AI in SMBs, Washington's New Tech Tax, and Major Cybersecurity Breaches: What You Need to Know

[00:00:02] It's Thursday, May 22nd, 2025, and I'm Dave Solt. Three things to know today. Small businesses embrace AI but are struggling with impact. Washington State adds a tech tax amidst growing budget gaps. Congress pushes to override state AI laws sparking a privacy fight. And cybersecurity failures are stacking up, from Delta's lawsuit against CrowdStrike, to AI-powered voice fraud, a surging malware network, and North Korean remote worker scams.

[00:00:30] This is the Business of Tech. Considering the slew of AI announcements I covered yesterday from Build and Google I.O., what is everyone doing with all this AI? Small businesses are increasingly focusing their investments on artificial intelligence, particularly in personalized email marketing, which has emerged as a top channel for 18.9% of small to mid-sized businesses in 2025, according to a study by Braze.

[00:00:56] This shift comes as 38% of those businesses now deploy AI, consistent with prior research. While email marketing continues to deliver strong returns on investment, the introduction of AI technology allows for more precise targeting and analytics. Additionally, the study highlights that small businesses are applying AI across various functions, including data analysis and customer service. Yet, 35% of respondents cite a lack of familiarity with the technology as a barrier to implementation.

[00:01:25] A recent survey by Verizon Business reveals that small and medium-sized businesses are rapidly adopting technology generally, particularly artificial intelligence and cybersecurity measures, to enhance their market growth and operational efficiency. Conducted by Morning Consult, the 2025 State of Small Business survey highlights that 47% of businesses have updated their cybersecurity solutions, while 38% are actively using artificial intelligence across various functions, including data analysis and customer service.

[00:01:55] The report indicates that over half of the respondents believe artificial intelligence can address challenges related to employee management, with 56% considering it a tool for improving headcount issues. Additionally, 76% of small and medium-sized businesses agree that social media positively influences their performance, although more than half struggle to keep their online content fresh.

[00:02:18] A recent National Bureau of Economic Research study reveals that investments in artificial intelligence chatbots have yielded minimal productivity gains across 7,000 workplaces. The researchers found that the time savings from these technologies amounted to only 3%, with no significant impact on earnings or recorded work hours.

[00:02:38] The report highlights that while there has been substantial hype around AI's potential, particularly in companies like Shopify and Duolingo, the actual economic benefits have not materialized. In Denmark, where the data was primarily collected, the integration of AI has not led to large-scale layoffs nor considerable advantages for employers or employees. Instead, the hype appears to be driven by a fear of missing out in competitive markets rather than genuine advancements in productivity.

[00:03:08] Recent research from Georgia State University reveals that the impact of artificial intelligence on the job market is complex, potentially leading to both job displacement and growth, depending on the type of tasks involved. The study analyzed over 5 million patents filed between 2007 and 2023, identifying seven domains of human labor that AI can automate, including language, perception, and creativity.

[00:03:33] AI tools that enhance engagement, learning, and creativity significantly increase employment in industries such as finance and design. Conversely, tools focused on perception and motor control displacing workers in farming and construction sectors. A report from Forrester predicts that this trend may accelerate with the rise of humanoid robots.

[00:03:55] The research emphasizes that the potential financial benefits of AI adoption largely depend on the availability of skilled labor, suggesting that firms with a higher number of skilled workers can leverage AI more effectively. Why do we care? Because beneath the hype cycle driven by events like build and Google I.O., the real-world application of AI in business, especially among SMBs, is murky, inconsistent, and increasingly tactical.

[00:04:23] Providers serving the market need to separate signal from noise. AI is not an innovation story, it's a utility story, and increasingly a usability and labor story too. Consider that the models themselves are rapidly moving to commodities, and so far the successful cases are low-hanging fruit. This exposes the gap between AI capability and actual adoption.

[00:04:47] Providers should not oversell AI as revolutionary, they should frame it as incremental advantage and help clients deploy tactically with measurable outcomes. AI adoption is often driven by fear of being left behind rather than by demonstrated business impact. This is important. It indicates that many AI projects will fail quietly unless they are rooted in clear use cases and supported by change management.

[00:05:14] MSPs and IT providers can create real differentiation by cutting through the hype and driving realistic outcomes. There's gold in this rush, but only for those willing to mine it with a shovel, not just chase it with a microphone. This episode is supported by AFI.AI, MSP-focused backup reliable at petabyte scale.

[00:05:37] AFI.AI delivers intelligent backup for Microsoft 365, Azure, Google Workspace, Kubernetes, and AWS. Its AI engine is designed to detect threats and act before damage is done. It performs preemptive backups during ransomware attacks where immutable snapshots ensure data integrity. AFI.AI is the only solution offering full-text search across backups.

