Dec 17 2025
Security

How SMBs Can Build AI Security Muscle Memory, No Matter Their Resources

Creating a strong security culture with a foundation of governance and robust security practices is crucial for small businesses facing threats powered by artificial intelligence.

Artificial intelligence has created opportunities for small businesses to reduce friction through automation, but it’s also fundamentally changed the cybersecurity threat landscape. Businesses of all sizes are facing increased risk due to AI-powered social engineering attacks.

“Attackers are using generative AI to create personalized phishing emails that feel like they’re timed perfectly. The grammar is excellent. The tone feels like it’s coming from the person that the email claims to be coming from,” says Barracuda CIO Siroui Mushegian. “It feels incredibly authentic, and it’s becoming tricky for employees as well as people in their personal lives to differentiate.”

AI is also complicating cybersecurity for businesses through external threats such as deepfakes and internal threats such as shadow AI.

Deepfake technology trains AI on real audio or video of a person to create a realistic imitation that can be used to convince employees to buy gift cards or authorize wire transfers, for example.

Shadow AI occurs when employees are using unapproved AI tools. These tools haven’t been vetted and can leave a business vulnerable to exposing sensitive data.

While all businesses face these challenges, small to medium-sized businesses are particularly vulnerable because attackers know they have limited staff — meaning that patching may be inconsistent and there may be fewer detection tools in place.

However, it’s still possible for SMBs to protect themselves from AI-powered cyberattacks despite having fewer resources than medium and large enterprises. Here’s what small business IT leaders need to know.

How SMBs Can Mitigate Security Threats Despite Limited Resources

One of the best ways to bolster an SMB’s cybersecurity is by building security muscle memory and good habits. It’s about making safe behavior second nature.

“Make sure you have a culture of shared responsibility, where every single person in your organization, from your interns all the way up to the CEO and executive stakeholders, feels accountable for protecting your data and brand,” says Mushegian.

She says an organization’s staff can be its weakest link when it comes to security, but it’s possible to manage that vulnerability in a variety of ways.

“Regularly run tabletop exercises that simulate real-world incidents,” she says. “Include all key stakeholders, from executives to anyone who might play a role in the response. These drills clarify roles, responsibilities and decision-making so when a real incident hits, there’s no confusion about who does what.”

Mushegian also recommends conducting phishing drills so employees learn how to spot red flags before they cause a major issue for the business. She says businesses should take every opportunity they can to engage with employees on security by meeting them where they are, whether that’s sending reminders in emails, Slack messages or through another chat platform used by the company.

“Make it something that’s in the forefront of their minds,” she says, adding that frequent training for all employees using relatable, real-world examples is crucial for ensuring staffers buy into their role in a secure workplace. “Don’t make it so technical that they don’t look forward to it or pay attention. Having it be topical will help to draw them in.”

On the technical side, testing backup and recovery is something that’s often overlooked by IT teams of all sizes because it’s inconvenient. However, Mushegian says, being on top of where and how the business would restore data in the event of a breach can mean the difference between a minor disruption and a major crisis. She also emphasizes the importance of maintaining incident response playbooks and ensuring they are available and familiar to relevant staff.

“They don’t have to be heavy handed, super long or complicated,” she says. “They should be something that you pull out once in a while to read through and update as necessary.”

SMBs Should Fight AI With AI

When an SMB has little room in the budget for cybersecurity expenses, it’s important to prioritize security spending and resources. SMBs should start by ensuring they have a strong cybersecurity framework with a robust threat detection strategy. And they should fight AI with AI.

“You could start by using an AI assistant to help you figure out what you need to prioritize. Then use tools and services that embed AI to make sure their tools are superpowered,” says Mushegian. “Also, leverage third parties that provide XDR or MDR support. Those companies can help to augment your staff. They’re using AI tooling to help them quickly resolve incidents.”

It’s also essential to establish governance models so people know what is approved to use in the company’s environment and what’s off-limits, she explains.

“It should be very clear what happens if someone uses an unsanctioned AI application in your environment,” she says. “People should understand that AI is powered with data, and that your data being used in an unsanctioned AI application is putting the business at risk.”

Reviewing which AI tools staff are using and staying on top of regulatory requirements should be part of an SMB’s regular security practice.

“AI doesn’t just make the attacker smarter, it expands your digital footprint. Your attack surface is bigger, more complex and more available than it has ever been before,” says Mushegian. “Creating awareness and establishing governance is another layer that’s very important.”

Partnership Bolsters Small Businesses’ Cyber Defenses

Having a security operations center allows businesses to monitor all of the incidents occurring in their IT environments every day. Building a SOC requires hiring specialized, dedicated staff with SOC experience, as well as onboarding and configuring security tools that can be intensive to run from an expense and time standpoint, according to Mushegian. For that reason, it’s rare for businesses to have an internal SOC, especially if they are small with limited resources.

“Thankfully, there are third parties and vendors that offer this service. So, linking up with a third party that is a trusted vendor can help to augment your team,” she explains. “You can spend more time doing things that are important to you with your very small staff while augmenting with a third party to help build out strength through a mosaic of portfolio services. Recognizing that your business is challenged and then doing whatever you can to build that out is very important.”
