The first week of July handed IT teams a worst-case scenario. The interesting part is that the survey data said this was coming.
On Wednesday, CISA added a high-severity SharePoint flaw to its Known Exploited Vulnerabilities catalog. By Thursday, threat actors were actively probing a critical (CVSS 9.8) bug in the official Gitea Docker image, 13 days after disclosure, letting any unauthenticated visitor impersonate any user, including admin. The same day, Progress warned of live exploitation of a pre-auth remote code execution bug in Kemp LoadMaster, a load balancer used heavily in mid-market networks. Adobe patched seven CVSS 10.0 vulnerabilities in ColdFusion and Campaign Classic. The Linux kernel dropped a fix for a use-after-free privilege escalation dubbed “Bad Epoll” that an ordinary logged-in user can ride straight to root, including from inside Chrome’s sandbox.
If you read security news, that paragraph sounds normal. That is the problem.
That string of disclosures is not a coincidence and not a fluke. The week of June 29 to July 6, 2026 was ordinary. Run the same exercise next month and you will get a similar wall of CVEs, similar exploitation, similar “patch now” advisories. The cadence is the story.
Bitdefender published its 2026 Cybersecurity Assessment on July 1, surveying 1,200 IT and security professionals across six countries. The headline finding is the one the industry has been quietly avoiding: awareness of cyber risk is at an all-time high, and operational resilience is at an all-time low. The two curves have decoupled, and they are still moving apart.
The numbers tell the same story in different rooms. 51.8% of respondents told Bitdefender they have full visibility into how AI is being used inside their company. 47.4% admitted they have only partial or no visibility into “Shadow AI,” the personal ChatGPT tabs, the unauthorized Copilot installs, the unvetted browser extensions that summarize meetings. When you split that answer by role, the gap is sharper. Nearly 58% of managers believe they have complete AI visibility. Among frontline practitioners, that number drops to 45.9%. The strategic decisions are being made on a picture half the building does not recognize.
The large enterprise has more attack surface, but it also has people whose entire job is to read the CISA KEV catalog on Monday morning and have a remediation plan by lunch. The 80-person logistics company does not. The 200-person law firm does not. The 40-person SaaS startup does not. They have one or two people doing IT, often with no dedicated security hire, and they are reading the same Gitea writeup that a Fortune 500 CISO is reading, except without a team to back them up.
The Bitdefender report is blunt about this part too. “Security teams understand the importance of reducing the attack surface,” it reads, “yet they often lack the skills, resources, or strategy to do so.” That sentence does not get quoted in marketing decks. Awareness without capacity is a tax you pay every quarter and collect no return on.

On the same day the Bitdefender report came out, Microsoft’s Mark Russinovich published a blog post that nobody at a small business had time to read. He announced that Microsoft is pulling its post-quantum cryptography roadmap forward to 2029, two years earlier than the previous schedule. His reasoning: cryptographically relevant quantum computers could arrive sooner than previously expected. For a CISO at a global bank, this is a multi-year migration program. For an IT generalist at a 150-person manufacturer, it is one more line item on a list that is already too long.
The fix is not exotic, though. Microsoft’s own plan rests on three moves small IT teams can start with: adopt TLS 1.3 everywhere you terminate HTTPS, audit where cryptography is hard-coded into your applications and break those couplings, and design for “crypto agility,” meaning your systems can swap algorithms without being rebuilt from scratch. None of this is a 2029 problem. The migration window is what makes it one.
The honest version of a hardening plan for a small team is small. It is not “buy a SIEM.” It is five things, do them this month.
Subscribe to the CISA KEV catalog as an email or RSS feed. Anything that lands on that list gets a 14-day patch or mitigation deadline from the U.S. government. Treat it as a binding SLA. If you cannot patch in 14 days, document why and what compensating control you have in place.
Build a real list of internet-exposed assets. Not a theoretical list. The actual set of hosts, services, and ports exposed to the public internet as of this week. Run an unauthenticated scan from outside your network. The gap between what you think is exposed and what is exposed is where the Gitea bugs live.
Replace “is MFA enabled” with “is MFA enforced on the highest-privilege accounts, with phishing-resistant factors.” Hardware keys (FIDO2) and platform-bound passkeys are not exotic anymore. They are cheap. They are the single highest-ROI control most small businesses are still not using.
Pick one “if this breaks at 2 a.m.” scenario and write the runbook. A Gitea admin compromise, a SharePoint exploit, a VPN appliance RCE, pick the one most likely to hit you, write three pages of what you do, and rehearse it with the team. A 200-person company with a good runbook beats a 2,000-person company with a stale one.
Schedule a 90-minute review of your top five SaaS vendors by data exposure. SOC 2 report, SBOM availability, breach notification clause. The questions alone will reveal the ones that should not be in your stack.
The gap between awareness and resilience is not going to close on its own. The CVE flood is not going to slow down. AI is not going to reduce the attack surface. The post-quantum transition is going to land on the same overstretched IT generalist who is already triaging a Gitea CVE and patching a SharePoint server. The companies that handle the next two years well are the ones that stop pretending awareness is the same as readiness. The job of hardening is unglamorous, mostly invisible, and the actual work of 2026. The week of July 6 made that impossible to miss.

