Cyber insurance used to be simple. Fill out a questionnaire, check a few boxes, and your policy renewed. Not anymore. In 2025, carriers want proof: evidence that your business has MFA, Endpoint Detection & Response (EDR), and backup restore testing in place.
For Milwaukee SMBs, this shift has meant surprise premium hikes, renewal delays, and, in some cases, denials of coverage. The good news: with a focused approach, you can still get renewal-ready in 30 days.
Keep reading for more details, as well as essential resources we put together for you down below!
What Changed in Cyber Insurance Underwriting
Carriers are moving from “trust but verify” to “verify or deny.” Here’s what’s new:
MFA enforcement proof → not just a policy, but screenshots or coverage reports.
EDR deployment logs → insurers call out EDR by name, distinguishing it from legacy antivirus.
Backup restore test evidence → success logs aren’t enough; underwriters want proof of a recent restore.
Locally, brokers across Greater Milwaukee are reporting much heavier questionnaires, with more technical controls required.
The 3 Non-Negotiables for SMBs
1. Multi-Factor Authentication (MFA)
Insurers now assume password-only environments are unprotected. To pass underwriting, you’ll need MFA across email, VPN, and admin accounts — and the ability to show where it’s enforced (and where it isn’t yet).
2. Endpoint Detection & Response (EDR)
Antivirus is no longer enough. EDR provides continuous monitoring and detection, and underwriters want deployment lists plus confirmation that alerts are active.
3. Backups with Restore Testing
Insurers have seen too many SMBs with “successful” backup jobs that failed when needed. That’s why they ask for a restore test outcome within the last 90 days, not just job completion.
The 30-Day Renewal Rescue Plan (At-a-Glance)
If renewal is around the corner, here’s how to tackle it week by week:
When MIT released its Project NANDA report this summer, headlines fixated on a startling figure: 95% of enterprise AI projects fail to deliver meaningful results. For Wall Street, it was a warning flare about overhyped technology. For business leaders in Milwaukee and beyond, it raises a sharper question: if companies are spending millions on AI but getting nothing back, who actually is making AI work?
The answer might not be who you think.
AI in the Shadows
The MIT researchers discovered a parallel economy thriving just below the radar of CIOs and CFOs: the Shadow AI economy. While multimillion-dollar deployments stall in pilot purgatory, employees across industries are quietly turning to consumer-grade tools like ChatGPT, Claude, and Midjourney to speed up their work.
They’re writing proposals faster, automating spreadsheets, drafting reports, and even brainstorming new product ideas, often without approval, and sometimes against policy. According to the study, more than 90% of employees already use AI in some form. Most never reported it to IT.
The irony? Workers are realizing measurable productivity gains while corporate projects crumble under the weight of bureaucracy and over-engineering.
Why Big Projects Fail—And Small Ones Win
Official AI rollouts often collapse under familiar pressures: governance slowdowns, tool sprawl, integration nightmares. By the time a solution gets to the frontline worker, it’s clunky, fragmented, and outdated.
Employees, on the other hand, gravitate toward what works. Consumer tools are fast, flexible, and relentlessly improved. For the people doing the work, the choice is obvious.
This tension is driving the quiet divide: companies that ban AI risk losing ground to competitors who learn to govern it instead.
The Hidden Business Case
Buried in the MIT report was another overlooked insight: the biggest payoffs aren’t in flashy front-end pilots but in back-office operations. Document processing, compliance reporting, customer service workflows, and other areas that were once considered too mundane to innovate are now prime targets for AI automation.
Organizations embracing AI in these areas are already seeing annual savings in the millions, without cutting staff. For small and mid-sized businesses, that translates into efficiency gains that can reshape margins and free up teams to focus on growth.
So What Should Leaders Do?
The message is clear: pretending Shadow AI doesn’t exist is a losing strategy. Employees are already bringing these tools into the workplace. The real question is whether leadership chooses to get ahead of it—or wait for compliance violations, data leaks, or client trust issues to force the conversation.
That’s where a structured Shadow AI Audit comes in. It’s a way to bring daylight to what’s already happening inside your business: mapping usage, uncovering risks, and, critically, pinpointing the hidden wins you can scale safely.
Bringing AI Into the Light
At Centurion Data Systems, we’ve seen this pattern unfold across Greater Milwaukee’s SMB landscape: manufacturers, healthcare groups, financial firms. Employees lean on AI because it helps them do their jobs better. Leadership hesitates and worries about risk. The companies that bridge that divide by governing Shadow AI without crushing it are the ones unlocking real value.
That’s why we launched our Shadow AI Audit. It’s designed to help local businesses turn Shadow AI from a liability into an advantage: safely, securely, and with measurable ROI.
Because AI isn’t failing. It’s the way enterprises are trying to use it that’s broken. The workers have already proven it works. Now it’s time to meet them halfway.
Recent reports from Tom’s Guide and Fast Company confirm that private ChatGPT conversations are appearing in Google search results. For individuals, that’s alarming. For business owners, it’s potentially catastrophic.
Imagine an employee using ChatGPT to draft a financial forecast, troubleshoot a security issue, or brainstorm a client project – and that conversation becomes publicly accessible online. That’s not just an embarrassing privacy slip. It’s a potential data breach, a compliance violation, and a reputational risk rolled into one.
If you think it’s only tech-savvy employees using AI, think again. These tools have quietly made their way into marketing, finance, HR, and customer support. Many business owners don’t realize how much company data is already passing through AI tools—sometimes without any oversight.
How Did This Happen?
ChatGPT conversations don’t automatically appear on Google. The issue comes from shared conversation links in ChatGPT. Users can create shareable URLs for their chats, often to collaborate with coworkers, or between personal and work accounts, or during document work. If those links aren’t locked down or get posted publicly (e.g., on blogs, forums, or shared documents that are indexed), Google and other search engines can crawl and index them.
This means what was intended as a simple collaboration step can quickly turn into a public data leak. Employees often don’t realize this risk because they assume that, since they’ve signed into an account (especially a paid one), their conversations are always private, even if they opted to make the conversation link “discoverable by anyone.” Random people out there don’t know that the link exists, right? Correct. But search engines do. They can now crawl and index it. The result: internal conversations—sometimes containing sensitive client or operational information—can show up in a basic web search.
Since Fast Company reported the issue, there have already been updates: Google and OpenAI are working together on solving it. OpenAI CISO Dane Stuckey announced that the feature to share chats in web searches would be removed from the ChatGPT app. Cached chats may still show up in search while OpenAI works with Google to remove them.
However, there is currently no guarantee that chats that ended up in search engines’ caches will never show up again. And, more importantly, there is always a risk of something similar happening in the future. Not this exact issue, perhaps, but something completely unforeseen.
Business Impact: Why Owners Should Be Concerned
This isn’t just an IT issue. It’s a business risk with multiple layers:
Client Trust: If client information appears in a public ChatGPT chat, you risk losing accounts and damaging relationships.
Compliance Violations: For industries under HIPAA, GDPR, or financial regulations, exposing data via AI tools can trigger audits and fines.
Competitive Exposure: AI chats often include details about pricing models, sales strategies, or product roadmaps. That’s exactly the kind of intelligence competitors love to find.
Reputation Damage: Even if content is removed later, archived pages and screenshots can live on. Prospects, partners, and investors doing due diligence may find them long after you’ve taken action.
What makes this problem unique is that it often happens without malicious intent. Employees are just trying to be efficient. But unmonitored AI use can turn into an expensive problem for your business.
Shadow AI – The Hidden Risk
“Shadow IT”—when employees use unapproved software—has been a known security risk for years. AI has now amplified it, giving rise to shadow AI. Employees sign up for free AI accounts, often with personal email addresses, and use them for work tasks. These accounts bypass IT controls, data policies, and compliance standards.
Why do employees do this? Because AI makes their work easier and faster. The problem is that these AI chats may contain proprietary data, customer details, or internal processes. Since no one is monitoring these tools, sensitive information can end up outside company oversight—sometimes even indexed publicly.
If your business doesn’t have a defined AI usage policy, chances are you already have shadow AI operating within your organization.
What’s Already Out There About You or Your Team?
Before assuming your company is safe, take a moment to check what’s public. Try searching Google for your company name, product names, or unique phrases you know exist only in internal documentation.
If you see unexpected results, that’s your first red flag. Set up Google Alerts with your brand name plus terms like “ChatGPT” or “ShareGPT” to monitor future exposures.
Finding indexed ChatGPT conversations tied to your business isn’t just a technical issue—it’s a leadership issue. These conversations may already have been archived or scraped by third parties, making removal more complicated. That’s why understanding and controlling your team’s AI usage is critical.
How to Secure Your Personal ChatGPT Conversations
If you’ve ever shared or saved ChatGPT conversations, start by making sure they’re not indexed publicly. Tom’s Guide outlined how to check and delete them, but here’s a simplified version:
1. Check if your conversations are indexed: Search Google for your name or unique phrases you remember using in a ChatGPT conversation. If you see your ChatGPT link (often starting with https://sharegpt.com/), it’s public.
2. Delete shared chats you no longer need: Open your ChatGPT account, go to “Shared Links,” and delete any you don’t want public. This instantly removes access to those chats.
3. Turn off conversation history: Inside ChatGPT settings, toggle “Chat History & Training” off. This prevents your chats from being stored and used for AI training and keeps them more private.
4. Avoid sharing sensitive data in any AI chat: Treat AI conversations like email: once it’s shared, you lose control.
How to Secure Your Business From AI Data Leaks
Personal cleanup is only half the solution. For business owners, the bigger issue is controlling how employees use AI. Here’s what to do:
1. Create an AI usage policy immediately: Even a basic one is better than none. Define what kind of company information is acceptable to use in AI tools and what is strictly prohibited.
2. Restrict public sharing of AI chats: Disable or discourage the use of “shareable links” for AI-generated content unless approved by IT or leadership.
3. Centralize AI use with company-approved accounts: Provide employees with secure, company-controlled AI accounts instead of allowing personal logins. This lets you monitor access and enforce policies.
4. Conduct a shadow AI audit: Find out what tools employees are already using. This is often an eye-opener for leadership because unofficial AI use is more common than expected.
5. Train your team on AI security risks: Don’t assume employees know. Provide short, practical training on what’s safe to input into AI and what could put the company at risk.
6. Implement AI governance and monitoring tools: Use platforms designed to track AI usage, enforce policies, and flag risky behavior. This is especially critical if you handle regulated or sensitive data.
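A first pass at the shadow AI audit in step 4 can be run over web proxy logs you already collect. The sketch below is an added example, not part of the original article: the log format, the host list, and the `/share/<id>` path pattern are assumptions to adapt to your own proxy and tools.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Assumption: hostnames for the tools the article names; extend for your environment.
AI_HOSTS = {
    "chatgpt.com": "ChatGPT",
    "chat.openai.com": "ChatGPT",
    "claude.ai": "Claude",
    "midjourney.com": "Midjourney",
    "sharegpt.com": "ShareGPT",
}
# Assumption: shared-conversation links use a /share/<id> path.
SHARE_PATH = re.compile(r"^/share/[\w-]+")

# Constructed sample proxy log (hypothetical format): timestamp user method url status
SAMPLE_LOG = """\
2025-08-04T09:12:01Z alice GET https://chatgpt.com/c/abc123 200
2025-08-04T09:15:40Z bob POST https://claude.ai/api/append_message 200
2025-08-04T09:16:02Z alice GET https://chatgpt.com/share/6f1c2d3e-aaaa-bbbb-cccc-1234567890ab 200
2025-08-04T09:20:11Z carol GET https://intranet.example.com/wiki 200
2025-08-04T10:02:55Z dave GET https://www.midjourney.com/imagine 200
this line is malformed and must be skipped
2025-08-04T10:30:00Z bob GET https://notchatgpt.com.evil.example/ 200
2025-08-04T11:05:09Z erin GET https://sharegpt.com/c/Zx9Qw1 200
"""

def classify_host(host):
    """Map a hostname to a tool name, matching exact hosts and subdomains only."""
    host = host.lower().rstrip(".")
    for known, tool in AI_HOSTS.items():
        if host == known or host.endswith("." + known):
            return tool
    return None

def audit(log_text):
    """Return ({tool: [users]}, [(user, url)]); the list holds shared-link hits."""
    usage = defaultdict(set)
    shared = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 5 or not parts[3].startswith(("http://", "https://")):
            continue  # skip malformed lines instead of failing the whole audit
        _ts, user, _method, url, _status = parts
        target = urlsplit(url)
        tool = classify_host(target.hostname or "")
        if tool is None:
            continue
        usage[tool].add(user)
        # Shared links are the exposure path the article describes: flag for review.
        if tool == "ShareGPT" or SHARE_PATH.match(target.path):
            shared.append((user, url))
    return {tool: sorted(users) for tool, users in usage.items()}, shared

if __name__ == "__main__":
    tools, shared_links = audit(SAMPLE_LOG)
    for tool, users in sorted(tools.items()):
        print(f"{tool}: {len(users)} user(s): {', '.join(users)}")
    for user, url in shared_links:
        print(f"REVIEW shared link requested by {user}: {url}")
```

Matching on exact host or dot-prefixed suffix keeps look-alike domains out of the counts, and a shared-link hit only shows that a link was requested, so treat it as a prompt to review rather than proof of a leak.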
Why You Can’t Just Ignore This
The problem is bigger than a few public chats. AI tools are now embedded in how people work, often without guidance or oversight. Ignoring it increases your risk of:
Data breaches from unintended AI leaks
Compliance violations that trigger fines and legal issues
Loss of competitive advantage when sensitive strategy or product data leaks out
Reputation damage that erodes customer trust
And this isn’t a one-time event. The number of indexed AI conversations is growing, and malicious actors are actively scraping and analyzing AI-generated content for useful information. If your business doesn’t have a plan, you’re relying on luck.
How We Help
We work with business owners to remove luck from the equation. Our services include:
AI Policy Creation: We create clear, practical policies tailored to your business needs.
Shadow AI Audits: We identify which AI tools your team is using—official or not—and assess risks.
AI Governance & Compliance Frameworks: We implement monitoring tools and processes to keep AI use secure and compliant.
Secure AI Adoption Strategies: We help you leverage AI safely so it becomes a business advantage rather than a liability.
If you want to know exactly what AI risks exist in your business right now, we can help.
Want to know what’s out there about your company? Let’s start with a shadow AI risk assessment and discuss how to secure your business.
Contact us today to schedule a conversation and take control of AI before it becomes your next security or compliance problem.
According to Forbes, a mind-boggling 98.5% of passwords tested against modern hacking techniques couldn’t withstand even basic attacks. This isn’t a hypothetical problem. Billions of usernames and passwords have been leaked across multiple data breaches and are now available on the dark web. These databases are frequently used by hackers to automate credential stuffing and brute-force attacks across thousands of services.
If you’re still using passwords like Summer2024!, your pet’s name, or even slightly modified versions of old ones, you’re almost certainly on borrowed time. A password that was “good enough” a few years ago can now be cracked in seconds. The bar has been raised, and attackers are using sophisticated tools that mimic human password habits to get in faster than ever.
Why Most Passwords Fail
Hackers no longer rely on random guessing. They use massive lists of exposed passwords, some from leaked datasets totaling more than 16 billion credentials, which they blend with behavioral rules to guess what you’re likely to use. They understand that users often pick predictable patterns, like appending numbers or symbols to simple words (Password123! or Welcome2023!). These rule-based cracking techniques simulate human logic and are extremely effective. A recent arXiv study found that many human-generated passwords fall within the first few thousand guesses made by modern cracking software.
Short passwords, reused ones, or even long but predictable strings (like a quote or movie title) can often be cracked in minutes. Even when users try to get creative by substituting letters with numbers or special characters (P@ssw0rd!), those modifications are built into hacking tools’ guesswork logic.
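The same rules can be run in reverse at password-set time to reject anything that reduces to a common base word. This is an added example, not code from the original article; the blocklist and substitution table are small illustrative assumptions, and the function names are hypothetical.

```python
import re

# Assumption: a tiny illustrative blocklist; a real deployment would load a
# dictionary or breached-password list here.
BASE_WORDS = {"password", "welcome", "summer", "winter", "qwerty", "letmein"}

# Character swaps that rule-based guessing already applies (illustrative subset).
LEET = str.maketrans({"@": "a", "4": "a", "0": "o", "3": "e",
                      "1": "l", "$": "s", "5": "s", "7": "t"})

# Digits and symbols attached to the front or back of a word.
AFFIXES = re.compile(r"^[\d\W_]+|[\d\W_]+$")

def derived_base_word(password):
    """Return the blocklisted word this password reduces to, or None.

    Only the single-word-plus-decoration pattern is checked; multi-word
    passphrases are not split into their component words.
    """
    lowered = password.lower()
    stripped = AFFIXES.sub("", lowered)
    candidates = (
        lowered,                                  # the word itself
        stripped,                                 # Summer2024! -> summer
        stripped.translate(LEET),                 # P@ssw0rd!   -> password
        AFFIXES.sub("", lowered.translate(LEET)), # 5ummer!!    -> summer
    )
    for candidate in candidates:
        if candidate in BASE_WORDS:
            return candidate
    return None

def screen(passwords):
    """Map each candidate password to its base word (None means it passed)."""
    return {pw: derived_base_word(pw) for pw in passwords}

if __name__ == "__main__":
    # Examples taken from the article, plus its sample passphrase.
    samples = ["Summer2024!", "Password123!", "Welcome2023!", "P@ssw0rd!",
               "purple-squirrel-bikeshed-elephant"]
    for pw, base in screen(samples).items():
        verdict = f"REJECT (derives from '{base}')" if base else "ok"
        print(f"{pw:40} {verdict}")
```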
Real-World Consequences of Password Failure
It’s not just consumers or small businesses who are vulnerable. Credential-based attacks remain one of the top vectors for enterprise breaches, often leading to ransomware infections, data exfiltration, or complete system compromise. Attackers don’t discriminate—they go for low-hanging fruit, and that often means weak or reused passwords.
Whether it’s Apple IDs, Google accounts, or Linux servers, the story is the same: if the password is weak, the account is vulnerable. Hackers use automated tools that scan thousands of login pages simultaneously, injecting lists of stolen or guessed passwords. The attack surface is massive, and weak credentials are the easiest way in.
What You Can Do Right Now
1. Use Passkeys Instead of Passwords
Passkeys are gaining momentum because they completely remove the guessable password from the equation. They use a cryptographic key pair—one stored securely on your device, and the other verified by the service you’re logging into. Since there’s no password to intercept, guess, or reuse, they neutralize phishing and brute-force attacks entirely.
Companies like Google, Apple, and Microsoft have already implemented passkeys in their platforms, and users report a dramatically smoother login experience. As noted in a LinkedIn post by Nok Nok Labs, passkey registration has a 99% completion rate, and users log in three times faster on average.
2. Adopt a Reputable Password Manager
While you’re transitioning to passkeys, a password manager is your best friend. Tools like 1Password, Bitwarden, and Dashlane can generate and store long, complex passwords that you’d never remember on your own—and that’s the point. The passwords they create aren’t connected to your personal life, making them much harder to crack.
Avoid relying solely on browser-based password vaults. These are better than nothing, but dedicated tools provide enhanced security features, like monitoring for breached credentials and alerting you when passwords need to be updated.
3. Enable Multi-Factor Authentication (MFA)
Even if your password is strong, it could still be exposed in a breach. That’s where multi-factor authentication comes in. MFA requires a second layer of verification—often a code sent to your phone or a biometric scan—before granting access. This means that even if someone has your password, they still can’t get in.
Security experts across the board, including those quoted in the Forbes piece, emphasize MFA as a minimum requirement for any sensitive system. It’s not just good practice; it’s essential.
4. Regularly Audit Your Credentials
Many people don’t realize their password has been compromised until it’s too late. Tools like Have I Been Pwned allow you to check whether your email or password has appeared in any known data breaches. Use this as a routine check-up. If your credentials show up on one of these lists, change them immediately across all services where they’re used.
Businesses should also conduct organization-wide credential audits. Weak or reused passwords by just one employee can be the entry point for a larger breach.
5. Choose Passphrases, Not Words
If you’re stuck with passwords, the best bet is to switch from single words to full passphrases. Think combinations like “purple-squirrel-bikeshed-elephant”—strings of random, unrelated words that are easier to remember but exponentially harder to crack. Avoid anything predictable, like movie quotes or lyrics. If a phrase is famous or shows up in a common source, it can likely be guessed.
Still, even passphrases don’t offer the protection that passkeys or MFA do. They’re a temporary fix to an outdated system that’s slowly being phased out by major tech companies.
Bottom Line
Your password is probably among the 98.5% that fail a modern hacking test. That’s not meant to scare—it’s meant to inform and empower. The best step forward is to reduce reliance on passwords altogether. Start transitioning to passkeys. In the meantime, use a trusted password manager, enable multi-factor authentication, and audit your credentials regularly.
If you’re interested, we can walk you through setting up passkeys, choosing a top-tier password manager, or building a password audit workflow. Just let us know!
When summer rolls around, everyone’s thinking about PTO calendars, long weekends, and maybe even cutting out a little early on Fridays. But if your IT systems aren’t just as ready for the season as your people are, you could be setting yourself up for a meltdown—literally and figuratively.
IT tends to get overlooked when things slow down. But that’s exactly when trouble brews. Here’s how to prep your environment now, so you’re not scrambling in July.
1. Get Ahead of Patching and Firmware Updates
Summertime is open season for cyber threats. Attackers know that internal teams are stretched thin and response times slow down. That’s why now is the time to make sure every system—from your servers and switches to workstations and printers—is up to date.
If there are machines you can’t patch due to compatibility issues or legacy software, that’s fine. Just flag them, monitor them closely, and build in extra safeguards. An unpatched system that’s documented and monitored is far better than one that flies under the radar.
2. Don’t Wait Until July to Replace Aging Equipment
Heat, humidity, and heavier travel schedules put added stress on hardware. If any employee devices are already on their last legs, they won’t survive the season. And if you wait until the middle of July to order replacements, you’ll hit a wall of backorders and vacation-related shipping delays.
The solution is simple: take a quick inventory of what’s due for replacement. Prioritize mobile workers and execs first, then order early and schedule upgrades now, while everyone’s still around.
3. Make Sure You Can Recover—Fast
Every business says they have backups. Fewer have actually tested them. Before the season kicks into full swing, have your team run a real-world recovery drill. Restore a few critical files. Spin up a test server from a backup image. Time how long it takes.
This isn’t just a technical exercise—it’s a confidence boost. Knowing your team can recover quickly in a real emergency (especially when your IT lead is out on vacation) gives you one less thing to stress about.
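The drill described here, and the 90-day restore evidence insurers ask for, can be scripted so every run leaves a record behind. This is an added example, not part of the original article: the in-memory tar archive and hash manifest are constructed stand-ins for your real backup product, and the function names are hypothetical.

```python
import hashlib
import io
import tarfile
import tempfile
import time
from datetime import datetime, timedelta, timezone
from pathlib import Path

MAX_AGE_DAYS = 90  # evidence window the article says underwriters ask about

def sha256(data):
    return hashlib.sha256(data).hexdigest()

def make_sample_backup(files):
    """Constructed stand-in for a real backup: a tar.gz in memory plus a
    manifest of SHA-256 hashes recorded at backup time."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, data in files.items():
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue(), {name: sha256(data) for name, data in files.items()}

def restore_drill(archive, manifest, critical):
    """Restore the named files into a scratch directory, verify each against
    the manifest, and return a timestamped evidence record."""
    started = time.monotonic()
    results = {}
    with tempfile.TemporaryDirectory() as scratch, \
            tarfile.open(fileobj=io.BytesIO(archive), mode="r:gz") as tar:
        for name in critical:
            try:
                src = tar.extractfile(tar.getmember(name))
            except KeyError:
                results[name] = "missing from backup"
                continue
            if src is None:
                results[name] = "not a regular file"
                continue
            # Write under a flat name so archive paths cannot escape scratch.
            dest = Path(scratch) / Path(name).name
            dest.write_bytes(src.read())
            restored_hash = sha256(dest.read_bytes())
            results[name] = ("verified" if restored_hash == manifest.get(name)
                             else "hash mismatch")
    return {
        "tested_at": datetime.now(timezone.utc).isoformat(),
        "duration_seconds": round(time.monotonic() - started, 3),
        "files": results,
        "passed": bool(results) and all(v == "verified" for v in results.values()),
    }

def evidence_is_current(record, now=None):
    """True only if the drill passed and is no older than MAX_AGE_DAYS."""
    now = now or datetime.now(timezone.utc)
    tested = datetime.fromisoformat(record["tested_at"])
    return record["passed"] and now - tested <= timedelta(days=MAX_AGE_DAYS)

if __name__ == "__main__":
    backup, hashes = make_sample_backup({"finance/ledger.csv": b"a,b\n1,2\n"})
    print(restore_drill(backup, hashes, ["finance/ledger.csv"]))
```

A completed backup job with a stale or failed record here is exactly the gap the restore test is meant to catch, so keep the returned record with your renewal evidence.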
4. Run a Fire Drill for Your Incident Response Plan
It’s one thing to have an incident response policy. It’s another to test it when your top engineer is in a different time zone. That’s why tabletop exercises are so valuable. Simulate a ransomware attack. Pretend your CEO’s email was hacked. Walk through the actual steps your team would take.
The goal isn’t perfection. It’s about identifying gaps in the process and making sure people know who to call, what to do, and where the documentation lives when something real happens.
5. Prep for PTO Coverage Like a Pro
Everyone deserves a break. But that doesn’t mean support can stop. Before peak vacation season hits, make sure there’s a clear coverage plan in place. That might mean cross-training someone internally or leaning on your MSP for extra support.
Either way, ensure that whoever’s stepping in has access to the right documentation, knows which systems are most critical, and has a go-to contact in case something escalates.
Your Next Step: A 5-Minute Readiness Check
To help you stay organized, we’ve put all this into a simple, one-page guide you can share with your team.
Want more summer and less hassle? Call us today at (262) 524-9290 for a free Summer Readiness Review with Centurion. We’ll walk through your environment, flag the big risks, and help you head into summer with confidence.