The part no one wants to say out loud: you can’t audit them all.
Last week, a security research firm named Novee published a finding that should make every CIO in the country uncomfortable. A class of vulnerabilities they’re calling Cordyceps — embedded in GitHub Actions workflows — exposed more than 300 public repositories (including those of Microsoft, Google, and Apache) to full supply-chain takeover. An attacker with the right foothold could push poisoned code into the open source packages that millions of applications depend on. The exposure was wide. The blast radius is the entire internet.
If you’re running a 50-person SaaS company or a regional healthcare network, you probably read that story and thought the same thing I did: I don’t control any of this.
That’s the point. Welcome to the supply chain problem.
Five years ago, “supply chain attack” mostly meant a compromised vendor slipping malware into a software update. The SolarWinds incident of late 2020 fit that model almost perfectly. One point of compromise. Investigate, contain, move on.
The 2026 version is messier, broader, and harder to point at. Three stories from the last ten days alone:
Three different vendors. Three different attack surfaces. One common reality for anyone running a small IT team: the things you depend on to ship software, take payments, or run your website are being attacked in ways you cannot see.
The press coverage tends to focus on the household names. Microsoft, Google, Apache, AWS — these are mature companies with serious security teams. If they miss a bug in their CI/CD pipeline or their extension store, it’s news for a week and then they patch.
The same software is sitting in your stack. A 30-person e-commerce business might run its entire operation on a handful of npm packages, a payment processor, an inventory SaaS, and a small fleet of AWS services. Any one of those is a possible entry point. The smaller company can’t audit the source of every dependency, can’t review the security of every SaaS vendor, and almost certainly doesn’t have a Software Bill of Materials to begin with.
A few uncomfortable numbers, courtesy of Verizon’s 2025 Data Breach Investigations Report: 30% of breaches now involve a third-party component, and that share has been climbing every year since 2021. For small businesses specifically, the figure is higher — somewhere around 40%, depending on which report you read.
You don’t have to be the actual target. You just have to be downstream of one.

The honest answer: you cannot eliminate the risk. Anyone who tells you they can is selling you something. But you can reduce the blast radius and catch problems faster. Here’s what I’d actually do this week if I were running IT for a 50-to-500-person company.
1. Inventory your dependencies. Then inventory them again.
You probably have an official list of approved SaaS vendors and on-prem software. That list is incomplete. The real inventory lives in your developers’ package.json files, your DevOps team’s GitHub Actions, your marketing team’s browser extensions, and your sales team’s Chrome plug-ins. Get a Software Bill of Materials (SBOM) tool — CycloneDX or SPDX-format generators are free and plug into most CI systems. You can’t protect what you can’t name.
2. Lock down browser extensions.
The StegoAd case is a reminder that the attack surface you can see is not the only one. Browser extensions run with the same privileges as the user who installed them. Set a corporate policy. Audit which extensions are installed across the team. Don’t allow employees to install extensions on company-managed browsers without a review. This sounds pedantic. It is not.
3. Watch the maintainers, not just the packages.
A growing share of supply chain attacks in 2026 target the humans behind the software. Compromised maintainer accounts. Social engineering of project owners. Hijacked email addresses used for password resets. Miasma works exactly this way. If your business depends on a small open source library maintained by one person in another time zone, that is a single point of failure. Know who they are. Have a contingency plan for what happens if their account gets hijacked.
4. Treat vendor security like vendor pricing.
If you evaluate SaaS vendors on price, uptime, and feature set, add security to that list and make it count. Ask vendors for SOC 2 reports. Ask how they handle dependency updates. Ask whether they have their own SBOM. The answers vary wildly, and the questions alone will weed out vendors who shouldn’t be in your stack.
5. Have an “off switch.”
When the next big npm or Python package gets compromised — and there will be a next one — how fast can you pin your dependencies to known-good versions, roll back your last build, or block traffic to the affected vendor? That is your incident response plan for supply chain failures. Most companies don’t have one. Spend an afternoon writing it.
The uncomfortable trend is that the perimeter is dissolving. The work of securing your business used to mean securing your network, your laptops, and your office. It now means securing every package, every service, every extension, and every developer tool that touches your stack. The number of those things grows every quarter. The number of people you have to secure them with doesn’t.
For a 200-person company, the practical move isn’t to out-tech the attackers. It’s to be a less attractive target than the next 200-person company. That means knowing your dependencies, limiting the third-party surface, and having a plan for the day one of them fails. None of this is glamorous. All of it is the actual job in 2026.

