Why Small Businesses Can't Rely Solely on AI to Combat Threats

The growing complexity of cyber threats, paired with limited resources, makes it essential for companies to adopt a more comprehensive approach that combines human vigilance with AI's capabilities.

John Mutuski, CISO, Pipedrive

January 3, 2025


COMMENTARY

As cybersecurity threats continue to surge, it has become crucial for small businesses to adopt proactive strategies to ensure they are protected. While artificial intelligence (AI) is starting to provide value to security organizations, it also has enabled more sophisticated attacks, leaving too much room for hackers to slip through.

The very nature of our workplaces is intensifying the cybersecurity challenges small businesses face, with remote and hybrid work models still popular, despite the push for a return to office. This massive increase in remote work has created a broader attack surface that's difficult for businesses to manage when they already lack time and resources. Accenture's Cybercrime Study revealed that nearly 43% of cyberattacks are on small businesses, and 95% of them can be attributed to human error. These businesses agree, as 60% of small-business owners said in the US Chamber of Commerce's Q1 2024 Small Business Index that they are concerned about cybersecurity threats.

Employees now operate in a space where their activities are less regulated, making cybersecurity vigilance more crucial than ever. Companies must not only implement robust security measures but also empower their teams to recognize potential threats. One significant risk comes from the allure of public Wi-Fi networks — incredibly convenient but fraught with danger, especially as "work from home" can also be "work from anywhere." These networks can easily be mimicked by malicious actors eager to intercept sensitive data.

As workers navigate this new environment, a blend of proactive security measures and individual awareness becomes essential for safeguarding both personal and organizational information.

Here are two of the most common cybersecurity myths or misconceptions business owners will encounter, and how they can avoid falling into these traps:

  • Myth No. 1: Antivirus software is enough. Many small businesses rely on antivirus software alone to protect against cyber threats. This is not an effective long-term solution. Modern security threats, especially social engineering attacks, demand more robust defenses, such as multifactor authentication (MFA) and ongoing employee education.

  • Myth No. 2: Your business is immune to threats because of size or location. Small businesses should never assume they are immune due to their size or location. Fostering a culture of cybersecurity awareness among employees is vital, regardless of the size or capacity of your small business. When individual employees are armed with the right knowledge and they recognize that cybersecurity is a collective responsibility, simple actions like reporting suspicious activities and ensuring devices are securely managed can significantly mitigate the risk of breaches.

Strategies for Small Businesses

AI needs to be used as a supplement, not a replacement for human analysis and decision-making. Small businesses should identify and prioritize their most critical functions and software. AI can process vast amounts of data and improve efficiency, but it still requires human oversight. Small businesses, which often lack dedicated information security teams, need to adopt proactive strategies to protect themselves.

While small businesses may lack the resources needed for complex simulations, they can use checklists and resources provided by local or federal cybersecurity agencies to evaluate their preparedness and make sure they are covering all of their bases. Leveraging resources that are readily available can give small businesses the additional support they need at a time when threats have become unmanageable.

Maintaining Customer Trust

Small businesses often depend on third-party providers for critical services like payment processing, payroll, customer support, and more. Again, because their resources are limited, it's vital for them to verify that the providers they choose uphold stringent security standards, such as PCI certification, to protect both their operations and their customers. In that same vein, these businesses need to communicate clearly with customers about how their data is being protected by these third-party platforms. As much as people don't want to hear it, reading and understanding terms of service and data privacy policies is essential and will show customers your commitment to securing their data.

The workplace will continue to see growing use of AI, and small businesses that adopt these solutions need to ensure customer data is protected. According to Pipedrive's 2024 "State of AI in Business Report," knowledge and trust are the main blockers in AI adoption, with 48% citing a lack of knowledge as the main blocker to adoption, followed by lack of trust (40%). When there is already a lack of trust in AI solutions, it makes it even more important that small businesses prioritize gaining the trust of their customers when using AI to enhance their offerings.

AI offers valuable tools to enhance cybersecurity, but small businesses cannot afford to rely on it as a standalone solution. The growing complexity of cyber threats, paired with limited resources, makes it essential for companies to adopt a more comprehensive approach that combines human vigilance with AI's capabilities. Building a culture of cybersecurity awareness among employees, ensuring the use of advanced security measures like multifactor authentication, and fostering transparent communication with customers about data protection are all critical steps. As businesses navigate an increasingly digital landscape, their long-term success will depend on how well they can balance technological solutions with human insight and proactive planning.

About the Author

John Mutuski

CISO, Pipedrive

John Mutuski is chief information security officer (CISO) at Pipedrive, the easy and effective sales CRM for small businesses. Mutuski is responsible for developing and leading the information security program, managing technology risk, driving cybersecurity operations, and implementing and managing the cyber governance, risk, and compliance (GRC) process.

With over 20 years of experience spanning both agile startups and large global enterprises, he has consistently demonstrated a unique blend of strategic leadership and technical expertise. His career is marked by a deep commitment to continuous learning, always embracing the unfamiliar and turning challenges into opportunities for growth. His passion for building diverse, cross-functional teams has allowed him to foster innovation and resilience in the face of rapidly evolving security threats. As a collaborative leader, he actively seeks out new experiences and relationships, enabling him to stay at the forefront of cybersecurity trends and deliver impactful, long-term solutions.
