The Biggest Cybersecurity Challenges Facing Regulated and Mid-Market Sectors - with Cody Barrow of EclecticIQ

Barrow explains how agentic AI is automating lower-skilled attacks, making phishing emails more convincing and enabling sophisticated deepfake video calls for social engineering. He recommends establishing code words with family members to authenticate identity during emergency requests, as attackers can now impersonate people via FaceTime or WhatsApp with realistic deepfakes.

• •Agentic AI is making previously obvious phishing attempts look legitimate by eliminating spelling errors and improving authenticity
• •Deepfake live video calls represent the scariest threat, enabling attackers to impersonate family members requesting emergency fund transfers
• •Implement code words with family and colleagues to authenticate identity during unexpected requests
• •The automation of attacks is happening slower than expected but steadily increasing in sophistication

Mid-market sectors like manufacturing and retail face broad attack surfaces through supply chain weak links, particularly in payment systems and e-commerce platforms. These organizations lack the regulatory mandates that force security investments and are more vulnerable to opportunistic attackers who can cause weeks of revenue loss through system downtime.

• •Supply chain vulnerabilities create multiple weak links that attackers can exploit to bring down payment systems
• •Weeks of downtime from compromised payment systems directly translates to significant revenue loss
• •Mid-market lacks strong regulatory mandates forcing comprehensive security across all touchpoints
• •Opportunistic attackers specifically target this sector due to weaker defenses and easier exploitation

Highly regulated industries like finance and telecom have the most mature cybersecurity programs (Bank of America spends $1B annually) but face different challenges: overwhelming alert volumes, difficulty finding right-skilled personnel, and prioritization problems. Unlike intelligence agencies, they lack frameworks to effectively focus their substantial resources on the right threats.

• •Major financial institutions like Bank of America invest $1 billion annually in information security as 'revenue protection'
• •Alert fatigue from too many signals creates analysis paralysis despite mature security programs
• •Skills shortage isn't just about quantity but finding the right expertise for specific security roles
• •Lack of intelligence agency-level frameworks makes threat prioritization extremely challenging despite high funding

Critical infrastructure faces patient, well-funded, state-backed threat actors seeking leverage, disruption, or pre-positioning for future conflicts. These organizations have clarity of mission through national policy but often lack adequate security funding. Attackers prioritize stealth and long-term access over immediate exploitation.

• •State-backed attackers are patient and well-funded, often pre-positioning access for potential future conflicts
• •Critical infrastructure targets include energy sector and other services essential for societal function
• •National policy provides clear mission priorities, unlike private sector organizations that must self-define
• •Attackers seek leverage and disruption capabilities rather than immediate exploitation, making detection harder

Barrow challenges the hype around AI as a magical cybersecurity solution, positioning it as helpful but limited. AI assists with context generation, alert triage, and report summarization, but the most effective solution is organizational culture and executive alignment. Security teams must understand what keeps executives awake at night and translate business risks into technical defenses.

• •AI helps with alert triage, context generation, and report summarization but isn't a complete solution
• •Organizational culture and executive alignment are more effective than AI tools alone
• •Security teams should regularly ask executives 'what keeps you up at night' to align technical defenses with business priorities
• •Translate executive concerns (e.g., fraudulent mortgages in specific regions) into technical security measures for maximum impact

For resource-constrained mid-market organizations, Barrow recommends focusing on high-impact basics: enforced multifactor authentication, single sign-on for centralized access control, up-to-date endpoint patching, and vetting supply chain partners' security practices. When internal scaling isn't feasible, outsource to managed detection and response providers offering 24/7 security operations.

• •Enforce multifactor authentication across all remote accounts and administrative access, ideally organization-wide
• •Implement single sign-on (SSO) to centralize access and identity control
• •Ensure all endpoints maintain current security patches to close known vulnerabilities
• •Vet supply chain partners' security practices since their compromise can shut down your operations
• •Outsource to managed detection and response (MDR) providers when internal 24/7 security teams aren't feasible

Barrow argues that in 2025, most businesses should consider outsourcing some security operations. Key indicators include: inability to survive 3-4 days of operational downtime, lack of clear recovery plans, uncertainty about breach response, and extensive supply chain dependencies. These red flags signal the need for a mature security partner rather than building everything in-house.

• •If 3-4 days of system unavailability would be existential for your business, you need external security partnership
• •Lack of clear recovery or incident response plans indicates immediate need for expert assistance
• •Extensive supply chain partnerships multiply risk and complexity beyond internal team capabilities
• •The reality of 2025's threat landscape makes some level of security outsourcing prudent for most organizations
• •Focus assessment on business impact (revenue loss, data leakage) rather than technical security metrics alone