, your watch or your card? Is that the same outcome that you guys are seeing over there?

Robert Maxwell (04:54.163)
Yes, very much it's the same outcome. But speaking of cyber in respect to business, many businesses still have to remember that trust is the basis of all activity and cyber because of its ability to disrupt or ruin trust, as I mentioned in under a minute, one has to still think in terms of the physical asset of cash and one still has to think in terms of working on the relationships one has.

in order to protect that cash flow.

Francis Gorman (05:26.998)
Okay. And Robert, when you look at this from the provider viewpoint, what do you see as the biggest disruptor to a company's cash flow in the small to medium enterprise? And I suppose it is important to point out, we are talking small and medium enterprises. So that lifeline of credit may not be as widely as available as a Fortune 500 per se, or that insulation to a cyber attack is far more detrimental to their

ability to operate or their license to operate one would would think.

Robert Maxwell (05:59.328)
So what we see in small and medium businesses is the reliance heavily on one bank, one financial institution, one account. Usually one person with access to it. That person's access becomes compromised and it then becomes very difficult for that business to continue. So what we very heavily advocate is

Perhaps you need more than one account, more than one institution, more than one protocol, more than one set of passwords. Imagine that. I cannot tell you how many business owners who still use the same password for lots of different things because it's just easier. And this is where I say it's a business issue. You can easily have a different password, but it's a business issue because business owners have to be persuaded it's worth your time to take the time.

to have different passwords, to have different protocols, to have different models of operation so that if you're compromised, you can still function.

Francis Gorman (07:06.158)
That's super interesting. When you bring it back to kind of that single person dependency and I suppose the size question plays in there. And I suppose this is an angle that we don't really discuss because working within a large institution, the thought that one person would hold the keys to the equity machine or the invoice machine or whatever is not something you ever kind of equate back to. But when you bring it into

family owned businesses or small businesses of 30 or 40 employees. There probably is one accountant that has a password for the email that's the same password for every other system that they have. Is that what you're seeing that a phishing attack or something similar can quickly bring down an organization of these sizes?

Robert Maxwell (07:51.892)
We see three things quite heavily. Number one, as you've just mentioned, phishing attacks, obtaining credentials. And the second thing we see quite heavily is that those nefarious actors spend a lot of time studying an organization. So the credentials may have been stolen six months ago, but because they're in your systems and they are observing what's going on, they wait very patiently.

And six months later, they do their damage. And the third thing that we see quite often, you've touched on it, is people are lazy. Because they're not forced by corporate policy to change that password every 30 days, every 60 days. They've got a password. They like the password. They think nobody else can guess their password. And lo and behold, at just the opportune time,

small and medium-sized businesses find themselves to be extraordinarily vulnerable. One bank account, one person, one set of credentials lost, and the banks are not very sympathetic to the story they come with these days. Woe is me. They're not very sympathetic at all.

Francis Gorman (09:06.446)
And I suppose when you break it down to that regard, the exposure there, when you say the banks are not sympathetic, is this poor hygiene has led to this exposure and therefore your loss is your loss and you need to suck it up, we won't be covering the cost. Is that where that lens comes from?

Robert Maxwell (09:24.255)
Precisely, One might have seen three, four years ago, a bank with whom one has done business for 20, 30 years say, I understand, know, we'll talk about it, et cetera, et cetera. You may have noted that the banks are now introducing all kinds of legal terms so that before you click a transaction, it's made very clear to you, this is your responsibility. We have no.

ownership in this matter. Once you click, it's yours. And so many businesses we've seen come along after the fact and say, but I didn't know. And they're kindly referred to that legalese and their bank of 20, 30 years just does not take ownership of their poor hygiene.

Francis Gorman (10:15.278)
Robert, you come into these organizations and you talk to the executives involved or the business owner involved, if it's just an individual. How do you bring these kind of real life issues and this human risk factor that has a technological attack surface? How do you bring that to life? What way do you sit down with those owners and go, here are

the key attack points in your organization. Is there a way that you sit down and map it out in layman's terms, assuming that most of these people don't have a cybersecurity team available to them, that they are heavily reliant on someone like yourself in terms of a third party technology partner coming in and being able to give them guidance to move forward in this space.