Three weeks ago, OpenAI confirmed what many in the security community already suspected: two of its employees had their devices compromised through a supply chain attack on TanStack, a popular open-source framework. The attackers made off with internal credentials. OpenAI is not a small business. It has dedicated security teams, strict DevOps hygiene, and resources that most companies would envy. Still, the attackers got in.
That fact should unsettle every small-business owner and IT manager who thinks supply chain security is someone else’s problem.
The numbers from 2026 make the threat concrete. Ransomware attacks against SMBs are projected to rise 40% by year’s end, according to Cobalt. Small businesses report a cyberattack every seven seconds. The average breach costs roughly $254,000 — a figure that puts survival into sharp relief, since 60% of attacked firms close within six months. Those aren’t abstract statistics. They’re the beginning of a conversation about whether your business can absorb that kind of loss.
But the more significant shift in 2026 isn’t the volume of attacks. It’s the target selection and the methods. SMBs now account for 43% of all cyberattacks, per recent industry surveys. And the attack on SAP’s npm ecosystem in late April — a campaign researchers dubbed “Mini Shai-Hulud” — shows exactly how threat actors are exploiting the smaller, less-defended perimeter.
On April 29, 2026, four official npm packages from SAP’s development ecosystem were republished with malicious versions. For roughly two to four hours, anyone running npm install against the wrong version pulled a credential-stealing payload. Researchers found references to the campaign in over 1,000 GitHub repositories — each one a developer’s project, recently poisoned without their knowledge.

The mechanism was a preinstall script embedded in the malicious package. When a developer ran npm install, the script executed silently, in the background, harvesting credentials from the local environment. No zero-day exploit. No sophisticated vulnerability. Just a trusted package, briefly compromised, doing exactly what it was designed to do.
This is the supply chain attack model: compromise the tool, not the target. One successful poisoning can yield hundreds of downstream infections. The attacker invests once; the payoff multiplies across every organization that pulls the poisoned package.
For a small business that relies on open-source dependencies — which is to say, almost all of them — this means your security posture is partially determined by maintainers you’ve never met, at companies you’ve never heard of, whose CI/CD pipelines you’ve never audited. You inherit their risk.