The part no one wants to say out loud: you can’t audit them all.
Last week, a security research firm named Novee published a finding that should make every CIO in the country uncomfortable. A class of vulnerabilities they’re calling Cordyceps — embedded in GitHub Actions workflows — exposed more than 300 public repositories (including those of Microsoft, Google, and Apache) to full supply-chain takeover. An attacker with the right foothold could push poisoned code into the open source packages that millions of applications depend on. The exposure was wide. The blast radius is the entire internet.
If you’re running a 50-person SaaS company or a regional healthcare network, you probably read that story and thought the same thing I did: I don’t control any of this.
That’s the point. Welcome to the supply chain problem.
Five years ago, “supply chain attack” mostly meant a compromised vendor slipping malware into a software update. The SolarWinds incident of late 2020 fit that model almost perfectly. One point of compromise. Investigate, contain, move on.
The 2026 version is messier, broader, and harder to point at. Three stories from the last ten days alone:
Three different vendors. Three different attack surfaces. One common reality for anyone running a small IT team: the things you depend on to ship software, take payments, or run your website are being attacked in ways you cannot see.
The press coverage tends to focus on the household names. Microsoft, Google, Apache, AWS — these are mature companies with serious security teams. If they miss a bug in their CI/CD pipeline or their extension store, it’s news for a week and then they patch.
The same software is sitting in your stack. A 30-person e-commerce business might run its entire operation on a handful of npm packages, a payment processor, an inventory SaaS, and a small fleet of AWS services. Any one of those is a possible entry point. The smaller company can’t audit the source of every dependency, can’t review the security of every SaaS vendor, and almost certainly doesn’t have a Software Bill of Materials to begin with.
A few uncomfortable numbers, courtesy of Verizon’s 2025 Data Breach Investigations Report: 30% of breaches now involve a third-party component, and that share has been climbing every year since 2021. For small businesses specifically, the figure is higher — somewhere around 40%, depending on which report you read.
You don’t have to be the actual target. You just have to be downstream of one.

The honest answer: you cannot eliminate the risk. Anyone who tells you they can is selling you something. But you can reduce the blast radius and catch problems faster. Here’s what I’d actually do this week if I were running IT for a 50-to-500-person company.
1. Inventory your dependencies. Then inventory them again.
You probably have an official list of approved SaaS vendors and on-prem software. That list is incomplete. The real inventory lives in your developers’ package.json files, your DevOps team’s GitHub Actions, your marketing team’s browser extensions, and your sales team’s Chrome plug-ins. Get a Software Bill of Materials (SBOM) tool — CycloneDX or SPDX-format generators are free and plug into most CI systems. You can’t protect what you can’t name.
2. Lock down browser extensions.
The StegoAd case is a reminder that the attack surface you can see is not the only one. Browser extensions run with the same privileges as the user who installed them. Set a corporate policy. Audit which extensions are installed across the team. Don’t allow employees to install extensions on company-managed browsers without a review. This sounds pedantic. It is not.
3. Watch the maintainers, not just the packages.
A growing share of supply chain attacks in 2026 target the humans behind the software. Compromised maintainer accounts. Social engineering of project owners. Hijacked email addresses used for password resets. Miasma works exactly this way. If your business depends on a small open source library maintained by one person in another time zone, that is a single point of failure. Know who they are. Have a contingency plan for what happens if their account gets hijacked.
4. Treat vendor security like vendor pricing.
If you evaluate SaaS vendors on price, uptime, and feature set, add security to that list and make it count. Ask vendors for SOC 2 reports. Ask how they handle dependency updates. Ask whether they have their own SBOM. The answers vary wildly, and the questions alone will weed out vendors who shouldn’t be in your stack.
5. Have an “off switch.”
When the next big npm or Python package gets compromised — and there will be a next one — how fast can you pin your dependencies to known-good versions, roll back your last build, or block traffic to the affected vendor? That is your incident response plan for supply chain failures. Most companies don’t have one. Spend an afternoon writing it.
The uncomfortable trend is that the perimeter is dissolving. The work of securing your business used to mean securing your network, your laptops, and your office. It now means securing every package, every service, every extension, and every developer tool that touches your stack. The number of those things grows every quarter. The number of people you have to secure them with doesn’t.
For a 200-person company, the practical move isn’t to out-tech the attackers. It’s to be a less attractive target than the next 200-person company. That means knowing your dependencies, limiting the third-party surface, and having a plan for the day one of them fails. None of this is glamorous. All of it is the actual job in 2026.

