You wouldn’t drive a car without insurance, would you? Then why run a company without giving security the utmost thought? In this episode of Trust Issues, Brandon Lecoq and Bruno Lecoq, CEO/CISO at BEMO, confront the uncomfortable truth about cybersecurity in SMBs: size doesn't determine risk, security hygiene does. Drawing on real-world attacks from BEMO's 478-client base, Bruno shares critical Microsoft security data, insider threat case studies, and the deceptively simple attack methods that catch most organizations off guard. The conversation leaves the noise behind, focusing on what actually stops attackers and why so many SMBs remain dangerously unprepared.
What You’ll Learn:
- Why the "we're too small to be targeted" myth costs you everything
- How to recognize when employees unknowingly hand attackers the keys
- The three-move attack sequence that works on most SMBs
- How to interpret phishing simulation results as a leading indicator
- The ROI calculation that justifies investing in Microsoft 365 E5
- Why "we've never been attacked" is a dangerous approach to security
Episode Chapters:
00:47 The "Too Small to Target" Myth
01:36 Why Org Size Doesn't Determine Risk
03:09 The MFA Social Engineering Attack
07:28 Why Microsoft 365 E5 Matters
11:30 Phishing Remains the #1 Attack Vector
16:13 42% Click-Through Rate on the First Phishing Test
18:52 How MFA and Anti-Phishing Stop 99% of Automated Attacks
21:40 Key Takeaways & Closing Thoughts
Quotes:
"I just came back from a Microsoft conference, and they told us 48% of admin accounts on Office 365 don't have MFA. If you take that number, it's about 2,500,000 company accounts with no MFA. I can be by the beach in Rio and give you a nice run somewhere and you will pay me a thousand bucks to give you the key, I just need to do 10 a day, and I have a very nice retirement."
"Across our 478 customer base, the attack volume has no correlation with company size. The only correlation is security hygiene; what matters is your Secure Score."
"The number one attack we see is phishing links, finding a way for you to click. If you click, it's game over, especially if you don't have MFA. Even if they click, it's about how fast the hacker can come in and what they can access with those credentials."
"One amazing stat from a conference I attended was that 42% of global admins don't have MFA. For me, this was a shocking number. There are 5,700,000 small businesses in the US, and roughly 2,500,000 company accounts may have a global admin with no MFA. That's a nice target, and of course, hackers are happy about it."
"For all the companies we deploy awareness training to, our average is 42% of people clicking on the first phishing test. It's basically half your company clicking - done. That's why we tell all companies the goal should be below 3%, and if you have three clicks, you're in trouble with HR because we cannot take that risk."
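The admin-without-MFA figure quoted above is a statistic about tenants in general; the first thing a practitioner will want is the same number for their own tenant. The script below is an added example written for this page, not code from the episode or from BEMO. It uses the Microsoft Graph PowerShell SDK to list every active Global Administrator assignment and flag accounts with no MFA-capable authentication method registered. The role template id used is the documented Global Administrator template id; the list of "strong" method types is my own selection (password and email methods are deliberately excluded because they do not satisfy an MFA prompt).

```powershell
# Added example (not from the episode or from BEMO): enumerate active Global
# Administrator assignments in a Microsoft Entra tenant and flag accounts with
# no registered strong authentication method. Requires the Microsoft.Graph
# PowerShell SDK and an account granted the read scopes below.
Connect-MgGraph -Scopes "RoleManagement.Read.Directory","UserAuthenticationMethod.Read.All","User.Read.All"

# Method types treated here as MFA-capable (assumption: this list is mine).
# passwordAuthenticationMethod and emailAuthenticationMethod (SSPR only) are
# intentionally left out because neither satisfies an MFA challenge.
$strongMethods = @(
    '#microsoft.graph.microsoftAuthenticatorAuthenticationMethod',
    '#microsoft.graph.fido2AuthenticationMethod',
    '#microsoft.graph.phoneAuthenticationMethod',
    '#microsoft.graph.softwareOathAuthenticationMethod',
    '#microsoft.graph.windowsHelloForBusinessAuthenticationMethod',
    '#microsoft.graph.temporaryAccessPassAuthenticationMethod'
)

# Resolve the role by its well-known template id rather than by display name,
# which can be localised. Get-MgDirectoryRole only returns roles that have been
# activated in the tenant, so an empty result means nobody holds the role.
$globalAdminTemplateId = '62e90394-69f5-4237-9190-012177145e10'
$role = Get-MgDirectoryRole | Where-Object { $_.RoleTemplateId -eq $globalAdminTemplateId }
if (-not $role) { throw "Global Administrator role is not activated in this tenant." }

$report = foreach ($member in Get-MgDirectoryRoleMember -DirectoryRoleId $role.Id -All) {
    # Role members can be users, groups or service principals; only users
    # carry registered authentication methods, so skip everything else.
    if ($member.AdditionalProperties['@odata.type'] -ne '#microsoft.graph.user') { continue }

    $registered = @(Get-MgUserAuthenticationMethod -UserId $member.Id |
        ForEach-Object { $_.AdditionalProperties['@odata.type'] })
    $strong = @($registered | Where-Object { $strongMethods -contains $_ })

    [pscustomobject]@{
        UserPrincipalName = $member.AdditionalProperties['userPrincipalName']
        StrongMethods     = ($strong -join ',')
        HasMfaMethod      = ($strong.Count -gt 0)
    }
}

# Rows with HasMfaMethod = False are the "global admin with no MFA" population
# the conference figure in the quote refers to.
$report | Sort-Object HasMfaMethod | Format-Table -AutoSize
$report | Where-Object { -not $_.HasMfaMethod } |
    Export-Csv -NoTypeInformation -Path .\global-admins-without-mfa.csv
```

Two caveats a practitioner should keep in mind when reading the output. First, a registered method is not an enforced one: an admin can have Authenticator registered and still sign in with password only if no Conditional Access policy or security defaults require MFA, so pair this report with a review of those policies. Second, Get-MgDirectoryRoleMember lists active assignments only; eligible Privileged Identity Management assignments that have not been activated will not appear and need to be checked separately.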
Connect with the team: