How Has AI Impacted SME Cyber Security?


How are cyber security risks evolving due to AI?

Small and medium‑sized enterprises (SMEs) are living through a profound inflection point. Cloud platforms, automation, and AI‑powered productivity tools have unlocked speed and agility once reserved for large enterprises.

However, they’ve also expanded the attack surface and introduced entirely new classes of risk. Attackers now wield artificial intelligence (AI) to scale reconnaissance, personalise social engineering, and mimic genuine user behaviour at a pace that traditional defences cannot match, posing significant security risks.

Discover why legacy models struggle in an AI‑enabled threat environment and set out a clear, actionable roadmap for your SME. The aim is simple: help business leaders understand the shift, then make practical, proportionate moves that materially improve resilience without derailing day‑to‑day operations.

This content is inspired by the conversation on our recent webinar “Why Your SME Needs Robust Security to Stop Modern AI-Powered Threats”, where the full conversation on secure AI practices is available to watch.

The SME cyber security paradox

Digital transformation has made SMEs more competitive and more connected, but also more exposed. Phishing continues to expand, both in volume and sophistication, as attackers leverage cloud scale and generative tools to produce highly convincing lures that blend into normal business traffic. Industry analysis shows substantial year‑on‑year growth in phishing transactions, reflecting the expanding reach and maturity of social engineering in the AI era.

At the same time, the human element remains central to most incidents, underscoring the importance of staff training and awareness in mitigating risk. Widely referenced breach investigations report that most breaches include a human component – from credential misuse to social engineering and error – underlining why awareness and process discipline still matter in an age of automation.

For SMEs, the result is that the very technologies that accelerate growth also increase dependency on people and process. Without targeted investment in identity, behaviour, and governance tools, risk compounds quietly until an incident occurs.

People, process and technology evolved due to AI risks

Security fundamentals haven’t changed, although each area now faces significantly greater pressure from emerging security threats. This is especially clear when you look at how people, processes and technology are being affected.

People

Generative AI can replicate tone, style, and context, eroding familiar “tells” users once relied on to spot scams. When attackers can mirror internal language and pull in real world context, intuition alone is no longer sufficient defence.

Process

Legacy workflows assume attacks unfold over hours or days. AI‑assisted campaigns compress time. Decisions that once felt methodical now demand real time judgement, escalation paths, and containment.

Technology

Mixed estates – a blend of modern cloud and older on‑premise systems – create inconsistent control coverage. AI‑enabled scanning quickly finds the seams, from unpatched services and over‑privileged accounts to forgotten automation.

While yesterday’s safeguards still have value, they need reinforcement from identity controls and behaviour detection capable of operating at machine speed.


Why legacy models no longer hold

Risk assessment has changed

Hybrid work, SaaS, and API‑led ecosystems have blurred “inside” and “outside,” complicating the management of security threats. Security built around static boundaries falters when your users, devices, and data move freely across networks you don’t own.

Attackers don’t need to break in: they log in

Credential theft and phishing remain among the most reported cybercrimes globally, showing how frequently attackers gain access with legitimate logins rather than bespoke exploits, highlighting the need for robust risk assessment.

Manual response can’t match machine‑speed attacks

Risk leaders identify AI-enhanced malicious activity as a leading emerging threat, fuelled by the accessibility and quality of AI-assisted tools and the new risks associated with their misuse. This makes it harder for defenders to detect, triage, and respond before damage occurs.

SMEs need to reduce reliance on manual review and single layer controls. Prioritise technologies and playbooks that detect identity misuse and abnormal behaviour early, so that containment can occur automatically.

Artificial intelligence as a force multiplier for both sides

On offence

Threat actors automate reconnaissance, draft persuasive emails at scale, produce deepfake audio and video, and iterate payloads to evade basic filtering. Industry analysts point to rising AI‑powered incidents and the growing visibility of deepfake‑based tactics.

On defence

AI can baseline normal behaviour, surface anomalies quickly, cut false positives, and help smaller teams focus on the right signals in their AI risk management efforts, addressing security risks associated with AI. The advantage only materialises when data is well governed and identity is consistently enforced.

AI is neither inherently good nor bad for security; its impact depends on whether your organisation can instrument identity, data, and telemetry well enough for defensive AI to make accurate decisions.

How bad actors are leveraging AI systems

To understand how swiftly the ground has shifted, consider a widely reported 2023 case involving AI applications. A businessman in northern China joined what looked like a routine video call and authorised a transfer of roughly $622,000. He later learnt that the person he “met” had never spoken to him.

Criminals had used real time AI face‑swapping to impersonate a trusted contact. So convincing was the fake that the usual cues – expressions, lip movements, mannerisms – were indistinguishable from the real thing. This incident highlights several important lessons for SMEs that are becoming increasingly relevant across the wider threat landscape.

Deepfake tools are no longer niche: attackers can deploy accessible AI models that manipulate live video in real time, creating new vulnerabilities. The barrier to entry has fallen, and the quality is high enough to pass as genuine in fast moving situations.

Human intuition is fallible at speed: many people overestimate their ability to spot synthetic media, especially under time pressure or authority cues. This is precisely the psychological angle modern attackers exploit.

This is part of a broader pattern: other reports highlight AI‑assisted impersonation of executives and officials designed to trigger high‑value actions, reinforcing that the threat is global and evolving.

To counteract attacks such as this, SMEs should build “out‑of‑band” verification into financial approvals and sensitive requests. If a transaction is initiated on a call or chat, require confirmation via a second channel that the initiator cannot control. For example, an approved finance system workflow with strong authentication and multiple approvers can enhance security risk assessment.
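The approval rule described above can be expressed as a small policy check. This is an added example, not code from the original article; the channel names, the threshold and the `evaluate` function are assumptions made for illustration.

```python
from dataclasses import dataclass, field

# Assumed policy values for illustration.
CONFIRM_CHANNELS = {"finance_portal"}   # channels a caller cannot control
DUAL_APPROVAL_FROM = 10_000             # amount needing two approvers

@dataclass
class Confirmation:
    approver: str
    channel: str
    strong_auth: bool   # e.g. passkey sign-in to the finance system

@dataclass
class PaymentRequest:
    requester: str
    amount: float
    initiated_via: str
    confirmations: list = field(default_factory=list)

def evaluate(req):
    """Return (approved, reasons). Reasons are empty when approved."""
    independent = {
        c.approver for c in req.confirmations
        if c.channel in CONFIRM_CHANNELS
        and c.channel != req.initiated_via     # must differ from the origin
        and c.strong_auth
        and c.approver != req.requester        # no self-approval
    }
    needed = 2 if req.amount >= DUAL_APPROVAL_FROM else 1
    reasons = []
    if not independent:
        reasons.append("no out-of-band confirmation")
    elif len(independent) < needed:
        reasons.append(f"{len(independent)} of {needed} approvers confirmed")
    return (not reasons, reasons)

# Constructed scenario: a request made on a video call, "confirmed" on that call.
call_only = PaymentRequest("ceo", 622_000, "video_call",
                           [Confirmation("ceo", "video_call", False)])
# Same request after two finance staff confirm in the finance system.
verified = PaymentRequest("ceo", 622_000, "video_call", [
    Confirmation("fin-a", "finance_portal", True),
    Confirmation("fin-b", "finance_portal", True)])
```

A confirmation given on the same call that carried the request never counts, however convincing the caller is.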


Shadow AI, unmanaged tools, and cyber security risks

Unapproved use of generative AI (“shadow AI”) is now a predictable by‑product of fast adoption. Staff paste sensitive text into public tools to save time; teams prototype agents or automations; proof‑of‑concepts linger with permissions intact.

None of this is malicious, but all of it increases exposure to security vulnerabilities. SMEs can reduce their exposure to shadow AI and unapproved tools by adopting a few practical measures that tackle the most common risks posed.

Create an AI register

Log all AI tools and automations in use (including trials), who owns them, what data they access, and where outputs are stored.

Define “approved inputs”

Make it explicit which data classes must never be pasted into external systems.

Sunset experiments

Put time limits on trials and remove access by default unless there’s a formal business case to continue, especially in the context of AI technologies.

Educate by role

Give finance, HR, sales, and engineering tailored guidance on safe AI usage based on their workflows to mitigate risks associated with AI development.

This is governance as enablement, not prohibition – a way to capture value from AI while reducing silent drift.


Identity is the new perimeter

When every system is everywhere, the only reliable anchor is who or what is asking for access and whether the activity makes sense in context. That’s the essence of zero trust: never trust by default, always verify, grant least privilege, and continuously reassess.

AI‑enhanced malicious activity raises the stakes for identity proof, policy enforcement, and continuous verification across users, devices, and services. To strengthen identity security in a meaningful way, organisations benefit from focusing on several core areas that make access far safer.

Strong authentication

Move decisively towards phishing‑resistant methods (e.g., passkeys or hardware backed factors).

Least privilege by design

Reduce standing admin rights; use just‑in‑time elevation with audit trails.

Conditional access

Make device health, location, and risk signals part of every decision.

Machine identities

Treat service accounts, API keys, and AI agents as first class identities with scoped permissions and rotation.


Behavioural analytics: detecting what credentials can’t

If attackers increasingly “log in” with valid credentials, detection must pivot from static indicators to behaviour. When behavioural analytics is applied effectively, it becomes much easier to spot activity that falls outside someone’s normal pattern. Several examples regularly prove useful in day‑to‑day detection.

  • Unusual file access (locations, volumes, or types never touched before)
  • Atypical login patterns (times, geographies, device profiles)
  • Sudden privilege escalations or consent grants
  • Novel combinations of actions (e.g., launching scripts from note‑taking apps, or mass exports from CRM)

Because these methods focus on how activity unfolds, not just what signature is present, they are well suited to detecting AI‑assisted attacks that otherwise resemble legitimate use.
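A minimal sketch of this kind of detection, run over constructed sample events, is shown here as an added example that is not part of the original article. The event fields, thresholds and function names are assumptions; a production system would use richer baselines than a min/max hour range.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed history: (user, hour_utc, country, device_id, records_exported)
HISTORY = [
    ("amira", 9, "GB", "lap-01", 12), ("amira", 10, "GB", "lap-01", 8),
    ("amira", 14, "GB", "lap-01", 15), ("amira", 16, "GB", "ph-07", 10),
    ("amira", 11, "GB", "lap-01", 9),
    ("ben", 8, "GB", "lap-02", 200), ("ben", 13, "GB", "lap-02", 260),
    ("ben", 17, "GB", "lap-02", 240),
]

def build_baselines(history):
    """Summarise each user's normal hours, countries, devices and export volume."""
    raw = defaultdict(lambda: {"hours": [], "countries": set(),
                               "devices": set(), "exports": []})
    for user, hour, country, device, exported in history:
        b = raw[user]
        b["hours"].append(hour)
        b["countries"].add(country)
        b["devices"].add(device)
        b["exports"].append(exported)
    return dict(raw)

def score_event(baselines, event, hour_slack=2, z_limit=3.0):
    """Return the behavioural deviations for one event (empty list = normal)."""
    user, hour, country, device, exported = event
    b = baselines.get(user)
    if b is None:
        return ["no baseline for user"]   # new accounts need separate handling
    findings = []
    # Crude working-hours window; does not handle shifts that cross midnight.
    if not (min(b["hours"]) - hour_slack <= hour <= max(b["hours"]) + hour_slack):
        findings.append("atypical login time")
    if country not in b["countries"]:
        findings.append("new geography")
    if device not in b["devices"]:
        findings.append("new device profile")
    mu, sigma = mean(b["exports"]), pstdev(b["exports"])
    # Floor sigma so a very steady user does not alert on tiny changes.
    if (exported - mu) / max(sigma, 1.0) > z_limit:
        findings.append("unusual export volume")
    return findings

BASELINES = build_baselines(HISTORY)
# Valid credentials and a known device, but 03:00 and a 250-record export.
SUSPECT = ("amira", 3, "GB", "lap-01", 250)
```

The same 250-record export is normal for `ben` and anomalous for `amira`, which is the distinction a static signature cannot make.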

Supply chain risk and increasing regulatory pressure

Your attack surface now includes your suppliers, their subcontractors, and the SaaS platforms that knit your operations together. A single weak link can expose sensitive data or disrupt services in ways you can neither anticipate nor directly control, leading to significant security threats.

Legal and regulatory expectations are rising accordingly, with growing emphasis on breach notification, internal controls, and AI‑related governance across multiple jurisdictions. Commentary on recent enforcement trends highlights heightened scrutiny and more complex compliance landscapes, particularly where organisations fail to maintain adequate security measures against potential risks from AI.

As supply‑chain dependencies grow, SMEs can improve their overall resilience by concentrating on several well‑established practices that consistently reduce third‑party risk.

Tier suppliers by criticality: apply deeper due diligence to those with access to data, identity, or payment flows.

Request evidence, not assurances: seek certifications, testing results, and incident response details rather than generic statements.

Include right‑to‑audit clauses: even if seldom used, they create incentives for better hygiene and risk management practices.

Plan third party incident playbooks: assume you’ll need to communicate and contain issues you didn’t cause.


AI governance in adoption

A common mistake is to treat governance as a brake on innovation. The opposite is true when implemented well. A simple, well-defined framework can streamline processes and reduce security risks.

AI register

All tools and agents, their owners, data inputs/outputs, and purpose.

Risk screening

Quick, repeatable questions on data sensitivity, model behaviour, and failure modes.

Guardrails

Pre‑approved prompts or tool restrictions for sensitive workflows (e.g., finance, HR).

Data retention rules

Ensure outputs containing sensitive information are stored securely or summarised safely to protect against potential security vulnerabilities in the use of AI.

Sunset policy

Time‑box trials; remove access automatically unless renewed to mitigate risks associated with prolonged exposure to vulnerabilities.

Keep the process lightweight

The point is visibility and consistency in risk management, not bureaucracy.
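The AI register, approved-inputs rule and sunset policy described in this section and in the shadow AI section can be checked automatically. The following is an added example, not code from the original article; the register fields, data class names and tool names are constructed for illustration.

```python
from datetime import date

# Data classes that must never go into external tools (constructed policy).
BLOCKED_INPUTS = {"payroll", "customer_pii", "credentials"}

# Constructed register entries; field names are illustrative.
REGISTER = [
    {"tool": "chat-assistant", "owner": "sales-ops", "external": True,
     "data_classes": {"marketing_copy"}, "output_store": "sharepoint/sales",
     "status": "approved", "trial_ends": None, "business_case": True},
    {"tool": "cv-screening-agent", "owner": "", "external": True,
     "data_classes": {"customer_pii"}, "output_store": "",
     "status": "trial", "trial_ends": date(2025, 1, 31), "business_case": False},
    {"tool": "invoice-ocr-poc", "owner": "finance", "external": False,
     "data_classes": {"payroll"}, "output_store": "fileshare/finance",
     "status": "trial", "trial_ends": date(2025, 6, 30), "business_case": False},
]

def audit_entry(entry, today):
    """Return the governance findings for one register entry."""
    findings = []
    if not entry["owner"]:
        findings.append("no owner")
    if not entry["output_store"]:
        findings.append("output location not recorded")
    blocked = entry["data_classes"] & BLOCKED_INPUTS
    if entry["external"] and blocked:
        findings.append("blocked input: " + ", ".join(sorted(blocked)))
    if entry["status"] == "trial":
        if entry["trial_ends"] is None:
            findings.append("trial has no end date")
        elif entry["trial_ends"] < today and not entry["business_case"]:
            # Sunset policy: access is removed unless the trial was renewed.
            findings.append("trial expired: remove access")
    return findings

def audit_register(register, today):
    """Map each tool with at least one finding to its list of findings."""
    report = {}
    for entry in register:
        findings = audit_entry(entry, today)
        if findings:
            report[entry["tool"]] = findings
    return report
```

Running this on a schedule keeps the register honest without adding a manual review step.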


Measures that matter: how to track progress

To maintain momentum, measure outcomes, not just implementations, while keeping an eye on security measures to address potential risks. It helps to track a set of clear indicators that show whether your security posture is strengthening over time.

Authentication coverage

Proportion of users on phishing‑resistant methods; number of exceptions.

Privilege exposure

Count of standing admin roles; time spent at elevated rights.

Detection quality

Mean time to detect and contain; ratio of high‑fidelity alerts to noise.

Supplier assurance

Percentage of critical suppliers with verified controls and incident contacts.

Awareness efficacy

Post‑training behavioural change (e.g., reported suspicious messages, correct use of second channel verification).

Dashboards don’t need to be ornate; they must be honest, current, and linked to executive decision‑making.


Common AI security risks and how to avoid them

“We’ve got MFA; we’re fine”: MFA helps, but attackers phish factors and target exception paths. Push towards phishing resistant methods and conditional access.

Tool sprawl without integration: multiple overlapping tools create gaps and fatigue, increasing the risk associated with inadequate oversight in AI development. Consolidate where possible and integrate telemetry for better signal.

One‑off projects: security is not “done,” it’s maintained. Set review cadences and iterate.

Over‑reliance on intuition: deepfakes and AI‑generated content defeat gut feel. Institutionalise second channel verification for sensitive actions.

Governance as prohibition: bans drive shadow AI. Offer safe, approved paths that meet the real needs of teams using AI technologies.

A new security mindset for a new era

AI has changed the tempo and texture of cyber risk management. Threats now move at machine speed, blending technical compromise with hyper‑convincing social engineering, increasing the potential risks to individuals or your organisation. Perimeter‑centric models designed for stationary networks cannot cope with mobile identities, cloud-hosted data, and live deepfakes, necessitating a re-evaluation of risk management strategies.

The path forward for SMEs is clear and achievable:

  • Anchor security on identity and behaviour, not just on networks and endpoints, to address potential risks from security vulnerabilities.
  • Replace intuition with process, especially for payments, approvals, and data access.
  • Embrace AI in defence, with the governance framework needed to use it safely and effectively.
  • Treat suppliers as an extension of your attack surface and hold them to verifiable standards.
  • Build resilience through practice: run the playbooks, review the outcomes, iterate.

By moving deliberately on these fronts, SMEs can modernise at a sustainable pace, protecting their people, their data, and their reputation without sacrificing the agility that sets them apart.

Remember, you can watch the full webinar that this article was created from here.
