
Jordan Polasek on AI and Cybersecurity: How the Threat Landscape Actually Changed in 2025–2026

Security · By Jordan Polasek, Founder of BVTech LLC · March 22, 2026 · 10-min read

I have resisted writing an AI-and-cybersecurity article for most of the current hype cycle, because most of what has been written on the topic has been either speculative or frankly vendor-driven. The threat landscape has, however, now shifted enough in the field that I have real things to report from actual Texas client environments, and enough of my clients have asked me directly what they should change that it is worth putting the answer in one place.

This is a practitioner's view, not a research paper. I'm writing about what I am seeing land in the environments BVTech manages and what I have changed — or am about to change — as a result. Where I am uncertain, I will say so.

The phishing floor has risen

The most measurable change I've observed since late 2024 is in the quality of phishing email that reaches my clients' inboxes. The old tells — broken grammar, awkward English, unusual spacing, bizarre greetings — are substantially gone. AI-assisted phishing produces text that is grammatically perfect, contextually plausible, and increasingly well-tailored to the recipient's industry and role. The emails look like they were written by a competent native English speaker because, effectively, they were; the human attacker is now supervising an AI that handles the composition.

The operational consequence is that "train users to spot suspicious emails" has become a much weaker defense than it was five years ago. The tells users were trained to notice have largely been eliminated. A Texas medical-office receptionist who could reliably spot a Nigerian-prince scam in 2020 cannot, in the field, reliably distinguish an AI-generated pretext from a real vendor email in 2026.

The defensive response is not better training — though you should still do training — but a structural shift: assume the user will click, and make sure the environment still survives.

Voice cloning has moved from theoretical to operational

I first heard a voice-cloned social-engineering attempt in a Texas legal client's environment in early 2025. The attacker had cloned the managing partner's voice well enough that the paralegal who picked up the phone was more than halfway into authorizing a wire transfer before the call was interrupted by a second call from the real partner on a different line.

The technology to clone a convincing voice from thirty seconds of audio is now widely available. Any principal of a Texas business who has ever given a local news interview, recorded a marketing video, or spoken at a Chamber of Commerce event has enough public audio to be cloneable. The specific attack pattern I see most often is a cloned-voice voicemail or live call to the bookkeeper or accounting clerk, asking for an urgent wire transfer to close a sensitive deal before the end of the day. The pretext is specific, the voice is right, and the urgency is manufactured.

The countermeasure is procedural, not technical. Every business handling wire transfers should have a standing policy that wire instructions received by any voice channel — phone, voicemail, video call — must be verified by an independent callback to a known number before the transfer is authorized. If this is not a written policy in your Texas business today, it should be a written policy by next week.

Automated reconnaissance is real

A quieter but equally significant change is on the attacker's reconnaissance side. AI-assisted attackers can now scan, catalog, and correlate public information about a business and its employees at a scale and speed that previously required a dedicated research team. LinkedIn profiles, public filings, vendor case studies, Instagram posts, Texas Secretary of State records, voter-registration data, property records — all of it gets pulled together into a per-business profile that informs pretext generation.

The implication for small Texas businesses: you are more findable than you were. The attacker no longer needs to pick you specifically; the automated tooling picks you. The pretext that arrives in your inbox will reference your actual vendors, your actual contractors, and sometimes your actual staff by name.

On the defensive side, AI is earning its keep — in specific places

I want to be careful here, because much of what is sold as "AI cybersecurity" is marketing. But in specific defensive use cases, machine-learning-based detection is genuinely doing work it could not do five years ago.

The strongest wins I see are in email filtering. The current generation of Microsoft Defender for Office 365 and of specialized tools like Abnormal Security catch a materially higher percentage of novel phishing attempts than the rule-and-signature-based systems they replace. The detection works because it models the normal communication patterns of a tenant — who emails whom, from where, when, about what — and flags deviations. AI-generated phishing becomes a deviation even when the text itself is clean.
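The baseline-and-deviation idea in the paragraph above, as an added example (not code from the author or from any vendor named here). It learns which display names and sender addresses each recipient normally sees and reports deviations without reading the message body; the class name, finding labels and sample addresses are constructed for illustration.

```python
from collections import defaultdict
from email.utils import parseaddr

# Constructed sample traffic for one tenant: (From header, Reply-To, recipient).
HISTORY = [
    ('"Dana Ruiz" <dana@acme-supply.example>', "", "ap@clinic.example"),
    ('"Dana Ruiz" <dana@acme-supply.example>', "", "ap@clinic.example"),
    ('"Lee Park" <lee@titleco.example>', "", "frontdesk@clinic.example"),
]

def _domain(addr):
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""

class TenantBaseline:
    """Hypothetical baseline: who normally writes to whom, and under which name."""

    def __init__(self):
        self.name_to_addrs = defaultdict(set)  # display name -> addresses seen
        self.pairs = set()                     # (sender address, recipient) seen

    def learn(self, from_header, reply_to, recipient):
        name, addr = parseaddr(from_header)
        self.name_to_addrs[name.lower()].add(addr.lower())
        self.pairs.add((addr.lower(), recipient.lower()))

    def score(self, from_header, reply_to, recipient):
        """Return the deviations from the learned baseline (empty list = normal)."""
        name, addr = parseaddr(from_header)
        name, addr = name.lower(), addr.lower()
        findings = []
        known = self.name_to_addrs.get(name, set())
        if name and known and addr not in known:
            findings.append("known-name-new-address")    # trusted name, unfamiliar mailbox
        if (addr, recipient.lower()) not in self.pairs:
            findings.append("first-contact")             # sender never wrote to this person
        reply_addr = parseaddr(reply_to)[1]
        if reply_addr and _domain(reply_addr) != _domain(addr):
            findings.append("reply-to-domain-mismatch")  # replies diverted elsewhere
        return findings

def build_baseline(history=HISTORY):
    baseline = TenantBaseline()
    for msg in history:
        baseline.learn(*msg)
    return baseline
```

A message from a look-alike domain under a familiar display name trips all three checks even when its text is flawless, while the vendor's usual mail scores clean.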

The second area where I see real defensive value is in endpoint detection and response. Behavioral EDR catches attacker behavior that would get past signature-based antivirus because the attacker's actions — unusual process spawning, privilege escalation attempts, lateral-movement reconnaissance — have signatures of their own, even when the malware is new.

The third area, still emerging, is in log analysis. SIEM platforms with ML-driven anomaly detection catch slow-and-low attacks — the ones that spread out over weeks — that would be invisible to rule-based monitoring. For a small Texas business this is often out of budget, but the managed-detection-and-response (MDR) services that consume it on your behalf are increasingly reasonable at small-business price points.
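Why a short-window rule misses a slow-and-low attack, as an added example that is not from the author or any SIEM product. The long-window check is a fixed-threshold aggregation standing in for an ML anomaly model; the function names, thresholds and failed-login events are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

def burst_rule(events, limit=5, window=timedelta(minutes=10)):
    """Rule-based check: sources with >= limit failed logins inside a short window."""
    by_src = defaultdict(list)
    for ts, src, _user in events:
        by_src[src].append(ts)
    hits = set()
    for src, times in by_src.items():
        times.sort()
        for i in range(len(times) - limit + 1):
            if times[i + limit - 1] - times[i] <= window:
                hits.add(src)
                break
    return hits

def slow_spray(events, min_users=10, min_days=7):
    """Long-window check: sources failing against many distinct accounts
    spread across many distinct days, regardless of hourly rate."""
    users, days = defaultdict(set), defaultdict(set)
    for ts, src, user in events:
        users[src].add(user)
        days[src].add(ts.date())
    return {s for s in users
            if len(users[s]) >= min_users and len(days[s]) >= min_days}

def sample_events():
    """Constructed failed-login events: (timestamp, source IP, account)."""
    start = datetime(2026, 1, 5, 9, 0)
    events = []
    # Source A: one failure a day against a different account for three weeks.
    for d in range(21):
        offset = timedelta(days=d, minutes=(37 * d) % 480)
        events.append((start + offset, "203.0.113.7", f"user{d:02d}"))
    # Source B: one user mistyping their own password six times in three minutes.
    for m in range(6):
        events.append((start + timedelta(seconds=30 * m), "198.51.100.20", "jsmith"))
    return events
```

On this data the burst rule flags only the mistyping user, and the three-week spray appears only in the long-window view.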

What Texas small businesses should actually change

A pragmatic shortlist, calibrated to the typical Texas client I see.

Implement MFA on everything, especially the things you keep meaning to. The single highest-leverage defensive change in the AI-attack era is universal MFA. AI cannot defeat MFA at the protocol level; it can only social-engineer the user into bypassing it. Enforce MFA and the attacker's threshold for success rises by an order of magnitude.

Move to phishing-resistant MFA where you can. SMS-based MFA is better than nothing but is vulnerable to SIM-swap attacks that AI-enabled attackers are getting better at executing. App-based MFA (Microsoft Authenticator, Duo) is the working standard. FIDO2 hardware keys for your highest-privilege accounts — the owner's, the bookkeeper's, the domain administrator's — are genuinely phishing-resistant and increasingly affordable.

Deploy real endpoint detection and response. Not signature-based antivirus. EDR with behavioral detection and human or automated alert review. Guardz, SentinelOne, and Microsoft Defender for Business all work at Texas small-business price points.

Upgrade your email filtering. Microsoft Defender for Office 365 at minimum if you're on Microsoft 365. A dedicated behavioral-analysis layer on top if the business is large enough or the risk is high enough (particularly for legal and financial services).

Write a wire-verification policy and train on it. The voice-clone attack is the single most common direct-wire-fraud pattern I am seeing, and it is almost entirely preventable with a two-sentence written procedure.

Reduce your attack surface. Decommission old remote-access tools. Turn off unused cloud services. Remove ex-employee accounts promptly. AI attackers are better at finding forgotten resources than human ones were.

Maintain a tested backup. The single most effective defense against the worst-case ransomware outcome is a tested, immutable, off-site backup with retention measured in months. This has always been true; AI has not changed it, but it has changed the probability of ending up needing it.

What not to do

Do not panic-buy "AI cybersecurity" tools. The market is flooded with products that use "AI" to mean "pattern matching we rebranded in 2023." Before purchasing, ask the vendor for specific, testable claims about what their AI actually detects that a prior-generation tool did not, and ideally ask a trusted practitioner whether they have tested the claim.

Do not conclude that user training is obsolete. It is weaker than it was, but it is not useless. Trained users still report more suspicious messages than untrained users, and the reports are still how many attacks get caught. The training content does need to be updated; generic phishing examples from 2020 no longer teach anything useful.

Do not lean on "we're too small to be a target." The automated-reconnaissance shift has measurably flattened the size-of-target distribution. Small Texas businesses are being targeted at rates that used to be reserved for mid-market. Ignoring that is the most expensive choice available.

What I've changed in my own practice

Because this article is a practitioner's view rather than a think-piece, it's fair to say what I've concretely changed at BVTech in response to all of the above.

I now enforce app-based MFA on every client tenant I manage, with FIDO2 keys on owner and administrator accounts. I run Guardz EDR on every client endpoint and review alerts weekly as part of the standard managed-services deliverable. I have rewritten the phishing-awareness training content that BVTech clients receive, with current AI-assisted examples rather than 2020-vintage ones. I have added a wire-verification procedure as a required policy document for every financial or legal client. I have moved every client on Microsoft 365 to Defender for Office 365 at minimum, and the higher-risk clients to a dedicated behavioral email-security layer on top.

None of that is unusual. It is the current floor for a serious MSP in 2026. If your Texas provider has not made similar changes, that is worth a conversation.

If you are reading this and unsure where your own business sits, I'm happy to walk through the list against your current environment. Consultations are free and no-pressure, and I will give you a straight read even if we are ultimately not the right fit.

Jordan Polasek — Founder of BVTech LLC

About Jordan Polasek

Jordan Polasek is the Founder and Managing Partner of BVTech LLC, a Texas-based managed service provider with thirteen years of field experience. AWS certified. 4.0 GPA in Cloud Computing. SuperOps Solo MSP of the Year 2023.
