
Is Your Small Business Ready for the AI Cybersecurity Era? 5 Tips

The U.S. Chamber of Commerce has urged small business owners to strengthen their cybersecurity defenses as AI makes cyberattacks faster, cheaper, and easier to launch. Its latest guidance, published through the CO small business editorial unit, outlines five practical steps that companies can take without dramatically increasing their security budgets. The advice draws on commentary from Chamber CTO Bill Jewell and reflects the organization’s broader position that businesses should adopt AI while also preparing for the risks it creates.

The recommendations focus on the basics that matter most for smaller operators: keeping software updated, vetting vendors, reducing exposed systems and accounts, using AI scanning tools defensively, and tightening access management. Still, the guidance leaves some important questions unanswered. It does not break down likely implementation costs for lean teams, explain the regulatory exposure small businesses may face after a breach, or fully account for the gap between a sole proprietor running a cloud-based storefront and the larger companies often assumed in enterprise cybersecurity advice.

The immediate backdrop for the Chamber’s guidance is a new AI security development from Anthropic. The company announced Claude Mythos, an advanced AI model designed to identify software vulnerabilities at unusual speed. Early access was limited to a small group of major technology firms, but Anthropic warned that “it will not be long before such capabilities proliferate, potentially beyond actors who are committed to deploying them safely.” That is a warning about likely future diffusion rather than proof of widespread misuse today, and the model has not yet been independently benchmarked against real-world attack timelines.

For small businesses, the concern is straightforward. As Jewell explained in an interview on The Call, attack timelines are no longer moving at the pace of days or weeks. The window between a public vulnerability disclosure and an attacker exploiting it is shrinking toward hours or less when AI-assisted tools are involved. That shift is already visible in adjacent threats. AI is already being weaponized for fraud targeting small business transactions, with criminals using automated tools to create convincing impersonation attempts and account takeover sequences at scale.

The same pattern has already appeared in phishing and malware services. Subscription-based hacking tools sold through messaging apps for a few hundred dollars per month, including those cited in FBI warnings about platforms targeting Microsoft Teams, Outlook, and OneDrive users, show how quickly sophisticated tactics can be packaged for less skilled attackers. AI-powered vulnerability scanners could follow the same path. Tools that once required deep technical knowledge are becoming easier to operate, which lowers the skill barrier for attacks while raising the level of threat small businesses face.

AI Is Making Small Businesses Easier and Cheaper Targets for Cybercriminals

The U.S. Small Business Administration has reported that 43% of cyberattacks target small businesses, while only 14% of small businesses are adequately prepared to defend themselves. Those numbers point to more than a budget problem. Large companies often have security information and event management systems, dedicated IT security teams, continuous monitoring tools, and legal or compliance teams ready to handle breach notifications. Small businesses usually do not. The same people who need to respond to a suspicious alert are often also managing customers, payroll, inventory, and daily operations.

AI has made that imbalance sharper. Attackers can now automate reconnaissance, produce targeted phishing messages, and scan thousands of possible targets for weak points with far less manual work. That lowers the cost of each attack attempt. As a result, companies that once looked too small to be worth targeting can become profitable targets simply because AI reduces the effort required to attack them. Jewell described AI as “a structural change for security programs,” which captures the size of the shift even if it is not a quantified risk estimate.

Vendor risk adds another layer of exposure. When a payroll provider, point of sale platform, cloud service, or managed IT vendor is compromised, the small business using that provider can still face regulatory, financial, and reputational consequences. Yet many small companies have little leverage to audit a vendor’s security before signing a contract. That exposure is growing as small businesses adopt more AI tools to manage operations across multiple functions. Every new integration creates another dependency, and each dependency brings its own security posture.

