{"id":7998,"date":"2026-06-10T12:00:00","date_gmt":"2026-06-10T09:00:00","guid":{"rendered":"https:\/\/blog.eset.ee\/et\/?p=7998"},"modified":"2026-06-14T13:22:20","modified_gmt":"2026-06-14T10:22:20","slug":"smb-cyber-readiness-what-makes-or-breaks-it","status":"publish","type":"post","link":"https:\/\/blog.eset.ee\/et\/en\/2026\/06\/10\/smb-cyber-readiness-what-makes-or-breaks-it\/","title":{"rendered":"SMB cyber-readiness: What makes or breaks it"},"content":{"rendered":"<div>\n<p>\u201cFix the roof while the sun is shining.\u201d<\/p>\n<p>\u2013 proverb<\/p>\n<\/div>\n<p>Cybersecurity has a familiar way of saying the storm will come: \u201ca breach is a matter of when, not if.\u201d While the industry\u2019s sternest maxim has probably never been more true, it sometimes feels as though it\u2019s also lost some of its edge over the years. Everyone agrees that there could be a \u2018cloud on the horizon,\u2019 but is it enough to get them to draft or review their <a href=\"https:\/\/web-assets.esetstatic.com\/dsg\/download-widget-files\/it-contingency-plan-how-to-prepare-for-a-cyberattack.pdf\">IT contingency plan<\/a>? Put differently, will the organizations commit to a level of operational pain that they can endure while under attack?<\/p>\n<p>To be sure, a cyber-incident won\u2019t give anyone a date by which to prepare. Organizations can only assume that it\u2019s coming \u2013 eventually, in some form, and from some direction. But that realization alone clearly doesn\u2019t prepare them to withstand the attack. 
Any kind of warning only counts when it spurs action, and the companies with the best odds of walking away standing are the ones that used the calm hours to gain a clear-eyed view of the key risks \u2013 and to prepare as though the date were fixed.<\/p>\n<h2>Gaps and gaping holes<\/h2>\n<p>The <a href=\"https:\/\/web-assets.esetstatic.com\/wls\/en\/papers\/resources\/eset-smb-cyber-readiness-index-2026-global-edition.pdf\">ESET SMB Cyber Readiness Index 2026<\/a> set out to measure the gap between how often SMBs end up in attackers\u2019 crosshairs and how confidently they think they can absorb the hit. Surveying 4,400 decision-makers in the United States, Canada, Europe, the Middle East, and Japan, the report found that 45% of small and medium-sized businesses (SMBs) recorded at least one cyber-incident in the trailing twelve months. <\/p>\n<p>An even more interesting finding is what happens to confidence after an actual incident. Globally, 75% of the respondents describe themselves as either very or slightly confident in their resilience, rising to 81% among those who have already been exposed to more than one incident. In the US and Canada, the confidence is even higher: 86% among all respondents and 91% among the cohort that has been breached more than once.<\/p>\n<figure><img decoding=\"async\" alt=\"Figure 1. Confidence in cyber-resilience\" height=\"\" src=\"https:\/\/web-assets.esetstatic.com\/wls\/2026\/06-26\/figure-1.png\" title=\"Figure 1. Confidence in cyber-resilience\" width=\"\"><figcaption><em>Figure 1. Confidence in cyber-resilience<\/em><\/figcaption><\/figure>\n<p>In other words, confidence seems to rise <em>with<\/em> incident frequency, not despite it. Have the repeat victims come to view their brushes with cyber-incidents as proof of \u201cwhat doesn\u2019t kill me makes me stronger\u201d? Or have they made peace with breaches as part of doing business? 
