Security considerations for adopting Claude Code and Cowork for SMBs

If your SMB is adopting Claude, roll out features gradually and protect your API keys, because you cannot outsource your security risks.

You are a security leader at a small or medium-sized business (SMB), and your organization has decided to adopt Claude. If you are like me, after the initial “surprise” wears off, you probably want to quickly get your arms around what adopting Claude means for the business, and for security specifically. Below are some lessons I learned, witnessed as a bystander or heard from fellow security leaders in the SMB space. The business wants to move fast, and Security is tasked with keeping up with that velocity.

Know what you are buying and accept that things are changing fast

Make sure you really understand what the organization is trying to achieve and which Claude plan you are buying. Understanding the Claude plan you are on, or planning to purchase, is important because most security necessities do not become available until the Team plan or higher. For example, while the Team plan provides SSO, the Compliance API is available only on the Enterprise plan. Claude Code (“Code”), Cloud Cowork (“Cowork”) and Claude Chat (“Chat”) are different products with different use cases and outcomes. The strategy here is to manage the blast radius. Most likely, every user will ask for “Claude” without knowing which plan or product they need to accomplish the task. I have found that an analogy works well here: Finance probably has a low appetite for giving everyone in the organization a corporate credit card with unlimited spending and no expense policy.

Along those same lines, it might not be necessary to equip everyone with a Claude license, and while some users might have a business case for using Cowork, not everyone will need Code. Provisioning these products is not always clear-cut. My recommendation is to stand up an agile approval process to determine who needs a Claude license in the first place, which products they need and how to initially control the blast radius that way. A word of warning, though: while it might seem that the user with the Claude license is now riskier than the one without it, that might not actually be true. Unless you can tightly control shadow AI use, the unlicensed user might be using Claude’s free plan or a different AI product altogether. Roughly half of employees are using shadow AI tools, while some other surveys say it could be even higher (in the 80th percentile).

Also, accept that keeping up with the ever-changing AI landscape is difficult, especially as an SMB security leader. Claude pushes updates almost daily, and functions and features move around within the organizational settings. Just keeping up with the speed of innovation is daunting, so do not feel bad if you do not have all the answers right away. We are all learning how to use and secure AI at the same time.

Shortcut tip: Unsure where to start? Ask Claude. Prompt it to explain your Claude plan’s features, which security features are available to you and what an implementation plan could look like for your organization. Also, if someone has a question for you, ask them, “Have you asked Claude?” Delegating at its finest.

Don’t enable everything all at once, and guard your keys

What I found works well is to risk-rank Claude’s features. If the advice above is related to blast radius, you can think of this as assessing the “attack vectors.” Undoubtedly, users will ask to have all Claude features enabled at once, but I recommend a phased approach. It is very easy in Claude’s organizational settings to simply toggle features on and off, and while there are some warnings about how a feature could impact security, it is not always clear how the feature works across Claude products or within them.

Enabling egress comes with a warning banner; enabling web search or a browser extension does not. However, the risk of indirect prompt injection is real and still emerging. A hard “no” might not work for the business, but a well-explained “maybe later” might. My recommendation is to go through Claude’s features and risk-rank them (or better yet, have Claude risk-rank them first) and build a roadmap from there. I ended up with three tranches: “enable now,” “enable with additional controls and monitoring,” and “do not enable until risk can be better controlled,” but yours might look different. A valuable resource we used was this implementation guide for Cowork, but there are others out there, and this one is for Cowork only.

One of the more confusing parts is how to manage API keys. Do not hand out the Anthropic API key; depending on who the “primary owner” of the Claude account is, that person controls the keys to the kingdom. Enabling a safe and structured way to administer API keys was difficult to figure out, since instructions are nowhere to be found in the organizational (admin) settings. Since this is a very complex topic, know that there are different kinds of API keys, and Anthropic has introduced the concept of workspaces. Further, the Admin API requires a special API key (starting with sk-ant-admin…) versus a standard key (sk-ant-api…). Access is always an area of high risk, so make sure to understand how the organization is issuing, managing and reviewing API keys. I recommend keeping the pool of people who can create API keys small, especially in the beginning.

Shortcut tip: Drop a pic. Did you know that Claude can analyze screenshots? If you are unsure what a specific Claude feature means for security, take a screenshot of the setting and prompt Claude to assess what that feature means based on your security policies, SOC 2 and so on. The more context you provide, the better the results.

You still can’t outsource the security risk, and the elephant in the room is still data

Do not assume security is automatically baked into Claude products, and getting visibility from a security standpoint can be a challenge. While Anthropic continuously improves security controls and guardrails for its products, just like in the early days of the internet, controls and guardrails are still being built, but that does not mean you are relieved of the responsibility to understand the security risks and concerns. For example, enabling Skills could lead to the execution of malicious code. While Anthropic issues guidance on how to author skills, there is no out-of-the-box solution yet. With the help of Claude Code, we created our own “skills auditor,” a mini workflow to automatically submit a skill for review. It uses internal documentation and Anthropic’s best-practice guide to audit the skill, identify potential issues and provide recommendations to fix them.

We are now looking to enhance the skill even further so it can provide an updated skill rather than just recommendations. The big challenge remains having good controls and governance around your data— not only what is going into Claude, but also what is coming out. And honestly, that might be one of the trickiest problems to solve, so if you have figured it out, call me. Web search in Cowork essentially acts like a proxy for web traffic. Websites or web content that you blocked or filtered with traditional tools might now bypass your controls. Also, LLMs are people pleasers: if they do not know the answer, they might make it up (aka hallucinate). Users are often inclined or tempted to take the output as truth. Not only can that create security issues, but it can also lead to bad business outcomes.

Shortcut tip: Leverage your existing tools and vendors as much as possible. Push them on emerging questions. They, just like you, have to adjust to new products and AI developments. Do not feel like you are on an island.

As security practitioners, I believe we all dream of the day when vulnerabilities get fixed automatically long before they hit production, but with implementation choices comes the possibility of doing it “wrong.” However, I also believe that as a security leader in the SMB space, you already have the skills and repetitions needed to make the right choices. You are probably used to less red tape, more agile compliance and a quicker time to market. That means you are constantly walking the line between risk and reward, and this is no different. All the best— you’ve got this!

This article is published as part of the Foundry Expert Contributor Network.
Want to join?