  • Move from occasional security testing to continuous monitoring. The Chamber guidance, citing Jewell, says that once-a-year or once-a-quarter testing is no longer enough when AI can accelerate attacks. “It is no longer OK to do a once-a-year or once-a-quarter security test,” Jewell said. “It’s just got to be a continuous thing, and the more we can use AI tools to do that, the better.” In practice, this means using AI-enabled scanning tools that can check systems automatically without requiring a full-time security team. The challenge is that these tools still need setup, review, and alert triage. A scanner that produces warnings no one understands or monitors will not provide meaningful protection.
  • Turn on automatic software updates and patch quickly. Because AI reduces the time between vulnerability discovery and exploitation, delayed patching gives attackers an opening. The Federal Communications Commission’s small business cybersecurity guidance recommends automatic software updates across devices, which is one of the simplest and most effective steps a smaller operator can take. Businesses should also identify software that no longer receives security updates and replace it when possible. Unsupported systems create permanent weak points that routine patching cannot fix.
  • Ask vendors direct security questions before signing contracts. Jewell put the vendor issue plainly: “It’s not good enough for [you] to be strong, [your vendors] have to be strong, too.” Before choosing a cloud provider, payroll platform, payment processor, or managed IT service, small businesses should ask whether the vendor supports multi-factor authentication, how often it applies patches, how it handles incidents, and how quickly it will notify customers after a breach. Third-party risk tools can help score vendors, but even without paid tools, operators should request written security commitments and understand what happens if the vendor is compromised.
  • Reduce attack surface by removing unused tools, accounts, and stored data. A company’s attack surface includes every application, user account, device, data store, and system an attacker could target. Jewell recommended removing unused software and accounts, limiting administrator privileges, and taking a hard look at how much sensitive data the business keeps. “If you can’t afford to protect all the data you have, you probably want to have … conversations about how much data you even need to be holding,” Jewell said. This is one of the most practical recommendations in the guidance because it does not require expensive technology. Keeping less data can reduce both the chance of a breach and the damage if one occurs.
  • Use AI scanning tools defensively, especially for custom code. Businesses that build software, maintain custom applications, or rely on internal automation should use AI-based code scanning to catch vulnerabilities before deployment. “We need to be … using AI-based or LLM-based scans to make sure that we’re deploying the same technologies on our own code [and] finding the vulnerabilities … as we’re writing it,” Jewell said. AI-driven security platforms can also monitor networks, flag unusual activity, and speed up threat response for businesses without a dedicated security operations team. The key limitation is still human oversight. These tools need proper configuration and regular review to be useful.
  • AI vulnerability tools are becoming easier to access. Anthropic’s comments on Claude Mythos suggest that advanced vulnerability discovery tools may become more widely available over time. Small businesses and security observers should watch whether similar capabilities move into commercial products, open source tools, or gray market services at prices that make them accessible to a broader range of attackers.
  • Updated small business cybersecurity frameworks from NIST and federal agencies. The National Institute of Standards and Technology and other federal agencies are continuing to develop AI risk management resources and small business cybersecurity frameworks. These could eventually influence insurer requirements, vendor contracts, and payment processor expectations. Businesses that align early with emerging NIST guidance may be better positioned when those practices become conditions of coverage or partnership.
  • FTC and CISA guidance on breach notification and vendor liability. Federal expectations around breach notification and third-party vendor responsibility continue to evolve. Small businesses should keep an eye on Federal Trade Commission guidance and Cybersecurity and Infrastructure Security Agency advisories, especially as AI-assisted attacks make data theft faster and potentially more widespread.
  • Fraud detection requirements from banks and payment processors. Banks and payment processors are rolling out AI-based fraud detection and risk scoring tools. Some small businesses may be encouraged or required to adopt these systems as part of their merchant account terms. Operators should review whether these tools reduce liability, shift liability, or create new obligations before relying on them.
  • Cyber insurance underwriting focused on AI threat exposure. Cyber insurers are beginning to ask more detailed questions about the controls small businesses have in place. Patch cadence, vendor security, access controls, and data retention practices are likely to become more important during renewals. Those questions mirror the baseline steps the Chamber guidance recommends.

The Chamber’s message is that small businesses do not need enterprise budgets to make meaningful security improvements. Continuous testing, tighter vendor review, better patching, reduced data exposure, and defensive use of AI tools can all help. The harder question is whether these practices will be adopted evenly across very different small business environments. Sole proprietors, companies without IT staff, and businesses that handle sensitive customer data may face much greater implementation challenges than the guidance fully addresses.

 
