6 Ways to Prevent Leaking Private Data Through Public AI Tools

Tanya Wetson-Catt • 16 January 2026

We all agree that public AI tools are fantastic for general tasks such as brainstorming ideas and working with non-sensitive customer data. They help us draft quick emails, write marketing copy, and even summarise complex reports in seconds. However, despite the efficiency gains, these digital assistants pose serious risks to businesses handling customer Personally Identifiable Information (PII).


Most public AI tools use the data you provide to train and improve their models. This means every prompt entered into a tool like ChatGPT or Gemini could become part of their training data. A single mistake by an employee could expose client information, internal strategies, or proprietary code and processes. As a business owner or manager, it’s essential to prevent data leakage before it turns into a serious liability.


Financial and Reputational Protection


Integrating AI into your business workflows is essential for staying competitive, but doing it safely is your top priority. The cost of a data leak resulting from careless AI use far outweighs the cost of preventative measures. A single mistake by an employee could expose internal strategies, proprietary code, or sensitive client information. This can lead to devastating financial losses from regulatory fines, loss of competitive advantage, and the long-term damage to your company's reputation.


Consider the real-world example of Samsung in 2023. Multiple employees at the company's semiconductor division, in a rush for efficiency, accidentally leaked confidential data by pasting it into ChatGPT. The leaks included source code for new semiconductors and confidential meeting recordings, which were then retained by the public AI model for training. This wasn't a sophisticated cyberattack, it was human error resulting from a lack of clear policy and technical guardrails. As a result was that Samsung had to implement a company-wide ban on generative AI tools to prevent future breaches.


6 Prevention Strategies


Here are six practical strategies to secure your interactions with AI tools and build a culture of security awareness.


1. Establish a Clear AI Security Policy


When it comes to something this critical, guesswork won’t cut it. Your first line of defence is a formal policy that clearly outlines how public AI tools should be used. This policy must define what counts as confidential information and specify which data should never be entered into a public AI model, such as social security numbers, financial records, merger discussions, or product roadmaps.


Educate your team on this policy during onboarding and reinforce it with quarterly refresher sessions to ensure everyone understands the serious consequences of non-compliance. A clear policy removes ambiguity and establishes firm security standards.


2. Mandate the Use of Dedicated Business Accounts


Free, public AI tools often include hidden data-handling terms because their primary goal is improving the model. Upgrading to business tiers such as ChatGPT Team or Enterprise, Google Workspace, or Microsoft Copilot for Microsoft 365 is essential. These commercial agreements explicitly state that customer data is not used to train models. By contrast, free or Plus versions of ChatGPT use customer data for model training by default, though users can adjust settings to limit this.


The data privacy guarantees provided by commercial AI vendors, which ensure that your business inputs will not be used to train public models, establish a critical technical and legal barrier between your sensitive information and the open internet. With these business-tier agreements, you’re not just purchasing features; you’re securing robust AI privacy and compliance assurances from the vendor.


3. Implement Data Loss Prevention Solutions with AI Prompt Protection


Human error and intentional misuse are unavoidable. An employee might accidentally paste confidential information into a public AI chat or attempt to upload a document containing sensitive client PII. You can prevent this by implementing data loss prevention (DLP) solutions that stop data leakage at the source. Tools like Cloudflare DLP and Microsoft Purview offer advanced browser-level context analysis, scanning prompts and file uploads in real time before they ever reach the AI platform.


These DLP solutions automatically block data flagged as sensitive or confidential. For unclassified data, they use contextual analysis to redact information that matches predefined patterns, like credit card numbers, project code names, or internal file paths. Together, these safeguards create a safety net that detects, logs, and reports errors before they escalate into serious data breaches.


4. Conduct Continuous Employee Training


Even the most airtight AI use policy is useless if all it does is sit in a shared folder. Security is a living practice that evolves as the threats advance, and memos or basic compliance lectures are never enough.


Conduct interactive workshops where employees practice crafting safe and effective prompts using real-world scenarios from their daily tasks. This hands-on training teaches them to de-identify sensitive data before analysis, turning staff into active participants in data security while still leveraging AI for efficiency.


