It’s 4:45 on a Friday.
Someone on your finance team gets a call.
The voice is calm, knows the CFO’s name, references a real invoice number, and just needs “one quick correction” on a wire transfer.
Ninety seconds later, the money is gone.
Nobody wrote a single line of malicious code to make that happen.
That’s not a scare story. It’s the new baseline. CrowdStrike found that 79% of detections in 2025 involved no malware at all — no virus, no exploit kit, nothing your antivirus was ever built to catch. The attacker just… logged in. Or called. Or asked nicely.
If you run a small or midsize business, 2026 is the year to stop thinking about cybersecurity as “did we install the right software” and start thinking about it as “can someone talk, click, or log their way into something they shouldn’t.”
Here’s what the data actually says, and what to do about it.
Why SMBs, specifically
Big enterprises get the headlines.
Small businesses get the volume.
You’re targeted not because you’re important, but because you’re reachable — connected to customers, suppliers, cloud platforms, and whatever IT vendor you outsourced to three years ago and haven’t thought about since.
The numbers make the case on their own. Ransomware showed up in 88% of SMB breaches in Verizon’s 2025 Data Breach Investigations Report. Third-party involvement in breaches doubled to 30%. And business email compromise — the unglamorous, no-malware, “just ask for money” scam — accounted for $2.77 billion in reported losses in the FBI’s 2024 IC3 data.
None of that requires a nation-state hacker.
It requires you to have a weak admin password, an unpatched VPN, or a finance process that runs on trust and speed instead of verification.
The good news: if the cheap attacks are what’s working, the fixes are also cheap relative to the risk.
You don’t need to outspend attackers. You need to close the doors they’re actually walking through.
Ransomware: still huge, but not the story you think it is
Ransomware isn’t going anywhere — it showed up in that 88% of SMB breaches — but the old mental model of “someone opened a bad attachment” is outdated. Sophos found that exploited vulnerabilities, not phishing emails, were the leading root cause in ransomware cases, and Mandiant has watched attackers get more deliberate: they now go after your backup infrastructure, your identity systems, and your virtualization layer specifically, because that’s what makes recovery expensive instead of routine.
That’s the real shift. Ransomware in 2026 is rarely “one infected laptop.” It’s a combined failure of identity, patching, and recovery planning, and the attacker knows exactly which piece to break first.
The money reflects that. Verizon puts the median ransom payment at $115,000. Sophos puts the average recovery cost — consulting, downtime, lost customers, the whole mess — at $1.5 million. Whatever the ransom demand says on the note, the real bill is usually the business interruption, not the extortion itself.
Your people are the new perimeter
Phishing used to mean a suspicious email. Now it means phone calls, fake IT support tickets, QR codes, and multi-step impersonation that plays out over days, not seconds.
CrowdStrike measured a 442% increase in voice phishing between the first and second half of 2024 alone. Mandiant’s latest data shows voice phishing now accounts for 11% of intrusions — ahead of email phishing at 6%. Somewhere along the way, the phone became a bigger threat than the inbox.
For small businesses, the exposure isn’t technical, it’s cultural. Lean finance teams run on familiarity: “that’s definitely how our vendor sounds,” “the CEO does ask for rush payments sometimes.” Attackers know this, and that’s exactly what business email compromise exploits — not a firewall gap, but a process gap. The single highest-leverage fix here costs nothing but discipline: callback verification on every payment or payroll change, using a number you already have on file, never one provided in the request itself.
Identity is the whole game now
If there’s one sentence to take away from this entire report, it’s this: identity is now the primary battlefield, for both sides.
Verizon names credential abuse and vulnerability exploitation as the top two ways attackers get in. CrowdStrike found that stolen-but-valid credentials were behind 35% of cloud incidents in the first half of 2024. IBM reported that roughly one in three incidents now involves credential theft. And Fortinet found something genuinely unsettling: 1.7 billion stolen credential records circulating on underground forums — meaning the “market” for access into your systems is now industrial-scale, not artisanal.
Multi-factor authentication was supposed to fix this. It helped — but it’s not enough on its own anymore. Cisco Talos found that many organizations they assisted still lacked full MFA coverage, including 19% with no MFA at all on VPN access — one of the most obvious front doors there is.
Meanwhile, Microsoft is seeing 7,000 password attacks per second, and reports that passkeys are succeeding at sign-in far more reliably than passwords ever did. Passwordless authentication has quietly gone from “nice future idea” to “thing you should already be rolling out for your admins and finance team.”
If you do nothing else this year: put phishing-resistant MFA or passkeys on every admin, finance, and executive account. Separate admin logins from daily-use accounts. That one change raises attacker cost more than almost anything else on this list.
The browser is now a front door, not a window
Here’s a stat that surprises people: Unit 42 found that 44% of incidents involved a web browser somewhere in the chain. Malicious redirects, drive-by downloads, stolen session tokens, fake login pages that look pixel-perfect. Mandiant separately documented attackers using help-desk social engineering to steal session tokens straight into SaaS platforms like Microsoft 365 and Google Workspace — no password needed at all.
