SMB Cyber Confidence Is Rising. The Risks Are Still Very Real
Small and midsize businesses are feeling more confident about cybersecurity. On the surface, that sounds like progress.
But the latest data suggests something more complicated is happening. Confidence may be rising, yet incidents remain widespread, and many of the attacks hurting SMBs still come from highly familiar weaknesses: phishing, weak credentials, limited monitoring, and unpatched systems.
That matters because many business leaders are understandably focused on the newest generation of cyber threats, especially AI-enhanced phishing, impersonation, and malware. Those risks are real. But the underlying lesson from the latest SMB data is not that the old threats have gone away. It is that AI is making many of them more convincing, scalable, and damaging.
Confidence Is Up, but So Are Incidents
According to ESET’s 2026 SMB Cyber Readiness Index for North America, 87% of U.S. SMBs and 83% of Canadian SMBs say they feel at least slightly confident in their cyber resilience. That is a notable sign of optimism in a market that has been under pressure for years.
But that confidence exists alongside a high rate of real-world incidents. The same research found that 54% of U.S. SMBs and 46% of Canadian SMBs reported at least one cyber incident in the last 12 months.
That gap between confidence and exposure is one of the most important takeaways in the report. Businesses may feel they are getting stronger, but many are still operating with the kinds of weaknesses attackers know how to exploit quickly and at scale.
AI Gets the Attention. The Basics Still Drive Many Incidents.
ESET found that AI-powered malware is now the top concern for many SMBs, cited by 32% of U.S. SMBs and 34% of Canadian SMBs.
But when respondents identified the actual causes behind incidents, the answers were far more familiar.
- United States: phishing (27%), lack of security monitoring (27%), and unpatched vulnerabilities (25%)
- Canada: phishing (21%), weak passwords (20%), and insufficient security monitoring (20%)
That is the real story. AI may be changing the speed and sophistication of attacks, but many successful compromises are still rooted in weak fundamentals. Attackers do not need a cinematic zero-day if a business is missing patches, reusing passwords, or lacking visibility into what is happening inside its environment.
The Wider Threat Data Tells the Same Story
The ESET findings line up with broader breach and crime data.
Verizon’s 2025 Data Breach Investigations Report, based on more than 22,000 security incidents and 12,195 confirmed breaches, found that credential abuse was the initial access vector in 22% of breaches and vulnerability exploitation in 20%. Verizon also reported that exploitation of vulnerabilities as an initial access vector rose 34% year over year.
That should get the attention of any SMB leader. It means the pathway into many organizations is still very often tied to credentials and patching discipline, not just exotic attack chains.
The same report found that ransomware was present in 44% of breaches overall, and Verizon’s SMB snapshot showed ransomware was present in 88% of SMB breaches. For smaller organizations, that is a major operational warning. Ransomware is not just an IT problem. It can shut down systems, disrupt service delivery, trigger legal and insurance issues, and force difficult decisions under pressure.
Cybercrime Is Getting More Expensive
The FBI’s 2025 Internet Crime Report adds even more context. In April 2026, the FBI said the Internet Crime Complaint Center received 1,008,597 total complaints and recorded nearly $21 billion in losses in 2025.
Of those, the FBI said approximately 453,000 complaints were cyber-enabled fraud, with losses exceeding $17.7 billion.
For the first time, the FBI also broke out artificial intelligence-related fraud in a dedicated section. The bureau said AI-related complaints reached 22,364, costing Americans nearly $893 million.
That is an important nuance for SMBs. AI risk is real and growing, but not because it replaces traditional attack methods. It is dangerous because it enhances them. It makes phishing emails more credible. It makes impersonation more realistic. It makes fraud more scalable. It makes social engineering harder to spot.
Insurance Is Increasingly Shaping SMB Security Decisions
Another important signal in the ESET data is how deeply cyber insurance is now influencing SMB behavior.
ESET found that 86% of U.S. SMBs and 78% of Canadian SMBs carry cyber insurance. Among insured firms, 55% in the U.S. and 41% in Canada said they are required to implement specific cybersecurity controls as a condition of coverage.
That means cybersecurity is no longer only about protection and compliance. It is also about insurability.
For many SMBs, the issue is becoming very practical: can the organization demonstrate enough visibility, control, and resilience to qualify for better coverage, avoid exclusions, and reduce friction during underwriting or renewal?
Training Still Matters Because Human Risk Still Matters
Even as AI changes the attack landscape, the human layer remains central.
ESET found that more than 90% of SMBs in both countries view security awareness training as critical or very important. It also found that 42% of U.S. SMBs and 43% of Canadian SMBs plan to increase spending on awareness and training. Meanwhile, 44% of U.S. organizations and 47% of Canadian organizations have already moved toward phishing simulations and more structured training approaches.
That makes sense. Technology can reduce risk, but people still make decisions under pressure. They still click. They still approve requests. They still respond to urgency, authority, and familiarity. AI simply makes those manipulations more polished.
The Real SMB Cybersecurity Challenge
The challenge for SMBs is not choosing between “traditional threats” and “AI threats.” That is the wrong frame.
The real challenge is understanding that the old attack paths still work, and AI is making them more effective.
That is why so many organizations feel caught in between. They know modern threats are getting more sophisticated. They know they need to improve. But they also know they cannot chase every alert, every acronym, and every theoretical risk.
What they need is clearer visibility into what matters most, where they are exposed, and what to address first.
How Veriti Spottr Helps
Veriti Spottr helps SMBs understand cyber risk and act on it with greater speed and confidence. Our platform brings together scanning, risk visibility, and AI-powered insight to help organizations identify what matters most and where to focus first.
As attackers use AI to launch more convincing phishing, impersonation, and fraud campaigns, businesses need practical defenses that do more than generate more noise. Veriti Spottr is built to help businesses use modern technology the right way: turning complex cyber risk into clearer action.
Instead of forcing SMBs to sift through fragmented findings, Veriti Spottr helps surface where real-world exposure may be building across vulnerabilities, external attack surface, basic control gaps, and broader cyber hygiene. That makes it easier to prioritize action, strengthen resilience, and support stronger conversations with leadership, customers, and insurers.
AI can be a 10x force for business. Veriti Spottr is built to help make sure that force works in your favor.
Sources
- Insurance Business Canada: SMB cyber attacks now “new normal” as confidence climbs
- ESET 2026 SMB Cyber Readiness Index – North America
- Verizon 2025 Data Breach Investigations Report
- Verizon 2025 DBIR SMB Snapshot
- FBI: Cryptocurrency and AI Scams Bilk Americans of Billions