[00:06:04] It also features single management portal to manage all clients and workloads, granular access roles, automated reporting, and APIs for integrations. Administrators can restore entire accounts or individual items with a single click, and cross-tenant recovery simplifies migrations between domains. With AFI.AI, organizations gain faster, more reliable protection and unparalleled visibility into their cloud data.

[00:06:29] Start your free trial at AFI.AI slash office dash 365 dash backup. Let's catch up on a round of legislative moves. Washington state lawmakers have approved a new sales tax on technology and digital services, set to take effect in October of 2025.

[00:06:48] This legislation, known as Senate Bill 5814, is expected to generate approximately $2.9 billion in the upcoming two-year budget cycle and $4.7 billion over four years, addressing a projected $16 billion budget shortfall. The tax will apply to a range of businesses, including advertising agencies and software development firms, requiring them to collect sales tax from customers.

[00:07:11] The Washington Technology Industry Association has expressed concerns that the new tax may reduce competitiveness and hinder the growth of the state's tech sector, which constitutes about 22% of the state's economy. President Trump has signed the Take It Down Act into law, which aims to combat online sexual exploitation by imposing strict penalties for the non-consensual publication of intimate images, including deepfakes created using artificial intelligence.

[00:07:39] This legislation, supported by both Senator Ted Cruz and Congresswoman Marie Elvira Salazar, received overwhelming bipartisan approval, passing the House with a vote of 409 to 2 and achieving unanimous consent in the Senate. The law mandates that websites and social media platforms must remove such harmful content within 48 hours of a victim's request and make necessary actions to delete duplicate material.

[00:08:05] Critics, however, expressed concerns that the bill's broad language could lead to censorship of legitimate content and infringe on free speech rights. Congress is moving to implement a moratorium on state regulations regarding artificial intelligence, with House Republicans advocating legislation that would prohibit enforcement of over 20 laws passed in California to regulate technology.

[00:08:28] According to the Transparency Coalition, this proposed legislation, introduced by Congressman Brett Guthrie of Kentucky, could hinder nearly 600 draft bills under consideration in 45 states aimed at AI regulation. Critics, including California state officials, argue that this moratorium threatens essential privacy protections, such as the right to opt out of automated decision-making, approved by voters in 2020.

[00:08:54] Ben Winters, an attorney for the Consumer Federation of America, warns that if passed, the law would undermine state efforts to protect citizens from AI-related harms, including discrimination and privacy violations. Meanwhile, proponents of the moratorium, such as Representative Jay Orbanalti, suggest that a consistent regulatory framework is necessary to foster innovation and prevent a fragmented approach across states.

[00:09:18] The Department of Homeland Security is under scrutiny for not disclosing how many employees have been let go from the Cybersecurity and Infrastructure Security Agency. During a recent congressional hearing, Representative Benny Thompson expressed concern that this lack of transparency could jeopardize national security as adversaries increasingly target U.S. systems.

[00:09:38] Thompson highlighted that despite multiple requests for information, DHS Secretary Kristi Noem has not provided answers regarding staff reductions at CISA and the Federal Emergency Management Agency. This comes amid a proposed budget cut of $491 million to CISA for the fiscal year 2026, prompting further bipartisan concerns about the agency's ability to fulfill its cybersecurity mission.

[00:10:03] And in protection we aren't getting, the White House has officially abandoned a plan intended to prevent data brokers from selling sensitive personal information of Americans, including Social Security numbers. This decision comes from the Consumer Financial Protection Bureau, which had previously aimed to close a loophole in the Fair Credit Reporting Act that would have subjected data brokers to the same privacy protections as other financial institutions.

[00:10:28] The rule was withdrawn by Russell Voight, the acting director of the Bureau, who stated that it does not align with the Bureau's current interpretation of the law. The data broker industry, valued in the multi-billion dollar range, has faced scrutiny for collecting and selling personal data without explicit consent, raising concerns about privacy and security. Now why do we care? The headline, taxes on IT services are spreading, Maryland passed theirs, here's Washington State, and they're not alone.

[00:10:56] Generally, you need to stay updated on the laws, or lack thereof, that affect you and your clients. I'll point out that federal preemption of state AI laws could undermine stronger consumer protections just as states are finally making progress. This is a political turf war with real consequences for providers. While I am certainly not a lawyer, I don't believe this has much long-term substance. The Supreme Court ruled that the federal government couldn't stop states from allowing sports gambling.

[00:11:26] I would argue that they can't do this either without also establishing federal standards. It would just be confusing and messy in the interim. I don't want to clear my security story backlog here with some really good ones. Delta Airlines has received the green light from a federal judge to proceed with its lawsuit against cybersecurity firm CrowdStrike, following that significant outage last summer that resulted in the cancellation of 7,000 flights.

