Small Business Cyber Basics

What a small business AI and security review should cover

A practical guide to the first areas a small business should check when AI tools, staff accounts, email security and suppliers all overlap.

29 Jun 20263 min readJames Mackie

Small businesses are adopting AI tools at the same time as they are trying to keep accounts, suppliers, email and backups under control. Those two problems belong together.

AI risk is rarely separate from security risk. The same business data that needs protecting in email, cloud storage and finance systems is the data staff may paste into chatbots, automation tools and new SaaS products.

A useful review should not start with fear. It should start with visibility.

The first question is what already exists

Most teams already have more technology in use than they think. Staff may be using ChatGPT, Copilot, browser extensions, meeting note tools, design assistants, CRM automations or spreadsheet helpers. Suppliers may also be using AI inside their own workflows.

The review should identify:

  • Which AI tools are already being used
  • Which staff accounts have access to important systems
  • Which suppliers can access business data
  • Which accounts have MFA enabled
  • Which data should never be pasted into unapproved tools
  • What could be recovered if email, files or devices were compromised

This does not need to be a heavy audit. It does need to be honest.

AI usage and account access are connected

If staff use AI tools to handle customer messages, documents, meeting notes or internal spreadsheets, the business needs a simple rule set. It also needs to know whether those tools are attached to personal accounts, shared logins, browser plugins or unmanaged company subscriptions.

That is why AI readiness should sit beside the basics in the first five cyber checks for a small business. MFA, admin access, email security, backups and supplier access still matter. AI just makes the gaps easier to expose.

Email and domain security still carry the business

For most small businesses, email remains the control point. It resets passwords, holds customer conversations, receives invoices and connects to almost every other system.

A practical review should check whether MFA is enforced, whether old accounts still exist, and whether SPF, DKIM and DMARC are in place for the domain. These checks are not glamorous, but they reduce the likelihood of account takeover and impersonation.

Backups need a recovery answer

The backup question is not "do we have backups?" It is "what would we restore, who would restore it, and how long would it take?"

That answer matters more as businesses add AI and automation. If a tool deletes, changes, syncs or corrupts data, the business needs a path back. Cloud storage and SaaS platforms can be resilient, but they do not remove the need for a recovery plan.

Supplier access needs names, not assumptions

Suppliers often hold more access than the business remembers. Web agencies, accountants, IT support, marketing tools, payment processors, CRM consultants and old contractors can all remain connected long after the original job is finished.

A review should turn that into a named list: supplier, access level, business owner, reason, and next review date. That list is often one of the fastest ways to reduce risk.

What the final output should look like

A useful review should produce plain-English findings, not just technical notes. The business should come away knowing:

  1. What is already in decent shape
  2. What is exposed or unclear
  3. What should be fixed first
  4. Who should own each fix
  5. Which items can wait

That is the difference between a review and a report that sits unread.

Related field notes

Back to Insights