5. Conduct Regular Audits of AI Tool Usage and Logs


Any security program only works if it’s actively monitored. You need clear visibility into how your teams are using public AI tools. Business-grade tiers provide admin dashboards, make it a habit to review these weekly or monthly. Watch for unusual activity, patterns, or alerts that could signal potential policy violations before they become a problem.


Audits are never about assigning blame, but identifying gaps in training or weaknesses in your technology stack. Reviewing logs might help you discover which team or department needs extra guidance or indicate areas to refine and close loopholes.


6. Cultivate a Culture of Security Mindfulness


Even the best policies and technical controls can fail without a culture that supports them. Business leaders must lead by example, promoting secure AI practices and encouraging employees to ask questions without fear of reprimand.


This cultural shift turns security into everyone’s responsibility, creating collective vigilance that outperforms any single tool. Your team becomes your strongest line of defence in protecting your data.


Make AI Safety a Core Business Practice


Integrating AI into your business workflows is no longer optional, it’s essential for staying competitive and boosting efficiency. That makes doing it safely and responsibly your top priority. The six strategies we’ve outlined provide a strong foundation to harness AI’s potential while protecting your most valuable data.



Take the next step toward secure AI adoption, contact us today to formalise your approach and safeguard your business.

Let's Talk Tech

More from our blog

Beyond Chatbots: Preparing Your Small Business for “Agentic AI” in 2026

by Tanya Wetson-Catt 2 March 2026
AI chatbots can answer questions. But now picture an AI that goes further, updating your CRM, booking appointments, and sending emails automatically. This isn’t some far-off future. It’s where things are headed in 2026 and beyond, as AI shifts from reactive tools to proactive, autonomous agents. This next wave of AI is called “Agentic AI.” It describes AI that can set a goal, figure out the steps, use the right tools, and get the job done on its own. For a small business, that could mean an AI that takes an invoice from inbox to paid, or one that runs your whole social media presence. The upside is massive efficiency, but it also means you need to be prepared. When AI gets more powerful, having the right controls matters just as much. What Makes an AI “Agentic”? Think of the difference between a tool and an employee. A chatbot is a tool you use to help you with tasks while you stay in control. An AI agent, on the other hand, is more like a digital employee you give direction to. It has access to systems, can make decisions with set boundaries, and learns from outcomes. A research article on the evolution and architecture of AI agents explains the big shift like this: AI is moving from tools that wait for instructions to systems that work toward goals on their own. Instead of just helping with tasks, AI starts doing the work, making it possible to hand off whole processes and collaborate with it like a teammate. The 2026 Opportunity for Your Business For small businesses, this is about real leverage. Agentic AI can work around the clock, clear out repetitive bottlenecks, and cut down errors in routine processes. That means things like personalising customer experiences at scale or even adjusting supply chains in real time become possible. And this isn’t about replacing your team. It’s about leveling them up. AI takes the busywork so your people can focus on strategy, creativity, tough problems, and relationships, the things humans do best. Your role shifts too, from doing everything yourself to guiding and supervising your AI. What You Need Before You Launch Agentic AI Before you hand over your processes to an AI agent, you need to make sure those processes are rock solid. The reasoning is simple: AI will amplify whatever it touches, order or chaos, with equal efficiency. That’s why preparation is key. Start with this checklist: 1. Clean and Organise Your Data: AI agents make decisions based on the data you give them. Garbage in means not just garbage out, it can lead to major errors. Audit your critical data sources first. 