Data Security 101: A Practical Guide for Small Businesses Using AI

December 10, 2025

There are a lot of misconceptions about AI tools and what they do and don’t do with your prompts.

For many small business owners, “data security” sounds expensive. It conjures images of complex IT audits, pricey consultants, and locking everything down so tightly that nobody can get any work done.

But in the age of AI, the biggest risks to your business usually aren't sophisticated hackers trying to break through a firewall. The biggest risks are **helpful employees trying to move faster**.

When a team member pastes a client’s sensitive financial history into a free tool to “summarize it quickly,” they aren't trying to cause a breach. They’re trying to be efficient. But the result is the same: your private data has just left your control.

You don’t need to turn your business into Fort Knox. You just need practical, risk-based security. Here is how to keep your data safe without slowing your team down.


The Difference Between “Public” and “Private” AI

Before you can set rules, you have to understand the tools. The most important distinction for a business owner is between **Public AI** and **Private AI**.

  • Public AI (The Risk): These are usually the free or low-cost consumer versions of tools (like the free version of ChatGPT or generic online writing aids). In exchange for free access, the vendor often reserves the right to use your data to train its models. Anything you type in could potentially be learned by the system and regurgitated later.
  • Private AI (The Goal): These are business-grade tools or enterprise accounts. They often cost money, but they come with a contract stating that your data is yours. The AI processes your data to give you an answer, but it doesn't learn from it, store it, or share it.

The Rule: If you haven't explicitly vetted a tool and paid for a “private” seat, assume it is Public and unsafe for sensitive data.

The “Unlocked Filing Cabinet” Analogy

Think of your business data like a physical filing cabinet. In the old days, securing it was easy: you locked the office door at night.

Using Public AI for business work is like taking files out of that cabinet and handing them to a stranger on the street because they promised to organize them for you.

You might get organized files back, but you have no idea if that stranger made photocopies or who else they showed them to.

In practice, this means: You need to decide exactly which files are allowed to leave the office (safe for Public AI) and which ones must stay locked in the cabinet (Private AI only).

3 Layers of Practical Security

At BAQS, we believe security isn't about buying one magic piece of software. It’s about three layers: **People, Tools, and Infrastructure**.

1. People: Centralize the Decision

The biggest mistake we see is letting every employee pick their own AI toolkit. One person uses ChatGPT, another uses a random PDF summarizer they found on Google.

Centralize the “Yes.” Designate one person (an owner, Ops lead, or IT partner) to vet and approve tools. If a team member wants to use a new AI writer, they should bring it to this person first. This gatekeeper checks the risks and liabilities so the rest of the team doesn't have to guess.

2. Tools: The “Red Light / Green Light” Framework

Once you have vetted tools, you need clear rules for how to use them. We recommend a simple framework:

  • 🔴 Red Light Data (Private Tools Only): Client financial records, passwords, personal health info (PHI), employee social security numbers, or sensitive legal agreements.
  • 🟢 Green Light Data (Okay for Public AI): Draft marketing copy, generic emails, brainstorming ideas, public website content, or messy notes that have been “sanitized” (names and numbers removed).

3. Infrastructure: Check the “Health Grade” (SOC 2)

Before you approve a new tool, check if it is **SOC 2 compliant** (or ISO 27001).

Think of SOC 2 like the health inspection grade in a restaurant window. A restaurant might make delicious food, but if they don’t have that “A” grade, you have no idea if the kitchen is clean. If a vendor asks for access to your core business data (email, CRM, files) but cannot prove they are SOC 2 compliant, do not use them.

A 4-Step Security Checklist for This Week

You don’t need a massive IT project to start securing your business today. Start with these four steps:

1. Run a “Shadow IT” Inventory

Ask your team—without judgment—what tools they are currently using. You might find they are already using three or four “magic AI writers” you’ve never heard of. Inventory them, check their security (SOC 2), and shut down the ones that don't pass the test.

2. Require Basic Safety Training

Most breaches are human error. Ensure every employee who accesses email or the web completes a basic security awareness training. You don't need to create this yourself—there are plenty of free or low-cost courses online (like Google’s Cybersecurity basics or Wizer’s free training) that cover phishing, password hygiene, and data handling. Make it a mandatory onboarding step.

3. Sanitize Your Inputs

Teach your team to “sanitize” data before pasting it into any Public AI tool.

  • Unsafe: “Write a collection email to John Smith at Acme Corp who owes $5,000 for Invoice #102.”
  • Safe: “Draft a polite but firm collection email to a client who is two weeks late on a mid-sized invoice.”
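As an added example (not BAQS's own code or tool), here is a small Python helper that turns the Red Light / Green Light framework and the sanitize step above into a check a team can run before pasting anything into a Public AI tool: it flags which Red Light categories a prompt contains and replaces names and numbers with generic placeholders. The regexes and placeholder wording are illustrative assumptions, and the client names to mask are supplied by the caller because a pattern cannot guess which words are names.

```python
import re

# Added example (not a BAQS tool): detect the guide's "Red Light" data in a
# prompt and replace it with generic placeholders before it goes to Public AI.
# Patterns are illustrative assumptions and will not catch every sensitive value.
RED_LIGHT_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "invoice": re.compile(r"\binvoice\s*#?\s*\d+\b", re.IGNORECASE),
    "amount": re.compile(r"\$\s?\d[\d,]*(?:\.\d{2})?"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
    "credential": re.compile(r"\b(?:password|passwd|pwd)\s*[:=]\s*\S+", re.IGNORECASE),
}

# What each category is replaced with; names are handled separately below.
PLACEHOLDERS = {
    "ssn": "[SSN]",
    "invoice": "an invoice",
    "amount": "a mid-sized amount",
    "email": "[EMAIL]",
    "credential": "[CREDENTIAL REMOVED]",
}


def classify(text: str) -> list[str]:
    """Return the Red Light categories present in text; an empty list means Green Light."""
    return [name for name, pat in RED_LIGHT_PATTERNS.items() if pat.search(text)]


def sanitize(text: str, known_names: tuple[str, ...] = ()) -> str:
    """Strip names and numbers from a prompt so it keeps its intent but no
    longer identifies a client, employee or account.

    known_names: client/company names to mask, e.g. pulled from your CRM
    (a regex cannot guess which words are names, so they are supplied)."""
    out = text
    for name in known_names:
        out = re.sub(re.escape(name), "[CLIENT]", out, flags=re.IGNORECASE)
    for category, pat in RED_LIGHT_PATTERNS.items():
        out = pat.sub(PLACEHOLDERS[category], out)
    return out


def safe_for_public_ai(text: str) -> bool:
    """Gate check: True only if no Red Light category remains in the prompt."""
    return not classify(text)


if __name__ == "__main__":
    # The guide's own "Unsafe" prompt, run through the sanitizer.
    unsafe = "Write a collection email to John Smith at Acme Corp who owes $5,000 for Invoice #102."
    print(classify(unsafe))
    print(sanitize(unsafe, known_names=("John Smith", "Acme Corp")))
```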

4. Turn Off “Chat History & Training”

If your team uses ChatGPT, go into the settings today. There is an option to disable “Chat History & Training” (or similar data controls in other tools). This stops the provider from using your conversations to train their models. It’s a five-second fix that significantly lowers your risk.

Summary

You cannot stop the wave of AI, and you shouldn't try. The productivity gains are too real. But you must be deliberate about how you ride that wave.

  • Know the difference: Public AI trains on your data; Private AI protects it.
  • Centralize control: Don't let employees choose their own tools; vet them centrally.
  • Classify your data: Know what is Green Light (safe) and Red Light (sensitive).
  • Train your team: A 30-minute security course is cheaper than a data breach.

Map Out Your Business AI Risks

If you’re worried about how your team is currently using these tools, or you want to build a “safe sandbox” for them to experiment in, we can help. [Click here to book a short strategy session] where we can map out your risks and help you choose the right tools for your business.