The Veriti Spottr Cybersecurity Brief

Most cyberattacks against small businesses do not begin with elite hacking or cinematic zero-days. They usually begin with something much more ordinary: a reused password, an exposed system, a convincing email, an unpatched vulnerability, or a vendor connection no one is watching closely. That is why small and midsize businesses need a practical view of cybersecurity. Attackers are not guessing. They are looking for the fastest path in. The better question for SMB leaders is simple: what would an attacker see first? Recent data makes this especially urgent. Verizon’s 2025 Data Breach Investigations Report found that third-party involvement in breaches doubled to 30%, while exploitation of vulnerabilities surged 34%. The report also found that credential abuse and vulnerability exploitation remain major initial access paths. For SMBs specifically, Verizon’s SMB snapshot showed ransomware was present in 88% of SMB breaches. Source: Verizon 2025 DBIR The FBI’s 2025 Internet Crime Re...

Small and midsize businesses are feeling more confident about cybersecurity. On the surface, that sounds like progress. But the latest data suggests something more complicated is happening. Confidence may be rising, yet incidents remain widespread, and many of the attacks hurting SMBs still come from highly familiar weaknesses: phishing, weak credentials, limited monitoring, and unpatched systems. That matters because many business leaders are understandably focused on the newest generation of cyber threats, especially AI-enhanced phishing, impersonation, and malware. Those risks are real. But the underlying lesson from the latest SMB data is not that the old threats have gone away. It is that AI is making many of them more convincing, scalable, and damaging. Confidence Is Up, but So Are Incidents According to ESET’s 2026 SMB Cyber Readiness Index for North America, 87% of U.S. SMBs and 83% of Canadian SMBs say they feel at least slightly confident in their cyber resilience. Th...

Artificial intelligence is powerful. Used correctly, it can accelerate research, improve productivity, strengthen decision-making, and act as a true force multiplier across the business. In the right hands, AI can absolutely be a 10x enabler. But recent court filing controversies show the other side of the equation: AI without oversight can create serious risk. Reports indicate that Sullivan & Cromwell apologized to a federal bankruptcy judge after a filing contained AI-generated hallucinations, including inaccurate citations and misquoted legal authority. That is not just a legal story. It is a business story about trust, control, and the consequences of using powerful technology without the right safeguards. When AI-generated inaccuracies appear in a court filing, the issue is no longer theoretical. It becomes a real-world example of how even polished, professional-looking output can be wrong. And if it can happen in one of the most high-stakes forms of business communication...

When Cyber Risk Starts to Feel Normal, Small Businesses Are in Trouble Many small-business leaders know cybersecurity matters. The problem is not awareness. The problem is what happens when day-to-day business pressure makes manageable security gaps start to feel normal. A patch gets delayed because the team is busy. Multi-factor authentication is incomplete because it is inconvenient for one system. A former vendor still has access because no one wants to disrupt operations. Monitoring is limited after hours because there is no one available to watch everything closely. None of these choices feels catastrophic in the moment. But over time, this is how cyber risk builds inside many SMBs — not through one dramatic failure, but through the quiet normalization of preventable exposure. Cybersecurity problems often become routine before they become serious Most small businesses do not deliberately accept poor security. ...

Many small-business owners hear about cyber conflict, state-backed attacks, and geopolitical tensions and assume the same thing: That sounds serious, but it probably has nothing to do with my business. In one sense, that is true. Most small businesses are not the primary target of nation-state cyber campaigns. Verizon’s latest small-business breach data even notes that nation-state actors rarely target SMBs directly. But that does not mean world conflict has no effect on small-business cyber risk. It does. Just not always in the way people imagine. Small businesses are usually not the bullseye. But they can still be in the blast radius. When geopolitical tensions rise, cyber activity often rises with them. Government agencies and critical infrastructure may be the most visible concern, but the effects can spread much wider through the digital environment that businesses rely on every day. Small businesses ca...

Many small businesses still think of email as just a communication tool. But in reality, one compromised inbox can become a starting point for fraud, data exposure, vendor impersonation, payment disruption, customer confusion, and wider business compromise. That is what makes email one of the most underestimated cyber risks in a small business. Attackers do not always need to break into your entire environment at once. Sometimes they only need one inbox, one set of credentials, and one trusted identity inside the business. Why email matters so much in small businesses In most SMBs, email is not just where messages live. It is where business happens. Email often touches: vendor communication invoices and billing customer support password resets and account recovery contract discussions internal approvals banking and payment instructions shared documents and file access ...

Most small businesses worry about outside attackers. But one of the biggest cyber risks often sits much closer to home: access that was granted, forgotten, never reviewed, or never removed. A former employee may still have login rights. A vendor may still be connected to a system they no longer support. A SaaS tool may still be linked to business data. A shared admin credential may still be floating between people who no longer need it. An AI tool may still have access to files, messages, or workflows no one has reevaluated. None of this looks dramatic in the moment. That is exactly why it becomes dangerous. The real problem is not just exposure. It is lingering access. Small businesses often think about cyber risk in terms of what is visible from the internet: websites, remote access tools, email, cloud apps, and exposed services. That matters. But there is another problem that gets less attention: ...

Cyber risk is not evenly distributed across the United States. Some states consistently report higher levels of cybercrime activity than others. That does not mean businesses in other states are safe. But it does show where attackers are most active, where digital activity is concentrated, and where financial and data-driven targets are more common. The FBI’s Internet Crime Complaint Center (IC3) publishes annual data showing cybercrime complaints and losses by state. While these figures are not limited to small businesses, they provide one of the clearest views of where cybercrime activity is most concentrated. When combined with small-business breach data, a clear takeaway emerges: SMBs operating in high-activity states often face higher exposure simply because of the volume and nature of digital activity around them. The states reporting the highest cybercrime activity Based on recent FBI IC3 reporting, the following states con...

Not all small businesses face the same level of cyber risk. Some industries are hit harder because they handle sensitive data. Some are targeted because they move money quickly. Others are exposed because they rely on vendors, web portals, email-heavy workflows, or distributed operations that create more ways in. There is not one single public report that publishes a perfect SMB-only “top 10 industries by exact number of cyber attacks” table. But when you combine the latest verified small-business claims data, breach-pattern data, and sector-specific incident trends, a clear picture emerges. Certain industries appear again and again. Here is a practical, data-backed ranking of the industries where small businesses appear to face the most cyber risk. 1. Professional Services Professional services consistently sits at the top of SME cyber claims data. This category includes law firms, accounting and tax firms, consulting ...

AI hallucinations are no longer just an accuracy problem. For small and midsize businesses, they can become a cybersecurity problem when false output affects money, code, compliance, customer trust, access decisions, or sensitive data. That is the shift business leaders need to understand. The issue is not simply that AI can be wrong. The issue is that AI can be wrong confidently — in a format that looks polished, credible, and ready to use. If that output reaches a legal filing, a financial decision, a codebase, a compliance process, or a customer-facing deliverable before it is verified, the risk is no longer theoretical. For SMBs, that matters because lean teams often use AI to move faster. Faster drafting. Faster coding. Faster reporting. Faster analysis. Faster content. But when speed outruns verification, hallucinations can move directly into production. That is where AI stops being just a productivity tool issue and starts bec...