Let me ask you a slightly uncomfortable question.

Do you know which AI tools your team is using at work… and what they’re putting into them?

Most business owners I speak to think they do. And then we dig a little deeper.

Generative AI tools like ChatGPT and Gemini have slipped into everyday work incredibly fast. They’re great for productivity. Drafting emails. Summarising documents. Brainstorming ideas. Solving problems faster.

The trouble is, they’ve arrived so quickly that governance hasn’t kept up.

A recent report looked at how businesses are using GenAI, and the findings are eye-opening. 

AI usage in organisations has surged. The number of users tripled in just a year. 

People aren’t just trying it out either. They’re relying on it. Prompt usage has exploded, with some organisations sending tens of thousands of prompts every month.

At the very top end, usage runs into the millions.

On the surface, that sounds like efficiency. 

Underneath, it’s something else entirely.

Nearly half of people using AI tools at work are doing so through personal accounts or unsanctioned apps. 

This is called “shadow AI”. It means staff are uploading text, files, and data into systems the business doesn’t control, can’t see, and can’t audit.

That’s where the risk creeps in.

When someone pastes information into an AI tool, they’re not only asking a question. They’re sharing data. 

Sometimes that data includes customer details, internal documents, pricing information, intellectual property, or even login credentials. Often without you realising it.

According to the report, incidents involving sensitive data being sent to AI tools have doubled in the last year. The average organisation now sees hundreds of these incidents every single month.

And because personal AI apps sit outside company controls, they’ve become a significant insider risk. Not malicious insiders, necessarily. Well-meaning people trying to get their job done faster.

This is where many businesses get caught out. They assume AI risk looks like hacking from the outside. 

It can look like an employee copying and pasting the wrong thing into the wrong box, at the wrong time.

There’s also a compliance angle here. 

If you operate in a regulated environment, or handle sensitive customer data, uncontrolled AI use can put you in breach of your own policies, or someone else’s regulations, without anyone noticing until it’s too late.

The warning is blunt: As sensitive information flows freely into unapproved AI ecosystems, data governance becomes harder and harder to maintain. 

At the same time, attackers are getting smarter, using AI themselves to analyse leaked data and tailor more convincing attacks.

So what’s the answer?

It’s not banning AI. That ship has sailed. And it’s not pretending it’s harmless either.

The real answer is governance.

That means deciding which AI tools are approved for work use. Being clear about what can and cannot be shared with them. Putting visibility and controls in place so data doesn’t quietly drift where it shouldn’t. And making sure your team understands the risks, not in a scary way, but in a practical, grown-up one.

AI is already part of how work gets done. Ignoring it doesn’t make it safer. Governing it does.

We can help you put the right policies in place and educate your team on the risks of AI. Get in touch.

When you open a browser on your phone, what do you think it knows about you?

The websites you visit? Maybe your location? Possibly what you’ve searched for?

The reality is, for many popular mobile browsers, it’s a lot more than that.

A recent analysis looked at how popular mobile browsers handle user data, based on the privacy information they publish in app stores. 

And what it found should make you pause for thought.

If you’re using Google Chrome or Microsoft Edge on your phone or tablet, you’re using two of the most data-hungry browsers around. 

That doesn’t mean they’re unsafe, or that you need to abandon them tomorrow. 

But it does mean you should be paying attention to what they collect, and how you protect yourself.

According to the research, these browsers gather a surprisingly wide range of information. Not just browsing history, but things like location data, payment details, saved files, and even media such as photos or audio in some cases. 

The stated reason is usually sensible enough: Making the app work properly, syncing accounts, preventing fraud, or personalising the experience.

And to be fair, some data collection is unavoidable. A browser can’t function at all without knowing something about what it’s doing.

The concern is how much data is collected, how long it sticks around, and who it may be shared with. 

Some browsers confirm that parts of this information can be passed on to third parties. In the best case, that means advertising profiles and targeted offers. In the worst case, it means valuable identifiers floating around that could be exposed in a breach.

This matters more than many people realise, because browsing history tells a story. 

Over time, it can reveal business interests, financial activity, health concerns, legal worries, and personal habits. It’s not just “websites you like”. It’s a digital trail of who you are and what you’re dealing with.

What surprised researchers most was how few people really think about this anymore. Only a small minority still describe themselves as privacy conscious. Most of us just tap “accept”, install the app, and move on with our day.

That’s understandable. You’re busy running a business. But the risk isn’t theoretical.

When companies are breached, customer identification data is often what leaks first.

Browser data and identifiers are increasingly valuable targets because they help attackers link activity back to real people and real organisations.

So what should you do?

You don’t need to ditch your browser of choice. Chrome and Edge are popular for good reasons, especially in business environments. 

The key is reducing how much unnecessary data you give away and adding a few sensible layers of protection.

Start by checking your browser’s app permissions on your phone. 

Does it really need access to location all the time? Does it need access to files, photos, or media when you’re just browsing? Most people are surprised by how much they’ve allowed without realising.

And be mindful of how you log into websites. 

Using a proper password manager means your browser doesn’t need to remember everything for you, and it reduces the damage if one account is ever compromised. This also makes it far easier to use strong, unique passwords without having to remember them.

None of this requires changing how you work day to day. You still open the same browser. You still visit the same sites. You’re just being more deliberate about what information leaks out in the background.

Your browser is one of the most used tools in your business. It’s also one of the most overlooked when it comes to privacy.

If we can help you keep your data better protected, get in touch.

Here’s a question I suspect most business owners haven’t thought about yet.

