Small and medium-sized businesses (SMBs) no longer view cyberattacks as rare events or as something only large enterprises should worry about. Facing this new reality, SMBs show confidence in their resilience, even while admitting they don’t sufficiently understand the current AI-related threat landscape.

This observation is just one takeaway from the ESET SMB Cyber Readiness Index 2026, which surveys 4,400 decision-makers at SMBs (25 to 1,000 endpoints) worldwide, across multiple sectors.

Confidence grows

If you are an SMB, you can pretty much flip a coin to see if you’ll have a cyber incident this year. Accordingly, 45% of SMBs faced a cybersecurity incident in the past 12 months and 14% experienced an incident more than once. Germany (64%) leads with the highest rate of recorded incidents (one or more), followed by the USA (54%) and Spain (53%).

Notably, 61% of all surveyed SMBs are seriously concerned about cyberattacks, and 75% consider cyberwarfare and global conflicts as real cyber threats that can impact their businesses.

However, 68% of businesses have confidence in their cybersecurity to prevent these attacks, and 75% of businesses declare confidence in their cyberattack resilience, i.e., their capability to handle attacks.

Confidence in cyber resilience climbs even higher among organizations that have already experienced multiple incidents (81%), suggesting that firsthand exposure is shaping more realistic and mature security postures.

Perception versus reality

However, the survey also highlights a considerable gap between perceived and actual risks. While AI-powered malware dominates boardroom discussions, media headlines, and other perceived threats in this survey, real-world incidents continue to be driven by more familiar problems such as phishing, weak credentials, unpatched systems, and insufficient monitoring.

“The practical impact of AI today is much less about novel autonomous malware and more about enabling higher volumes of more convincing phishing campaigns, faster malware development, and scalable abuse of publicly available AI tools and agentic skills,” said ESET VP of Artificial Intelligence, Juraj Jánošík.

At the time of writing, ESET engineers clearly observed that any direct use of AI to generate malware and scripts remained limited and specific. “Attackers increasingly rely on automation and creating the appearance of trustworthiness, rather than achieving genuine AI functionality, leveraging AI to mimic professional-grade presentations and interactions – further entrenching social engineering as one of the primary battlegrounds in cyber defense,” continued Jánošík.

Still, AI tools are playing a dual role in this evolving threat landscape: on one hand, SMBs are rapidly integrating them to improve productivity and efficiency, with adoption particularly strong in the United States (81%). On the other hand, 40% of all surveyed businesses do not have policies restricting shadow AI, which is an emerging attack vector.

Overall, phishing remains the single most common cause of cybersecurity incidents (26%), a trend also reinforced by ESET telemetry for all of 2025, which showed that 34% of all threats were phishing and phishing-related.

Supply chain compromise, despite being among the top threats involved in incidents and despite its potentially devastating downstream impact, ranks surprisingly low (14%) among SMB concerns.

Positive trends

Overall, the survey shows multiple positive trends, such as higher satisfaction with budgets (65% are satisfied; 15% more than satisfied) and wider adoption of higher tiers of cybersecurity products (only 11% say they have essential, i.e., minimal, protection).

Training and awareness stand out as one of the most consistent bright spots in the data. As many as 87% of SMBs see employee education as very important or critical to their cyber resilience, and many (72%) are moving beyond basic programs toward more structured training that includes phishing simulations and regular reinforcement.

Faster investigation times (41% need less than two weeks to investigate) and broader incident reporting (only 5% don’t report) also suggest that the stigma around breaches is fading, with SMBs showing the will to engage insurers, partners, customers, and authorities when something goes wrong.

Clearly, broad adoption of cyber risk insurance (71%), especially insurance with special requirements (37%), supports these positive trends.

Living with cyber threats

In the end, the ESET Cyber Readiness Index 2026 paints a nuanced picture of SMB cybersecurity. Confidence is growing, not because threats are diminishing, but because businesses are learning to live with them. Cyber insurance, improved training, faster response, and greater transparency have all contributed to stronger resilience.

At the same time, the fundamentals remain decisive. Most breaches still stem from preventable issues, and as successful cyberattacks become the new normal, getting those basics right matters more than ever. For SMBs navigating an increasingly complex and AI-influenced threat environment, resilience will depend less on chasing headlines and more on sustained, strategic investment in people, processes, and proven security practices.

Read the full ESET SMB Cyber Readiness Index 2026 report.
