ESET’s Tony Anscombe on the cybersecurity trends MSPs can’t ignore in 2026

From AI-powered malware and open VPN servers to the case for reframing "cyber risk" as "business risk"

Tony Anscombe, chief security evangelist at ESET, returns to the podcast for a wide-ranging conversation about the cybersecurity landscape in early 2026. From the emergence of AI-powered malware to familiar weak points that keep showing up in breach after breach, Tony shares practical insights for MSPs advising their customers on security strategy this year.

The conversation opens with a look at major incidents from the past year, including the Jaguar Land Rover cyberattack that disrupted thousands of supply chain businesses and led to a £1.5 billion UK government loan guarantee, the Ingram Micro ransomware incident, and breaches affecting Salesforce and Oracle. Tony shares a striking insight from a cyber insurer: open VPN servers without MFA have overtaken RDP as the leading driver of claims.

The discussion moves to shadow AI risks, with real-world examples of what goes wrong when companies deploy AI tools without security guardrails, and why MSPs have an opportunity to embed themselves as trusted advisors by being the security voice in the room.

Tony also walks through the emergence of AI-powered malware, including ESET’s research on PromptLock, the first documented AI-powered ransomware – originally a proof of concept from NYU researchers that ended up in the wild – and PromptSpy, the first Android malware to use generative AI at runtime.

The conversation closes with Tony’s advice for MSPs to stop talking about “cyber risk” and start talking about “business risk” – framing security in terms of downtime, continuity, and financial impact rather than technical threat statistics.

Robert Dutt: Hello and welcome to the ChannelBuzz.ca podcast, bringing news and information to the Canadian IT channel for the last 16 years. I’m Robert Dutt, still editor at ChannelBuzz.ca, and your host for the show.

Cybersecurity is one of those areas where the threats never stand still, and lately the pace of change seems to be even faster. As we head further into 2026, factors like artificial intelligence, global geopolitical tensions, and increasingly organised cybercrime are reshaping what risk looks like for businesses of all sizes.

Today we’re stepping back from the day-to-day headlines to talk about what’s coming next, what really matters beneath the noise, and what IT service providers and resellers should be paying attention to as they advise their customers.

My guest is Tony Anscombe, chief security evangelist at ESET, and a frequent flyer on the podcast. Tony spends his time analysing emerging threats, talking with security teams around the world, and translating complex security trends into practical guidance.

This conversation is focused on thought leadership and the big picture trends shaping cybersecurity this year, from AI-driven attacks and mobile threats to ransomware and the impact of global events on the digital world Canadians rely on every day.

It’s a great conversation, so let’s get right into it. My chat with ESET’s Tony Anscombe.

Tony, thanks once again for taking the time.

Tony Anscombe: Oh, it’s always a pleasure to chat with you, Rob.

Robert Dutt: I just wanted to take this opportunity to kind of take a look at where we’re at in cybersecurity in the early part of 2026 and get your thoughts on what to expect this year, sort of help our listeners, the VARs and MSPs of the world, get an overall feeling for where things are at, where they’re going. I guess to throw things open, when you look ahead at this year, what feels genuinely different about the threat landscape compared to, say, a year ago? I was going to say a year or two, but I think even a year in this rapidly changing place is plenty.

Tony Anscombe: Well, I think you’ve seen some pretty big incidents last year. None of them, I would say, are a catastrophic incident, whereas the year before we saw the likes of Change Healthcare and there was the CrowdStrike update and things that affect hundreds of millions of people all at the same time. But you had Jaguar Land Rover with a significant issue. You saw the Salesforce ransomware, the Oracle zero day that was exploited in their systems. Ingram Micro ransomware incident took down a lot of the distribution channel. So I think there were incidents that are interesting.

I think to an element, I’d kind of say that you’re going to see more of the same, but the same is becoming more sophisticated and is starting to change. Now, if you go back four or five years, we’d have told you that cybercriminals at some stage will start using AI technologies in there as we go. Then I meet people frequently that turn and say, “I’m being attacked by AI.” The answer to that is, no, you’re not. Stop watching Terminator at weekends. That’s my recommendation. You’re getting paranoid.

