AI is changing attackers’ toolkits. It can help criminals write better lures, scale social engineering and speed up reconnaissance, all while generally lowering the barrier to entry for less skilled attackers. Organizations are right to pay attention, especially because malicious use of AI makes old gaps a more urgent test of an organization’s cyber readiness.
Meanwhile, the first points of failure remain strikingly familiar and typically involve the usual suspects, such as a phishing link that an employee clicks on or a vulnerability that isn’t patched in time. Unlike truly AI-powered malware (which remains a rare sight), these are not the flashiest risks in cybersecurity, but they remain among the most important ones for businesses trying to improve their readiness.
Fortunately, the threats that are still causing the majority of incidents also have tried-and-tested mitigations that should help to keep your business safe.
AI and the basics
“AI-powered malware” is cited as the top concern of global SMBs for the year ahead, according to the ESET SMB Cyber Readiness Index 2026. The figure is even higher (33%) in North America. However, if we take the definition to mean malware that uses AI in an automated, real-time way, it’s more of a topic for the research community than for cybersecurity practitioners.
ESET discovered the first example of AI-written ransomware in 2025. However, even this is likely to have been a proof-of-concept (PoC). Meanwhile, PromptSpy, which ESET discovered earlier this year, was the first known Android malware to abuse generative AI (GenAI) in its execution flow to achieve persistence.
There have been relatively few, if any, similar discoveries by threat researchers. It’s also true that ESET’s MDR service has no evidence of incidents in which GenAI played a significant role. Threat actors do benefit from AI support, but few are operationalizing the technology in real time for truly automated tasks.
The real cyberthreats to your business
A more profitable approach for SMB leaders would be to pay more attention to the real causes of incidents. For many SMBs, the first point of failure is still much more familiar: a phishing message that works, a vulnerability left unpatched, an alert no one sees, or a password that should never have been reused.
To this end, ESET data is instructive. It points to the following as the top threats facing smaller businesses:
- Phishing (26%): ESET telemetry reveals that phishing was the top detected threat in the second half of 2025 (30.8%), and volumes continue to rise. Social engineering has always been a favored tactic of threat actors, with phishing texts (smishing) and even voice calls (vishing) growing in popularity. Technology can play a part in defense, but so must staff training and awareness, which can be harder to get right.
- Unpatched security vulnerabilities (23%): Even smaller organizations may be running a diverse range of software, not all of which can be patched simply by switching on automatic updates. Understanding what you have running, and what critical data and systems may be exposed, is the first challenge. The sheer volume and frequency of vulnerability discovery these days, and limited expertise to test and apply critical updates, can also be roadblocks.
- Lack of security monitoring (22%): You might have plenty of security tools, but do you have a single, centralized place to collect, correlate and flag alerts? Effective monitoring is critically important to accelerating threat detection and response. But even businesses that have monitoring in place might find they end up being overwhelmed with alerts, making it difficult to discern false from true positives.
- Weak passwords (20%): A security challenge as old as time. Despite industry moves to phish-resistant multi-factor authentication (MFA) and passkeys, many organizations still rely on static passwords to protect their core assets. And employees tend to reuse them, compounding the risk of compromise. Creating a robust password policy is the first step. Enforcing it is the next.
Tried-and-tested solutions to age-old threats
This isn’t to say that SMBs should ignore AI-enabled threats. The key is to recognize that many of the above risks are exacerbated by AI, rather than the technology being used to create completely novel threats. For example, attackers are using AI to:
- Improve the quality of phishing messages (including the use of deepfakes) and scale and manage campaigns
- Collapse the vulnerability exploitation window by rapidly finding and weaponizing new flaws
- Analyze large datasets in order to work out commonly used passwords
- Perform reconnaissance on targets to work out attack paths faster
AI may also compress the time businesses have to respond. If cybercriminals can identify vulnerable systems faster, produce exploit code more easily or automate parts of their workflow, then the window between disclosure, weaponization and exploitation may narrow further. For an SMB that already struggles with asset inventory and patch prioritization, that matters. One lesson is that this raises the cost of leaving the basics unfinished.
So what’s the answer? The good news is that best practices can still help to improve your security posture. Vulnerability and patch management is a good place to start. Continuously scan operating systems and applications for known CVEs to surface exposures, then deploy updates automatically according to policy and risk.
Identity security is increasingly critical. Password managers can create and store strong and unique credentials for employees, but even so, MFA is a non-negotiable line of defense these days. Use privileged account management (PAM) tools to reduce the attack surface and protect high-risk accounts.
Tackle security skills shortages and improve monitoring by outsourcing detection and response to a trusted third party. Using a Managed Detection and Response (MDR) service can also reduce the complexity and integration challenges that a fifth (21%) of SMBs cite as their biggest barrier to improving security posture.
Destination: readiness and resilience
The bottom line is that no organization is too small to be attacked, so a proactive approach to cybersecurity is essential. True cyber readiness means being able to prevent, detect and respond to threats – a crucial milestone on the journey to business resilience.
You can reach it much faster by being clear-eyed about the threats facing your organization. Not the ones that make a good story, but the ones causing real impact.