[00:11:53] The outage, described as the largest IT failure in history, was attributed to a faulty software update, busting U.S. Fortune 500 companies an estimated $5.4 billion, with Delta facing $550 million in lost revenue and additional costs. Judge Kelly Lee Elberly of Fulton County Superior Court noted that CrowdStrike's president admitted the company made a

[00:12:16] quote, horribly wrong, end quote, mistake, which is the critical point in Delta's case claiming gross negligence. Furthermore, CrowdStrike contends that Delta's own operational issues contributed to the severity of the disruptions. Over 394,000 Windows devices have been infected with Luma Steeler malware, prompting a significant response from Microsoft and Europol.

[00:12:40] In a collaborative operation, the two organizations have successfully disrupted the malware's communication channels and seized more than 1,300 related domains, which now redirect to research-focused sinkholes. Luma Steeler has been marketed as malware as a service, allowing cybercriminals to customize and distribute the tool easily. The malware has been linked to various cybercriminal activities, including the harvesting of sensitive information, such as passwords and credit card details.

[00:13:08] According to Europol, the main developer of Luma operates from Russia and claims to serve over 400 active clients. The Federal Bureau of Investigation has issued a warning about a malicious campaign in which hackers use artificial intelligence generated voice clones to impersonate senior U.S. government officials. This campaign has been reported ongoing since April and aims to access personal accounts by leveraging these convincing voice simulations.

[00:13:35] In recent years, high-profile incidents have highlighted the dangers of AI-generated attacks, such as a $25 million fraud case involving a British engineering firm that was targeted through a false video call. The FBI describes these tactics as smishing and vishing, which blend social engineering with advanced technology, making it increasingly difficult for victims to discern real communications from fraudulent ones.

[00:14:01] According to recent research, nearly 70% of businesses are developing response plans for deep fake threats as the trend continues to rise, indicating growing awareness and proactive stance against these scams. North Korean hackers have successfully stolen approximately $88 million by creating fake identities to secure remote IT jobs at U.S. companies and nonprofits over a span of six years.

[00:14:25] The U.S. Department of Justice indicted 14 North Korean nationals in December of 2024 for their involvement in this elaborate scheme. According to an investigation by the security firm Flashpoint, the hackers utilized fake companies and identities to craft convincing resumes and references. Their tactics included using remote desktop software, which allowed them direct access to sensitive U.S. company networks.

[00:14:48] The investigators revealed that the hackers communicated extensively in both English and Korean, using methods to avoid detection while expressing frustration over remote, poor worker performance. Why do we care? Cybersecurity is about resilience, responsibility, and response. Each incident here reveals a failure or risk vector that matters to providers and the customers they support. CrowdStrike's failure is one of the manufacturer having accountability.

[00:15:16] Producing cybersecurity software, yet having no liability in how effective it is, is insane. Cybersecurity companies make money if their stuff works or not. There have to be minimum requirements for effectiveness, and hiding behind risk management doesn't cut it. I'm uncomfortable rooting for Delta, but here I am. I'm also highlighting the risks of AI voice generation now. Clients increasingly rely on trust-based systems like email or voice approvals.

[00:15:43] As AI removes the friction in faking authority, every customer becomes vulnerable to engineered fraud. While there is a risk of overreacting – you can't assume every call is a fake – the goal should be systematic validation. The connecting thread here is failure at the seams between trust and verification. Between internal systems and third-party platforms. Between legitimate access and malicious use. Between voice and identity.

[00:16:09] IT service providers must rebuild their value narrative around trust governance. Not just managing tech, but securing relationships. Thanks for listening. Today is National Maritime Day, Chardonnay Day, and National Boss Babe Day. Let's not forget National Crafted Distillery Day, and National Vanilla Pudding Day. So, a business-owning woman standing on a boat with booze and pudding.

[00:16:36] The Business of Tech is written and produced by me, Dave Sobel, under ethics guidelines posted at businessof.tech. If you've enjoyed the show, make sure you've subscribed or followed on your favorite platform. It's free and helps directly. Give us a review, too. If you want to support the show, visit patreon.com slash MSP Radio, and you'll get access to content early. Or, buy our Why Do We Care merch at businessof.tech.

[00:17:05] Have a question you want answered? We take listener questions, send them in, ideally as a voice memo or video to question at MSP Radio.com. I answer listener questions live on our Wednesday live show on YouTube and LinkedIn. If you've got a comment or a thought on a story, put it in the comments if you're on YouTube, or reach out on LinkedIn if you're listening to the podcast. And if you want to advertise on the show, visit MSP Radio.com slash engage.

[00:17:32] Once again, thanks for listening, and I will talk to you again on our next episode. Part of the MSP Radio Network.