test
The December 2024 NPRM ends the “addressable vs. required” loophole. Here’s what healthcare IT teams need to do in the next 90 days.
In February 2024, a single ransomware group compromised Change Healthcare and walked away with the medical records of 192.7 million Americans. That’s more than half the country. The attack vector was almost embarrassingly simple: a Citrix portal without multi-factor authentication.
The company paid a $22 million ransom. UnitedHealth Group, Change’s parent, has since reported breach-related costs north of $3 billion. And yet — until very recently — the federal baseline for protecting patient data hadn’t meaningfully changed since 2013.
That’s about to change. And a lot of healthcare organizations are nowhere near ready.
HHS published a Notice of Proposed Rulemaking on December 27, 2024. Public comments closed in early 2025. The final rule is expected sometime this year, with a compliance window of 6–12 months after publication. The changes are the most significant to the Security Rule in over a decade.
The biggest shift is the end of the “addressable” vs. “required” loophole. Under the current rule, a safeguard can be marked “addressable” — meaning you can skip it if you document a reasonable alternative. In practice, that became an excuse to skip encryption, MFA, and other things organizations didn’t want to budget for. The NPRM basically eliminates that distinction. Things that were “addressable” become required, full stop.
The requirements getting teeth:
If you’re reading that list and feeling a bit of acid reflux, you’re not alone.
The 2013 rule was written for a world of Windows XP workstations on flat networks and clinicians logging in from a single office. The attackers of 2026 are not playing by those rules.
Three patterns define the modern healthcare threat:
Third-party vendors are the new front door. The Change Healthcare breach wasn’t a hospital being hacked. It was a clearinghouse used by virtually every US provider. Ascension’s May 2024 ransomware incident started with a contractor downloading a malicious file. When a single vendor handles billing, scheduling, or credentialing for thousands of practices, that vendor’s security posture becomes your security posture.
Medical devices are a soft target. A 2022–2024 wave of FDA safety communications flagged vulnerabilities in devices from Medtronic, BD, Illumina, and others. Many run outdated embedded operating systems, have hardcoded credentials, and can’t be patched without taking the device offline. The new rule will require device inventories, SBOMs (software bills of materials), and a documented plan for addressing known vulnerabilities.
Initial access brokers are running a SaaS model. Groups like Scattered Spider, BlackCat/ALPHV, and LockBit-affiliated crews specialize in selling access rather than running ransomware themselves. Healthcare organizations with exposed RDP, unpatched VPN appliances, and help desks that don’t do callback verification are paying the price.

You don’t have to wait for the final rule. The practices that get ahead of this now will be the ones that pass their next OCR audit with a handshake instead of a subpoena.
Inventory everything that touches ePHI. Laptops, phones, printers, fax servers, imaging systems, infusion pumps, badge readers that store biometric templates — all of it. If you can’t list it, you can’t protect it.
MFA everywhere, no exceptions. This is the single highest-ROI change. The Change Healthcare attackers walked in through a single Citrix account with no MFA. Don’t let that be your story.
Review your BAAs, then actually test the vendors. A signed Business Associate Agreement is not a security posture. Ask your clearinghouses, billing vendors, and EHR hosting providers for SOC 2 Type II reports and recent penetration test summaries.
Run an actual tabletop exercise. Pretend your EHR is down for 48 hours. Who calls whom? What’s the manual fallback for prescriptions and lab orders? How do you notify patients? Write it down. Then test it again in six months.
Patch the worst things first. CISA’s Known Exploited Vulnerabilities catalog is a free, opinionated list. Work through it. The 15-day SLA for critical flaws isn’t aspirational under the new rule.
If you’re a solo practitioner or a small group, the list above is intimidating. You’re running a medical practice, not a security operations center. The good news: HHS has signaled that some new requirements will scale based on size and complexity. The bad news: “we’re small” has not been a winning defense in OCR enforcement actions for years. The 2024 settlement with Plastic Surgery Associates — $500,000, six affected patients — made that point clearly.
Consider a vCISO arrangement (a fractional security officer, typically $3–8k/month) or a managed detection and response provider that knows healthcare. The per-provider cost is a lot smaller than a breach.
The HIPAA Security Rule is finally catching up to the threats healthcare has been facing for a decade. The final rule will land this year, and the compliance clock will start immediately. The practices that use the next 90 days to get MFA in place, finish their asset inventory, and pressure-test their vendors will spend 2026 focused on patient care. The ones that wait will be explaining to OCR why their Citrix portal didn’t have multi-factor authentication.

Why “we have multi-factor authentication” stopped being a reassuring sentence in 2026 — and what SMBs should do this week.
If you bought MFA in 2020 and forgot about it, this article is for you.
On May 24, 2026, the FBI put out an unusual flash alert. A phishing kit called Kali365 — sold as a subscription on Telegram, of all places — was hitting Microsoft 365 accounts at hundreds of organizations. The headlines screamed that it “bypasses MFA.” A few hours of reading made me realize that’s the wrong way to think about it. Kali365 doesn’t bypass MFA. It bypasses you — the part of the system that is still, embarrassingly, the easiest thing to attack.
If you run IT for a 50-to-500-person company, here’s what changed, why it changed, and what to do before the next vendor breach shows up in your inbox.

