Every year on June 27, the world marks the United Nations International Day for Micro, Small and Medium-sized Enterprises (MSME Day). This year’s theme — “The Future Generation of MSMEs: An AI-Driven Future” — could not be more timely, because what I’m seeing on the ground is a story very different from the one we usually tell ourselves about how technology spreads.
We tell ourselves a tidy story about how technology spreads. The big enterprise goes first. Pilot projects, a steering committee, a budget line. Everyone else catches up a few years later, once it’s safe. The Internet spread roughly like that. Cloud and security were similar.
AI isn’t spreading like that.
I spend most of my time talking to the businesses living this transition, both big and small, and what I see on the ground is the inverse of the story. The 25-person accounting firm, the regional logistics company, the three-location dental group. None of them are waiting for permission. They already have AI drafting their proposals, answering customer messages overnight, and reconciling invoices. Meanwhile the enterprise down the highway is in its third meeting about an AI usage policy.
Data from the WEF SME Resource Hub shows that there are an estimated 400 million SMEs worldwide. They account for approximately 90% of all firms globally and generate an estimated 70% of employment, and all of them are under threat of cyberattacks. The data backs up what the field shows. The JPMorgan Chase Institute found that the most recent cohort of small businesses reached a 10% AI adoption rate in roughly six months. The same milestone took the 2019 cohort more than six years. The SBA’s own Office of Advocacy reports the gap has nearly closed: large firms once adopted AI at almost twice the rate of small ones, and by late 2025, that lead had all but evaporated. This is not a slow catch-up. The small end of the market is setting the pace.
That shouldn’t surprise anyone who has actually run a small business. A 30-person company can often adopt new technologies more quickly than larger organizations, but may have fewer dedicated resources available to evaluate and manage the associated cyber risks. It has a founder who found a tool that does the work of two hires for forty dollars a month and switched it on by Tuesday. B2B buying consumerized years ago. Most of the decision happens before anyone ever speaks to a vendor, and AI is the purest example of that yet. No sales cycle. A free trial and a credit card.
The mid-market is where this gets genuinely dangerous. A 200-person company has enough systems, data, and money to be worth attacking, and enough departments that AI gets adopted in five places at once. It still usually runs without a single dedicated security hire. Thryv’s small-business survey found AI use among firms with 10 to 100 employees jumped from 47% to 68% in a single year. That’s not experimentation anymore. That’s dependence, forming faster than the controls around it.
Adopting AI isn’t the risk. Adopting it faster than you can govern it is.
Here’s what that gap looks like at 2am in a real environment, because the conversation usually drifts into abstraction and that’s where it stops being useful.
A marketing coordinator pastes the full customer list into a chatbot to “tidy it up.” That data now lives somewhere the business doesn’t control and can’t claw back. A bookkeeper moves a payment because a message told her to. It used to arrive as an email. Now it just as often lands as a Teams or Slack note in the boss’s voice. Increasingly, it arrives as a deepfake voice note from a “supplier” or a multilingual invoice that looks indistinguishable from the real thing. The AI didn’t invent that scam. It made it fluent, fast, and cheap to run at scale. An office manager connects an AI assistant to the shared inbox and calendar so it can “handle scheduling,” and hands a third-party system standing access to every conversation in the company.
None of that trips an alarm. Most of it breaks nothing, until the day it does. And the businesses doing it are precisely the ones attackers already prefer. Verizon’s latest breach report finds small businesses on the receiving end of a large share of attacks, and that the overwhelming majority of their breaches now involve ransomware, at a far higher rate than at big companies. They get hit not in spite of being small, but because they’re small: real money, thin defenses, and nobody to call at 2am.
And the clock has compressed in a way few owners appreciate. In the AI era, the median time from a vulnerability being disclosed to a working exploit has collapsed from years to hours, and it’s projected to fall under an hour by the end of 2026. The emergence of advanced models like Anthropic’s Claude Mythos Preview, restricted to defensive use for now, shows how quickly AI can find and weaponize software flaws. Those capabilities won’t stay restricted forever, and that leaves very little room for delayed patching, manual processes, or reactive security in any business, let alone a 30-person one.
So you have two lines moving in opposite directions. AI adoption across the small and mid-market is climbing faster than any technology wave I’ve watched. AI security in that same segment is close to flat. The space between those two lines is where the exposure lives, and most owners can’t yet see it.