I say that, but the use of AI within cybercrime is making it more sophisticated. It’s making it more challenging to detect in certain instances and it’s becoming more challenging from a social engineering perspective. The sophistication and the likelihood of you clicking on something is unfortunately increasing.

I think if you look at cyber insurance reports that talk about claims and stuff like that, still 40% of people are paying. A lot of the things are business as usual. In fact, I spoke to a cyber insurer a couple of weeks ago, Rob, who gave me a snippet of information that I thought was fascinating. We talked about RDP a couple of years ago, you and I, about the issue of… and he said the majority of their claims are open VPN servers, where people have got a login page, ID and password to log into the VPN and they haven’t put MFA on it. VPNs have now taken the place of where RDP was, so that one seems to be moving down the chain a bit.

I took a look, I went on Shodan. I took a look on Shodan and sure enough, you can find lots of open VPN servers.

Robert Dutt: Just goes to show how some tools which are at least adjacent to security can be flaws as well. There’s no shortage of that. You already touched on a couple of them. You mentioned AI and obviously that’s the big subject of the industry and of business in general in 2025 and 2026. It seems like we’re at a place where right now, in many cases, it’s coming out in front of security, in front of management and in front of IT control, the whole shadow AI thing. I guess, what are your thoughts on where organizations are most exposed because of that gap that exists?

Tony Anscombe: Well, that’s a good point. The boardroom or the management teams in companies are going, “We need AI, we need AI,” because that’s what they’re hearing. Sure, it’s a great tool. If you look at a company like us at ESET, we’ve used AI in our products for two and a half decades or so. It’s not that new to us. But if you look at the latest iterations where a customer can get natural language help and stuff like that, you can sort through our threat intelligence easier. Those type of tools are where companies are at, isn’t it? It’s the customer interaction or it’s the knowledge base searching or it’s being able to get reasonable information quickly and meaningfully and in a nice way.

The problem is, a company takes all its data, throws it into an AI model and says, “Hey, AI, can you start helping my customers?” There’s likely to be personal information in there. They’re likely to leave APIs open and such like that then get abused. Before you do this, you need to have a cybersecurity person in the room. Now, that doesn’t mean you don’t do it. What that means is you do it in the right way. The cybersecurity person might turn and sit there and be the doomsday person and say, “Oh, no, we don’t want to do this.” But it’s then about explaining to the people that want it in the business about the risk and understanding where the level of risk lies and whether you’re comfortable and accepting of that risk.

We’ve seen some great examples of it, haven’t we? What was it, somebody bought a car from one of the car companies for a dollar or something, they managed to trick the AI chatbot into it. That’s the type of thing you want to be protecting against, making sure that you’ve got those guardrails in place. Also making sure it’s not going to surface some customer’s phone number or customer data inadvertently. Some customer in a previous call may have turned around and said, “Here’s my email address,” or “Here’s my phone number.” Of course, if that’s in your knowledge base somewhere or stacked in your support tickets, the right teasing of that information might bring it out and suddenly, in effect, you’ve got a customer data breach, which your AI told somebody. I’m just saying you don’t want that. You need to do it with security in mind. Make sure the agents are tied down correctly.

Now I saw there was an incident last year. I can’t remember which vendor it was with, Rob, but they had an API. It was an AI tool. They had an API for their customers to use. I think it was about 30 different customers were using it, or using the same ID and password. The password, by the way, I think was “default.”

Robert Dutt: Perfect.

Tony Anscombe: Right? So there you go. That’s just somebody doing it without too much thought. Put a cybersecurity person in the room, every customer would have had their own ID. There would have been stronger authentication, maybe certificate-based, and you wouldn’t have had that issue. It’s about having the cybersecurity people in the room with the business at the time you discuss it.

