Cyber Readiness for Small Businesses: Gen AI Is Both Your Greatest Ally and Scariest Threat

By Craig Moss

In the ever-evolving digital landscape, a small business’s biggest edge—and its biggest threat—can be summed up in two letters: AI.

Artificial Intelligence, along with its more advanced cousin, Generative AI (Gen AI), is everywhere. It’s in our emails, our customer service chats, our marketing content, and increasingly, in our defenses against cybercrime. But it’s also becoming one of the most potent tools in the arsenal of cybercriminals. For small businesses, which often lack the extensive cybersecurity infrastructure of large enterprises, this Jekyll and Hyde trait makes Gen AI both a powerful friend and a formidable foe.

Just like the Internet democratized access to markets and streamlined operations for small businesses, AI is poised to level the playing field once again—offering automation, personalization, and productivity at unprecedented scale. But this innovation brings risks. The more reliant we become on digital tools, the more attractive we become to those who want to exploit them.

Cybercriminals are evolving rapidly, and Gen AI is accelerating that evolution. According to the World Economic Forum’s Global Cybersecurity Outlook 2025, nearly half (47%) of organizations cite AI-powered attacks as their top cybersecurity concern.

Gen AI as a Foe: Smarter, Faster, Scarier

Let’s start with the dark side.

Today’s hackers are no longer hoodie-wearing lone computer savants. With Gen AI, anyone with modest technical skills can launch highly effective attacks. Phishing, for example, has entered a new era. No longer are we dealing with generic scam emails riddled with spelling mistakes. AI can craft hyper-personalized phishing messages that mimic a coworker’s tone, language, and even humor—making them far more convincing and dangerous.

Smishing (SMS phishing) has also exploded. AI-generated fake texts from your “bank” or “shipping provider” now mimic the look and tone of real messages with unnerving accuracy. And these aren’t isolated one-offs—Gen AI allows these deceptions to be produced and deployed at scale.

Meanwhile, hackers are using AI to analyze newly released software patches and identify vulnerabilities faster than ever. As soon as an update is issued, cybercriminals race to exploit the vulnerability it fixes before companies apply the patch. This puts pressure on small businesses to be faster and more disciplined in updating their systems.

And then there are fake websites—slick, AI-generated doppelgangers of trusted brands, designed to steal your data or trick you into downloading malware. Combined with AI-written malicious code, these threats are increasingly difficult to detect.

But perhaps most troubling is how Gen AI itself can be hijacked. Cybercriminals are attempting to plant malicious content in the public data sets that power Large Language Models (LLMs). If successful, they can trick unsuspecting users into clicking on bad links surfaced in seemingly innocent Gen AI search results.

In short, Gen AI has armed cybercriminals with smarter tools and faster methods. And small businesses are in the crosshairs.

Gen AI as a Friend: A Smarter, Scalable Defense

But there’s good news. Gen AI is also revolutionizing the way we defend against these threats.

Behind the scenes, large tech companies are using AI to analyze vast amounts of network data and detect anomalies that might indicate a cyberattack. AI-powered security systems can automatically block malicious traffic, isolate compromised devices, and send instant alerts to affected users—dramatically shortening response times and minimizing damage.

That same power is being made available to small businesses—often without them even realizing it. Microsoft, Google, Apple, and Amazon Web Services (AWS) all offer built-in, AI-driven security features as part of their cloud services. These tools include automated software update checks, phishing detection, suspicious login alerts, and more. Small businesses should review their cloud service subscriptions and activate every available AI security feature.

In addition to defense, Gen AI can be a powerful tool for cybersecurity awareness and education. Gen AI can help generate clear, engaging communication in seconds to remind your team about using stronger passwords or enabling multi-factor authentication (MFA). A simple prompt like “Write a memo to employees about the importance of updating software” can produce a polished, ready-to-send message.

Small business leaders can use Gen AI to create a consistent drumbeat of cybersecurity awareness—especially around what experts call the “Core Four” of cyber readiness:

  • Strong Passwords + MFA
  • Routine Software Updates
  • Phishing Awareness
  • Secure File Storage & Sharing

This kind of regular, bite-sized communication helps build a culture of cyber readiness—a critical line of defense in a world where technology alone isn’t enough.

The AI Agent Dilemma

There’s another twist in this story: AI Agents. These are intelligent bots that can perform complex tasks with minimal oversight—monitoring networks, issuing warnings, even enforcing policy updates. On the surface, AI agents offer a powerful way to scale cybersecurity efforts without hiring a full-time IT team.

But there’s a catch. If hijacked, these same agents can be turned against you. A compromised AI agent could lock down your systems, delete critical files, or even reroute sensitive data to bad actors. As such, businesses must approach AI agent deployment carefully—asking tough questions about vendor security practices and staying vigilant about system access.

Here’s the paradox: While two-thirds of organizations expect AI to have the most significant impact on cybersecurity in the year ahead, only 37% have systems in place to assess the security of the AI tools they’re using, according to the World Economic Forum report. That gap represents an enormous vulnerability.

For small businesses, the challenge is even greater. Most don’t have the luxury of dedicated IT teams or Chief Information Security Officers. But that doesn’t mean they’re powerless.

What Small Businesses Should Do Now

Here’s a simple, actionable roadmap:

  • Audit your existing cloud services: Make sure AI-powered security features are turned on. This includes threat detection, phishing protection, and update monitoring.
  • Get serious about updates: Establish a regular cadence for software updates. Consider using an AI tool to help track devices and compliance.
  • Create a Cyber Awareness Calendar: Use Gen AI to generate monthly messages focused on the Core Four. These nudges build good cyber habits and create a culture of cyber readiness.
  • Train employees regularly: Simulated phishing attacks and cybersecurity quizzes can be generated with Gen AI tools.
  • Vet AI tools before use: Just because a tool is free or popular doesn’t mean it’s secure. Ask vendors about their security protocols—and don’t be afraid to switch providers if they’re vague or evasive.

Final Thoughts: A Double-Edged Sword

The bottom line? AI is here to stay. And like every powerful technology before it—electricity, the Internet, smartphones—it’s a double-edged sword.

For small businesses, the choice is clear: adapt or fall behind. That means embracing AI for what it offers while staying vigilant about what it threatens. Cybercriminals are already using Gen AI. The only way to stay ahead is to use it, too—but wisely.

Because in this new era, your best defense may be the same tool your enemies are using.

Craig Moss is Director of Content & Certification for the Cyber Readiness Institute. Craig has extensive experience working with global value chain companies to better manage risks and improve compliance.