For a long time, MFA was the line in the sand. You drew it between “people who got phished” and “people who didn’t.” In 2026, that line is somewhere it isn’t useful anymore.
Three things happened in the last month that I think every IT leader should know about:
1. Kali365 and the rise of consent phishing. The FBI alert describes a kit that tricks a user into clicking “Allow” on a malicious OAuth app. No password is typed. No MFA prompt is shown. The user authorizes an app, the app gets a refresh token, and from that point forward the attacker is the user — until someone revokes the token or it expires. Microsoft 365 sits behind more than a million U.S. companies. Most of them have no idea which third-party apps their employees have already authorized. (FBI warning, May 24, 2026; reported by TechRadar, HotHardware, TechTimes.)
2. CrowdStrike’s 2026 Financial Services Threat Report found that the single most common attacker against banks and insurers last year never phished a password at all. They phished a session. Once a user authenticated successfully, the attacker stole the cookie and rode it across the rest of the network. The report’s framing is sharp: MFA verifies who logged in. It has no idea what they do next.
3. SonicWall CVE-2024-12802. A previously-patched SSL-VPN authentication bypass got re-bypassed by a new flaw disclosed in mid-May. The lesson isn’t about SonicWall specifically. It’s that identity-layer bugs are showing up in the patches designed to fix identity-layer bugs. Every appliance you expose to the internet deserves a second look this quarter.
Put those three stories next to the GitHub breach on May 20 (a poisoned VS Code extension on an employee’s laptop, 3,800 internal repos gone in a single worm) and the picture is hard to argue with: the attackers have moved past your login screen.
When I say “you have MFA,” I want to know which kind. The difference matters more than it used to.
| Method | Can Kali365 / token-theft beat it? |
|---|---|
| SMS codes | Yes. SIM swap, SS7 routing, prompt bombing. |
| Authenticator app (TOTP) | Mostly yes. Real-time phishing proxies relay the code before it expires. |
| Push notifications (Duo, Microsoft Authenticator push) | Yes. Prompt bombing (“are you sure? are you sure?”) and adversary-in-the-middle kits. |
| FIDO2 / WebAuthn / Passkeys (YubiKey, Windows Hello, Apple passkeys) | No. The key is bound to the real domain. A fake login page can’t complete the handshake. |

Microsoft, Google, and CISA have all said, in writing, that FIDO2-based credentials are the only MFA worth buying for new deployments. If your authenticator app has a green “Approve” button, you should be planning a migration. Hardware keys cost roughly $25-$50 per employee. For a 100-person shop, that’s a one-weekend project and a meaningful dent in your attack surface.

If I were running IT at a small business and could only pick five things, this is the list — in order of how much risk it actually buys down:
Turn on conditional access. In Entra ID (Azure AD) or Google Workspace, require device compliance, block legacy authentication, and restrict sign-ins by country or IP range. Legacy auth is where most of the OAuth-token attacks still land. Microsoft has a one-click toggle in the Entra admin center. Do it this afternoon.
Audit OAuth consents. Go to https://myapps.microsoft.com (or the Google equivalent) and click “My Apps.” Look at every third-party app a user has authorized. You will be horrified. Revoke anything you don’t recognize. The Kali365 attack leaves a long trail of “Mailbox.Read” or “Files.ReadWrite” grants with publisher names like “K365Sync” or “CloudBackup365.” Train your finance and HR teams to never click “Accept” on a Microsoft 365 consent screen — full stop.
Move admin accounts to phishing-resistant MFA. Domain admins, finance, anyone who can move money or change payroll. Hardware key only. No exceptions. The single biggest dollar-loss events in 2025 all started with a privileged account.
Set session lifetime to 8 hours or less. A stolen token is only useful until it expires. Shorter sessions mean more re-auth prompts, but the alternative is a 30-day refresh token that an attacker can hand around the dark web.
Watch the post-authentication behavior, not the login. This is the conceptual shift. Push alerts, Slack messages, MFA prompts — those are login-layer signals. You also need post-login signals: which mailbox rules were created, which OAuth grants were added, which file-share permissions were changed in the last 24 hours. Microsoft Defender, Huntress, and a dozen newer tools now do this. Pick one and turn it on.
I don’t say this to scare anyone. The attackers aren’t smarter than they were in 2022. They just got more patient. A Kali365 subscription costs a few hundred dollars a month. An hour of a junior analyst’s time at your company is worth more than that. The economics have flipped, and the defense has to flip with it.
MFA is still the best thing most of you have done. It’s just no longer the last thing. The next layer — what happens after a user proves who they are — is where the work is now. The good news: most of it is policy, not purchases. You can do a meaningful chunk of it this week, before the next alert shows up in your inbox.
Have a question about your own MFA setup? Reply to the newsletter — I read every message. If you want a second pair of eyes on your Microsoft 365 or Google Workspace tenant, that’s exactly the kind of thing we do.
Word count: ~1,090
Three weeks ago, OpenAI confirmed what many in the security community already suspected: two of its employees had their devices compromised through a supply chain attack on TanStack, a popular open-source framework. The attackers made off with internal credentials. OpenAI is not a small business. It has dedicated security teams, strict DevOps hygiene, and resources that most companies would envy. Still, the attackers got in.
That fact should unsettle every small-business owner and IT manager who thinks supply chain security is someone else’s problem.
The numbers from 2026 make the threat concrete. Ransomware attacks against SMBs are projected to rise 40% by year’s end, according to Cobalt. Small businesses report a cyberattack every seven seconds. The average breach costs roughly $254,000 — a figure that puts survival into sharp relief, since 60% of attacked firms close within six months. Those aren’t abstract statistics. They’re the beginning of a conversation about whether your business can absorb that kind of loss.
But the more significant shift in 2026 isn’t the volume of attacks. It’s the target selection and the methods. SMBs now account for 43% of all cyberattacks, per recent industry surveys. And the attack on SAP’s npm ecosystem in late April — a campaign researchers dubbed “Mini Shai-Hulud” — shows exactly how threat actors are exploiting the smaller, less-defended perimeter.
On April 29, 2026, four official npm packages from SAP’s development ecosystem were republished with malicious versions. For roughly two to four hours, anyone running npm install against the wrong version pulled a credential-stealing payload. Researchers found references to the campaign in over 1,000 GitHub repositories — each one a developer’s project, recently poisoned without their knowledge.