Robert Dutt: That’s an interesting place for MSPs because especially in the smaller end of enterprise and into SMB, when those discussions are taking place, often that MSP is going to be serving as the security person for an organization. It speaks to, I think, the need for you, even if you’re a third party to the company, you’ve got to have a strong seat to be able to say, “Hey, customer, this is all sounding great as far as innovation goes, but there’s stuff you need to think about here too.”

Tony Anscombe: Yeah, absolutely. But it’s also somewhere where the MSP actually shows up and provides the real value because if you can show that you’re reducing the company’s business risk, then that’s what you’re there to protect, isn’t it? I would have thought it actually cements you further into the company because the more projects you get involved in, the more you understand their business, the harder it is for that company to actually change MSP. You embed that customer relationship, which is kind of the holy grail, isn’t it? That’s what you want as a service provider.

Robert Dutt: Absolutely. Your research talks about smartphones as an increasingly attractive target. No argument there, it makes sense. It’s where a lot of people are doing their computing, right? It’s an interesting space in that sometimes it’s under IT control. Sometimes it’s not. Sometimes it’s a little bit of both. I guess what’s changed about mobile threats that MSPs and businesses should be paying more attention to right now?

Tony Anscombe: Well, I’m smiling, Rob, sat here listening to you say that because I’ve got two phones on my desk. One of them is very controlled and one of them is mine.

Robert Dutt: Wild West.

Tony Anscombe: Yeah, well, it’s not the Wild West. Mine is controlled by me, not the company. But it’s a good point because if you look at people’s phones, they need to be under some sort of MDM service. If you’re allowing somebody to use their own device, then you need the ability to delete data. You need the ability to track the phone if it’s lost, delete the data and control the apps. Potentially have some sort of compliance on the security settings that are on the phone. If the person hasn’t got biometric unlock on the phone, then maybe you don’t want to install your stuff on there at all. It’s not just about having that container for the company data that you control, but it’s also having a minimum set of security standards on the phone, that the phone itself is secure. Bear in mind, you’re helping actually your employees secure their phone in that scenario as well. But yeah, the more and more devices you see, the more and more I think compliance you need to do on them. I don’t think that will change anytime soon.

Robert Dutt: Ransomware, obviously the constant presence, the constant scourge. It keeps evolving, but the pattern keeps repeating in that a lot of the successful attacks are relying on maybe not the same weak points, but familiar weak points. I guess, why do we still see these same mistakes playing out? And what, if anything, can I do about that as an MSP?

Tony Anscombe: Well, certainly one of the things MSPs need to do is make sure the customer is being trained, but also make sure your own staff are being trained as well. If you look at… and I wouldn’t want to put a percentage on it, but it’s a big number. If you look at the number that involve some form of social engineering, unfortunately – social engineering, you know, phishing, text messaging, physical phone calls – it’s never-ending. The elements of social engineering are huge there.

I mean, I can’t remember whether we spoke about ClickFix last year. ClickFix was an interesting malware family. They used, one of the variants used the screen that says, “Are you a robot?” We all click the box, don’t we? And they’re very creative. Then it says, “Can you press these three keys on your keyboard to verify you’re human?” And what actually the three keys do is they invoke a PowerShell script. And there you go, you’re now breached.

But it’s those sophisticated mechanisms such as that, that you need to make sure your employees understand, and your staff and your customer staff. So within the MSP, that you’re doing regular training, regular, even for your technical people.

I worked for a company, Rob, when I first started my career in finance. It was a credit card company. And they used to run a program where a fictitious fake card member would sit there ringing numbers in the company each day, internal numbers. And your phone would ring and you’d pick the phone up and it would be a fake card member. And you had to own the call. Everybody in the company had to own the card member, regardless of whatever your job was. I’d love to see tech companies doing something similar.

Robert Dutt: Yeah.

