{"id":11911,"date":"2026-03-18T11:47:48","date_gmt":"2026-03-18T11:47:48","guid":{"rendered":"https:\/\/www.withsecure.com\/resources-hub\/blog\/ai-in-business-how-to-avoid-missing-the-train-without-derailing-the-business\/"},"modified":"2026-06-04T06:38:56","modified_gmt":"2026-06-04T05:38:56","slug":"ai-in-business-how-to-avoid-missing-the-train-without-derailing-the-business","status":"publish","type":"post","link":"https:\/\/www.withsecure.com\/fi\/resurssit\/blog\/ai-in-business-how-to-avoid-missing-the-train-without-derailing-the-business\/","title":{"rendered":"AI in business: how to avoid missing the train without derailing the business"},"content":{"rendered":"\n
\n
\n

\n AI in business: how to avoid missing the train without derailing the business<\/span><\/h1>
\n
\n \n \n AI <\/span>\n \n MSP <\/span>\n <\/span>\n \n 18.03.2026 <\/span>\n <\/div>\n <\/div>\n <\/div>
\n
\n \"\" <\/figure>\n <\/div>\n <\/div>\n<\/section>\n\n\n\n
\n
\n

There is no neutral position on AI adoption right now. Either your organization is experimenting with it and learning, or it is watching from the sidelines while competitors build capabilities that will be very difficult to close the gap on later.<\/p>\n

As WithSecure CISO Christine Bejerasco put it at our February 2026 Cyber Morning: ”It’s like the internet. You just need to grab it, otherwise you’d be left behind.”<\/p>\n

But AI also arrives with a set of security risks that are real, evolving rapidly, and crucially not yet fully understood. The Harvard Law School Forum on Corporate Governance found that 72% of S&P 500 companies have already disclosed at least one material AI risk. That figure is remarkable given how recently these tools have entered enterprise environments at scale.<\/p>\n

So how do you avoid missing the AI train while also avoiding a derailment?<\/p>\n

The Two-Sided Risk Problem<\/h2>\n

There is a clear tension: for large organizations, the bigger risk is often not the security vulnerability that AI introduces \u2013 it is the competitive and operational cost of moving too slowly because of security concerns.<\/p>\n

”What companies are missing the AI train because they don’t know how to use it and they are too security concerned?” is a genuine question for CISOs and security teams right now. Being so cautious that your organization falls behind in AI capability is itself a business risk. The security function needs to enable AI adoption, not just constrain it.<\/p>\n

At the same time, the security risks are real. The Cyber Morning panel identified two primary concerns:<\/p>\n

1.<\/span> Data exposure.<\/h2>\n

When employees use public AI tools with organizational data, the questions of where that data is processed and who can access it become live issues. Public AI services are convenient and often excellent \u2013 but organizations frequently have very limited visibility into what happens to the data they feed into them. This is essentially the same challenge that cloud adoption created a decade ago, now compressed into a much faster adoption cycle.<\/p>\n

2.<\/span> AI as an attack tool.<\/h2>\n

The same capabilities that make AI useful for defenders \u2013 automated analysis, pattern recognition at scale, rapid generation of targeted content \u2013 are equally available to attackers. Phishing messages that would previously have required a fluent Finnish speaker to craft convincingly can now be generated at scale and personalized to the recipient. Vulnerability scanning and exploitation can be automated in ways that dramatically lower the cost of attacking a broad set of targets. The threat surface expands as AI capabilities become commoditized.<\/p>\n

A Risk-Based Framework for AI Adoption<\/h2>\n

The good news is that a workable framework already exists \u2013 most organizations just need to apply it consistently to AI.<\/p>\n

WithSecure CISO Christine Bejerasco outlined the approach used at WithSecure itself, and it starts with information security classification. Most organizations already classify their data in tiers: publicly available, internal, restricted, confidential, top secret. The same classification logic applies directly to AI adoption decisions:<\/p>\n

    \n
  • Publicly available or low-sensitivity internal data: There is very little reason not to use cutting-edge cloud AI tools here. The business benefit is high and the risk of exposure is low. This is where organizations should be experimenting aggressively.<\/li>\n
  • Restricted or confidential data: This is where controls need to be proportionate to the sensitivity. Self-hosted models, enterprise-tier agreements with clear data processing terms, or simply not using AI for these use cases until better options exist \u2013 all are legitimate choices.<\/li>\n
  • Top-secret or highly sensitive data: This may be one area where accepting a less capable, on-premises AI solution is the right trade-off. The security certainty is worth the capability cost. But if the data an AI model can access is very limited, the output is also limited \u2013 so organizations need to be realistic about what they are actually gaining.<\/li>\n<\/ul>\n

    The key insight is that most enterprise data is not at the top of the sensitivity spectrum. The majority of day-to-day data that employees work with is internal but not genuinely sensitive in a way that would cause serious harm if it left the organization. Treating all data as top-secret and blocking all AI adoption is both operationally damaging and not proportionate to the actual risk.<\/p>\n

