The AI Security Checklist for Small Businesses (Including self-diagnosis test)
- TecAce Software
- 4 days ago
You ask ChatGPT to draft an email. You hand Gemini a report to summarize. It feels like having a personal assistant who works only for you. You start to trust it. And that trust is exactly where the problem begins.

AI is helpful. That is precisely why it’s dangerous.
In 2023, three engineers at Samsung’s semiconductor division pasted source code, internal meeting notes, and hardware design data into ChatGPT three separate times over a single month. They were debugging. They were summarizing meetings. The reasons were entirely ordinary. The outcome was an emergency company-wide restriction on AI use across Samsung.
"A small company like ours isn’t even on a hacker’s radar." If that’s what you’ve been telling yourself, take a look at what happened in 2025. Security researchers found 225,000 sets of ChatGPT login credentials for sale on the dark web. ChatGPT itself hadn’t been hacked. Infostealer malware on employees’ PCs had stolen the credentials, and every saved conversation tied to those accounts was exposed along with them. If anyone had been using a personal account for work, those conversations went with the rest.
That November, OpenAI’s analytics partner Mixpanel was breached, and ChatGPT users’ names, emails, and usage data were exposed. Even when your own systems are airtight, a third-party path can still be the way in.
These incidents share something in common. They didn’t fall to advanced hacking techniques. They fell to ordinary, everyday usage habits. And in small businesses without a dedicated IT security team, those habits are more common — and stay undetected longer.
That’s why we built this guide. It isn’t about expensive security infrastructure. It’s a checklist you can review and act on inside your company today.
What relatively safe AI use looks like
Not every AI use case is risky. The following patterns are reasonably safe:
- Summarizing already-public blog posts or press releases
- Drafting an email after stripping out customer names, amounts, and contract terms
- Cleaning up meeting notes that have been anonymized (no names, departments, or dates)
- Using enterprise AI accounts (Enterprise plans or API access) — by default these are not used for model training
The principle is simple: "Would I be comfortable if this content left the company?" If you’re unsure, the right answer is to not enter it.
Three settings you can change right now
Safer habits matter, but changing a few AI tool settings can dramatically reduce your exposure. Each takes about five minutes — and most employees don’t even know these toggles exist.
Setting 1. ChatGPT — Turn off "Improve the model for everyone"
By default, ChatGPT may use your conversations to train its models. Turning this off excludes all new conversations from training.
Path: Profile → Settings → Data Controls → "Improve the model for everyone" → Off
Once turned off, the setting applies account-wide, on every device. One caveat: clicking the thumbs-up or thumbs-down feedback buttons inside a chat can submit that entire conversation for training. Toggling the setting off won’t help if you reflexively tap feedback.
Setting 2. ChatGPT — Use Temporary Chat for sensitive topics
When you must work with sensitive content, use Temporary Chat. These sessions are not saved in history, not stored in memory, and not used to train the model.
Path: Start a new chat → Click "Temporary" at the top right of the screen
That said, "Temporary" doesn’t mean "deleted." OpenAI retains the conversation on its servers for up to 30 days for safety and abuse monitoring. Think of it like a browser’s incognito mode — not perfectly private, but not stored in your history either.
Setting 3. Google Gemini — Turn off "Gemini Apps Activity"
Gemini also uses your conversations to improve its models by default. If you sign in with a paid Google Workspace account, Gemini treats your data the same way it treats Gmail and Drive content — it is not used for training.
Path: Gemini app → Activity → Gemini Apps Activity → Switch to "Off"
Note that turning this off also erases your conversation history. Unlike ChatGPT, there is no option to "keep history but exclude from training." Even with the setting off, Google retains conversations for up to 72 hours for safety purposes.
The short version: Changing settings is a good start, but it isn’t enough. Whatever toggles you flip, the most reliable defense is to never enter sensitive data in the first place. Settings are the seatbelt. Data minimization is safe driving.
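One way to make "strip out customer names, amounts, and contract terms" and data minimization a repeatable step is a local redaction pass that runs before anything is pasted into an AI tool. The sketch below is an added example, not part of the original article or any vendor's tooling; `redact`, `restore`, `PATTERNS` and `deny_terms` are hypothetical names, and the patterns and sample text are constructed.

```python
import re

# Constructed patterns for illustration; extend them for your own formats.
PATTERNS = [
    ("EMAIL", re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")),
    ("AMOUNT", re.compile(r"[$€£]\s?\d[\d,]*(?:\.\d+)?"
                          r"|\b\d[\d,]*(?:\.\d+)?\s?(?:USD|EUR|KRW)\b")),
    ("DATE", re.compile(r"\b\d{4}-\d{2}-\d{2}\b|\b\d{1,2}/\d{1,2}/\d{2,4}\b")),
]

# Constructed sample draft; every name and value here is made up.
SAMPLE = ("Hi Jane Park, Acme Corp owes $12,500.00 by 2025-03-31. "
          "Contact jane.park@acme.example. Acme Corp agreed.")


def redact(text, deny_terms=()):
    """Swap sensitive values for stable placeholders.

    Returns (redacted_text, mapping). The mapping never leaves the machine.
    """
    mapping = {}  # placeholder -> original value
    seen = {}     # (label, lowercased value) -> placeholder

    def substitute(label, value):
        key = (label, value.lower())
        if key not in seen:
            index = sum(1 for k in seen if k[0] == label) + 1
            seen[key] = f"[{label}_{index}]"
            mapping[seen[key]] = value
        return seen[key]

    # Structured values first, so an email is replaced whole before a
    # customer name inside its domain can be matched on its own.
    for label, pattern in PATTERNS:
        text = pattern.sub(lambda m, l=label: substitute(l, m.group(0)), text)
    # Company-supplied terms (customer names, project code names),
    # longest first so "Acme Corp" wins over "Acme".
    for term in sorted(deny_terms, key=len, reverse=True):
        text = re.sub(rf"\b{re.escape(term)}\b",
                      lambda m: substitute("NAME", m.group(0)),
                      text, flags=re.IGNORECASE)
    return text, mapping


def restore(text, mapping):
    """Put the real values back into text the AI tool returned."""
    for placeholder, value in mapping.items():
        text = text.replace(placeholder, value)
    return text
```

Because the same value always maps to the same placeholder, the AI's draft stays coherent and `restore` can fill the real values back in locally. Pattern matching will not catch free-text details such as contract terms, so a human read-through before submitting still applies.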
The practical checklist — assess where your company stands
Telling people to "be careful" is not a security strategy. You need to know which AI tools your team is using, what data is off-limits, who owns AI inside the company, and what happens when something goes wrong.
The checklist below is a 100-point self-assessment SMBs can use to gauge their current AI security posture. It covers five company-level domains (Policy, Ownership, Security Settings, Data Management, Incident Response) for 80 points, plus two employee-level domains (Before Submitting, Before Using Output) for 20 points — 50 items in total, 2 points each.
The takeaway: don’t block AI, operate it safely
AI security doesn’t begin with elaborate systems. For small businesses, what matters most is a simple, repeatable standard that keeps your team from making everyday mistakes.
Use the checklist to find out where your company stands today. A low score doesn’t mean stopping AI use — it means starting with approved tools, company accounts, redacted data, and human review.
AI is a powerful productivity tool. But without a data-handling baseline, that productivity quickly turns into a security liability. Customer trust can be unmade by a single mistake. Treat this checklist as your AI seatbelt, and start moving faster — and more safely — with AI.



