How AI is changing the security landscape for small businesses

The security threat landscape is rapidly evolving, and the emergence of AI-powered cyber attacks means that businesses of all sizes risk more frequent and sophisticated breaches than ever before.

For small and medium enterprises (SMEs), this new era of cyber crime is particularly concerning. Despite the growing risk of cyber attacks, 43% of SMEs have no cyber security defence in place. SME decision makers must now make smarter investment choices to protect themselves amidst this new AI-powered threat landscape.

Security risks facing SMEs

A recent report shows that small businesses are three times more likely to be targeted by cyber criminals than larger companies, with threats including phishing, ransomware and malware attacks, social engineering, data theft, and insider threats. To make matters worse, SMEs may arguably have the most to lose if they are exposed to an attack. Reports show that 60% of SMEs go out of business within six months of a data breach.

As cyber criminals begin using advanced technologies such as AI, these threats will likely become more complex and harder to combat. One particularly alarming example of AI-powered cyber crime is enhanced social engineering, whereby cyber criminals use psychological manipulation, typically via email or message, to acquire sensitive data for malicious purposes. Whilst social engineering is by no means a new phenomenon, cyber criminals are now using AI to create more convincing messages and send them out at a significantly larger scale than ever before.

A recent Darktrace report found a 135% increase in social engineering attacks from January to February 2023. Smaller businesses have borne the brunt of these attacks, as companies with fewer than 100 employees experienced 350% more social engineering attacks than larger enterprises.

As a result of this advanced threat landscape, small businesses must look at upgrading their security accordingly. Unless investment in cyber security is prioritised and advanced technologies such as AI are deployed, such attacks are far more likely to succeed, with potentially catastrophic results.

Putting security first in your tech stack

There is no silver bullet to protect small organisations fully from cyber threats. Security strategies should be layered and composed of various complementary defence mechanisms, including people and technology, and built into the architecture of SMEs.

AI will be an accelerator for the threat landscape, but there is no reason why AI can’t be a catalyst for the ‘defending’ side too. Fight AI with AI! Modern security principles of having a data-centric and risk-based approach remain relevant, now more than ever, but AI-based security solutions will accelerate the deployment and application of such principles.

As cyber criminals continue to bolster their attacks with AI, small businesses must react and build AI-powered security solutions into their tech stacks to ensure adequate protection. This technology should be incorporated on top of existing ‘Zero Trust’ security frameworks. Zero Trust assumes that nothing in the network can be trusted and helps mitigate risks of unauthorised access to confidential company information through least-privilege access at each stage of digital interaction. AI can bolster this strategy through procedures such as automatic classification, behavioural analytics, and threat intelligence integration. This ensures that only authorised personnel can access sensitive company data in an automated and precise manner.

Cyber security awareness for employees

Cyber security is not just about implementing technological solutions. It must be regarded as a mindset that is interwoven into the very culture of every small business. The onus falls on small businesses to create a security-first culture, which employees then have a responsibility to uphold.

With rapid and unforeseen AI progression, employees must be continually educated to recognise evolving threats. Gartner predicts that by 2025, AI-enabled fraud will alter businesses’ attack surface, driving greater focus on security education and awareness alongside outsourcing enterprise trust. Like larger enterprises, companies must ensure employees are aware of AI-related risks.

Up to 95% of cyber security issues can be traced to human risk factors. Thus, an educated and alert workforce provides a strong line of defence against cyber threats. While AI is increasing the sophistication of cyber attacks, it can also help companies build advanced training methods that ensure employees remain capable of detecting scams and new types of risks. For example, AI can act as a ‘copilot’ for junior security staff who may lack cyber security ‘combat experience’, by pointing them in the right direction as to where threats occur. People and technology go hand-in-hand in building security strategies into the fabric of SMEs. It’s an uphill battle for the cyber security industry: not only are there a large number of unfilled job openings, but the workforce is also outpaced by the current volume of attacks from an increasing number of threat actors. By investing in AI-powered solutions, organisations are helping their security workforce scale with the evolving threat landscape.

Balancing security costs with the risk of attacks

Smaller budgets often put pressure on investment choices, tightening spend in areas that do not visibly accelerate business growth or output. However, with the average global cost of a single breach at around $3.62 million, prioritising security investment is critical. A strong security strategy is essential to support the longevity of business development and reduce the potential for costly breaches. A 2022 Forrester report found that 90% of firms said improving their ransomware attack response capabilities is a top priority, with 51% noting that they lost customer trust after such an attack.

While CISOs and security teams are still testing the full implications and capabilities of AI in the security stack, many B2B tech companies are incorporating AI into their products. As SMEs explore the options available to them, they should consider how they can best utilise the new capabilities from their current vendors for both productivity and budget gains.

The future of small business security

AI is a double-edged sword – it will be a game-changer for businesses and cyber criminals. Sixty-seven percent of IT leaders are prioritising it for their business, recognising the benefits it brings in better serving customers, harnessing data, and optimising operations. Such developments also provide a new landscape and tools for cyber criminals to exploit.

Already primary targets of cyber crime, SMEs will face increased pressure from increasingly complex, AI-enabled attacks. Some SMEs may take the short-term view that investing in their business security is costly, especially in the current economic climate. But having a sophisticated security strategy in place is critical to prevent catastrophic breaches, and ultimately to move small businesses forward for the long run.


With the novelty of AI in the threat landscape, employees must receive continual education to ensure they remain capable of threat detection. Businesses must have both strong technological security and comprehensive employee training to ensure risks are spotted and prevented.