Two things are true at the same time
The first thing: AI is making it easier and cheaper to attack businesses. Phishing emails that used to be easy to spot because of clumsy grammar and odd phrasing are now polished, personalized, and convincing in a way they simply were not two years ago. Voice cloning is real, accessible, and being used in fraud. The volume of attacks is up. The quality of attacks is up. The cost to run them is down.
The second thing: AI is also making it easier and cheaper to defend businesses. Security tools that used to require a dedicated team to run are getting smarter and more accessible. Threat detection that took days of manual analysis can happen in minutes. The same technology raising the threat level is also raising the floor on what good defense looks like.
Both things are true, and understanding both is more useful than focusing only on the scary one. Let me walk through what is actually changing, starting with the threat side, because that is what affects your decisions most immediately.
What AI is doing to the attack side
Phishing has gotten significantly better
The old advice: look for spelling errors, strange phrasing, generic greetings, still has some value, but far less than it used to. AI-generated phishing emails can now be perfectly grammatical, contextually appropriate, personalized with details scraped from LinkedIn and your company website, and written in a tone that matches your organization’s culture. Some of what I am seeing in the field is indistinguishable from a message a real colleague might send.
What this means practically: you cannot rely on your team’s ability to spot a bad email the way you could a few years ago. The burden has shifted from “this email looks suspicious” to “let me verify this request through a separate channel before I act on it.” Process matters more than perception now.
Voice fraud is real and it works
This one is worth taking seriously. AI voice cloning tools can produce a convincing imitation of someone’s voice from a few seconds of audio: audio that is often publicly available on a company website, a podcast, or a LinkedIn video. There have been documented cases of employees wiring money because they received a call that sounded like their CFO. This is not a theoretical risk anymore.
The defense here is the same as for sophisticated phishing: verify through a second channel. If someone calls and asks you to do something financial or sensitive, hang up and call them back on a number you already have. One extra step. Saves a lot of grief.
Social engineering at scale
Attackers have always used social engineering, manipulation rather than technical exploits, to get what they want. AI removes the bottleneck of scale. A human attacker can run one or two targeted campaigns at a time. An AI-assisted attacker can run hundreds simultaneously, each one customized to the target. Small businesses, which have historically been less targeted simply because they were not worth the manual effort, are now much more attractive.
What AI is doing to the defense side
Security awareness training is getting more relevant
Traditional security awareness training, a once-a-year video that everyone clicks through to get the completion certificate, was never particularly effective. AI is enabling training that is more targeted, more frequent, and more realistic. Simulated phishing campaigns that adapt based on what each employee falls for. Training that is specific to a person’s role rather than generic. Shorter, more relevant content that people actually retain.
If you are running annual click-through training and calling it done, the risk landscape has moved past that. Monthly touchpoints, realistic simulations, and role-specific content are table stakes now for any business handling customer data.
Threat detection is faster
The security tools available to mid-sized businesses today would have required an enterprise security team to operate five years ago. AI-assisted endpoint detection, email filtering that learns from your specific environment, and anomaly detection that flags unusual behavior before a breach becomes a crisis are increasingly available at price points that make sense for organizations well below the Fortune 500.
I am not going to name specific products here because this space moves fast and anything I recommend today may have a better alternative by the time you read it. What I will say is that if your email security is still just whatever came with your Microsoft or Google license and you have not evaluated it lately, that is worth a conversation with someone who knows the current landscape.
Incident response is getting more organized
AI is also useful when something goes wrong. Summarizing logs, helping draft stakeholder communications, building incident timelines, identifying what data was potentially exposed: these are tasks that used to take days of manual work and can now be significantly accelerated. The work still requires human judgment at every step. The mechanical parts move faster.
The three things that matter most for a business your size
Security is a field that can consume unlimited time and money if you let it. The goal for most small and mid-sized businesses is not to build a security program that rivals a bank. It is to be meaningfully harder to attack than the business next door, and to recover quickly when something does happen. These three things move that needle more than anything else right now.
1. Verify before you act on any unusual request
Wire transfers, credential resets, changes to payment information, access to sensitive data: if any of these arrive by email or phone and they feel even slightly off, verify through a separate channel before acting. Not a reply to the email. Not a callback to the number provided in the message. A call to a number you already have, or a direct message to the person through a channel you already use. This single habit defeats a significant percentage of AI-assisted attacks targeting businesses today.
2. Get multi-factor authentication everywhere it can go
If you only do one technical thing after reading this post, make it this. Multi-factor authentication, requiring a second form of verification beyond just a password, stops the majority of credential-based attacks cold. It is not perfect. It is also not complicated or expensive. Every major email platform, cloud storage service, and business application supports it. If yours are not using it, that is a gap worth closing this week, not eventually.
3. Have a clear, written plan for when something goes wrong
Most small businesses do not have an incident response plan. Most of the time nothing happens, and the absence of a plan does not feel costly. When something does happen: a compromised account, a phishing victim, a ransomware attempt, the absence of a plan is felt immediately. Who do you call first? Who needs to be notified? What do you stop doing while you figure out what happened? What do you tell customers if their data was involved?
A one-page plan that answers those four questions is infinitely better than no plan. You do not need a 50-page incident response playbook. You need the four phone numbers and the four decisions documented somewhere everyone can find them when the moment comes: which, if it ever does, will not be a calm Tuesday afternoon.
A word about AI tools and your own sensitive data
I have mentioned this in earlier posts and it belongs here too: as your team starts using AI tools more, data hygiene becomes more important, not less. AI tools are powerful in part because you can give them a lot of context. The risk is that “a lot of context” sometimes includes things that should not leave your organization: customer data, employee records, contracts, anything under NDA.
The practical fix is straightforward. Establish clear rules about which AI tools are approved for business use, what data is allowed into each one, and what is off-limits entirely.
The honest bottom line
AI is not making cybersecurity simpler. It is raising the stakes on both sides. The businesses that stay safe are not going to be the ones who panicked and banned everything, or the ones who ignored it and assumed nothing would happen to them. They are going to be the ones who paid attention, made a few smart decisions about process and tools, and built a culture where people know what to do when something feels wrong.
That is achievable for a business of any size. It does not require a dedicated security team. It requires a handful of good habits and a willingness to keep updating them as the landscape keeps moving.
The goal is not to be unhackable. No one is. The goal is to make the attack more expensive than the reward, and to recover cleanly when something still gets through.
What is coming next
February’s post is the prompt engineering piece I have been promising since November. No more delays, it is written and ready. If you have ever felt like AI is giving you mediocre answers and you are not sure why, that post is for you. The difference between a good prompt and a poor one is smaller than most people think, and a few specific habits cover almost all of it.
This is post five of a two-year series on AI for real people doing real work. Post one covers what AI actually is. Post two is a look at how I use these tools in my day-to-day work. Post three covers the five tools worth trying for free. Post four is about getting email working for you instead of against you. Security questions, or something specific about your situation you want me to look at? Send a note.
