YOUNGSTOWN, Ohio – In 2026, the question is no longer if your business and employees will use artificial intelligence but when.
But that can lead to IT concerns about safe usage.
“Let’s make sure that if you’re using AI today, the security settings are in place to make sure that your data is as protected as it can be,” says Robert Merva, owner and CEO of Avrem Technologies, adding the security settings and configurations on some AI platforms can be vague. “Regardless of how well you think that system is locked down, don’t put anything in there that you don’t want out in the public.”
Merva says the Youngstown area may be behind in adopting technology, but his company receives calls from businesses outside the area that want to formulate an AI plan. The conversation includes security concerns and misconceptions about the technology’s capabilities
A survey by McKinsey & Company showed AI is being used in at least one form by 88% of responding businesses while 79% are using generative AI. The same survey found industries experiencing the most AI-associated cost benefits were software engineering, manufacturing and IT.
Jason Wurst, vice president of Tele-Solutions Inc. of Youngstown, says while his company’s clients are looking for how they can leverage AI to benefit their businesses, assisting clients with cybersecurity is their primary focus.
Justin White, co-owner and CEO of Advanced Technology Partners in Austintown, says implementing an AI policy may be the best way to ensure employees are using AI safely. For instance, a policy for employees, especially those who handle sensitive company data, need instructions about what not to input into free AI programs.
Instead, he suggests using “enterprise grade versions” of programs, which require a paid subscription.
“Most of the time with these AI tools, your standard package comes with a limit on how much you can use it and how much data you can process,” White says, adding it is quantified by tokens. “Some of these packages just give you a larger token allowance or allow you to purchase it on a token basis.”
Ralph Blanco, owner of ECMSI in Struthers, agrees free AI programs can “unintentionally leak data,” which can cause compliance issues. Additionally, Blanco says it’s important to know where the company’s data is stored and who in the organization has access to it to prevent external threats but also in considering internal operations.
“If you have AI, someone could say ‘show me all the payroll files.’ If you don’t know how your data is locked out, other people could see it within your organization,” Blanco notes.
Avrem Technologies uses technology to prevent employees, who may just be trying to solve a problem, from putting company information into AI programs, but Merva agrees it is important to create policies around AI use.
“I think the marketing promise with AI is that everything will be trouble free and easy, and that’s not necessarily the case,” says Mike Timko, president of Cortland Computer Inc. in Warren.
Timko says some clients have put in controls allowing only certain AI programs to be used on company computers and designating what company information cannot be used with AI.
AI can accelerate how much data even a small company can analyze, Merva says, noting it can level the competitive landscape of business, by finding trends, making predictions and enabling data to work for the business. But at the same time, some companies are throwing a lot of money into AI resources and not seeing profit. Capabilities vary among AI models and having Avrem help find the right tool can save money.
“AI is the hot thing right now and a lot of people are obsessed with it and what you can do with it, but it shouldn’t be a replacement for good old-fashioned standards – principles and practices,” Merva says.
Multifactor Authentication
Multifactor authentication should be required, particularly at work, according to the local experts, especially with emails and cloud-based applications.
“We have made multifactor authentication for our clients mandatory for a very long time,” Merva says. “Anybody who does not have that enabled on all of the platforms that it can be enabled on is doing themselves a serious disservice and really putting themselves at risk.”
Additionally, Merva says as a company, Avrem decided eight years ago if a product or platform doesn’t have the security level they require, they don’t use it. While a business may hesitate to switch from an application they rely on, Merva says it is necessary.
Timko agrees.
“Multifactor authentication, I know it’s the holy grail to a lot of smaller businesses, but that’s the starting point,” he says. “That’s where you start your security and then you go from there.”
Wurst notes while multifactor authentication is “nonnegotiable,” there are ways to bypass it. He says it is important to train employees to only move money if they receive a phone call asking for it and then verifying that move either in person or through a separate phone call. Through token theft, White says phishing emails that appear to be from a legitimate company – often one you commonly receive emails from – allow access to your account by asking you to log in using your two-factor authentication to download information. If you follow their instructions, they have bypassed even multifactor authentication.
White also notes there are new technologies that are more phishing resistant, such as biometric authentication, which helps verify the computer is not being proxied somewhere else.
Advanced Technology Partners offers cybersecurity awareness training as part of their package, which includes monthly training sessions.
Blanco seconds the need for verification.
“I always tell our partners, we can protect your email, but we can’t protect other people’s emails that are sending to you,” he says. “They may have been doing business with this person for 15 or 20 years… Unfortunately, we’re in a world now, you really can’t trust anything, which is sad. You’ve got to verify everything.”
If someone requests to change routing numbers, Blanco advises clients to pick up the phone and double check.
Additionally, White says backing up your data and checking certifications on your software, as well as the security policies of companies your company is doing business with can be important.
“Are they a security first company?” White asks “Or do they have a product out there and you’ve got to cross your fingers and hope they’re being as secure as you would expect them to be.”