2. Document Workflows Clearly: If a human can’t follow a process step by step, an AI won’t be able to either. Map out each workflow in detail before you automate. Building Your Governance Framework Just like with human team members, delegating to an AI agent requires oversight. That means setting up clear guardrails by asking a few key questions: What decisions can the AI agent make on its own? When does it need human approval or guidance? What are its spending limits if it handles finances? Which data sources is it allowed to access? Answering these questions lets you build a framework that becomes your company’s rulebook for its “digital employees.” Security is another critical piece. Every AI agent needs strict access controls, following the principle of least privilege. Just as you wouldn’t give an intern full access to the company bank account, you must carefully define which systems and data each agent can touch. Regular audits of agent activity are now a non-negotiable part of good IT hygiene. Start Preparing Your Business Today You don’t have to deploy an AI agent immediately, but you can start laying the groundwork today. Start by identifying three to five repetitive, rules-based workflows in your business and document them in detail. Then, clean up and centralise the data those workflows rely on. Try experimenting with existing automation tools as a stepping stone. Platforms that connect your apps, like Zapier or Make, let you practice designing triggered, multi-step actions. Thinking this way is the perfect training ground for an agentic AI future. Embracing the Role of Strategic Supervisor The businesses that will thrive are the ones that learn to manage a blended workforce of humans and AI agents. Research from Stanford University suggests that key human skills are shifting, from information-processing to organisational and interpersonal abilities. In a world with agentic AI, leadership means setting agent goals, defining ethical boundaries, providing creative direction, and interpreting outcomes. Agentic AI is a true force multiplier, but it depends on clean data and well-defined processes. It rewards careful preparation and punishes the hasty. By focusing on data integrity and process clarity now, you position your business not just to adapt, but to lead. Contact us today for a technology consultation on AI integration. We can help you audit workflows and create a roadmap for reliable, effective adoption. Article FAQ What is a simple example of Agentic AI in a small business? A good example is an AI agent that monitors inventory levels. For example, when stocks run low, it contacts pre-approved suppliers, negotiates prices based on preset limits, and places a purchase order, all autonomously. Are AI agents expensive to implement for small businesses? Not necessarily. Most AI agents operate on a subscription model, and there are many open-source solutions that you can self-host and run locally. Ideally, the larger cost is not the technology, but investing in preparing your data and workflows for use by the AI agent. What is the biggest risk of using autonomous AI agents? The biggest risk is “unchecked autonomy,” which leads to automation chaos. Basically, implementing an AI agent without clear limits, oversight, and audit logs could lead to financial loss, reputational damage, and security breaches if the agent makes erroneous decisions or is manipulated.

