How small and medium-sized businesses (SMBs) can navigate AI cybersecurity risks in 2026


By Stephanie Coward

Managing Director, HCM

It is estimated that cyber threats cost SMEs £3.4 billion last year.

Has your business adapted its protocols to account for AI cybersecurity risks?

In a recent poll, we found that a third of small and medium-sized businesses (SMBs) feel more exposed this year.

To help HR leaders better navigate the current security challenges, Dan Grace, Director of International HR Consulting at IRIS Software Group, joined HR magazine for a lunchtime debate, offering a wide array of advice.

In this blog, we’ve summarised the debate, pulling together Dan’s key insights.

AI cybersecurity risks and how HR should respond

During the webinar, Dan outlined how the current cybersecurity landscape is evolving, particularly due to AI.

“The cybersecurity landscape is more complex than it ever has been.

“We’re seeing more and more, let’s call them the nefarious actors, using tools like AI to help them do ransomware attacks, advanced phishing and spear phishing attacks.

“I work with a lot of cybersecurity professionals, and they’re seeing the world become a more dangerous place every day due to these advanced tools.

“Now, some organisations, like Anthropic and OpenAI, are putting in AI safety teams to make sure people aren’t using their tools for these nefarious reasons.

“However, there are always ways around it, and we’re seeing more and more dangerous cyberattacks emerging as this technology is becoming more mature.

“How can you stay ahead of it as an HR professional? Well, we’d all love to see SMBs have a resident cybersecurity expert or have their own in-house IT security team, but that’s not always a reality.

“Instead, covering the basics is your best defence.”

Spear phishing and practical prevention

Following this initial glimpse at the current cybersecurity landscape, Dan explained what spear phishing is and offered some practical advice on how individuals and organisations can avoid it.

“Spear phishing is a relatively new term.

“It’s a really specific, highly targeted phishing attack.

“Criminals normally know something about your social standing or socio-economic environment, and they’ll know very specific details about you as a person.

“They’ll then reach out to you, typically with something very specific to you as an individual, posing as someone who has a high level of authority.

“For example, they may reach out, using something like WhatsApp, pretending to be the Finance Director, saying that they need you to sign an NDA because they need to talk about stock options.

“This outreach is so targeted, so we call it spear phishing.

“The number one way to avoid spear phishing is this: if someone’s contacting you and it does appear genuine, stop and verify via another channel.

“So, if your CEO is coming to you on WhatsApp, which is probably unreasonable, stop and verify via a different channel before you act.”

Training, awareness and multi-factor authentication

As the conversation continued, Dan shifted into practical actions your business can take, such as employee training and basic security controls, like multi-factor authentication (MFA).

“We spoke to 500 HR leaders and SMEs, and what we found was that 52% of their employees are not getting cybersecurity training.

“If you’re an HR leader, the big thing you need to do is educate your team about security.

“Next is implementing multi-factor authentication (MFA).

“You’ve probably experienced MFA if you’re on any Microsoft platform.

“MFA is where you log in with a password, and then authenticate your action with another device.

“This helps stop the majority of attacks.

“Make sure you’re ahead of the threat and using these modern security frameworks.”

During the webinar, Dan was asked about the availability of multi-factor authentication in HR apps, especially as SMEs may have fewer resources to implement other measures.

“I can’t answer for every vendor, but for most, there isn’t any significant cost impact to using features like MFA.

“Plus, the cost of a cyber incident in your business on average is multiple thousands.

“That doesn’t even cover the impact on your reputation and customers.

“For an average SME, you’re looking at a six-figure cost impact for a cyber incident.

“Is that worth the investment for things like training and multi-factor authentication? Absolutely.

“If there is a cost impact, weigh it up against the potential threat.”

Upcoming cybersecurity legislation

To help keep you at the forefront of what’s changing, Dan explained upcoming UK legislation and what it means for SMBs.

“In the last 18 months, there was a huge cyberattack on a big supermarket chain in the UK, and they lost hundreds of millions of revenue.

“Following this, the Government started paying more attention.

“Late last year, they came out with the Cyber Security and Resilience Bill.

“It really applies to certain industries, but I think it’s going to be wide-ranging.

“The bill will enforce certain standards on regulated organisations and their supply chain.

“That includes you, if you’re an SME, who’s supplying someone like a bank or any other regulated organisation, in addition to applying to people in data centres.

“What we’re going to see out of this legislation, once it receives Royal Assent, is more maintained access controls and more patching if you’ve got software.

“We’ll also see more scrutiny and regulation come upon supply chain suppliers.

“Getting prepared for this legislation is really important.

“I’d recommend having a read, as the bill is quite comprehensive.

“We’re expecting to see it in 2027, which may seem far away, but it’s not.”

Should cybersecurity negligence be treated as gross misconduct?

During the webinar, the question was posed: should an employee’s failure to adhere to security protocols be covered explicitly in the organisation’s disciplinary procedures?

“Look, every organisation has to have a documented disciplinary procedure.

“Adhering to all of your company’s policies and procedures, including cybersecurity, should absolutely be part of that.

“If someone is wilfully damaging and harming your business by exposing you to the extra threats, absolutely, it’s gross misconduct.

“You can’t have that level of vulnerability and non-trust in your organisation.

“I know it sounds grim, but there are very serious consequences.”

Watch the full HR Magazine discussion

Cybersecurity needs to be front of mind for all businesses, especially with the advancements in AI.

The HR Magazine discussion not only covered the above but also explored the use of AI in recruitment and what it means for the upcoming unfair dismissal changes.

You can watch the full HR Magazine webinar here.

Alternatively, for those businesses looking for added support with changing legislation, like the Employment Rights Act, check out our handy webinar.

Webinar: The New Rules of Work


Stephanie Coward

Managing Director, HCM

Stephanie Coward is Managing Director for HCM at IRIS, where she leads the strategy, innovation and growth of the organisation’s HR and payroll portfolio. She is responsible for positioning IRIS as a trusted partner to HR professionals and ensuring its solutions support the evolving needs of modern workforces.

With more than 25 years’ experience in the technology sector, Stephanie brings deep commercial and operational expertise, with a passion for improving the employee experience through technology.

Stephanie is committed to advancing IRIS’ HCM offering and helping organisations build more resilient, empowered workforces.