April 2026 brought another quiet shift that compounds the problem. NIST’s National Vulnerability Database, the canonical source that most organizations rely on for CVE information, formally gave up on enriching the long tail of older vulnerabilities. As of mid-April, approximately 29,000 legacy CVEs are now marked “Not Scheduled” — not because they’re resolved, but because NIST no longer has the resources to process them.
New submissions in Q1 2026 ran about a third higher than the same period last year. The NVD is working faster than ever, but falling further behind. Only an estimated 15 to 20 percent of new CVEs receive full enrichment now. That means the detailed analysis, the severity scoring, the context that helps teams prioritize — it’s missing for the majority of newly published vulnerabilities.
For a small business that relies on automated vulnerability scanning, this creates a dangerous gap. Your scanner may flag thousands of CVEs without the context to know which ones are actually exploitable in your environment. You’re flying partially blind just when attackers are getting more sophisticated.
The security community has spent years warning that AI would lower the barrier for threat actors. In 2026, that warning is materializing. Agents are now deploying fully autonomous attack campaigns with no human operator steering the intrusion. Ransomware groups are using AI to identify vulnerable supply chain links faster, to craft convincing phishing content, and to adapt in real time when a lure gets burned.
But AI cuts both ways. The same models that generate convincing social engineering content are being integrated into security tooling — automated threat hunting, anomaly detection tuned to your specific network traffic, and incident response that starts containment before a human analyst finishes reading the first alert. The organizations making progress on defense are the ones treating AI as a force multiplier for their existing team, not a magic solution.
This is where the advice gets uncomfortable, because there is no single fix. Supply chain security requires discipline across multiple layers.
Audit your dependency tree. Most small businesses have more open-source packages in their projects than they’d estimate. Run npm audit or its equivalent regularly. Pin your package versions and review your package-lock.json — don’t let your CI/CD pull unchecked updates from registries you trust by default.
Implement a software bill of materials. A SBOM sounds like enterprise bureaucracy, but the cost of generating one has dropped dramatically. Knowing exactly what you’ve pulled in is the prerequisite for knowing what’s been compromised when the next advisory drops.
Rotate credentials regularly, especially within CI/CD pipelines. The SAP attack harvested developer credentials. Long-lived tokens, unused service accounts, and old deploy keys are the quiet accumulation of technical debt that becomes a breach vector.
Prioritize by exploitability, not just severity scores. With 80% of new CVEs arriving without full NVD enrichment, you need to make your own prioritization calls. If a CVE has a known proof-of-concept exploit in the wild, treat it as critical regardless of what the official score says.
Apply the principle of least privilege to your vendor relationships. The attack on OpenAI started with two employee devices. That means the initial access path didn’t require hacking the company — just one person’s workstation. Your vendors are an extension of your attack surface. Know what access they’ve been granted and why.
The hardest part of supply chain risk is that it moves through channels you don’t control and often don’t monitor. You’re trusting that the SAP developer who republished those npm packages had secure credentials. You’re trusting that the TanStack maintainer’s account wasn’t phished. You’re trusting that the Cemu project’s GitHub builds were properly secured — and 20,000 Linux users learned the hard way that those trusts were misplaced.
Supply chain attacks are not new. What’s new in 2026 is the combination of AI-accelerated exploitation, an overwhelmed NVD, and threat actors specifically targeting the smaller, less-defended organizations in the chain. The attackers have made the math work in their favor: small businesses are profitable targets precisely because they can’t afford dedicated security teams, but they depend heavily on open-source tooling and vendor software that the attackers can compromise at scale.
The good news is that most supply chain attacks have a window. The SAP packages were malicious for two to four hours. If your monitoring is fast enough, you can catch the infection before it spreads. The question is whether your team will be looking when that window opens.
The phone buzzes. Your CEO’s name appears on a text message: “Hey, are you around? Need you to grab some gift cards for a client emergency. I’ll pay you back tomorrow.” It looks legitimate. The number matches. The wording feels normal.
But the number was spoofed, and the voice was cloned from a LinkedIn video posted three years ago. By the time you realize what happened, $12,000 is gone.
This isn’t science fiction. It’s happening to real businesses right now, and the attacks are getting harder to spot.

The FBI’s Internet Crime Complaint Center reported $20.88 billion in losses to cybercrime in 2025 alone. That’s a 26% spike from the year before. More than a million Americans filed complaints.
For small and medium businesses, the math is brutal. Sophos found the average ransomware recovery cost for companies with 100-250 employees hit $638,536 excluding ransom payments. That figure covers downtime, forensic work, lost business, and rebuilt systems. No wonder 75% of SMBs surveyed by CyberCatch said a single ransomware incident could shut them down for good.
And here’s the statistic that keeps chief information security officers up at night: 95% of cybersecurity incidents trace back to human error. Not zero-days. Not sophisticated nation-state tooling. People clicking links they shouldn’t, reusing passwords, or responding to messages that feel urgent and real.
The 2026 Verizon Data Breach Investigations Report, published this spring, surfaced another shift. For the first time in nearly two decades, vulnerability exploitation overtook stolen credentials as the leading initial access method. Attackers aren’t always hacking in. They’re walking through unlocked doors that developers forgot to close.

