Cybersecurity is no longer just a concern for large corporations, hospitals, or government agencies. In this episode of the Cyber Brisket Podcast, Chris Engler sits down with Reginald Andre, founder and CEO of ARC Solvers, to talk about the real risks businesses face today, from cyberattacks and AI misuse to downtime, unmanaged devices, and the false sense of security that comes from simply “buying a tool.”
The conversation is practical, honest, and especially relevant for small and mid-sized businesses that may assume they are too small to be targeted. Andre’s message is clear: smaller businesses are not too small to get hacked. They are often just too small to make the news.
The “Too Small to Get Hacked” Mindset Is Dangerous
One of the biggest cybersecurity misconceptions discussed in the episode is the belief that small businesses are not attractive targets for cybercriminals.
Andre challenges that idea directly. Small businesses may not make headlines the way major companies do, but they are attacked every day. In many cases, attackers are looking for the easiest opportunity, not the biggest company. A business with weak passwords, no employee training, no multi-factor authentication, or poor security policies can become an easy target.
Chris compares this to pickpocketing. Not every criminal is planning a massive, high-profile breach. Some are simply looking for unlocked doors and easy wins. For businesses, those “unlocked doors” may be a careless click, a reused password, an outdated account, or an employee who has never been trained on what to watch for.
The key lesson: cybersecurity for small businesses is not optional. It is part of running a responsible, resilient company.
Employees Are Often the First Line of Defense
As companies grow, they often introduce cyber risk without realizing it. According to Andre, one of the most common places this happens is with employees.
New hires are given access to systems, email, files, and tools, but they are not always given clear cybersecurity training. That creates risk from day one. A simple phone call, fake IT support request, or convincing email can trick an employee into giving away access.
The episode highlights how cybercriminals now use publicly available information, such as LinkedIn updates, to personalize attacks. For example, if someone posts that they just started a new job, an attacker may call pretending to be IT support and ask for access to the employee’s computer.
That type of attack does not require advanced hacking. It relies on trust, timing, and confusion.
For businesses, this means security training cannot be a one-time checklist item. Employees need ongoing reminders, clear policies, and a culture where it is okay to pause, question, and verify before taking action.
AI Is Creating New Business Risks
AI was one of the biggest topics in the conversation, and the concern was not whether businesses should use it. The issue was whether they are using it responsibly.
Andre explains that many companies already have employees using AI tools, even when leadership has not officially approved them. Some employees may avoid AI completely. Others may use it casually to rewrite emails or summarize content. Then there are power users who upload spreadsheets, client information, internal documents, or sensitive data without any guardrails.
That creates serious AI security risks.
If employees are using personal AI accounts for business work, the company may have no visibility into what data is being uploaded, where it is stored, who can access it, or what happens if that account is compromised. Andre also points out that some AI tools allow users to export conversation history and uploaded files. If an attacker gains access to that account, they may gain access to sensitive business information too.
The solution is not necessarily to ban AI. The better approach is to create structure.
Businesses need an AI acceptable use policy that explains:
- What tools are approved
- What information can and cannot be uploaded
- Which accounts must be company-managed
- How access is controlled
- How licenses are added or removed when employees join or leave
AI can improve productivity, but without policy and oversight, it can also spread company data across tools leadership does not even know exist.
Cybersecurity Is More Than Buying a Tool
Another major theme from the episode is the difference between having cybersecurity tools and having a real cybersecurity strategy.
Andre warns that many companies buy a product and assume they are protected. But a tool by itself does not equal security. A tool may alert, block, or detect certain issues, but someone still needs to monitor it, interpret the activity, connect the dots, and respond quickly.
This is where the difference between a vendor and a partner becomes important.
A vendor may sell a line item. A true IT and cybersecurity partner cares about outcomes. They help a business think through risk, downtime, employee habits, incident response, backups, cyber insurance, and recovery plans.
For business owners, the question should not be, “Do we have a security product?” The better question is, “If something happens, do we know who is responsible, what happens next, and how quickly we can recover?”
Business Continuity Needs to Be Part of the Conversation
Cybersecurity is not only about preventing attacks. It is also about preparing for disruption.
Andre encourages businesses to ask a simple but important question: How long can we afford to be down?
If email goes down, how will you communicate with customers?
If phones stop working, where will calls go?
If your main systems are unavailable, can your team still operate?
If payroll is disrupted, what is the backup plan?
These questions may sound extreme until a business is forced to answer them during a real outage or cyber incident.
Chris adds an important point: downtime costs more than many leaders realize. Operations may stop, but payroll, rent, customer expectations, and deadlines do not.
This is why business continuity planning matters. Companies need backup communication methods, incident response plans, cyber insurance, and practical recovery steps before a crisis happens.
IoT and Smart Devices Are an Overlooked Risk
Looking ahead, Andre identifies connected devices as a major blind spot. Many businesses have smart TVs, cameras, routers, printers, appliances, and other internet-connected devices on their networks. These devices may not be managed or updated the same way computers are.
That matters because anything connected to the network can become a potential entry point.
A smart TV, camera system, or inexpensive router may seem harmless, but if it is outdated or poorly secured, it can create risk. Businesses should know what devices are connected to their network, who manages them, and whether they receive regular updates.
The Future of IT Will Require More Strategy
The episode also touches on how IT support is changing. Computers are becoming more reliable, and everyday technical issues may happen less often than they used to. But that does not mean businesses need less IT guidance.
Instead, the role of IT is shifting.
Businesses may not call as often for printer problems or blue screens, but they still need help with cybersecurity, AI governance, compliance, business continuity, cloud tools, employee access, and strategic planning.
The danger is that some companies may mistake fewer support tickets for lower risk. In reality, the risks are becoming less visible and more complex.
Key Takeaways
- Small businesses are not too small to get hacked; they are often just less likely to make the news.
- Employees need ongoing cybersecurity training, especially as phishing and impersonation attacks become more convincing.
- AI should be governed with clear policies, approved tools, and company-managed accounts.
- Cybersecurity tools are helpful, but they do not replace strategy, monitoring, and expert guidance.
- Business continuity planning is essential. Companies need to know how they will operate during downtime.
- Smart devices, cameras, routers, and other connected tools can create hidden security risks.
- A strong IT partner helps businesses plan, respond, recover, and reduce risk before something goes wrong.
