The Cyber Wake-Up Call Your Business Actually Needs
What Claude Mythos tells us about our vulnerabilities — and what to do about it
Something happened in the AI world last month that most small business owners scrolled right past. Anthropic — one of the leading AI labs — accidentally leaked details about its next model, called Claude Mythos, by leaving thousands of internal files sitting in a publicly searchable data store. A toggle switch in their content management system was left in the wrong position, setting digital assets to public by default. One of the most sophisticated AI companies on the planet got breached not by a nation-state hacker, but by a misconfigured checkbox.
Let that sit for a moment.
The leaked materials described Mythos as “currently far ahead of any other AI model in cyber capabilities” and warned that it “presages an upcoming wave of models that can exploit vulnerabilities in ways that far outpace the efforts of defenders.” In other words, the same technology transforming how we work is simultaneously turbocharging how criminals attack us.
This is not the moment to panic. It is the moment to pause — and ask yourself an uncomfortable question: is there a ticking time bomb sitting inside your business right now? For a lot of small and family businesses, cyber is exactly that. And most owners don’t know it until it goes off.
Taleb Had a Word for This
Nassim Taleb’s Antifragile draws a line most people miss. Fragile things break under stress. Robust things survive it. But antifragile things actually get stronger from it. The goal isn’t just to weather the storm — it’s to be better after it than before.
Cybersecurity is a perfect test of that framework. A business that ignores it is fragile: one decent phishing email, one compromised password, and you’re handing a stranger access to your client list, your bank accounts, your contracts. And when that happens, the conversation quickly moves from “how do we fix this” to “who is liable for this.”
But here’s what often gets missed in that conversation: the fallout doesn’t have to be catastrophic to be costly. You don’t need a data breach headline or a six-figure ransom demand to feel real pain. A mid-sized phishing incident — one that gets caught before serious data walks out the door — can still consume days of your time, your attorney’s time, your IT vendor’s time, and your team’s attention. Notifications to clients. Forensic review to confirm what was and wasn’t accessed. Internal process overhaul. Insurance claim paperwork. That’s a week of your life and real money, even in the best-case scenario.
The time bomb doesn’t have to detonate fully to do damage. The shockwave alone is expensive.
A business that treats cyber hygiene as a checkbox is merely robust. But a business that builds security into its culture, trains its people, and reviews its practices regularly? That’s antifragile — and it’s in a far better legal and financial posture when something does go wrong.
The Phishing Problem Has Changed. Seriously.
Here’s what I want you to tell every person in your office: the era of “Nigerian prince” emails is over. AI has killed it.
For years, small business owners used bad grammar as their spam filter. If an email had typos and awkward phrasing, it was probably a scam. That heuristic no longer works. AI has made sophisticated, targeted phishing attacks more likely in 2026, with models capable of penetrating corporate and government systems with “wild sophistication and precision.”
What does this look like in practice? An email that reads exactly like it’s from your bank, your title company, your largest client — personalized, professional, urgent. It references a real deal you’re working on. It asks you to click one link. Modern AI can draft that email in seconds, customized for your industry, your company name, and your role. CrowdStrike’s 2026 Global Threat Report found an 89% increase in AI-assisted attacks year-over-year.
From a legal standpoint, this matters beyond the obvious. If a fraudulent wire transfer goes out because someone on your team clicked the wrong link, your bank may not be on the hook. Your insurance carrier may not be on the hook. You may be. The duty of care your business owes to its clients — and to itself — includes reasonable steps to prevent foreseeable harm. AI-assisted phishing is now very foreseeable.
This Is Not One-Size-Fits-All
Before you start pricing out enterprise security software, take a breath. Not every business needs the same defenses. A solo practitioner running a lean operation has different risks than a family business with fifteen employees and an outside bookkeeper accessing its systems remotely. Your job is to right-size the response.
Ask yourself three questions: Where does your sensitive data live? Who has access to it? What happens to your business — and your obligations to third parties — if that access gets compromised tomorrow?
For most small businesses, the answers are simpler than you think. The threat model isn’t usually a nation-state attack. It’s someone clicking the wrong link, reusing a password, or losing a laptop. The legal and operational exposure from those mundane failures, however, can be anything but small — especially when you factor in not just the breach itself, but the response: the hours spent, the professionals engaged, the clients notified, the processes rebuilt.
The Non-Negotiable Floor
There is a floor. These aren’t optional regardless of your size:
Multi-factor authentication (MFA) on everything. Your email, your bank portals, your practice management software, your cloud storage. Courts and regulators are increasingly treating MFA as a baseline reasonable precaution, not a best practice. If you don’t have it and something goes wrong, that gap will be noticed.
A password manager. One tool, properly used, solves most credential hygiene problems and demonstrates the kind of documented security practice that matters if you’re ever defending a claim.
Regular backups, tested and offline. Ransomware encrypts your files and demands payment. A clean, offline backup gives you options. Without it, you’re negotiating with criminals — or paying them. Either way, you’re losing time you don’t have.
Cyber liability insurance — and actually comply with it. Review your policy carefully. Many general business policies exclude cyber incidents entirely. More importantly, cyber policies specify minimum security requirements as conditions of coverage. Claims get denied not because the attack was excluded, but because the insured hadn’t implemented the basic controls the policy required. Read it like a contract — because it is one. And remember: even a covered claim means weeks of your time managing the response. Insurance reimburses money. It doesn’t give you back the hours.
Train your people. Once a year, sit everyone down and show them what a phishing email looks like today — not five years ago. Build a culture where flagging a suspicious link is rewarded. Document that you did it. In a coverage dispute or a negligence claim, that documentation is evidence of reasonable care. It also makes your team part of the defense rather than the vulnerability.
The Opportunity in the Chaos
Here’s what the Mythos story actually tells us: the same capabilities that make AI models dangerous in the wrong hands make them invaluable for finding and fixing flaws in important software. The technology cuts both ways.
For your business, that means AI tools are increasingly available to help you defend — better spam filters, smarter fraud detection, more capable security software within a small business budget. But none of that matters if you haven’t handled the basics. You cannot build something antifragile on a foundation that a single phishing email can crack.
More practically: you cannot afford the time bomb. Not because every incident is catastrophic — most aren’t — but because even the non-catastrophic ones cost you weeks of your life and real money. Prevention is almost always cheaper than response.
The Anthropic leak was a misconfigured checkbox. The most sophisticated AI company in the world, exposed by a toggle. Your own risks are probably simpler — and more fixable — than that.
So this week, pick one thing off the list above. Not all of them. One. Next week, pick another.
That’s how antifragile gets built. That’s also how you defuse the time bomb before it goes off — or at least make sure that when it does, the damage stays contained.
Mike Lang is a transactional lawyer who writes weekly for founders and family business owners navigating the deals that define their companies. Questions or topics you want covered? Reply to this email.