Phishing has been the top threat to SMBs for years, and it’s not going away. The volume is staggering. According to CyberTec Security’s February 2026 analysis, millions of phishing attempts launch every quarter. SMBs are favorite targets because they’re accessible, often understaffed on security, and frequently lack the awareness training that enterprises run routinely. An attacker can spray 10,000 emails at a Fortune 500 with sophisticated filters working overtime, or they can hit a 50-person accounting firm where everyone shares a single Microsoft 365 admin account.
The human factor compounds the problem. When People.ai analyzed breach causes, they found 68% of cybersecurity incidents came from human error. Human error is cheap to exploit. You don’t need to find a zero-day when an email promising “your payroll is ready” will do.
The thing that separated 2025-2026 from earlier years wasn’t just phishing — it was the weaponization of AI. Deepfake audio attacks emerged as a genuine threat to businesses of every size. The most documented case: a Hong Kong firm where a CFO received a call he swore was his UK-based CEO. Voice, cadence, even background noise. He transferred $25 million in a single afternoon.
AI-generated phishing emails are now indistinguishable from legitimate correspondence. They carry proper grammar, correct tone, and personalized content pulled from LinkedIn profiles or recent company announcements. Spelling errors — once the telltale sign of a fraudulent message — are largely gone.

Most security advice reads like a to-do list that goes nowhere. Here’s what actually moves the needle for SMBs with limited budgets and even more limited time.
Verify first. Any request involving money or sensitive data should go through a secondary channel. Call the person back on a known number — not the one that just texted you. If the CFO calls asking for an urgent wire transfer, hang up and dial the extension you have on file.
Run table-top exercises. Once a quarter, walk your team through a hypothetical breach scenario. Not to scare them, but to build the reflex to question unusual requests. The people who catch phishing attempts most reliably are the ones who’ve thought about what one looks like before they encounter it.
Lock down multi-factor authentication everywhere. Email, banking, cloud storage, remote access tools. If it doesn’t have MFA enabled, it’s a single point of failure. Time-based authentication apps or hardware keys are the gold standard — SMS is better than nothing but remains spoofable.
Practice your incident response before you need it. Know who you’re going to call, what you’re going to disconnect first, and who has the authority to make decisions at 2am on a Saturday. Breaches handled in the first hour cost a fraction of those that spread while teams figure out their own playbook.
Your team isn’t the weakest link in your security posture. They’re your biggest risk and your best defense. Invest accordingly.
A dentist’s office in Ohio. A manufacturing firm in Michigan with 40 employees. A landscaping company in Colorado. What do they have in common? All three were breached in the past year alone, and all three had something else in common: they thought they were too small to be worth targeting.
They were wrong.
The modern cyberattack economy has made every business with an internet connection a potential target. The question isn’t whether you’ll be attacked. For most small and medium businesses, it’s already happening. The question is whether you’ll notice before something critical gets encrypted, stolen, or held hostage.
Here’s what’s changed in the past few years. Ransomware groups used to focus on big enterprises because that’s where the big paydays were. You go after a Fortune 500 company, you might get a $10 million ransom. Easy calculus.
That calculus is broken now.
The rise of ransomware-as-a-service means anyone with a few hundred dollars and minimal technical skill can rent attack infrastructure. Meanwhile, AI has automated the tedious parts of cybercrime: phishing email generation, vulnerability scanning, credential stuffing. What used to require a skilled operator now runs in fully automated attack pipelines that churn through potential targets 24/7.
The result is that small businesses have become the path of least resistance. A 40-person accounting firm has fewer security resources than an enterprise but often stores the same types of sensitive data—client financial records, Social Security numbers, tax documents. Attackers know this. They’re not picking on you specifically; you’re just in the pile, and the pile keeps getting larger.
Let’s talk about actual risk instead of marketing FUD.
SonicWall’s 2026 report found that SMBs face seven critical security gaps on average, with network edge devices being the most commonly exploited entry point. The report noted that attacks are evolving faster than many SMB defense capabilities can keep up.
The cybercrime economy is now estimated at $10.5 trillion annually. About 43% of cyberattacks specifically target small businesses, according to multiple industry sources. The average cost of a breach for a small business? Somewhere between $120,000 and $1.2 million, depending on the study and what you count. For many businesses this size, that’s existential.
But here’s the number that should keep you up at night: 60% of small businesses that experience a significant cyberattack shut down within six months. Not because the attack itself is always fatal, but because the recovery costs, reputational damage, and regulatory fallout compound faster than the business can handle.
Here’s the uncomfortable truth about most small businesses: cybersecurity falls to whoever has bandwidth, and nobody has bandwidth.
In an enterprise, there’s a CISO, a security team, maybe an MSSP. At a 50-person company, IT might be one person who also handles billing and schedules vendor meetings. Cybersecurity isn’t their job; it’s one of fourteen things they do between outages and software updates.
This is what some researchers call the accountability gap. Nobody owns security holistically. Nobody has time to stay current on threats. And nobody’s job depends on getting it right—until they get it wrong.
The result is predictable: outdated software, reused passwords, no multi-factor authentication on critical systems, no tested backups. The same vulnerabilities that security professionals have been screaming about for years, still unpatched because there’s always something more urgent.
Let me be concrete. If you’re running a small business and your security budget is “whatever’s left over,” here’s where to focus.
Multi-factor authentication is non-negotiable. Not optional, not someday. Turn it on for everything that supports it: email, banking, cloud services, remote access. Use an authenticator app or hardware key rather than SMS if you can. This one change alone would have prevented a significant percentage of the breaches I track.
Assume your backup will fail when you need it. Test it. Actually restore something from backup and verify it works. The number of businesses that had backups that turned out to be corrupted, incomplete, or mapped to the wrong VM is absurd. If your backup has never been tested under realistic conditions, you don’t have a backup; you have a hope.