Securing the ‘Third Place’ Office Policy Guidelines for Employees Working From Coffee Shops and Coworking Spaces

by Tanya Wetson-Catt 25 February 2026
The modern office extends far beyond traditional cubicles or open-plan spaces. Since the concept of remote work became popularised in the COVID and post-COVID era, employees now find themselves working from their homes, libraries, bustling coffee shops, and even vacation destinations. These environments, often called “ third places ,” offer flexibility and convenience but can also introduce risks to company IT systems. With remote work now a permanent reality, businesses must adapt their security policies accordingly. A coffee shop cannot be treated like a secure office, as its open environment exposes different types of threats. Employees need clear guidance on how to stay safe and protect company data. Neglecting security on public Wi-Fi can have serious consequences, as hackers often target these locations to exploit remote workers. Equip your team with the right knowledge and tools, and enforce a robust external network security policy to keep company data safe. The Dangers of Open Networks Free internet access is a major draw for remote workers frequenting cafes, malls, libraries, and coworking spaces. However, these networks rarely have encryption or strong security, and even when they do, they lack the specific controls that would be present in a secure company network. This makes it easy for cybercriminals to intercept network traffic and steal passwords or sensitive emails in a matter of seconds. Attackers often set up fake networks that look legitimate. They might give them names such as “Free Wi-Fi” or give them a name resembling a nearby business, such as a coffee shop or café, to trick users. Once connected, the hacker who controls the network sees everything the employee sends. This is a classic “man-in-the-middle” attack. It is critical to advise employees never to rely on open connections. Networks that require a password may still be widely shared, posing significant risks to business data. Exercise caution at all times when accessing public networks. Mandating Virtual Private Networks The most effective tool for remote security is a VPN. A Virtual Private Network encrypts all data leaving the laptop by creating a secure tunnel through the unsecured public internet. This makes the data unreadable to anyone trying to snoop. Providing a VPN is essential for remote work, and employees should be required to use it whenever they are outside the office. Ensure the software is easy to launch and operate, as overly complex tools may be ignored. Whenever possible, configure the VPN to connect automatically on employee devices, eliminating human error and ensuring continuous protection. At the same time, enforce mandatory VPN usage by implementing technical controls that prevent employees from bypassing the connection when accessing company servers. The Risk of Visual Hacking Digital threats are not the only concern in public spaces since someone sitting at the next table can easily glance at a screen. Visual hacking involves stealing information just by looking over a shoulder, which makes it low-tech but highly effective and hard to trace. Employees often forget how visible their screens are to passers-by, and in a crowded room full of prying eyes, sensitive client data, financial spreadsheets, and product designs are at risk of being viewed and even covertly photographed by malicious actors. To address this physical security gap, issue privacy screens to all employees who work remotely. Privacy screens are filters that make laptop and monitor screens appear black from the side, and only the person sitting directly in front can see the content. Some devices come with built-in hardware privacy screens that obscure content so that it cannot be viewed from an angle. Physical Security of Devices Leaving a laptop unattended is a recipe for theft. In a secure office, you might walk away to get water or even leave the office and expect to find your device in the same place, untouched. In a coffee shop, that same action can cost you a device, since thieves are always scanning for distracted victims and are quick to act. Your remote work policy should stress the importance of physical device security. Employees must keep their laptops with them at all times and never entrust them to strangers. A laptop can be stolen and its data accessed in just seconds. Encourage employees to use cable locks, particularly if they plan to remain in one location for an extended period. While not fool proof, locks serve as a deterrent, especially in coworking spaces where some level of security is expected. The goal is to make theft more difficult, and staying aware of the surroundings helps employees assess potential risks. Handling Phone Calls and Conversations Coffee shops can be noisy, but conversations still travel through the air. Discussing confidential business matters in public is risky, as you never know who might be listening. Competitors or malicious actors could easily overhear sensitive information. Employees should avoid discussing sensitive matters in these “third places.” If a call is necessary, they should step outside or move to a private space, such as a car. While headphones prevent others from hearing the other side, the employee’s own voice can still be overheard. Creating a Clear Remote Work Policy Employees shouldn’t have to guess the rules. A written policy clarifies expectations, sets standards, and supports training and enforcement. Include dedicated sections on public Wi-Fi and physical security, and explain the reasoning behind each rule so employees understand their importance. Make sure the policy is easily accessible on the company intranet. Most importantly, review this policy annually as technology changes. As new threats emerge, your guidelines must also evolve to counter them. Make routine updates to the policy, and reissue the revised versions to keep the conversation about security alive and ongoing. Empower Your Remote Teams While working from a “third place” offers flexibility and a morale boost, it also requires a higher level of vigilance. This makes prioritising public Wi-Fi security and physical awareness non-negotiable, and you must equip your team to work safely from anywhere. With the right tools and policies, you can manage the risks while enjoying the benefits of remote work. Success comes from balancing freedom with responsibility, and well-informed employees serve as your strongest line of defence. Protect your data, no matter where your team works.  Is your team working remotely without a safety net? We help businesses implement secure remote access solutions and policies, ensuring your data stays private, even on public networks. Call us today to fortify your remote workforce.

The Server Refresh Deadline: Why Windows Server 2016’s End of Support Should Drive Your Cloud Migration Plan

