The Real Impact of AI on Cyber Security

I was recently at a cyber security talk by Scott Simpson from the Security Circle, which landed hard for me, and I think it will for you too. It confirmed something I’ve been feeling for a while. The threat landscape has changed so fast that most small businesses simply don’t realise how exposed they are. Not because they’re doing anything wrong, but because AI has shifted the rules of the game.

And unlike the headlines, this isn’t just about big enterprises. It’s already affecting everyday businesses, freelancers, agencies, clinics, gyms, trades, coaches, consultants – basically anyone who stores client data, uses cloud tools, or has a team working online.

What really hit me was how AI has changed the speed, scale, and sophistication of attacks. Criminals don’t need coding skills now. They can use tools like Claude to generate malware, scripts, and full attack sequences. One example shared was a complete beginner who breached seventeen companies using AI-generated code. That’s the world we’re in now.

But the part that small businesses absolutely need to understand is this. Your systems are only as secure as the people you work with. Your contractors, your marketing tools, your booking software, your CRM, your invoicing platform, your email provider, even your AI tools. One weak link in your supply chain can be enough to expose everything.

And with AI accelerating attacks, most antivirus tools can’t keep up. Criminals are generating new malware faster than traditional systems can update their databases. That means small businesses can’t afford to treat cyber security as something that only big companies have to worry about.

There were three takeaways that matter for every business.

  1. Train your team regularly. Not once a year. Every two months. Most breaches happen because someone clicked something.
  2. Lock down your supply chain. Make sure every tool you use has its security in order. You’d be shocked how many breaches come through a supplier.
  3. Never assume your business is too small to be a target. Criminals don’t care about your revenue. They care about access.

The second half of the talk, on AI governance, was honestly the scariest part. And this is where small businesses are most at risk without even realising it.

AI governance sounds like a big-enterprise phrase, but it affects everyone. If you’re using AI tools, storing client data, or building digital products, you already have responsibilities under different countries’ regulations. Even if you only work in the UK.

Just one example. Someone in a company used an AI transcription tool during a meeting. It automatically sent the transcript to every person in her contacts list. That created an instant data breach and litigation risk. These tools don’t always behave how you think they behave.

Another example. A business uploaded confidential documents into an LLM for translation without realising they hadn’t opted out of data training. They effectively leaked their own sensitive information.

There are also entire AI products being built that can never legally be sold in Europe because the creators didn’t check the regulations early enough. Five years of development wiped out overnight.

The point is simple. If you’re going to use AI in your business, you must have rules around it. Not to slow things down, but to stay safe, compliant, and sellable.

Things you need to consider:

  • What tools your team is using behind the scenes
  • What your acceptable use policy says about AI
  • How your tools store and process data
  • Whether any of your tools use AI without you knowing
  • Whether the tools you white label or resell are compliant across different territories

And this is why supply chain matters so much. If one of your tools handles client data in a non-compliant way, the liability sits with you.

For small businesses, the goal isn’t to become experts. It’s to make smart choices and put simple guardrails in place.

AI is incredible. It’s not something to fear. But it does need structure. If we put the basics in place now, we can use it to grow without exposing ourselves to risks we didn’t sign up for.

If you want help putting together a simple AI governance checklist for small businesses, let me know. I’m building one off the back of this talk to make it easy for business owners to stay safe, stay compliant, and still move fast with AI.