Cybercriminals are using artificial intelligence to find software weaknesses and cause damage faster than ever. U.S. Chamber of Commerce Chief Technology Officer Bill Jewell says basic security best practices are crucial, and AI tools also can be used for good.
“You want to have great access management,” Jewell says. “You want to have great network segmentation. You want to be able to detect and respond to threats quickly.”
The U.S. Chamber of Commerce shares the following strategies that can help small businesses build stronger defenses.
- Prioritize patch management and testing. AI can identify and exploit vulnerabilities soon after they are discovered, so businesses must be timely with software updates and have a regular security testing schedule. Turn on automatic updates for all software programs and devices, and immediately patch any issues found by security scans. You may also want to phase out outdated systems that no longer receive security updates. Jewell says: “It is no longer OK to do a once-a-year or once-a-quarter security test. It’s just got to be a continuous thing, and the more we can use AI tools to do that, the better.”
- Evaluate your vendors and third-party software carefully. Vendors and third-party software can introduce cybersecurity risks. Before signing a contract, ask providers about their patching practices, incident response procedures, and support for tools such as multifactor authentication so you can make a smart decision.
- Reduce your attack surface. An “attack surface” is all the possible entry points cybercriminals can target, such as systems, devices, accounts and applications. Be sure you regularly review and remove unused software and limit administrator privileges. Jewell advises against holding onto sensitive data a business no longer needs.
- Use AI-powered security tools to scan your own code. Companies that develop software can use AI-powered scanning tools to find vulnerabilities during the development process. Additionally, AI-driven cybersecurity platforms can help monitor networks, find suspicious activity and respond to threats faster, allowing small businesses to prevent potential attacks on a limited budget.
- Have an incident response plan before you need one. A December 2025 report from Guardz shows only 34% of small and medium-sized businesses have a formal incident response plan, so the other 66% are unprepared to act quickly and minimize damage when a cyberattack happens. An incident response plan should identify who to contact during an incident, how to isolate affected systems, how to restore backups and how to communicate with employees, customers and other stakeholders.
