ESET has released its SMB Cyber Readiness Index 2026, which found that 45% of small and medium-sized businesses experienced a cybersecurity incident in the past year.
The report is based on responses from 4,400 cybersecurity decision-makers at businesses with 25 to 1,000 endpoints across 13 countries in North America, Europe and Asia. It found that 14% of respondents suffered more than one incident over the same 12-month period.
Phishing was the most common cause of incidents, cited in 26% of cases. ESET's 2025 telemetry also showed that 34% of all threats were phishing or phishing-related.
While phishing remained the most common route for incidents, respondents identified AI-powered malware as their top concern. At the same time, supply chain compromise ranked relatively low at 14%, despite being listed among the top threats involved in incidents.
The findings present a mixed picture for smaller businesses. A majority of respondents, 61%, said they were seriously concerned about cyberattacks, while 75% said cyberwarfare and global conflicts were real cyber threats that could affect business operations.
Even so, confidence levels were high. Among surveyed businesses, 68% were confident in their ability to prevent attacks, and 75% trusted their cyber resilience when responding to incidents.
Confidence was even higher among businesses that had been hit more than once. Among organisations that had experienced multiple incidents, 81% said they were confident in their cyber resilience.

Budget pressures
The survey also suggested that many SMBs believe they have enough money allocated to cybersecurity. Some 65% said they were satisfied with their cybersecurity budgets, while a further 15% said they were more than satisfied.
Spending still appears set to rise, with 40% of respondents expecting to increase cybersecurity budgets in the next year.
Only 11% of surveyed businesses said they operated with essential or minimal cybersecurity protection. The figures suggest many smaller companies have moved beyond the most basic security setup, even if gaps remain in expertise and delivery.
Training was another area where most respondents reported activity rather than neglect. According to the survey, 87% said employee education was very important or critical to cyber resilience, and 67% said they carried out training more than once a year.
Just 6% said they relied solely on basic awareness training programmes, while 2% said they provided no cybersecurity training at all. More than one-third of SMBs said they investigated cyber incidents within two weeks.

Skills gap
Despite rising confidence and steady investment, the survey highlighted several operational weaknesses. The main challenges cited by SMBs were keeping up with the latest security threats, keeping pace with cybersecurity technologies such as AI, lack of employee training and awareness, and lack of internal cybersecurity skills and expertise.
Those pressures have not yet led to broad outsourcing of security work. Only one in five SMBs said they had fully or partially outsourced their cybersecurity responsibilities through managed detection and response services, managed service providers, or managed security service providers.
That low level of outsourcing stands out against the level of concern expressed by respondents. Businesses said they were struggling to keep pace with changing threats and newer tools, yet most still kept cybersecurity primarily in-house.
The report suggested that insurance and compliance requirements were helping to improve security practices. It also indicated that many SMBs no longer assumed that being smaller made them less likely to be targeted.
Juraj Jánošík, Vice President of Artificial Intelligence at ESET, commented on the role of AI in the current threat environment. "The practical impact of AI today is much less about novel autonomous malware and more about enabling higher volumes of more convincing phishing campaigns, faster malware development, and scalable abuse of publicly available AI tools and agentic skills," he said.
The survey points to a market in which smaller businesses are becoming more accustomed to dealing with cyber risk rather than expecting it to recede. Budget increases, more frequent training and quicker investigation times suggest a degree of adaptation, but the prevalence of phishing and the continued shortage of skills indicate that many basic problems remain unresolved.
One of the clearest tensions in the findings is the gap between confidence and exposure. Nearly half of respondents had suffered an incident, yet most still said they felt prepared to prevent or respond to attacks.
For service providers, that combination may create demand from businesses willing to spend more but still hesitant to hand over control. For SMBs themselves, the data shows that concern about AI has risen even though phishing remains the most common entry point for attacks.
The report suggests confidence is growing as businesses adapt to persistent cyber risk, while most breaches still stem from preventable issues and basic security practice remains decisive.