The mechanism was a preinstall script embedded in the malicious package. When a developer ran npm install, the script executed silently, in the background, harvesting credentials from the local environment. No zero-day exploit. No sophisticated vulnerability. Just a trusted package, briefly compromised, doing exactly what it was designed to do.
This is the supply chain attack model: compromise the tool, not the target. One successful poisoning can yield hundreds of downstream infections. The attacker invests once; the payoff multiplies across every organization that pulls the poisoned package.
For a small business that relies on open-source dependencies — which is to say, almost all of them — this means your security posture is partially determined by maintainers you’ve never met, at companies you’ve never heard of, whose CI/CD pipelines you’ve never audited. You inherit their risk.

April 2026 brought another quiet shift that compounds the problem. NIST’s National Vulnerability Database, the canonical source that most organizations rely on for CVE information, formally gave up on enriching the long tail of older vulnerabilities. As of mid-April, approximately 29,000 legacy CVEs are now marked “Not Scheduled” — not because they’re resolved, but because NIST no longer has the resources to process them.
New submissions in Q1 2026 ran about a third higher than the same period last year. The NVD is working faster than ever, but falling further behind. Only an estimated 15 to 20 percent of new CVEs receive full enrichment now. That means the detailed analysis, the severity scoring, the context that helps teams prioritize — it’s missing for the majority of newly published vulnerabilities.
For a small business that relies on automated vulnerability scanning, this creates a dangerous gap. Your scanner may flag thousands of CVEs without the context to know which ones are actually exploitable in your environment. You’re flying partially blind just when attackers are getting more sophisticated.
The security community has spent years warning that AI would lower the barrier for threat actors. In 2026, that warning is materializing. Agents are now deploying fully autonomous attack campaigns with no human operator steering the intrusion. Ransomware groups are using AI to identify vulnerable supply chain links faster, to craft convincing phishing content, and to adapt in real time when a lure gets burned.
But AI cuts both ways. The same models that generate convincing social engineering content are being integrated into security tooling — automated threat hunting, anomaly detection tuned to your specific network traffic, and incident response that starts containment before a human analyst finishes reading the first alert. The organizations making progress on defense are the ones treating AI as a force multiplier for their existing team, not a magic solution.
This is where the advice gets uncomfortable, because there is no single fix. Supply chain security requires discipline across multiple layers.
Audit your dependency tree. Most small businesses have more open-source packages in their projects than they’d estimate. Run npm audit or its equivalent regularly. Pin your package versions and review your package-lock.json — don’t let your CI/CD pull unchecked updates from registries you trust by default.
Implement a software bill of materials. A SBOM sounds like enterprise bureaucracy, but the cost of generating one has dropped dramatically. Knowing exactly what you’ve pulled in is the prerequisite for knowing what’s been compromised when the next advisory drops.
Rotate credentials regularly, especially within CI/CD pipelines. The SAP attack harvested developer credentials. Long-lived tokens, unused service accounts, and old deploy keys are the quiet accumulation of technical debt that becomes a breach vector.
Prioritize by exploitability, not just severity scores. With 80% of new CVEs arriving without full NVD enrichment, you need to make your own prioritization calls. If a CVE has a known proof-of-concept exploit in the wild, treat it as critical regardless of what the official score says.
Apply the principle of least privilege to your vendor relationships. The attack on OpenAI started with two employee devices. That means the initial access path didn’t require hacking the company — just one person’s workstation. Your vendors are an extension of your attack surface. Know what access they’ve been granted and why.
The hardest part of supply chain risk is that it moves through channels you don’t control and often don’t monitor. You’re trusting that the SAP developer who republished those npm packages had secure credentials. You’re trusting that the TanStack maintainer’s account wasn’t phished. You’re trusting that the Cemu project’s GitHub builds were properly secured — and 20,000 Linux users learned the hard way that those trusts were misplaced.
Supply chain attacks are not new. What’s new in 2026 is the combination of AI-accelerated exploitation, an overwhelmed NVD, and threat actors specifically targeting the smaller, less-defended organizations in the chain. The attackers have made the math work in their favor: small businesses are profitable targets precisely because they can’t afford dedicated security teams, but they depend heavily on open-source tooling and vendor software that the attackers can compromise at scale.
The good news is that most supply chain attacks have a window. The SAP packages were malicious for two to four hours. If your monitoring is fast enough, you can catch the infection before it spreads. The question is whether your team will be looking when that window opens.
The phone buzzes. Your CEO’s name appears on a text message: “Hey, are you around? Need you to grab some gift cards for a client emergency. I’ll pay you back tomorrow.” It looks legitimate. The number matches. The wording feels normal.
But the number was spoofed, and the voice was cloned from a LinkedIn video posted three years ago. By the time you realize what happened, $12,000 is gone.
This isn’t science fiction. It’s happening to real businesses right now, and the attacks are getting harder to spot.

