“Fix the roof while the sun is shining.”

– proverb

Cybersecurity has a familiar way of saying the storm will come: “a breach is a matter of when, not if.” While the industry’s sternest maxim has probably never been more true, it sometimes feels as though it’s also lost some of its edge over the years. While everyone agrees that there could be a ‘cloud on the horizon,’ will they also hurry to draft or review their IT contingency plan or commit to a level of operational pain that their company can endure while under attack?

To be sure, a cyber-incident won’t give anyone a date by which to prepare. Organizations can only assume that it’s coming – eventually, in some form, and from some direction. But that realization alone clearly doesn’t prepare them to withstand an attack. A warning only counts when it spurs action, and the companies with the best odds of walking away standing are the ones that used the calm hours to gain a clear-eyed view of the key risks – and to prepare as though the date were fixed.

Gaps and gaping holes

The ESET SMB Cyber Readiness Index 2026 set out to measure the gap between how often SMBs end up in attackers’ crosshairs and how confidently they think they can absorb the hit. Surveying 4,400 decision-makers in the United States, Canada, Europe, the Middle East, and Japan, the report found that 45% of small and medium-sized businesses (SMBs) recorded at least one cyber-incident in the trailing twelve months. 

An even more interesting finding is what happens to confidence after an actual incident. Globally, 75% of the respondents describe themselves as either very or slightly confident in their resilience, rising to 81% among those who have already been exposed to more than one incident. In the US and Canada, the confidence is even higher: 86% among all respondents and 91% among the cohort that has been breached more than once.

Figure 1. Confidence in cyber-resilience

In other words, confidence seems to rise with incident frequency, not despite it. Have the repeat victims come to view their brushes with cyber-incidents as proof of “what doesn’t kill me makes me stronger”? Or have they made peace with breaches as part of doing business? Probably neither – the survey found that many SMBs have become more prepared, helped along by insurance requirements, compliance pressure, and better cybersecurity awareness training.

Still, the same data also points to a stubborn gap between feeling ready and having the basic precautions in place. So, an attack that doesn’t take an organization out of business can indeed make it stronger – provided it learns the right lessons, of course. But it can also leave it weaker and less capable of avoiding expensive penance in the future.

How most incidents actually start

When it comes to root causes of cyber-incidents, ESET’s data points at the less ‘flashy’ categories: phishing (26%), unpatched vulnerabilities (23%), monitoring gaps (22%) and weak passwords (20%). These are the categories that have for years required the most attention, but in people’s minds they’re often displaced by whichever threat dominates the news headlines. For all the talk around AI, automation and attacker sophistication, many SMB breaches still begin with a familiar opening.

This disconnect shows up in what SMBs fear: AI-powered malware is the most-cited threat concern globally (31%), ahead of ransomware and other malware (29%) and phishing (26%). Michal Jankech, ESET Vice President of Enterprise, SMB & MSP, puts it plainly: “We’ve found SMBs’ concerns are often shaped by headlines on emerging threats like AI-driven attacks, while more routine risks – phishing, unpatched vulnerabilities and lack of monitoring – are underestimated. This hints that many respondents misperceive their security posture and resilience.”

Figure 2. Most-feared threats

Meanwhile, Verizon’s 2026 Data Breach Investigations Report (DBIR) records the inverse priority from the attacker’s side: only 2.5% of AI-assisted malware functions used rare or novel techniques. DBIR’s other findings also point in the same direction: for the first time in the report's nineteen-year history, exploitation of vulnerabilities has overtaken stolen credentials as the leading initial access vector (31% of breaches) while the median time-to-patch grew from 32 to 43 days year on year. When it came to the specific actions affecting SMBs, ransomware, stolen credentials and exploited vulnerabilities appeared at the top again.

The golden hour

Emergency medicine calls the equivalent window the ‘golden hour,’ the period in which the speed of response determines whether damage is reversible. In cybersecurity, the choices are equal parts technical and procedural. Stopping the spread of an ‘infection’ often requires knowing the drill, including when it involves trading a guaranteed self-inflicted outage now to avoid a worse one later. Whoever can take or authorize the decision – say, kill a production database or take payments offline – needs to be reachable in minutes.

Ransomware – a threat consistently looming large over organizations of all sizes but disproportionately targeting SMBs – also thrusts itself into the conversation early. The median ransom payment now sits at $140,000, according to DBIR, and 69% of victims refuse to pay. On this note, ESET’s contingency guidance and most law enforcement agencies are blunt on the point: don’t pay.

Another clock starts at the same time. Under GDPR, for example, a personal data breach triggers a 72-hour notification window to the supervisory authority, regardless of whether the investigation is wrapped up. Logs and other evidence have to be gathered in parallel, because cyber-insurers and law enforcement will ask for them, and whatever isn’t preserved in the first hours may be impossible to recover later.

Why preparation is the answer

Major incident-response frameworks, NIST’s SP 800-61, ISO/IEC 27035-1 and the NCSC’s Cyber Assessment Framework (CAF), front-load preparation by treating incident response as a continuous risk management activity. But expectation – the belief that the hour will come – isn’t the same as preparation, of course. The latter is the conscious decision that, if/when the hour does come, the company will already know how to address the burning questions promptly and can continue to function despite setbacks; that ability is itself the core of true cyber resilience.

To be sure, the right answers vary by sector: a manufacturing plant treats availability as close to paramount, because downtime bleeds money by the minute; meanwhile, a hospital, where the wrong shutdown can cost a life, may need a different calculus. Either way, the decisions about who has the authority to shut down a revenue-generating environment or which services can come back first belong in the calm hours, not only after ‘all hell breaks loose.’

Today’s attack surface is broad, often too broad, and real preparation requires the organization to shrink the number of available openings. IT environments are known to accumulate operational fat, such as unsupported legacy systems, undocumented APIs or forgotten virtual machines, that isn’t always easy to shed. However, organizations need to get in the habit of minimizing their internet-facing footprint, as it’s impossible to defend an asset or patch a vulnerability that the IT team doesn’t know exists.

Supply-chain integrations create their own kind of sprawl, with no clear owner and an excessive permissions footprint. ESET’s report puts a number on the cost: 21% of SMBs name integration complexity as their second-biggest barrier to improvement – just behind, you guessed it, budget. According to DBIR, third-party involvement now sits at 48% of all breaches, up 60% year on year.

Meanwhile, discipline is increasingly arriving from outside. A total of 71% of SMBs globally now carry cyber insurance, rising to 84% in North America, with adoption climbing sharply among repeat victims. More than half of insured firms with multiple incident histories – 55% worldwide, 71% in North America – have specific controls written into their coverage: MFA, identity and access management, EDR or MDR. Only 31% of SMBs believe insurance alone is a sufficient defense, and 67% globally name single-vendor monoculture as a concern.

Once the dust has settled

The post-incident review is the place for questions, including the ugly ones about precautions that weren’t taken and recovery measures that were assumed to be fine but hadn’t been tested. Organizations shouldn’t default to the version in which the attackers were unusually skilled. Sometimes they are, but often the reality is more mundane.

While “when, not if” has never been more true, that alone doesn’t prepare a business for adversity. A warning only becomes useful when it changes what happens before it ‘comes due.’ The roof is easier to fix before the rain starts.