Lock down remote access. RDP exposure to the internet is still one of the most common breach paths for small businesses. If you need remote access, use a VPN or better yet, a zero-trust network access solution. Port 3389 should not be directly accessible from the internet under any circumstances I can think of.
Segment your network. Your HVAC vendor doesn’t need to be on the same network as your finance systems. Neither does your point-of-sale, if you have one. Network segmentation won’t stop a breach, but it will limit what an attacker can reach once they’re inside.
I want to address the “we don’t have budget for this” objection because it’s sometimes valid and sometimes not.
Yes, some security tools are expensive. But the most impactful security measures aren’t: MFA is free on most platforms. Backups are as old as computing. Network segmentation is a configuration change, not a purchase order.

What often gets skipped isn’t the expensive stuff—it’s the boring stuff. Documenting what you have. Knowing which vendor has access to what. Having a conversation with your team about what phishing looks like. These aren’t glamorous, but they’re where breaches actually come from.
A realistic security posture for a small business doesn’t require a security operations center. It requires that you know what you’re protecting, you control who has access, and you can recover when something goes wrong.
The threat landscape isn’t going to get simpler. AI will make attacks more sophisticated and more automated. The supply chain for cybercrime will keep lowering barriers. The businesses that survive won’t be the ones with the biggest security budgets—they’ll be the ones that did the basic things consistently.
Start with the basics: MFA everywhere, tested backups, locked-down remote access, network segmentation, and an actual plan for when things break. Everything else is refinement.
If you want a starting point, NIST’s Small Business Cybersecurity page has practical guides that aren’t written for security professionals. They’re written for people who have a business to run and need to know what actually matters.
The attackers aren’t going to slow down. But there are legitimate steps you can take that don’t require a six-figure security budget. Start somewhere. The cost of starting is far less than the cost of not starting.
Alright, grab your stethoscopes and firefighting gear—because cloud security in healthcare isn’t just a nerdy topic; it’s the digital version of locking up your grandma’s jewelry box while she’s asleep. Yes, I know—plumbing isn’t exactly Netflix material, but hang tight. We’re about to turn this technical Tetris into something even a sleep-deprived nurse (or dad trying to set up parental controls) can understand. Let’s dive into the black box of healthcare cloud security best practices—no hazmat suit required, just a little brainpower and maybe a coffee or three.
Picture this: your most sensitive hospital records sitting pretty in the cloud, accessible from a tablet, a laptop, or maybe—even your fridge (Hey, smart homes are a thing now). Sounds dreamy, right? Well, don’t forget the nightmare scenario: hackers lurking like teenagers waiting to snatch that Wi-Fi-enabled Roomba – or being able to simply connect to over 7000 with just one oauth token!
Healthcare data isn’t just personal; it’s prime real estate for cybercriminals. Think identity theft, financial fraud, or—worse—medical records being sold on the dark web. According to SentinelOne, breaches here can mess with your patients’ lives faster than you can say “HIPAA compliance,” which even sounds like a secret society. These regulations demand privacy, security controls, and breach notifications—kind of like the doctor’s code: “First, do no harm (to data).”
And with cloud infrastructure, it’s like opening your front door for everyone to peek inside—unless you’re prepared. It’s more dynamic than a toddler at a sugar rush, which means your old set-it-and-forget-it security approach? Yeah, that’s about as effective as a screen door on a submarine.
Alright, future healthcare heroes, wrap your head around these best practices—think of them as the Swiss Army knives of cloud security. Ready? Set? Secure!