Treat your browser like the security perimeter it’s become: DNS filtering, managed browser policies, extension review, and session protections for anyone with elevated access. It’s an unglamorous fix, and it matters more than most of the “AI security” tools being pitched to you right now.
Your vendors are your problem too
Verizon’s finding that third-party involvement in breaches doubled to 30% should make every SMB owner pause. You might have decent security. Does your bookkeeper? Your MSP? The logistics company with a login into your inventory system?
Attackers have figured out that the smaller supplier is often the easier target — and just as useful a stepping stone into you. This risk tends to be invisible until it isn’t: an incident happens, and only then does anyone realize a contractor’s account was never disabled, or a vendor had far more access than the relationship ever required.
The fix is unsexy but effective: keep an actual inventory of every third party with administrative access to anything of yours, review those permissions on a schedule, and hold critical vendors to real contractual and logging standards — not just a handshake.
AI didn’t invent new attacks. It made the old ones faster.
Let’s cut through the hype: generative AI is not spawning some new category of attack. It’s making the existing playbook cheaper and more convincing. Better-written phishing emails. Faster reconnaissance. More believable fake support calls. IBM saw infostealer-delivery emails jump 84% in a single year, and Fortinet is now tracking roughly 36,000 automated scans per second hitting the internet — up nearly 17% year over year.
The right response isn’t panic-buying an “AI security” product. It’s tightening the same verification habits that already stop social engineering — because AI is aimed squarely at your people’s judgment, not your firewall.
Where the money actually goes to work
If you’re triaging a limited budget and limited time, here’s the order that matches the actual data, not the sales pitch:
1. Identity first. Phishing-resistant MFA or passkeys for admins, finance, and executives. Separate admin accounts from daily accounts. Kill legacy authentication protocols that don’t support modern MFA at all.
2. Patch what’s exposed to the internet. Firewalls, VPNs, remote access tools, and identity platforms should be on an emergency patch track, not the quarterly one. This is still one of the top entry paths across Verizon, Sophos, and Mandiant’s data.
3. Fix the money process, not just the inbox. Callback verification for wires and payroll changes. Help-desk identity proofing before anyone resets a password or re-enrolls MFA. This single process change addresses the highest-dollar-loss attack path in the entire report.
4. Treat the browser as a control point. Managed browser policies, DNS filtering, and session protections for anyone with real access.
5. Test your backups like you mean it. Not “did the backup job complete” — can you actually restore identity systems, cloud data, and your core line-of-business applications, in the right order, under pressure? Keep at least one immutable or offline copy, because attackers are now targeting backup infrastructure directly to remove your leverage.
6. Audit your vendors like you audit your employees. Because increasingly, they’re the same risk.
Mandiant’s numbers explain why the ordering matters so much: once an attacker is in, the median handoff to a second threat group was 22 seconds, and CrowdStrike’s average breakout time to lateral movement was 48 minutes. There is no “catch it later.” Identity and access controls are the only layer fast enough to matter before an attacker is already three systems deep.
The passwordless shift is no longer optional
One more data point worth sitting with: Microsoft now sees nearly a million passkeys registered every single day, across more than 15 billion accounts that support passwordless sign-in. That’s not an early-adopter trend anymore — it’s the direction the entire industry is moving, and sign-in success rates back it up.
For an SMB, this doesn’t mean ripping out every password overnight. It means starting with the accounts that would hurt the most if compromised — admins, finance, execs — and moving them to passkeys or FIDO2 hardware keys now, while it’s a choice, rather than later, after it’s a incident report.
The bottom line
None of this requires predicting the next zero-day or outspending a nation-state. The attacks doing the most damage to small businesses right now are boring: stolen passwords, unpatched VPNs, a convincing phone call, an over-trusted vendor. Boring problems have boring, achievable fixes — you just have to actually do them, on a schedule, instead of hoping this is the year nobody calls.
Start with identity.
Everything else gets easier from there.
The numbers, all in one place
- 88% of SMB breaches involved ransomware — Verizon DBIR, 2025
- 30% of breaches involved a third party, double the year before — Verizon DBIR, 2025
- $2.77B in BEC losses across 21,442 reported incidents — Proofpoint / FBI IC3, 2025
- 442% increase in voice phishing, H1 to H2 2024 — CrowdStrike, 2025
- 79% of detections were malware-free — CrowdStrike, 2025
- 44% of incidents involved a web browser — Unit 42, 2025
- 22 seconds — median handoff window to a second threat group — Mandiant M-Trends, 2026
- 7,000 password attacks per second observed — Microsoft, 2025
- 1.7 billion stolen credential records seen in underground forums — Fortinet, 2025
- 63% of ransomware victims cited a lack of people or skills as a contributing factor — Sophos, 2025
Sources
- Verizon DBIR 2025
- Proofpoint (citing FBI IC3 2024)
- CrowdStrike 2025 Global Threat Report
- Google Cloud/Mandiant M-Trends 2025 & 2026
- Palo Alto Networks Unit 42 Incident Response Report 2025
- Sophos State of Ransomware 2025
- IBM X-Force Threat Index 2025
- Microsoft Security Blog 2025
Discover more from Ido Green
Subscribe to get the latest posts sent to your email.