The FBI’s Internet Crime Complaint Center reported $20.88 billion in losses to cybercrime in 2025 alone. That’s a 26% spike from the year before. More than a million Americans filed complaints.
For small and medium businesses, the math is brutal. Sophos found the average ransomware recovery cost for companies with 100-250 employees hit $638,536 excluding ransom payments. That figure covers downtime, forensic work, lost business, and rebuilt systems. No wonder 75% of SMBs surveyed by CyberCatch said a single ransomware incident could shut them down for good.
And here’s the statistic that keeps chief information security officers up at night: 95% of cybersecurity incidents trace back to human error. Not zero-days. Not sophisticated nation-state tooling. People clicking links they shouldn’t, reusing passwords, or responding to messages that feel urgent and real.
The 2026 Verizon Data Breach Investigations Report, published this spring, surfaced another shift. For the first time in nearly two decades, vulnerability exploitation overtook stolen credentials as the leading initial access method. Attackers aren’t always hacking in. They’re walking through unlocked doors that developers forgot to close.

Phishing has been the top threat to SMBs for years, and it’s not going away. The volume is staggering. According to CyberTec Security’s February 2026 analysis, millions of phishing attempts launch every quarter. SMBs are favorite targets because they’re accessible, often understaffed on security, and frequently lack the awareness training that enterprises run routinely. An attacker can spray 10,000 emails at a Fortune 500 with sophisticated filters working overtime, or they can hit a 50-person accounting firm where everyone shares a single Microsoft 365 admin account.
The human factor compounds the problem. When People.ai analyzed breach causes, they found 68% of cybersecurity incidents came from human error. Human error is cheap to exploit. You don’t need to find a zero-day when an email promising “your payroll is ready” will do.
The thing that separated 2025-2026 from earlier years wasn’t just phishing — it was the weaponization of AI. Deepfake audio attacks emerged as a genuine threat to businesses of every size. The most documented case: a Hong Kong firm where a CFO received a call he swore was his UK-based CEO. Voice, cadence, even background noise. He transferred $25 million in a single afternoon.
AI-generated phishing emails are now indistinguishable from legitimate correspondence. They carry proper grammar, correct tone, and personalized content pulled from LinkedIn profiles or recent company announcements. Spelling errors — once the telltale sign of a fraudulent message — are largely gone.

Most security advice reads like a to-do list that goes nowhere. Here’s what actually moves the needle for SMBs with limited budgets and even more limited time.
Verify first. Any request involving money or sensitive data should go through a secondary channel. Call the person back on a known number — not the one that just texted you. If the CFO calls asking for an urgent wire transfer, hang up and dial the extension you have on file.
Run table-top exercises. Once a quarter, walk your team through a hypothetical breach scenario. Not to scare them, but to build the reflex to question unusual requests. The people who catch phishing attempts most reliably are the ones who’ve thought about what one looks like before they encounter it.
Lock down multi-factor authentication everywhere. Email, banking, cloud storage, remote access tools. If it doesn’t have MFA enabled, it’s a single point of failure. Time-based authentication apps or hardware keys are the gold standard — SMS is better than nothing but remains spoofable.
Practice your incident response before you need it. Know who you’re going to call, what you’re going to disconnect first, and who has the authority to make decisions at 2am on a Saturday. Breaches handled in the first hour cost a fraction of those that spread while teams figure out their own playbook.
Your team isn’t the weakest link in your security posture. They’re your biggest risk and your best defense. Invest accordingly.
A dentist’s office in Ohio. A manufacturing firm in Michigan with 40 employees. A landscaping company in Colorado. What do they have in common? All three were breached in the past year alone, and all three had something else in common: they thought they were too small to be worth targeting.
They were wrong.
The modern cyberattack economy has made every business with an internet connection a potential target. The question isn’t whether you’ll be attacked. For most small and medium businesses, it’s already happening. The question is whether you’ll notice before something critical gets encrypted, stolen, or held hostage.
Here’s what’s changed in the past few years. Ransomware groups used to focus on big enterprises because that’s where the big paydays were. You go after a Fortune 500 company, you might get a $10 million ransom. Easy calculus.
That calculus is broken now.
The rise of ransomware-as-a-service means anyone with a few hundred dollars and minimal technical skill can rent attack infrastructure. Meanwhile, AI has automated the tedious parts of cybercrime: phishing email generation, vulnerability scanning, credential stuffing. What used to require a skilled operator now runs in fully automated attack pipelines that churn through potential targets 24/7.
The result is that small businesses have become the path of least resistance. A 40-person accounting firm has fewer security resources than an enterprise but often stores the same types of sensitive data—client financial records, Social Security numbers, tax documents. Attackers know this. They’re not picking on you specifically; you’re just in the pile, and the pile keeps getting larger.
Let’s talk about actual risk instead of marketing FUD.
SonicWall’s 2026 report found that SMBs face seven critical security gaps on average, with network edge devices being the most commonly exploited entry point. The report noted that attacks are evolving faster than many SMB defense capabilities can keep up.
The cybercrime economy is now estimated at $10.5 trillion annually. About 43% of cyberattacks specifically target small businesses, according to multiple industry sources. The average cost of a breach for a small business? Somewhere between $120,000 and $1.2 million, depending on the study and what you count. For many businesses this size, that’s existential.
But here’s the number that should keep you up at night: 60% of small businesses that experience a significant cyberattack shut down within six months. Not because the attack itself is always fatal, but because the recovery costs, reputational damage, and regulatory fallout compound faster than the business can handle.
Here’s the uncomfortable truth about most small businesses: cybersecurity falls to whoever has bandwidth, and nobody has bandwidth.
In an enterprise, there’s a CISO, a security team, maybe an MSSP. At a 50-person company, IT might be one person who also handles billing and schedules vendor meetings. Cybersecurity isn’t their job; it’s one of fourteen things they do between outages and software updates.
This is what some researchers call the accountability gap. Nobody owns security holistically. Nobody has time to stay current on threats. And nobody’s job depends on getting it right—until they get it wrong.
The result is predictable: outdated software, reused passwords, no multi-factor authentication on critical systems, no tested backups. The same vulnerabilities that security professionals have been screaming about for years, still unpatched because there’s always something more urgent.
Let me be concrete. If you’re running a small business and your security budget is “whatever’s left over,” here’s where to focus.
Multi-factor authentication is non-negotiable. Not optional, not someday. Turn it on for everything that supports it: email, banking, cloud services, remote access. Use an authenticator app or hardware key rather than SMS if you can. This one change alone would have prevented a significant percentage of the breaches I track.
Assume your backup will fail when you need it. Test it. Actually restore something from backup and verify it works. The number of businesses that had backups that turned out to be corrupted, incomplete, or mapped to the wrong VM is absurd. If your backup has never been tested under realistic conditions, you don’t have a backup; you have a hope.