Shadow AI: The Risks SMEs Didn’t Approve
One of the biggest risks I see in SMEs isn’t the AI the business deploys — it’s the AI employees adopt without anyone knowing. Staff are using AI assistants to write emails, summarise documents, generate slides, and draft code. The productivity gain is real. So is the spillover: sensitive customer data, financial records, intellectual property, and confidential plans quietly uploaded into public AI platforms. Decisions made on outputs that were confidently wrong. And a business that has lost visibility into where its own data is being processed or stored.
For the businesses I’m describing, this lands on two desks: the owner’s and the CFO’s. Not the IT contractor’s. The exposure here is money and trust, which makes it a business problem before it’s a technical one. The payment that clears because an AI-fluent message looked legitimate is a finance problem. The customer data that walks out the door inside a chatbot prompt is a liability problem. The AI agent quietly reading the company’s mail is a governance problem. None of those wait for an IT ticket, and none of them get solved by telling staff to “be careful.”
It’s common to see a business govern the AI spend and miss the AI risk entirely. The tools get approved the way any software subscription gets approved: a line item, a quick nod, done. What never gets approved, because no one frames it as a decision, is the staff feeding client financials into those tools to speed up month-end. The spend is governed. The risk isn’t. That’s the whole gap in miniature.
Here’s the part owners often miss: even if your business feels too small to be a target, you’re almost certainly part of someone else’s supply chain. Attackers know this. Rather than going after a multinational head-on, they go after the smaller supplier, the logistics partner, the boutique software developer, or the professional services firm with lighter controls. Customers, regulators, insurers, investors, and partners are starting to ask hard questions before they’ll work with you. In an AI-driven economy, trust has quietly become a competitive advantage.
If you’re the owner or the CFO reading this, the answer is not to slow down. AI is the cheapest leverage a small company has ever had, and handing that advantage back would be its own kind of risk. The answer is to put a few guardrails up before you scale, not after the incident.
Find out what’s actually in use. A good share of the AI in your business was switched on by someone who doesn’t work in IT. Ask the question out loud. The list will be longer than you think.
Decide what data is allowed near these tools. “Don’t put customer or financial information into public AI tools” is one sentence, and it prevents a large slice of the damage on its own.
Treat AI access like a hire. If an assistant can read your email or move money, give it the scrutiny you’d give a new employee holding those same keys.
Get help that owns this. Most small businesses won’t build security in house, and they don’t need to. But whoever you lean on, inside or outside the company, should be able to tell you in plain language how your AI use is secured today. If they can’t, that’s the meeting to book this quarter, not next year.
None of this is exotic. It’s the same discipline good operators have always applied to a powerful new tool: use it hard, and know where the edges are.
Security as a growth enabler, not a cost line
One shift I’d encourage every owner and CFO to make is how they think about cyber security itself. For years it was treated as a cost centre — a tax you paid to reduce risk. In an AI-driven economy, it’s becoming the opposite: the thing that lets you adopt AI with confidence, win larger customers, qualify for bigger supply chains, meet emerging regulations, and protect the trust you’ve spent years building. Businesses that bake security into their AI strategy from day one tend to move faster, not slower.
I care about getting this right for a reason that has nothing to do with selling more security. According to the UN Sustainable Development Group, MSMEs represent 90% of all businesses, create up to 70% of jobs, and generate half of the world’s GDP. They’re the part of the economy AI could genuinely level. Picture the small firm that finally goes toe to toe with a rival ten times its size, because the tooling no longer cares who’s bigger.
On this Day of Micro, Small and Medium-sized Enterprises, that’s worth protecting. The technology showed up at their door early. For many SMEs, AI-powered security is the first realistic shot at enterprise-grade protection without enterprise-grade headcount. And because attackers are moving in minutes, not weeks, a prevention-first posture matters more than ever: stopping an attack before it gains a foothold is dramatically cheaper than recovering from one.
The future generation of MSMEs will succeed not because they have the biggest budgets or the largest tech teams, but because they can innovate faster, operate smarter, and defend themselves more effectively in an AI-driven world. The job now is to make sure the security shows up too — so that the next generation of MSMEs is not just AI-powered, but AI-protected.
