A flaw in video software used by Netflix, YouTube and TikTok that wasn’t caught in 5 million earlier security reviews. A 27-year old security hole in a supposedly bulletproof operating system.

Anthropic’s latest flagship model Mythos is so powerful it uncovered thousands of bugs across every major operating system and browser, more than software makers can keep up with.

Last week we entered a new phase of AI. Not because of a new model, but because a company decided one was too dangerous to release.

On April 7th, Anthropic announced a delay in the public release of Mythos and a partnership with Crowdstrike, Google, Cisco, and other tech leaders to fix bugs before hackers can exploit them.

The same day, Fed chair Jerome Powell and Treasury Secretary Scott Bessent chaired an urgent meeting with the CEOs of Goldman Sachs, Bank of America and other top banks to ensure they were taking precautions.

Cybersecurity experts have been blunt: this is a nightmare scenario waiting to happen.

An army of thieves

Imagine you’re a burglar. Breaking into a home is risky because you don’t know what to expect. Is someone home? Is there an alarm system? A dog? A gun? Is there anything worth stealing?

Home burglary is rare because most burglars don’t want to roll the dice.

Now imagine you can scan every home in a neighborhood and find the ones with no security, families on vacation, and mattresses stuffed with cash. And you can dispatch a team of robbers to break into them all at once, in a single afternoon.

In the wrong hands, Mythos is that burglar.

Easy pickings

It’s easy to imagine dire scenarios where hackers compromise banking, airline ticketing, or even military systems. But these organizations face regular cyberattacks and have dedicated security teams.

The more likely targets are smaller organizations. Ransomware attacks jumped 47% last year, and two-thirds hit businesses with fewer than 500 employees.

In 2021 hackers took Kronos offline, freezing payroll processing for 8 million employees. A 2024 incident at Change Healthcare knocked out claims processing at 90% of US pharmacies, costing hospitals more than a billion dollars a week and forcing cancer patients to wait for treatment.

A head start

Alex Stamos, who led security at Facebook and Yahoo, estimates we have six months before Mythos-level technology goes mainstream.

Anthropic is the first of many. OpenAI and Google are both expected to launch frontier models within the next month. xAI, Meta and Chinese labs aren’t far behind. Each will be tempted to jump the line and release to the public.

Even if the labs show restraint, the technology won’t stay locked up. Case in point: the same month Anthropic held back Mythos, it accidentally leaked source code for Claude Code.

Your work playbook

Within six months, we’ll know who took the right steps to safeguard their systems. The ones that didn’t will be exposed, and their leaders will have hard questions to answer.

Here’s where you can start:

CEOs are used to their security teams crying wolf. Now isn’t the time to hold back. Give them what they ask for, and make sure they have a solid plan.

IT leaders should read Anthropic’s red team report and share the key points with your CEO. Close the gaps in your own system and ensure your vendors are doing the same.

Small business owners can start with the FTC’s cybersecurity guide. It was released before Mythos, but has simple, practical tips on how to stay safe.

Your home playbook

Most of the Mythos risk is for companies, not individuals. But there are still steps you can take to get your house in order.

99.9% of the time online safety is hopelessly unsatisfying. You spend time and energy, and the best outcome is… nothing happens. You aren’t hit with a ransomware attack. Your identity isn’t stolen. Your PC isn’t corrupted with malware.

But the 0.1% can be awful. A friend of mine had his identity stolen last year. It took months to sort out, and he even had to get a lawyer.

The good news is that basic steps will go a long way. Freeze your credit. Use two-factor authentication. Don’t reuse passwords. The government’s secure our world website covers the most important ones.

We got started this weekend and have a lot of passwords to fix. 😬

Don’t sleep on this

Facing AI can feel helpless. No one really knows if it will take our jobs, cause a recession or derail our kids’ futures. Every week brings another round of news and speculation that adds to the anxiety.

But this week is different. You can take real action to protect your customers, your employees and your families.

And you should.

Share

Dad Joke: Why did Elsa freeze her credit? The cold never bothered her anyway. 🤣🥶