
October is Cybersecurity Awareness Month, and this year’s theme, “Stay Safe Online,” highlights the importance of making cybersecurity clear, approachable, and actionable for all. For MSPs, it’s an excellent opportunity to reconnect with clients, or even prospects, and start meaningful conversations about security hygiene and emerging risks.
This year, the focus goes beyond traditional threats. AI-driven attacks are transforming the landscape, making phishing, impersonation, and social engineering far more sophisticated. Deepfake video calls, voice cloning, and AI-generated messages allow attackers to convincingly impersonate trusted individuals and organizations. These tactics target human trust and bypass many of the defenses businesses have relied on.
To help MSPs lead high-impact security conversations, we’ve developed the AI-Risk Cybersecurity Hygiene Checklist, a practical tool designed to help clients evaluate both foundational cybersecurity hygiene and preparedness for AI-driven risks.
Below are five key takeaways from the AI-Risk Cybersecurity Hygiene Checklist that you can use to lead your next client meeting or security review:
1. The AI Attack Surface Is Expanding
Cybercriminals are using AI to craft highly realistic, targeted attacks that evade traditional defenses. Traditional filters and once-a-year training no longer provide sufficient protection.
Why it matters:
- 43% of cyberattacks now target small businesses
- AI-powered attacks have increased 238% since 2022
- 1 in 6 breaches now involve AI methods
- The average SMB breach costs over $28,000
- 60% of SMBs close within six months of a major breach
Real-world AI attack vectors:
- Deepfake phishing: AI scrapes social media and websites to craft realistic messages referencing actual events, colleagues, or internal details. AI-generated phishing emails can mimic colleagues with 90% accuracy.
- Voice cloning: Attackers impersonate executives to request wire transfers or credentials.
- Video call spoofing: Realistic deepfake video calls mimic leaders to authorize sensitive actions.
Sample questions to raise with clients:
- Are you aware that AI is fundamentally reshaping how cyberattacks are executed, reducing the effectiveness of traditional defenses such as spam filters and basic security training?
- Are employees trained to recognize AI-enabled social engineering?
- Do your security programs include regular phishing simulations?
2. Verification Protocols Must Be Ironclad
AI makes it easy for cybercriminals to mimic voices, faces, and urgency. Identity must be verified through trusted channels, not by appearance or tone alone.
Why it matters:
- Attackers can mimic executives or coworkers to issue payment or credential requests
- Messages that appear internal are harder to detect
- Lack of verification becomes the weakest link
Sample questions to raise with clients:
- Are all sensitive requests verified through a separate, trusted communication channel?
- Is there a “two-person rule” for high-value transactions or access changes?
- Are employees trained to challenge unexpected requests (even from leadership)?
3. Strong Passwords and MFA Are Non‑Negotiable
AI amplifies attack speed. What used to take hours now takes minutes. In this environment, weak or reused credentials are a liability.
Why it matters:
- AI speeds up brute‑force and credential stuffing
- Reusing passwords creates a cascading security risk across multiple systems
- SMS or basic MFA methods are susceptible to social engineering or code interception
Sample questions to raise with clients:
- Are team members using a long, unique password for every account?
- Are you using a trusted password manager to store and generate passwords securely?
- Is MFA enabled on all critical systems, including email, admin portals, and cloud apps?
4. Patching and Backups Are Your Best Defense Against AI-Driven Exploits
Attackers can use AI-driven automation to scan for vulnerabilities the moment they emerge. Unpatched systems and weak backup strategies create critical exposure points.
Why it matters:
- New vulnerabilities are exploitable almost instantly
- AI‑driven ransomware is increasingly aggressive
- Backups are your last line of defense
Sample questions to raise with clients:
- Are automatic updates enabled across operating systems, browsers, and apps?
- Are backups tested regularly to confirm data can be restored?
- Is sensitive backup data encrypted both in transit and at rest?
5. Restrict Exposure Through Access Control & Awareness
AI can combine fragments of public and internal information to build convincing impersonations or scams. When access is overly broad or employees overshare online, it gives attackers the context they need to deceive and gain entry.
Why it matters:
- AI scrapes organizational and behavioral data to craft targeted social engineering
- Excess access rights increase the potential impact of a compromised account
- Public-facing information enables attackers to mimic trusted individuals or communications
Sample questions to raise with clients:
- Are permissions reviewed and minimized regularly?
- Are employees trained to avoid oversharing online?
- Are employees given continuous training to recognize AI-generated phishing messages and scams?
Next Steps: Use the Checklist to Strengthen Client Security and Your MSP Offering
As an MSP, you are in a unique position to guide organizations through today’s most urgent cybersecurity challenges, especially as AI reshapes the threat landscape.
The AI-Risk Cybersecurity Hygiene Checklist equips you to lead informed, relevant security conversations that demonstrate your expertise and uncover real needs. Whether you’re working with long-time clients or engaging new prospects, this checklist is a powerful tool to open doors and deepen trust.
How to use the checklist with clients:
- Kick off security conversations: Use the checklist during onboarding, reviews, or introductory meetings to uncover where support is most needed.
- Identify gaps that lead to services: Map checklist responses to offerings like security awareness training, phishing simulations, MFA rollout, backup improvements, and zero trust frameworks.
- Create long-term value: Build long-term engagement by using the checklist as a baseline for quarterly reviews and to demonstrate security improvements over time.