What can I do to protect my business from AI cyber security risks?
- Scott Gorman
- Jun 10
- 2 min read
The threat from AI keeps increasing…
In April, Anthropic withheld Claude Mythos Preview, citing cyber-offensive capabilities too dangerous to ship. Last week, the UK AI Security Institute (AISI) published its independent evaluation of OpenAI's GPT-5.5. The verdict? It's in the same league, and it's available now 😧
I’m not going to rehash AISI's findings (see link above) or weigh in on whether the risk is overblown. Instead, I’m going to answer a question which I have been asked several times over the past few weeks....
What can I actually do to protect my business from the new risks AI introduces???
My honest answer is that it still comes down to getting the basics right first. This includes:
1. Implement modern, phishing-resistant MFA. AI-generated social engineering is about to get more automated, persistent, and convincing. If you are just relying on passwords — honestly, one of your accounts is probably already compromised.
2. Patch more often. A likely outcome of these new AI models is a wave of newly discovered vulnerabilities and the critical patches that follow. If patching or running those Microsoft updates isn't routine, fix that now.
3. Independent, tamper-proof backups. Ransomware throughput will likely rise with AI, and Microsoft is not your backup. I'll share more on this in the coming weeks. I’ll share more details on this in the coming weeks.
4. External Attack Surface Monitoring (ASM). Did you know that your public facing domain (basically your website address), can tell a hacker a lot about your business? Unfortunately, AI can now access the same information and exploit it faster than a human. An ASM tool gives you the same inventory of cloud assets, certificates, subdomains, and exposures that an attacker would build.
5. 24/7 managed detection and response. If attackers can compress a 20-hour intrusion into a single overnight run, Monday-morning triage is too late. Pair endpoint detection with someone whose job is to respond at 3am.
6. Cyber Essentials Plus. Sounds basic. Is basic. But the certific
ation forces most of the fundamentals above to actually be in place — which is more than most SMBs can honestly claim.
