Raw Record Source

{
  "$type": "site.standard.document",
  "bskyPostRef": {
    "cid": "bafyreieptlzrjgmmrthibq2a4spgcqw66ckzazllwsesif5bjp5iidrixi",
    "uri": "at://did:plc:jvtquacwpds4pvrhh2k4l3ft/app.bsky.feed.post/3mivykivzaqu2"
  },
  "coverImage": {
    "$type": "blob",
    "ref": {
      "$link": "bafkreigholbhzzrzmtrkrs5l52bq7yz63a2duvfipxchf2f2qjaakaj724"
    },
    "mimeType": "image/jpeg",
    "size": 39533
  },
  "path": "/blog/the-biggest-cybersecurity-risk-for-smbs-still-isnt-the-fancy-stuff/",
  "publishedAt": "2026-04-07T14:30:44.850Z",
  "site": "https://www.kylereddoch.me",
  "tags": [
    "2026 Cyber Protect Report",
    "attackers are getting more precise",
    "basic control that was never fully enforced",
    "enforcing MFA",
    "Cost of a Data Breach Report 2025",
    "2025 Data Breach Investigations Report",
    "Users get access to more than they need",
    "2025 breach cost data",
    "defensive platforms",
    "State of Ransomware 2025"
  ],
  "textContent": "I spent some time reading the 2026 Cyber Protect Report, and the biggest thing that stuck with me was not AI, nation-state actors, or some brand-new attack technique.\n\nIt was the reminder that most organizations are still getting burned by the same old problems.\n\nWeak authentication. Slow patching. Overprivileged accounts. Flat access. Alerts nobody reviews. Tools nobody fully configures. That is not as flashy as talking about the latest advanced threat, but it is a lot closer to what actually causes damage in the real world.\n\nFrom where I sit, that feels pretty accurate.\n\nA lot of cybersecurity conversations drift toward the dramatic. Everyone wants to talk about the newest attack trend, the newest platform, or the newest buzzword. Meanwhile, many small and mid-sized businesses are still one bad password, one exposed VPN account, or one missed patch away from a very bad week. That is not meant to sound dismissive. It is meant to be honest.\n\nOne of the report’s strongest points is that attackers are getting more precise, not just noisier. The volume story matters less than the quality story. If the serious attacks are getting sharper, defenders have less room for error. That matters a lot for smaller organizations that do not have a full security team sitting around waiting for the next alert.\n\nThat part especially resonated with me because it matches what many of us in IT and managed services already know: a breach does not always begin with some wildly sophisticated chain of events. A lot of the time, it starts with a basic control that was never fully enforced.\n\nThat is why I think the report gets it right when it centers the conversation on fundamentals.\n\n## The basics are still doing most of the heavy lifting\n\nOne of the more sobering takeaways in the report is how much of today’s real-world risk still comes back to identity, cloud, and credential issues. That should not be surprising by now, but it still feels like too many environments are built around the assumption that if the perimeter looks decent, everything behind it is probably fine.\n\nIt usually is not.\n\nIf multi-factor authentication is inconsistent, privileged accounts are too broad, stale access never gets cleaned up, and critical systems are not getting patched quickly enough, the attacker does not need a miracle. They just need one opening.\n\nThat is one reason I keep coming back to a boring but important point: good security is often repetitive. It is not glamorous work. It is enforcing MFA everywhere it belongs. It is auditing admin rights. It is removing accounts that no longer need to exist. It is changing default credentials. It is tightening remote access. It is testing backups instead of assuming they work.\n\nNone of that makes for exciting marketing. All of it matters.\n\n## False confidence is one of the most dangerous security gaps\n\nAnother section of the report that stood out to me was its focus on false confidence.\n\nThat is such a real problem.\n\nOrganizations buy tools, run annual awareness training, check the compliance box, and assume that means the environment is secure. Leadership sees dashboards, reports, and subscriptions in place and naturally feels better. The trouble is that confidence and capability are not the same thing.\n\nA security control that has never been tested under pressure is still mostly a theory.\n\nBackups that have not been restored recently are not reassuring to me. They are a question mark. Logging that is enabled but not actively reviewed is not a strategy. It is a storage decision. An incident response plan that has never been exercised is paperwork until proven otherwise.\n\nThat may sound harsh, but I think it is one of the healthier mindsets a business can adopt. The goal should not be to feel secure. The goal should be to verify that the security controls you believe in actually work the way you think they do. IBM’s Cost of a Data Breach Report 2025 is a good companion read there, especially around detection, containment, and breach impact.\n\nThat difference is huge.\n\n## SMBs are not too small to matter\n\nThis is one of the points I wish more business owners would take seriously. The old “we’re too small to be a target” mindset has been wrong for a long time. Reports like Verizon’s 2025 Data Breach Investigations Report keep reinforcing that attackers care far more about access and opportunity than they do about how impressive your company looks from the outside.\n\nThat is part of why SMB risk feels so practical to me. Smaller organizations usually have leaner teams, more shared access, more deferred maintenance, and less time to revisit old decisions. Those are the kinds of conditions attackers love.