Probably neither \u2013 the survey found that many SMBs have become more prepared, helped along by insurance requirements, compliance pressure, and better cybersecurity awareness training.<\/p>\n<p>Still, the same data also points to a stubborn gap between feeling ready and having the basic precautions in place. So, an attack that doesn\u2019t take an organization out of business can indeed make it stronger \u2013 provided the organization learns the right lessons, of course. On the other hand, the attack can also leave it weaker and less capable of avoiding expensive penance in the future. Here&#8217;s where additional insights from the report can help.<\/p>\n<h2>How most incidents actually start<\/h2>\n<p>When it comes to root causes of cyber-incidents, ESET\u2019s data points at the less \u2018flashy\u2019 categories: phishing (26%), unpatched vulnerabilities (23%), monitoring gaps (22%) and weak passwords (20%). These are the categories that have for years required most attention, but in people\u2019s minds they\u2019re often displaced by whichever threat dominates the news headlines. For all the talk around AI, automation and attacker sophistication, many SMB breaches still begin with a familiar opening.<\/p>\n<p>This disconnect shows up in what SMBs fear: AI-powered malware is the most-cited threat concern globally (31%), ahead of ransomware and other malware (29%) and phishing (26%). Michal Jankech, ESET Vice President of Enterprise, SMB &amp; MSP, puts it plainly: \u201cWe\u2019ve found SMBs\u2019 concerns are often shaped by headlines on emerging threats like AI-driven attacks, while more routine risks \u2013 phishing, unpatched vulnerabilities and lack of monitoring \u2013 are underestimated. This hints that many respondents misperceive their security posture and resilience.\u201d<\/p>\n<figure><img decoding=\"async\" alt=\"Figure 2. 
Most-feared threats\" height=\"\" src=\"https:\/\/web-assets.esetstatic.com\/wls\/2026\/06-26\/figure-2.png\" title=\"Figure 2. Most-feared threats\" width=\"\"><figcaption><em>Figure 2. Most-feared threats<\/em><\/figcaption><\/figure>\n<p>Meanwhile, Verizon\u2019s <a href=\"https:\/\/www.verizon.com\/business\/resources\/reports\/dbir\/\">2026 Data Breach Investigations Report<\/a> (DBIR) records the inverse priority from the attacker\u2019s side: only 2.5% of AI-assisted malware functions used rare or novel techniques. DBIR\u2019s other findings also point in the same direction: for the first time in the report&#8217;s nineteen-year history, exploitation of vulnerabilities has overtaken stolen credentials as the leading initial access vector (31% of breaches) while the median time-to-patch grew from 32 to 43 days year on year. When it came to the specific actions affecting SMBs, ransomware, stolen credentials and exploited vulnerabilities appeared at the top again.<\/p>\n<h2>The golden hour<\/h2>\n<p>Emergency medicine calls the equivalent window the \u2018golden hour,\u2019 the period in which the speed of response determines whether damage is reversible. In cybersecurity, the choices are equal parts technical and procedural. Stopping the spread of an \u2018infection\u2019 often requires knowing the drill, including when it involves trading a guaranteed self-inflicted outage now to avoid a worse one later. Whoever can take or authorize the decision \u2013 say, kill a production database or take payments offline \u2013 needs to be reachable in minutes.<\/p>\n<p>Ransomware \u2013 a threat consistently looming large over organizations of all sizes but disproportionately targeting SMBs \u2013 also thrusts itself into the conversation early. The median ransom payment now sits at $140,000, according to DBIR, and 69% of victims refuse to pay. 
On this note, ESET\u2019s contingency guidance and most law enforcement are blunt on the point: don\u2019t pay.<\/p>\n<p>Another clock starts at the same time. Under GDPR, for example, a personal data breach triggers a 72-hour notification window to the supervisory authority, regardless of whether the investigation is wrapped up. Logs and other evidence have to be gathered in parallel, because cyber-insurers and law enforcement will ask for them, and whatever isn\u2019t preserved in the first hours may be impossible to recover later.<\/p>\n<h2>Why preparation is the answer<\/h2>\n<p>Major incident-response frameworks, <a href=\"https:\/\/csrc.nist.gov\/pubs\/sp\/800\/61\/r3\/final\">NIST\u2019s SP 800-61<\/a>, <a href=\"https:\/\/www.iso.org\/standard\/78973.html\">ISO\/IEC 27035-1<\/a> and the NCSC\u2019s <a href=\"https:\/\/www.ncsc.gov.uk\/collection\/cyber-assessment-framework\">Cyber Assessment Framework<\/a> (CAF), front-load preparation by treating incident response as a continuous risk management activity. But expectation \u2013 the belief that the hour will come \u2013 isn\u2019t the same as preparation, of course. 