While there is “zero trust,” authentication, which requires permission to see anything while outside the network, Blanco says it is also possible to lock things down too tight and hinder productivity.
Threats and Ransomware
While there is no guarantee against a data breach, Blanco says the best option is layered security on the network – content filtering, spam filtering, breach detection software and a good disaster recovery plan.
“Not only where is your data, but how quickly can you get back up and running,” Blanco says, adding you need to test data recovery and hope to never need it.
Additionally, ransomware attacks have evolved with companies not just locking your data down, but threatening to leak it if you don’t pay,” Blanco says. Patient data, credit cards and business records are all at risk.
Ransomware attacks used to be the biggest threat, but Timko says business identity theft is on the rise. Thieves are impersonating companies your business may be doing business with and intercepting client vendor payments. About five years ago, hackers intercepting deposits in the title and mortgage industries became common, Timko says, and it ramped up from there.
“Of course, a ransomware event is bigger in the news,” Timko says. “You see a ransomware event and its $2 million, but business email compromises are generally a smaller amount, based on what that company is paying. But I do believe they are a lot more successful.”
And someone can monitor a compromised email for days, because oftentimes it goes undetected. They send out emails that appear to be from the email they are watching and intercept return emails that might question their legitimacy.
“We find that when we take people on and bring them in, when we start working through those processes and tools that you’ll find things, a history of past compromises or active compromises that are way more in depth than people realize were there,” Timko says.
Besides emails, AI is helping hackers not just impersonate someone’s voice, but their speech patterns and likeness, Merva says. This has prompted some officers of companies to refuse to get onto online meetings to keep their identity private.
Wurst cites one example at a large corporation where an email appeared to come from the boss to the help desk. That was followed up with an AI generated phone call from someone who sounded like the boss demanding the problem he was reporting be fixed immediately.
“The 22-year-old sitting in a cubicle reset his credentials and gave them the keys to the castle,” Wurst says, “There are some pretty sophisticated things that AI can do and from a human aspect we need to be really cognizant of it, training our employees and making sure everybody knows those things are out there.”
AI is also helping cybersecurity companies defend against other AI. Wurst says AI defense mechanisms placed on the computer analyze all aspects of the customer’s network and it can quickly recognize if something is acting differently or trying to get in from the outside. Not only do Tele-Solutions Inc. professionals monitor what is happening, but AI software platforms are monitoring it in real time.
Wurst says the days of just setting up antivirus software on a computer and forgetting about it are long gone. He says many cyber insurance companies will not cover a business unless it is fully compliant with security tools in place to defend against an attack.
White says there are tools that restrict what applications an employee can use on a company computer, requiring them to get permission from an administrator before downloading anything not on the list.
Blanco says AI creates more attacks, with attempts autogenerated on many networks simultaneously, trying different things and then alerting the hacker where the hole is in the security.
Cost of Peace of Mind
White says how much you invest in IT and security for a business can be based on the number of system users, but also on how confidential the data is that is being stored. And while the tools to protect a computer might cost $10 to $15 per month, there is also the IT support costs.
At ECMSI, Blanco says co-managing is typical with many partners having an internal IT person and using their services to monitor and manage their security. It’s no longer about just having someone fix problems as they arrive, Blanco adds, companies need to be proactive about securing data.
As someone who once worked at a hospital with millions to spend on IT, Blanco says it has always been his goal to provide the same level of support to small businesses and large companies.
“It has to be cost effective, but they still need to have enterprise-level type support,” Blanco says.
Timko says cybersecurity and IT needs to be built into the business and at some businesses such as financial and medical, which deal with records, security can cost 10% of their gross revenue. With medical privacy laws, the cost of protecting that data can be more than a small medical practice can afford. Timko says he believes that is why so many physicians in the area align themselves with hospital systems.
“IT services aren’t cheap, and that doesn’t cover all the other compliances and things they have to deal with,” Timko says. “And I think that has driven a lot of small businesses merging and buyouts. It’s just not economical to do things properly and securely when you’re small.”
Merva agrees a part-time employee isn’t sufficient to handle a company’s IT needs. It’s typical for companies to pay 3 to 5% of their gross revenue on IT. However, his company on average does it for 1 to 2%.
Outsourcing IT can save money, Merva notes, because instead of hiring one or two people internally, Avrem offers an entire team with all the knowledge, experience and equipment. While Merva says the company doesn’t share information between clients, they can implement what is working at one company at another.
“We see a lot more and we’re just exposed to a lot more,” Merva says. “It’s just the nature of what we do.”
Even a small company or business needs protection, Wurst says, noting he has been reminding businesses of that for years.
“If they can get $1,000 from you, you’re worth it to them, because you’re one of a million people they may get $1,000 from, so you do matter.”
AI is also driving up costs, according to Timko, with the price of computer memory doubling as AI vendors are buying it up. “I’m worried we’re going to see another chip shortage,” Timko says, “but only worse because it’s not just chips. It’s also memory and storage for vendors. Some [manufacturers] have exited the space and are only going to do enterprise AI production. Now we’re no longer going to have any more consumer lines.”
