Your business may be small, but its attack surface is anything but. Readiness is the first step to resilience.
26 Jun 2026 • 5 min. read

SMB cybersecurity isn’t always given the attention it deserves, including by small businesses themselves. That’s concerning for several reasons, notably because these companies account for 90% of the world’s businesses, 70% of its employees, and 50% of global GDP, according to the World Economic Forum (WEF). With fewer resources to spend on cybersecurity, every dollar must be allocated as effectively as possible.
For these businesses, cyber resilience should be the direction of travel – that is, the ability to continue operating and recover even during a serious incident. But where does the journey start? Cyber readiness is about putting in place the processes and controls to prevent, detect and respond to threats. A new ESET report details how well SMBs are doing, what their biggest challenges are, and what should happen next.
Cybersecurity as an operating condition
SMBs are in many ways no different from their larger peers. They face a threat landscape that continues to evolve at pace, with adversaries harnessing the latest technologies to increase the volume, scale, and speed of attacks. The corporate attack surface is expanding with each new digital tool and investment. Employees remain a source of risk. And businesses must meet a growing number of regulatory mandates.
According to the ESET report, 45% of SMBs suffered a cyber incident last year, and even more (61%) fear an attack over the coming 12 months. They’re most concerned about data loss, operational disruption and financial impact.
These are the kinds of concerns that SMB owners share with the CISOs and boards of the largest multinationals. They speak to the business-criticality of cyber readiness, and to why security must function as an operating condition – not a siloed IT function, but something deeply embedded into culture and business operations. This shift is critical because, while many SMBs eventually recover, 34% still require two to six weeks to resolve an incident – a duration of operational pain that can be disastrous for many firms.
Is it all about AI?
The report also reveals that most (73%) SMBs are integrating AI into their business, even though they acknowledge that this will introduce new risks. But there are also concerns about its potential in the wrong hands. In fact, AI-powered malware is cited as the “most concerning threat” by a plurality of respondents. Should it feature so prominently?
The truth is that malware using AI in an automated and real-time way is still uncommon, despite what the news headlines may say. Sightings are relatively rare, making it more a topic for cybersecurity researchers than a burning concern for SMBs.
If we look at actual cybersecurity incidents, the usual suspects are responsible for the majority of events. Phishing and unpatched vulnerabilities come top, which chimes with data from other sources such as Verizon’s latest Data Breach Investigations Report (DBIR), which cites vulnerability exploitation and phishing among the top three initial access vectors for SMBs. Weak passwords and a lack of security monitoring also rank high in the ESET data.
When it comes to AI, the more acute threat comes from within. According to the DBIR, shadow AI is the third most common non-malicious insider action. And although AI-powered malware might not be the most burning concern, AI and automation are helping threat actors to upskill and scale their efforts – for social engineering, vulnerability research and exploitation, and other “legacy” threats. In this context, the SMBs that ESET spoke to are keen to use AI to fight fire with fire: anticipating threats before they occur, identifying and mitigating attacks faster, and detecting social engineering.
The challenge is that these tools either don’t exist, or SMBs are often unable to benefit from them.
Before and after
SMBs that adopt cybersecurity awareness training are well on their way to developing a stronger cyber-readiness posture. But are they doing so proactively? ESET finds that training adoption is highest among businesses that have experienced multiple incidents (81% versus 53%). These organizations also display higher confidence in their resilience – perhaps because they’ve reactively adopted best-practice security measures.
In an ideal world, SMBs would pivot from a “better late than never” mentality to one in which they understand the benefits of cyber readiness before an incident teaches them some harsh lessons.
Confidence is high
The good news is that four in five respondents view their security budget as sufficient or more than sufficient, while half of them expect it to increase next year. This indicates smart planning and allocation of resources, including outsourcing where it makes sense financially and operationally to do so. It also points to confidence in current spending, but it doesn’t mean every SMB has matched its budget to the risks most likely to test the business first.
So, should confidence in cyber resilience posture be so high, especially if organizations are still getting hit multiple times? Confidence has surged from 48% in 2022 to 87% this year. The truth is that there’s no end state for cyber readiness or resilience. Rather than celebrate what they’ve achieved so far, SMBs should continue to focus on:
- Prevention-first technology and processes including training, regular patching, and strong identity management
- Realistic and regular risk assessments that help them to prioritize security investments
- Incident response that helps organizations recover faster and reduce the business impact of attacks
- Outsourcing capabilities where appropriate, such as managed detection and response (MDR)
- Improved governance to help reduce shadow IT and AI
The journey has only just begun
Despite canny budgeting, a quarter of SMBs say more funds would help them improve cybersecurity posture faster. Complexity and integration remain persistent challenges for those with fewer resources. Respondents say they want reliable, feature-rich, and easy-to-use services and solutions.
Getting hold of these tools shouldn’t be as challenging as it is for many SMBs. If it’s serious about improving the cyber readiness of small businesses, the vendor community should step up. Yet equally, there’s no silver bullet. SMBs have shown they’re well on the way to enhancing resilience. But this is a journey that will continue as technology and threats evolve. Continuous vigilance and adaptability will be key to long-term success.