Tony Anscombe: MSPs could be doing something like this with their customers. Can I randomly phone up your staff and see if I can socially engineer a password out of them? Not because I want to embarrass them, but because I want to be able to show that it can be done and then improve things beyond it. Wouldn’t that be a great service? It’s like phishing simulation, but with a person.

Robert Dutt: Interesting idea.

Tony Anscombe: Yeah. But if I ran an MSP myself, I think I’d be doing that on my own staff because I wouldn’t want to be, unfortunately, the supply chain into my customer that gets breached, that ends up seeing my customers breached. And there were a few of those, unfortunately, I think last year. I think Marks & Spencer were that way. And I think Jaguar Land Rover may have been through a third party as well. So I think there are some really interesting examples where third parties were unfortunately responsible.

Robert Dutt: Well, yeah. It speaks to kind of that trend too, where a lot of times those who are doing the attacks are looking at that as an increasingly viable way in because there’s potential for there to be a gap between organizations that no one’s really… everyone assumes that everyone else is kind of looking at it, maybe.

Tony Anscombe: Yeah, absolutely. There are other things I think MSPs… MSPs need to show their customers that they’re 100% secure, that they’ve gone through the same programs that actually customers do as well. One thing I think, if an MSP doesn’t go through what I define as regular cyber insurance type requirements, to me that would be a good thing for them to do, because cyber insurers kind of push that whole reduction in risk.

Robert Dutt: That is rapidly becoming table stakes, isn’t it? That’s an expectation. Continuing along that line, for MSPs who are kind of planning out their security strategy, their security approach for the rest of the year, I guess what’s one assumption or one thing they’re doing that they should probably challenge or change at this moment in time?

Tony Anscombe: One thing to change, that’s a big question. Only take on customers that are secure.

Robert Dutt: Problem solved.

Tony Anscombe: Yeah. Don’t allow your customers to have any connectivity. No. It’s to make sure that you’re keeping pace with the advanced technologies that are out there. For example, we’ve seen EDR become MDR and XDR, but are you now plugging in good, accurate threat intelligence feeds into that EDR? Whoever’s EDR you’re using, obviously, I’d love everybody to use ESET’s, by the way. But if they’re offering that as a managed service from an MSP, I’d also couple that with threat intelligence feeds and APT reports. If you’ve got government customers, actually start taking it to the next level so that it’s not just about relying on the monitoring and detection of an issue, but also that you’re intelligently looking beyond where other issues might come through other industries or what’s happening elsewhere.

Robert Dutt: And taking that same kind of idea, but turning it around from a customer-facing perception. If you were advising an MSP on how to talk to clients about cyber risk this year and what they should be thinking about going forward, how does that conversation need to change in light of the changing threatscape?

Tony Anscombe: Well, firstly, now that’s an interesting term. I’m guilty of using the term cyber risk. If I was in the MSP shoes today, I would not be talking about cyber risk. I’d be talking about business risk. I think cyber is becoming a risk just like any other risk to a business, i.e. theft, fire, building collapsing, earthquakes, whatever it might be that we tend to have risk. And cyber now needs to be treated as that risk. You’ve got to talk to a business in the terms of it being a business risk.

There are some really good examples in the market now. I mentioned Jaguar Land Rover just a moment ago. Think about that entire incident. A third party to them gets breached and Jaguar Land Rover gets taken down through it. It affected 5,000 businesses. The UK government stepped in and bailed them out with £1.6 billion. That’s a huge amount of money.

If you and I had a little company, we’re making screws for gearboxes. It’s all very well somebody coming to me and turning around and saying, “Cyber risk.” But what I really want to know is the business risk. How much is it going to cost my business if I have this incident? What is my downtime going to be? Talk to them in the business language and put it in real terms. It self-justifies, by the way, then the expenditure on cybersecurity because you’re talking to them about the finance of the business. I kind of stopped talking about, you know, “70% of ransomware attacks start as phishing.” Great, those are supplemental, but talk to them about actually how they keep their business running.