The latter is the conscious decision that, if\/when the hour does come, the company will already know how to address the burning questions promptly and can continue to function despite setbacks, an ability that is itself the core of true cyber resilience.<\/p>\n<p>To be sure, the right answers vary by sector: a manufacturing plant treats availability as close to paramount as possible, because downtime bleeds money by the minute; meanwhile, a hospital, where the wrong shutdown can cost a life, may need to make a different calculus. Either way, the decisions about who has the authority to shut down a revenue-generating environment or which services can come back first belong in the calm hours, not only after \u2018all hell breaks loose.\u2019<\/p>\n<p>Today\u2019s attack surface is broad, often too broad, and real preparation requires the organization to shrink the number of available openings. IT environments are known to accumulate operational fat, such as unsupported legacy systems, <a href=\"https:\/\/www.welivesecurity.com\/2023\/06\/01\/top-3-api-security-risks-mitigate\/index.html\">undocumented APIs<\/a> or <a href=\"https:\/\/www.welivesecurity.com\/virtual-machines-virtually-everywhere-real-security-gaps\/index.html\">forgotten virtual machines<\/a>, that isn\u2019t always easy to shed. However, organizations need to get in the habit of minimizing their internet-facing footprint, as it\u2019s impossible to defend an asset or patch a vulnerability that the IT team doesn\u2019t know exists.<\/p>\n<p><a href=\"https:\/\/www.welivesecurity.com\/supply-chain-dependencies-have-you-checked-your-blind-spot\/index.html\">Supply-chain integrations<\/a> create their own kind of sprawl, with no clear owner and an excessive permissions footprint. ESET\u2019s report puts a number on the cost: 21% of SMBs name integration complexity as their second-biggest barrier to improvement \u2013 just behind, you guessed it, budget. 
According to DBIR, third-party involvement now sits at 48% of all breaches, up 60% year on year.<\/p>\n<p>Meanwhile, discipline is increasingly arriving from outside. A total of 71% of SMBs globally now carry cyber insurance, rising to 84% in North America, with adoption climbing sharply among repeat victims. More than half of insured firms with multiple incident histories \u2013 55% worldwide, 71% in North America \u2013 have specific controls written into their coverage: MFA, identity and access management, EDR or MDR. Only 31% of SMBs believe insurance alone is a sufficient defense, and 67% globally name single-vendor monoculture as a concern.<\/p>\n<h2>Once the dust has settled<\/h2>\n<p>The post-incident review is the place for questions, including the ugly ones about precautions that weren\u2019t taken and recovery measures that were assumed to be fine but hadn\u2019t been tested. Organizations shouldn\u2019t default to the version in which the attackers were unusually skilled. Sometimes they are, but often the reality is more mundane.<\/p>\n<p>While \u201cwhen, not if\u201d has never been more true, that alone doesn\u2019t prepare a business for adversity. 
A warning only becomes useful when it changes what happens before it \u2018comes due.\u2019 The roof is easier to fix before the rain starts.<\/p>\n<p class=\"wls-source\"><a href=\"https:\/\/www.welivesecurity.com\/en\/business-security\/smb-cyber-readiness-what-makes-breaks-it\/\" rel=\"nofollow noopener\" target=\"_blank\">Read the full analysis on WeLiveSecurity \u2192<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>A company that&#8217;s expecting a cyberattack but hasn\u2019t actively prepared for it risks making the hardest decisions at the worst possible moment<\/p>\n","protected":false},"author":5,"featured_media":7999,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[2879],"tags":[],"class_list":["post-7998","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-business-security"],"acf":[],"amp_enabled":true,"_links":{"self":[{"href":"https:\/\/blog.eset.ee\/et\/en\/wp-json\/wp\/v2\/posts\/7998","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/blog.eset.ee\/et\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/blog.eset.ee\/et\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/blog.eset.ee\/et\/en\/wp-json\/wp\/v2\/users\/5"}],"replies":[{"embeddable":true,"href":"https:\/\/blog.eset.ee\/et\/en\/wp-json\/wp\/v2\/comments?post=7998"}],"version-history":[{"count":0,"href":"https:\/\/blog.eset.ee\/et\/en\/wp-json\/wp\/v2\/posts\/7998\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/blog.eset.ee\/et\/en\/wp-json\/wp\/v2\/media\/7999"}],"wp:attachment":[{"href":"https:\/\/blog.eset.ee\/et\/en\/wp-json\/wp\/v2\/media?parent=7998"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/blog.eset.ee\/et\/en\/wp-json\/wp\/v2\/categories?post=7998"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/blog.eset.ee\
/et\/en\/wp-json\/wp\/v2\/tags?post=7998"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}