Robert Maxwell (11:02.633)
I recently wrote a book called Cyber Model Dividends. And the thesis of this book is business owners need to think about cyber as an investment in the same way they would invest in a stock in the stock market. With a stock, you would do some thinking, you would do some analysis and you will say, I would like to buy 20 shares in stock A. You understand that having made the investment,

at some point you are entitled to receive a dividend. We try to use that metaphor heavily when speaking to business owners. We try to convey the fact that cyber is not an expense. Stop looking at it as an expense because when you look at it as an expense, you're thinking about how do I cut my expense? You don't cut your cyber expense. You think of making a cyber investment. An investment once made, properly studied, well executed should

pay dividends down the line. So we try to speak to them about thinking about cyber as an investment. Perhaps you don't buy everything you need today. Perhaps you buy two shares today. Perhaps tomorrow when you have a bit more money, you buy five more shares and so on and so forth until you get to that point where you hold a position. Now I'm holding a thousand shares in this company. You've made an investment and as an investor,

You think to yourself, one day, whether it's next year, five years from now, I will receive a dividend and that dividend is going to make me very happy. I'm going to be very happy I made that investment. We try to bring that thinking to the fore because there several investments which smaller and medium sized businesses need to make. The most important, by the way, is in their people and training their people. But they need to make those investments, be cognizant.

of those investments, manage as you would manage an investment so that at the appropriate time the dividend will be there. One key dividend is we'll have a password policy. We'll enforce the password policy so that even though the bad guys have been in there for six months, by the time they come to use the password that they think they so cleverly stole and they're ready to use, oops, it no longer works. What a dividend to receive. The protection of your bank account in your hour of need.

Francis Gorman (13:31.36)
I do like that analogy. I'm going to steal the investing, invest in my shares and I will I will give you a dividend and that dividend is revenue protection for your for your business, essentially. Robert, what?

Robert Maxwell (13:42.612)
Hmm. I cannot perhaps I can just share this thought with you. I cannot tell you how many times it's embarrassing. I cannot tell you how many times people call us up and say, we've been hacked. Okay. Why didn't you call me before you were hacked? Well, we were this is is this is not a joke. You can't make this stuff up. We were too busy at the time. Hmm.

But why are you calling me now then? Because you've been hacked. Your money's been stolen. I can help you perhaps in some way, shape or form, but this is now going to cost you significantly more, hundreds of times more than it will have cost you had we had this conversation six months ago. But I didn't have the money, but I didn't have the time. But then how are you going to have the time now to spend hundreds of times as much? The investment model.

is the only model that will protect the business.

Francis Gorman (14:44.258)
hindsight is a great thing, know, as they say. Robert, I'm always interested to understand. So you've witnessed the shortcomings, let's say, across multiple years in business. What point did you get to that said, need to document these in a way that's consumable by others that led to that inception of sitting down to write a book? And how did that process help you?

streamline your thoughts and I suppose your intonation of what good looks like for others to understand.

Robert Maxwell (15:22.865)
It started when we got into cyber about seven, maybe eight years ago. And we worked with large organizations who intuitively understood the danger and took many steps to better protect themselves. At the same time, we noticed our smaller clients having a very cavalier attitude. Primarily, we're too small to be hacked.

I cannot tell you how many times I've heard that said, we're too small to be happy. We don't have anything of interest to anyone. So here we are working with our large corporate organizations who are, how much more can we do? What else can we do? And here we have a set of smaller organizations who are, it doesn't apply to me. I'll get around to it at some point.

and it occurred to us we better figure out how to package the thinking and share it with a smaller organization in a way that they can relate to it. That's the genesis of the thinking about packaging it in the form of a book. We try to make the book very readable, very understandable, but the key concept is one of this is an investment, not an expense.

Francis Gorman (16:47.618)
What's the key learning that came out of the book that you didn't expect?

Robert Maxwell (16:53.62)
The key learning was the benefit which small organizations with the right thinking can create for themselves. When we began to say to people, what you're building, you're building for yourself, your children and your grandchildren. Think about their legacy. And that type of thinking we realize has really resonated with a lot of

individual business owners. They can relate to the fact that their legacy is going to be damaged if they don't take this one extra precautionary step. So we finally found a language that can resonate with business owners and for us that's been a big takeaway.

Francis Gorman (17:45.007)
I actually really liked that. When you reframe it that these companies are family kind of owned or they're owned by individuals, you're building for the future, for the next generation, you're building generational wealth, but that could all be eradicated very quickly. It's not a multinational conglomerate that has hundreds of millions of euro in the bank. you're doing well, you're in the one to...

to 10 million bracket, which is life changing cashflow. But if it's all tied back to a single point of failure and a single bank account and a single moment that a compromise can happen, I can see how that can devastate a generation of a family that have spent maybe a lifetime building something up to where it is today. So I can really see how framing or reframing risk

and tying it to kind of an emotive trigger could be really powerful. I actually, really do like that. these are things that don't normally come out in conversations with individuals who are on the cutting edge of a new AI technology or quantum advancement or whatever. But these are real life conversations. These are things that ordinary business people, ordinary working people that have been on that grind for years.