    The Quantum Variable<\/h2>\n

    As AI security risks are still being mapped and mitigated, quantum computing represents the next wave of disruption to the cryptographic foundations that current security infrastructure depends on. Post-quantum cryptography planning is already on the agenda for security teams at the most forward-thinking organizations. For most mid-market businesses, this is not an immediate priority \u2013 but it is worth being aware of as a medium-term planning consideration.<\/p>\n

    The Attacker’s AI Advantage \u2013 and How to Counter It<\/h2>\n

    One of the more sobering observations from the panel was that cyber criminals are becoming more creative precisely because AI lowers the barrier to sophisticated attacks. It was noted that roughly 20% of people would click on a convincing phishing link if the narrative is good enough \u2013 and AI makes that narrative much easier to craft at scale.<\/p>\n

    The defensive response to AI-augmented attacks is not simply to train people harder. As Christine Bejerasco emphasized, the reflex of calling people ”the weakest link” needs examination. Are they weak, or have we built systems that leave them exposed? Finnish telecom company DNA’s commitment to automated security patching on home routers \u2013 removing the vulnerability before the user ever needs to make a decision \u2013 is the principle in action: design the secure path, don’t just rely on human vigilance.<\/p>\n

    At the network and endpoint level, AI-augmented defenses can block malicious links before users ever see them. At the platform level, detecting and blocking known malicious patterns before they reach inboxes. These technical controls, properly deployed, reduce the surface area that human vigilance needs to cover. This is exactly the kind of proactive, AI-driven protection that WithSecure Elements delivers \u2013 using behavioral detection and exposure management to find and close gaps before attackers can exploit them, rather than responding after the fact.<\/p>\n

    What This Means for MSPs<\/h2>\n

    AI represents both a service delivery challenge and a significant commercial opportunity for Managed Service Providers.<\/p>\n

    On the challenge side: MSPs need their own clear AI governance framework. Your customers will ask how you are using AI in your service delivery, and what that means for their data. Having a clear, documented answer \u2013 covering where AI tools are used, what data they process, and what controls are in place \u2013 is increasingly a prerequisite for enterprise customer trust. This is especially true for MSPs serving NIS2-regulated organizations, where supply chain security obligations extend to how service providers handle customer data.<\/p>\n

    On the opportunity side: AI governance is a conversation that most mid-market organizations have not had in any structured way. Helping customers work through their own data classification framework, apply it to their AI adoption decisions, and establish appropriate policies around AI tool usage is a high-value advisory service. It is also a natural conversation starter for broader security posture work \u2013 and an opportunity to demonstrate the kind of proactive, outcomes-focused partnership that differentiates serious security MSPs from basic IT support providers.<\/p>\n

    The organizations that use AI well \u2013 both internally and to enhance their security offerings \u2013 will be significantly more capable in two or three years. The ones that are paralyzed by the security questions will have closed off options that will be hard to reopen.<\/p>\n<\/div>\n <\/div>\n<\/section>\n\n\n\n

    \n
    \n

    \n Share this story <\/p>\n

    \n \n \n
    \n
    \n \"\"

    Blogi<\/p>\n <\/div>\n

    \n
    \n
    \n AI<\/span>\n MSP<\/span>\n <\/div>\n <\/div>\n

    AI in business: how to avoid missing the train without derailing the business<\/h3>\n
    \n Lue lis\u00e4\u00e4<\/a> <\/div>\n <\/div>\n<\/div>","_links":{"self":[{"href":"https:\/\/www.withsecure.com\/fi\/wp-json\/wp\/v2\/posts\/11911","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.withsecure.com\/fi\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.withsecure.com\/fi\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.withsecure.com\/fi\/wp-json\/wp\/v2\/users\/15"}],"replies":[{"embeddable":true,"href":"https:\/\/www.withsecure.com\/fi\/wp-json\/wp\/v2\/comments?post=11911"}],"version-history":[{"count":1,"href":"https:\/\/www.withsecure.com\/fi\/wp-json\/wp\/v2\/posts\/11911\/revisions"}],"predecessor-version":[{"id":11918,"href":"https:\/\/www.withsecure.com\/fi\/wp-json\/wp\/v2\/posts\/11911\/revisions\/11918"}],"wp:attachment":[{"href":"https:\/\/www.withsecure.com\/fi\/wp-json\/wp\/v2\/media?parent=11911"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.withsecure.com\/fi\/wp-json\/wp\/v2\/categories?post=11911"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.withsecure.com\/fi\/wp-json\/wp\/v2\/tags?post=11911"},{"taxonomy":"content_type","embeddable":true,"href":"https:\/\/www.withsecure.com\/fi\/wp-json\/wp\/v2\/content_type?post=11911"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}