SMB cyber readiness gap persists despite AI-driven threat evolution
ESET analysis reveals that small and medium-sized businesses remain unprepared for modern cyber threats, with foundational security controls still undeployed despite the emergence of AI-enhanced attack tactics.
Affected
ESET's analysis identifies a critical misalignment in SMB security strategy: whilst threat actors increasingly integrate AI into reconnaissance, malware development, and social engineering, many organisations in this segment have yet to implement basic defensive controls. This creates a structural vulnerability where adversaries operate with asymmetric advantage.
The core finding is not new, but its persistence is damning. Multi-factor authentication, patch management, endpoint detection and response (EDR), and privileged access management remain inconsistently deployed across SMB environments. These controls are not sophisticated or expensive relative to breach costs, yet adoption remains voluntary and uneven. This suggests the barrier is not technical knowledge but prioritisation, resource allocation, and failure to connect risk to business outcomes.
SMBs face genuine constraints: limited dedicated security staff, competing IT priorities, and lower breach visibility compared to larger targets. However, threat actors have optimised for this landscape. Ransomware-as-a-service (RaaS) platforms, credential harvesting via public breaches, and supply chain targeting specifically exploit the SMB readiness gap. AI-enhanced phishing and malware obfuscation now compound these risks.
Defenders in SMB environments should focus on ruthless prioritisation: implement MFA on all user accounts, establish automated patch deployment with mandatory restart windows, deploy threat detection tools capable of behavioural analysis (not just signature matching), and conduct structured staff security awareness training. Risk-based incident response planning is more valuable than comprehensive security frameworks when resources are scarce.
The broader implication is that cyber maturity in this sector will not improve through exhortation alone. Regulation (such as enhanced reporting requirements or cyber insurance mandates tied to specific controls), managed security service provider (MSSP) partnerships at lower price points, and simplified configuration tooling will drive adoption faster than industry guidance. is moving faster than SMB readiness, and the gap is widening.
Sources