Takeaways
- Phishing is still the top entry point. The 2024 Verizon DBIR found phishing drove 36% of confirmed breaches. AI-generated messages now pass grammar checks and spoof domains well enough to fool trained employees.
- Ransomware now steals data before encrypting it. Double extortion tactics mean restoring from backup isn’t enough. Average SMB ransom demands now exceed $120,000, before recovery and downtime costs.
- Stolen credentials are in more breaches than most businesses realize. The 2024 Verizon DBIR found 71% of data compromised in web application attacks consisted of credentials. Attackers often go undetected for weeks after getting in.
- Unpatched systems are an open door. The 2025 Verizon DBIR found vulnerability exploitation as an initial access vector increased 34% year over year. Nearly half of known perimeter vulnerabilities remained unresolved.
- Human error causes more breaches than most businesses expect. 28% of breaches in the 2024 Verizon DBIR were driven by mistakes like misconfigured cloud systems or sensitive data sent to the wrong address.
The Cybersecurity Threats Hitting Small Businesses Hardest in 2026
Small businesses aren’t secondary targets. They’re the preferred ones. Function4’s computer security services team works with Houston-area businesses that assumed they were too small to matter to attackers. That assumption is exactly what attackers count on.
The numbers back this up. The 2024 Verizon Data Breach Investigations Report analyzed more than 30,000 security incidents and confirmed over 10,600 data breaches. The human element was a factor in 68% of them. Phishing alone drove 36% of confirmed breaches. Small businesses with fewer than 1,000 employees make up the majority of attack targets across multiple industry reports.
Here’s what’s actually hitting small businesses in 2026 — and what can be done about it.
1. Phishing and Business Email Compromise
Phishing is still the most common way attackers get in. It’s not going away because it keeps working. Modern phishing emails don’t carry the obvious typos and awkward phrasing of a decade ago. AI-generated messages now mimic writing styles, pass grammar checks, and spoof domains well enough to fool trained employees.
Business Email Compromise (BEC) is the more expensive variant. An attacker impersonates a company executive or vendor and convinces a finance employee to wire money or share login credentials. The FBI’s Internet Crime Complaint Center reported that BEC scams transferred more than $6.3 billion from victims in 2024 alone. The median loss per incident is several thousand dollars — enough to seriously damage a small business.
What to do:
- Train employees to verify any financial request through a second channel, like a phone call to a known number.
- Enable multi-factor authentication (MFA) on all email accounts, especially accounts with payment authority.
- Deploy email filtering that flags spoofed domains and unusual sender patterns.
- Run phishing simulation tests so employees encounter fake attacks in a safe environment before real ones hit.
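As an added illustration of the "flags spoofed domains and unusual sender patterns" control above (example code written for this page, not Function4's tooling), the following Python check scores a message's From and Reply-To headers against a constructed allow-list of the company's and vendors' domains. The trusted domains, executive name and sample headers are all made up for the example.

```python
from email.utils import parseaddr

# Constructed sample data, not from the original article:
# domains the business legitimately exchanges payment requests with,
# and display names an attacker would impersonate in a BEC message.
TRUSTED_DOMAINS = {"example-company.com", "acme-vendor.com"}
EXECUTIVE_NAMES = {"jane doe"}

# Character pairs that look alike in common fonts (e.g. "rn" reads as "m").
HOMOGLYPHS = {"rn": "m", "vv": "w", "0": "o", "1": "l"}

def edit_distance(a, b):
    """Levenshtein distance: how many single-character edits separate a and b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def normalise(domain):
    """Collapse homoglyph pairs so 'cornpany' compares equal to 'company'."""
    d = domain.lower()
    for look, real in HOMOGLYPHS.items():
        d = d.replace(look, real)
    return d

def lookalike_of(domain):
    """Return the trusted domain this sender domain imitates, or None."""
    d = domain.lower()
    if d in TRUSTED_DOMAINS:
        return None
    for trusted in TRUSTED_DOMAINS:
        if normalise(d) == trusted or edit_distance(d, trusted) <= 2:
            return trusted
    return None

def check_message(headers):
    """headers: dict with 'From' and optional 'Reply-To'. Returns a list of flags."""
    flags = []
    name, addr = parseaddr(headers.get("From", ""))
    from_dom = addr.rpartition("@")[2].lower()
    imitated = lookalike_of(from_dom)
    if imitated:
        flags.append(f"lookalike domain {from_dom} imitates {imitated}")
    if name.strip().lower() in EXECUTIVE_NAMES and from_dom not in TRUSTED_DOMAINS:
        flags.append(f"display name '{name}' sent from external domain {from_dom}")
    _, reply = parseaddr(headers.get("Reply-To", ""))
    if reply and reply.rpartition("@")[2].lower() != from_dom:
        flags.append("Reply-To domain differs from From domain")
    return flags
```

Any non-empty result is a reason to hold the message for the second-channel verification the list recommends rather than proof of fraud on its own.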
2. Ransomware and Data Extortion
Ransomware has changed. It’s no longer just file encryption with a ransom demand. Threat actors now steal data first, encrypt it second, and threaten to publish it if the ransom isn’t paid. This double extortion tactic removes the option of simply restoring from backup and walking away.
Average ransom demands for small and mid-sized businesses now exceed $120,000, according to cybersecurity industry data. That figure doesn’t include recovery costs, legal exposure, or the downtime that follows. Some businesses never reopen after a serious ransomware hit.
Ransomware-as-a-Service has lowered the bar for attackers significantly. Criminal groups sell ransomware toolkits to affiliates who pay a cut of each payout. Someone with no technical background can launch a capable ransomware campaign. That’s why attack volume against smaller businesses has kept climbing.
What to do:
- Maintain offline, tested backups of all critical systems. Cloud backups alone aren’t sufficient if they’re connected to the same environment an attacker can reach.
- Deploy Endpoint Detection and Response (EDR) tools that catch early-stage infections before they spread.
- Patch software and operating systems on a fixed schedule. Unpatched systems are the most common entry point.
- Partner with a managed IT security provider that monitors for threats around the clock.
3. Credential Theft and Weak Authentication
Stolen credentials are involved in more breaches than most people realize. The 2024 Verizon DBIR found that 71% of data compromised in basic web application attacks consisted of credentials. Once attackers have a valid username and password, they don’t need to hack anything. They just log in.
Credentials get stolen through phishing, dark web purchases of leaked data, and keylogging malware. Password reuse makes the problem worse. An employee who uses the same password for a personal account and a work system hands attackers access to both when that personal account gets breached somewhere else.
Credential theft is quiet. Attackers often stay inside systems for weeks before doing anything noticeable. Continuous monitoring catches this behavior early. Most break-fix IT arrangements don’t.
What to do:
- Require MFA across all accounts, not just email. Financial systems and remote access tools are especially important.
- Enforce a password manager for all employees and ban password reuse.
- Audit account access regularly and revoke credentials that haven’t been used in 30 days.
- Run a dark web scan for exposed employee credentials before attackers find and use them.
4. Unpatched Software and Systems
Small businesses delay updates. It happens for real reasons: short-staffed IT, concern about breaking something that works, or simply not having a process for it. Attackers know this. They scan for unpatched systems at scale, looking for known vulnerabilities with available exploits.
The 2025 Verizon DBIR found that exploitation of vulnerabilities as an initial access vector increased 34% year over year. Perimeter device vulnerabilities — like unpatched firewalls and VPN appliances — were a primary driver. Nearly half of identified perimeter vulnerabilities remained unresolved.
An unpatched system doesn’t have to be running ancient software. A vulnerability disclosed and patched last month becomes a target within hours of publication. Attackers test for it before most businesses apply the fix.
What to do:
- Enable automatic updates where possible for operating systems, browsers, and common applications.
- Assign ownership of patching to a specific person or partner with defined timelines, not ad-hoc schedules.
- Prioritize patching for internet-facing systems, VPNs, and remote access tools.
- Or use a managed IT provider, which handles patch deployment automatically as part of the service agreement.
5. Insider Threats and Human Error
Not every breach involves an outside attacker. The 2024 Verizon DBIR found that human error drove 28% of breaches. Mistakes like sending sensitive data to the wrong person or misconfiguring a cloud system cause the same damage a deliberate attacker would, regardless of intent.
Insider threats don’t require malicious intent. A contractor who has access to systems they no longer need, an employee who forwards a file to a personal email address, or an IT administrator who misconfigures a backup system can each trigger a significant breach. Disgruntled employees with broad system access present a more deliberate risk. Most small businesses don’t have the access controls or monitoring to catch this quickly.
What to do:
- Apply a need-to-know access policy. Employees should only have access to systems and data required for their specific role.
- Review and revoke third-party and contractor access promptly when engagements end.
- Use behavior monitoring tools that flag unusual data transfers or access patterns.
- Train staff on data handling procedures, not just phishing awareness.
Building a Defense That Actually Holds
Knowing the threats is step one. Step two is having someone responsible for acting on them. Many of the vulnerabilities attackers exploit exist because of technical debt that built up quietly over time — outdated systems, deferred patches, and aging infrastructure that never got the attention it needed.
Function4’s computer security services include 24/7 monitoring, patch management, MFA deployment, dark web scanning, and cybersecurity awareness training. A cybersecurity assessment is often the fastest way to find out where the gaps are before an attacker finds them instead.
Frequently Asked Questions
Are small businesses really targeted as often as larger companies?
Yes. Small businesses make up the majority of attack targets because they often carry valuable data and have weaker defenses than enterprises. Size isn’t a defense. Over 60% of cybersecurity threats target organizations with fewer than 1,000 employees, according to industry data. Attackers go where the barriers are lowest.
What’s the most common way attackers get into small business systems?
Phishing and stolen credentials account for the majority of initial access. The 2024 Verizon DBIR found phishing drove 36% of confirmed breaches, and credential theft was directly involved in a significant portion of the rest. Human behavior is the primary attack surface, not technical vulnerabilities.
How much does a ransomware attack actually cost a small business?
Average ransom demands for SMBs now exceed $120,000. Add recovery costs, downtime, legal fees, and potential customer notification expenses, and total costs often run two to three times the ransom amount. Some businesses don’t recover. The financial impact is rarely captured in the ransom demand alone.
Does multi-factor authentication actually stop attacks?
MFA blocks the vast majority of credential-based attacks. Microsoft has reported that MFA prevents more than 99% of account compromise attacks. It isn’t foolproof against sophisticated phishing designed to capture MFA codes in real time, but it eliminates nearly all opportunistic credential attacks that target small businesses.
What’s the difference between a cybersecurity assessment and antivirus software?
Antivirus catches known malware on individual devices. A cybersecurity assessment evaluates the full security posture: access controls, network configuration, patch status, backup integrity, and employee practices. Antivirus is one layer. An assessment shows whether all the other layers are actually in place and working.
How does managed IT security differ from standard IT support?
Standard IT support fixes problems after they happen. Managed security is continuous monitoring, threat detection, and proactive patching that catches issues before they become incidents. The difference is reactive versus preventive. That distinction shows up clearly in breach statistics and recovery costs.
What should a small business do first if it suspects a breach?
Isolate affected systems from the network immediately to prevent spread. Don’t power off machines, as forensic evidence may be on them. Contact a managed security provider or incident response team. Document everything. Notify legal counsel early, especially if customer data may be involved.
How often should employees receive cybersecurity training?
At minimum, annually with phishing simulation tests throughout the year. The 2024 Verizon DBIR found the average time for users to fall for phishing emails is under 60 seconds, which means training can’t just be a once-a-year checkbox. Quarterly training with monthly simulations is a practical standard for most SMBs.
Find Out Where Your Security Gaps Actually Are
Function4 provides cybersecurity assessments for Southeast Texas businesses that show exactly where attackers would get in — and what it takes to close those doors before they try. Schedule a free cybersecurity assessment.