Practical Cybersecurity with Jen Stone

Cybersecurity Priorities for 2026: The Two Vulnerabilities to Focus on in the AI Era (ep.7)

SecurityMetrics Season 1 Episode 7

Is your organization prepared for an autonomous AI bot? Roger Grimes joins Jen Stone to discuss the shifting landscape of cybersecurity. This episode moves past the hype to look at the hard data: AI scams are yielding 4.5x more value for attackers, and traditional MFA is no longer enough to stop them.

In this episode, we translate complex "vulnerability fatigue" into a clear, two-step priority list. We strip away the jargon to show you exactly how autonomous bots are bypassing firewalls by targeting the human element.

Key Takeaways:

  • Focus on the "Big Two": Social engineering and unpatched software account for nearly 90% of business risk.
  • Phishing Resistance: Why you should move toward YubiKeys or passkeys to avoid "man-in-the-middle" code interception.
  • Patch Management: Why you should ignore "shiny" new vulnerabilities and follow the CISA Known Exploited Vulnerabilities catalog.
  • The Negotiator's Trap: What happens when a CEO claims they have backups, but the hackers have already deleted them.

Featured Resources:

  • CISA Known Exploited Vulnerabilities (KEV) Catalog: Use this to prioritize patching based on real-world attacker behavior.
  • Phishing-Resistant MFA:
    • YubiKey: A hardware security key requiring physical touch to prevent remote account takeovers.
    • FIDO Passkeys: A cryptographically secure alternative to SMS codes.
  • Password Management: Tools like 1Password or LastPass are essential for creating long, random, and unique credentials that AI can't easily crack.
  • The 3-2-1 Backup Rule: Maintain three copies of data, on two different media types, with one copy kept strictly offline.

Connect with Roger Grimes

  • KnowBe4: Access security awareness training and social engineering defense resources at knowbe4.com
  • Free Book Offer: Roger is offering a free PDF copy of his latest book, How AI and Quantum Impact Cyber Threats and Defenses, to all listeners. Email him directly at rogerg@knowbe4.com

A note from Jen: We built Practical Cybersecurity because we were tired of the fear-mongering in this industry. Security shouldn't be a secret club.

If you're trying to figure out PCI compliance or need a pen test, my team at SecurityMetrics can help you out: https://www.securitymetrics.com/contact/lets-get-you-to-the-right-place

But if you just want to learn how to protect yourself for free, start here:  https://academy.securitymetrics.com/