Robert Dutt: I think it speaks to a broader trend in the channel of over time, moving from speaking about technology to speaking about solutions to increasingly speaking about outcomes. I think we’re talking about now the business outcomes of security investment.

Tony Anscombe: Yeah, absolutely. To a lot of this, this is the decision of the CFO of where is the acceptable business risk. Then it’s about putting the right cyber plan in place to meet the line of business risk. And by the way, we all have risk in different… our line will all be in different places. If 10 of us stand in a casino in Las Vegas and we’ve all got $200, we’re all going to behave completely differently when we walk up to the roulette table.

Robert Dutt: Yeah, absolutely. And depending on where we’re at, we may have additional oversight, which colours our risk decision-making and depending on what… in this case, in what industry you’re in, for example.

Tony Anscombe: Well, exactly. Every CFO and every business will have a different line in the sand of where their business risk is.

Robert Dutt: You obviously get to spend a whole lot of time looking at what’s there and what’s coming in terms of security. I’m curious, is there anything that’s surprising you about the current security scene?

Tony Anscombe: Well, the one thing that we’ve seen in the last six months… we’re being attacked, but let’s come back full circle here. We’re being attacked by AI. We have seen a couple of examples of malware. At this stage, they appear to be proof of concepts of AI-based malware. What that means is it’s actually dynamically using AI within the malware to generate the attack. It’s looking at the environment and then using the environment, asking AI to then generate scripts and code on the fly in real time. They’re using public AI models to do this. It will create the script and then they attack with that script.

Now, in theory, that means you’re using a never-before-seen piece of code within the attack, which obviously makes it very challenging to detect. The two instances we’ve seen, one was PromptLock. The other one, we published details in the last few weeks, PromptSpy. One was on a Windows, macOS and Linux platform. The other one, a few weeks ago, was on an Android platform.

We’re seeing the emergence of that type of code. So lower barrier to entry. Now that code’s out there in the marketplace. Difficult-to-detect attacks. I think you’re going to see that expand over this next year.

Now, interestingly, one of those examples I just used, PromptLock, was a project by a university student. That’s what it transpired to be, but they put it in the public domain. Need I say more? Please don’t do this.

[Laughter]

Robert Dutt: I guess it was a matter of time that once the idea of vibe coding became kind of mainstream, that it was going to get turned back around and used in some sort of malicious way. That is one true trend across security over time. They will take advantage of the tools that are available.

Tony Anscombe: They will. But I expect to see more of that AI-generated code out there over this next year. The challenge then is making sure the technologies that are in place, those advanced technologies, are picking up those advanced attacks because it will become more challenging as it goes.

Robert Dutt: Tony, as always, so much going on in the security space, but you’ve given us some good things to think about. I think most importantly, some actionable things to think about as you’re running the security practice of an MSP. Appreciate your taking the time, as always.

Tony Anscombe: Hey, always a pleasure, as I said, Rob.

Robert Dutt: There it is, my conversation with Tony Anscombe, chief security evangelist at ESET. Whether it’s the rise of AI-powered malware, open VPN servers quietly becoming the new weak link, or simply learning to talk about security in business terms, there’s a lot here for MSPs to think about as we move through 2026. I’d like to thank Tony for joining us once again. Thank ESET Canada for their ongoing support of the site. And of course, thank you for listening today.

We’ll be back in your feed tomorrow as we’re joined by Lee Caswell from Nutanix to discuss the company’s 8th Annual Enterprise Cloud Index Report, and with a special episode on Friday as we discuss Amazon Web Services at 20 with AWS Canada chief Eric Gales. You’ll want to be sure you catch those, so please do subscribe to or follow the podcast in your podcast app of choice. And if it allows you to do so, please consider leaving a review or rating of the show.

Until next time, I’m Robert Dutt for ChannelBuzz.ca, and I’ll see you in the channel.

Robert Dutt is the founder and head blogger at ChannelBuzz.ca. He has been covering the Canadian solution provider channel community for a variety of publications and Web sites since 1997.