Lock down remote access. RDP exposure to the internet is still one of the most common breach paths for small businesses. If you need remote access, use a VPN or better yet, a zero-trust network access solution. Port 3389 should not be directly accessible from the internet under any circumstances I can think of.
Segment your network. Your HVAC vendor doesn’t need to be on the same network as your finance systems. Neither does your point-of-sale, if you have one. Network segmentation won’t stop a breach, but it will limit what an attacker can reach once they’re inside.
I want to address the “we don’t have budget for this” objection because it’s sometimes valid and sometimes not.
Yes, some security tools are expensive. But the most impactful security measures aren’t: MFA is free on most platforms. Backups are as old as computing. Network segmentation is a configuration change, not a purchase order.

What often gets skipped isn’t the expensive stuff—it’s the boring stuff. Documenting what you have. Knowing which vendor has access to what. Having a conversation with your team about what phishing looks like. These aren’t glamorous, but they’re where breaches actually come from.
A realistic security posture for a small business doesn’t require a security operations center. It requires that you know what you’re protecting, you control who has access, and you can recover when something goes wrong.
The threat landscape isn’t going to get simpler. AI will make attacks more sophisticated and more automated. The supply chain for cybercrime will keep lowering barriers. The businesses that survive won’t be the ones with the biggest security budgets—they’ll be the ones that did the basic things consistently.
Start with the basics: MFA everywhere, tested backups, locked-down remote access, network segmentation, and an actual plan for when things break. Everything else is refinement.
If you want a starting point, NIST’s Small Business Cybersecurity page has practical guides that aren’t written for security professionals. They’re written for people who have a business to run and need to know what actually matters.
The attackers aren’t going to slow down. But there are legitimate steps you can take that don’t require a six-figure security budget. Start somewhere. The cost of starting is far less than the cost of not starting.
The old advice was simple: you’re probably too small to bother with. Cybercriminals go after the big fish, the enterprises with millions of customer records and deep pockets. Run a 50-person accounting firm or a regional plumbing supply company? You’re safe.
That logic is now dangerously outdated.
In 2025, 80% of small businesses experienced at least one cyberattack. Not because they were unlucky or singled out, but because automated attack tools have made it cheap and easy to sweep for vulnerabilities across millions of small business systems simultaneously. You’re not being targeted. You’re being fished.
Small businesses have the same digital footprint as large enterprises, minus the security budget. You run Microsoft 365. You have remote employees accessing shared drives. You probably use some cloud-based accounting software, a CRM, maybe a VoIP phone system. Each connection point is a potential entry.
A Fortune 500 company has a security operations center monitoring those entry points 24/7. You have whoever handles IT when they’re not doing something else.
This is exactly what attackers exploit. Ransomware-as-a-Service platforms now let anyone with a few hundred dollars and minimal technical skill launch professional-grade attacks. The tools have gotten better; the barrier to entry has dropped to nearly zero. Three ransomware groups were responsible for nearly half of all ransomware attacks in a recent month, and they weren’t exclusively going after big targets.