by Tanya Wetson-Catt 20 February 2026
Time moves fast in the world of technology, and operating systems that once felt cutting-edge are becoming obsolete. With Microsoft having set the deadline for Windows Server 2016 End of Support to January 12, 2027 , the clock is ticking for businesses that use this operating system. Once support ends, Microsoft will no longer provide security updates or patches, leaving your business systems vulnerable. It’s not just about missing new features, continuing to use unsupported software significantly increases the risk of cyberattacks. If your systems are still on Windows Server 2016, now is the time to plan your upgrade. With about a year until support ends, waiting until the last minute can lead to rushed decisions and higher costs. Understanding the Security Implications When support ends, the protection provided by security updates and patches disappears, as Microsoft will no longer fix bugs or vulnerabilities. Hackers often target unsupported systems, knowing any new exploits will go unpatched and open the door to attacks. Legacy systems put IT administrators in a tough spot. Without vendor support, defending against threats becomes nearly impossible, compliance with industry regulations is compromised, and running unsupported software can lead to failed audits. Additionally, customer data on servers running this operating system is vulnerable to theft and ransomware. The cost of a breach far outweighs the cost of upgrading. Using unsupported systems is like driving a faulty, uninsured car, failure is inevitable. The question isn’t if it will happen, but when. The Case for Cloud Migration With the end-of-support deadline approaching, businesses face a choice: purchase new physical servers that run the latest Windows Server editions, or migrate their infrastructure to the cloud. Investing in new hardware and software comes with substantial upfront costs and locks you into that capacity for five years, the typical span of mainstream support for Windows Server , plus an additional five years for Long-Term Servicing Channel (LTSC) releases. On the other hand, a cloud migration strategy offers a more flexible alternative. Platforms such as Microsoft Azure or Amazon’s AWS cloud services, allow you to select virtualised computing resources such as servers and storage, which can scale as needed. On these platforms, you only pay for what you use, transforming your IT spending from capital expenditure to operating expense. The cloud provides greater reliability and disaster recovery, eliminating concerns about hard drive failures in your server rack. Cloud providers handle the management and upgrades of the physical infrastructure, freeing your IT team to focus on driving business growth. Analyse Your Current Workloads Before moving to the cloud, it’s essential to know what you’re working with. Take inventory of all applications running on your Windows Server 2016 machines. While some are cloud-ready, others may need updates or reconfiguration. Identify which workloads are critical to your daily operations and prioritise them in your migration plan. You may also discover applications you no longer need, making this an ideal time to streamline and clean up your environment. When in doubt, consult with your software vendors to confirm compatibility, as they might have specific requirements for newer operating systems. Gathering this information early helps you to avoid surprises during the actual migration. Create a Phased Migration Plan When transitioning to a new system, moving everything at once is risky, ‘big bang’ migrations often cause downtime and confusion. The best approach is a phased migration to manage risk effectively. Begin with low-impact workloads to test the process, then proceed to medium and high-impact workloads once you’re confident everything runs smoothly. Set a realistic timeline that beats the server upgrade deadline by a significant margin, and then work backward from the end-of-support date. This approach allows for plenty of buffer time for testing and troubleshooting, since rushing migrations often results in mistakes and security gaps. Communicate the schedule to your staff clearly, they need to know when maintenance windows will occur, so that they can also manage their workflows effectively. Managing expectations is just as important as managing servers, and you don’t want to get in your own way. A smooth transition requires everyone to be informed and on the same page. Test and Validate Once you migrate a workload, it’s essential to verify that it functions as expected. Key questions to ask include: Does the application launch correctly? Can users access their data without permission errors? Testing is the most critical phase of any migration. After migration, run extensive performance benchmarks to compare the new system with the old one. The cloud should offer equal or better speed, and if things are slow, you might need to adjust resources. Optimisation will be a normal part of the migration process, until you find the perfect balance that works for you. The summarised steps for a successful migration include: Audit all current hardware and software assets Choose between an on-premise upgrade or a cloud migration Back up all data securely before making changes Test applications thoroughly in the new environment Do not declare victory until users confirm everything is working. The Cost of Doing Nothing Ignoring the end of support deadline is not a viable strategy. Some businesses hope to delay until the last minute and then rush a migration, but this is extremely risky. Cybercriminals constantly target outdated, vulnerable systems, often using automated bots to scan for weaknesses. If you continue using Windows Server 2016 past the extended support dates, you may need to purchase 'Extended Security Updates.' While Microsoft offers this service, it is extremely costly, and the price rises each year, making it more a penalty for delay than a sustainable long-term solution. Act Now to Modernise Your Infrastructure If your business still relies on Windows Server 2016, the end of support marks a pivotal moment for your IT strategy, upgrading your technology stack is no longer optional. Whether you choose new hardware or a cloud solution, decisive action is required. Take this opportunity to enhance your legacy system’s security and efficiency, ensuring your modern business runs on a modern infrastructure. Don’t let time compromise your data’s safety, plan your migration today and safeguard your future.  Concerned about the approaching Windows Server 2016 end-of-support deadline? We specialise in smooth migrations to the cloud and modern server environments. Let us take care of the technical heavy lifting, contact us today to begin your upgrade plan.