\n\n## Access is still way too broad in too many environments\n\nThe report also spends a lot of time on overexposed access and legacy access models, and I think that is another area where a lot of small businesses are still carrying more risk than they realize.\n\nToo many environments are built on convenience first.\n\nA VPN gets set up years ago, works well enough, and then never gets revisited. Users get access to more than they need because it is easier in the moment. Networks stay flat because segmentation sounds like an enterprise problem. Service accounts pile up. Tokens linger. Permissions expand and rarely shrink.\n\nThen one credential gets stolen, and suddenly the conversation is no longer about access. It is about impact.\n\nThat is the real issue with broad access. It does not always look dangerous while things are calm. It looks efficient. It looks practical. It looks like business as usual. But when something goes wrong, that convenience becomes blast radius.\n\nThis is one area where I think a lot of organizations still need to shift their thinking. Authentication is not the finish line. Verifying identity is only the start. What really matters is what that identity can reach next, how long that access lasts, and what controls exist when something about the session stops looking normal.\n\n## Reactive security is not enough\n\nThe report’s section on reactive security also hit home for me.\n\nA lot of environments are still operating as if generating alerts equals being protected. It does not.\n\nIf nobody is consistently reviewing what matters, tuning out the junk, and building workflows around response, alerts become background noise. In a small business, that problem can get even worse because the same person handling user support, device issues, vendor calls, Microsoft 365 problems, and firewall changes is also the person expected to notice security anomalies.\n\nThat is a tough ask.\n\nI think this is one of the least appreciated realities in SMB security. Many small organizations do not have a tooling problem nearly as much as they have a time and attention problem. The logs may exist. The detections may fire. The alerts may land exactly where they are supposed to. That still does not mean someone is looking in the moment it matters.\n\nAttackers benefit from that lag.\n\nThat is why I tend to believe that mature monitoring, incident readiness, and clear escalation matter just as much as the actual products in the stack. Security is not just what you own. It is what you can consistently operate.\n\n## Cheap decisions have expensive consequences\n\nThere is also a part of the report that I think will feel familiar to anyone who has worked with budget-conscious clients or lean internal teams: cost-driven security decisions.\n\nI get it. Budgets are real. Tradeoffs are real. Not every business can throw money at every problem.\n\nBut some savings are not really savings. They are just delayed costs.\n\nSkipping training because the quarter is busy. Delaying incident response planning because nothing bad has happened yet. Buying the cheapest product without thinking through visibility, integration, or manageability. Refusing to revisit remote access because it technically still works. On paper, each of those decisions can sound reasonable. Over time, though, they stack up into an environment with less depth, less resilience, and less margin for error.\n\nThat is where I think the report makes one of its best points: cheap security is often only cheap upfront. IBM’s 2025 breach cost data is a useful reality check for that discussion.\n\nFor SMBs especially, the better question is not “What is the least we can spend?” It is “What gives us the most reduction in real-world risk?” Those are not always the same thing.\n\n## AI is not a substitute for execution\n\nThe report also lands in a place that I strongly agree with when it comes to AI.\n\nYes, AI is changing both attack and defense. Yes, AI-enabled threats are speeding things up. Yes, defensive platforms are evolving.\n\nBut AI is not going to rescue an organization from poor security hygiene.\n\nIf MFA is incomplete, patching is inconsistent, access is too broad, monitoring is weak, and incident response is mostly theoretical, dropping a shiny new tool into the environment is not going to fix the real problem. It just adds another layer that still has to be configured, managed, tuned, and validated.\n\nThat is why “execution over acquisition” feels like the right mindset to me. Even broader industry reporting, including Sophos’ State of Ransomware 2025, keeps pointing back to the same reality: the biggest damage often comes from organizations failing to do the foundational things consistently.\n\nTools matter. Good tools absolutely matter. But they do not create outcomes on their own. Execution does.\n\n## My biggest takeaway\n\nMy biggest takeaway from the report is pretty simple: for most SMBs, the greatest cybersecurity risk still is not the flashy stuff.\n\nIt is the gap between what they think is covered and what is actually being enforced.\n\nThat gap shows up in the basics. It shows up in access. It shows up in monitoring. It shows up in readiness. It shows up in all the boring, repeatable, operational work that tends to get pushed aside while everyone focuses on whatever feels more urgent.\n\nThat is frustrating, sure. But I also think it is strangely encouraging.\n\nBecause if the biggest risks still come back to fundamentals, then a lot of the best improvements are still within reach.\n\nNot easy. Not instant. Not glamorous.\n\nBut reachable.",
  "title": "The Biggest Cybersecurity Risk for SMBs Still Isn’t the Fancy Stuff",
  "updatedAt": "2026-04-01T15:00:00.000Z"
}