– Kaiser Permanente encrypts and meticulously controls access, protecting millions of records—like Fort Knox, but make it healthcare.
– An increasing number of providers deploy AI-driven threat detection, fighting cybercriminals like digital Sherlock Holmes.
– Microsoft Cloud for Healthcare isn’t just a fancy name; it’s a fortress of compliance and security options tailored for the healthcare sector.
Embracing the cloud in healthcare is like adopting a pet dinosaur—you get massive benefits, but you better be prepared for the teeth and claws. Implement encryption, strong identity controls, vigilant monitoring, and a good risk appetite, and you’re well on your way to building a sturdy digital fortress.
So, if you’re ready to keep your patients’ data safer than grandma’s secret recipes, use these best practices as your blueprint. After all, in healthcare, the only thing more precious than the data is the trust your patients place in you—trust you definitely don’t want to lose.

Your cloud can be more than just a shiny, accessible data silo. With the right security practices, it can be your healthcare fortress. And yes, it will be on the test.
*Sources:*
SentinelOne: Cloud Security in Healthcare
TechMagic: Cloud Security Strategies
HealthTech Magazine: Managing Security in the Cloud
AWS Healthcare Industry Lens
Microsoft Cloud Security Overview for Healthcare
CrowdStrike: Cloud Security Best Practices
Now go forth! Secure those clouds like a boss, and keep that patient data safer than the secret family hot sauce recipe.
Alright, strap in and grab your digital helmet because we’re about to go on a cybersecurity adventure that’s more exciting than watching cat videos at work (and yes, I said it). Today, we’re diving into the mysterious, mystical realm of… drumroll, please… Zero Trust Architecture. Yep, it sounds like something out of a sci-fi movie, but I promise—this is real-world stuff that your small business needs to survive in the wild, wild web.
Picture this: Your cybersecurity strategy is like a fortress. Now, traditional castles rely on big, thick walls — perimeter defenses, like firewalls, that try to keep everything out. But these days, hackers are sneaky ninja-warriors who find chinks in your walls faster than you can say “password123.” So, what do we do? We abandon the fortress approach and adopt a Zero Trust mindset—because trust, my friend, is overrated when it comes to digital security.
*Cue dramatic music* — Zero Trust is all about “never trust, always verify.” Think of it as your grandma’s advice but for cybersecurity: “Don’t trust those emails until you’ve checked,” and “No, you can’t have the Wi-Fi password just because you’re family.”
Now, let’s break down how to make this work for your small business without needing a Ph.D. in cybersecurity or selling a kidney:
Think of your devices as the locks on your front door. If they’re broken or outdated, even the most sophisticated security system won’t save you from burglars.
You wouldn’t leave your front door wide open, right? Same with your network.
Your data isn’t just some bunch of numbers; it’s the heart of your business.
Monitoring manually is like trying to find a needle in a haystack—boring and ineffective.
You don’t have to build the Great Wall of China overnight.
Besides feeling like a cybersecurity superhero, your small biz can enjoy:

Now that you’re probably sitting there thinking, “This sounds complicated,” let me hit you with a hot take: The smallest, easiest step to get started is multi-factor authentication. Do it today! That single layer of verification is like locking your front door—simple, cheap, effective.
From there, take it step-by-step. No need to turn your whole network upside down in one weekend. Rome wasn’t built in a day, and neither is a Zero Trust fortress—but with patience and persistence, your small business can turn its cybersecurity from a leaky boat into a battleship.
And hey, if you’re feeling overwhelmed, check out resources like the NIST Zero Trust guide—because even the digital fortress needs blueprints.
Remember: trust is overrated, especially online. Embrace Zero Trust, and stay safe out there—because in cybersecurity, the best defense is a well-verified offense.