Robert Maxwell (19:01.257)
you

Francis Gorman (19:11.63)
These are realities that need to be brought to the fore. And I appreciate that you're kind of unearthing some of these things. Is there a mindset that's dangerous though that can creep in here that you've seen in the industry? touched on some points already. We didn't have time. We didn't have the budget. Is there a fundamental thematic that can kind of creep up through individuals at the top of these organizations that kind of sneaks in on unassumingly and then it's too late?

Robert Maxwell (19:40.563)
One of the things we've noted is the person who founded that business is good at something, whether it's building roads, building buildings, making food. And they're not particularly conversant with new technologies. They don't like to admit that they're not particularly good at it because they have built their business. So they're very good at some thing.

but they're not good at this thing. Meaning technology, particularly cyber security.

And sometimes they don't know who to ask. Sometimes they're not in the habit of asking because they've built a great business. So one of the things we have found across the board with smaller organizations is the need to slow the owner or the partners down long enough to say, we have to have this conversation. You want to have it now.

Because if you don't have it now, you will have it later and you will not light the conversation you have later.

So the thing we've noticed across the board is smaller organizations tend to be led by people who don't know about cyber, who don't have the time to learn, who don't like to admit they don't know, and who will not take the time. And this is where we have found the investment metaphor works well for them. It's not an expense, it's an investment. And second of all, is where we...

Robert Maxwell (21:25.31)
touch an emotional nerve when we speak of the fact that you've just spent 30, 40 years building something. You want to enjoy it. You want to pass it on. And if you fail to do this step, you lose it. It's almost certain now you will lose it. It's not an if you will get attacked. It's a when you get attacked and how much they take. So you want to take this step.

Francis Gorman (21:48.888)
Are attackers prioritizing scale, simplicity or impact? does it matter anymore in your view?

Robert Maxwell (21:56.957)
I find attackers prioritize ease, ease of access. There are some attackers, particularly the state type attackers who are very strategic. We need this particular vendor's credentials so we can get to this particular middle-sized company in the value chain. So there are some attackers that we have found to be extraordinarily strategic. The vast majority of them

focus on ease. How quickly can we get in? How quickly can we get out? And what can we get in the process?

Francis Gorman (22:35.894)
It's interesting you touched on the supply chain aspect there because we've seen that quite a bit, especially in the UK where the smaller feeder companies, you know, that the large entities rely on are the weak points for detonation of malware or ransomware or, you know, some sort of an injection attack into source code that's going to be ingested downstream by a larger conglomerate. Have you seen much of that in Canada per se across your client pools where, know,

the small business does something really well, but actually has some IT connectivity to a larger organization where you're kind of going, guys, you are the key threat vector for operation A over here. Like we need to not just think about you. need to think about how you can impact company A.

Robert Maxwell (23:23.072)
As I hinted to you earlier in this conversation, we work with large organizations and they correctly took the approach, what can we harden? What else can we do? So having hardened so many surfaces, they became less vulnerable in those areas. But where was the one place they could not, quote unquote, harden to the extent that they themselves hardened? And that is with a supplier.

who provides a critical piece of their infrastructure or their work, but who cannot or has not taken the time to invest in the same way. So bad guys knew, well, there really two areas, one of which is the suppliers, and they knew that the supply chain was the vulnerability that could be exploited and have done so.

and continue to do so with great effect. The other vulnerability we noticed that hasn't until very recently been taken very seriously is software patching levels. Many organizations, because they have so much software, don't always patch the software they've got to the level that they need. So there are vulnerabilities that have been exposed. But by and large, the largest vector of attack

has been along the human route, particularly the human supplier route.

Francis Gorman (25:00.116)
It's interesting to see that that same attack vector is materialized in multiple geo regions. It's down to its simplicity and the weak point, is you can trick a human quicker than you can break MFA or something. If someone just gives you their password or hands over account information or points you in the right direction of a key person within an organization that has that access, that is far easier to...

manipulate that, that maybe go after the technological level of the organization. Robert, you, you, you're the CEO of, of a technology provider. So I assume you have to look inward as well as outward at these problems and ensure that, you know, your hygiene is, is strong. How do you, how do you manage your own risk and governance in terms of, of the organizational aspects and what challenges does that bring to you as a business owner in your own right?