If one of your team buys something inside an AI chat window… is that okay with you?

Because that’s exactly where things are heading.

You’re probably already familiar with tools like Microsoft Copilot and ChatGPT helping people write emails, summarise documents, or answer questions. 

The next step is much more practical. And potentially much more sensitive.

Buying stuff.

Last year, ChatGPT quietly introduced a feature called Instant Checkout. In simple terms, if you ask a shopping-related question, you can be shown products and complete the purchase without ever leaving the chat.

Now Microsoft is rolling out something very similar: Copilot Checkout.

If someone asks Copilot for recommendations, say software, equipment, subscriptions, or services, Copilot can show relevant products. 

If the seller supports Copilot Checkout, the user can click “Buy”, confirm delivery and payment details, and complete the purchase right there inside Copilot.

No jumping to a website. No checkout page in a browser. No familiar “are you sure?” pause.

From Microsoft’s point of view, this is powerful. 

Its data suggests people are far more likely to complete purchases when Copilot is involved, and they do it faster too. 

That’s why this feature won’t just live in one place. It’s expected to appear across Copilot, Bing, Edge, MSN, and more.

For consumers, this feels convenient.

But for businesses, it raises a different set of questions.

The first one is simple: Do you want your team buying things this way?

In many businesses, purchasing is deliberately slow. There are approval steps. Budgets. Supplier lists. Controls. Someone checks what’s being bought, why, and by whom.

Copilot Checkout has the potential to quietly bypass some of that, especially if it’s used casually or without guidance.

Then there’s the data side.

To make checkout work, payment details, shipping information, and account data need to be involved. 

Copilot Checkout launches with platforms like PayPal, Stripe, and Shopify. These are reputable systems, but the question isn’t whether they’re trustworthy. It’s whether your policies account for this new way of buying.

If an employee is signed into Copilot with a work account, whose payment method is being used? 

What information is Copilot allowed to see or reuse?


Are purchases logged somewhere central, or do they disappear into the noise?

And then there’s behaviour.

When buying becomes frictionless, people buy more. Microsoft openly says journeys involving Copilot are far more likely to end in a purchase. That’s great for sellers, but it can quietly inflate costs if nobody’s watching.

None of this means Copilot Checkout is “bad”. But it does mean it’s something you should decide on deliberately, rather than discovering it accidentally after the fact.

If you do want your team to use it, there are a few sensible considerations:

• Clear rules around who can buy
• What they can buy
• Which accounts or payment methods are allowed 
• Visibility into purchases made through AI tools
• Guidance for staff so they understand that convenience doesn’t remove responsibility

If you don’t want it used, that decision also needs to be clear. Because if it’s not written down, explained, and enforced, people will assume it’s fine.

This is a recurring theme with AI features.

They don’t arrive with a big announcement saying, “You should update your policies now.”
They just… appear.

The real question isn’t whether your team can use it. It’s whether you’ve decided if they should.

My team and I can help you decide what’s best for your business. Get in touch.

What would happen if someone got hold of one of your employees’ passwords from years ago?

Not a password they’re using today.

Not one they even remember.

Just an old one that never got changed.

Because that’s exactly how a recent, large-scale data-theft campaign worked.

A recent investigation by a cyber security firm uncovered a new hacking campaign. Sensitive business data from dozens of organisations around the world was quietly collected and later put up for sale on the dark web.

Different industries. Different countries. Different sizes of business.

But one thing kept coming up again and again.

Every affected organisation had allowed staff to log into important cloud systems using nothing more than a username and password. No second step. No extra check. Just type your password and you’re in.

This is where MFA comes in.

Multi-factor authentication simply means using more than one piece of evidence to prove it’s really you. Usually that’s your password plus something else, like a code on your phone, a notification you approve, or a fingerprint. 

So even if someone steals your password, they still can’t get in.

In these cases, MFA wasn’t enforced.

So how did the attackers get hold of the passwords in the first place?

They relied on something called infostealing malware. That’s a type of malicious software that can end up on a computer without the person using it realising. 

Once it’s there, it quietly collects saved passwords, login details, and other sensitive information, and sends it back to criminals.

This doesn’t only happen on office computers. It can happen on home devices, personal laptops, or any machine that’s ever been used to log into work systems.

When those details are stolen, they don’t always get used straight away. And this is the part that really matters.

Some of the passwords used in this campaign were years old.

That tells us two important things:

• Passwords weren’t being changed often enough
• Old logins were still being trusted long after they should have been invalidated

In other words, a device infected a long time ago could suddenly become a serious problem today.

This has been described as a “latency” issue. The threat sits quietly in the background, waiting. An old mistake doesn’t disappear just because time has passed.

The attackers would have been stopped if MFA had been switched on.

They had the passwords. But they didn’t have the second factor. No phone. No app. No approval tap. That one extra step would have turned a successful break-in into a dead end.

This is why security professionals (like me) keep saying the same thing, repeatedly: Passwords on their own are no longer enough.

I know one of the most common reactions to MFA is, “But it’s annoying”. And yes, it does add an extra moment to the login process. 

But compare that to what happens when a password nobody remembers is still valid years later. When confidential files can be copied, sold, or quietly taken without anyone noticing until it’s too late.

MFA turns a stolen password into a useless piece of information. And that’s why enforcing MFA isn’t overkill anymore, it’s sensible.

If there’s one lesson here, it’s a simple one: Old passwords don’t expire on their own. One extra lock on the door makes all the difference.

Need help getting set up? Get in touch.