ESET released its SMB Cyber Readiness Index 2026, based on a global survey of 4,400 SMB decision makers representing organisations with 25 to 1,000 endpoints across 13 countries in North America, Europe, and Asia.
The index examines SMB cybersecurity sentiment across the most pressing challenges facing the segment, including the dual role of AI in driving new threats within the threat landscape and defending against them in business environments, overall cybersecurity posture, awareness training, and incident response.
The data shows that 45% of SMBs experienced a cybersecurity incident in the past 12 months, with 14% experiencing more than one incident. A majority of surveyed SMBs (61%) report being seriously concerned about cyberattacks, while 75% consider cyberwarfare and global conflicts to be real cyber threats capable of impacting their business operations.
Among cyber threats, SMBs report the greatest concern with AI powered malware, even though such threats remain relatively rare at present.
Overall, the survey highlights several positive trends. Insurance and compliance requirements are driving stronger cybersecurity practices, and many SMBs have accepted that organisational size does not provide protection from cyber threats. As a result, businesses appear increasingly prepared to confront attacks.
- 68% of SMBs are confident in their ability to prevent attacks, and 75% trust their cyber resilience when responding to incidents
- 65% are satisfied with their cybersecurity budgets, with an additional 15% reporting they are “more than satisfied”
- Only 11% operate with essential (minimal) cybersecurity protection
- 87% view employee education as very important or critical to cyber resilience, with 67% conducting training more than once per year
- Just 6% rely solely on basic awareness training programmes, while an additional 2% provide no cybersecurity training at all
- More than one third of SMBs investigated cyber incidents within two weeks
Despite these improvements, notable concerns remain. Many SMBs underestimate the seriousness of supply chain attacks and the risks associated with AI enabled tools, including so called shadow AI.
Discussion about this post