Robert Maxwell (25:56.075)
Great question, thank you for asking. The simple answer is we manage with extreme care. We understand that because we help others, we will ourselves become a victim and therefore we have to take even more precautions than we're advising others to take to evade the bad guys who would take us down so that they, could laugh at us, but more importantly, get to all the people who we are supporting. So it behooves us

to spend the time to think very carefully about what's next, what's worked. And it's also very interesting to do lots of reviews on the types of attacks we get. We get attacked very often. I think I saw a statistically, not I think, I know I saw a statistically the other day that we've had about 1.3 million attacks in the last, attack efforts in the last six months.

So we try to use this to bring our potential clients and existing clients to the realization they're not stopping. They haven't gotten in yet, but they're not stopping. They're going to keep trying. If they're trying for us, they will try for you as well.

Francis Gorman (27:12.642)
I think that makes it more relatable though, if you can kind of go, well guys, look, this is not just me telling you that you need to pay me to do something for you as a business owner myself, my stats are as follows and we can see, you know, one point X million times was an attempted attack and those attacks were brute force against our cloud services or, you know, we, we managed to stop X amount of phishing emails that came in through our, our detection software or

you know, someone sent in malware and we, we caught that at a sandbox in our, in our email solution or whatever, but you can, you can make it more relatable then because it's, it's not just, it's not just hypothetical. You have the data points to, to, to speak to on, on, on, on that, Robert, think before we finish up, I kind of like to ask you, how should companies assess their, their cyber posture without it becoming a checkbox exercise per se?

Robert Maxwell (28:13.278)
I think they should do two things. First of all, they should recognize the need for an investment in a small external review. It's very easy to attempt to do an internal review, come back and say, look, we're all good. We checked. An external review reveals something quite different because of course they're looking for different things and are apt to be more honest with you.

So there should be a small external review. offer such an external review at a very low cost and 95 % of the time we find that clients are very surprised because they're learning things they did not know. That's one thing. The second thing with respect to companies is the need to recognize that even if you work quote unquote clean,

or you got a good review last year doesn't necessarily mean you're going to get a good review now or in six months time. So there's got to be the approach that we have to stay ahead of this curve. That's a key, a key mindset. And this is why we keep saying it's a business problem, much more so than a technological problem. As you well know, AI has advanced considerably and the types of attacks that

are now becoming prevalent. We didn't know about them six, nine months ago. So one does not do a review to say, we've done it. We had a clean one and it was done seven months ago. We're okay. One has to have the mindset that last one was clean. We've now made the following changes. And by the way, let's get ready for the next review.

Francis Gorman (30:02.952)
That's interesting AI. I should really ask you about AI in these organizations because when I look at AI, see lots of people are throwing high levels of sensitive data in there, just assuming it's a magic box that gives back answers or creates PowerPoints or documents or whatever the artifact may be. But in organizations that don't necessarily have security professionals or data privacy professionals embedded with them.

The mindset may be very different to a regulated entity per se that is very conscious of the risk levels. How much has AI changed how you approach these businesses?

Robert Maxwell (30:44.72)
AI has changed our approach considerably. We now start by asking prospective clients, what is your cybersecurity policy with respect to artificial intelligence? At which time we ordinarily get a look which says, what are you even talking about? And then we go on to explain, yes, I know that you are using AI.

And by the way, even if you don't think you're using AI, somebody in your organization is, what's your cybersecurity policy around that? To which most people then drop their gaze, meaning we hadn't thought about that. So to answer your question, AI has made more companies more vulnerable than they can possibly realize. And it's not because

the bad guy is using AI, although that's the case. It's because the company is using AI to expose itself more and more daily without recognizing it's doing that.

Francis Gorman (31:51.116)
Yeah, it's fascinating. I really don't know how this plays out over the next couple of months because, you know, with with an tropic drop and potentially might us the most dangerous zero day finder of all time. If you're to believe the market and hype, the world may be about to get very interesting or maybe it's just more hype. All will be revealed soon enough, I suppose. Robert, it's been fascinating having you on. It's been an intrinsic look at a different side of cyber.

than we normally have on the podcast. So I really do appreciate your viewpoints and thank you for taking the time out of your day to speak with me.

Robert Maxwell (32:26.081)
Thank you, sir. Take care. Bye-bye.

Francis Gorman (32:28.217)
Thank you.