Forty-one percent of small business cyber incidents in 2025 were AI-driven. Phishing emails that used to announce themselves with bad grammar and obvious red flags now read like internal memos from your CEO. Business Email Compromise attacks, where attackers impersonate executives or vendors to wire money, increasingly use AI to generate convincing correspondence. In Q2 of last year, 40% of BEC emails were AI-generated.
This matters for small businesses because you lack the dedicated training resources that larger organizations can throw at employee awareness. Your team isn’t getting quarterly phishing simulations and security briefings. They get a memo once a year, maybe.
Attackers know this. They’ve calibrated their tools accordingly.
The numbers are grim. For companies with fewer than 500 employees, the average cost of a data breach now runs $3.31 million. That’s not a typo. That’s direct costs, regulatory fines, legal fees, lost business while systems are down, and the customers who never come back.
Most small businesses don’t have cyber insurance that covers this. Many don’t have any cyber insurance at all. Of those that do, policy language often excludes certain types of attacks or requires documentation standards that small businesses can’t meet in the chaos of an incident.
The survival rate after a significant cyberattack for a small business is grim. Not because the attacks are technically unstoppable, but because the financial shock is often terminal.
“We use a cloud provider, so we’re covered.” Your cloud provider secures their infrastructure. You’re responsible for your data, your access controls, your configuration. The 2019 Capital One breach happened because of a misconfigured web application firewall, not a failure at Amazon’s end.
“Our employees would never click on that.” The most sophisticated phishing emails don’t look like phishing emails. They look like DocuSign notifications, QuickBooks invoices, or a Slack message from your office manager about a voicemail. By the time someone realizes something’s wrong, it’s too late.
“We’d know if we were attacked.” dwell time, the period between a breach and its discovery, averages over 200 days for small businesses. Your systems might be compromised right now, with an attacker watching your email traffic and mapping your financial processes, waiting for the right moment to strike.
You don’t need enterprise security to dramatically reduce your risk. The basics work; they just require consistency.
Multi-factor authentication on everything. If your email is compromised, attackers have a foothold into everything else. One compromised email account has been the starting point for breaches that cost companies millions. Every account, no exceptions.
Offline backups. Ransomware attackers specifically target backups first. If your backup solution is connected to your network, it can be encrypted along with everything else. Offline, tested backups that you can actually restore from are non-negotiable.
Patch management. A decade-old vulnerability in a VPN appliance was responsible for millions in breach costs in 2024. The vulnerability had been patched. The companies affected hadn’t applied the update. Pick one day a month to update critical systems and treat it like a business meeting you can’t cancel.

Incident response plan. Only 34% of small businesses have a formal incident response plan. When you’re in the middle of an attack is a terrible time to figure out who does what, which systems to shut down first, and how to communicate with customers. Write the plan now, while your systems are running normally.
Assume your vendors are a risk. Your IT managed service provider, your payroll processor, the software your accountant uses to access your books, all of these are potential entry points. Ask your vendors about their security practices. If they can’t give you a straight answer, that’s information.
You can’t prevent every attack. Nation-state actors and determined criminals will sometimes get through no matter what you do. What you can do is make yourself a harder target than the business next door, build systems that recover quickly, and understand that security is not a product you buy but a practice you maintain.
The attackers aren’t going to stop targeting small businesses. The tools are getting cheaper and more sophisticated. The only question is whether you’re going to do anything about it before something happens, not after.
The FBI’s Internet Crime Complaint Center received over 21,000 BEC complaints with adjusted losses exceeding $2.9 billion in 2023. Industry analysts estimate the real number is significantly higher because most businesses quietly absorb losses rather than report them publicly.
The average BEC wire transfer loss for mid-size companies now sits around $498,000, according to an AFP/Fortress Security survey. For companies under 100 employees, the median loss is lower but still devastating in proportion to revenue.
BEC works because it doesn’t hack systems — it hacks people. An attacker impersonates a vendor, CEO, or IT administrator and asks for something routine: an invoice paid to a new account, a wire transfer, a change to direct deposit credentials.
The sophistication has increased dramatically. Modern BEC actors research their targets: they know the vendor relationships, the CFO’s travel schedule, the timing of quarterly payments. They don’t need malware or phishing links. A convincing email voice and a sense of urgency are enough.

The most common BEC variant — vendor email compromise — exploits the trust between businesses. An attacker compromises a vendor’s email, monitors invoices, and then sends a convincing update asking the customer to route payment to a new account.
By the time the real vendor follows up on the unpaid invoice, the money is gone and the bank account is empty. Recovery rates are near zero. Law enforcement can track the funds but the money moves through multiple intermediary accounts in days.
BEC emails share common patterns that are obvious in retrospect:
Urgency is the biggest tell. “We need this processed today” or “The CEO is asking personally” creates pressure that bypasses normal verification steps. Legitimate requests from real vendors rarely demand same-day wire transfers out of nowhere.

The most effective BEC defense is also the simplest: out-of-band verification. If someone requests a wire transfer or payment change via email, you call them back on a known-good number — not the number in the email. This one control breaks the attack chain entirely.
For vendors and financial requests, establish a callback verification process as standard operating procedure. Any request to change payment details should trigger a mandatory confirmation call before processing.
Dual authorization on wire transfers above a threshold dollar amount adds a second human to the decision, which dramatically reduces the effectiveness of urgency-based attacks.
Training employees to recognize BEC patterns is table stakes. But training alone fails because BEC emails don’t look like phishing — they look like normal business communication. The cultural shift that matters is making it safe for employees to slow down and verify, without feeling like they’re questioning authority or slowing down the business.
The $2.9 billion figure from the FBI is a floor, not a ceiling. Companies don’t report BEC incidents because of reputational concerns, legal exposure, and the uncomfortable admission that someone in accounting got fooled by a stranger pretending to be a trusted vendor.
This silence benefits attackers. Every successful BEC that goes unreported means the attackers can use the same playbook again against another company in the same industry, with the same vendor relationships, without fear of law enforcement catching on.
BEC is not a technology problem you can solve with better email filtering. It’s a human problem that requires human solutions: verified processes, dual controls, and a culture where verification is a habit, not a怀疑.